About emr_1

emr_1 · ‎06-25-2014

#1 How is dataplane load going? You can check by 'show running resource-monitor' If it looks high average or 100% in max, it might stops traffic via HA1 port. To avoid this situation, you can enable heartbeat backup. #2 You can check if some kind of process was restarted. 'show system files' shows you core-dump if generated. If you can find any output, then you can export it, open the case, then TAC will investigate it.

emr_1 · ‎06-17-2014

Sounds you were previously using 5.0 or above. If correct, PA supports SSL Decryption profile from 5.0 as new feature. In the process of downgrade PANOS, PA does not automatically convert configuration file for 4.1, so you need to delete new schema manually. To delete them, you first need to export current config, delete it, then import and load new one. I think you can find following part in your config file (xml file) <profiles> <decryption/> </profiles> Regards, Emr

emr_1 · ‎09-04-2013

Thanks for your reply. I tested two more cases. One is completely denying my dos traffic by security policy and see how it goes. The result was 100% CPU usage. Another is allowing dos policy, but configured resource limit by 10. It also reached to 100% CPU usage. If your reply is correct, let say...for example: if PaloAlto device place in front of web bank system and if I attack this web site, paloalto device would protect my attack by dos or zone protection, but CPU will reaches to 100%. As a result, the web bank system will be protected, but nobody will be able to use the bank system until CPU goes down. I think this is not good solution for dos protection. Don't you think? Regards,

emr_1 · ‎09-04-2013

Hi guys, I have question related to both Zone and DoS Protection features. I'm testing with PA-200 and PA-2050 by using following DoS tool. LOIC | Free Security & Utilities software downloads at SourceForge.net I'm configuring this tool to generate lots of UDP packets in short time and see how CPU usage of dataplane goes. I could find that CPU easily reaches 100% (I can confirm with 'show running resource-monitor second') and even Protection is working it still keeps 100% usage. And also, my other traffics which should not affected by protection could not reaches to internet websites via PaloAlto until I stop the DoS tool and CPU goes down. My thought is this is because detecting packets and dropping packets are handling on Security Processor. If I'm correct, how can I decrease usage of CPU and keep dropping high rate packets, and make successful transaction for other traffics? If I can't get good solution on PA-2000 and lower model, can I get better result if I use PA-3000 or PA-5000 series? Regards,

emr_1 · ‎08-22-2013

If you are talking about detail URL logs in UAR, there is max rows. You can find this value under device tab > setup > management tab > Logging and Report Settings. *NOTE: I should say panorama tab, this issue was on panorama. The default value for Max Rows in User Activity Report is 65535. Can you check that your report with 30 days hits to 65535 lines? Regards,

emr_1 · ‎08-22-2013

Well, it looks like your PaloAlto device places between client PC and proxy server. I'm not using proxy. This might causes different result.

emr_1 · ‎08-22-2013

If you are talking about bug#50133, it was fixed on v5.0.6. 50133—When configuring a GlobalProtect portal and adding an external gateway address for GlobalProtect clients, the IP format ip-address:port could not be added. Update made to allow this format. Regards

emr_1 · ‎08-22-2013

If the user is using skype client, you can find skype-probe in traffic log as below: I can see all URLs you mentioned. (URL category name might be different from you because I'm using PAN-DB instead of BrightCloud) What is 'users log' you are pointing to? Do you mean detail log for 'secure.skype.com'?

emr_1 · ‎08-22-2013

Hi The URL log as below is generated by accessing to secure.skype.com from IE10. Do you mean you can't figure out this is actual skype session or just https session from browser? If my understanding is correct, I guess there is no clue to figure out which pattern is it because the session is encrypted by ssl and PaloAlto device could not see the payload. However, skype client send out skype-probe session, if you can see skype and skype-probe from one source address, you might be able to say that user is using skype client. Regards

emr_1 · ‎08-20-2013

Hi achitwadgi, I see. It helps me to understand more clearly. Thanks for the updates.

emr_1 · ‎08-20-2013

Hi, That is expected result and normal. Please refer to following KB: ACC Shows Different Results After Clearing Filters Regards

emr_1 · ‎08-20-2013

Thank you for your replies, guys. I tested with my PA device. As VinceM says, I confirmed PA did not upload the APK file at this point. I think this is new feature available from 6.0.

emr_1 · ‎08-19-2013

I found following new press release: Palo Alto Networks WildFire Protects Against Cyber Threats Targeting Android Smartphones and Tablets I have PaloAlto device with Wildfire subscription. The device is running on PANOS 5.0.6. How can I use this new wildfire? Does it mean I just change configuration of File Blocking to upload .apk files? If someone knows, please help. Otherwise, I'll contact to my local SE. Regards, Emr

emr_1 · ‎07-23-2013

I don't know there is any document related to this filter, but I found this filter from PaloAlto API browser and debug for web browser. You can access to API browser by typing in https://<IP address for MGT>/api/ For debug, you can access to https://<IP address for MGT>/debug Regards,

emr_1 · ‎07-22-2013

Hello, Please use following filter in security rule page (on GUI). (log-start eq 'yes') You can change log storage allocation under device tab > setup > management tab > logging and reporting settings please click edit button on the right upper corner. Regards,

Member Since	‎05-10-2010 06:49 PM
Date Last Visited	‎01-10-2025 02:14 AM
Posts	359
Total Likes Received	120

Online Status	Offline
Date Last Visited	‎01-10-2025 02:14 AM

About emr_1

Re: GlobalProtect app being automatically uninstalled as PC moves from one LAN to another LAN

Re: Difference between Rulebase Security Rules and security policy in CLI

Re: compatibility issue between GP and IOS18.2

Re: Panorama moving to LEGACY MODE

Re: GP - Split Tunneling

Re: CLI: setting and unsetting log forwarding

Re: Sonicwall Firewall v6.5.4 migrate to PaloAlto Next Generation Firewall

Re: Minimize log size

Re: License for feature lcaas will expire on 2024/10/30

Re: License for feature lcaas will expire on 2024/10/30

Re: compatibility issue between GP and IOS18.2

Re: GP - Split Tunneling

Re: The required '11.1.0' base image must be loaded before this image can be loaded

Re: request sc3 reset API

Re: Does Global Protect RADIUS support Message Authentication? (to mitigate BlastRADIUS 9/10 CVSS vulnerability )

Re: TID 95187 is not on my signature list

Re: what does "SWITCH" in hardware architecture mean?

Re: any solution to keep tracking user IP mapping?

Re: any solution to keep tracking user IP mapping?

Re: [need help]can't see new incoming logs after upgrading M-100 into 8.1.12

Nominated Discussion: What does "SWITCH" in hardware architecture mean?

Nominated Discussion: How to Change Forward Decrypt Trust Certificate

Re: High Availability weirdness

Re: invalid configuration. Schema verification failed. profiles -> decryption unexpected here.

Re: Looking for best way for using DoS protection

Looking for best way for using DoS protection

Re: User activity reports

Re: Skype false positive

Re: SSL VPN with Global Protect Agent 1.2.0 on different port

Re: Re: Skype false positive

Re: Re: Skype false positive

Re: How to use Wildfire for Android APK

Re: acc top source destination

Re: How to use Wildfire for Android APK

How to use Wildfire for Android APK

Re: Policy with "Log at Session Start" option - how to find it?

Re: Policy with "Log at Session Start" option - how to find it?

Nebula Beta

Unlock your full community experience!

About emr_1