About roma

Hello, I have two 3200 series firewalls (different models though). How can I copy a custom URL category from one firewall to the other one? Thanks. ... View more

I would like to receive email alerts on certain system events, such as when there is a successful login and unsuccessful login attempt from GUI and CLI. (Among other events). The filter for the stem log is looking for certain "strings" or "attributes" Andi have no idea where to find them. Any ideas? Thanks. ... View more

Hello, On my "no-decrypt" policy - I couldnt find a way to exclude only a specific site from having an untrusted CA issuer. The only way to solve the problem and to be able to connect the device on our LAN to the website was to uncheck the box on the no-decrypt profile " Block sessions with untrusted issuers" - but now that opens up all of them. ... View more

Hi All, I'm using SSL decryption and if I wanted to have a URL in the exceptions (not decrypted) list, I would add it to a custom url category I created and just add the domain and apply the cutom url to the policy. But I also noticed that in Device>Certificate Management>SSL decryption exclusion - there are many predefined domains that seem to not be decrypted. If this is the case, why do they have that listed under certificates? If I add a url to the custom url category I created or the one in certificates, is it the same thing? Thanks. ... View more

Hello, I just turned on logging on my intra and inter zone security rules and noticed that in the security logs a few external ip addresses from zone untrust to zone untrust, with the source of a public ip being allowed, session end reason time out. How can something be allowed from zone untrust to untrust, that doesnt make sense to me? the same public ip is also logging from zone untrust to zone trust and policy is denied. ... View more

Hello all, We have a software ipsec connection that will be between an inside server and a server in the cloud. The PA will just be a pass through so to speak, (nating and security rule). The ipsec requires UDP 500 and 4500 and the IP 50 protocol. Do you know which app-id's I'll need for that? The palo has these 4 app-id's: ike tcp/500, udp/500 ipsec-ah - nothing ipsec-esp - nothing ipsec-esp-udp - udp/4500, udp/4501 I don't see anything for IP 50, is there? Also, since I'm using app-id, do I leave the service still as "application-default"? Thanks. ... View more

Hello all, I enabled DNS Sinhole on my palo and it is working fine. But now I'm interested in the DNS security license. Please help me understand some things? According to PA documentation since I have TP\\AV\\WF licenses, when a DNS query is made to a bad site the firewall will check its local DNS signatures which will hold a capacity of 100,000 signatures. So there's a chance that a bad query is not seen. However with the DNS seurity license, DNS signatures are stored in the cloud, it has an infinite amount of DNS signatures, and the DNS requests are real-time analysis and you get instant access to newly added DNS signatures, no need to wait for a download from your dynamic updates AV. My questions: 1. When I look at how to enable DNS security from their documentation, it looks exactly like how I have it now with only DNS sinkhole. So I guess I would just add the DNS security license and assume its working? 2. When a DNS query is made from a client on my network, by the time it does a live real-time lookup\\analysis, will the end user see any "lag" on their web request a timeout perhaps? 3. Will the DNS request use the local cache on the firewall (the 100,00 signatures), and if it doesn't find anything, it will then use the cloud, or it goes directly to the cloud? I wish Palo had more in depth documentation on how these things work\\flow, like a deeper dive. ​ Also, what are your thoughts on DNS security, have you found it to be useful? ... View more

  Hello all, Is there an official document from Palo Alto that lists their MFG part #'s? For example if I'm looking to purchase a 1 year subscription for my 3220 stand alone firewall I need to know the license part # to purchase. The frustrating part is that different websites list different MFG for the same product and its confusing. For example one may list it as this: MFG#: PAN-PA-3220-ADVURL While another website lists it completely different. ... View more

Hello all, I have the regular PAN-DB URL filtering and was considering the Advanced URL filtering.   From what I understand after reading the documentation, if the PA URL DB recognizes a URL as risky, it sends it to the Advanced URL DB in cloud for real time analysis. Without the advanced URL feature, I'm open to a zero day attack because the URL database on the firewall may not have been updated just yet. https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-new-features/url-filtering-features/advanced-url-filtering.html   "Malicious URLs can be updated or introduced before URL filtering databases have an opportunity to analyze the content; this lag time gives attackers an open period from which they can launch precision attack campaigns on the firewall"   I have my Application and Threats updates to download and install every 30 minutes. So I'm figuring this "lag time" is the 30 minutes window, correct? Also, it says it only forewards URL's that are designated as risky. Wanting to know how many "risky" URL's my current standard URL license detects I want to see if its worth it. But, how do I view "risky" URL's?   In your opinion is it worth the purchase, have you found it to be a valuable asset? ... View more

I've just upgraded to 10.1.4-h4 from 9.x code and have noticed that the traffic logs take at least 30 seconds or longer to load. On the previous code it was only a couple of seconds. Mgmnt pane cpu is very low 5%.   Anyone have similar problems and fixes? Thank you. ... View more

Hello, I've been looking a history entries in our threat log and it seems to me that most of the default settings for vulnerabilities - "action" are set to low, for example to "alert" - although they classify the threat as "medium" or "high". For example in the screenshot below the threat of this hacktool is set to "alert". Shouldn't this be a set at east to a drop\reset, etc or something that doesn't allow it? What's Palo's thinking behind this? Thanks. ... View more