About Brandon_Wertz

@Roby_Sreejith   I've had this same issue, talked through it here:   https://live.paloaltonetworks.com/t5/General-Topics/Dual-NIC-IP-Mapping-Issue/m-p/5936#M4320   The issue is a Windows OS problem.  I had a ticket with Microsoft that took over a month to get my answer to.  When not using specific proxy settings IE will not pass login credentials to FQDN URLs as a security feature.  You need to specifically tell the OS to allow credentials to be passed to the FQDN URLs you want.   Further, if you are dual connected, there's no gurantee the Windows OS will send traffic down one adapter versus another.  While the wired adapter SHOULD be used before the wireless if you do a 'netstat' you will likely see connections out to the Internet via both adapters.   Essentially Windows can't know what's Intranet and Internet, because of this it just assumes anything via FQDN is Internet, hence the need for the bypass.   Once that issue is resolved then you can tackle the various remedies Palo has at their disposal for capturing credentials    At my company we've got about 25k domain users with around 12-14k logged in at any given time.  UIA with WMI probing captures around 12k users and CP (With the NTLM challenge / portal redirect) around 400.   This seems to work about 99% of the time for us, but we occasionally run into issues getting attribution for some clients. ... View more

when you have an account on the Palo Support site you can enable your account to receive e-mails.   If for one reason or another they aren't getting / can't get the e-mails you can always set up a rule of your e-mail client to forward anything from "updates@paloaltonetworks.com" to your customer. ... View more

I'm guessing your customer got affected by Content-ID 596?  Is your customer running PAN-OS 7.1.X?     "The best way would be to install manually these apps&threats updates, right?? "     Well the "best way" is subjective.  What's the "right way" for your customer?  What are there needs, what are there requirements?       This package is usually updated on Wednesdays.  You can have your customer set it to automatically updated every week on a Friday.  This would hopefully provide enough of a window where if the content released on Wednesday had a similar issue in the future the package could be removed before it was pushed to them.   There are a bunch of different implementation scenarios, but all require someone thinking about what's best for their enviornment. ... View more

For the sake of arguement:     Rule 1   Trust --> Any IP --> Security Group A --> UnTrust --> Any IP --> Application Web-Browsing --> Application-Default --> Any URL Category  --> Allow  --> URL Profile A  (Block Everything) / File Blocking Profile (Can transfer .pdfs only)     Rule 2   Trust --> Any IP --> Security Group A --> UnTrust --> Any IP --> Application Web-Browsing --> Application-Default --> Any URL Category  --> Allow  --> URL Profile A  (Allow Everything) / File Blocking Profile (Can transfer .pdfs only)     Rule 1 will shadow rule 2 because it's the same base session match criteria.  The application web-browsing will be allowed but the palo doesn't know which rule should "hit" WRT your URL match criteria.     Really the easiest way to do what you want is to do as Raido said.   1.  Create a Custom URL category (Call it whatever "Meeting") --> Add the URL download.citrixonline.com 2.  Create a File Blocking Profile ("EXE Allow") --> Allow exe files to download 3.  Create Rule     Trust --> Any IP --> Security Group A --> UnTrust --> Any IP --> Application Web-Browsing --> Application-Default --> "Meeting"  --> Allow  --> NO URL PROFILE / File Blocking Profile "EXE Allow"   have this rule be above your "Security Group A" "Web-Browsing" rule.  This above rule will only allow users access to the URL "download.citrixonline.com" and will allow them to download .exe files.   ... View more

The work around is a roll-up or integration of all match conditions and desired accesses/restirctions for the desired user security group. ... View more

Palo is a "top down ACL" so if you're using all the same parameters except just chaning a profile the rules below the one above should be shadowed and not hit.   When you committed did you get a "shadowed rule" warning message? ... View more

@clonesheep This should be what you're looking for: https://live.paloaltonetworks.com/t5/Learning-Articles/Video-Tutorial-How-to-configure-URL-filtering/ta-p/59300   Essentially you just need:   a URL subscription service and a URL profile applied to the desired security policy.  There are tons of other variables though that might needed to be added or tweaked based upon your desired controls. ... View more

In the stirctest sense the Palo firewall cannot replace a Web Proxy.  It can replace a web content filtering service.   Web proxies can perform URL re-writting, among other thing, and are a true MITM that afford significant caching of content.  Like Raido has described if all you're wanting to accomplish is WCF replacement the the palo can 100% replace that appliance. ... View more

IMO Palo hasn't done a very good job with the stability of the entire 7.X.X train of code.  7.0.0 was completely deferred and 7.1.0 -.2 have been riddled with certificate/SSL issues among other things.  They could do a lot better,   All that being said if you're in the position to have the responsibility to own/manage the firewall service in your organization then it's your responsibility to ensure the code is right for your production enviornment.  Look at the new features being offered by the new code release then weigh that business requirement against potential risk of service impact if the upgrade doesn't go well.   Are there a lot of bugs identified in the current 7.1.2 release, 11 pages of bug-IDs in-fact.  That in-it of itself stands out as a reason to not upgrade to it.   Sure we should hold Palo accountable for providing a code release that creates a service impact, but at the end of the day we're the ones accountable to our employers for the service outage if we deploy a prorduct with 11 pages of bugs. ... View more

@BPry you only have a TAM if you have preimum plus service support ... View more

@nikoo What platform?  I've got similar issues, but it only occurs when trying to view logs in Panorama on logs fed from my 5060. ... View more

Licensing costs are simple 20% of list...Per licensed feature. ... View more

I haven't done it, maybe others have and can provide realworld info on the subject.  However as I understand it, you're only going to run into an issue if you implement/use some new policy feature that exists in version 7.0.X that didn't in the prior 6.1.X version.   So as long as you're just doing a simple upgrade and not implement anything new a revert should be ok.  Again, that's just my basic understanding. ... View more

Depends on what version of PAN-OS you're on.   From version 6.1.X on, you're good.  Follow these guides  (Essentially you'll just want to create a custom URL Object and use it in policy based upon how you desire to allow or deny on a case by case basis:   https://www.paloaltonetworks.com/documentation/61/pan-os/pan-os/url-filtering/block-and-allow-lists#14516     "For example: If you want to prevent a user from accessing any website within the domain paloaltonetworks.com, you would also enter *.paloaltonetworks.com , so whatever domain prefix (http://, www, or a sub-domain prefix such as mail.paloaltonetworks.com) is added to the address, the specified action will be taken. The same applies to the sub-domain suffix; if you want to block paloaltonetworks.com/en/US, you would need to add paloaltonetworks.com/* as well."   https://downloads.paloaltonetworks.com/software/PAN-OS-6.1.0-RN.pdf?__gda__=1465314609_557613dbafd2ac5ed438dd389a7f9018   "PAN-DB can now categorize content down to the page level instead of just at the directory level. Because the pages within a domain can belong to multiple categories, this capability provides increased accuracy in filtering content and prevents potential over-blocking of web content. If, for example, you block malware and allow access to business/ news content for users on your network, they can access http://www.acme.com/c/news.html because it is categorized as news/business, but be denied access to http://www.acme.com/c/malware.exe because PAN-DB categorizes the full-path for this web page as malware. "       ... View more

Though it's not from a Palo UI.  Here's what a "netflow" type report could potentially look like:   ... View more