About ssancho

ssancho · ‎05-12-2016

Hi all, do you know if it is possible to use the syslog parser to obtain device information (for instance Operating system) and use this info in security rules?. I am using the syslog parser to obtain the IP-User mapping and it works perfectly, now I would like to obtain more info from the log. I know that the device info is available if you use GlobalProtect and HIP profiles but I would like to have this feature without install globalprotect (I am thinking in Wifi devices) Is there any possibility? Many thanks Samuel

ssancho · ‎09-22-2015

Hi, not exactly. What I mean is that, when you configured a SSL decryptcion policy, is there any hardware chip insdie the PA-3020 or PA3050 that do the job to decrypt the traffic?, or all decryption is done by software?. If you only wants to decrypt some traffic (and not all), as I understand, it is not necesary to install a decryption device because the firewall can decrypt the traffic directly. Many thanks for your reply Best regards Samuel

ssancho · ‎09-22-2015

Hi, anybody knows if PA3020 and PA3050 has a dedicated hardware for SSL Decryption?. I saw a document a few years ago where you can see that some Palo Altos has a dedicated chip for SSL decryption but I could not find it again and I do not see if PA3020 and PA3050 has the hardware or not. Many thanks for your help Best regards Samuel

ssancho · ‎05-10-2012

Two things: -I can confirm to you that PA 2020 and PA2050 has the same commit times than PA-500. This week about 8 or 9 minutes in PA-2050 for each commit. -thanks jfitz-gerald for your help but what about the origin of this topic?, could it be posible to disable shadow rules check, could it be one of the reasons for this commit times?. We know that the time depends on the size of configuration, logging, number of objects and number of rules, but often this configurations are necesary and the perception of client is a very slow system. Thanks Samuel

ssancho · ‎05-10-2012

Hi, regarding of the desperately slow commits in PA specially with a large number of rules and object. From our experiencie in other systems the rule shadow check is a very high CPU feature. It's sure that PA do a rule shadow and this it's in concordance with the fact that as much rules and objects you have more slow is the commit (more combinations to check) So, could it be possible to have a check before commit to have the option of no use rule shadow?. Imagine that you are change only the name of object, probably you do not need check the shadows and I suppose the commit will be faster. Anyone from PA could have the answer?? Thank you in advance. Samuel

ssancho · ‎04-09-2012

Yes, you have to enable User Identification, not only for identify your users in Inside but to enable VPN on Outside, it is mandatory. Regards Samuel

ssancho · ‎02-15-2012

Thanks, that is what I needed. Regards

ssancho · ‎02-03-2012

Hi, if I configure VPN authentication with client certificate, it will be necesary to enter password?. I don't know if with client certificate you don't need user and password as I've seen in other scenarios. Reading documentation from Palo Alto seems that you will need only password (the name autofill with certificate), but I'm not completely sure. Thank you in advance Samuel

ssancho · ‎12-23-2011

Hi, I'm using PAN OS 4.1.1 and I'm testing pan-agent and user-id agent. Actually I don't know how to delete my old user-group mappings. In CLI I type show user user-IDs and I see all the users, what I had with pan-agent and an old Active Directory and the new ones with User-IDs and new Active Directory. How could I delete the old ones?? Thank you in advance. Samuel

ssancho · ‎12-22-2011

Hi, thanks for your reply. I supossed that, but the strange think is that I can select my groups in security policy but not in allow list of authentication Profile. Do I need to configure LDAP profile to have user-group mappings in allow list of Authentication Profile?. It seems strange to have groups in policies without LDAP profile and need it to use groups in Authentication Profile. EDIT: Hi, I've configured LDAP server profile and install User-ID (not pan-agent) in domain controller. All seems to work fine, I can create policies with users and make the filter of groups in firewall (Device, User Identification, Group Mappings), BUT I cannot select the active directory groups in Authentication Profile. How could I filter the users of Active Directory that can login in captive portal?, at the moment I only can select my local users. Thanks Samuel

ssancho · ‎12-19-2011

Hi, I've PA-500 with 4.1.1 and I've configured Captive Portal with AD Authentication. Pan-agenty seems to work fine and I can select the AD groups when I configure Securtiy Policy. I've created an authentication profile only for Captive Portal with Kerberos authentication and my Domain controller as Server profile but I cannot see the groups in allow list, only can see local users. Although with all in allow list, Captive Portal authentication works fine I'm not sure if I need to configure Group Mappings but as I've read in Administrator Guide of 4.1 group mapping is configured as LDAP server, is it correct?, do I need to configure Group mapping only to have my AD groups in allow list of authentication Profile?. Thank you in advance. Samuel

ssancho · ‎11-16-2011

Thanks savasarala. It works REgards

ssancho · ‎11-03-2011

Hi, as I've readed in release notes of 4.1 there is a new feature to use URL category in Security policies, Qos and Captive Portal but I've updated to 4.1 my PA-500 and I don't see where to configure this in security policies. Anyone has tested this feature? Thank you in advance Samuel

ssancho · ‎09-28-2011

Hi, you need SSL Proxy to unencrypt SSL and analize the traffic. It is very easy to implement. Regards

ssancho · ‎07-04-2011

Hi all, and thanks for your answers. Yes, I'm asking why some Palo Alto firewalls show on Spec Sheets that IPS throughput is 1/2 than firewall throughput. I could understand that with IPS activated the performance is reduced but, for instance PA 4020 has 2Gbps of throughput and 2Gbps of threat prevention and PA4050 has 10Gbps and 5Gbps. Thats it's mean that you have to select the appropiate hardware thinking in Threath prevention throughput instead of firewall throughput?. Thank you in advance Regards Samuel

Member Since	‎11-25-2010 06:33 AM
Date Last Visited	‎03-28-2018 10:40 AM
Posts	21
Total Likes Received	1

Online Status	Offline
Date Last Visited	‎03-28-2018 10:40 AM

About ssancho

Syslog parser

Re: SSL Decryption, ¿hardware or software?

SSL Decryption, ¿hardware or software?

Re: Possible solution to slow commit

Possible solution to slow commit

Possible solution to slow commit

Re: Syslog parser

Syslog parser

Re: SSL Decryption, ¿hardware or software?

SSL Decryption, ¿hardware or software?

Re: Possible solution to slow commit

Possible solution to slow commit

Re: Warning: Zone 'Untrust' does not have 'enable-user-identification' turned on for globalprotect gateway 'tunnel'

Re: VPN Authetication with client certificate

VPN Authetication with client certificate

PAN OS 4.1.1. How to delete user-group mapping

Re: Captive Portal Authentication

Captive Portal Authentication

Re: URL Category in Match Criteria. Release 4.1

URL Category in Match Criteria. Release 4.1

Re: SSL Sites bypass URL Category block

Re: Why IPS throughput is 1/2 than firewall throughput?

Network Security

Cloud Security

Security Operations

About ssancho