About u10723

I have only 28,000 active session at this time, which isn't a lot, and my CPU is roughly between 70-80% constantly.  We are in our summer semester at school which doesn't have a lot of users on our network. I am nervous when people return in the fall they will be greated with slow internet and possibly crash the Palo Alto. We are running two Palo-Alto's both running 4.1.6 in Active/Active mode behind ASA 5580's.  The only action the PA's are taking is security policies.  No QoS, NAT, DLP, or any other process that would require high processing. My current rules are as follows: Servers-IN: outside > inside servers allow - no filtering and no server response inspection Servers: inside servers > outside  allow - no filtering and no server response inspection BLOCKING: any to any Deny - deny any P2P applications Data-Traffic inside > outside - allow - scanning for URL, Malware, Virus Data-Traffic outside > inside - allow - scanning for URL, Malware, Virus Student-Wireless student-wireless > outside - allow - scanning for URL, malware, virus I was running 4.1.2 and had 100% CPU which was crashing my PA and after digging in the forums found it was a software bug and upgraded to 4.1.6.  I hope this is a bug as my max sessions shows over 220,000. Any help would be greatly appreciated.  P.S. I have read the other threads regarding this issue, but they were on 4.1.2 which had a known bug. ... View more

I have setup two rules for blocking bittorrent on a particular zone.  First rule is set to Deny Trust to Untrust using an application filter built with P2P applications.  Second rule is set to Deny Untrust to Trust using the same application filter.  I am able to block any uploading content, but the filter doesn't block any torrents from downloading.  From the trust side, i also have a URL filter setup to block P2P websites.  So if a user starts a bittorrent session, then brings the torrent to our network then the session will download fine, but not upload.  Any suggestions on how to fix this? ... View more

Our students that use our wireless must authenticate to Cisco ACS using their domain credentials before gaining access to the network.  How can I setup my User-ID agents to properly log the student wireless name and ip?  Will this need to be a change on the domain controller, acs, or the pan-agent? Thanks for any advice! ... View more

In regard to user identification of traffic, older implementations of PAN we would install the PAN-Agent, but after reading a bit more on the 4.1 it seems I would no longer need to use the agent in an Active Directory installation. Is there any documentation on how to do this for multiple DCs in multiple domains?  We are in the midst of a domain transition. If the agent is still required for 4.1 installations?  If so what premissions are needed on the member server, user, and domain controllers for it to work?  If the agent is not required are there any limitations to the number of DCs that can be added to the groups?  Can I also use the new way of doing profiles to allow usernames to have certain levels of administration of the appliance itself? ... View more