Though the communication is constant, there is very little bandwidth used for the traffic between the Palo Alto Networks firewall and the User-ID Agent or PAN-Agent. The summary below indicates the frequency of various queries. Every 2 seconds: get new user/IP mapping from the agent. Used to retrieve new user/IP
Cisco’s news at this year’s RSA Conference is the unveiling of SecureX. Cisco itself describes this next-generation security architecture as “complicated” in that it includes new scanning elements, policy language and enforcement capabilities (endpoint control, presumably), all aimed at improving security in a broader range of contexts. While Cisco admits these context-aware scanning elements are “completely independent of the architecture”, the company is only talking about embedding them into its line of ASA firewalls. Is that a roundabout way of answering enterprises’ call for a next-generation firewall?
AD Group Policy Overview Active Directory Group Policy allows you to manage your network from on high, governing how your users and computers operate within your AD environment. Policy settings can be created to target the logged-in user or the computer, and a variety of settings that can be
Overview This document is intended to give simple tips to help in configuring a Juniper to Palo Alto Networks VPN. In this sample configuration, a Juniper SRX firewall is using a route-based VPN configuration terminating at a Palo Alto Networks firewall. Tips IPSEC Proxy IDs The VPN will come up
Palo Alto Networks is a brash security vendor that believes it’s playing the role of disruptor in the staid security market with its high-performance, multifunction firewalls. Competitors have dismissed the upstart as having little room to expand features and functionality beyond its core value proposition. The answer: take on complementary partners that round out the features and functionality of a firewall.
Palo Alto Networks Next-Generation Firewalls have several security features built in to prevent various types of hacking attempts. When detected, these packets are dropped by default and are not logged in traffic or threat logs. Viewing Global Counters Global counters indicate when traffic has been dropped by these security features.
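Because these drops never reach the traffic or threat logs, the global counters are often the only evidence that a packet-based protection fired. The script below is an added example, not code from the original article: it parses the counter table and surfaces only the counters with severity `drop` that have moved since the last sampling. The sample output is constructed and only approximates the column layout of `show counter global filter delta yes`; the counter names, values and descriptions are invented for illustration.

```python
import re

# Constructed sample output, approximating the column layout of the PAN-OS CLI
# command `show counter global filter delta yes` (assumption: seven columns in
# this order; the names, values and descriptions below are invented).
SAMPLE_OUTPUT = """\
Global counters:
Elapsed time since last sampling: 30.123 seconds

name                                   value     rate severity  category  aspect    description
--------------------------------------------------------------------------------
pkt_recv                              184213     6114 info      packet    pktproc   Packets received
session_allocated                        912       30 info      session   resource  Sessions allocated
flow_policy_deny                          41        1 drop      flow      session   Session setup: denied by policy
flow_tcp_non_syn_drop                     17        0 drop      flow      session   Packets dropped: non-SYN TCP without session match
flow_fwd_l3_ttl_zero                       3        0 drop      flow      forward   Packets dropped: IP TTL reaches zero
flow_ipfrag_recv                           8        0 info      flow      ipfrag    IP fragments received
--------------------------------------------------------------------------------
Total counters shown: 6
"""

# One counter row: name, value, rate, severity, category, aspect, free-text description.
# Header, rule and "Total counters" lines do not have two integer columns and are skipped.
ROW = re.compile(r"^(\S+)\s+(\d+)\s+(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(.+?)\s*$")


def parse_counters(text):
    """Turn the CLI table into a list of dicts, one per counter row."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        name, value, rate, severity, category, aspect, desc = m.groups()
        rows.append({"name": name, "value": int(value), "rate": int(rate),
                     "severity": severity, "category": category,
                     "aspect": aspect, "description": desc})
    return rows


def drop_counters(rows, min_value=1):
    """Counters with severity 'drop' that incremented at least min_value, largest first."""
    hits = [r for r in rows if r["severity"] == "drop" and r["value"] >= min_value]
    return sorted(hits, key=lambda r: r["value"], reverse=True)


def summarize(text):
    """(name, value, description) for every drop counter in the sampled output."""
    return [(r["name"], r["value"], r["description"])
            for r in drop_counters(parse_counters(text))]


if __name__ == "__main__":
    for name, value, desc in summarize(SAMPLE_OUTPUT):
        print(f"{value:>8}  {name:<28} {desc}")
```

Run it against two consecutive samplings taken while reproducing the blocked traffic and the counter that keeps climbing names the feature doing the dropping; the `delta yes` filter is what makes a single sampling meaningful.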
PAN-OS has two predefined services, service-http and service-https. To migrate easily from NetScreen/Juniper security policies that use their predefined services, run (copy and paste) the following commands in CLI configuration mode and use the resulting services in security policy configuration. Note: Some service names are not exactly the same as the ones used
Last Friday was the annual Data Privacy Day, held to raise awareness about data privacy issues among consumers, organizations, and government. A key piece of online data is information about a user’s location. While location information has enabled the delivery of interesting services, it has also raised security concerns. Social media applications allow users to share their location with friends and businesses that provide value-added services. But at the same time, they expose users to serious security issues such as the ones on PleaseRobMe.com and ICanStalkYou.com. Recently, concerns were raised by …
Overview Panorama saves a backup of every committed configuration from each device it manages. In addition, Panorama saves copies of its own committed configurations. To facilitate off-box backup requirements, the system supports a method to regularly export these backups to an external data store. This document describes the steps to
This week, Facebook announced HTTPS support for all communication between its servers and end users’ web browsers. This is the right thing for Facebook to do in light of recent proof that session hijacking of Web 2.0 applications is both easy and increasingly common with tools like Firesheep. While HTTPS is not yet on by default (users have to specify HTTPS in the Facebook URL), that is the stated intention. Note that Gmail went to default HTTPS a year ago. Both of these moves highlight an important trend – applications …
In our content updates over the last two weeks, we included App-IDs for 8 new applications – 3 of which are very interesting to me, as evidence for the continued movement towards browser-based filesharing, and another as proof of the increasingly common user expectation that personal digital content should be available everywhere – including at the office.
Set the interface in the applicable OSPF Area and check the box marked Passive. Routing updates will be accepted but not sent and no adjacencies will be formed. If an interface is edited and changed to passive mode, all existing adjacencies will be dropped.
Overview The Palo Alto Networks device supports anti-virus scanning for the following applications: ftp, http, https (if SSL decryption is enabled), imap, pop3, smb and SMBv2. Note: file blocking is also supported for SMBv2. However, there is a limitation when multiple files are sent at the same time. Because SMBv2 sends
Is the firewall obsolete? Probably not, but current implementations were never designed to cope with the threats posed by Webmail, various social networking tools, and even popular corporate collaboration applications like SharePoint and WebEx.
Overview This document describes the steps to configure admin authentication with a Windows 2008 RADIUS server. The prerequisites for this configuration are: L3 connectivity from the management interface or service route of the device to the RADIUS server. A Windows 2008 server that can validate domain accounts. Steps Part 1:
Health care providers are an interesting situation with regard to network security. Like many industries, they’re dealing with rapid technological change in the face of a variety of regulations – in the U.S. health care industry it’s HIPAA and HITECH, and PCI – focused on the portability, security and privacy of PHI and the security of patients’ credit card data, respectively. At the same time, their users are adopting many of the same high-risk, high-reward applications that users in other industries are adopting. The problem, as in most industries, is …
Details NAT traversal is required when address translation is performed after encryption. With this option enabled, the firewall will encapsulate IPSEC traffic in UDP packets allowing the next device over to apply address translation to the UDP packet's IP headers. Note: Encapsulating IPSEC in UDP is likely to require an
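Once both peers agree on NAT traversal, IKE and ESP share UDP port 4500, so the receiver has to tell them apart by looking at the payload: IKE messages are prefixed with a four-byte zero "non-ESP marker", ESP packets start with their SPI (SPI 0 is reserved, so the two cannot collide), and a single 0xFF byte is a NAT keepalive (RFC 3948). The following is an added example, not code from the original article, that builds and demultiplexes these three payload types; the SPI, sequence number and message bytes are constructed.

```python
import struct

NAT_T_PORT = 4500                       # IKE and ESP share this port after NAT-T is negotiated
UDP_HEADER_LEN = 8                      # per-packet overhead NAT-T adds over plain ESP-in-IP
NON_ESP_MARKER = b"\x00\x00\x00\x00"    # prefixes IKE messages on 4500 (RFC 3948 section 2.2)
NAT_KEEPALIVE = b"\xff"                 # one-byte keepalive (RFC 3948 section 2.3)
ESP_HEADER_LEN = 8                      # SPI (4 bytes) + sequence number (4 bytes)


def encapsulate_esp(spi, seq, esp_body):
    """UDP/4500 payload carrying an ESP packet: the ESP header comes first.
    SPI 0 is reserved, which is what keeps ESP distinguishable from the marker."""
    if spi == 0:
        raise ValueError("SPI 0 is reserved and would be mistaken for the non-ESP marker")
    return struct.pack("!II", spi, seq) + esp_body


def encapsulate_ike(ike_message):
    """UDP/4500 payload carrying an IKE message: four zero bytes, then the IKE header."""
    return NON_ESP_MARKER + ike_message


def classify(payload):
    """Demultiplex a UDP/4500 payload the way a NAT-T peer does on receipt."""
    if payload == NAT_KEEPALIVE:
        return "keepalive"
    if len(payload) < ESP_HEADER_LEN:   # too short for either an ESP header or marker + IKE
        return "invalid"
    if payload[:4] == NON_ESP_MARKER:
        return "ike"
    return "esp"


def decapsulate(payload):
    """Return (kind, details): ESP SPI/sequence/body, the raw IKE message, or None."""
    kind = classify(payload)
    if kind == "esp":
        spi, seq = struct.unpack("!II", payload[:ESP_HEADER_LEN])
        return kind, {"spi": spi, "seq": seq, "body": payload[ESP_HEADER_LEN:]}
    if kind == "ike":
        return kind, {"ike": payload[len(NON_ESP_MARKER):]}
    return kind, None


if __name__ == "__main__":
    # Constructed sample values; a real SPI and IKE header would come from the SA.
    for p in (NAT_KEEPALIVE,
              encapsulate_ike(b"\x11" * 28),
              encapsulate_esp(0x0001ABCD, 7, b"ciphertext...")):
        print(f"udp/{NAT_T_PORT} payload of {len(p):>3} bytes ->", decapsulate(p))
```

The extra UDP header is why the inner MTU has to shrink when NAT-T is in use: every ESP packet grows by `UDP_HEADER_LEN` bytes on the wire, on top of the ESP overhead it already carried.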
A big shortcoming of traditional file transfer protocols such as FTP or HTTP has been the impact on throughput that results from TCP’s aggressive congestion control mechanism; especially when transferring large data files over wide area networks. Aspera’s FASP is an application layer protocol that is among the many alternatives that have been designed to address this issue. It uses UDP instead of TCP as the underlying transport layer and leverages the fact that bulk file transfer does not require in-order delivery of byte streams.
A somewhat rhetorical question really. Much like which came first, the chicken or the egg. In his ThreatPost article, George Hulme highlights the challenges and risks associated with allowing consumer-owned devices (phones, laptops, netbooks, tablets) onto corporate networks.
Overview “U-turn” refers to the logical path traffic appears to travel when an internal user reaches an internal resource after resolving the resource’s external address: out towards the firewall and straight back into the same network. U-turn NAT refers to a network where internal users need to access an internal server using the server’s external public IP address. Details For this example,
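The pitfall in U-turn NAT is asymmetric routing: if the firewall only translates the destination, the server sees the client’s real address, replies to it directly across the shared subnet, and the client receives an answer from an address it never connected to. Translating the source to the firewall’s inside interface forces the reply back through the firewall so both translations can be undone. The model below is an added example, not code from the original article; the topology (client and server on 192.168.1.0/24, firewall inside interface 192.168.1.1, public address 203.0.113.5) is constructed, and routing is reduced to "on-subnet goes direct, everything else goes to the gateway".

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed topology (assumption, not from the original article): client and
# server share the trust subnet, the firewall's trust interface is their default
# gateway, and the public address lives on the firewall's untrust side.
LAN = ip_network("192.168.1.0/24")
CLIENT = ip_address("192.168.1.10")
SERVER = ip_address("192.168.1.20")
FW_INSIDE = ip_address("192.168.1.1")
PUBLIC_IP = ip_address("203.0.113.5")


@dataclass(frozen=True)
class Packet:
    src: object
    dst: object


class Firewall:
    """Destination NAT public -> server, optionally with source NAT to the trust interface."""

    def __init__(self, source_nat):
        self.source_nat = source_nat
        self.sessions = {}  # (expected reply src, expected reply dst) -> original request

    def forward(self, pkt):
        if pkt.dst == PUBLIC_IP and pkt.src in LAN:
            new_src = FW_INSIDE if self.source_nat else pkt.src
            out = Packet(new_src, SERVER)
            self.sessions[(out.dst, out.src)] = pkt    # remember how the reply will look
            return out
        orig = self.sessions.get((pkt.src, pkt.dst))
        if orig is None:
            return None                                # no session: dropped
        return Packet(orig.dst, orig.src)              # undo both translations for the reply


def next_hop(pkt):
    """Where a LAN host sends a packet: to the firewall if it is addressed to the
    firewall or off-subnet, otherwise directly to the on-subnet host (via ARP),
    which bypasses the firewall entirely."""
    if pkt.dst == FW_INSIDE or pkt.dst not in LAN:
        return "firewall"
    return "direct"


def simulate(source_nat):
    fw = Firewall(source_nat)
    request = Packet(CLIENT, PUBLIC_IP)                # client uses the public (DNS) address
    to_server = fw.forward(request)                    # off-subnet, so it goes via the firewall
    reply = Packet(to_server.dst, to_server.src)       # server answers whoever it saw
    path = next_hop(reply)
    delivered = fw.forward(reply) if path == "firewall" else reply
    # The client only accepts a reply sourced from the address it connected to.
    accepted = (delivered is not None
                and delivered.src == PUBLIC_IP and delivered.dst == CLIENT)
    return {"server_sees_src": str(to_server.src),
            "reply_path": path,
            "client_accepts": accepted}


if __name__ == "__main__":
    print("destination NAT only:     ", simulate(source_nat=False))
    print("destination + source NAT: ", simulate(source_nat=True))
```

The cost of the source translation is that the server’s logs show the firewall’s inside address instead of the real client; that is the usual trade-off against splitting DNS so internal clients resolve the private address and skip the U-turn altogether.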
The Boy Billionaire, aka Facebook CEO Mark Zuckerberg, has done it again. His proposal to turn Facebook messaging into a sort of universal communications platform is probably the worst idea of the year. It's bad for the privacy of users and for corporate IT, which will have to deal with a huge spike in hard-to-defend Webmail.