About KGC

Thanks, that's what we are finding as well. ... View more

Not a problem, happy to oblige. I have a feeling your smiley disposition will net you very little help. Good luck. ... View more

If you are indeed decrypting SSL, you should have said so; your original message does not make that implication at all clear. When we tested SSL decryption we were able to identify all manner of applications which hide inside SSL. Keep in mind that some applications will "pretend" to use SSL on TCP 443 while using their own encryption methods. So even SSL decryption would not help you here. ... View more

networkadmin wrote: ksemenov wrote: After an afternoon of playing with 4.0.1 I found enough "bugs" that we decided to go back to 3.1.7 for now. Can you expand a little please? We're on 3.1.7 now and I was debating whether to go to 3.1.8 or just jump to 4.0.1 - can't say that 4.0.1 brings anything to the table that for us is like "We must have that", but equally I don't see too much in the way of solid guidance from Palo Alto of when to use a given version of PAN OS the same as Juniper do. It was a combination of factors, really. We actually really like a lot of 4.0 offers, not the least of which are some of the GUI enhancements (especially in the policy edit view, such as hiding the menu, better support for editing / viewing object, drag'n'drop, etc.) as well as the ability to share more of the configuration aspects from Panorama (e.g. Authentication Profiles) than was previously possible. 4.0 is definitely a move in the right direction. So we upgraded our entire pre-production environment (Panorama + several HA f/w instances) just to see how it looks. Unfortunately, we didn't get a good enough feeling to stay with it. There were a few basic interface bugs (such as reporting the disk space incorrectly - I already posted about this) as well a problem specifying an email recipient for alert notification. Combined with the fact that the original release was pulled almost immediately and re-released, it didn't inspire confidence in the level of QA that PAN put into the 4.0 release. These factors multiplied by the amount of new functionality introduced in 4.0 led us to conclude that it would not be prudent for us to put it into production yet. Perhaps we were unfair or hasty in our assessment, but we can't gamble with the stability of our environment and had to make a decision fairly quickly. We are going to look at 3.1.8 for now and hope that PAN works out the bugs from 4.0 in short order. Hope this helps. ... View more

Something I wanted to clarify / confirm: it seems the agent needs to read the security logs from the domain controller which handles desktop (or console) logins, not from domain controllers which process authentication requests for access to resources (e.g. data or email servers) Can someone confirm / deny this? It would be ideal if we could just read the auth requests from (or near) our email server, since we have just a few centralized email servers but dozens and dozens of domain controllers. ... View more

My understanding is that you need to allow skype-probe traffic through to establish a connection, and then block the actual skype traffic once the Skype client believes it has connected. This prevents Skype from going evasive, but it does create a confusing situation on the client where it appears to be connected successfully, yet calling does not actually work. ... View more

Yes, I noticed a couple of interface issues in PANOS 4.0.1, though I can't recall the specifics now. I couldn't specify the email notification setting in one instance. It seemed to be nothing more than a GUI issue. After an afternoon of playing with 4.0.1 I found enough "bugs" that we decided to go back to 3.1.7 for now. ... View more

I seem to recall we had some issues with the brightcoud database versions being out of sync between Panorama and the firewall as well, or am I imagining this? Brightcloud either changed the names of the categories or added/removed some of them at some point. ... View more

I think you could probably rig it up with URL filters and application policies to achieve the same thing ISA does today. But for a basic web server I can't imagine you would need more than a basic NAT policy terminating on the untrust side and a basic security policy to allow web-browsing / ssl to your web server. ... View more

Yep - same here. ... View more

Does Panorama also do an AutoCommit post-upgrade? After our upgrade I do not see it as one of the jobs. We also can't commit the Panorama config due to a similar error: shared -> ssl-decrypt unexpected here ... View more

I've seen something similar on v3.1.7 and it had to do with device timeouts - we needed to increase the timeout values under Device / Setup / Management. ... View more