About mikand

If you setup an address object such as: mail1 (mail1.example.com) and use this in a rule the FQDN will be resolved during commit and the ip address which mail1.example.com points to according to the dns-server used will be used. Like so: 1) You click commit 2) The PAN will replace the names of each address object with the  content each address object refers to (mail1.example.com for above example). 3) Next the PAN detects that you use FQDN so it will need to resolve mail1.example.com (lets say into 1.2.3.4) by query your dns-server. 4) The PAN will (hidden from you) "rewrite" the rule so "1.2.3.4" will be actually written to the hardware (FPGA's). Now, if you use address objects which points to ip-addresses (instead of FQDN) there is no need to query external dns-server. Example: Address object: mail1 (1.1.1.1) During commit the following will then happen: 1) You click commit. 2) The PAN will replace the names of each address object with the content each address object referes to (1.1.1.1 for above example). 3) Since you have no FQDN's at this stage the PAN wont need to perform any dns-queries. 4) The PAN will (hidden from you) "rewrite" the rule so "1.1.1.1" will be actually written to the hardware (FPGA's). ... View more

If im not mistaken FQDN rules are resolved when the ruleset is committed and not dynamically. Also note that the ruleset can be automatically committed if you have "download-and-apply" threat preventation and/or url-category database updates (usually once or twice a day). Generelly its bad to use FQDN for firewalls mainly because you will then rely on some external information. Let us assume you setup a rule which looks like: srcip: any srcport: >1023 dstip: mail.example.com dstport: any And then let us assume someone dns poision the dns-server your firewall is using when committing the rules so mail.example.com resolves into "0.0.0.0" (or even worse hacks your dns-server to manually setup the zones). Or for that matter if the dns-server is unavailable when you commits the ruleset - is the default in the firewall "0.0.0.0" for unresolved addresses or is it "255.255.255.255" (or will it even commit)? The result would then be that you allow the current port and/or app-id to EVERY ip-address available for that particular zone (or even worse if you select zone:any). If you want to setup rules towards your email servers we can be pretty sure you already use static ip's for those servers and therefor your have another reason for why you shouldnt use FQDN (because there is simply no need to). You can setup local names in the firewall if you go to Network -> Address objects (and even Address Groups) to setup stuff like: Address objects: mail1.example.com (1.1.1.1) mail2.example.com (2.2.2.2) Address group: Mailservers (mail1.example.com, mail2.example.com) The above will point to the address objects named mail1. and mail2. NOT the FQDN). Or if you think you could be confused if its FQDN or not then just: Address objects: mail1 (1.1.1.1) mail2 (2.2.2.2) Address group: Mailservers (mail1, mail2) and then setup the rule as (just an example, in real life one would choose designated port along with zone AND app-id etc): srcip: any srcport: >1023 dstip: Mailservers dstport: any ... View more

I was more thinking of if there would be some kind of physical limitation (and therefor no need to take the time to write this as a feature request to your SE)? For example if one want 100Gbit/s interfaces there is a physical limitation which gives that this isnt supported for current models (but perhaps in the future) which means that your feature request wont be fixable for current models but maybe for future models. ... View more

" The Short answer is No, there is no way that we support changing the MAC address like that. " Not even if filed as feature request (which sounds really odd since most modern NIC's supports altering the phy-stuff etc)? ... View more

Would be interresting if you can do pings and traceroutes (both ICMP and UDP/TCP) over time through the PAN to see if you notice any raise in latency when your traffic goes up (and report back to this thread 🙂 Also did you update to 4.1.2? ... View more

Sounds like a perfect example of when to also contact the support and not just the forum 🙂 Speaking of which... cant the forum be better integrated with the support? I mean cases like this where other customers could verify that they have seen the same behaviour (without the need to manually file a complain through the support organisation? 🙂 ... View more

Sounds odd/funny. Could it be that your device time was so much different from real time so the onboard ntp daemon refused to sync? Can you verify that the NTP works after you set the time close to real time manually? ... View more

Depends on which situation. If you want to log when a specific filename passes by for http/https traffic you could use url-category. Otherwise it depends on the protocol used. The DLP feature should work if the filename is used in cleartext but you will also end up with all sort of false positives where someone just write this filename for some other reason without actually transmitting the file. ... View more

One way would be to update to 4.1.2 and try again. Another method is to manually download the updates (for url, threats, apps) and install them through the gui by later manually upload them to your PAN unit and then see if the autoupdate starts to work? Also if you are using a regular interface for the updates (and not the mgmt-interface) I think you might need to setup a security policy which allows "paloalto-updates" (limit it to the zone and srcip used by the PAN itself). This can be verified if you check in the ACC right after you had your failed update. ... View more

Didnt you get any warning during commit that you had colliding rules? And which PANOS is it you were using? ... View more

Kamish: Have you filed this as a bug to the support yet? ... View more

Kamish: I do hope you filed this as a bug to the support (or are you expecting other customers to do that? :P) ... View more

According to the https://support.paloaltonetworks.com/index.php?option=com_pan&task=dl_tech_doc&filename=PA-4.1_Administrators_Guide.pdf (unless Im blind or something 😉 PAN currently doesnt support changing the mac-address of the physical interfaces. However it seems to be somewhat supported when enabling IPv6 for a particular interface (page 93 in the linked pdf). But the explanation in the manual can also be that the mac-address wont change when using IPv6, only how the last 64 bits of the IPv6 address will look like (if not set then EUI-64 method will be used). I guess the recommendation would be if you contact your SE and file this as a feature request (unless someone else in here have a tip?). ... View more

I dont get the drawings. Could you provide us with a drawing of how it looks right now (without the PAN) and which network is used on which interface (along with which ip each interface on each box have)? If we assume you have a setup similar to: WAN (192.168.0.0/24) [192.168.0.1] <WAN-ROUTER> [192.168.1.254] (192.168.1.0/24 (L2-SWITCH)) [192.168.1.5] <CLIENT> Then you should be fine with just plugin your PA200 on the switch between WAN-ROUTER and CLIENT and give the PAN unit following settings: 192.168.1.253/24, defgw [IP of ISP-ROUTER] Then in your clients you setup a routing table similar to: 0.0.0.0/0 nexthop 192.168.1.253 192.168.0.0/24 nexthop 192.168.1.254 192.168.1.0/24 directly attached and voila... no need for icmp redirects and shit like that 🙂 ... View more