About bradk14

so I'll indirectly answer this question and hopefully this will rock your world.   # show will display the candidate configuration, but by default, it's in XML format. so _outside_ of configure mode (for some reason), run the following command:   set cli config-output-format set that will set the show output to set commands. now when you run show in configure mode, you will see each entry in a clear, easy to use CLI syntax. You can actually use the service parameter to see just the services.   admin@PA-220# show service set service service-https-mgmt protocol tcp port 4443 set service service-ssh protocol tcp port 22 set service service-plex protocol tcp port 32400 not only does this show you all the custom services (note the predefined service-http and service-https are not displayed), but it gives you the exact syntax to add additional ones via the CLI. If you have a lot of services, you can also supplement the command with | match <filter> at the end so it shows only matching service objects.   admin@PA-220# show service | match "tcp port 22" set service service-ssh protocol tcp port 22 so to answer your questions, if you create a service object with the same name as an existing one, it will let you and just overwrite the existing object's values. if you create a new service object with a different name but the same protocol/port, it also well let you.   my sage advice is to keep it simple and develop an administrative policy so that service objects are simply named for their protocol/port, such as tcp_22. using app names like I have before helps read better, but unless I also plan to have a service-sftp object, I'm just going to create a lot of unncessary 'duplicate' objects. ... View more

I never reported it. I suppose I should, but I just sort of accepted it for what it was. There's a lot about the DHCP server that I don't care for. It seems like an afterthought, but it's really not even the primary function of the firewall, so I cut it some slack in that respect.   ... View more

I have the same issue on 8.0.1           ... View more

yes, definitely applies to 7.0+ (and 8).   you may also want to seek out the free self paced training for Panorama in the Palo Alto Networks Education website. the whole thing is just 2 hours or so, but there's a section on template stacks which helps demonstrate how the policies are applied when using multiple templates. ... View more

not sure I follow. if we are talking about the unknown-udp app, I don't think it applies here. it has nothing to do with session matching (or lack thereof). it has to do with not being able to associate the traffic with an otherwise known app.   if you want more information on that, this article by @reaper should help   https://live.paloaltonetworks.com/t5/Management-Articles/Pro-Tips-Unknown-Applications/ta-p/77052 ... View more

don't quote me on this, but it should just be dropped.   if there was no session generated for an outbound DNS request, a stateful firewall would not be able to open the port for the received s2c traffic. it gets even more convoluted when you factor in dynamic ip and port natting, assuming you aren't using public IPs on the inside. most of the time, DNS servers are going to see your public IP, presumably the IP of the untrusted interface, so the best they could do is spoof that as the source IP to generate a response from a DNS server. that would then hit the PA, which would have no session to reference who to forward the response back on to, so it should just drop it.   if anything, it should count against a UDP flood attack and be covered under the zone protection file, assuming you have one configured and applied to your untrust interface.   if that makes any sense. ... View more

I'm assuming you have a RADIUS server as a back end for wireless authentication? If so, are you sending the username/ip combinations via syslog to the PA User-ID? or how is your User-ID configured currently to get username/ip? After they move, are they coming in as unknown or the wrong user? is their IP address changing? Do you have a captive portal policy in place?   I believe the LDAP connection only applies to looking up usernames and group memberships for the use of User-ID in policy, it shouldn't have anything to do with mapping, so not sure Novell vs AD is the situation here, nor may switching to AD be the answer for this specific problem (it would help with the mapping, however, when a user logs in).   ... View more

same result for me using jperf2.0.2 from the Google Code archive. your app/threat content is current? you are using the default port of 5001?           ... View more

I just tried it using the iperf3 64 bit windows binaries from https://iperf.fr/iperf-download.php and it matches on 8.0.1    can you offer more specifics on what you're using?     ... View more

so I need to ask. is this a production environment? even if you are using private IPs for a machine, you usually wouldn't want the untrust to be able to access the trust network in a traditional network environment. if any machine on the 10.1..1.0/24 network gets compromised (or whatever the subnet mask is), it has unfiltered access to all machines on that same subnet (save for host based firewalls). even if your trust zone is subnetted, the default PA rule allows traffic between same zones. all this can be worked around of course, but best practice would be to have a DMZ zone where you can at least have a tighter control on access.   okay, soapbox aside...   the general rule here is that on your security policy, you use pre-nat IPs and post-nat zones. So in this example, your security policy should be something like:   source zone: untrust source ip: any destination zone: trust destination ip: 99.99.99.13   without seeing it laid out from the GUI, your destination NAT sounds correct, however.   https://www.paloaltonetworks.com/documentation/70/pan-os/pan-os/networking/nat-configuration-examples#_58788 should help. ... View more

Hi and Thanks for stepping in, which option won't drop the netowrk or at least would bring it down for couple of minutes, also which one is revirsable if something went wrong? neither should bring the network down. what you are effectively doing is taking away Panorama's ability to dictate policies with the second option, but it's still actually connected and reporting to Panorama as far as I know.   I'd think option#1 will be better, but how to tell the post or Pre rules?   easiest way is to create a local policy. if it shows up at the top, then you can override Panorama as you wish. if it's at the bottom, Panorama will enforce its rules first. And of course it can end up in the middle if Panorama is using both pre and Post rules. ... View more

There are a couple of options.   First (and probably most preferable in your case) is to determine whether the Panorama policies are Pre-Rules or Post-Rules. If they are Post-Rules, you should be able to create your own policies on the local firewall which will effectively override Panorama rules as it's a top-down, first match approach.   If that's not an option, you can indeed prevent Panorama from affecting local policies, at which point you should have the option to import/copy the Panorama policies into the local firewall.   I would advise reading this document before making that decision: https://live.paloaltonetworks.com/t5/Management-Articles/Disable-Panorama-Policy-and-Objects-Disable-Device-and-Network/ta-p/76539 ... View more