About jteetsel

This is how I got it to work. The objective was to disable NetBIOS over TCP for all Windows systems. The Vendor Class ID determines which systems inherit the setting. "MSFT 5.0" is equal to all Windows 2000 machines and up.   ... View more

This was a rare issue for one platform involving non-tcp\udp traffic. The details of this fix are located in the release notes for 5.0.8 54347- Extremely large amounts of traffic (Exabytes, or Billions of Gigabytes) were showing up in the ACC tab and logs for users. An issue where the date of record showed as starting in 2031 caused the incorrect counter of traffic, due to the date being set in the future. Date verification is now supported to prevent this from occurring. ... View more

Hi Larry, I've taken a look at the cases in question. It appears that the traffic was being blocked because there was no policy in place to allow this traffic. The reason the engineers added 'any' to the application list on the policy is so that you can identify which applications you need to allow. You will see the type of traffic (which applications) are hitting this policy in the traffic log. Once you identify and decide which applications you want to allow you can then update the policy at the top to allow only those applications rather than 'any'. Anything else will hit the deny rule. ... View more

Hello, how far back do your traffic logs go? Under Monitor > Traffic use the below filter and adjust the date to find out how far back they go: ( receive_time leq '2013/11/01 15:46:17' ) leq = less than or equal to You can also run the below command from the command line: show log traffic direction equal forward This will show you the oldest log entry ... View more

Hi depps, you cannot decrypt based on application since the PAN would need to decrypt the traffic to see what app it is in the 1st place. You would need to create a security policy to allow drop box for the source users in question, then create another policy that denies the app for the rest. For your non decryption VIPs, you could create a decryption policy that contains to the users in question (in the source) with the action of 'no-decrypt'. Then another policy below that that applies to the rest of the users below this policy, with the action set to 'ssl-forward-proxy' ... View more

Got it, I must have missed that part..Are you nating when going between zones? Is 10.0.0.49 the IP of the server you are connecting to or the ip of the PAN? ... View more

Hi Bob, if your not using decryption on the PA its likely that its not the firewall causing this. What happens when you browse to the site from a system on the same network segment that does not traverse the PA? Did the VM hosting the site move to a different ESX recently? I've seen the certs get screwed up after moving a VM and having to re-install the cert locally. ... View more

Hello, I may be a little late but this should work for both OWA and Active sync connections, The most common reason for the Exchange mappings not appearing is that logon events are not being audited on the Client Access Server. The user ID agent uses events 4624 or 4648 to collect user to IP mapping info. If your Exchange Server is not a domain controller the auditing for such events it likely to not configured. ... View more

Hello...I assume you have the endpoints configured to use the floating IP? In either case the floating IP will bind the preferred node so the tunnel will only be active on one node. During a fail-over the tunnel would need to be brought up manually or by generating interesting traffic that triggers the tunnel to come up. An alternative could be to set up 2 different tunnels on each node using the real IPs. Sessions using the tunnel on the failed node may still need to rebuild during a fail over. ... View more