About pulukas

Sorry for the confusion on my scheduling comments. The default and recommendation for wildfire is to update every 15 minutes.  So using the method outlined by Hulk, you pick which four times per hour you get that update. But you also schedule daily or weekly updates for other categories like url filtering, antivirus and threats. When you pick the specific time of day for these other updates, you need to make sure that this is NOT the same minute that your wildfire update is happening four times an hour.  One of the updates will fail if they are both scheduled for the same time. ... View more

You can check which processes are using how much cpu while at the peak times and see what the culprit is. show system resources I believe the ssl daemon has ssl in the name if I remember correctly. ... View more

See this thread from last year.  They basically created a public vlan for the xbox ports to connect and get a direct address on the internet. This is really hard to swallow that companies like Sony and MS can build networks that don't work with standard internet nat. Re: XBOX Live But I also wonder why Palo Alto can't write an app-id to cover this behavior in some way.  Surely they have enough academic clients with piles of these game systems in the dorm that would use the solution. ... View more

In addition to what Hulk notes on determining the download times for wildfire, remember that you need to coordinate ALL the download times so there is no conflicts.  Those once a day or once a week updates need to happen at a time when the box is not busy with the wildfire update. ... View more

As hparikh mentions, these setup processes are in the management plane, but the traffic for the user is in the data plane processing. As far as capacity goes, each of the PA platforms has an upper limit on the number of SSL vpn connections that it can support.  This is in large part to keep the box from being overloaded.  You should feel comfortable going up to these levels.  And be aware of where that limit is to plan upgrades. Product selector has this limit information. Product Selection ... View more

The webcast is now available in the video portal. Video Link : 1491 ... View more

I had major issues with PanOS and sql connections.  There is a bug that dropped some packets coming through the PA for SQL streams.  This was finally addresses in PanOS 5.0.9.  Prior to this release we had to create an app override for all the sql connections passing the PA. Voip is another issue that we still have open for Avaya connections.  The behvaior was similar, the packet captures show dropped packets through the PA.  The solution was the same, we created app overrides on the random high ports in udp and the control ports in tcp used by Avaya for the voip connections. For the screenOS services with longer time outs on custom or non-standard ports, we also needed app override created to respect the longer timeouts.  The custom application definition was not enough without the app override. ... View more

See the section on defining inter-vsys policies for the steps involved in the Virtual Systems documentation link below. Virtual Systems (VSYS) ... View more

Seems that the technology is all about predictive threats instead of signature based threats.  The intention seems to be to use this as an additional path of blocking in the Wildfire product. ... View more

Looking over the agent documentation again, I don't see any way you can prevent this behavior in the current tools.  The agent is directly reading the AD login information and using this to update the ip address associations. There are some LDAP filtering ability on the firewall configuration for the purpose of browsing group names and contents.  But there does not seem to be any similar browse on the Agent to restrict updates. Essentially, what you need is a way to exclude a portion of the AD tree from logging ip address updates at login. I think you need to contact your Sales team and put in a feature request for this function. ... View more

You can check your configuration against this document outlining how to setup IPSEC VPN when the PA is in Layer 2 mode. Configuring Site to Site IPSec VPN in Layer 2 ... View more

If the users are already authenticated, you can just put an allow rule for known users above the captive portal rule.  This will permit those already known to user-id to proceed to the internet and only redirect unknown users. ... View more

You can redirect captive portal users to a server on the network.  You do need to make sure there are policies in place that make that target server reachable. The server dns name or ip address would go into the redirect host field when you setup captive portal. ... View more

you could try creating an outbound allow smtp policy and have it flagged for the application of all the popular online mail services. If the application awareness does not extend to smtp, then you could manually determine the smtp server destinations from these services mx records.  then create an outbound destination based rule that permits smtp to these services but denies it more generally. ... View more

Running on a test box now and no issues with the upgrade or the 300 rule policy push.  The tap traffic of production all seems to behave the same way. On the feature side, ssl port mirror and the dns sinkhole look like good additions to take a closer look at application in the network. ... View more