About bradk14

it depends on which field you are looking at. the URI request which is what I probably would have used in this case is the GET (or POST) line. it wouldn't have http in it. I'm not even sure if the traffic itself would ever actually even have http in it. http:// specifies the protocol to be used, but the actual transmission (e.g. the headers) don't mention http.   in any case, I would start really simple as I mentioned earlier. PA seems to be ultrasensitive about its regex patterns.   I'm still not very hopeful for you in this case, to be honest. even if it does work, I think blocking all IPs is a bad idea and alert is would be fine, but obviously not as effective. the EDL's are pretty much mandatory IMO. PAN-OS 8.0 even comes with a couple of malicious EDL's pre-defined. ... View more

you should just be able to rename the zone itself. the policies reference a pointer, like a number/index, not literally the name itself. the only thing i believe that wouldn't be affected is historical data (i.e. the logs).   if you need both old and new zones in parallel for some reason, I don't know of a search/replace functionality per se, but you can always export the configuration as an xml file, open it up in notepad++ or something like that (xml is just basically text in a format like html in case you didn't know), search/replace and then import it back in. just take the necessary pre-cautions, of course. ... View more

if I understand you correctly, you can't really just send HTTP traffic destined to port 80 to 443 and expect it to work. HTTP =/= HTTPS.   I don't know if it will work in this instance, but what you may what to consider trying is:   1) set up a dummy HTTP server somewhere on the inside to listen on port 80 2) configure the HTTP server to redirect to your portal url on port 443 (and https) 3) configure destination NAT port forwarding to take traffic destined for the untrust interface on port 80 and point it to the dummy server from step 1.   if #1 is too much of an investment, maybe it's possible to redirect to an external hosted cloud server like from digital ocean which would run you $5/mo. or leveraging a device like an F5 would make this possible.     ... View more

depending on how specific (or generic) your rule is, have you tried the test security-policy-match command to see which rule your traffic expected based on the policy is actually hitting? it may be shadowed, tho it should report that as a warning when committing. ... View more

sorry if I was confusing, bottom line is I _don't_ think it will work because of the 7 character non-regex minimum.   you can try something even as basic as .*[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+.* which won't do any IP validation (but arguably http://999.9999.999.999 wouldn't work anyway), but you'll get the 7 byte error.   this is from the tech doc:   1. Every pattern you create must contain at least a 7-byte string with fixed values. o The 7-byte fixed string can be anywhere in your pattern. o The 7 values must be fixed, this means no ‘.’ (dot), no ‘*’ (star), no ‘+’ (plus), or other wildcard characters within the 7 bytes.   ... View more

in theory, your plan should work. however there are several caveats, the main one being that when it comes to creating a custom threat object, PA requires a minimum of 7 bytes/characters that are fixed, presumably to minimize the potential of false positives.   I don't see any method of detecting the traffic where you have the required minimum of known characters.   beyond that, there are additional caveats such as that you won't see any it on HTTPS traffic unless you have SSL decryption.   I also feel like while every little bit helps, it may lead into a sense of false security. most malware AFAIK does in fact use domain names, often they are even 'dynamically' generated.   My advice would be to opt instead for the use of EDL/DBL lists and credible threat intelligence feeds and security policies to block them. Many feeds will provide IP based lists in addition to domains, although blocking IPs vs domains has its own caveats to be considered. ... View more

there may be a more direct, better way, but what immediately comes to mind to me is if you have a threat prevention license and these are actual CVEs already known by PA, you can configure the vulnerability protection profile to have an action of Block IP which will shun the offending IP for up to an hour.           ... View more

so then generate a new certificate, making sure you don't check the CA button to create and export the CSR, run the CSR through your enterprise CA and then import the resulting public key.   https://live.paloaltonetworks.com/t5/Featured-Articles/How-to-Generate-a-CSR-Certificate-Signing-Request-amp-Import-the/ta-p/53593 ... View more

