If you know which zone the destination IP is in, then I would recommend you specify the destination zone and IP address. However, this is not a requirement. You can also leave the zone as any. It depends on your organizations, topology, security policies and best practices but either way will work. ... View more

If your rule has Zone A to Zone B specified and IP address source and destination of any, then the traffic will be filtered based on zones only regardless of IP. Entering in an IP address is not required, if you want to only filter on zones this can be done as long as your source and destination IPs are "any". Typically you assign interfaces to Zones so you need to understand your network topology to understand what traffic is coming through each zone, but when filtering at the zone level IP addresses do not need to be specified. For Example: I want all of my internal users to access anything in our DMZ and the web and my DMZ to be able to access the Web I would create 3 zones... Zone A = Internal Users, multiple subnets and IPs Zone B = DMZ multiple subnets and IPs Zone C = Internet multiple subnets and IPs My rule would go something like this: Name S. Zone D. Zone S. Address D. Address Application Service Action Rule 1 Zone A Zone B Zone C Any Any Any Any Allow Rule 2 Zone B Zone C Any Any Any Any Allow No Specific IPs need to be listed to put these rules in. ... View more

Can you give a little more info in regards to the size of your network behind the PA500? How many web users, etc... We are using a 4020 with URL filtering and don't have any performance issues with about 800 internet users. But I realize a 4020 has quite a bit more horsepower than a PA-500. Sounds like a call to tech support might be good for this one, If you haven't called them already. Please let us know what you find out. I am considering a PA500 for some of our smaller remote sites so any info / feedback you have would be great. ... View more

I have a PA4020 running PANOS 3.1.8 with URL filter version 3646. My URL filter is set to alert only for all categories. I used google chrome and I am able to get the login to appear on this site. If you aren't seeing anything in the FW logs, try from a few other PCs on your net behind the FW and see if you get the same results. Are you checking the URL logs or the traffic logs or both? Any other rules turned on for this traffic... AV, Threat, Data filtering, etc... Maybe one of these logs has the answer. Message was edited by: joshsmtech ... View more

Are you using AD to log in? Is it possible that somone is logging into the laptop with a local user account? If that is the case, UserID will track all activity from that device as the source user of the last person that logged into the device with AD. If you were the last person to log in and someone else logs in with a local account, I believe your name will still be in the FW logs. The user ID agent polls your AD servers... If it is still in the AD DC security logs that you were the last person to log into the laptop, that is what the PA Firewall will put in its logs. I would check the UserID agent and the domain controller and see what users are showing up there for that laptop. If your AD Logs are different than what your PAN agent has or the PAN agent is different than what your PA Firewall is showing, that would be something worth mentioning to tech support. What version of the PAN UserID agent are you running? ... View more

nvm... found the answer in an earlier post, but here is what I did.... To identify which url-database your panorama is using, go to the CLI and input the following command... panorama>show system setting url-database if it says surfcontrol (which apparently the panorama image I got, comes with by default) then use this command... panorama>set system setting url-database brightcloud You're panorama box will reboot after this. You're panorama device URL categories should match the PA firewalls now. ... View more