About Laurent_Dormond

Hello,   We are using a proxy server to control Internet access from internal resources, including the PA firewall. This proxy can only be used to reach external destination. Also, we had to configure the proxy server on the PA device (Setup -> Services -> Global) in order for the PA to perform updates.   Now we would like to use External Dynamic List (EDL), and it seems that the connection to the Source URL is also using the configured proxy server. However our EDL file is hosted in our internal network, also our proxy can't reach this network.   Is there any way to selectively configure proxy server for PA services ? For example having a proxy server configured fo PA updates and no proxy server configured for accessing EDL ?   Kind Regards,   Laurent ... View more

Hello,   We have several of our users that are using well-known Creative Cloud client to download/manage/update/upload/assess/enhance/whatever their wonderfull Adobe softwares (Aftereffect, DreamWeaver, ...)   We have a PA with application-based policies.   We deny all traffic that rely on "ms-update" application by default (because we have WSUS in place and we don't want users to perform OS updates on their own or even unexpected).   The issue is that it seems that a lots of (all?) Adobe CC updates are identified by PA as "ms-updates" traffic. I put that in evidence by issuing PCAP capture on the PA device filtered on the source IP of one workstation that is facing this issue and I saw lots of HTTP GET to *msupdate" as well as *adobe.com* destinations at the same time...   My question is : How to allow Adobe CC related traffic while denying "real" MS updates traffic ?   Kind Regards,   Laurent ... View more

Hello,   It's not the first time that I am facing this kind of issue :   Context : PaloAlto FW with (multiple) userID agents in a single (or multiple) Microsoft domain and user id based security policies.   The User ID feature seems at a glance to be working well, however sometimes UserID seems to "loose focus" on several source IP addresses (users).   For example, at instant t : IP x.x.x.x is identified with user A. Suddently, at instant t + delta t (random) : IP x.x.x.x is no more identified (no more source user). Again after delta t (random) : IP x.x.x.x is identified with the same (or sometimes another) user A   You can see an occurence in the extracted logs below.        We can see IP 10.35.111.103 is identified with source user domain\johnd, then suddently the IP has no more user during around 30 minutes (and appropriate rule is obviously no more matched). And then the IP is associated back with the correct user.   I have seen this behaviour many times with a end customer impact range from "no matter, that seems to be working fine" to "it doesn't work! fix it!", obviously depending of the security policies configuration.   In this particular example, we are running PanOS 7.1.7 on PA-5050 cluster, with UserID agents release 7.0.4.5   Have you ever been facing such issue ?   Regards,   Laurent ... View more

Hello,   We are planning to perform SSL Decryption for overall Web Traffic (we are a public organization of around 5000 users).   We have started several tests by implementing SSL Decryption Best practice like not decrypting "Financial Services" and "Health" categories.   However we are facing common issues with browsers that often states that connexion is not secured. This appears in various manners depending of the browser in use.   Here are some screenshots :   Internet Explorer   WebSite https://www.manor.ch/fr/   SSL Decrypt disabled     SSL Decrypt enabled         WebSite SSL https://www.migros.ch/fr.html     SSL Decrypt disabled   SSL Decrypt enabled     Firefox   WebSite https://www.manor.ch/fr/   SSL Decrypt disabled     SSL Decrypt enabled       WebSite SSL https://www.migros.ch/fr.html     SSL Decrypt disabled       SSL Decrypt enabled       As you can see, a user would think that the connexion is unsecure when SSL traffic is decrypted, thus we can't go ahead and deploy SSL decryption like this.   The certificate used for forward decryption has been signed by our internal CA, and thus is trusted by all the browsers.   How could we prevent this issue to happen ?   Regards,   Laurent ... View more