This website uses cookies essential to its operation, for analytics, and for personalized content. By continuing to browse this site, you acknowledge the use of cookies.
For details on cookie usage on our site, read our Privacy Policy
For details on cookie usage on our site, read our Privacy Policy
About SimmSimm
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- LIVEcommunity
- About SimmSimm
09-26-2018
26Posts
7Likes
0Solutions
Sep 26, 2018Last Visited
User
Activity
User
Profile
Latest posts by SimmSimm
| Subject | Views | Posted |
|---|---|---|
| 2853 | 09-06-2018 02:05 AM | |
| 2890 | 08-08-2018 06:57 AM | |
| 16772 | 06-01-2018 06:22 AM | |
| 16788 | 06-01-2018 01:50 AM | |
| 4522 | 09-10-2015 01:43 AM | |
| 7719 | 03-20-2014 03:59 AM | |
| 2586 | 01-02-2014 04:22 AM | |
| 2334 | 01-02-2014 04:16 AM | |
| 1628 | 11-21-2013 02:46 AM | |
| 4018 | 07-18-2013 06:53 AM |
My Liked Posts
| Subject | Likes | Posted |
|---|---|---|
| 1 Like | 09-06-2018 02:05 AM | |
| 1 Like | 06-01-2018 06:22 AM | |
| 1 Like | 04-22-2013 03:22 AM | |
| 1 Like | 03-20-2014 03:59 AM | |
| 2 Likes | 07-18-2013 06:53 AM |
Posts I Liked
| Subject | Likes | Author | Latest Post |
|---|---|---|---|
| 1 Like | |||
| 1 Like |
User Badges
Community Statistics
| Member Since | 07-27-2011 05:40 AM |
| Date Last Visited | 09-26-2018 01:56 PM |
| Posts | 26 |
| Total Likes Received | 7 |
09-06-2018
02:05 AM
1 Kudo
For completeness - this was fixed in 8.1.3, along with another issue for clustered servers whereby dynamic updates for anti-virus patterns stopped being installed correctly & evenutally stopped the active node in the cluster accepting commits. 8.1.3 is appearing to be stable, at least for us !
... View more
08-08-2018
06:57 AM
At the weekend I upgraded all our boxes from 8.0.9 to 8.1.2 as we need to make use of the new GP - Split Tunnel by URL features & Enhanced UserId coolness. Yes, I know - this was brave 🙂 Everything seems to be working as expected & as it was pre-upgrade with the exception of logging, where we no longer get the SourceUser in the logs for Traffic or URL logs in two locations. We are using UserId agent version 8.1.2 , & I can see that the IP - username mapping is working as expected via show user ip-user-mapping ip xxxxx from the CLI, the policy is also enforcing user / group rules as expected - however the logging for traffic just has an empty field for SourceUser where pre-upgrade it was populated correctly. This problem appears on our HA 3020 cluster and our HA 3050 cluster (both Active / Passive) - not on our standalone 820 / 500 / 220 which are using the same config & useridagents since the policy is pushed from Panorama to all devices. Anyone have any ideas ? Thanks - Nick.
... View more
06-01-2018
06:22 AM
1 Kudo
Interesting ! having a spare system to play with, I tried that & it does appear to clear out all the other groups ! thanks ! Its not clear to me how they all got there in the first place - but looking at one of our new 820s which started life on PanOs 8, they only have the 31 groups I would expect whilst the older boxes which have been upgrading from the days of 5.x have the full 7,576 so Im guessing you are right - at some point in the past the LDAP lookup has retrieved the whole lot & its never been cleared out since. Thanks. Nick.
... View more
06-01-2018
01:50 AM
Recently upgraded to 8.0.9 from 7.1.x with mutiple devices from PA200 up to PA3050, Using UserIdAgent against an MS domain. managed via Panorama. Started getting notifications in thes system log along the lines of 'User Group count of 7492 exceededs threshold of 1000' In UserId -> GroupMapping I have an LDAP search filter that returns only the groups that are relevant to the firewall, 31 in total, & I can see thats correct via "show user group-mapping statistics" so Im guessing that the 7,492 referes to the user-group-mapping information returned from the UserIdAgent in total, ie for all our users there are 7,492 unqiue groups at the moment. I dont appear to be able to filter the information returned by UserIdAgent to just the groups that the firewall needs to know about. The question is should I be worried - I dont seem to have a problem with the user mapping for the 31 groups of interest on the firewall but I would like to get rid of the alert from the logs + there is a certain amount of information leakage in that firewall administrators can see users full group membership from AD via "show user user-ids match-user" when really they should only be concerned with the 31 groups that control firewall permissions.
