About tezza

tezza · ‎05-15-2018

This rule worked for me, stuck on this version for now.

tezza · ‎11-05-2017

This worked for me thank you very much

tezza · ‎02-27-2017

@gwessonyou are correct we could just change the service to any but this is a security comprimise as we do have multiple application in this rule. The reason we are using application default is we need to specify the ports to adhere to our security requirements. @OtakarKlieryou are also correct as we currently have rules to allow these applications over port 443 but these rules are becoming cumbersome to manage. Update also I am told these 2 feature requests might be the fix. FR ID : 2636, this is to dynamically update the port information and allow the traffic. FR ID : 3914, Ability to Clone an existing App-ID (not custom) and change name and ports. Anyone else want to get their SE to put in a vote for these?

tezza · ‎02-23-2017

This is not my experience. We are currently running 7.0.10 in any case. I will give an example. Rule Source: Trust Zone, Specified Addresses, and Trusted User --> Destination: Untrust Zone, Any Address, Application http-video (plus other apps), Application default | Allow, with security profile enable as well. 1. User browses to a news website www.stuff.co.nz and tries to view an article with a video embedded. 2. The video uses the application http-video (Applipedia says port 80 only) but the provider of the video uses https for the link to the video which puts it on port 443. 3. The Palo alto firewall decryptes the traffic and recognises the application as http-video but the port that it is using is 443. 4. The firewall then blocks the application because the port is not the application default as its expecting port 80. Given I would prefer to decrypt this sort of traffic as otherwise it just shows as SSL rather than http-video, how would I fix this without creating new rules for each application I have this issue with?

tezza · ‎02-22-2017

After enabling decryption recently we started to have a few issues with applications being identified incorrectly. A few common examples of this are sap, http-video and http-audio These end up being blocked with "application default" for the service, this appears to be because in some instances sites use https anyway and once these apps are decrypted they show as going over port 443 rather than 80 which makes sense but is contrary to the app-id signatures default ports. I know we can create rules for applications like this to allow them specifically but this is starting to become very time consuming to create a rule for every application that has this issue. Is there a way to allow this traffic while still inspecting it with some sort of override? it feels a little like there should be a http-video (Decrypted) or https-video application. I think it would be great to be able to create an application signature that overrides default settings, this would allow you to pick pre existing application signature and override the default ports for example. We can then add this overriden application to a pre-existing rule. Is there another work around for this I have missed?

tezza · ‎02-23-2016

Bump Feature requests would be so much easier online, why not let the people actaully using your products help you shape it? You could have a voting feature to count the customers requesting it. Cheers

tezza · ‎02-23-2016

@HULK wrote: Hello Natti. As per my understanding, This feature is still not available with PAN-OS software. If this could be something that will be useful in your environment, you can ask to your Palo Alto Sale Engineer ( SE) and raise a feature Request for the same. The SE will log the feature request with Product Management on your's behalf and act as an advocate. FYI.. This feature is still not available, that is why if you enable PPPoE, IPv6 tab will be no more available. Hope this helps. Thanks This isn't exactly a solution its a not currently possible, would be better if IPv6 existed as a feautre for PPPoE, I dont really understand why it doesn't given other brands have done this for years, It should also be added to the IPv6 compatibilty chart so people know about it.

tezza · ‎11-12-2014

Any word on this from Palo Alto???

tezza · ‎07-22-2014

That's perfect for a policy level but what about at Management Profile level for the interfaces.

tezza · ‎07-17-2014

Hi, Can anyone please tell me if there is a way to stop my PA from responding to ICMP type 13 and 14 timestamp requests/replies? Cheers

tezza · ‎07-16-2014

Also found this article if just so we get all the information in one post. Does PAN Device Support FIPS Mode? I must say I have had a good scan of the admin and global protect guides there is very little mentioned about FIPS, its not like it says oh by the way if you want you firewall to pass security audits you might want to enable FIPS. The bigger question is why doesn't Palo Alto firewalls with global protect enabled pass audits by default!

tezza · ‎07-16-2014

OK I can see what FIPS might fix the issue but why the heck do I need to reset the configuration of my firewall just to do it? Also why is this not enabled by default? I'm guessing it breaks some features, is this usual in other brands of firewall?

tezza · ‎07-15-2014

Hi, I would really like an answer to this considering this is supposed to be a security product in the first place and I see several people have already asked the question. We have just had a security audit completed by a third party, they highlighted 2 issues with the address that our global protect portal and gateway reside on. SSL server accepts connections that use: 1. Rivest Cipher RC4 2. Cipher-block chaining (CBC) mode I noted that these 2 are similar questions that dont really have an answer, one tries to answer it but I'm not sure what FIPS is and enabling it (How to Enable or Disable FIPS Mode) sounds like a nightmare considering according to this article it erases your config and puts you back to defaults? Qualys Scans SSL Weak CBC Mode Vulnerability Is there a good way to fix this, maybe someone can answer all three posts by answering mine!

tezza · ‎07-14-2014

Hi, I have been tasked with creating a report out of our Palo Alto firewall that shows the following. For a period of 1 month Users Hours\Sessions on a website Top 20 visited websites. Top 20 Categories. We are using the user agent so all the data should be there, I can see some of it but getting this into a format that easy to read for a CEO? Can someone please help me?

tezza · ‎06-19-2013

Can you please send me this document?

Member Since	‎10-22-2012 08:22 PM
Date Last Visited	‎10-06-2020 06:47 AM
Posts	25
Total Likes Received	3

Online Status	Offline
Date Last Visited	‎10-06-2020 06:47 AM

About tezza

Re: PAN-OS 8.1.0 SMB Issues

Re: Purge queued email?

Re: http-video and http-audio getting blocked with decryption enabled

Re: http-video and http-audio getting blocked with decryption enabled

http-video and http-audio getting blocked with decryption enabled

Re: ICMP Timestamps

Re: Feature Request

Re: Purge queued email?

Re: http-video and http-audio getting blocked with decryption enabled

Re: Global Protect HTTPS weakness - Help!

Re: ICMP Timestamps

Re: FQDN vs NetBIOS Domain Name

Re: PAN-OS 8.1.0 SMB Issues

Re: Purge queued email?

Re: http-video and http-audio getting blocked with decryption enabled

Re: http-video and http-audio getting blocked with decryption enabled

http-video and http-audio getting blocked with decryption enabled

Re: Feature Request

Re: IPv6 over PPPoE

Re: Global Protect HTTPS weakness - Help!

Re: ICMP Timestamps

ICMP Timestamps

Re: Global Protect HTTPS weakness - Help!

Re: Global Protect HTTPS weakness - Help!

Global Protect HTTPS weakness - Help!

How do I create a browsing report thats easy for a CEO to read...

Re: Setting Up PPPoE

Network Security

Cloud Security

Security Operations

About tezza