About pulukas

Glad you have it all figured out.  I've used that technique as well it works. ... View more

This is not an option available at this time. You can contact your sales engineer and ask if there is an existing feature request for this or not.  Palo Alto maintains a database of potential new features and customers can vote for a feature via their sales engineer. If there is an open request or you create a new one, publish the FR number here to encourage others to vote for the feature. ... View more

In order for the PA to identify the computer the traffic would have to cross the PA from the computer to the DNS server or from the computer to the proxy. For the proxy server requests I would check the proxy logs for the DNS record and see if it logs that site as visited by a user. For the DNS server if you did put this into its own dmz like zone then all traffic to the DNS would get seen and logged.  But be careful what you ask for.  This will generate a LOT of logs and will thus shorten the time frame of available logs on the PA.  DNS is used very frequently on a modern network.  A single page load can generate 10 dns requests easily. ... View more

Not sure I understand your question.  Pretty much by definition in the cli you are entering one command at a time.  So I guess you are asking about something else. What are you trying to achieve or what task are you trying to perform on multiple rules? ... View more

I would provide the getting started section from the Admin Guide.  This pretty clearly states that the user/password is required to use the console port even when the device is factory fresh. ... View more

I've only used the migration tool a couple times.  But from what I've seen this only deals with the configurations.  It seems like the approach you suggest would require some kind of log preservation and report.  And this tool is designed for migrations and application rule changes. Seems like the better outside tool for this type of report would be to ship all syslog to a log server and create reports from there. In any case the current unused rule feature in PanOS only performs the simple task of noting if a rule has ever been hit since the last reboot of the system, nothing more.  This is not a hit counter in the traditional sense. ... View more

The highlight unused rule function clears with a system reboot.  This only measures whether a rule was used or not since the most recent reboot. There is no way to adjust the operation or parameters of this feature. ... View more

You might also try downloading a fresh copy.  Perhaps the file is corrupt or incomplete. ... View more

VMware just released ESXi 6 in May.  It generally takes PA a few months to verify all is well and add official support for the new versions. If you need official answers and dates, you will need to contact your Palo Alto sales engineer.  Palo Alto never makes any roadmap or future release statements in any public forum. ... View more

Typically this just means that the session ran for a period of time then traffic just stopped.  Age out occurs when the tcp connection is left open in case the application wants to continue, but then there is no further communications for the time out period for the protocol.  Once the protocol timeout is reached the session ages out and closes. ... View more

If you need to rollback these are the instructions to reverse the upgrade. How to Downgrade PAN-OS And these to revert to the saved configuration. How to Revert to a Previous Configuration ... View more

Glad to hear you have it all worked out. ... View more

Just to add to what Phil is saying about trusting your tester.  make sure that if you do create these wide open access for his scanner that the report format he generates will not be "punishing" you for having lots of exposed and open systems.  When we open firewall rules for full access to the scanner some of these automated reports that go to management will make it look like your systems are far more exposed to internet threats than they actually are. But at the same time allowing the scanner automatically past all the defenses will give your server admins a good solid list of all the missing patches on their systems that would be hidden by the firewall protection. It all depends on what your goal for the test is.  Do you want to see your true exposure to internet threats? Or do you want a full list of all possible vulnerabilities that need to be remediated? ... View more

In order to use the sub interfaces you will need to configure the attached Cisco port into trunk mode. ... View more

jprovine wrote: Yes I had been thinking that very thing I have a security policy that has that IP and a wide range of IP's in it, I was considering creating a security policy with that specific IP address I want to monitor and put it above the current one. What I don't know it what that will do to my traffic, will it just say that the rules are shadowing each other or will it interrupt traffic or anything else negative? You will need to be careful about shadowing rules with this approach.  And you are correct that to only syslog for these particular addresses you will need to isolate them to their own rules.  then the log portion of the rule will contain your syslog server but none of your other rules will contain this log forwarding profile. If you create the rule too broadly you can give this user or segment more access than they should have so be careful with the rule construction. the safest approach would be to clone every rule this address may match and make the first of the two rules only have this ip address as the source or destination with the rest of the rule the same. ... View more