About pulukas

Are you having a particular issue? ... View more

The basic difference between agent and agentless is as follows: User-id agent installs on a windows computer and collects the user to ip mappings for forwarding to the firewall Agentless user-id runs on the firewall and queries the windows servers to retrieve the user to ip mapping information User-id agent can install multiple ways Install directly on the domain controller for each one and collect local data Install on one computer and query data from multiple domain controllers from this location General considerations: each domain controller in your AD domain has local only copies of the login mappings you need so all must participate in user-id in some way If you have a lot of processing on the firewall and a lot of domain controllers then agentless user-id may not be practical If your AD computers are spread around multiple WAN links the traffic generated by agentless user-id may be problematic the best source for the gory details is the User-id Best practices documentation. User-ID Best Practices - PAN-OS 5.0, 6.0 ... View more

There is an option when you setup the dynamic updates to choose "sync to peer" on your primary device.  This is designed for the situation you have. Using this option the download occurs on the primary and is copied and applied to the secondary via HA sync process. Is Content Database Sync Recommended in an HA Environment? ... View more

Sonicwall nat and policy organization is basically the same as you have in PanOS.  They are separate and require two rules. Look at your Sonicwall nat rule for the inbound address to the exchange server. Create this same rule in the nat section on the PA In the security policy add a rule on the PA to permit the inbound smtp application to the exchange server. Once you have both the nat rule and security policy the inbound traffic should flow. ... View more

Wenar Thanks for the bug id and the follow up. ... View more

As hshah mentions the proxy-id are a required configuration on the ASA.  Unfortunately, the Cisco configuration does not call them proxy-id.  Rather the Cisco engineer will know them as the vpn ACL or interesting traffic ACL. These are simply the subnet on the Cisco side and the subnet on the PA side.  The trick is they must exactly match. Ask your Cisco partner what his vpn ACL contains. Sample: The fist ip address is the ASA side and the second is the PAN side: access-list PanACL extended permit ip 192.168.1.0 255.255.252.0 192.168.2.0 255.255.0.0 ... View more

hshah Looks like there is an issue with the Test A Site database.  I just ran this on the PA research center and it shows clean as computer category. craigmueller You should try to back trace the clients making the request for the site.  They are likely infected with malware. ... View more

I've used both Qradar and Splunk and both are strong platforms.  I think that Qradar is stronger in customizing reports and fields for security.  But Splunk is stronger in ease of use for creating reports on the fly. Splunk does have an initiative to work more tightly with PA logging.  They were an active participant to show the tools they have developed at Ignite this year and they do look good.  But I have not used them in production. I can't speak to implementation or cost, as I've only been a user/consumer of the services not the original installer. ... View more

Thanks hshah adding my vote too. ... View more

I would say that if you are looking for long term archive referral of firewall information you do want a tool on the caliber of Splunk security or another professional SIEM platform like Qradar.  These tools go beyond basic syslog storage to allow you to correlate and find the information you need when doing an investigation or troubleshooting. The other advantage they have is they scale well and allow the correlations to server, switch and router infrastructure in addition to the firewalls.  And they are easy to expand storage for longer archive terms as needed. https://www.splunk.com/view/it-security/SP-CAAAAKD IBM Security QRadar SIEM Splunk also offers a basic free version that supports 500 meg logging per day that would cover the syslog fundamentals if you don't want to go for a SIEM solution. Free vs. Enterprise | Splunk License Comparison Table | Splunk ... View more

Does anyone have the feature request numbers for these snmp updates? FR#### I should send a vote off to my sales team while I'm thinking about it. ... View more

I agree that the snmp polling option really should be there. The obvious work around is to pull the data from the connected port on the switch where other network vendors do give us this data.  (hint, hint to PA). ... View more

Do keep us posted on the final resolution and bug number when assigned. Also could you clarify the exact procedure you are using as the work around to get the committed changes on secondary onto the restored primary? ... View more

Thanks for sharing the final answer. ... View more