About _slv_

Thank You for very detailed answer! I think that the best option for me will be upgrade to 5.0.8 and after check logs. I had this errors ie 10.10.2013 about 13:58, in dnsproxyd.log a have enries: Oct 10 14:52:58 Error: pan_dnsproxyd_recv_server_udp_cb(pan_dnsproxy_udp.c:487): [Drop Rcvd Server Pkt]: Error in processing packet Oct 10 14:54:57 Error: pan_dnsproxy_process_server_pkt(pan_dnsproxy_pkt.c:1335): [14122/-][Drop Rcvd Server Pkt]: No pending entry in conn tbl for server_tid:14122 Oct 10 14:54:57 Error: remove_conn_tbl_entry(pan_dnsproxy_pkt.c:284): conn_tbl[14122] entry is already freed! Oct 10 14:54:57 Error: pan_dnsproxyd_recv_server_udp_cb(pan_dnsproxy_udp.c:487): [Drop Rcvd Server Pkt]: Error in processing packet Oct 10 14:55:37 Error: pan_dnsproxy_process_server_pkt(pan_dnsproxy_pkt.c:1335): [44552/-][Drop Rcvd Server Pkt]: No pending entry in conn tbl for server_tid:44552 Oct 10 14:55:37 Error: remove_conn_tbl_entry(pan_dnsproxy_pkt.c:284): conn_tbl[44552] entry is already freed! Oct 10 14:55:37 Error: pan_dnsproxyd_recv_server_udp_cb(pan_dnsproxy_udp.c:487): [Drop Rcvd Server Pkt]: Error in processing packet Oct 10 15:06:14 Error: cfgagent_modify_callback(pan_cfgagent.c:81): Modify string (sw.mgmt.runtime.clients.dnsproxyd.err) error: Unknown error code (1) Oct 10 15:10:36 Error: pan_dnsproxy_query_done_cb(pan_dnsproxy_pkt.c:772): Cache entry not found for Wsadecka.feris.pl. Oct 10 15:52:34 Error: pan_dnsproxy_process_server_pkt(pan_dnsproxy_pkt.c:1335): [26579/-][Drop Rcvd Server Pkt]: No pending entry in conn tbl for server_tid:26579 Oct 10 15:52:34 Error: remove_conn_tbl_entry(pan_dnsproxy_pkt.c:284): conn_tbl[26579] entry is already freed! Oct 10 15:52:34 Error: pan_dnsproxyd_recv_server_udp_cb(pan_dnsproxy_udp.c:487): [Drop Rcvd Server Pkt]: Error in processing packet Oct 10 15:53:00 Error: pan_dnsproxy_process_server_pkt(pan_dnsproxy_pkt.c:1335): [36977/-][Drop Rcvd Server Pkt]: No pending entry in conn tbl for server_tid:36977 Oct 10 15:53:00 Error: remove_conn_tbl_entry(pan_dnsproxy_pkt.c:284): conn_tbl[36977] entry is already freed! is everything OK in this logs? How to make rule for >3 In my scenario I have DNS servers in Zone A, clients in Zone B, my security rule: Should I add rule that alloving traffic from WiFi zone (with source IP = gateway IP for this zone) to Zone A? >You can enable threat scanning for traffic from the original clients to DNS proxy and also DNS response traffic (public DNS servers) How to achieve that? Should I make rule from WiFi to WiFi app=dns with enabled thread prevention profile on it? Regards SLawek ... View more

No, those two DNS servers was "pingable" all the time. Also "DIG google.com" gives me answer - lunched from computer from one of network with dns_proxy. Any idea how to troubleshoot it ? ... View more

Hi This  options and many other isn't supported yet. Maybe on PAN 6.0.0 that is in beta state now. Please contact your local Palo Alto SE to submit a feature request to add DHCP options. Regards Slawek ... View more

Hi Why I'm not able to open this link? I got error: Unauthorized      Access to this place or content is restricted. If you think this is a mistake, please contact your administrator or the person who directed you here.  Regards Slawek ... View more

Few days ago on this forum was topic related to the same problem (I can't find it right now) Your problemn should be solved in latest 5.0.8 PAN - check release notes for id 53962 Regards SLawek ... View more

Thats good that my polices are OK. But I scared that I missed some aplication ... ie - I moved www server to DMZ few days ago, and I see that I have to add also new appliocations: rss, web-crawler. Until now I think that it should be in web-browing, but after I checked few times traffic logs for denied applications I realized that I'm wrong. I agree with you about group of profiles. But is is correct to scan traffic using antivirus/anti-spyware/volnerability/data filtering? or maybe one of them is enought? every profile is taking some resources of PAN, and I'd like to use only that are nessasary. p.s. - sorry for my bad english Regards SLawek ... View more

Please read this topichttps://live.paloaltonetworks.com/message/15066#15066 it could help you - try to use application override regards SLawek ... View more

From which version do you upgrade? I'm on 5.0.7 and I have the same situation, gorps are empty - I try it with 3 different AD users. ... View more

PAN OS 5.0.8 went out on 2013/10/01 - somebody try it on non-test environment? ... View more

Two things: - what happend when you enable compatibility mode? - why you dont upgrade IE to latest 10 version yet? Regards Slawek ... View more

Do you have latest version of user-id installed? Regards Slawek ... View more

In my environment 150 AD users and some WiFi users with 10 security zones, 15 subinterfaces PA 200 is good enought. Known limitation (from life - not technotes ): - don't even think about SSL decryption - PA200 hasnt dedicated ASICs - its has everything virtualized - P2P I have blocked on all zones - upload from trust to untrust is limited to 50Mbit (when you use thread prevention - but who don't use it?) with QoS enabled. But it depends how many session could generate users, one user could use 100 session, another one more than 1000 ... Regards SLawek ... View more