About MRosloniec

There's some great comments here on this thread.  One additional comment I can make that I personally get value out of is the session monitoring feature.  I would suggest enabling that as well.     Also, I am no kerberos / windows / AD authentication expert, but processing this through my mind, I would think you would want to make sure that there is a regular cadence of a client/server exchange that takes place on a shorter time interval than your User-ID timeout.  I believe this would register an authentication event on the AD server thus transparently renewing the User/IP mapping in the client.   Another thing you could try is doing NTLM authentication through Captive Portal.  I tested this a bit in my infrastructure and got mixed results in regards to transparency, but it was on older versions of PanOS so that may have been the problem.  Of my positive results in testing NTLM, the captive portal page displayed momentarily but then NTLM passed the user's credentials through and automatically mapped the users.   Lastly, if you have PKI in your environment, you could use those certs to identify users through captive portal as well.  I really like this method of doing captive portal, however the one major drawback is that there is no fail-safe or manual login option should a client fail to have the proper cert for one reason or another.  We actually floated the idea of not using the UserID agents at all, and strictly forcing Captive Portal for all users, using cert base authentication.  Unfortunately it was that lack of having a manual authentication option that forced us to pull the plug on that initiative.  It may be more sensible in a smaller organization though.  We have 25,000+ clients that connect to our network so that introduced it's own host of problems. ... View more

That is what we are doing today.  The challenge is that we must be able to allow downloads from such sites due to a plethora of different vendors and/or service providers we work with (we can't expect them to adhere to OUR preferred file sharing service).. yet we don't want people utilizing our connection to upload 800 wedding photos to dropbox for example.  The problem with QoS is that it applies both ways, and, also severly restricts simply browsing a file sharing site as well.  We're fine with people downloading files from them, but, if data is to leave our environment via a file sharing app we want it done on our preferred service with whom we have legal agreements with. ... View more

Thanks to both of you!  That is helpful!   Matt ... View more

Thanks guys!  Was trying to avoid having to do that because I have had some undesireable results playing around with the XML in the past.  Still baffled why PA wouldn't include this as an option.. makes no sense to me 🙂 ... View more

Keep in mind that the Agents process the include / exclude networks list in a top-down fashion just like the firewalls do policy.  What I did to keep from having to manually identify all of the networks I wanted to include, is I put all of my excludes at the top and then created 3 include entries to cover all of the RFC1918 addresses. ... View more

I am surprised that the TAC Engineer that we were working with did not inform us of this...I even asked specifically. ... View more

dyang Thanks, I will open a ticket with Support. ... View more

Thanks Steven Puluka, the problem is though, that our logging platform is Panorama.  Panorama doesn't offer any of those features.  It seems so ridiculous that a system that is specifically designed (M-100) to be a Log Collector, doesn't have a way to notify its admins when it's not actually collecting logs from a device that it was previously collecting logs from. ... View more

dyang, ajbool, ericgearhart - The device (Firewall) is running 5.0.11.  The Log Collector it sends logs to is 5.1.3, and Panorama is 5.1.6. Also, yes the logs appear correctly on the device.  I took the query I ran in Panorama to get those results, and ran it on the device, and had correct results on the device. ... View more