About pulukas

Nothing official, but you can follow this procedure to get a good start on an Excel dump version. Export a List of Address Objects or Security Policies and Import into a Spreadsheet ... View more

See the note on the PAN 7 release page.  The 7.0.1 release is posted so you do not need to roll back you can upgrade. Software Release Notices: PAN-OS 7.0.x ... View more

I'm not sure I follow the question, so forgive me if this answers the wrong questions. The portal certificate from a trusted third party like GoDaddy helps the connection from the user machine to the portal.  This prevents the users computer from issuing a certificate warning that the the portal certificate fails the trusted authority check. If you use a domain issued certificate for the portal your domain computers will still be just fine and have no warnings because the domain computers do trust the domain certificate authority.  But any user connecting from computers outside the domain would be given the warning unless you distribute to them a copy of your domain trust chain.  If your remote vpn policy requires users connect using only domain computers then you can use a domain certificate without any issues. For certificate authentication of the connection we generally use domain issued certificates and install the domain trust chain onto the Palo Alto so that the certificates will be accepted.  The idea is to trust the computer using this method.  If you choose to accept this as the only authentication I don't believe you can make that location dependent but just on or off in total. ... View more

You should submit a request that Palo Alto create an App ID for the mobile App using the instructions on this note. How to Request a new App-ID And if you are ambitious you can try to create a custom app id following this process. Custom Application Signatures ... View more

The other consideration here is business risk for false positive blocks.  Applications that are business critical my need to be treated with kid gloves on their action with threat profiles.  Setting the action to alert rather than block to prevent fals positives from blocking critical workflows.  After which you need a regular procedure to review the alerts and insure all is well with the affected workstations. ... View more

- Does the protected port group on the vSphere DSwitch have to be VLAN ID 8 as well, or can I just leave it as VLAN type "None"? Both sides will be none in your case.  You only need to set tags if you have a Q tag port.  In your design these are access ports so none is all you need to do. - Is there anything extra I need to do to ensure that the HA pair will never accidentally create a loop between the two segments of the same network? No, the passive device keeps the traffic interfaces up but never passing traffic.  The PA will not participate in STP at all so all you need to do is make sure the switching system never puts the active device into a blocking port. - Are there any other considerations I need to know about in a deployment like this? I have not used the VMs for HA but I assume you still need the HA ports connected to communicate state tables and the like.  I don't see that in your setup here. your may find the example for layer 2 HA in the Design guide helpful starting on page 80 Designing Networks with Palo Alto Networks Firewalls ... View more

You could also experiment with the DNS servers used by the PA device setup.  I've seen issues with some servers not working consistently.  One was with Google DNS and I can't remember the other public DNS service where the updates would not work consistently. but once a new DNS was selected they worked all the time. ... View more

Logging is all based on available space rollover and not any summarization schedule.  So how much you get is strictly a  matter of the volume of logs generated and the averrable size of storage. ... View more

You may be hitting a conflict with your wildfire download which is also scheduled to happen every 15 minutes.  If two update jobs try to occur at the same time one will fail. You should arrange all the updates to never have conflicting times.  I would move the wildfire to an odd minute running every 15 minutes then the rest of your schedules should have no conflicts. ... View more

Check out the procedure in this document to permit applications with web based dependent apps.  This does not work for every app but does for a large number of them. How to Check if an Application Needs to have Explicitly Allowed Dependency Apps ... View more

If you cannot find your logs for sessions you know occurred, then go to your policy list and make sure you have logging turned on for the policies. You are looking in the right place, your traffic and url filtering logs would be where this should show up. ... View more

I am very conservative for unexpected outages.  So your milage may vary. I waited to the 5.0.6  release before upgrading.  For the next round I went to PanOS 6.0.3 as the comfortable path. Palo Alto has made tremendous strides in release quality over the years. Your best resource for getting a bead on your comfort for upgrade is your  sales engineer.  I would ask for the list of reported bugs roughly 2-3 weeks after each release.  We would scan these against our deployed feature set.  Would the reported bug affect our systems?  Then with the next release we read the reported fixed issues and the reported known issues.  Again we compare against our deploy to see how many would affect us. Once the list of bugs that actually affect our features is basically null, we go for the upgrade for the new train. ... View more

did you setup the service route for management access on the selected port. Setting a Service Route for Services to Use a Dataplane Interface from the Web UI and CLI ... View more

I would try to setup a span port and do a full pcap of the transaction if at all possible.  I think we really need to see the closing packets of the session to understand why the transaction is failing. You may also want to open a ticket on this with support.  They have access to deeper levels of logs and session status that could shed light on the issue. ... View more

Can you find the logs for the specific attempt to download from the play store? ... View more