This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

About mivaldi

cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
mivaldi
‎05-01-2025
since ‎04-03-2014
L7 Applicator
User Activity
User Profile
Latest posts by mivaldi
View All
My Liked Posts
View All
User Badges
mivaldi's Photos
Community Statistics
Member Since ‎04-03-2014 01:35 PM
Date Last Visited ‎05-01-2025 01:51 PM
Posts 746
Total Likes Received 163

Re: Contact a Sales Engineer

by in General Topics
‎12-09-2014 04:27 PM
‎12-09-2014 04:27 PM
Many times your SE is listed under your Account record. You can ask your Support Engineer to please check the Account record for the names of the "Sales Engineer" under the "Account Team" section. Your Support Engineer can search for your Sales Engineer's e-mail derived from their name on the company's AD directory. ... View more

Re: QoS Statistics with external tool

by in General Topics
‎12-08-2014 03:22 PM
‎12-08-2014 03:22 PM
There are no OID Objects for SNMP queries for this level of detail, so SNMP is out of the picture. There was a similar post here: Re: SNMP QoS You could explore scripting expect commands to extract information from cli commands like > show qos interface ethernet1/1 counter > show qos interface ethernet1/1 throughput 0 Unfortunately the API queries are not working for these operational commands: Command: curl -k "https://<FIREWALL_IP>/api/?type=op&cmd=<show><qos><interface><ethernet1/1><counter></counter></ethernet1/1></interface></qos></show>&key=<API_KEY>&client=curl" Response: <response status = 'error' code = '400'><result><msg>Illegal parameter [request]</msg></result></response> Command: curl -k "https://<FIREWALL_IP>/api/?type=op&cmd=<show><qos><interface><ethernet1/1><throughput><0></0></throughput></ethernet1/1></interface></qos></show>&key=<API_KEY>&client=curl" Response: <response status = 'error' code = '400'><result><msg>Illegal parameter [request]</msg></result></response> Note: The <API_KEY> needs to be generated before-hand. You can generate it using cURL: curl -k "https://<IP_PAN>/api/?type=keygen&user=<your_user>&password=<your_password>" ... View more

Re: Threat ID 1270062

by in General Topics
‎12-08-2014 02:26 PM
‎12-08-2014 02:26 PM
If you open a case with support, here are the instructions to submit a False Positive for analysis: How to Submit a Virus/Vulnerability False Positive ... View more

Re: Use proxy only on certain URL's

by in General Topics
‎12-08-2014 02:24 PM
‎12-08-2014 02:24 PM
If the URL always resolves to the same public IP, and you had more than one route for internet traffic, you could build a PBF rule to have traffic coming/going from/to the website, be funneled through a different internet access route. Would this be a possible solution for your network scenario? ... View more

Re: Malware site and response page - problem

by in General Topics
‎12-08-2014 11:56 AM
‎12-08-2014 11:56 AM
Your management profile on ethernet1/4.1 is set to Ping_Only. Try activating "Response Pages" on the Management profile. The connection you see is trying to go to 6080. That is the Captive Portal Response Page port. As you can see on the Management Profile Help file: The Response Pages check box controls whether the ports used to serve captive portal and URL filtering response pages are open on Layer 3 interfaces. Ports 6080 and 6081 are left open if this setting is enabled. Let us know if that helped. ... View more

Re: How to use dynamic block list?

by in General Topics
‎09-29-2014 04:27 PM
‎09-29-2014 04:27 PM
-"You can also enter a UNC server path." That was a documentation error. Please refer to: Dynamic Block Lists and UNC Server Path ... View more

Re: Wildfire Email Alerts

by in General Topics
‎09-23-2014 05:13 PM
‎09-23-2014 05:13 PM
For future reference, please check the following KB article: WildFire Email Alerts: Subscribe or Add Additional Recipients Best regards, Mariano Ivaldi ... View more

Re: Add Multiple DNS Suffixes

by in General Topics
‎09-12-2014 11:14 AM
1 Kudo
‎09-12-2014 11:14 AM
1 Kudo
Sure thing. This is under Network > DHCP > DHCP Server. Here's a screenshot where I have adomain.local, and additionally otherdomain.local in the DNS Suffix list. Using a space will create multiple Search Domains on the computers. Example. If I tried to resolve with nslookup (or anything else that needs to resolve the name) like: nslookup hello My computer will ask my DNS server for: hello.adomain.local hello.otherdomain.local If instead of using a space in between adomain.local and otherdomain.local, you used a comma, it will be asking for: hello.adomain.local,otherdomain.local ... so it gets confused with commas and concatenates the suffixes. It works fine if you separate them with a space. I'll write a KB with further details and publish it on live... Best, Mariano Ivaldi ... View more

Re: Add Multiple DNS Suffixes

by in General Topics
‎09-11-2014 07:32 PM
‎09-11-2014 07:32 PM
I tested this, and yes, you can add more than one. It will not work if you use commas as delimiters, you need to separate the entered suffixes with spaces. Mariano Ivaldi ... View more

Re: PA-200 configuration for low bandwidth site

by in General Topics
‎09-03-2014 03:44 PM
‎09-03-2014 03:44 PM
Mind that the firewall updates are protecting your network, so I would think that is actually... a good thing. If you are concerned about saturation, you should explore QoS, and give the Palo Alto Networks firewall updates traffic lesser priority. See QoS in PAN-OS 4.1 Having that said, I would advise against expanding the update schedule, and in favor of correctly prioritizing your traffic. Best regards, Mariano Ivaldi ... View more

