About mikand

The utilization on its own is pretty much couldnt care less since you will have the virtually the same latency with one packet vs 100.000 packets (until it hits the roof). As you can see with your figures using 149k sessions yielded 38% utilization on the fpga's bringing you a ratio of 3921 sessions per percent. With 220k sessions you had 50% which brings you a ratio of 4400 sessions per percent. According to some tests performed by NSS Labs in autumn 2010 and spring 2011 the tested PA unit (4020) yielded higher true throughput than stated in the datasheets: http://www.paloaltonetworks.com/literature/research/NSS-Labs-Report.pdf http://www.paloaltonetworks.com/literature/research/NSS-Labs-Report-2011.pdf So the question here is how you have setup the test-network along with which settings you use in your PA unit? Are you for example having extensive use of NAT's and PBF's and stuff like that? ... View more

I guess you have already checked page 59 in the administration guide (if you are using 4.1.x)? Palo Alto Networks Administrator's Guide Release 4.1 (English) Doesnt seem to have much options... you basically setup the ip:port of the netflow-collector along with some refreshment settings and thats it... ... View more

Whats the possibility to get some GUI grouping similar to Juniper NSM (and others for that matter)? So one can expand/compact each group of rules (for example if you group the rules as inbound rules to each zone). The look would be something like: [+] DMZ-ZONE1 [+] DMZ-ZONE2 [+] DMZ-ZONE3 click on the DMZ-ZONE1 and you will see the rules you need to see: [-] DMZ-ZONE1 rule1 rule2 rule3 [+] DMZ-ZONE2 [+] DMZ-ZONE3 ... View more

I agree that this needs to be fixed. If I allow clearspace then I have nothing against if the PAN will do some magic behind the scenes to make this work but at the same time it should never allow other applications as you described. In the particular case I can agree to that http-proxy needs to be allowed at first (in order to detect clearspace) but once clearspace is detected (or not detected) then http-proxy should no longer be allowed through the PAN for this particular flow. The question here is perhaps how many packets is needed for the detection to work? Doing tests for how the appid works (deny unknown, allow any appid (with full idp, antivirus and antispyware inspection incl ssl-termination) showed that the request will be allowed through the PAN (because at this point it doesnt know what app this might be and because I simply allow all applications in this test) but the response from the server is blocked (because now PAN figured out that the application in use was web-browsing BUT the request itself wasnt web-browsing so the endresult was unknown which was denied). In this particular test I sent a "a b c" as request to a webserver (located behind the PAN) and could verify that the packet with just "a b c" (instead of "GET / HTTP/1.0" or whatever) passed through - but the (I think it was) "HTTP 400 Bad Request" sent as response from the webserver was not allowed and the session was destroyed (as it should). So is there some manual workaround one can use to fix this problem unless PAN cannot fix this? At first I thought that something like this could work (before my brain started to function ) 1) Allow appid: clearspace, http-proxy 2) Deny appid: http-proxy but once my brain booted up (a few microseconds later ) I realized that this will never work becuase PAN uses top-down first-match so rule no1 will always be used before rule no2 (a flow identified as http-proxy will never hit rule no2). ... View more

There is a technote released just before christmas who also describes how the QoS in PA works (and how to set it up). What I have not yet learned (or figured out) is how many classes one need in your custom QoS profile? Let say I want to prioritize down some traffic going to/from a specific zone but let everything else at default. Should this custom QoS profile only contain lets say class1 or should this profile contain all classes where I then in the QoS policy define that traffic to/from this zone should be put into the class1 flow (lowest prio)? Or should this QoS profile just contain class1 (which I want to match my lowprio traffic into) and class4 (which is the default class for unmatched traffic)? Edit: And the link to that technote aswell :smileysilly: QoS in PAN-OS 4.1 ... View more

