About jteetsel

jteetsel · ‎11-27-2018

This is how I got it to work. The objective was to disable NetBIOS over TCP for all Windows systems. The Vendor Class ID determines which systems inherit the setting. "MSFT 5.0" is equal to all Windows 2000 machines and up.

jteetsel · ‎12-18-2013

This was a rare issue for one platform involving non-tcp\udp traffic. The details of this fix are located in the release notes for 5.0.8 54347- Extremely large amounts of traffic (Exabytes, or Billions of Gigabytes) were showing up in the ACC tab and logs for users. An issue where the date of record showed as starting in 2031 caused the incorrect counter of traffic, due to the date being set in the future. Date verification is now supported to prevent this from occurring.

jteetsel · ‎12-18-2013

Hi Larry, I've taken a look at the cases in question. It appears that the traffic was being blocked because there was no policy in place to allow this traffic. The reason the engineers added 'any' to the application list on the policy is so that you can identify which applications you need to allow. You will see the type of traffic (which applications) are hitting this policy in the traffic log. Once you identify and decide which applications you want to allow you can then update the policy at the top to allow only those applications rather than 'any'. Anything else will hit the deny rule.

jteetsel · ‎11-01-2013

Hello, how far back do your traffic logs go? Under Monitor > Traffic use the below filter and adjust the date to find out how far back they go: ( receive_time leq '2013/11/01 15:46:17' ) leq = less than or equal to You can also run the below command from the command line: show log traffic direction equal forward This will show you the oldest log entry

jteetsel · ‎09-23-2013

Hi depps, you cannot decrypt based on application since the PAN would need to decrypt the traffic to see what app it is in the 1st place. You would need to create a security policy to allow drop box for the source users in question, then create another policy that denies the app for the rest. For your non decryption VIPs, you could create a decryption policy that contains to the users in question (in the source) with the action of 'no-decrypt'. Then another policy below that that applies to the rest of the users below this policy, with the action set to 'ssl-forward-proxy'

jteetsel · ‎09-03-2013

Hello, wild-fire uses the threat logs. In your case the quota would be 16% (13GB)

jteetsel · ‎08-14-2013

Got it, I must have missed that part..Are you nating when going between zones? Is 10.0.0.49 the IP of the server you are connecting to or the ip of the PAN?

jteetsel · ‎08-14-2013

Hello, you need need to setup a user ID agent to collect user > IP mappings. This can be done with the internal user ID Agent built in to the device or by using the external Windows User ID Agent.

jteetsel · ‎08-13-2013

Hi Bob, if your not using decryption on the PA its likely that its not the firewall causing this. What happens when you browse to the site from a system on the same network segment that does not traverse the PA? Did the VM hosting the site move to a different ESX recently? I've seen the certs get screwed up after moving a VM and having to re-install the cert locally.

jteetsel · ‎08-09-2013

Hello, I may be a little late but this should work for both OWA and Active sync connections, The most common reason for the Exchange mappings not appearing is that logon events are not being audited on the Client Access Server. The user ID agent uses events 4624 or 4648 to collect user to IP mapping info. If your Exchange Server is not a domain controller the auditing for such events it likely to not configured.

jteetsel · ‎08-07-2013

That is correct, GotoMeeting is excluded from ssl decryption as it is not supported at this time.

jteetsel · ‎08-07-2013

Hello...I assume you have the endpoints configured to use the floating IP? In either case the floating IP will bind the preferred node so the tunnel will only be active on one node. During a fail-over the tunnel would need to be brought up manually or by generating interesting traffic that triggers the tunnel to come up. An alternative could be to set up 2 different tunnels on each node using the real IPs. Sessions using the tunnel on the failed node may still need to rebuild during a fail over.

jteetsel · ‎08-06-2013

This is correct, once you get the the job id you need to read the results of this job using the below string: (replace the xx with your variables) https://.x.x.x.x/api/?type=log&action=get&job-id=xx&key=xxxxxxx

jteetsel · ‎08-05-2013

If you need to create a key for an existing account on the PAN see below for an example assuming you use the account named "admin" https://x.x.x.x/api/?type=keygen&user=admin&password=******

jteetsel · ‎08-05-2013

Once you kick off the report using the API, make note of the Job id...you then need to read the report data using the job ID..see below for an example https:// <panIP>/api/?type=log&action=get&job-id=<job id>&key=<your account key>

jteetsel · ‎07-29-2013

I would take a look at the placement of the policy that's blocking the traffic...It could be that the policy blocking this traffic is sitting above the policy that allows it. If not, take a closer look at the policy that's supposed to allow it and find out why the traffic is not not hitting it.

