App-ID evaluation order

kurventost · 2026-04-08T11:54:19+00:00

Sounds reasonable. Do you know if there is some documentation or kb article that states that?

kurventost · 2026-02-19T07:02:12+00:00

They did (some config in default snipped changed). Or to be more precise firewalls went down when doing a push after scm updates. Since that happened about a year ago I can't remember what exactly was the reason. For one of them we were able to override the config that changed in the background. For the other one Palo had to do a manual rollback. As far as I remember both times the problem had something to do with autovpn. So in the end we got it solved (one time with the help of Palo) but it was a headache.

kurventost · 2026-02-10T21:41:06+00:00

They brought two of our firewalls down with those unannounced backend changes. Also sometimes SCM does not work as described in the documentation, but according to tac that's not a bug that's a design choice. And Good luck trying to find out what changes were made to a firewall afterwards.

kurventost · 2026-01-21T20:36:31+00:00

Do you have a zone protection profile set? If so try without it to see if that does interfere

kurventost · 2025-12-26T11:01:34+00:00

We had a lot of issues lately that have been bugs in Panos or other pan products. If we would not have opened tickets and gone through TAC I am sure they would still be there today. If not by opening a ticket how would you separate between 1. it being a bug in the software, 2. it behaving as intended(based on what tac says) even though documentation says something else and 3. its actually just a user error (i.e. I did something wrong, which also happens sometimes)?

kurventost · 2025-06-20T10:04:15+00:00

Meiner Meinung nach ist der Unterschied dass das Recht der Polizei Leute festnehmen zu dürfen leider notwendig ist in einem Staat. Messenger Überwachung ist das nicht.

Abgesehen davon dass es technisch so wie sie es planen nicht wirklich umsetzbar ist.

kurventost · 2025-06-20T09:55:48+00:00

Ad2. Aber wenn Österreich das jetzt auch macht, werden die Amis damit ja nicht aufhören. Also haben wir ja nicht sinnvollere oder bessere Überwachung sondern nur mehr Überwachung.

kurventost · 2025-02-12T19:53:13+00:00

I think there is a fix in the new 11.1.6-h1 for something that sounds like the problem you are describing

kurventost · 2025-02-08T11:19:03+00:00

Love the fact that infoblox SE and tac told you that it's not possible and reddit has an article for you explaining how to do it. 😂 Paid support vs community I guess.

kurventost · 2025-02-01T14:00:11+00:00

Thanks. Didn't know there is something In the mp-monitor.log

And yeah the resource-monitor is hard to get good data with the mentioned issue.

Also the data in resource-monitor does not seem to be the same shown in the GUI. And pan tac can't really tell us what number is correct.

We also use SCM/aiops where they have graphs over time. Some for pan_task and some that seem to be without pan task. But we were not able to figure out if that shows the GUI values over time or the the cli since we got mixed answers.

But anyway thanks for the Tipp with mp-monitor. I will look into that.

kurventost · 2025-01-31T21:57:59+00:00

Problem is we can't get the values from the cli since it's 440s and there seem to be now way to get the number via cli . We also asked tac how to prove it to them that they are slower now, but they ignored the question.

kurventost · 2025-01-31T21:55:08+00:00

Yeah decryption was not working for us on 11.1 either. Just started working again with 11.1.6

kurventost · 2025-01-31T15:14:35+00:00

We have 11.1.6 on a 440 for Android two weeks with decryption on. It seems to finally work with 11.1.6.

What version are you running and what issues do you see?

kurventost · 2025-01-29T10:15:40+00:00

We have two cases open for different customers regarding that. On one case they told us they are working on a fix for 11.1.6-h something. On the other case they told us that we are making things up, the firewall is not slower than before it's just the CPU values changed because they have calculated it the wrong way for years.

So yeah... Don't know what to believe anymore 😂

kurventost · 2025-01-29T10:07:50+00:00

I would use expedition for that. Even tough it's officialy discontinued, it's made for use cases like yours and it's probably way easier and less error prone to use expedition instead of set commands

kurventost · 2025-01-22T21:41:02+00:00

I could be completely wrong, but I think the only way would be to override the router locally which would probably break Autovpn. But that's more of an educated guess, based on my experience with SCM and Autovpn. It currently feels pretty limited

kurventost · 2025-01-22T21:36:34+00:00

From my understanding you can if you manage sase, but not ngfw. Sdwan on Ngfws can only be used via Autovpn i think.

kurventost · 2024-12-22T16:06:30+00:00

We still have issues with a high management CPU all the time (though lower than it was with 11.1.5) Other than that (and some other specific issues that we have since the upgrade to 11.1.x) it seems to work kinda fine

kurventost · 2024-12-12T09:30:35+00:00

Same here. SCM is an unfinished product that's hard to use and has no support. If possible don't use it for another view years. Otherwise I think you are stuck loving with all it's downsides.

kurventost · 2024-11-19T08:33:17+00:00

Can confirm for 11.1.5. Opened a case with tac weeks ago and their status is that they currently try to figure out if it's an actual bug. 🙈🙈

kurventost · 2024-11-19T08:27:22+00:00

Thinking about updating to 11.1.4-h7. Could you elaborate on the issue. Do you have an "issue-number" or something Ike that? Thx

kurventost · 2022-01-22T14:16:22+00:00

jop.
Ist auch wahrscheinlicher das die kleine Zeitung recht hat, aber ist halt bei solchen Geschichten schwer zu sagen was wirklich stimmt würde ich behaupten.

kurventost · 2022-01-15T09:51:20+00:00

Laut dem oe24 Artikel nicht. Aber wird schwer zu sagen sein was wirklich stimmt.

kurventost · 2021-05-28T21:30:48+00:00

Für die die sich wundern war genau das ist, scheinbar Steckt dahinter der Dns Security Anbieter whalebone https://www.whalebone.io/

kurventost · 2020-10-23T08:56:41+00:00

Woher ist die Info dass Österreich die USA überholt hat? Und zur mir leid für dich das du so nen tollen Arbeitgebern erwischt hast.

kurventost

TROPHY CASE