About CRDF18

thanks Mayur that is the same conclusion i came to so i have just been tweaking it in recent weeks ... View more

im in the same boat, but cant see much out there for best practises. I noticed we still get port scanned a bit so keen to try and minimise this as much as possible ... View more

FYI   The zone protection profile didnt do much and the 2 rules i put in to allow approved applications (panos-web-interface, panos-global-protect etc) then a deny rule just under the allow rule for applications like ping, telnet and web-browsing.    It seemed like this may have increased the amount of alerts i was getting, so today i disabled the allow rule and then created a separate rule, under the deny applications rule, to deny any application but only for port 80, this was because in our threat logs the alerts for outside to outside were for port 80 but it was saying the incomplete application.    I have tested VPN gateway and portal access and all seems to be OK, so i will give it a few days to see if it has cut down on the alerts/attempts. Ive already seen a lot of things being blocked thanks to the deny on port 80 so i am feeling confident on this.   Thanks for your help ... View more

I think i will have to do the something similar. I need to apply zone protection profile and also create one allow intrazone rule with the likes of panos applications but also with other applications such as ipsec-esp-udp for our VPN tunnels and then follow it up with a deny rule ... View more

Hi    We dont specifically have a rule allowing or denying the gateway traffic so that was the confusing thing ... View more