Since you have limited amount of rules I would try going through the applications one by one to see which one it is thats also allowing youtube. A guess is that "web-browsing" is the general app for all kind of browserbased browsing which means that youtube and others are "included" within this app. ... View more

tcprewrite from the tcpreplay package can be used to modify the headers (and save into a new pcap) but it doesnt seem to support modifying payload. Also modifying payload can be tricky since many protocols uses various methods of "encryption" (or rather encoding) - but sure to replace a string with another string "should" be easy (as long as you know the limitations of this) - however I didnt found any good rewriter of the payload stuff yet. Edit: Some good examples regarding tcprewrite: http://chrissanders.org/2010/12/sanitizing-pcap-files-for-public-distrubution/ ... View more

Dunno if that might work... keep in mind that PA is like most firewalls top-down first-match (only ACL's which doesnt do that, which I have found so far, is the ipf/pf from *BSD and the ACL engine in Allied Telesyn equipment (I think AT changed into Cisco-style in their latest hardware releases but there are still a few AT devices which isnt the latest models still out there). But sure if your SSL clients wont hit the rule containing hipprofile then they will hopefully hit the following rule without the hipprofile. The problem here is what to do with your IPSEC clients (iphones etc) that should hit the hipprofile but for some reason fails the hip control? ... View more

Setting up a new VSYS should do this as you already explained (one who only accepts IPSEC the other only accepts SSL). Otherwise, cant you in the hipsprofile define which device the client is using? Or cannot one use different zones, one zone for ipsecclients and one for sslclients? Another method would be if you place the hardware devices in different AD-groups and by that create policies (only allow AD_IPSEC and not AD_SSL and the other way around per security policy). ... View more

Yeah a "Create PDF" would be a better option that a print button in my opinion. Edit: A workaround might be to use some addon for firefox to capture the while rendering and save into a png and/or pdf. But I have not yet found such addon that doesnt include uploadfunctions. ... View more

Speaking of wildfire... I assume that "bening" means that "file ok"? Because I have manually uploaded a file thats anything but "bening" but wildfire still draws the conclusion that the file is bening (even if the report detected that the file tries to drop stuff at c:\sample.exe and modify registry and other kind of dirty work). Is there perhaps some document who better describes why wildfire thinks stuff is bening while it obviously isnt (at least from my point of view 😉 ? ... View more

Visit the url in question and verify that your MITM-cert was being used (check the "issued by" stuff when you click on the cert on clientside - it should read the name you gave the cert (issuer) instead of Verisign or whatever the EICAR-site uses). Also verify in your decoding policy that you decode for all url-categories (the above will verify if you have set this up correctly). I have sometimes noticed that occationally the PA unit will let bad code pass, dunno why as I have not yet setup a testcase for this or even did a tcpdump so see what actually happens - the result was anyway that I got open the EICAR.txt over https instead of getting the blocked virus page. One theory is that the PA unit will send the TCP-RST (or whatever) just after the first packet passes as with EICAR the EICAR teststring will fit in a single packet. Then based on which browser is being used the browser will try to display whatever it got instead of displaying the block (well antivirus) page generated by the PA. Anyone else who have noticied this behaviour (or now if this have been addressed in 4.x series - I think the box in question is a PA-2050 running either 3.0 or 3.1)? ... View more

Well thats what it does today when you set url-category:advertisements to block, the users get this custom block page instead and starts asking questions about that instead of just a white/empty page (this looks somewhat funny when you visit most sites who does iframe and shit to get ads on their pages these days). And setting the blockpage to a white (empty) page wont help since you cannot have several different block pages in PA (because I want the information to reach the client for other blocked categories - the custom page brings some data for the tech to search on along with information to the client how to get in contact with support etc). Using a deny based on url-category should work the same way as if you manually set the adserver hostname in your hosts file to point to 0.0.0.0 or 127.0.0.1 - the browser cannot reach the adcode and will therefor not display any ads (compared to when the PA today sends a custom block page instead). ... View more

What do you think is the probability that if I file this as a feature request (TCP-RST for url-categories) this can be implemented (this somewhat feels that if this by design would be possible then this would have already been implemented)? ... View more