Hello everyone,

I have to block some URLs and applications as per our company policies. Since we don't have a general rule from the inside zone to the outside (Internet), we are very restrictive in our access to the internet, and since there are some websites and applications that we need to explicitly block no matter what, what I did was create a top policy from inside zone (any IP) to outside zone (any IP) in order to block all the applications and URLs requested. I created an application group including all the applications to be blocked, and I also created a URL category for our blocked URLs, so:

1- Can I use in the same policy the app group under application and then add the URL group under service/URL category? I have this doubt since I understand that all the tabs (except the last ACTION tab) for the policy rule are IF conditions, meaning that all of them have to match in order for the rule to apply and THEN deny or allow as per the action option selected. So let's say for example under apps I have youtube, facebook, skype ... and under URL group I have xyz.com, abc.com .... Obviously there is no way that all apps match all URLs, but given the IF/THEN logic of the policy rules, I'm confused about whether this setup is correct.

2- Do I need to enable SSL Decryption? I know most of the traffic is going to be encrypted, so how, if there is no SSL decryption, is the Palo Alto going to be able to look deep in the data flow and inspect what application and URL are actually present in order to determine whether to block or allow them?

Thank you!!!