Configuration Articles

Featured Article
Overview
When configuring BGP Export/Import rules that match on the Next Hop entry from the routing table, the next hop entry cannot be just an IP address. The next hop entry must have the /32 prefix; a different prefix will not match the rule.

Steps
Export rule
This configuration filters BGP routes based on the next hop IP address. Routes with 1.1.1.1 as next hop are advertised through BGP; other routes are filtered by the Palo Alto Networks device.
A. From the WebGUI, go to Network > Virtual Router and click "default".
B. Select BGP > Export tab and click Add to create an export rule.
C. Go to Match and add the next hop IP address (with its /32 prefix) as shown below.

Import rule
This configuration filters BGP routes based on the next hop IP address. Routes with 1.1.1.1 as next hop are received through BGP; other routes are filtered by the Palo Alto Networks device.
A. From the WebGUI, go to Network > Virtual Router and click "default".
B. Select BGP > Import tab and click Add to create an import rule.
C. Go to Match and add the next hop IP address (with its /32 prefix) as shown below.
owner: aciobanu
aciobanu 09-24-2018 02:11 PM
To configure a Palo Alto Networks firewall as a DHCP server:
1. Open a new WebUI management session.
2. Navigate to Network > DHCP > DHCP Server.
3. Click the Add button at the bottom of the window. The DHCP Server configuration window opens and the DHCP server options are displayed.
   Note: The sections shaded in yellow are the minimum fields necessary for a working DHCP deployment; additional options may be configured as needed.
4. Select the interface that will be sourcing DHCP leases.
5. Specify the default gateway and primary DNS.
6. Specify the desired lease range in the 'IP Pools' section. Address ranges may be entered in CIDR notation, or as the start and end IP addresses of the range separated by a "-" dash.
7. Click 'OK'.
8. Commit the changes to enable DHCP services.
owner: ggarrison
ggarrison 09-17-2018 09:38 AM
Overview
In Captive Portal scenarios, traffic for unidentified users flows through the Palo Alto Networks device. The traffic logs show an empty Source User for these unidentified users. No filter is available to view only the logs that have an empty Source User column.

Resolution
To view only the logs with empty or unidentified Source Users:
1. On the Monitor > Logs > Traffic page, click the Add Filter button (green plus icon).
2. Configure the filter with Attribute = Source User and Operator = is present. The filter is added as (user.src neq '').
3. Remove the 'n' from 'neq' so that the filter reads (user.src eq '').
4. Click the Apply Filter button (green arrow) to activate the filter.
owner: kadak
kadak 09-14-2018 01:19 PM
QRADAR LEEF syntax for your Syslog needs in PAN-OS 8.0
taddair 09-11-2018 01:14 AM
Overview
Dead Peer Detection (DPD) refers to functionality documented in RFC 3706, a method of detecting dead Internet Key Exchange (IKE/Phase 1) peers. Tunnel Monitoring is a Palo Alto Networks proprietary feature that verifies traffic is successfully passing across the IPSec tunnel in question by sending a ping down the tunnel to the configured destination. Tunnel monitoring can be used in conjunction with "Monitor Profiles" to bring down the tunnel interface, allowing routing to update so that traffic can route across secondary routes. Tunnel monitoring does not require DPD. Dead Peer Detection must be either active or disabled on both sides of the tunnel; having one side with DPD enabled and the other with it disabled can cause VPN reliability issues.

Details
Dead Peer Detection
DPD is a monitoring function used to determine the liveness of the IKE Security Association (Phase 1). DPD detects whether the peer device still has a valid IKE-SA. Periodically, it sends an "ISAKMP R-U-THERE" packet to the peer, which responds with an "ISAKMP R-U-THERE-ACK" acknowledgement.

