About Brandon_Wertz

FYI: We push our cert out to Windows machines with group policy, iOS devices with our MDM solution (Airwatch), and to our Chromebooks with the Google Mgmt console. That only leaves personal devices (byod), so we put the cert up on our web site with instructions on who to install it. ... View more

Cheers Brandon  ... View more

Thanks, looks like we have to go down this path as well. ... View more

@Brandon_Wertz Thanks! I've actually had the server setup for a while, evidentally I never actually enabled it on any of the interfaces however.  ... View more

@Brandon_Wertz it's been there for as long as i can remember.... 😉 (so PAN-OS 3.1.4 and after) ... View more

It's a good thought but we already have a Guest regristration process, and honestly I'm not certain how captive portal would play into the "continue" function.   I ended up opening a ticket and found the issue.  It makes sense, but I didn't realize SSL interception was necessary for the "continue" function.   For our non-corporate networks, BYOD, we obvious can't intercept that traffic.  Since the sites I was trying to force through continue were SSL I was getting SSL protocol errors in the web browser.   I guess there are some other settings that were required which I already had configured except one.  Via CLI I needed:   ssl-decrypt url-proxy yes   This allows any website to be processed for interception (only for  which allows the continue function to work.  The one caveate to this is BYOD get the MITM cert error because we're using an internally signed cert for interception and they don't have our root cert on their device.  However in our case that's fine, because we'd rather make them click to continue.   --EDIT--   "continue" breaks applications.  So for instance you want to continue Facebook, well doing so breaks the application on a smartphone.  So just an FYI for someone trying to do so on BYOD. ... View more

Thanks for the response @reaper.  Seems like moral of the story just use the firewall to request the change. lol  Issue with that though is there's no e-mailed response. ... View more

Anyone else use this?  Anyone have info on the formatting (nested applications?)  Also any idea why it's disabled by default? ... View more

Thanks much! Didn't realize that I could actually use a custom URL Category to this affect.  ... View more

Yeah, like @Hithead said the application wasn't allowed, your logs state the connection was reset once Palo was able to identify the traffic as Ultrssurf.   In most cases Palo will "allow" the traffic to pass, then an application shift occurs and once that shift happens the traffic is stopped.   How long was the total session (packets)?  From your screen shot, to me 3 seconds wouldn't be long enough to really get passed your security policy. ... View more

Thanks! I started to look into this a little more and found a petter article than what I was seeing previously. Our system engineer just asked why it was hitting the DCs so often since he had to allocate more resources to them; I didn't have the answer since I thought the probing setting was when it was going out to the server and requesting the user-id information, not every 2 seconds.  ... View more

Hi Eddie,   Could you not use destination NAT to allow your clients to check in/upload externally? Or preferably you could use an always-on VPN back to your internal network that your clients establish? I'm not sure on the requirement to have the server accessible from outside the network?  (maybe I don't have enough traps knowledge) I understand that the traps clients would still function and be protected if they are not connected to the server.   Ben     ... View more