jteetsel · ‎07-29-2013

Hello, the application will be listed as not-applicable if the traffic is being blocked via a rule that uses source\destination IP or zone as the criteria, with application "any". This happens because the traffic is blocked before it hits the content engine. The only time a block rule will show the application being blocked is when the application is the deciding factor on weather the traffic is blocked and is specifically listed in the application(s) for the policy. Thanks John

jteetsel · ‎07-29-2013

Hi Johan, that is the only work around. It works pretty good in most cases. Thanks John

jteetsel · ‎07-29-2013

Hi Justin, I believe gotomeeting should be excluded from ssl decrypt by default via the exclude cache. Are you sure the GTM session is actually getting decrypted? You can tell using 'show session all filter source <source IP> ssl-decrypt yes' This will show you all decrypted sessions for the source host. If you want to exclude something from ssl decrypt but you don't want to use destination IP or url category you can use the SSL Exclude Certificate. You need to confirm and obtain the ssl cert that the application\site uses, import that cert into the PAN then check the "SSL Exclude Certificate" box for the cert. This should exclude anything that uses that cert. Let me know if you have any questions. John

jteetsel · ‎07-22-2013

Hi Zn, the Palo Alto cannot force a user to open a browser and visit a site. We can only redirect the user to the CP login page if they do. You would need to inform the users to open a browser and sign in to CP. Thanks John

jteetsel · ‎07-21-2013

That’s correct, the CP intercept\logon page can only be displayed via a browser. You would need to deny Skype\Gtalk for unknown users in your security policy and force the users to hit a http\https page before expecting any internet dependent applications to function, this would force them to authenticate via CP before doing any web based type activity . This is usually how hotels do it.

jteetsel · ‎01-15-2013

Hello, It may not be this simple but here are the basics...1 st you need to create a tunnel interface that belongs to the zone that you want your vpn connections to terminate to. Some people use the trust zone others create a separate zone. 2 nd you need to create an iKE gateway that uses your physical untrusted interface that will connect to the peer, this is also where you setup your Peers IP address and the pre-shared key. 3 rd create an IPSec tunnel bound to the tunnel interface that you created and select the IKE gateway you created. The key type is usually auto. 4 th set up your proxy IDs. ..These should be the source and destination network address for the networks on either end of the tunnel. This will be the inverse of what you have on the Cisco end..known as the interesting traffic or encryption domain.

jteetsel · ‎01-11-2013

The redirect host will be an L3 interface on the firewall. Weather its a trusted or untrusted interface depends on where the CP clients are coming from. If your case you want to use an untrusted interface since your CP clients are coming from the outside. Also, in your CP policy should have 'outside' for both your source and destination zones since the destination address is your public IP.

jteetsel · ‎01-10-2013

Below is a pretty good document with some details regarding Captive Portal, it has not changed very much since 4.0: Starting on page 19 is how to configure. Use your traffic monitor to see which source and destination zones are used for the incoming connections for the server in question. Make sure your source and destination zones in your CP policy match what you see in the traffic log. Also, check the following: Make sure captive portal is 'enabled' under Device > User Identification > Captive Portal Settings Make sure that User ID is enabled on the source zone under Network > Zones (should be your untrusted zone in your case) Make sure the host name or IP address you specify for the "Redirect Host" is accessible to the public. If you use a host name make sure it has a resolvable public DNS record Make sure that the interface being used for the Redirect host is using a management profile that has response pages turned on ( Network > Interface Mgmt > Profile Name ) The interface profile is configured under Network > Interfaces > Interface Name > Advanced > Network Management Profile Hope this helps

jteetsel · ‎01-09-2013

Hi Rod, If your intention is to prompt a CP login page for inbound connections from the internet to a system that you have created a destination nat for you Captive Portal policy would like like this: source zone = Untrusted zone source address = blank or whatever the public IP the traffic is comming from (if you want to be specific) Destination Address = The Public IP for your server on the inside (not the private address) Service = the service you are exposing (http,https) This will force any connections coming from the outside to that public address to be faced with a CP login. If the public address is shared between other systems on the inside be careful to be specific with the Service on the CP policy Hope this helps John

jteetsel · ‎12-28-2012

The ActiveSync logon event is recorded in the security log on the domain controller that the Exchange server was connected to at the time of the connection, the problem is that it records the IP address of the Exchange server rather than the IP of the connecting device. When you set up which DCs to query (under Discovery) in the user ID agent you have the option to select the server type, in this case choose Exchange as the type and the host name or IP address of your Exchange server running the client access server role. This will tell the agent to query the exchange specific logs for the logon event. I believe it queries the IIS logs for this info. Let me know if this helps. Thanks John

jteetsel · ‎12-27-2012

Hi Bob, the front end exchange server should log the event in the security log. Starting in version 4.1 the user ID agent has an option to point to an exchange server for this purpose.

jteetsel · ‎12-14-2012

Hello, you can assign a role to a device group which can in turn can be assigned to a specific vsys.

jteetsel · ‎12-11-2012

Also, give the following doc a look:

jteetsel · ‎12-11-2012

Hi Aaron, have you tried putting the values separately in the Custom Patterns object?

Date Registered	‎05-29-2012 05:09 PM
Date Last Visited	2 weeks ago
Total Messages Posted	39
Total Likes Received	15

Online Status	Offline
Date Last Visited	2 weeks ago

Strata

Prisma

Cortex

About jteetsel