About pulukas

I setup v-wire with q tag trunk ports on the 5000 series for a data center deployment. this can be as simple as outlined in this document.  Where there is only two zones and all tags are just permitted through the v-wire. Trunked Traffic in a V-Wire If you want more control, you can create a subinterface for each q tag on the v-wire.  These can then be placed onto their own v-wire pipe and assigned zones separately from the other q tags on the trunk port.  This also prevents the automatic passing of additional tagged frames on the trunk without the explicit configuration of the sub-interface and v-wire pair. Create the v-wire for the tag Create the sub-interface on both physical interfaces and assign the tag and the v-wire Assign each side of the v-wire to the desired zones Rules will then apply by zone assignment of the particular v-wire pairs ... View more

You could configure captive portal.  But I guess you don't want to force a login portal. The issue with RADIUS is as dmaynard says, the ip association is in the payloads.  There is a script posted in Dev center to extract this for user id association.  I'm not sure how well it works as I haven't used it. Scripting solution for User ID working with Microsoft IAS/NPS ... View more

The signature does look correct for the response code 200.  Can you do a packet capture on a failed login and confirm what the data looks like in the response? ... View more

There is an evernote app-id that you can use to block the access with an application specific rule. ... View more

infotech wrote: There seem to be more than one policy on the ike policies on the cisco how do I know which one matches the PA? In the Cisco configuration the phase 1 will use each of the policies in order as they appear in the configuration.  As long as you have a matching policy on your side to one of them the phase 1 should complete. For phase two the Cicso configuration usually specifies a proposal set that you must also match. Are you connecting to an ASA or a Cisco Integrated services router? ... View more

The universal solution to computer problems, reboot. But a little disappointing that there is not a clearer logging on a problem.  these look like normal sessions. ... View more

The feature you really want is called DNS doctoring.  With DNS doctoring when you configure a nat the firewall with "doctor" the DNS response from internal clients to present your internal ip address instead of the public one.  DNS doctoring is not yet a feature on the Palo Alto.  Contact your sales team and ask if there is a Feature Request pending you can add a vote for. In the mean time, if you setup DNS proxy from the link Hulk provided, you can perform the following steps to have your setup act as desired. 1-configure the DNS proxy 2-add static entries (step 5 in the documentation) with the internal address for all your server resources 3-change you DHCP server to present the PA as the DNS server for your LAN 4-update any static computers to use the PA for DNS ... View more

Could you post the log message the Palo Alto generates on the firewall logs when the client disconnects? ... View more

Do you have ipv6 enabled and configured on the Palo Alto? Have a look at the checklist for ipv6 usage here. How to Check IPV6 Traffic Routing ... View more

Thanks for keeping us posted. Your reboot procedure is the same one we using in upgrades of a cluster, one at a time with the secondary first. This is a serious bug.  Do I understand you correctly that traffic is still passing with the secondary node as primary?  Or does this cause an full network outage? ... View more

This diagram of the PA architecture tries to capture the separation of data plane packet processing and management plane control system processing. See the tech brief on Content ID for a fuller discussion on the processing modes in the PA firewall. http://media.paloaltonetworks.com/documents/techbrief-content-id.pdf ... View more

Here are the ignore list instructions for Agentless User-id on the firewall. How to Add/Delete Users from Ignore User List using Agentless User-ID ... View more

You will find the details on QOS configuration and behavior here. QoS in PAN-OS 4.1 ... View more