About GavinPalmer

Hi guys,   Strange issue here which I'm hopeing to get resolved.  I was SSH'ed into the our PA VM-100 today and happened to run the command >ping host 8.8.8.8.  This resulted in 100% (DUP!) replies on the ICMP replies.  However, when I specify the source and host I dont get this issue.   Any ideas why this could be happening?   Thanks   ... View more

We are looking to implement QoS on our Palo Alto device for our voice traffic. We are currently tagging voice traffic with DSCP 46(ef). This is done at the source using Windows group policy to tag all traffic that originates from application "lync.exe". We can see the traffic is definitely being tagged by performing a pcap at different points in the network. We want to make sure that the Palo Alto firewall is honoring this DSCP marking and prioritizing the traffic over everything else. So a few questions to that end are: 1) Setting the DSCP marking in a security policy, is this only marking the traffic? Is it mandatory for QoS to function since we are already marking the traffic using Windows GPO? I think this isnt required. 2) Does the Palo Alto firewall ONLY prioritize traffic that traverses from one zone to another? 3) Can I use the default QoS profile? Thanks all. ... View more

Ok I'm pretty sure this has been covered elsewhere however I cannot find anything on it.  Let me give you some background on the config:  Currently using software version 6.0.5 SSL decryption in operation Trust to Untrust traffic flow direction Ok so I have a rule called "Trust Web Traffic".  This rule allows any trust user to any untrust destination for applications "dns, google-analytics, ssl and web-browsing".  While SSL decryption is turned on for my user account, and I then navigate to www.google.com I get an application blocked.  I believe this is happening because google redirects the traffic to port 443.  In the monitor tab I can see the traffic first appear as port 80 web-browsing THEN change to port 443 ALSO web-browsing.  Since this is a non standard port for the application "web-browsing" the traffic is denied. What is the solution here?  I already know if I change the service to ANY it will work however this leaves this rule allowing any protocol for that application which I dont want to do.  I've also been told creating a custom app could be the way to go.  But seriously google search should be covered in Palo Alto Applipedia. What is the solution here?  While still keeping the rule explicit to the application-default. Thanks ... View more

I was wondering if someone could enlighten me on how to replicate the Mapped IP functionality from Juniper SSG to Palo Alto. We have a number of services on our current Juniper SSG.  The way we firewall these services is using MIP's on the Untrust Zone then the traffic passing from Untrust to Trust using standard juniper policies.  I was playing around with the Palo Alto and it seems its as easy as setting up an address on the Untrust Zone and Trust Zone.  Then allowing the traffic based on the App-ID.  Can someone explain this to me please? Apologies for the noob question.  But gotta start somewhere eh? Cheers ... View more