Multiple things are wrong with this, but I'll take your questions first.

1. Categories is only for http/https traffic URLs? No, it's all traffic.
2. If we modify categories, do you think it can affect the applications? Don't modify the original categories; just create custom ones.
3. On application under the policy created we allowed im, viber-based, google-based. In the PA process, who comes first, the application policy or the URL profile? Everything on the PA is analyzed from top to bottom and from left to right. Therefore, as long as your application is allowed, it will then check your URL profile. If your URL profile is blocking the connection then you still get denied.
4. On logs/monitor traffic, upon checking there's no blocking for the viberpublic address. Never trust the logs from your device; if you haven't enabled logging at start and end it can be off. If you are troubleshooting something, run a PCAP.
5. How can we verify which policy categories are blocking Viber? Look at the URL Filtering logs; they'll have what category it falls into.
6. Any best practice in creating/blocking categories? Honestly, don't do it unless you know what the URL you are going to is actually going to fall under. Including this many block categories, it would have been faster to actually create a list of what you have actually allowed.

Okay, now to the rest. This security policy is all messed up. One, the applications that you are allowing don't include all the dependencies of the applications; you need to look at those and actually include them when you build a policy or it will never work. Secondly, for almost every application you can build out destination addresses instead of running an 'any' rule. Viber Media Inc has the IP addresses 54.225.248.192-255 and 54.225.251.128-255 currently assigned; include those, and if you don't know what the addresses are, build out the rule and allow it as needed.

Third, don't include that large a URL filter with this rule; give it its own rule after you build out the rule actually allowing your IM apps. While you're at it, don't include that many applications at once in one rule; I understand the want to keep your rule count down, but doing so is kinda stupid unless you are actually hitting the policy ceiling. Keep in mind also that the ability to actually create rules by App-ID is delegated to how much visibility the firewall has on your traffic. If you aren't doing SSL decryption then sometimes App-IDs just don't actually work.

On monitor traffic:

1. Why does it sometimes use/choose the other policy and not pol 1, since the IP address and policy 1 I've created is specific only for the workstation IP address and has a higher sequence number than the other policy? You match the first policy that is actually created. If something is going past the first policy and hitting the second, then the policies are not actually the same.
2. What if user1's ID is using the workstation that has the IP address 192.168.1.1; which policy will be preferred, pol 1 or pol 2? It will use the first policy that it finds as a match; once it finds a matching rule it stops looking at the list.
3. Any best practice creating a policy for a specific host or IP? What process are we using to choose IP address over user ID for policy? This doesn't really matter; if you have someone that moves around and needs specific access, then build out their rule based on their user ID. If you know for a fact that one machine with a static address needs access to one specific thing that most others don't, then build it by IP. The big thing to remember is that depending on your User-ID setup you can have a slight delay in when a user ID is actually assigned to the IP that the user is currently using. I would really look at some different articles, read them, and train up on how Palo Alto does things.

All of these are questions that, while I don't think anybody on the Live Community minds answering, you included so many of them in one post that could have been easily researched that taking the time to respond to them isn't something most will do. Try to research your questions first, and when you do have to ask the community a question, keep it shorter; you are by far more likely to get an answer 🙂
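The two evaluation points the reply above makes (top-down, first match wins, and the URL Filtering profile is only consulted after an allow rule has matched) can be modelled in a few lines. The following is an added example written for this page, not the poster's configuration and not Palo Alto code: the rule names, users, the `workstation-1` address object, the app names and the URL categories are constructed, and the only real values are the two Viber Media Inc address ranges quoted in the reply (54.225.248.192-255 is 54.225.248.192/26, 54.225.251.128-255 is 54.225.251.128/25). App dependencies are not resolved implicitly here; a session whose App-ID is not in the rule's app list simply falls through, which is the failure the reply describes.

```python
"""Model of PAN-OS style first-match security-policy evaluation.

Added example for illustration; not the poster's config and not Palo Alto
code. All rule names, users, app names and URL categories are constructed.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

ANY = "any"

# Address objects. "viber-media" is built from the ranges quoted in the
# reply; "workstation-1" is a constructed host object.
ADDRESS_OBJECTS = {
    "viber-media": [ipaddress.ip_network("54.225.248.192/26"),
                    ipaddress.ip_network("54.225.251.128/25")],
    "workstation-1": [ipaddress.ip_network("192.168.1.1/32")],
}


@dataclass
class Rule:
    name: str
    src_addr: str            # address object name or "any"
    src_user: str            # username or "any"
    apps: set                # App-IDs the rule allows, or {"any"}
    dst_addr: str            # address object name or "any"
    action: str              # "allow" or "deny"
    url_block: set = field(default_factory=set)  # categories the attached URL profile blocks


@dataclass
class Session:
    src_ip: str
    user: Optional[str]      # None when User-ID has not yet mapped this IP
    app: str                 # App-ID the firewall identified
    dst_ip: str
    url_category: Optional[str] = None  # None for non-web traffic


def in_object(obj_name: str, ip: str) -> bool:
    """True if ip falls inside the named address object (or object is 'any')."""
    if obj_name == ANY:
        return True
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ADDRESS_OBJECTS[obj_name])


def rule_matches(rule: Rule, s: Session) -> bool:
    """Every column of the rule has to match; no implicit app dependencies."""
    return (in_object(rule.src_addr, s.src_ip)
            and (rule.src_user == ANY or rule.src_user == s.user)
            and (ANY in rule.apps or s.app in rule.apps)
            and in_object(rule.dst_addr, s.dst_ip))


def evaluate(rules, s: Session):
    """Walk the rulebase top-down and stop at the first match.

    The URL profile is only checked once an allow rule has matched, so an
    allowed app can still be denied by the profile attached to that rule.
    """
    for rule in rules:
        if not rule_matches(rule, s):
            continue
        if rule.action == "deny":
            return rule.name, "deny"
        if s.url_category in rule.url_block:
            return rule.name, "deny (url-filtering)"
        return rule.name, "allow"
    return "implicit-default", "deny"   # nothing matched: default deny


# Constructed rulebase mirroring the "pol 1 / pol 2" discussion.
RULES = [
    Rule("pol-1-workstation", "workstation-1", ANY, {"viber"}, "viber-media",
         "allow", url_block={"social-networking"}),
    Rule("pol-2-user1", ANY, "user1", {"viber", "ssl"}, ANY, "allow"),
    Rule("deny-rest", ANY, ANY, {ANY}, ANY, "deny"),
]


if __name__ == "__main__":
    # user1 on the workstation: pol-1 is first and matches, so it wins.
    print(evaluate(RULES, Session("192.168.1.1", "user1", "viber", "54.225.248.200")))
    # Same user from another IP: pol-1 no longer matches, pol-2 does.
    print(evaluate(RULES, Session("192.168.1.50", "user1", "viber", "54.225.248.200")))
    # App allowed by pol-1, but the URL profile on that rule blocks the category.
    print(evaluate(RULES, Session("192.168.1.1", "user1", "viber",
                                  "54.225.248.200", url_category="social-networking")))
    # Dependency App-ID not listed in pol-1: traffic falls through to pol-2.
    print(evaluate(RULES, Session("192.168.1.1", "user1", "ssl", "54.225.248.200")))
```

Run it and compare the printed rule names with what the Traffic log would show; when a session "skips" the rule you expected, the model makes it obvious which column failed to match, which is the point the reply makes about the two policies not actually being the same.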