spolo wrote: If it's still failing you may want to call support or open a case via the web on this one.  Here's a couple of CLI commands that may help you diagnose: First, initiate the url database download: > request url-filtering upgrade brightcloud Now check the download log: > tail follow yes mp-log pan_bc_download.log If it helps you, I checked from one of our boxes in Europe and it's having trouble also.  That box does resolve to a different IP than we do here in the US, so not sure if it's something localized or not.  I don't have a lot of time to open a case with support on this right now, but it does warrant further investigation. Hope this helps! Seems to have come good this morning - maybe Brightcloud were having an issue. Thanks anyway ... View more

bhavin_bhatt wrote: Hi, I just came across something quite interesting. A user needs to be able to translate a decent url, but by default translation is blocked by PaloAlto. Once you configure PaloAlto to allow translation, you can actually go into google translate, and translate an adult website into another language and view it within Google translate's page. My question is, i have blocked adult-and-pornography, why can i get to a dirty website, shouldn't palo pick that up. please advice, as one of the users needs translation allowed, but what i explained above is just one of the exploit... cheers Bhavin Simple - because *you* are not going to the dirty web site - Google translate is. You're hitting the Google translate page, and by your own admission you've configured the PA to allow access to it. The PA is doing exactly what it's supposed to - allowing access to the translate page. Think of it as visiting the adult page by proxy. Cheers ... View more

Ronaldgoh wrote: hi i noticed that in some "critical", "high" and "medium" severity vulnerabilities, the default action is just "alert"... especially those brute-force attempts. at the moment, our system is set for default to take care of these.  however, i remember a thread here advising to set the action to "block" for medium severity on the server side vulnerabilities...  is it safe to set action to "block" for "critical", "high" and "medium" severity for server side?  will this break applications? thanks! rgds, - ron If you raise your level to "block" and the threat is detected the firewall will, as the name suggests, block the traffic from transitting. Now, if you're 100% sure the threats being detected are valid, then I suggest you might want to block them. If, however, you're worried about false positives - then don't. The block action may well break soemthing, especially if it triggers a positive threat detection when it's not really a threat. "Alert" is good if you have time to sit and watch threat logs, and can get on top of reported threats immediately - if you're like msot people and DON'T have this time, then block is a good option. Depends how paranoid you are, and how critical potentially blocking a valid action might be. Cheers ... View more

exertum wrote: Hello dagibbs, Did you already perform your intervention (update sslvpn client software for 1.2.0 to 1.3.0)? If yes, did you faced to any issue? Thanks a lot for your help. KR, Benjamin Benjamin. No, I haven't actually been allowed to do this yet - my change management department is giving me fits, and to be honest I've had more important things to deal with, so this has been put on the back-burner. If I do it successfully, I'll post an addendum to this message chain. Cheers ... View more

bdaussin wrote: The root cause of this issue starts becoming more accurate : When an anonymous event comes from a user PC to the DC ( which has already been recognized by the AD agent ), here is the behaviour : With DC2003, the AD agent get the field "sesi10_username" with an empty value, which has no effect on the Pan Agent. With DC2008R2, the AD agent get the field "sesi10_username" with the value ANONYMOUS LOGON, which cause the PAN agent to overwrite the previous UserID-IP identification. So, how to turn around this issue ? Is there a way on the agent to ignore ANONYMOUS LOGON ? Thanks for your help. In the Palo Alto agent directory, create a file called "ignore_user_list.txt" Add your "ANONYMOUS LOGON" to this file - you may need to put it in quotes, like I jsut did, as there is a space in the username. See if this works. Cheers! ... View more

