About pulukas

Do you have a logging option selected in the "action" tab of your policies? ... View more

I would also confirm that the Server Windows firewall settings are the same between the working and non-working servers. ... View more

From the point of view of security, you may have two types of rules. If you are trusting the ip range because this is your selected ISP and you trust what they choose to source from this range.  Then write a traditional ip address based allow rule from your network. If you are allowing the listed applications, then you create an application based allow rule to any ip address and permit the traffic. ... View more

The examples you mention here are recognized as applications in the Palo Alto world.  So you would just identify the list of approved applications and place that allow rule based on application before your captive portal. You don't need to know ip addresses or ports, PanOS will recognize them from the app-id selected. ... View more

This does sound like a bug. You could also try to clear the arp by interface instead of globally. clear arp ethernet1/1 ... View more

I have successfully upgraded HA pairs without service interruption.  But we do always schedule in a maintenance window for safety sake. ... View more

This is not possible.  The best you can do is use dhcp mac reservations to give this mac address a specific ip address every time. Then write a rule to deny the traffic from this address. How to Configure DHCP Reserved Addresses on a Palo Alto Networks Firewall ... View more

There is not a direct way to email from a profile. You can do this indirectly by adding email to the security policy. 1-Create the email profile with the address you want under: Device > Server Profiles > Email 2-Create a log forwarding profile and attach this email profile to it. Objects > Log Forwarding 3-Add this log forwarding profile to the security rule where your vulnerabilty, AV and Spyware profiles are applied that you want the alert. ... View more

The number of virtual routers you need is dictated primarily by your routing separation needs. Yes, a common case of two virtual routes is having two ISPs.  This way each router has one default route and each ISP has a source of traffic in that router. Other use cases for multiple virtual routers is multi-tenancy.  If the datacenter has a need to have routing separation from multiple clients, then virtual routers provide a simple way to achieve this.  These are especially useful when running OSPF to keep the routers from one client from leaking into the routing tables of another unrelated client. ... View more

I agree with Hulk that you will need to gather data when the issue is occurring.  The top candidates for me would be cpu issues or resource exhaustion.  These are checked with: show running resource-monitor debug dataplane pool statistics On possible cause of these issues could be a threat or a ddos attack. Another good test would be if you can get a laptop into that on the Juniper switch between the ISP router and the Palo Alto if an address is available.  Then run the download test from here during the issue.  This will eliminate the PA from the loop and do a test during the incident for possible outside influences or a transient ISP issue that they don't see because it is gone when they investigate but there during your problems. ... View more

I agree with Eric here, bending over backwards to get a mgmt connection to run through a v-wire is just weird. The correct answer is what Hulk notes above.  If you use v-wire you need to configure a mgmt port or L3 interface separate from the v-wire in order to connect to and manage the Palo Alto. ... View more

As I recall MLT in Avaya is an LACP based aggregation.  So I believe this will work across v-wire similar to how a Cisco LAG is connected. Assuming a two port LAG you would create two v-wire using the same two zones on each v-wire Then you connect switch stack A/B ports to the "trust" side of v-wire 1 & v-wire 2 Then connect switch stack C/D ports to the "untrust side of v-wire 1 & v-wire 2 The switches will behave as if they are directly connected not seeing the PA. the traffic will be visible to the PA on the v-wire interfaces and you can create your rules as in any other v-wire deploy. You could also add more v-wire and ports as needed up to the traffic capacity of the Palo Alto. This document describes the similar situation with Cisco switches. Cisco Link Aggregation Traffic Through a PAN Device ... View more

I think this is the document you are referring to from April of 2012 and citing version 4.1 as the affected releases. Invalid Username/Password They mention future support may happen.  This generally means an enhancement request was submitted.  So you could check the release notes for versions higher than what you are currently running (where the issue obviously still exists) to see if this was addressed. If you find this was not yet added, you can also check with the SE and have them place your vote for the enhancement in the Palo Alto Internal tracking system. ... View more

This seems normal to me.  In the same way that not every thing is fully inspected in normal traffic streams but goes through the fast path, ssl decryption is similarly situated.  Enough needs to be seen for app-id and threat scans to do their job and the rest is fast path through. I'm not sure I follow your comment on MS ISA server.  The Palo Alto is a firewall, NOT a reverse proxy.  In some ways a reverse proxy is better but in other ways the Palo Alto inspections are a big improvement.  If you want to reverse proxy and/or load balance the traffic you would still need another appliance to replace the ISA.  This would sit behind the Palo Alto so all the inspection and firewall protection would be in place, but the traffic is buffered by the reverse proxy towards the servers. ... View more

Yes, if the application override does not work to solve the issue, then a downgrade would be necessary. Be sure you create the application override for the most specific traffic possible and in both directions first. Also before downgrading follow the steps outlined by mbutt above and get packet captures on both sides of the Palo Alto for the failed traffic.  This way support will identify which bug is your issue and can notify you when the fix is being released for the bug. Steve ... View more