About bradk14

I don't know about TACACS+ but I've had no issues accomplishing this with RADIUS using either Cisco ACS or Cisco ISE on the back end.   it returns PaloAlto-Panorama-Admin-Role attribute which then maps to a defined admin role. ... View more

the only way I can even think this possible is to use some sort of convoluded method using the API to analyze logs and add client IPs to a block rule after 5 attempts.  you'd have to factor in youtube API if you want to calculate length, but in order to even see a user went to a video directly, you'd have to have SSL decryption, otherwise you won't get anything but the hostname.   ... View more

file block profile?   https://live.paloaltonetworks.com/t5/Configuration-Articles/Blockable-File-Types-and-Their-Associated-Programs/ta-p/56119   would require SSL decryption for full visibility however ... View more

to build on that, you will basically need an internal CA and then deploy the root CA certificate to each of your clients so they inherently trust the certificates that the PA will generate for each site decrypted. Or you can do the same with a self signed cert from PA, but the internal CA is a better option, especially in the long run.   and to add confusion, while you can't just buy a subordinate CA from public issuers, several do offer private/managed services such as Symantec and Entrust, which will let you obtain the right certificate for SSL decryption. ... View more

as I mentioned earlier, while it may sound counterintuitive, Palo Alto AppID is able to identify some apps even when SSL is not decrypted. Obviously it can't inspect traffic, but it can use other environmental aspects to help categorize traffic. PA won't disclose all the attributes AppID uses, but obviously if someone is going to youtube.com, they're likely using the youtube-base app.   You can witness this yourself in the PA traffic logs. ... View more

admittedly I didn't scroll all the way down that far to see the trusted CA, so I apologize.   in any case, again, it's hard to see what the cert errors being presented are just by the screenshots provided. there should always be a padlock for sure. the green bars/URL are because it's an EV cert, which PA is not generating, so that's why the green bar goes away. other icons indicate partial encryption, which is often because the page refers to non-https resources.   ... View more

without seeing the certificate details, I can point out that there is an inherent issue with SSL decryption in that what you are doing technically is performing a Man-in-the-Middle attack, replacing the site's real certificate with one being supplied by the firewall.   The first question is did you supply a certificate with resigning capabilities to the Palo Alto firewall for SSL decryption or are you using a self-signed certificate?   In either case, the clients need to be able to trust the self-signed cert or the cert's provider as a trusted root CA to avoid errors. What's happening is the PA is regenerating a new cert to present to the end user's browsers which claims to be from the website, but the browser needs to be able to trust the entire chain of the cert so that someone else without authority didn't create a false certificate on behalf of the server.   I'm not sure if that's making sense, but if there is a warning that there is a problem with the site's certificate, that is why. also there are varying levels of SSL certificates, the most trusted will change the address bar to green (depending on the browser). there isn't much you can do about that. ... View more

good you got it figured out. one of the well documented banes of AppID and web browsing.   for future reference:   https://live.paloaltonetworks.com/t5/Configuration-Articles/After-Configuring-SSL-Decryption-Web-Browsing-Sessions-Do-Not/ta-p/53040 ... View more

>gives you some really nice information even if you're not planning on migrating to anything.   this, including the ability to edit multiple policies at once. ... View more

@reaperthanks for clarification on the databas   @BPryhalf truth on my part. I know where you're coming from, that's called job security for me. nobody reads error messages or how to use google if they do. but truth is that in my environment, there's never a commit without warnings (of course if you don't address them, they won't go away), so that I have warning fatigue. On the rare occassion there's a failure, it usually takes me 2 or 3 commits to even notice. but when I do notice them, I do read them. promise. ... View more

I'll leave it to someone else to address your layout cuz as far as I can tell it looks alright to me but it's not really my thing.   But yes, as HA, the configuration you make to one will sync to the other, so they will be duplicate configs. So your interface type on one PA will be reflected as the same on the other. Assuming you are making the PA a next hop, they'll all be L3 and it will use the same IP on the interface for both units (again, you are configuring just one unit and it will sync config to the other).   All that said, obviously the two PAs will have separate management configs. different IPs for the management interface and different hostnames, etc ... View more

your issue is very vague. if you are talking about the same website on multiple computers, the first thing to check is to see if each computer is hitting the same rule for the same website in the traffic log. if so, you should also look at the reason for the session end, if it's a tcp-fin or timed out or a reset of some sort. also consider the threat log if you have a threat prevention policy in place. you also need to consider if all computers are using the same browser/version.   there are many places something like this could go wrong, but unless your rules are applied subjectively/unevenly, the firewall is probably the least likely source of the issue. ... View more

what's a warning? I hardly ever read failure messages. ... View more

from the CLI, show session ... will show the original and translated IPs, but that's on a per session basis, of course. so anything static wouldn't show unless there was an active session. ... View more

Maybe it's just me, but I'm a little confused by the question. Security Policies and Decryption Policies are two separate entities, so one should not be directly affecting the other.   Would probably help by reviewing your Decryption Policies to begin with. ... View more