About mikand

You mean like a ratelimiting but for the Threat Prevention functions? IMHO that doesnt make sense... you want to allow bad traffic but block the bad traffic for lets say 5 minutes and then allow the bad traffic again? Or could you perhaps describe the usercase in more detail? ... View more

No, I mean go to https://support.paloaltonetworks.com and login. Then in the right menu click on "Dynamic Updates". Here you can download both the threat & app db along with the url db in a single file to your computer. Upload then the files needed in the webgui of your PAN devices (Device -> Software if im not mistaken). Then you click on "install from file" (the file(s) must first be uploaded to the PAN before they will show up in the list of "install from file"). ... View more

That is because both Cisco and Juniper have some sort of "proxy lite" feature regarding SIP in order to replace the contents of the packets (so not a true proxy) which often f**k things up rather than fix stuff (the main purpose is to aid use of SIP etc through NAT because SIP will use the data within the payload of where to connect instead of looking at the ip-header). PaloAlto (as far as I know) doesnt do this so you can either setup your rules such as: srczone: voipclients srcip: somerange srcport: >1023 dstzone: voipservers dstip: someotherrange dstport: tcp5060, udp5060 (or whatever you use) appid: sip action: allow or just set the appid to "any" if you doesnt care of which traffic will flow for the particular ports. ... View more

Have you tried to manually download the updates and manually upload them to both devices and then commit the updates? I have seen for the past month or so several similar questions on this forum with failing updates but there is still no official comment (that I have found but I didnt search for that long on the other hand) for why this is happening (my best guess so far is that some update failed big time and for some cases you need to do a manual update to the latest package to get it flowing again). ... View more

Ahh yes if your box doesnt have any dedicated HA interfaces then your only option is to use the dataplance interfaces and in this case I would go for a sfp so the fiber is directly attached to the PAN unit (instead of an external fiberconverter). ... View more

I guess you have already seen following docs? User Identification with PAN-OS 4.0 https://support.paloaltonetworks.com/index.php?option=com_pan&task=dl_tech_doc&filename=User-Identification-Operations-4.0.pdf User-ID Upgrade (4.1) https://support.paloaltonetworks.com/index.php?option=com_pan&task=dl_tech_doc&filename=User-ID_Upgrade_4.1-RevB.pdf According to the above docs there is an Update Interval for some settings which defaults to 3600 seconds (1 hour). This setting can be manually altered for values between 60-86400 (1min - 1day). So in your case (as a test) try to lower it to at least 300 (seconds). The point here is that the agent will cache information and by that lower amount of traffic needed between the agent and the directory aswell as between the PAN and the agent. But if you can have a close monitor on the PAN (and the server running the agent) you could of course try 60 seconds to see if traffic goes up (so you wont overload the mgmtplane or something). ... View more

According to https://support.paloaltonetworks.com/index.php?option=com_pan&task=dl_tech_doc&filename=HA-Active-Active-Tech-Note.pdf you should be fine. The HA1 is used for mgmtplane sync and HA2 (and HA3) is for dataplane sync. The recommendation is to use the dedicated HA1 port (if available) along with a fiberconverter (if you need fiber between the sites) instead of using builtin sfp due to the fact that when using an in-band port (builtin sfp or other port not labeled HA1) the control messages will be following a less direct route for the controlplane through the dataplane. If the dataplane for some reason fails the HA1 sync (which syncs mgmtplane) might get confused. ... View more

So my suggestion wont work in your case? I mean you have the following setup: Client does split tunneling, everything except DNS-queries goes outside the tunnel (DNS-queries goes into the tunnel which terminates at your datacenter) - if I understood your setup correctly... The PAN at the datacenter terminates your VPN (or if you use some other device for the VPN stuff and then forward all traffic through your PAN). Your PAN will apply a DNAT (Destination NAT) for traffic coming from zone VPN-clients which have dstport UDP53/TCP53 and force that traffic to a virtual server handled by your loadbalancer (such as F5 or whatever) - the DNAT will rewrite destination ip. Your loadbalancer will then loadbalance which of your DNS-servers should get the query. You then setup your DNS-servers to block queries regarding the hosts/domains you dislike (or give a false answer so the client will get for example 192.168.0.1 as reply and when connecting to 192.168.0.1 (who is a local server in your network, preferly on a DMZ)  get some information for why this host/domain is blocked and how to contact support etc)). Or did I completely misunderstood what you want to do? 🙂 ... View more

