About pulukas

Generally, any subnet that has servers hosting internet facing applications should be in a different security zone than the rest of the internal network.  This is the basic definition of the DMZ that has existed from even before the internet when we connected to networks outside our companies. I don't think web servers are any more vulnerable to compromise from the outside than Exchange.  But I guess hosting a public web site does give more of an advertisement and invitation to visit than spinning up OWA. So in general, I would suggest creating a DMZ to isolate the public web server and setup the necessary network and security policies from there.  I would encourage moving the Exchange Frontend at least into the DMZ as well. ... View more

I'm an end-user in the enterprise space. Feature Requests are an internal Palo Alto database of new features users have requested from sales engineering.  You can ask your sales team to add your company as a "vote" for the new feature. I''m told that if a lot of users vote for a feature they move it up on the development timeline. ... View more

The reported issues with RADIUS had to do with special accented letters failing in user names after the upgrade from 5 to 6. FTP had at least three reported issues with the upgrade. All are listed as fixed in the 6.0.2 release notes. Browse the resolved issues section of the release notes and you get a sense for the scope of the issues.  The list is better compared to the 5 launch, but not yet where it should be.  Everyone I've talked to in PA is working hard to improve regression testing and get these types of flaws down with each new release and much progress has been made. ... View more

Palo Alto is a firewall.  You would need an MDM (mobile device management) solution for these functions. ... View more

I'm not sure what your question is here.  Are you having a problem filtering traffic logs? ... View more

Determining your log size requirement is not that simple.  This will vary greatly depending on how your logging policies are configured and the volume of your traffic. If you system is already running you can make a rough estimate by looking at the oldest recorded logs versus your disk size for your own environment. In general, I would create the largest Panorma disk sizes that you can afford to have.  Logging always seems to go up in size and having them is often helpful. ... View more

See a general discussion on the PAN OS 6 upgrades here. Re: PANOS 6.0.2 release date In general, I would stick with PAN OS 5.0.12 unless there is a compelling new feature in PAN OS 6 you would want to implement at the site.  We waited till 5.0.6 to move up from PAN OS 4.  The transition to PAN OS 6 does seem better, but there were still significant issues with basic protocols like ftp and RADIUS.  We will probably upgrade earlier in the release train with PAN OS 6 but I personally am not ready yet. ... View more

This sounds like a bug.  I don't see anything like this on the list of addressed issues in PAN-OS 5.0.12 either. I would open a ticket to get this reported and into the bug database for a fix. ... View more

This previous thread says the answer is no for now. Custom App-ID for the World Cup You could join in requesting one be created: How to Request a new App-ID You could also try to create you own custom App-ID by following the examples in these similar ones for the Olympics and NCAA finals.  You will need to know which site your users go to for the feed and create the matching patterns to identify the traffic. Custom App-ID for BBC Olympics 2012 Custom App-ID for NCAA March Madness 2011 ... View more

If you don't want to install Global Protect, you could configure captive portal to kick in for unknown users. Overview and procedure: Captive Portal Operation in PAN-OS 4.0 Minor updates in PAN-OS 5: How to Configure Captive Portal ... View more

I've not used it but it seems like they are just bundling up a basic pen test suite as a promotion for the firewall.  This might be something Palo Alto should look at doing too. We have generally used a combination of nmap and metasploit to confirm systems and firewalls.  But there are lots of options. Check out a basic list here. http://www.concise-courses.com/security/top-ten-pentesting-tools/ And Security Power Tools gives some great examples on how to use many of these tools for security tests. Security Power Tools - O'Reilly Media ... View more

The candidate config will only be in memory unless you save it as a named config or commit the config. you can rollback the config pretty easily after commit. So I would always commit Panorama first then the devices.  If you need to back out the change use the rollback on Panorama and commit both again. ... View more

No, Palo Alto is not a session border controller. Policies can provide some of the security features of a SBC.  But none of the voip specific signaling or features would be available. ... View more

The limits are not really about the number of users but the use of resources.  The primary measure would be the bandwidth usage and the number of sessions. See the spec details on the product selection guide. Product Selection ... View more