The Palo Alto Networks firewall does not currently have a log associated with DPD packets, but they can be detected in a debug packet capture. The following is a PCAP from a peer device:

    Mar  4 14:32:36 ike_st_i_n: Start, doi = 1, protocol = 1, code = unknown (36137), spi[0..16] = cd11b885 588eeb56 ..., data[0..4] = 003d65fc 00000000 ...
    Mar  4 14:32:36 DPD; updating EoL (P2 Notify
    Mar  4 14:32:36 Received IKE DPD R_U_THERE_ACK from IKE peer: 169.132.58.9
    Mar  4 14:32:36 DPD: Peer 169.132.58.9 is UP status_val: 0.

The DPD query and delay interval can be configured when DPD is enabled on the Palo Alto Networks device. DPD tears down the SA once it realizes the peer is no longer responding.
Note: DPD is "not persistent" and is only triggered by a Phase 2 rekey. This means that while Phase 2 is up, the Palo Alto Networks firewall will not check whether the IKE-SA is active. To get Phase 2 to trigger a rekey, and so trigger DPD to validate the Phase 1 IKE-SA, enable tunnel monitoring.

Tunnel Monitoring
Tunnel Monitoring is used to verify connectivity across an IPSec tunnel. A tunnel monitor profile specifies one of two actions to take if the tunnel is not available: Wait Recover or Fail Over.
- Wait Recover tells the firewall to wait for the tunnel to recover and take no additional action.
- Fail Over forces traffic to a backup path if one is available.
In both cases, the firewall tries to negotiate new IPSec keys to accelerate recovery. A threshold option sets the number of heartbeats to wait before taking the specified action; the range is 2 to 100 and the default is 5. The interval between heartbeats can also be configured; the range is 2 to 10 and the default is 3.

Once the tunnel monitoring profile is created, as shown below, select it and enter the IP address of the remote end to be monitored.
owner: panagent
nrice 08-30-2018 10:14 AM
Details
The following diagram illustrates an IPSec site-to-site tunnel between a Palo Alto Networks firewall and a Cisco router:

Tunnel Interface
Create a tunnel interface and select the virtual router and security zone. If the tunnel interface is placed in a separate zone rather than the internal LAN zone, the security policy needs to allow traffic from the LAN zone to the VPN zone. An IP address is not required, but to run a routing protocol through the tunnel you must add an IP address to the tunnel interface.

Loopback Interface
For this scenario a loopback interface is used to simulate a host in an internal zone for testing purposes; otherwise there is no need for the loopback interface.

Phase 1
Create a Phase 1 policy, which will be the same on both sides.

Phase 2
Create a Phase 2 policy, which will be the same on both sides.

IKE Gateway
The peer IP address must be reachable through the interface Ethernet 1/1, as shown below.

IPSec Tunnel
Select the tunnel interface, the IKE gateway and the IPSec Crypto profile, and make sure the Proxy-ID is added, otherwise Phase 2 will not come up.

Route
Add the route to the internal network of the other side, pointing towards the tunnel interface, and select None as next hop.

Configuring Cisco

    ip access-list extended Crypto_Acl
     permit ip 10.50.50.0 0.0.0.255 16.16.16.0 0.0.0.255
    crypto isakmp policy 16
     encr aes
     hash md5
     authentication pre-share
     group 5
    crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
    crypto ipsec transform-set TSET esp-aes esp-sha-hmac
    crypto map CMAP 10 ipsec-isakmp
     set peer 10.50.240.55
     set transform-set TSET
     match address Crypto_Acl
    interface FastEthernet0/0
     crypto map CMAP

owner: pakumar
pankaku 08-28-2018 10:34 AM
Note: Customers are not required to modify firewall policies unless the conditions outlined below are in use.

Issue:
Firewalls are typically required to act as an ALG to create pinholes for SIP sessions and provide address translation capabilities. The "sip" App-ID creates such pinholes, which allow the protocol to function seamlessly when it encounters the firewall. When a SIP server communicating using static NAT in one zone (source) emits traffic destined to a SIP server in another zone (destination), the firewall creates a pinhole that consequently allows any host using SIP within the destination zone to communicate with the SIP server in the source zone. For example, a SIP server P.Q.R.S in the source zone, static NAT-ed to D.E.F.G:5060, dispatches a SIP REGISTER message to an external SIP server A.B.C.D:5060 in the destination zone. This results in the firewall creating a pinhole that accepts incoming connections from hosts in the destination zone addressed to D.E.F.G:5060.

