About Brandon_Wertz

I just got this error msg on 11.1.0 after upgrading. I did this "debug software restart process log-receiver" and commit works. ... View more

All services / subscriptions of a firewall for the hardware at least (strata) are 20% of list price of the product annually. You can google the product and get a list price pretty easily.   Threat = 20% list price  Advanced URL = 20 % list price Wild Fire = 20% list price Support = 20% list price ... View more

<I'm not a palo support person> You can request a domain recategorization at this Palo website.  It usually happens within 24hours or so. https://urlfiltering.paloaltonetworks.com/ ... View more

When you say you allow "voip" traffic, what's the actual application?  Is that application the only defined application on the rule?  When you say "A to B" you have a defined source and destination IP objects/networks?  As for the service (ports that are allowed and also not matching), are you certain the service object you're using isn't a service range?   To confirm you're saying the rule looks like this? Source --> 1.1.1.0/24 (internal zone) | Destination --> 2.2.2.0/24 (internet zone) | Application <defined application> (not app any) | Service --> <specific ports defined> (Service 'Any' not selected in the drop down, as well as tcp/udp is defined on the service)   You're saying you have these options configured and you're seeing a port being allowed on this rule from a session allow / end? ... View more

Gotta admit I didn't read the comments from the past 4 years in this thread... You're still having the same issue, not being able to split-tunnel certain traffic I'm guessing?  What PAN-OS version?  What GP client version?  What's the config?  And what you trying to split out? ... View more

Great to hear you'll be ok and I was able to help ... View more

For clarity, Premium and Platinum are your support levels.  Focus Services is a different beast, and itself isn't a support level, but rather is an enhancement of your overall support. IMO, Palo's support overall has been abysmal over the past 3 to 4 years.  Their answer is to buy "better support" to get a level of service a person would normally expect.   To your question, the costs, like was shared by @BPry the factors which come into play that create the true cost are truly unique to each organization.  Ultimately your costs will be directly tied to the type of products you have and the quantity.  Also factored into the cost is your support level, Premium versus Platinum. To try to give you a number it could be 5 to 7 figures+ it truly depends on the customer environment.     ... View more

Yes, also both 10.2.X & 10.1.X (P) having logs issues as well. waiting for new release will be available in Jan/24 to fix the process stopping for log-receiver in local firewall.   ... View more

Yeah, there are ways, like creating an application filter that targets newly released applications and allows you to create policy, but that's really a guessing game.  Disabling newly released apps is also a way, but that too is just kicking the can down the road and doesn't really allow admins to understand the change of policy implications on their security policy. None of the existing options, IMO, were what you'd expect from a firewall security appliance.   This new feature squarely hits the target on what admins need to do to properly address application changes in a secured way. ... View more

Kind of, but not really.   The external side of our FW is all L2.  We have multiple L2/L3 segments on our WAN/INet beyond the FW.  There are 2 Border routers beyond the firewall own the L2/L3, which the firewall sees as the WAN.  The BRs are EIGRP neighbors with HSRP for the multiple L2/L3. So in the NAT policy we just "picked" a "random" L2 network as the egress interface, because for us it really doesn't matter if it's the "right" or matching ingress interface because the BRs own all of them.   So the BRs have: WAN-1 (WAN-Zone) WAN-2 (WAN-Zone) WAN-3 (WAN-Zone)   The FW participates in WAN-1, WAN-2, WAN-3 from a L2 perspective.  The ingress might have come in on WAN-1, but the NAT might have said egress = WAN-2, and it worked because the next hop was the BR which has/knows about all those L2 segments.     But with palo "fixing the bug" the egress NAT interface needed to match the specific interface even though they are all a part of the same zone.. ... View more

I recently had this very issue and there's 2 ways to fix it.  By default Aruba ClearPass doesn't send a timeout value to Panorama for authenticated sessions, it assumes you want to use the locally configured timeout value on Panorama (firewalls) which is in: Device --> User-Identification --> (Gear/Setting Icon) --> User Mapping --> Cache   Or   If you want the timeout value to be set via XML from Aruba add timeout="XXXX" (where X = number of minutes for the FW to store the user to IP association) string the XML code being sent to the FW.   This KB shows an example:  https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClXyCAK  ... View more

Le piratage sonnerie telephone est un gros problème dans le monde entier, mais surtout en Asie. Certains sites de sonneries vendent des sonneries créées avec du matériel protégé par des droits d'auteur sans verser de redevances aux maisons de disques ou aux éditeurs de musique ... View more

is there any eta when it will be fixed, as this conflicts with my dynamic no-ssl-decrypt groups, the policy works and the traffic is marked and supposed to be bypassed for decryption but it hits the allow policy but "end reason - policy deny" ... View more

I had the same issue however you can install browser extension to change it to dark mode    ... View more

Just wanted to weigh in that I'm having this issue too, is there a command-line or GUI command that can reveal overridden items locally on a firewall? ... View more