About dtopohaverford

Just looking of for clarification around google-docs app IDs. If I allow the google-docs container ID in a policy\app group...I'm essentially including ALL the child apps contained within.... correct. ??? No need to explicitly specify the child apps ???   ie.... google-docs-base   google-docs-uploading   google-docs-editing  etc etc    Appreciate this -- as rudimentary a question as it is. !     Dennis ... View more

Hello all...   I find myself in a bit of quandary on how to deal with blocking\inspecting various SSL based urls for our student BYOD users.   I realize I need to decrypt the traffic in order to take action on it... but our problem lies with how to deal with certs....and keeping browsers happy with an intact trust chain.   PA support told me that I must either user an Enterprise CA ...or...export and import the trusted cert on all our devices. Since we are BYOD....and have no managing capabilities on student owned devices, neither option is possible.    How can one best manage large groups of students attempting to go to bad sites!? I simply want to block off some youtube channels and things of that nature. Things that slip through safe search.....etc   I thought for a second that obtaining say a go daddy cert that maps to a domain name that we own (ie ourfirewall.ourschool.org) - map that name to our inside interface IP in our on prem split zone dns - and see if that would work. I'm thinking the cert will still come up as invalid since the signing source of the traffic would be a private ip address, and not necessarily the dns name. (Although...I'm just not sure) ????   Another option is to try and devise a method to import a self minted cert into the devices in an easy fashion - if that exists. We have an Aerohive wifi infrastructure .... perhaps there's a way to present a 3rd party cert to connecting devices- something a user can simply accept and import...and continue browsing.   Hopefully there are others out there that have some experience with this and can shed us some light!   Thanks in advance..Dennis   ... View more

Hello All...   We are looking for a solution for a medium sized private school (k -12) to track users web activity. We'd want to be able to go back a week or so..nothing crazy. But would love to be able to get a report on a site\url and see what user visited that site and when. And of course, vice versa-- seek out a particular user and see what they visited and when. Here's our infrastructure breakdown: We are an Aerohive shop... half our devices we own, and about half are BYOD...where the students bring whatever. Includes Macs, Chromebooks, phones, PC laptops etc. Our perimeter unit is a Palo Alto 3020- however, we do not authenticate users via the firewall. For url\category filtering, we base it all on IP address and what vlan\sub net you are on. Each school building has student, faculty and guest wireless subset. We authenticate wireless access via 802.1x using Archive radius enabled APs and our Active Directory...users are placed in the correct vlan based on AD group and Aerohive polices.     What I've done so far on our PAN for a basic test was to just configure a category for alerting ...shopping in this case..so that I can get some logging going. I then ran a report on my own IP. While the info is great, it doesn't tell me specifically "when" I visted a site. Also, if we wanted to run a report on a certain site to and capture what users visited that site in a givin time period...I don't see a way of doing that.  Also, if we were to enabel logging on all allowed categories for all connected users\subnet ranges, I'm cerain this would whack our performance..so not sure if that's even feasible.    Anyway...just looking for a way to leverage our PAN is possible, and acheive the before-mentioned reports....or, if there are other better suited solutions out there.... would be great to hear about those too.  Thanks much....Dennis... ... View more

          Not sure this is the right venue or forum to post this, but I’m looking to set up an automated failover to a backup ISP line per the attached network diagram of my environment.   I’m new to PAN and the PAN way of doing things so thought I’d reach out for some advice before making changes. It’s quite hard, compared to Cisco, for example, to find a lot of content , blogs or user support forums on PAN configurations etc. I did find this article here…. and it’s almost what I want to do.   https://www.paloaltonetworks.com/documentation/61/pan-os/pan-os/policy/use-case-pbf-for-outbound-access-with-dual-isps.html   The article talks about using a PBR with a monitor - and when the monitor (ie a ping to the next hop gateway of the main ISP) fails, internet bound traffic is routed via the default static route to the BackUp ISP. All makes sense….except the part about using a “negate” statement for your internal servers….so that traffic to those local servers would not use the PBR. Why would it? That local traffic bound to those servers would not even hit the firewall to begin with. So that’s something I’d like to clarify.   Also,,I could achieve this config using a single Virtual Router? With a static default router out to my BackUp ISP modem\router….and return  routes to my internal subnets... then config a PBR to route all my ISP bound traffic via the Main ISP?? Am I understanding this correctly?   And I’m thinking my NAT rule only needs to apply to the MAIN isp interface (Int 7) since I won’t need NAT for the BackUp ISP interface (int 😎 - the Natting is done on the modem\router for the BackUp ISP.   Anyway….really appreciate any guidance from more seasoned PAN people ) Thanks and look forward to your responses !   Dennis…. ... View more