Marct wrote: The upgrade should be automatic, I think I remember reading that you may need to clear the java cache if the update fails. This is the known issu about netconnect in the release notes [21601] NetConnect may not upgrade properly from 1.1.x to 1.2 without clearing the Java cache. Regards Marc Well, I'm planning to go from 1.2 to 1.3, so I guess I'll just have to suck it and see. Thanks. ... View more

bpappas wrote: @dagibbs: I have researched the question that you brought up and you should be able to delete the software image on the active partition even if it is the installed version on the revert partition. If you cannot, please open a case with the PAN Tech Support team. Thank you, Benjamin Benjamin. Have now done so. Thank you for your input. ... View more

mario.chancay wrote: Hi, will like to understand the oppinion from the PAN community about the features that are still missing or needs to be improved. Will appreciate if you can specify by functionality like : FIREWALL Must Have : A,B,C Nice to Have : D,E,F Thks Mario Documentation, Documentation, Documentation. Without being too blunt, the documentation stinks. It needs cleared explainations, better grammar, and real-world examples instead of useless classroom types so people can sort things out without running to support. if you want examples, look at how Cisco do it. Support, Support, Support. I've had a discussion recently with my "suport partner" regarding the responses (or lack of them) from PA with respect to support calls (seriously, more than 6 weeks ona bug report, and three uploads of tech-support and logs to be told "it's not going to be fixed in this software series, upgrade to 4.x"? Come on!). ... View more

networkadmin wrote: I'd be interested in any feedback on the major benefits in going from 3.x to 4.x as well. Frankly I think Palo Alto have scored a bit of an own goal in bringing out a major OS release but doing a pretty poor job of actually telling their customers a) the benefits of upgrading and b) on what basis they should upgrade. Let me clarify that a little.  Right now, I have a box running 3.1.8.  As far as I'm aware there is no document anywhere that says "If you have a PA-500 the current recommended release of PAN-OS is xxx" so it's left for me to "somehow" figure out which version of PAN-OS I should be running.  So far as 4.x, the feedback and vibe I get from here is very non-committal and to me it almost comes across as if 4.x is still some sort of beta and isn't actually recommended for production unless you really need something it offers that 3.x doesn't have. I'm with you on this one - given what I've seen on the forums, I'm not upgrading to the 4.x series until I'm well convinced it's actually stable without introducing more bugs! Unfortunately, this means I have to live with an annoying, but non critical bug with HA synchronisation on 3.1.x - occasionally (it can be once a day, or once every 3 weeks), the "Cert and Block" pages get out of synchronisaton between the active and passive partners in the HA cluster - PA's response to my bug report/trouble ticket "It's a known bug in 3.1.x which is not going to be fixed. Upgrade to the 4.x series". Not impressed, but will NOT be upgrading until I see better comments from people here than I have so far! ... View more

psi0n wrote: Hi, yes CP was enabled. i disabled the CP Rule and disabled also the User Auth Rule, but the error is already there. on my external interface i'm not be able to see the webserver. it looks like a binding problem. in the l3svc-error.log are the following lines: default:2 main  Configuration for PanWeb Server    default:2 main  --------------------------------------------    default:2 main  Host:               CTINFPA01    default:2 main  CPU:                mips64    default:2 main  OS:                 LINUX    default:2 main  Distribution:       unknown Unknown    default:2 main  OS:                 LINUX    default:2 main  Version:            2.4.0.0    default:2 main  BuildType:          RELEASE    default:2 main  Started at:         Mon May  9 22:55:39 2011    default:2 main  Log rotation count: 0    default:2 main  --------------------------------------------    default:0 main  In mprPanEspInit()    default:0 main  In PanEspModule()    default:0 main  In mprPanMgmtInit()    default:0 main  In PanMgmtModule()    default:0 main  SSL: Need to get private key for /webserver from cryptod    default:0 main  SSL: Try# 1 to get key for web_certificate_key from cryptod    default:0 main  pclose returned 0 with errno 0 which is an error    default:0 main  Got key for web_certificate_key from cryptod I hope this could help to find the problem regards, markus Did you either generate a self-signed SSL key or import a matching key for the hsotname from a valid external certificate authority for the VPN? Sounds like you simply don;t have an SSL key bound to the VPN properly. Under the SSL VPN configuration, do you have a certificate selected? Cheers. ... View more