About Demast

Thank you, I will give it a try and see what happens. ... View more

I am a little confused.  You said you didn't need to modify anything to get it working but you also said you can't decrypt this traffic.  Do you mean that you did needed to add to the no-decrypt URLs as per the article for the regular windows updates but after that you did not need to do anything else for windows insider updates?   You are right, we are early in the outgoing on 443 decryption so it is not yet widespread, and also most windows workstations and servers do get central updates.  We are on all Windows 10 if it makes a difference, I have read some things saying it might get updates differently or from a different place.  I was hoping I would not need to add decrypt exceptions for windows since some exist by default, but if needed I will add exceptions.   Thanks! ... View more

Just curious, but do you know if the normal Windows update sites need to have SSL decryption exceptions in order to work with PAN-OS 8.0?   ... View more

I don't know in great detail about how it works, but I suspect it probably works differently.  Normal windows downloads the updates - Insider updates download the build updates to upgrade to the next build.  I believe this is more like an image then an update package. ... View more

I am not 100% certain what it is monitoring in regards to CPU, but it does show 2 CPU entries.  One does seem to correspond to the management plane and one to the data plane.  I don't expect it would show any spikes since they are super short it would not likley witness them when polling the current usage.    Whenever I log in to the PA management page, I check the dataplane CPU on the dashboard page and it also is always below 30%.  Whatever is happening is likely very brief.  Here are the last seven days:   Resource monitoring sampling data (per day): CPU load (%) during last 7 days: core    0       1       2       3       4       5       6       7      avg max avg max avg max avg max avg max avg max avg max avg max        *   *   7  84   8  84  10  85  10  84  14  93  14  93  14  93        *   *   8 100  10 100  12 100  12 100  17 100  17 100  16 100        *   *   2  99   4 100   3  99   3  99   4  99   4 100   4  99        *   *   1  89   3  90   2  89   2  89   2  89   2  89   2  89        *   *   1  87   3  87   2  87   2  87   3  87   3  87   3  87        *   *   2  94   4  94   3  95   3  94   5  94   5  94   5  94        *   *   3  99   5  99   6  99   6  99   8  99   8  99   8  99 core    8       9      10      11      avg max avg max avg max avg max       14  93  14  93  14  93   8  84       16 100  16 100  16 100   9 100        4  99   4  99   4  99   2  99        2  89   2  89   2  89   1  89        3  87   3  87   3  87   1  87        5  94   4  94   4  94   2  94        8  99   8  99   8  99   4  99   ... View more

Apps themselves have the risk rating, so SMTP has a risk of 5.  If you go to the applipedia (https://applipedia.paloaltonetworks.com/) you can check out the apps and their associated risk level. ... View more

Thanks for the input.  I suppose anywhere else I have it, I can have isolated pockets of OSFP and since they're isolated, each one can have their own area 0 since I don't forsee us switching to OSFP overall. ... View more

Fast response from PA supprt: On November 30th, a video was posted by the owner of the NetSecVulns YouTube channel titled "666 different ways to bypass palo alto networks in 6 minutes”.   In the first video, posted Nov 30th, NetSecVulns sets up a lab with a Windows XP SP2 victim and the Stonesoft Evader tool configured to use the Conficker attack and a Palo Alto Networks Next-Generation Firewall in Layer 3 mode placed in between 2 endpoints. Great pains are made to show that our firewall is configured using our Best Practices configuration document. Once the Evader tool completes its run, the administrator shows that our firewall missed 666 evasion attempts.    In reality, NetSecVulns skipped step 4 in our Best Practices document: creation of an unknown application block rule. This can be verified in the video (at 2:20) where we see a single allow rule instead of the expected 2 rules with the first one dropping unknown applications. Later in the video, at 4:31 and 5:49, it shows the "threat logs”, carefully avoiding "traffic logs" where we would have seen unknown-tcp sessions allowed through.   After running this test in our own lab on PAN-OS 7.0.3, and correctly following the same Best Practices document, we verified that we block 100% of the 204,090 evasion attempts. Also note that this test is performed by our internal QA team for each PAN-OS major and minor feature release.   On Dec 3 rd , NetSecVulns posted a new video, correcting the "step 4" error. However once again they did not follow all steps in the Best Practices document, rendering the test inaccurate and misleading. ... View more

In an Active/Passive device pair NOT managed by panorama, would the flag be synchronized between devices? ... View more

Thanks kadak!  I will add my vote to the FR. ... View more