... View more
09-10-2015
01:43 AM
A couple of things from my own experience with testing decryption (6.0.14 on the GWs) - - After changing the decryption policy it can need to rebuild the certificate cache as sites are accessed, so you are best to leave off testing for 5 mins or so otherwise you can get odd results - Browser cache can also produce different results (yes - I know SSL results shouldnt be cached, just passing on what I found) so if you get odd results be sure to CTL + F5 Might help ? Nick.
... View more
03-20-2014
03:59 AM
1 Kudo
Ive been finding the service from Brightcloud to be increasingly poor, with odd mistakes & poor response to update requests so Ive been thinking about making the switch myself. Ive been keeping a list of URLs which have been an issue for us over the last couple of weeks & it looks like pandb is producing better results for my test cases than brightcloud - so I think Im going to switch over as part of next months changes. Most of my users are European BTW. Nick.
... View more
01-02-2014
04:22 AM
Well I can confirm that it works fine - The only thing to think about from me is to make sure that the PA200 talks to the internet without the DSL router filtering out traffic - I always try to get a proper external static IP when deploying in that sort of situation but it may not be possible in all cases & so you need to watch out for NAT & router - firewall problems.
... View more
01-02-2014
04:16 AM
I found when updating to 5.0.9 from 4.1.x that some old rules for excluding networks from user id scanning (Network tab -> Zones) reappeared in some strange way - at the time I put it down to me being a bit far fingered, but maybe this applies in your case too ?
... View more
11-21-2013
02:46 AM
Are you using GP client < 1.2.7 ? There's a bug along these lines which is fixed in 1.27 ?
... View more
07-18-2013
06:53 AM
2 Kudos
We have a remote branch office VPNed back to our Datacenter via an IPSEC tunnel between two Palos ; in the DC I setup a separate interface for the branch office traffic on the Palo, the routed the traffic out of the DC steelhead to that interface, down the IPSEC tunnel & out the other end where the second steelhead picks it up. Works fine - Palo identifies the traffic as application riverbed-rios so there may be a gotcha in there if you want to filter by application type (since you cant tell what the original app was once its been processed by the steelhead).
... View more
06-26-2013
12:01 AM
Which properties are you missing ? in 4.11 you can hover over the red/green interface icon & it pops up the speed / duplex ? Things I would like to see (I run 4.1.11h1 mostly): - The ability to log implicit rules so I can get rid of the explicit block all at the end of my policy which causes it to generate a screen full of warnings - or add an option to turn off the generation of spurious warnings on commit. - Port Panorama to HyperV for more deployment options. Panorama should be free IMHO. - Improved logging for high profile events like a reboot so I dont have to guess why the box restarted. - Better QC ; I would much rather have a slower release of new features & better testing to ensure that existing features are not broken. - Allow me to customise the messages generated when dropping SMTP with a Data Filter rule. At the moment it sticks in something about Blocked by PaloAlto firewall which is undesirable. - SSD upgrade options for all the older hardware so I dont have to replace everything to get rid of my 15 min commit time....
... View more
06-19-2013
02:53 AM
That depends on what makes your users different - you can set up different client settings for gateway choice / IPSec vs SSL etc based on username / group membership IF all your users authenticate to one source (Kerberos to AD for example), but if you need to use a completely different authentication method for your different user types then you probably do need a separate portal for each one.
... View more
06-19-2013
12:05 AM
1 Kudo
Still broken in 378-1833, reverted back again. Im told that this was bugged & fixed, but clearly hasnt made it thru to release yet. Maybe next week !
... View more
06-13-2013
01:45 AM
Case with support - 00142213 I should have added that Im on 4.1.11hf1 but I'm not in the the office this week so doing support remotely. I tend to auto install the updates as they appear (Im on UK time) ; its a trade off between having the latest threat patterns & getting the occasional FP ; and I do hear from the users pretty quickly if something is broken, bless them.
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
09-26-2018
01:56 PM
|
LEGAL NOTICES
Copyright 2007 - 2023 - Palo Alto Networks