Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Live
- ›
- About tezza
About tezza
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
2 weeks ago
18Posts
3Likes
0Solutions
May 19, 2020Last Visited
User
Activity
User
Profile
Latest posts by tezza
| Subject | Views | Posted |
|---|---|---|
| 772 | 05-15-2018 09:14 PM | |
| 1087 | 11-05-2017 01:44 PM | |
| 1669 | 02-27-2017 03:48 PM | |
| 1685 | 02-23-2017 01:27 PM | |
| 1737 | 02-22-2017 11:45 AM |
My Liked Posts
| Subject | Likes | Posted |
|---|---|---|
| 1 | 07-22-2014 06:02 PM | |
| 2 | 02-23-2016 05:02 PM |
Posts I Liked
| Subject | Likes | Author | Latest Post |
|---|---|---|---|
| 1 | |||
| 1 | |||
| 1 | |||
| 3 | |||
| 2 |
User Badges
Public Statistics
| Date Registered | 10-22-2012 08:22 PM |
| Date Last Visited | 2 weeks ago |
| Total Messages Posted | 25 |
| Total Likes Received | 3 |
02-27-2017
03:48 PM
@gwessonyou are correct we could just change the service to any but this is a security comprimise as we do have multiple application in this rule. The reason we are using application default is we need to specify the ports to adhere to our security requirements. @OtakarKlieryou are also correct as we currently have rules to allow these applications over port 443 but these rules are becoming cumbersome to manage. Update also I am told these 2 feature requests might be the fix. FR ID : 2636, this is to dynamically update the port information and allow the traffic. FR ID : 3914, Ability to Clone an existing App-ID (not custom) and change name and ports. Anyone else want to get their SE to put in a vote for these?
... View more
02-23-2017
01:27 PM
This is not my experience. We are currently running 7.0.10 in any case. I will give an example. Rule Source: Trust Zone, Specified Addresses, and Trusted User --> Destination: Untrust Zone, Any Address, Application http-video (plus other apps), Application default | Allow, with security profile enable as well. 1. User browses to a news website www.stuff.co.nz and tries to view an article with a video embedded. 2. The video uses the application http-video (Applipedia says port 80 only) but the provider of the video uses https for the link to the video which puts it on port 443. 3. The Palo alto firewall decryptes the traffic and recognises the application as http-video but the port that it is using is 443. 4. The firewall then blocks the application because the port is not the application default as its expecting port 80. Given I would prefer to decrypt this sort of traffic as otherwise it just shows as SSL rather than http-video, how would I fix this without creating new rules for each application I have this issue with?
... View more
02-22-2017
11:45 AM
After enabling decryption recently we started to have a few issues with applications being identified incorrectly. A few common examples of this are sap, http-video and http-audio These end up being blocked with "application default" for the service, this appears to be because in some instances sites use https anyway and once these apps are decrypted they show as going over port 443 rather than 80 which makes sense but is contrary to the app-id signatures default ports. I know we can create rules for applications like this to allow them specifically but this is starting to become very time consuming to create a rule for every application that has this issue. Is there a way to allow this traffic while still inspecting it with some sort of override? it feels a little like there should be a http-video (Decrypted) or https-video application. I think it would be great to be able to create an application signature that overrides default settings, this would allow you to pick pre existing application signature and override the default ports for example. We can then add this overriden application to a pre-existing rule. Is there another work around for this I have missed?
... View more
02-23-2016
05:02 PM
2 Kudos
Bump
Feature requests would be so much easier online, why not let the people actaully using your products help you shape it?
You could have a voting feature to count the customers requesting it.
Cheers
... View more
02-23-2016
04:50 PM
@HULK wrote:
Hello Natti.
As per my understanding, This feature is still not available with PAN-OS software. If this could be something that will be useful in your environment, you can ask to your Palo Alto Sale Engineer ( SE) and raise a feature Request for the same. The SE will log the feature request with Product Management on your's behalf and act as an advocate.
FYI..
This feature is still not available, that is why if you enable PPPoE, IPv6 tab will be no more available.
Hope this helps.
Thanks
This isn't exactly a solution its a not currently possible, would be better if IPv6 existed as a feautre for PPPoE, I dont really understand why it doesn't given other brands have done this for years, It should also be added to the IPv6 compatibilty chart so people know about it.
... View more
07-22-2014
06:02 PM
1 Kudo
That's perfect for a policy level but what about at Management Profile level for the interfaces.
... View more
07-17-2014
09:06 PM
Hi, Can anyone please tell me if there is a way to stop my PA from responding to ICMP type 13 and 14 timestamp requests/replies? Cheers
... View more
Labels:
07-16-2014
08:34 PM
Also found this article if just so we get all the information in one post. Does PAN Device Support FIPS Mode? I must say I have had a good scan of the admin and global protect guides there is very little mentioned about FIPS, its not like it says oh by the way if you want you firewall to pass security audits you might want to enable FIPS. The bigger question is why doesn't Palo Alto firewalls with global protect enabled pass audits by default!
... View more
07-16-2014
08:30 PM
OK I can see what FIPS might fix the issue but why the heck do I need to reset the configuration of my firewall just to do it? Also why is this not enabled by default? I'm guessing it breaks some features, is this usual in other brands of firewall?
... View more
07-15-2014
08:27 PM
Hi, I would really like an answer to this considering this is supposed to be a security product in the first place and I see several people have already asked the question. We have just had a security audit completed by a third party, they highlighted 2 issues with the address that our global protect portal and gateway reside on. SSL server accepts connections that use: 1. Rivest Cipher RC4 2. Cipher-block chaining (CBC) mode I noted that these 2 are similar questions that dont really have an answer, one tries to answer it but I'm not sure what FIPS is and enabling it (How to Enable or Disable FIPS Mode) sounds like a nightmare considering according to this article it erases your config and puts you back to defaults? Qualys Scans SSL Weak CBC Mode Vulnerability Is there a good way to fix this, maybe someone can answer all three posts by answering mine!
... View more
Labels:
07-14-2014
10:32 PM
Hi, I have been tasked with creating a report out of our Palo Alto firewall that shows the following. For a period of 1 month Users Hours\Sessions on a website Top 20 visited websites. Top 20 Categories. We are using the user agent so all the data should be there, I can see some of it but getting this into a format that easy to read for a CEO? Can someone please help me?
... View more
- Tags:
- reporting
Labels:
05-05-2013
02:25 PM
Has anyone seen this happening, threat logs seemed to have stopped logging new information.
... View more
Labels:
11-04-2012
03:40 PM
Thanks this works for me very useful, we have Sophos Antivirus and the update manager user was causing issues, this really needs to be added as a GUI feature to the agent, or even to the agent documentation/help.
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
2 weeks ago
|
Latest Blogs
Latest Posts
Copyright 2007 - 2020 - Palo Alto Networks
