About cstancill

cstancill · ‎07-18-2019

I believe expedition just takes a config snapshot (the Panorama xml config file rather than a tarball).

cstancill · ‎04-06-2017

Panorama will not ingest tags from AWS directly. What you can do is create the AWS tags in Panorama manually. Then the firewall will apply the tag to IP mapping when it inforces policy based on those same tag values it learns from AWS.

cstancill · ‎04-17-2015

Jared is absolutely correct regarding using decryption to enable inspection. To address the performance concern: whether or not decryption has an appreciable effect on your performance depends entirely on *how much* you are decrypting. Each platform has specific upper limits in terms of the maximum number of concurrent decrypted sessions. The additional overhead caused by decryption will depend on this volume. You can limit the scope of decrypted traffic using different criteria (e.g. URL category). This approach will let you inspect things that need to be, like youtube, facebook, etc. while not wasting resources on sessions that probably don't need to be (e.g. online banking, healthcare, etc).

cstancill · ‎03-18-2014

Is there an issue creating a second set of tunnels? Unless you will have the same public addressing at your DR site, using the same configuration won't help (as the other end of the tunnel won't be configured for the DR IP address). Additionally, having a second set of tunnels that are already up will reduce your recovery time.

cstancill · ‎03-18-2014

Have you tried downloading the license from the support portal on a system that has internet access (e.g. a laptop) and uploading it to the firewall from there?

cstancill · ‎03-18-2014

Try and rebuild the userinfo.xml file using the following commands: > debug user-id clear group all > debug user-id reset group-mapping all > debug user-id reset user-id-manager type user-group > configure # commit force This will force the firewall to rebuild the userid.xml file based on a refresh from the LDAP server. If this doesn't work, give support a call so that we can take a look.

cstancill · ‎03-12-2014

Sorry, I suffered a multi-tasking failure :smileylaugh:. That should have been " " if we have a start time of 08:15:00 and default settings, then we ignore all entries between 08:15:00 to 08:15:20"

cstancill · ‎03-11-2014

Minow, Check what Hulk said, and double check your routes (including any PBF rules). It could be that the return packet is being routed to a different interface than the SYN packet came in on, which will give you the zonechange drop counter. Craig Stancill | Technical Support Engineer Shift Time : 05:00 – 14:00 GMT Support Contact: US: (866) 898-9087, Outside the US: +1-408-738-7799 Palo Alto Networks | 3300 Olcott Street | Santa Clara, CA 95054-3005, USA https://support.paloaltonetworks.com/

cstancill · ‎03-11-2014

We use the concept of average page load time (default of 20 seconds) as the assumed time it takes to load all of the page elements. For example, when you go to a media intense site like cnn.com, you see a lot of URL log entries associated with the various page elements. For the purposes of calculating browse time, we ignore all log entries from the start time through the average page load time. This means that if we have a start time of 08:15:00 and default settings, then we ignore all entries between 9:10:00 to 09:10:20. This may be the reason for the empty entry. Do you have the URL logs for that user? You may be able to confirm it that way.

cstancill · ‎02-02-2014

From the description, this sounds like it may be an issue with monitoring server session reads. Just so I understand the flow, is the following correct? User is logged into their workstation, and is correctly mapped to the IP of that workstation. User maps a drive to a share on a server using different credentials and the mapping is updated based on that information causing an issue with the rule set. In the above case, you can disable server session reads to resolve the issue. Please let me know if there is more to this.

cstancill · ‎01-11-2014

They are not required for VWire as interfaces configured as such don't have IP addresses and don't participate in Layer 2/3. If you have an additional interface that is in L3 mode (to support Captive Portal redirect mode for example), then you can add a floating IP for that interface if desired. -Craig

cstancill · ‎12-28-2013

Vesna, You aren't missing anything. Please open a case so that we can address this with the developers. Thank you for bringing this to our attention! Craig

cstancill · ‎12-27-2013

Cheon, Sorry for the delayed response. For denied logs, you are correct. Craig

cstancill · ‎12-22-2013

Nyanko, Only the candidate configuration (when you choose to save the candidate) is saved to flash. Configuration versions and named configuration snapshots are saved to the hard drive Flash isn't used for long-term configuration storage.. Craig.