>What has been your experience with the real world throughput of the Palo Alto firewalls you manage?   I wish I had a scientific answer for this, but I don't. What I can tell you about what you've been told (and I'm probably just regurgitating information) is this. First, AppID is always active. This is the core concept behind the Palo Alto NextGen firewall. The rule of thumb is that when Threat Prevention is enabled (in any capacity), the total theortical maximum bandwidth is halved, give or take. The argument about the HTTP testing is because Palo Alto wants you to know that their measurements come tests that simulate real world traffic, it's not pure bytes as there is tremendous overhead in typical TCP traffic, so PAN's philosophy is to base tests on the worst possible conditions in an effort to produce a number they feel comfortable with as a result. In reality, the boxes should be able to handle more than promised, as they'd rather undersell the product and leave customers happy rather than oversell and make customers upset.   >What did you use to judge the performance of the devices when the numbers given during sales pitches are coming from ideal conditions using small transactions?   The only real world information I can share is I have a 220 at home and the promised throughput with Threat Prevention is 150Mbpbs and it hasn't affected my 100Mb connection at all (I just ran speedtest.net and it peaked at 111Mb for me).   >What has been your Palo Alto tech support experience? Are they so big that wait times to get the right engineer are in the hours even before a call back (think Cisco) or do you get an engineer right away?   I can directly compare Cisco ASA support to Palo Alto support and I know exactly what you mean. With Cisco, you can get someone on the line by calling them and making it a level 1 or 2 call and waiting on hold for 10-15 minutes after going through the negotiation process with the non-support agent that answers the call. With Palo Alto, you call and the person that answers the phone is the one who will help you, and they aren't a level 1 type person either, they generally know their stuff. It hasn't necessarily been 100% with me, but I wouldn't hesitate to say I have at least a 90%-95% satisfaction rate with them. I've never had to wait for more than 5 minutes to get someone from PA on the line.   For lesser, maybe less technical issues, my SE has been tremendously responsive as well.   >Comparing support costs to other vendors such as Fortinet, Palo Alto firewalls are 3 to 4 times more expensive, but do you think it's been worthwhile for your business to stay with Palo Alto over any other vendor?   Even though in my environment, we have Checkpoint, Juniper and ASA (in the process of migrating completely to Palo Alto), my only real experience has been with ASA when it comes to firewalls and it really is night and day. Based on my admitedly limited experiences, conceptually, I think PAN is second to none on just about every level (probably including the high cost). Whether or not the investment is worth it, is completely for you to decide, but you can buy into the 220 lab version for a very modest investment and see for yourself.    And just to add, another massive strength for PA is WildFire (cloud version, not on-prem). I've heard SEs and reps from other vendors (including those from competitors) commend WildFire as a viable sandboxing technology. ... View more

if I am understanding everything correctly, if you've already generated the CSR on the PA and thus it already has the private key installed, then yes, just import the public key from the CA. The PA should marry the two automatically.   ... View more

As per   https://www.paloaltonetworks.com/documentation/80/pan-os/ua-80-release-notes/user-id-agent-8-0-release-information/operating-system-os-compatibility#_49172   The User-ID agent is compatible with PAN-OS 8.0 and earlier PAN-OS releases that are still supported by Palo Alto Networks.   Obviously you may not gain any additional functionality that requires PANOS 8, but should still be compatible. Also the minimum Windows Server version has been bumped to 2008.   Same rules should apply to GlobalProtect (and I believe PAN-OS 8 requires 4.0.) ... View more

Captive portal would require successful authentication which means accounts have to exist somewhere. I don't know of any off the shelf solutions that you can plug in (there may very well be one), but you could probably fairly 'easily' create some sort of homebrew solution such as a registration service (that you could link to from the captive portal page) that could accept the mobile number as an input (and whatever else) and possibly even tie integration into an SMS service such as nexmo so the user would receive a one time code to validate the number, then create a temporary account in a database and use that to authenticate against Palo Alto via LDAP or whatever.   that's what immediately comes to mind, though what usually comes to my mind immediately is often overlooking an even more simple approach.   ETA: If you went with the SMS approach, you could probably even have the backend script automatically update PA's UserID via the XML API directly, then redirect back to the internet where hopefully PA has the user already identified.   If the user has javascript enabled, you could probably avoid the captive portal page altogether by simply setting the window location url directly and redirect to the custom script without user intervention. ... View more