You really should fix permissions to the docs you are linking to... " It appears you're not allowed to view what you requested. You might  contact your administrator if you think this is a mistake. " ... View more

You could setup it this way if you still want to keep the VWIRE (just an example): VSYS1: int0, int1 VSYS2: int2, int3 and then in the switch before and after your PAN split up which VLAN will be sent through which VSYS like so: internal-switch (VLAN10) gi0/1 -> PAN int0 internal-switch (VLAN20) gi0/2 -> PAN int2 external-switch (VLAN10) gi0/1 -> PAN int1 external-switch (VLAN20) gi0/2 -> PAN int3 But I would recommend you switch to a layer3 type deployment. Using VWIRE (in my opinion) is more of a IDP/IPS scenario rather than having the PAN taking more decisions regarding what the nexthop should be and stuff like that. You can still use VSYS with layer3 deployment, actually it will in some way better utilize the interfaces available (comparing to just use a single interface for all traffic connected to the uplink) and it will also minimize rules needed in each VSYS if you for example split up so one VSYS will be for webbrowsing while the other VSYS will be used for handling your regular production based traffic like email, DMZ etc. ... View more

There are all sort of solutions depending on your needs, taste and size of wallet 🙂 I have over the years been playing with for example Ironport which is nice but really expensive. What it comes down to in terms of anti-spam is a combination of actual contents of the email in combination with some kind of "reputation" filtering (mails sent from known spamsources will get a higher point of probability of being a spammail). Another thing to not ignore is the possibility of false positives. A common setup is to use "reputation" filtering to simply drop connections from wellknown spamsources and then forward the rest to the client but tag the subject (or so) with [Possible Spam] or similar so the client can then have a rule to place those mails in their own folder (this will also ease the needs for administration from the IT-department to all the time scan for mails that shouldnt be dropped/quarantined or for that matter people who wants their mail to get released from the quarantine - the later will of course still exist if your email policy is to not allow executables to be sent through and stuff like that). ... View more

Your SE (Sales Engineer) should be able to help you with this. What did the support say regarding not helping you with creating this custom app? Otherwise there is an url to send in new app requests.    Edit: http://www.paloaltonetworks.com/researchcenter/tools/ and click on "Submit an App". ... View more

Hmm... "bit-internal" isnt available on http://apps.paloaltonetworks.com/applipedia/ either (which I suppose contains latest app-id db?) Edit: Did it perhaps get merged into "bittorrent" or some other appid? Because if you look at the dependecy document "bit-internal" is just before "bittorrent" comparing to "gnutella-internal" which is next to "gnutella". ... View more

What about setting up a DNAT (Destination NAT) rule based on dstport 53 for both UDP and TCP and force that traffic to your own DNS-server(s) where you then perform the DNS-policy you wish (since you didnt want to use OpenDNS to do this)? Preferly use some sort of loadbalancing aswell so if one server is down or performs badly the other DNS-servers will get more of the requests (like the PAN will DNAT to an IP handled by a VSERVER in a F5 or so which will then loadbalance to the true server). The problem is the split tunneling which might also mean that the client can bypass also the DNS-filtering (by manually query a DNS outside the tunnel and therefor not pass the PAN's at all depending on how strictly you enforce the split tunneling rules). Or for that matter modify the local resolv.conf/hosts-file which will overrule any answer (or non-answer) from the local DNS-servers. Otherwise using URL-categories in your PAN-unit (along with SSL-termination) would be the preferred method to enforce DNS-policy (well URL-policy) but this will have the same limitation as using DNAT - the traffic from the client must pass the PAN-unit (but in your case it seemed that only the DNS-traffic was forced into the tunnel while the rest of the browsing happend outside the tunnel). ... View more

Keep the rest of us updated on how this request progresses 🙂 ... View more