About jkim2

answers is depends. from a security standpoint i would recommend alert for all so you can correlate your traffic. Without URL logging you may only be able to get the DNS which doesnt' always resolve back correctly if its hosted . URL logging of all http/https traffic also helps with custom app-id creation and ips signature creation. As far as not logging social networking i would also advise against that as C2 / Command and Control traffic can go through social media . If your doing SSL decrypt on the box or in the network url category search engines can also reveal alot of info. Also by logging all traffic we've also identified non standard http traffic and the specfic URI From a performance standpoint obviously not recommended to log everything. ... View more

Also with 6.1 it has a session end reason enhancement in the logs ... View more

debug dataplane pool statistics will show you all kinds of hw and sw pools . Look for use / available . When your dataplane cpu spikes because of large packets you'll see the pools getting depleted. match that with a show running resource-monitor to see if it was related to cpu, session or packets ... View more

are all the ads being classifed as web-advertisement ? which app-id does it match if its web-browsing or ssl ? I ended up writing custom apps to just block the connection with no response . long list of digital ad companies http://www.aboutads.info/participating http://www.networkadvertising.org/choices A few of the highest ones i've seen doubleclick quantcast integralads openx doubleverify pubmatic tubemogul mediamind liverail scorecard research addthis ... View more

have your SE run a WF coverage report its much more comprehenisve similar to what you can do with a AVR ... View more

similar to the youtube thread. .. if you create an app-id it'll take precedence over the built in apps similar to if you create custom apps that are categorized as web-browsing they'll match the custom one ... View more

by creating a custom app-id it takes precedence over builtin apps. ... View more

To truly appreciate the capability of this box i would recommend logging and alerting everything then tune out false positive or severity . Below is based on 6.0 but 6.1 has some additional http fields it can log. easiest thing to do is use the gui to do a filter then write it down but its pretty simple once you get it going and replace the eq with a contains or neq for negate (you could also put a ! to negate the filter) geq  greater than or equal , leq less than or equal ,  (neq "") or (contains"")  for is present . You could also start with the ACC then move to the traffic logs once filters are setup. Each log (traffic, threat,url,datafilter etc..) can have their specfic syntax . Also the syntax may overlap with the custom reports but not always. The syntax also doesnt' match doesnt' match up 100% with the traffic filters. from traffic logs its : category-of-app eq media for example from a custom report to filter app category of media syntax is : category-of-name eq media same with sub categories subcategory-of-app eq photo-video in traffic logs , subcategory-of-name eq photo-video in custom reports The two mentioned also aren't available as a selectable attribute in the Add log filter gui You can also enter some attributes that are NOT available in the dropdown Some interesting filter examples in the traffic log 1. photo-video downloads greater than 100mb subcategory-of-app eq photo-video and bytes_received geg 100000000 2. bytes sent greater than 1mb to destination country no US bytes_sent geg 1000000 and dstloc neq US 3. filter for app category of media application NOT rtmp category-of-app eq media and app neq rtmp You can also nest multiple search terms 4. Any ip of from subnet 192.168.0.0/16 in source or dest , application is ssl and dest port is NOT 443 addr in 192.168.0.0/16 and app eq ssl and port.dst neq 443 5. looking for destination port 80 or 8080 that is not application web-browsing ((port.dst eq 80) or (port.dst eq 8080)) and app neq web-browsing Some interesting filter examples in the threat log If a device is managed by panorama there is a field 'URL' that shows up but this is actually additional info such as a file etc.. in the custom report the attribute value is 'misc' . Even if a device is not managed by the firewall you can filter for misc . In a detailed log view under 'threat detail' you'll also see the option of URL . In panorama you can simply look at the URL field in the threat logs 1. To see if a medium severity or higher threat has any value for url / misc severity geq medium and misc neq "" 2. Virus that matches smtp subtype eq virus and app eq smtp 3. threats that are not a virus that contains a .doc or .docx file name (only the data filtering logs lets  you filter by file type / threatid for a file so searching by file ext could provide some useful data) !(subtype eq virus) and ((misc contains .doc) or (misc contains .docx)) Some interesting filter examples in the URL log 1. find a url that partially matches vpn. url contains vpn. 2. category malware and application ssl or port 443 category eq malware and ((app eq ssl) or (port.dst.eq 443)) Now for some interesting filter examples in the Data Filtering 1. Findout if people are downloading pirated movie / tv shows via http . filename that contains hdtv (commonly used for illegal ripped hdtv shows), threatid eq 52104 (threat id to match file type mp4) More info http://en.wikipedia.org/wiki/Pirated_movie_release_types filename contains hdtv and threatid eq 52104 2. All file types PE that were not part of a software update category subcategory-of-app neq software-update and threatid eq 52060 ... View more

From CLI for dataplane show running resource-monitor shows specfic cpu load sampling by group - flow lookup, flow fastpath, flow slowpath, flow fwding etc... it can also be customized with a time interval show running resource-monitor hour last 12  (imo a bit easier to read) interval value can be set to second  minute, hour days week etc.. will provide last resource stats for every 1 hour for last 12 hour Average and Max value for each DP's CPU per core, session , packet buffer etc.. for mgmt plane show system resources follow        Session specfic info show session info  & show system statistics session ... View more

another option is to create a custom app-id that can identify the ssl certs (common name There are many options such as SSL-Req-Certificate , ssl-req-client-hello, ssl-rsp-cert-subjectpublickey, ssl-rsp-certicate, ssl-rsp-server-hello etc.. This will be more of a brute force approach blocking anything that matches the SSL SNI (Server name indication) For example to block Adap.tv (advertisement) user a custom pattern-match with context ssl-req-client-hello with a regex  :     .\.adap.\tv  this will match the client hello for any character going to .adap.tv for sites that use wildcards may be a bit more difficult but then you can block the entire Many of the built in apps also identify ssl applications such as facebook-video even though its not decrypted. ... View more

those are ok to test but most of the free ones really are not' comprehensive enough. I've actually had some customer use opendns (paid),  threatstop and others to get dns or other larger type block list. typically the block list are really useful if an organization has a large threat feed (govt / dod etc..) or an enterprise with a large SOC / security analysis / incident response team  that can actually manage the block list. Otherwise if you don't have the man power than use pan-db malware category(only as good as palo alto's threat feed) along with other threat feeds / security appliance / solutions etc for defense in depth. ... View more

if its a long session it won't log until the session closes so make sure log at session start & log at session end are both selected for the rule. Try this as well Go to the traffic logs and enable views for 'bytes sent' 'bytes received' , packets sent & packets received set the filter to 'bytes geg 10000000' will show you bytes uploads greater than 10mb unit is in bytes geq = greater than or equal leq = less than or equal you can also use 'bytes_sent geg 1000' or 'bytes_received geq'1000' this will show all traffic that had a bytes sent greater than 100kb you can also increase decrease and continue to filter down in the logs. This is how i detect large uploads or large downloads you can do the same with packet but bytes is easier imo. ... View more

also try google or ie development tool from the browser. They show a lot of info including timing ... View more