Overview This document describes how to use General Policy Objects (GPO) to push SSL decryption certificates to the end-user. Steps Note: Actual screen displays will vary between Windows releases and environments. Export the SSL-Decryption certificate from the Palo Alto Networks firewall. Create a GPO profile. Import the SSL-Decryption cert to
The Application Usage and Risk Report (7th Edition, May 2011) from Palo Alto Networks provides a global view into enterprise application usage by summarizing 1,253 application traffic assessments conducted between October 2010 and April 2011. The key findings and observations both globally and by specific countries are outlined in this report.
Overview This document outlines the basic steps involved in establishing a tunnel between a Palo Alto Networks device and a Check Point UTM-1 Edge. The UTM-1 Edge might also be referred to as VPN-1 Edge, SofaWare, or Safe@Office appliances. All the named Check Point devices run SofaWare’s Embedded NGX code.
The following is a list of possible codes returned should the auto update agent fail to download the latest Content version. The updater error code is viewable in the ms.log in the Tech Support file. The codes are: case -1: return "generic communication error" case -2: return "command error" case -3:
The ongoing WikiLeaks saga has been one of the most intensely covered stories in information security, and for good reason. It involves the exposure of damaging national secrets, has ignited fresh debates about the freedom of information, and has a very willing villain/hero in Julian Assange who is all too happy to hold the spotlight. However, for all of these same reasons, it is easy to be lured into following the narrative of WikiLeaks while missing the very real lessons and warning signs for enterprise security.
Details Basic Information RFC1661 and RFC2516 are supported Per physical-interface configuration The maximum number of PPPoE instances on a device is the number of physical interfaces of the device Only one PPPoE instance can be configured on each physical interface Note: Cannot configure PPPoE on a VLAN tagged sub-interface PPPoE
Here is the FileType list with Threat-ID as of May, 2017. *The Description for each File Type is not included on this page due to content size limitations. ID Name File Type Name Min Version Scope File Type Direction 52000 Microsoft PowerPoint ppt 1.0.1 session both 52001 Microsoft Word
Issue After attempting a software (PAN-OS) upgrade, the Palo Alto Networks firewall displays the error on the console: "System Initializing; please wait". This is followed by a continuous reboot cycle. Resolution Perform factory reset on the Palo Alto Networks firewall. See: How to Factory Reset a Palo Alto Networks Device.
Palo Alto Networks devices are designed and built with security in mind, but as with any network computing device, it is important to avoid certain pitfalls when performing configuration tasks. Below are a few guidelines that will assist the administrator in ensuring that their Palo Alto Networks device is properly
Twitter has recently joined the ranks of fellow social media giants Facebook and Google by moving to more widespread and default use of SSL to protect their end-users’ information. Twitter announced on their blog that users can set a preference to secure all Twitter communication via HTTPS, which will in time become the default setting for the Twitter service. You can read the Twitter blog here: http://blog.twitter.com/2011/03/making-twitter-more-secure-https.html This shift highlights a very real and important challenge for enterprise security that boils down to this:
RSA, the security division of EMC, is trying to contain the damage caused by hackers who penetrated its network and compromised technical specifications for its SecurID token-based multifactor authentication system.
