Greetings. We are running PA-3050 HA pairs in active-passive configuration. PANOS 5.0.4 is installed. We have been running 3050s since early May.

We have a security policy defined to block all youtube apps for any user, unless they are in a specified Active Directory group, in which case only youtube-base is allowed. This policy is App-ID based only, and as such we do not block Youtube URLs. The result of this policy has always been that users can browse youtube.com, but cannot play videos (they either get an error in the player, or nothing happens). Users can also sometimes see embedded Youtube, but cannot play (this depends on the page where the videos are embedded).

In the last several weeks I've noticed that if I were to browse Youtube.com, I could load and play SOME, but not all videos. Some of my colleagues have mentioned that they encountered embedded videos that will sometimes play as well. This was disconcerting due to the fact that neither I nor my colleagues are granted permanent Youtube access. The "success rate" of getting a youtube video to play seems to be on the increase, at least based on my anecdotal observations. There seems to be a correlation between the age of the youtube video and my ability to sneak it past the firewall. Specifically, "old" videos tend to get blocked, while many videos uploaded sometime in 2013 get past the security policies.

Turning to my traffic logs, I notice that when I get a youtube video blocked, the app is identified as "youtube-base" and therefore matches with the security policy to deny Youtube. However, when I successfully load and play a video, I see that I am generating traffic identified as "flash", with a destination IP somewhere in Google's IP block (all addresses resolve to a 1e100.net domain). This improper app identification causes the traffic to not match the desired policy and hence be allowed. I reviewed the applications recognized on my device, and do not see any new youtube child apps.

This was not happening when we first switched to 3050s, as I thoroughly tested all security policies. My current suspicion is that Google is retooling something with Youtube and it is now behaving differently. If anyone has encountered this or has an explanation I would appreciate it. I decided to try the communities first rather than create yet another support case.

Thanks,
Jake
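To gauge how widespread the misidentification described in the post above is, the traffic log can be summarized per source. The following is an added example, not part of the original post and not Palo Alto Networks code; the CSV layout, field names, addresses and host names are constructed for illustration and do not match the real PAN-OS log export format.

```python
import csv
import io
from collections import defaultdict

# Constructed sample records (NOT the real PAN-OS log layout):
# time, source address, destination reverse-DNS name, identified app, action
SAMPLE_LOG = """\
time,src,dst_host,app,action
2013-07-01T09:00:05,10.1.1.20,host-a.1e100.net,youtube-base,deny
2013-07-01T09:00:40,10.1.1.20,host-b.1e100.net,flash,allow
2013-07-01T09:02:10,10.1.1.20,host-c.1e100.net,flash,allow
2013-07-01T09:03:00,10.1.1.31,cdn.example.com,flash,allow
2013-07-01T09:04:15,10.1.1.42,host-d.1e100.net,youtube-base,deny
2013-07-01T09:05:00,10.1.1.31,static.example.org,web-browsing,allow
"""

GOOGLE_SUFFIX = ".1e100.net"  # reverse-DNS domain named in the post


def summarize(log_text):
    """Per source: denied youtube-base sessions vs. allowed flash sessions
    whose destination resolves under 1e100.net."""
    stats = defaultdict(lambda: {"youtube_denied": 0, "flash_allowed": 0})
    for row in csv.DictReader(io.StringIO(log_text)):
        to_google = row["dst_host"].lower().endswith(GOOGLE_SUFFIX)
        if row["app"] == "youtube-base" and row["action"] == "deny":
            stats[row["src"]]["youtube_denied"] += 1
        elif row["app"] == "flash" and row["action"] == "allow" and to_google:
            stats[row["src"]]["flash_allowed"] += 1
    return dict(stats)


def suspected_bypass(log_text):
    """Sources with allowed flash-to-Google sessions: candidates for video
    traffic that was not identified as youtube-base."""
    return sorted(s for s, c in summarize(log_text).items()
                  if c["flash_allowed"] > 0)


if __name__ == "__main__":
    for src, counts in sorted(summarize(SAMPLE_LOG).items()):
        print(src, counts)
    print("review:", suspected_bypass(SAMPLE_LOG))
```

Sources that belong to the permitted Active Directory group would need to be excluded before acting on the list.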
In firewalls running 3.1.7, I was able to use a custom URL category to create an exception for the domain *.citrixonline.com. I think Citrix Online domains/IPs are the main culprit when SSL decrypt breaks GoToMeeting or another Citrix product. My opinion: When implementing SSL Decryption, create rules that allow for exceptions for both sources and destinations, and the use of a custom URL category is super helpful as well.
Greetings,

This is my first post on KnowledgePoint, so apologies for any breaches of etiquette.

Relevant info: Panorama version 3.1.7

Attempting to use the API to run a report per this article: https://live.paloaltonetworks.com/docs/DOC-1031

I have generated my key with my account used to access Panorama. It is an AD account (not local to Panorama). I have full admin rights to the system (I am primary admin).

I attempt to use the key just generated seconds before to pull a report using this sample URL from the above article:

https://hostname/esp/restapi.esp?type=report&reporttype=dynamic&reportname=top-app-summary&period=last-hour&topn=5&key=keyvalue

I keep getting "key invalid" as a response. I am unsure what I am doing wrong.

I am researching this functionality in an attempt to discern the possibility of providing on-demand reports to users of their own web-browsing activity. Any help is greatly appreciated.

Thanks,
jake