About TonyDeHart

Interestingly, to add to this, traffic from other firewalls to Panorama is properly tagged as Panorama traffic and NOT SSL.   Palo support is scratching their head over this too so I now don't feel so bad. If I find out what's going on I'll post it here. ... View more

It is on port 3978 but now that I've sat on this a while and looked at the logs again, it appears there may be legitimate SSL traffic on 3978 as not all the traffic is identified as Panorama.  Some it appears to be remaining as SSL over the long term.  When I had initially set this up the SSL was switching over to Panorama so I assume it was ALL identified a Panorama but there appears to be a good deal of both here.  Just seems strange to me that Panorama's own traffic wouldn't be identified as just that and not generically as SSL. ... View more

So why doesn't CASE 1 apply here? It is SSL traffic and then shifts to PANORAMA was my assumption here.  Not doubting your answer just trying to understand as that was how I was reading it - the SSL is implicitly allowed until identified and what I see in the logs is this initial SSL communications on 3978 and then the shift to PANORAMA. ... View more

I guess my question has more to do with why the Implied App isn't actually used in this case.  If I have a rule that specifies PANORAMA as an application and SSL is implicit to that I don't understand why SSL isn't allowed automatically and needs to be explicitly allowed in the rule itself. ... View more

I guess I was assuming APPLICATION-DEFAULTS needs to be set to make sure it is using the correct ports for the applications as listed.  I assume it is failing because of that since SSL wouldn't fail otherwise but if I add SSL and don't specify a port or application default then SSL can run on any port. Do I just need a separate rule for SSL on that specific PORT then? What's the point of the implicit applications then? ... View more

Unfortunately no. It is a Sonicwall at the other end. ... View more

Along with these application rules and use of policy optimizer to sort out traffic, what strategies are people using to get the what the essential applications are for inbound traffic?  I've got a few rules that are port based and should be fairly specific as to the applications used, yet there are 60+ applications listed as seen on the rule.  This doesn't seem likely and in a few instances even looking at the rule doesn't show what I'd expect for an application.   For example, we have an inbound rule to a netscaler for Vmware Horizon traffic and yet I see things like ms-ds-smb-base, mssql-db-base and ssh which isn't likely valid traffic but I see no Blast or Vmware-view application listed when Blast is the only protocol we use and it appears there is an application designation for Blast.   It would seem the inbound rules are the most important to tackle first but the types of services being used requires me to be careful not to break anything mission critical.   For what it is worth, there are Warning Signs (the red triangle) next to many applications that are listed which would seem to be a good indication these aren't valid traffic.    (This may warrant another topic and if so I'll create one.) ... View more

Thanks. The warning icon or some indication as to use of non-standard ports is what I was looking for. It is unfortunate that doesn't show when there is a mix as it certainly makes it much less useful w/o the second rule.  Your suggestion on negating standard ports is what I was doing in the logs I was just hoping there would be a warning indicator or some field you could filter on in the logs too for non-standard port use. ... View more

Maybe I just don't know where to look but is there a way to tell if traffic hits a rule and doesn't fall into the application-default category for an application?  As an example, SSL traffic on a non-standard port - is there a way to filter on something like that? While SSL is easy, other more obscure apps could be more difficult. Is there a way to determine if the traffic matched the application-default ports? ... View more

Unfortunately I have not had a chance to test this but I'll see if I can carve out some time.  I've been in the midst of several decomm's of old(er) devices and have had to concentrate my time on that and other duties but I'm just as curious to see if it works or not.   What version of PAN-OS are you running?  I'm in 10.1.9h1. ... View more

After waiting this out for the day it seems like the old domainname.com user names have finally flushed and I'm getting a consistent domainname\username entry in the logs.   Hopefully it stays this way but so far so good. ... View more

Sorry that was probably confusing - I changed the user domain for the LDAP profile being used by the GP Gateway under Authentication Profiles. Blank did not work but domainname (w/o the .com) worked.   I only have one User-ID source under group mappings pointing to our AD domain.   I'm wondering if the system needs some time to flush out some of the old data/domain info.  An early query I did with show user ip-user-mapping ip x.x.x.x returned the domainname.com\username and just now it returned the more proper domainname\username.  More importantly it shows all the groups that user belongs to properly now too whereas it did not before.   Probably need to monitor this tomorrow and see if it is more consistent and working properly after some time has passed.   ... View more