Re: About address object with FQDN and apply it to security policy.

by in General Topics
‎09-03-2014 12:04 PM
3 Kudos
‎09-03-2014 12:04 PM
3 Kudos
The definitive answer depends on what the DNS query responds and if the servers themselves change their IP (or there is more than one server always-listening and DNS is being used as a load-balancing technique). I've experienced a scenario where a FQDN was being used in a security policy, and the destination host was changing its IP address to a pool of 3 IP addresses in a round-robin fashion. The DNS record was also dynamically updated to reflect the newly assigned IP on its non-authoritative section. The Palo Alto Networks firewall does not run a DNS resolution on the fly for every SYN packet that goes out if a FQDN is used in a security policy, thus causing a practical problem. As you described " sometimes it can match the rule and sometimes doesn't." There is a set frequency in which the firewall will resolve a FQDN and run a short commit to update the resulting security policy. The firewall is matching IP addresses and if a FQDN is used in the security policy, it will not work well with frequently changing records. For cloud FQDN's there are different approaches. The DNS records may rotate pointing to new IP's (like Facebook does): computer$ nslookup www.facebook.com Server: <obscured> Address: <obscured>#53 Non-authoritative answer: www.facebook.com canonical name = star.c10r.facebook.com. Name: star.c10r.facebook.com Address: 69.171.237.20 Or another approach is to give you a long list of possible addresses (like Google does): computer$ nslookup www.google.com Server: <obscured> Address: <obscured>#53 Non-authoritative answer: Name: www.google.com Address: 74.125.239.49 Name: www.google.com Address: 74.125.239.48 Name: www.google.com Address: 74.125.239.51 Name: www.google.com Address: 74.125.239.52 Name: www.google.com Address: 74.125.239.50 ... When you have a long list of possible IP's, the Palo Alto Networks firewall will cache up to 10 IP addresses presented in the Non-authoritative section of the DNS query response. This does not mean that it will cache those IP's for a round-robin rotating DNS record. Hope this helps, Mariano Ivaldi ... View more

Re: Slowness over VPN

by in General Topics
‎08-22-2014 02:35 PM
2 Kudos
‎08-22-2014 02:35 PM
2 Kudos
I would say: "Define slowness" You can have great bandwidth throughput, but a roundtrip response time to your DNS servers be very slow. The perceived behavior is slowness in both scenarios. You can also have great performing applications, and applications that behave poorly (Samba file transfers are known to be slow, and they require some tune-up on the firewall). I would troubleshoot such slowness in two ways: Deploy iperf on both ends of the tunnel and run a TCP test with -P 10 to measure bandwidth throughput. http://www.slashroot.in/iperf-how-test-network-speedperformancebandwidth You can use tools like NetMeter on the endpoints or Graphic Traffic Monitoring for Interfaces - QoS Statistics Check how users reach their DNS servers. If you are forcing everyone to go to your central office for DNS resolution, and you are in the opposite side of the globe, you are injecting huge delays in DNS responses. Mariano. ... View more

Re: Unable to view YouTube on HTTPS, for some people

by in General Topics
‎08-18-2014 02:46 PM
‎08-18-2014 02:46 PM
Based on what you describe, you are decrypting packets, otherwise a change in service from 'application-default' to service 'any' wouldn't resolve the issue. In your case it can be that the application you selected doesn't have 443 as an application default port. An alternative solution is leaving service as 'application-default' but adding ssl to the list of allowed applications on your Security Policy. ... View more

Re: Unable to view YouTube on HTTPS, for some people

by in General Topics
‎08-18-2014 10:50 AM
‎08-18-2014 10:50 AM
You should track the URL Filtering logs for the blocks. Sometimes there can be HTTP redirects, if that's the case, it may not be logged to the URL Filtering logs. If that's the case and you can't find it, you can try going to the URL Filtering profile and uncheck the option to "Log container page only". You should also decide to try allowing: *.google.com google.com ... but this can result in allowing more access than intended. Hunting the URL's through the URL Filtering logs would be the best strategy if you wouldn't want to allow too much access to google.com. Once you're done troubleshooting, it is recommended that you check the "Log container page only" option under the URL Filtering profile to avoid excessive logging. Additionally, if the connection is HTTPS, and you have *no SSL Proxy* decryption implemented, the filtering will happen by a wildcard match to the CN presented on the SSL certificate. If that's the case, check out How to Block a Specific HTTPS Site with URL Filtering Mariano. ... View more

Re: Dynamic DNS URL Redirect Control

by in General Topics
‎08-05-2014 04:59 PM
‎08-05-2014 04:59 PM
Assuming the URL is known to be malicious, you could implement DNS Sinkholing: How to Configure DNS Sinkholing on PAN-OS 6.0 An alternative is to set an action of 'block' on your DNS Signature under your Anti-spyware profile. I (personally) also like to configure my DNS server to point to OpenDNS servers and add an extra layer of protection (you can get an account with them, they will tie your public IP to the source of the DNS queries and filter those against their database). That means that you will be covered with both PAN-DB and OpenDNS databases for DNS queries. Hope that helps, Mariano. ... View more
Register or Sign-in
Contact Me
Online Status
Offline
Date Last Visited
‎05-01-2025 01:51 PM
Likes Given To
View All
Likes From
View All
LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2025 - Palo Alto Networks