This website uses cookies essential to its operation, for analytics, and for personalized content. By continuing to browse this site, you acknowledge the use of cookies.
For details on cookie usage on our site, read our Privacy Policy
For details on cookie usage on our site, read our Privacy Policy
About acc6d0b3610eec313831f7900fdbd235
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- LIVEcommunity
- About acc6d0b3610eec313831f7900fdbd235
08-31-2022
128Posts
80Likes
19Solutions
Aug 31, 2022Last Visited
User
Activity
User
Profile
Latest posts by acc6d0b3610eec313831f7900fdbd235
| Subject | Views | Posted |
|---|---|---|
| 5368 | 08-09-2017 08:04 PM | |
| 11832 | 07-13-2017 12:45 AM | |
| 3829 | 07-12-2017 01:09 PM | |
| 4014 | 07-11-2017 03:54 PM | |
| 19032 | 07-11-2017 10:01 AM |
My Liked Posts
| Subject | Likes | Posted |
|---|---|---|
| 1 Like | 06-22-2017 08:45 PM | |
| 2 Likes | 07-13-2017 12:45 AM | |
| 1 Like | 07-11-2017 10:01 AM | |
| 2 Likes | 07-11-2017 08:08 AM | |
| 2 Likes | 07-10-2017 12:47 PM |
Posts I Liked
| Subject | Likes | Author | Latest Post |
|---|---|---|---|
| 3 Likes | |||
| 5 Likes |
by
Retired Member
| ||
| 2 Likes | |||
| 2 Likes | |||
| 1 Like |
User Badges
Community Statistics
| Member Since | 10-30-2015 05:59 PM |
| Date Last Visited | 08-31-2022 04:21 PM |
| Posts | 128 |
| Total Likes Received | 80 |
08-09-2017
08:04 PM
Hi @Betchem According to the latest notification I received from my local SE in Vancouver, BC. The eTAC Recommended Release for PAN-OS is PAN-OS 7.1.10. For customers on older code releases, we recommend PAN-OS 6.1.17. We are no longer recommending PAN-OS 7.1.9 per the following advisory: https://live.paloaltonetworks.com/t5/Customer-Advisories/UPDATED-06-19-Important-information-regarding-Content-Apps-amp/ta-p/161418 User-ID Agent 7.0.7 is recommended GlobalProtect 3.1.6 and 4.0.0 are recommended. PAN-OS 8.0: PAN-OS 8.0.0 is the minimum required version for the new VM-50, VM-500, VM-700, PA-220, PA-800 Series and PA-5200 Series. The new User-ID Agent 8.0.x and GlobalProtect 4.0.x are both tied to PAN-OS 8.0 We are still monitoring PAN-OS 8.0.3 as this is a new release, before providing any recommendations EOL Reminder: PAN-OS 7.0 support has been extended and will become EOL on December 4, 2017 I hope this helps, Willian
... View more
07-13-2017
12:45 AM
2 Kudos
Hi @JDominguez Based on your description, there are two applicable options: Standalone Deployment and Small Single Site Deployment. Standalone Deployment This design is typically recommended for initial proof of concept (POC) or a small site with fewer than 3000 Traps agents, use a standalone deployment to install the following Endpoint Security Manager (ESM) components on a single server or virtual machine: • ESM Server • ESM Console • Forensic (quarantine) folder • Database I don't recommend to any of my customers to use this design in production, as it does not provide any redundancy for console or cores. Small Single Site Deployment As per the link you posted, and the official admin guide, this design requires: One dedicated database server One ESM Console for managing the security policy and Traps agents Two ESM Servers, one primary and one backup, on the same network segment as the database server and ESM Console One forensic folder accessible by all endpoints for storing real-time forensic details about security This is the minimal I always recommend to all my clients due to the redundancy aspects and flexibility. Now to your questions. My recommendation is that you adopt the Small Single Site Deployment 1 x ESM Console + Core (Combined) 1 x ESM Core (Redundancy) 1 x Database Server - Notice that SQLITE is no longer supported or recommended by Palo Alto even in POCs; hence, the official recommendation for environments with more than 250 endpoints is SQL Server Enterprise or SQL Server Standard as per the below screenshot. Important: You only can have one console installed. For further details on requirements please refer tothe following for the administrator guide: link: https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/technical-documentation/40/endpoint/endpoint-admin-guide.pdf I hope this helps.
... View more
07-12-2017
01:09 PM
@rrealica I had a meeting with the NSS engineers a few weeks back when the report was released, and the explanation was that it failed or did not do well, during the evasion tests.
... View more
07-11-2017
03:54 PM
Hi @Sadik_Khirbash My apologies for my fat finger. The command is: tail follow yes mp-log ikemgr.log The phase 2 ProxyID is a crucial piece of this configuration, and it would be important for us that you ensure it configured properly. The concern is not the Phase 2 paramenters, but the Proxy ID configuration at this point. That's how your Proxy ID should be configured on the PA-200 side. Run the above command and post the output for us, then maybe we can shine some light on it for you 🙂
... View more
07-11-2017
10:01 AM
1 Kudo
Hi @TranceforLife According to this new feature guide, since PAN-OS 6.1 the "policy-deny" reason, is because the session matched a security policy with a deny or drop action. https://www.paloaltonetworks.com/documentation/61/pan-os/newfeaturesguide/networking-features/session-end-reason-logging In other words, the app-id or port being hit, does not match an explicity policy; hence, it is most likely hitting the interzone-default policy. By the way, the interzone-default policy (at the bottom of the rule base) is not logged by default; however, you can override this configuration. Default Interzone Policy: Default Interzone Read-only: Default Interzone default action: Override Default Interzone-Policy Note: Click the Override button at the bottom of the screen Change Default Interzone default action: The reason I want to log the session at the start is because the action is "Deny" or "Drop", and I don't care about having the full session view in this case. In other words, as soon as the traffic is denied, a log is generated right away and not only at the end of the session. I hope it makes sense. Now to your original question, my point is that the policy-deny reason you are seeing is because the app-id or port is not explicitly placed in an allow policy; hence, it will hit the default deny (Interzone) policy, which is not logged by default, as I stated before. I hope this helps.
... View more
- Tags:
- policy-deny
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
08-31-2022
04:21 PM
|
Latest Tags
LEGAL NOTICES
Copyright 2007 - 2023 - Palo Alto Networks