cstancill · ‎12-16-2013

Cheon, 1. That is correct, provided packet forwarding is enabled. 2. This is correct as well. 3. Unfortunately, the actual session ID will be different for each firewall. Craig

cstancill · ‎12-14-2013

Sorry, no. System logs would only be available from the GUI (I confused the posters in this thread, my mistake). Craig

cstancill · ‎12-13-2013

Slawek, No problem! The 'scp export log traffic' is a CLI command, so you could use something like an expect script to schedule downloads. You could also use the XML API to fetch a maximum of 5000 logs (using /api/?type=log&log-type=traffic&nlogs=). Craig

cstancill · ‎12-13-2013

As of right now, that is the limitation. If the different locations are used for different logging purposes (maybe a couple are for traffic and another is for information threat logs, etc), you could split the servers into groups based on what the logging system is being used for. For example, create one SNMP Trap server profile and include only the monitoring systems that need traffic logs. Then create a separate profile for the systems that are looking for the threat traps, etc. Craig

cstancill · ‎12-13-2013

Guraj, You should be able to export your logs using the following CLI command: scp export log traffic The above command will work with tftp as well and has options (use ? after 'scp export log traffic') for the start time and end times to export. It is important to note that you may not have 5 months of logs on the device, depending on available storage and your logging configuration. Craig

cstancill · ‎12-13-2013

SLV, You can export the system logs from the Monitor tab. You should see an icon in the upper right-hand corner that looks like the Excel icon. Clicking this will allow you to export the logs to a CSV file. Craig

cstancill · ‎12-12-2013

You can request a change of URL categorization at the following links: If if you are using BrightCloud, Webroot, Inc. If you are using PANDB, Palo Alto Networks URL Filtering - Test A Site The application Pando, found in applipedia, is based on the type of traffic (the contents of the packets) and if the application is still being identified as Pando, then it is likely still filesharing traffic. If this is a case of a false positive, open a ticket with support and we will be able to get a bug filed for the content. Craig

cstancill · ‎12-12-2013

Mackwage, You can. Add a QoS policy on the policy tab and use the source address as a matching criteria: This will allow you to set the class on this traffic and apply the egress limits you want via the QoS profile you have defined.

cstancill · ‎12-03-2013

You can get this information using SNMP. OID .1.3.6.1.4.1.25461.2.1.2.3.4 will show the number of active TCP sessions while .1.3.6.1.4.1.25461.2.1.2.3.4 shows the number of active UDP sessions. Below are the links for the PAN MIBs: PAN-OS version 5.0: Enterprise SNMP MIB 5.0 PAN-OS version 4.0: Enterprise SNMP MIB 4.0 There are a lot of other values in the MIB you can monitor as well.

cstancill · ‎12-03-2013

Vikas, At this time, renaming the rule will give it a new ID in the idmgr. The result of this is that the rule will show up as unused after it has been renamed. Craig

cstancill · ‎11-15-2013

I would definitely open a support case so that we can review the logs and configuration. I had a similar case recently, and the cause was a couple of configuration items (using applications listed as tcp/dynamic and setting tcp-reject-non-syn to no).

cstancill · ‎11-15-2013

Auttaphan, You need to first configure a Netflow profile under Device->Server Profiles->Netflow. Once you have done that, you should be able to choose the profile under Network-> Interfaces-> Ethernet-> ethernet1/x (where x is the interface number you want to collect Netflow data from). The drop down to choose a Netflow profile is located just under the drop down for interface type.

cstancill · ‎10-29-2013

Call support. We can help you with deleting old logs and clearing up space.

cstancill · ‎10-29-2013

1. Does the manual test work? 2. Is the SMTP gateway reachable by the device? Test this by pinging the gateway from the interface you use for sending the reports: > ping host smtp.gateway.com Or, if service route is configured: > ping source <source_ip> host smtp.gateway.com If you are using a hostname name in the Email server profile, ensure that the firewall can resolve the name using the DNS servers configured. Also, ensure that there are no rules which are blocking the traffic (if the firewall is in the network path to the SMTP gateway). Additional troubleshooting information can be found here: https://live.paloaltonetworks.com/docs/DOC-1065

cstancill · ‎08-29-2013

The zero means that it isn't limited. One you enter your value in that column, then it will be enforced.

cstancill · ‎08-29-2013

Tiger, The \ 'escapes' the following character (in this case a '.') so that the regex engine treats it as a normal character instead of the regex special character '.' Without escaping first, the regex engine treats that period as a sort of wildcard character that will match anything but a newline. Escaping it causes the engine to treat is as an actual period to be matched against. Hopefully this helps.

Date Registered	‎02-14-2013 04:48 PM
Date Last Visited	yesterday
Total Messages Posted	89
Total Likes Received	16

Online Status	Offline
Date Last Visited	yesterday

Enterprise

Prisma

Cortex

About cstancill