About networkadmin

Curiously our 3020 running 7.1.7 has absolutel crapped itself today.   It could be coincidence but it's been fine for the past six months.   We're on 708-4066 as of now. ... View more

I meant to post this link https://live.paloaltonetworks.com/t5/Featured-Articles/Tips-amp-Tricks-Cipher-suite-enforcement-in-decryption-rules/ta-p/74291   I guess I'm not sure how a decryption profile interacts to force the traffic to something that can be decrypted. ... View more

Right now all we have is our PAN ... View more

@Brandon_Wertz wrote:  I'm getting confused by what you're saying you're trying to do and how you're creating a policy to accomplish that.   You said you created a security policy with ANY source / dest / application.  That uses service http/https.   What I'm curious about is are you using a custom URL object within the security policy on the "services" tab, or are you using a URL profile with the custom URL object you're referring to?   Since you've got an any / any /any rule it's natural for the other traffic to match this rule.  It's only until the domain matching occurs that traffic would transition to a different rule in your firewall.  All that other "random stuff" you reference is occurring over ports 80 and 443 so it initially matches. Thanks for the reply and hopefully this will clarify.   I'm adding the URL category to the Service/URL category tab on the security policy rule. ... View more

@Brandon_Wertz wrote: @networkadmin wrote: ...if I add a URL category and create a rule at the top of my ruleset that allow source "any" to destination "any" with service-http, service-https and application "any", and add the URL category that contans the domains above, I seem to see a lot of matches that I wouldn't expect to, as if other traffic is hitting them.   Feels like I've overlooked something daft... thanks!     How are you "adding the URL categpry?"  Are you adding it in the security policy or in a URL profile? Trying on the security policy as if I try adding on a URL profile it would have the effect of blocking everything else. ... View more

Thanks but that doesn't work, I guess Sophos Central isn't quite the same app.     Using the URL filter on a rule that only applies to my own PC I'm seeing Dropbox and other random stuff match the rule.   Tbh I didn't expect that something that on paper looks so simple would prove so difficult for a Palo Alto box. ... View more

Thanks, one concern/query I do have is how people are using minemeld given there seems to be total of 50,000 entries maximum across all EBLs?   I don't know the count on the ProofPoint feed for example but I could imagine things being quite large.   Also (and I'm hoping to speak to ProofPoint) does anyone know if there is masses more on their commercial feed than the open source one?   I ask as I believe the ET Pro subscription inclues a ton of suricata/snort rules which we cannot use with our PAN, so essentially the only piece we'd be using is the EBL content via minemeld.   Thanks ... View more

OK thanks, is there any easy and supported way to combine everything across a single physical link between the switch and the PAN?   Essentially I would have: L3 interface/subinterface between PAN and switch L2 interface to inspect   I'm guessing L2 and L3 cannot be mixed on the same physical interfacel which makes sense and hopefully the topology will be changing fairly soon to accomodate this so we don't need to be doing it at all. ... View more