About rapoint_person

I agree 100% with this one: - Improve FW UI in a way  to allow creation of Rule Sections. Now the rulebase is quickly becoming very confusing. Look at the Migration Tool, that's how It's done (Thanks Albert 🙂 ... View more

Agree that a scheduler on-box would be nice. However, ssh-key auth is available from 4.1. This means that you can automate backups by adding a cron job on an external box. Simple enough. ... View more

I'd say - look at Global Protect if you want a packaged product. If you have the skills/time you could use the API to push computer names and IP in to the PAN. Would require some development time on your end though. ... View more

I'd have to agree. RSA keys and Certificates in general is something I'd like to see. ... View more

Are we talking about virtual desktops or terminal server/citrix here? Please elaborate a bit further on the subject. ... View more

Yes, I have seen that type of behavior a few times. The reason being that the agent is continuously reading the DC/Exchange logs that you point out in the agent configuration. The more complex the environment (number of users, number of polled DC's per agent) will have an impact on how much traffic that is generated. Unfortunately reading the security log is something that can consume quite a lot of bandwidth in some environments. If possible I suggest you try adding one more agent and place it closer to the remote DC/Exchange server. ... View more

Yes, that my friend is in the manual. In the gui simply click the VR, Add the route (network/mask/gw) and commit. Thats about it. ... View more

No, a VR holds both static and dynamic routes, (if used). Lets say your VR looks like this: Route                              Gateway                    Interface 0.0.0.0/0          195.1.2.3        eth1 192.168.20.0/24    192.168.10.5     eth2 195.1.2.1/27                        eth1 192.168.10.1/24                     eth2 In the example above, using anti-spoofing on the zone with eth2 as a member interface would only allow hosts from the directly connected network 192.168.10.0/24 and the nexthop network 192.168.20.0/24 as these two networks are the only ones with valid return routes. The PAN-device extracts the source IP and source interface, (source zone) when the ingress packet arrives. ... View more

Anti-spoofing is not based on any address-book or address-group entry. It is simply based on the routes you have in your VR. In other words you need to compare route tables between your Checkpoint-GW and the PAN-device. ... View more

As you have a Dynamic IP on one of the boxes I suggest you setup aggressive-mode VPN. As the PAN is using a dynamic IP it's best if the PAN inititates the tunnel. ... View more

From what I heard the buffers vary between the hardware models, (no surprice there really). The WFQ ratio should be 24:1 I'm told. When the queues fill upp packets start getting dropped. This can be seen by issuing "show qos interface intname counter". Hopefully Palo will release an official document describing QoS in greater detail and differences between their hardware. ... View more

Doesn't sound like bug. Rather speed/duplex issues. In cases involving a PAN-device and other swithes/routers many of the typical counters showing crc errors, collisions, etc never show any significant number of errors. You however can get any other number of symptoms: Some applications work, others do not, broken sessions, etc, etc Check speed/duplex on all connecting equipment ... View more

Enable user identification in the zone where you have your tunnel interface (for the SSLVPN portal) and specify the IP-pool network as well. After that you should have your SSLVPN users in ACC/Log ... View more

Have you looked in the ACC or in the URL log and verified you actually have the event logged? Did you look at the correct time frame when generating a custom report or using ACC? Start searching the URL log with something simple: (category eq adult-and-pornography). ... View more

If you only have a "limited" number of forbidden sites, why not create apps of these sites and then use the custom apps to allow/deny access? ... View more

With regards to size and power consumption those numbers are in the spec sheets. If the boxes are going to be clusterad (A/P) it costs two interfaces in each box. One for heartbeat, one for sync. Also rememeber management usually is configured on a dedicated interface on each box. ... View more

Well, you are almost right Yes, the PAN-device can and must exist within the same subnet as your default gateway (Palo IP *.2 vs default gw IP *.1). No, it doesn't "listen" to all available public IP's (proxy-arp for those IPs in the public subnet). It does however proxy-arp (listen) for for those IP's where you explicitly create NAT-policies. You can create NAT-policies by having loads of IP's on your public (internet facing) interface. Another, more practical approach would be to have address book entries for both the public and private IP of the servers/hosts you wan't to NAT between. Example: OWA_Pub = 195.x.y.5/32 OWA_Priv = 10.x.y.5/32 NAT policy to access OWA could look like: From: Untrust_Zone To: Untrust_Zone From: ANY (IP) To: OWA_Pub NAT: Destination OWA_Priv Security Policy could look like: From: Untrust_Zone To: Trust_Zone From: ANY (IP) To: OWA_Pub Action: Allow ... View more

Nice to see I'm not the only one that is complaining about: -Documentation with proper real-life scenarios/examples. Detailed explanation what different settings does and why they should be used or not. -QA has been mentioned. I agree as well. I'd like to see: -The ability to block/act on ongoing attacks directly from the session browser and log (traffic/threat). IE, block offending IP for X hours. -Better exceptions for Threats. I'd like to be able to create an exception for a particular threat in conjunction with a source and/or destination IP. -If possible, Better reporting/logging for DDoS/Zone protection. -commit timer. I'd like to be able to commit with a timer value. If a second commit hasn't been performed within the specified time, the box automaticaly reverts to the previous version. -Multiple Captive Portal "profiles" -Bulk set security profiles in CLI, (example: set rulebase security * from trust to untrust profile-setting profile ......) This helps making changes in large rulebases. ... View more