About rps

How is the traffic recognized in your traffic log, as ssl or as paloalto-userid-agent? There is an application named "paloalto-userid-agent" (or similar) which in case you use a non default port you might need to setup an "application override" for so the PAN will know its userid-agent traffic. However when you setup a policy for this traffic (if reach through one of the interfaces on the dataplane) I think you need to setup both ssl and paloalto-userid-agent as allowed applications. ... View more

What about making the PAN to automatically include subdomains when you create the basedomain in the urlfilter? So you only have to write: youtube.com instead of: youtube.com *.youtube.com ... View more

A workaround to take care of browserbased stuff would be to enable captive portal and set it to "ntlm auth" (in order to make it transparent for the user). Note however that the PAN unit currently only cache the ntlm auth per ip (which means if you have one user per ip then you are safe, but not if you have several users per ip like with terminalservers). I have been told that this (ntlm caching per ip) willl most likely be fixed in upcoming versions (so it will be an option to cache per session instead making it work with terminalservers similar to how Bluecoat does its user-mapping). ... View more

What is on your allow list? Perhaps you have enabled msn2go (or a category/subcategory where msn2go exists in) by accident (which is basically browserbased msn chat), on the other hand I have been told that PAN will have "deny" as highest prio (like if one rule says deny msn and the other rule says allow msn2go then the deny rule should win). ... View more

Not that I have noticed other than that the update server was reeeeally slow wednesday and yesterday. Does it work when you go to "licenses" or "ssl-vpn" and click on check/refresh? Also check monitor->traffic so you dont block any traffic towards the updateservers aswell as in "service route configuration" that you use the correct interface for the updates. ... View more

Are there no applications you can use for this instead? Or is that not an option in your case? Like setup an application filter containing: category: media subcategory: audio-streaming category: media subcategory: photo-video Another method worth investigating might be to setup a custom url-category where you set the urls to: *.mp3 *.mp4 and so on... the downside is the false-positives if you visit a page that ends in lets say .mp3 but its actually an html-page (or for that matter if you have clients running ie who ignores the ending and goes for the magic bytes instead - like an url which ends with .htm but its actually an exe-file and so on). ... View more

Im trying to but its dreadfully slow - several hours to download those 250MB. Are there any plans from PA to have mirrors in lets say Europe (to speed up downloads for customers there)? ... View more

How come? ... View more

Cant you set QoS based on filetype? Because most stuff on windowsupdate is just gif, html etc until you actually starts to download the updates which are .exe or .cab. ... View more

I have been told that active/active HA is on the roadmap but not when it will be available. It seems that it wont be part of 3.1 release. ... View more

Another option would be to setup a /30 net (private ips) between the PAN and the isp and then let the isp route all /24 to the private ip of the PAN. In the PAN you will then setup DNAT and/or SNAT rules regarding if its incoming or outgoing traffic you want to let through. Would look something like: ISP: 10.0.0.1/30 PAN: 10.0.0.2/30 PAN def gw: 10.0.0.1 ISP route: x.x.x.x/24 next hop 10.0.0.2 DNAT x.x.x.101 (server1) -> 192.168.1.101 (traffic towards x.x.x.101 will be destination nated and sent to 192.168.1.101 on the dmz zone) SNAT 192.168.0.0/24 -> x.x.x.200 (traffic from client zone will be source nated into x.x.x.200 (all clients will be hidden behind one ip)) or whatever your network will look like... This way you will have a single (and a straight forward design) connection to the isp and at the same time having your internal zones (dmz + client) to use private ips (the PAN will perform the nating) while the public ips wont change. ... View more

Unfortunately not since its not 2008 boxes, its 2003 boxes But in case using 2008 that looks like a possible workaround for the workaround 😃 ... View more

I guess what you could do if you want to avoid nat for the servers is to setup an interface pair of virtual wire. Like: int1: L3 outside (internet ip's /24) int2: L3 inside (private ip's, nated to outside ip's) int3: vwire1 int4: vwire1 And then get another switch for the outside so it will become switch <- two cables -> PAN <-> one cable to the private ip switch, one cable to the switch for the servers The downside is that this looks a bit "complex", the upside is that if you dont like PAN in front of the servers its easy to just move them like you have it today - no need to change ip addresses, gateways, routing etc... ... View more

Hmpf that was bad to hear since I have an ongoing case where ts-agent is failing after a few hours and a sufficient workaround for that case would be to use ntlm auth instead. However this will fail as long as the PAN unit does the ntlm auth caching per ip instead of per session (which was what both me and the company we have for support believed that the session cookie thingy enhancement in 3.1 would solve regarding ntlm auth). ... View more

Hopefully the session-based ntlm in 3.1 will be a good workaround/replacement for when you cannot use ts-agent. Today the PAN will do the ntlm caching based on ip which along with terminalservers is a very bad thing because you usually have more than one user per terminalserver. The bad thing is that the wrong user is being logged (the PAN unit believes that traffic from one terminalserver is only one user where in fact it can be several users). The workaround until 3.1 is released could be to enable ntlm auth in captive portal and setup policy to allow only the ad-group of users you want to be able to surf (or set it to "known-users"). However note that the logging of which user who did what will be incorrect (but it will work in terms of blocking users who are not allowed to surf). ... View more