About pulukas

I agree with HitsSec that the primary threats will be the webmail and web browsing.  So these can continue to be mitigated via the standards settings you deploy on the Palo Alto. And April is not really any different than today.  The real difference starts to build in May the first month without new updates.  And the degree of the boost is only as large as the number of NEW vulnerabilities found and patched everywhere but on XP.  Then this threat will continue to build as each month passes. Everyone will have to make their determination of how large that risk is compared to the expense of migration for the affected workstations. ... View more

Well the docs do a better job in the details on how this works, but the webcast is up on YouTube. this page collects all the information in one place on the new chassis platform. Introducing the PA-7050 :: The Fastest Next-Generation Firewall ... View more

You will need to run show system resources and try to determine which process is responsible for the high cpu in the management plane. Refer to this document for an overview. https://live.paloaltonetworks.com/docs/DOC-4649 ... View more

I don't think the Cisco client is supported. But you can use the built in vpn client for IOS if you don't want to purchase the Global Protect software.  These are the instructions for using the Apple vpn client. GlobalProtect Configuration for the IPsec Client on Apple iOS Devices ... View more

As a temporary solution you could block this the old fashioned way.  Place an smtp block rule for the google ip ranges.  You can do some test sends and capture the data in the logs. For new feature requests, we are supposed to submit these to our Sales Engineer. ... View more

Are you sure it is the same session ID? Perhaps the client is just immediately creating a new session because the traffic still continues after the session is killed. ... View more

Try changing the service to application default instead of any.  Sometimes this prevents the need for an application override rule. Do be sure to open a case so the bug gets logged and into the process for a future update. ... View more

Looking forward to tomorrows rollout webcast for more detail on the hardware architecture. edit: Looks like the documentation is out: PA-7050 Hardware Reference Guide (English) ... View more

The QA versus feature release schedules is pretty much a universal problem in technology companies.  Sure I wish QA was better at preventing bug releases here, but I don't hold out any hope that feature releases will slow down to make sure the QA is complete. That's why we still call it the bleeding edge. I do agree that Palo Alto does seem to be worse than average at producing bugs in .0 releases.  And they should try to at least raise the QA bar to reach average. ... View more

Nice summary. Using a different nat pool for the public or web browsing segments as opposed to your primary smtp or other servers is a good practice.  Keeps the bot net infections from poisoning the reputation of your production traffic. ... View more

Just to add to what ericgearhart says, the version development does occur in parallel on new releases.  But generally when a new train comes out new FEATURES stop in the old train, just the bug fixes and stabilization code releases continue.  Along with support for the dynamic updates until the end of life announcement. So the reason to MOVE from a release train 5 to release train 6 will be the NEW feature you would like to use in the 6 release train. ... View more

If the layer 3 traffic is occurring on the Juniper or Cisco switches, you would need to implement the restrictions at that point of the traffic path.  As Hulk notes, if the traffic reaches the Palo Alto before the destination then a rule here can restrict the access.  But it sounds like you have internal layer 3 connections that are permitted without reaching the Palo Alto. both Cisco and Juniper switches perform this function via packet based (not session based) filters.  You create the allow filter and apply this to the layer 3 interface on the switch. On the Juniper switches you would use the feature firewall filters applied to the RVI (Routed Vlan interface) on the switch. Juniper Documentation Firewall Filters Configuration Guide - Technical Documentation - Support - Juniper Networks Free Day One book on the feature: http://www.juniper.net/us/en/community/junos/training-certification/day-one/fundamentals-series/configuring-junos-policies/ On the Cisco switches the feature is ACL (access control lists) Cisco Documentation Configuring IP Access Lists - Cisco Systems ... View more

Minow, On a cluster you should configure the updates on your primary member then choose the option to sync those updates to the secondary.  This will keep both cluster members in sync smoothly and only require one set of downloads. ... View more

Start by looking at the cpu resources following this tech document.  This will let you know what process is at issue. How to Interpret: show system resources ... View more