About mharding

It's probably due to the Device/Network vs Object/Policy config. The lock must only be honored when making changes to the object/policy side of the config. When you add a new user, you're modifying the device config. It would be interesting to see the results if you added the object first, and then tried to create a new user. ... View more

There isn't a target command in Panorama. Must be VSYS related. ... View more

Do you have your HA licensing, and have you ever configured your cold spare? ... View more

Would that approach be a viable option for a migration in large enterprise environment with a lot of firewall rules allowing proprietary applications where no signature for AppID exists (inhouse application, niche applications). At least for a transition phase until a custom AppID definition can be created or research can be done what is actually transfered over the connection (may be with help of the log or reporting). Talk to your SE. They might have a migration tool to help you get from your current firewall to the Palo Alto. But yes, that's the way I did it way back on PAN-OS 2.0. Then you can use the custom reports to see what apps are actually being used (and that you approve of) and you can start setting them in the security policy. Another question: Web Server in DMZ hosting web sites, which application would you use here to allow connections from public Internet to the web server in the DMZ: web-browsing? That sounds inappropriate but there is no web-hosting application in applipedia? It would be web-browsing. Web-browsing is the parent app for HTTP requests. (You have to be careful. You may have child apps like hotmail and web-crawlers accessing your website that be blocked if you just allow web-browsing.) ... View more

I concur. I bet we'll see an update to the HTTP-Tunnel app in the coming weeks. ... View more

What version of PAN-OS do you have installed? What's the message you're getting in the System logs? I would search the logs for ( eventid eq auth-fail ). ... View more

When you set the application to any and just define a port, it acts like a basic firewall. Not matter what application is being used (DNS/SMTP/Web-Browsing/SSL), it's going to be allowed as long as it's using the defined port/service. Application Override policies bypass the App-ID engine. An application override policy is used to change the way the firewall classifies network traffic into applications.  An application override with a custom application will prevent the session from being processed by the App-ID engine, which is a Layer-7 inspection. The firewall is forced to handle the session as a regular stateful inspection firewall at Layer-4.  If an existing application, web-browsing, for example, is used in the application override, the rule will force all matching traffic into Layer-7 inspection for that specific application. An application override could be used wilth custom internal applications that use non-standard port numbers or internal applications that are classified by the firewall as "unknown" and custom definitions have been created for them. Application Override and Scanning Engines ... View more

The XML-API backup works fantastically. ... View more

I second the internal WSUS server. Much easier to work with Internally. ... View more

Same issue on 4.1.7. One of our 2050s became complete unresponsive on the management side. Data plane side worked great, and continued to flow traffic. Although I think I was having some issues with theMP dynamic URL cache because the management side was completely eaten up. I wasn't able to login with the serial cable either. I eventually had to force a fail over by disconnecting the HA1, HA2, and management interfaces and restart the locked up 2050. Frustrating for the administrators, but the users never knew we were having a problem. ... View more

What's your captive portal policy and security policy look like? ... View more

Have you defined the forwarding profile in each security rule? ... View more

Panorama should make that easy. ... View more

Yea, I stare at envy on the other ones. Maybe in PAN-OS 5.0 ... View more