This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Cookie Policy. Click Preferences to customize your cookie settings.
About JohnP
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- LIVEcommunity
- About JohnP
08-10-2021
7Posts
2Likes
0Solutions
Aug 10, 2021Last Visited
User
Activity
User
Profile
Latest posts by JohnP
| Subject | Views | Posted |
|---|---|---|
| 3508 | 02-10-2012 06:25 AM | |
| 3957 | 02-08-2012 03:41 AM | |
| 4183 | 01-27-2012 02:40 AM | |
| 3782 | 07-29-2011 11:07 AM | |
| 4304 | 07-27-2011 05:33 AM |
My Liked Posts
| Subject | Likes | Posted |
|---|---|---|
| 1 Like | 07-22-2011 01:20 AM | |
| 1 Like | 07-21-2011 05:36 AM |
User Badges
Community Statistics
| Member Since | 07-13-2011 05:41 AM |
| Date Last Visited | 08-10-2021 01:25 PM |
| Posts | 7 |
| Total Likes Received | 2 |
02-22-2019
06:18 AM
John, Do you work in this with new versions of PAN-OS? best, Tiago
... View more
04-26-2012
09:59 AM
We are hoping to include the fix in the 4.1.7 Panorama release. If FF fixes the bug before we release the fix then you will have an earlier solution. We are sorry for missing the code checkin to Panorama which resulted in the fix only being in PAN-OS for 4.1.5.
... View more
05-11-2012
12:22 AM
Rumours says (at least the ones I have heard :P) that PANOS 5.0 will somewhat address this dependency jungle out there so you wont need to open up more than necessary. For example where you today must open web-browsing + facebook (which would allow basically any HTTP surfing which doesnt have its own appid) in a single rule you then will only need to open for just facebook. The PA would then allow a couple of web-browsing packets, enough to identify facebook and if its still not identified after a couple of packets it would deny the session. However if this is true or not or even involves the skype detection I dont know, hopefully someone from PAN can answer this? Otherwise I totally agree with you. One of (many) good things with using a PA box is the ability to block unknown traffic. But this will be spoiled if you are forced to allow unknown just to make detection of (for example) skype (among others) to work. But this whole appid stuff (no matter if its the one PAN uses or from some other vendor) is a bit sketchy - thats why you should NEVER allow "service:any" even if you use appid but set at least "service:application-default" or even better manually define which ports should be allowed. A simple test you can do on your own is if you allow web-browsing to any port for a server. Your "http-like" request can be "a b c" (that is a[space]b[space]c) followed with two enter strokes. This packet will bypass your PA and hit your server. Not until the server replies with "Error 400, Bad Request" the PA will know that "oh this was supposed to be web-browsing but doesnt look anything like it" and block the response from the server to reach the client (and at the same time drop the whole session).
... View more
07-22-2011
01:20 AM
1 Kudo
Yes it is completely possible, I believe a guide is https://live.paloaltonetworks.com/docs/DOC-1166 In a nut shell the account you set to run the agent service must have read / audit rights on your security logs on your DC (but no other elevated rights)
... View more
LEGAL NOTICES
Copyright 2007 - 2023 - Palo Alto Networks