About SimasK

Our PA 4.1 has problems mapping entries received from user-ID agent and LDAP queries. show user ip-user-mapping command produces following output: 192.168.1.1 AD        grybai\vltr12345678 Here grybai is our NetBIOS domain name for domain and  vltr12345678 is sAMAccountName attribute of user object in LDAP. However command show user user-IDs (which shows information received by PA from LDAP queries) for the same user shows: tadas.blinda@grybaiagrupe.eu    vsys1   cn=b8710 users,ou=email,ou=groups,dc=corp,dc=grybaigroup,dc=eu where tadas.blinda@grybaiagrupe.eu is userPrincipalName attribute for the same user. During policy configuration PA web interface gives list of users in tadas.blinda@grybaiagrupe.eu , however such policy doesn't match traffic for that user. Policy with group also doesn't match traffic for that user. If add policy with grybai\vltr12345678 user (I have to manually type user name during policy configuration), it matches traffic for that user. LDAP server is configured as type active-directory, under "Group mapping settings" username field is configured as sAMAccountName (default). Tried to change that value with no lock. Any ideas how to fix it? ... View more

I made a quite shocking discovery about PA and how it inspects SSL encrypted traffic. Please correct me if I'm wrong. 1. To allow simple HTTPS web browsing traffic it isn't enough to allow "web-browsing" application in the policy, you must to allow "SSL" application as well, otherwise only HTTP browsing will work, but not HTTPS. 2. All non-HTTP traffic which is encrypted with SLL, but PA hasn't application signature for it (in other words cannot classify it to any known application), is classified as SSL. This means, that if you allow HTTPS browsing you also allow all other SSL encrypted traffic for which PA cannot recognize, (it means any application, which isn't very popular and is using SSL can bypass PA security). So far I couldn't find any way how to allow HTTPS browsing and block unclassified SSL traffic at the same time. I attached screenshot with my logs, where.unrecognized SSL traffic is permitted along with HTTPS traffic and nothing can be done to prevent it. : ... View more

I'm trying to create case insensitive regexp for data filtering, however couldn't find any standard regexp way which would work. Also when I tried to workaround and created following data pattern [Vv][Ii][Dd][Ii][Nn][Ii][Aa][Mn] (which is perfectly valid regexp in my opinion)  I received data-object-patter-validation error. Any suggestions how to do it ? ... View more

I configured PA to use my outside interface (192.168.128.61) for update checking (not management interface), after it I noticed strange arp behaiviour from PA: 00:14:40.540937 arp who-has 67.192.236.252 tell 192.168.128.61 PA tries to locate update server by making arp request to it, like it has no default gw configured. Default gw is configured on the only virtual router on the device (outside interface belongs to this vr) Could anyone explain which routing table PA is using in this case and how to configure it, because it seems it doesn't use routing-table of the virtual router. In this topology updates are working because proxy-arp is enabled on the default router, however how PA will behave if I'll disable proxy arp ? ... View more