The hard drives for the PA-2000 series devices are swappable, but there are some caveats listed below: Does the drive come preloaded with a version of PANOS? Yes. A version number will be asked for at the time of the RMA and the spare HDD will come pre-loaded with that
The GlobalProtect data file, located on the Device tab > Dynamic Updates, contains the OPSWAT file that lists the vendors to be used in the HIP object configuration. A valid GlobalProtect Gateway and Portal license is necessary, and the download schedule needs to be configured before automatic updates can
It’s that time of year again when college basketball takes center stage in America – brackets are filled out, fretted over, and filled out again. Otherwise sane and reasonable coworkers morph into die-hard superfans, and full-grown men begin having serious debates about Cinderella. They call it March Madness for a reason. It is also the time of year when IT and network teams brace for the surge of network traffic as employees tune in to watch the games on-line. This year the impact is likely to be the largest ever as …
When creating a policy rule, there is an option to log the session at session start, session end, both or none. Two terms that are easily confused will show up in the logs: Session start time - time at which the session started Receive time - time at which the
Microsoft provides a tool, certreq.exe, with its certificate server, to create and submit certificate signing requests (CSR) to a Microsoft certificate server. These tools can be used in place of openssl for environments that use a Microsoft CA. The commands can be used from any domain member system. Certreq requires an
Overview This document explains the RADIUS Vendor Specific Attributes (VSA) used with the Palo Alto Networks Next Generation Firewalls and Panorama server. The configuration on the Palo Alto Networks device and the Panorama server is identical. Note: Palo Alto Networks uses the vendor code: 25461 There are 5 attributes: PaloAlto-Admin-Role:
Details Configuring a Kerberos server allows users to authenticate natively to a domain controller. When the Kerberos settings are configured, Kerberos becomes available as an option when defining authentication profiles. Recommendations for configuring Kerberos are provided below: DNS Entries If using Active Directory, it is easiest to use the AD
The Secure Shell (SSH) is a protocol for secure remote login and other secure network services over an insecure network. SSH allows tunneling, which can be used to subvert firewalls and breach security policies. Users can "sneak through" a firewall by hiding applications that the firewall would normally block, wrapping
Yes. For URL filtering, file blocking, and antivirus profiles, you can automatically issue a block page by setting the policy action to "block". In order to issue a block page over SSL, you must also enable SSL decrypt. For more information on how to do this, please refer to the
System Log Fields: Type The purpose of the type field is to provide general categorization of events. This will typically be the feature that is related to the event (routing, vpn, ha, authentication, etc.) Severity Each event has an associated severity. The intent of the severity is to give the
Details It is possible to configure a Denial-of-Service (DoS) protection policy for a server. In the example below, users from the Internet are accessing the server, 18.104.22.168, which is NATed to 192.168.1.10. The DoS policy will be configured to protect the server with a maximum of 20000 sessions and 1000
Overview The lists below show OIDs for Palo Alto Networks Devices and useful OIDs from various MIBs for performing basic SNMP monitoring of the Palo Alto Networks device. OIDs for Palo Alto Networks Devices PA-200: 22.214.171.124.4.1.254126.96.36.199 PA-500: 188.8.131.52.4.1.254184.108.40.206 PA-2020: 220.127.116.11.4.1.25418.104.22.168 PA-2050: 22.214.171.124.4.1.254126.96.36.199 PA-3020: 188.8.131.52.4.1.254184.108.40.206 PA-3050: 220.127.116.11.4.1.25418.104.22.168 PA-4020: 22.214.171.124.4.1.254126.96.36.199 PA-4050:
On most systems, ECC error messages similar to the following in the dp-console and system logs are a good indication that there is a system memory problem with a failed DIMM. Replacing the device is usually required. However, on the PA-500 series, the error could also indicate that software is
Overview This document describes how to manually import the policies of an existing Palo Alto Networks firewall into Panorama. Addresses, address groups, services and policies will be imported so the same policies can be applied to other firewalls that are managed by Panorama. Assumptions You have a PAN firewall that
Ethernet Cable (UTP): White color code Category 6 (550MHz) 7 ft (2.13 m) Console Cable: 6 ft (1.83 m) DB-9 Female to DB-9 Female (for PA-4000 series) DB-9 Female to RJ-45 (for PA-500/2000 series) owner: kmiwa
Overview The Report Stats Dump, found on the Palo Alto Networks firewall Device tab > Support, will only record the past 7 days from the current time by default. The stats dump provides the data used for the "Application, Visibility and Risk Report" compiled by Palo Alto Networks for
Though the communication is constant, there is very little bandwidth used for the traffic between the Palo Alto Networks firewall and the User-ID Agent or PAN-Agent. The summary below indicates the frequency of various queries: Every 2 seconds Get new user/IP mapping from the agent. Used to retrieve new user/IP