About camkim_MDEA

3.1.8 suffers from an issue where PAN can start classifying all websites beginning with www as unknown. It was fixed in 3.1.9. That might be what you are seeing. ... View more

If we roll back from the threat updates dated 5/3, is that a temporary workaround? Been on hold for 15 minutes, trying to talk somebody about this. ... View more

Besides the obvious contention of whether its good to use different domain credentials to map drive letters, the PAN is doing exactly what its supposed to. The PAN Agent scrapes the security logs of domain controllers, of the userid and machine that successfully logon to the domain. If a user logs on a PC with domain\userid and then has runs a script using domain\otheruserid, then there would be two entries in the security logs and the latest one would be the one that is valid. I can think of a few ways to get around this, but it would be a pain and overall not a good option. One would be to use local machine credentials when mapping drive letters (which would not create logs on the DC) Another would be to extend the timeout to a length just enough so that once it determines credentials for a host, it won't check again for 8 hours. ... View more

Running a pair of 500's on 3.1.7, I also see this occasionally. Not sure of the cause either, since it seems to occur randomly. In the most recent case, It's been over 3 weeks since the last policy change and it was fine for the majority of the 3 weeks. ... View more

There could be a couple reasons for this, depending on how your PAN is setup. (these are not necessarily in any order) 1) Do you have the appropriate user subnets listed in the correct security zones? 2) Are the correct security zones applied to the correct interfaces? 3) Do you have multiple virtual routers or just one? 4) If only one virtual router, you should have the static routes defining each of the user vlans AND have the gateway of those networks point to the L3 switch. 5) NAT rules? The way I built our PAN config is similiar to our checkpoint configs. We start out with creating network objects of all the networks that we support. Then create logical groups with those networks. Then apply the groups to the right security zones. Use the logical groups for NAT rules as well. ... View more

Hi Renato, Your last statement made more sense. (and that worked). Our default security has a url filtering policy enabled that doesn't allow the category "WebMail". In the end, I allowed login.yahoo.com as an allowed URL, while mail.yahoo.com was blocked due to the url filtering policy of WebMail being blocked. ... View more

I wished Palo Alto would have published the existence of said tool and/or posted it in the community for use. Would have saved time in recreating all the objects. ... View more

for the whitelist, I ended up just adding the url *.domain.com to allow connections to wildcarded SSL hosts to work. However, I think PAN should work on a better method of identifying the actual URL, rather than the listing the wildcard SSL in the logs. ... View more

Unfortunately there isn't too many real-time tools int the GUI. Even when we have the Smartmonitor in Checkpoint, we tend to use our netflow monitoring, combined with firewall logs to pinpoint offenders. I'm thinking we could do something near realtime with a combination of log exports and Splunk. If I am successful, i'll post back. ... View more

Renato, Are you saying that I should open the webmail category, but leave the yahoo mail application out of the allowed list of application to get access to the yahoo portal? Isn't a deny application the same as not including it in the security rule? ... View more

we allow web browsing, but deny the category of webmail. However it needs access to login.yahoo.com which is classified as webmail, in order to access the yahoo portal. ... View more