Resolution:
The "sip-trunk" App-ID disables the creation of such a pinhole when used in conjunction with an Application Override. This App-ID is meant to be used between known SIP servers. The source and destination addresses of these servers must be specified, with their SIP traffic overridden to the "sip-trunk" App-ID. In addition, given the lack of a pinhole, administrators must configure a Security Policy rule that permits traffic between these servers in the reverse direction. This allows the SIP servers to communicate with each other, and the absence of the pinhole prevents the firewall from accepting inbound connections from other hosts within the destination zone.

Requirements:
- SIP Registrar or Proxy is statically NATed through the firewall
- SIP trunking is being used in the environment
- Content database version 518 or higher

Note that switching to sip-trunk requires clearing all active SIP traffic, so the process will be disruptive to users. We recommend scheduling an outage or maintenance window after hours to implement these changes. Also, any ports other than udp/5060 that are in use by your SIP server will need to be added to the new policies accordingly.

How to Implement:
1) Create an Application Override policy with a rule that allows sip-trunk traffic on udp/5060 as well as any other ports used by this application in your environment. The policy can be limited in scope to match only the desired SIP traffic by specifying source and destination IP addresses as well as zones.
2) Create a Security policy that blocks the "sip" application.
3) Create a Service object that contains udp/5060 as well as any other ports required by your SIP servers.
4) Create Security policies beneath the rule created in step 2 that allow the "sip-trunk" application. This policy should be limited in scope to match only the desired SIP traffic by specifying source and destination IP addresses as well as zones.
5) Create a static bi-directional source NAT policy.
6) Commit the policy.
7) Clear all current SIP sessions from the CLI (NOTE: this command will disrupt all active SIP traffic):
    > clear session all filter application sip
8) Clear the application cache from the CLI:
    > clear appinfo2ip
ggarrison 08-28-2018 10:32 AM
Symptoms
Packet drop is observed after a DoS Protection Rule is applied, and Threat logs for DoS Protection are not generated. This tends to happen when the DoS Protection Rule is created with the Classified setting and "src-dest-ip-both" is selected for the Address setting. The issue can happen even if the number of active sessions is much lower than the maximum session count the platform supports, and also lower than the "Maximum Concurrent Sessions" setting in the DoS Protection Profile.

During that time, the following global counters are incremented:

    flow_dos_rule_drop             Packets dropped: Rate limited or IP blocked
    flow_dos_rule_drop_classified  Packets dropped: due to classified rate limiting
    flow_dos_no_empty_entp         Unable to find empty classified entry during insertion

Cause
If the counters above show the same value, hash insertion into the classification table failed and the packets were dropped. Hash insertion fails when the classification table is full or when a hash collision happens. With the "src-dest-ip-both" setting, the firewall has to track sessions by source IP and destination IP pair, which uses more entries in the classification table. When more entries are created, there are more chances for a hash collision.

Solution
- Select "source-ip-only" or "destination-ip-only" instead of "src-dest-ip-both" in the Classified setting.
- Use the Aggregate setting instead of Classified.
- The "debug dataplane reset dos classification-table" command can be used as a temporary workaround to clear the classification table. Note: This is not a permanent fix.
- Configure the DoS Protection rule to be more specific, for example by reducing the number of Zones the policy applies to instead of selecting all existing Zones.
ymiyashita 08-21-2018 07:52 AM
Domains
A number of domains/SSL certificates are excluded from SSL Decryption. Starting with PAN-OS 8.0, the SSL exclusion is handled inside the Certificates section of the WebUI. To see the full list of domains/SSL certificates excluded from SSL Decryption, go to WebGUI > Device > Certificate Management > SSL Decryption Exclusion. The domains marked "Exclude from decryption" in this location will not be decrypted by the Palo Alto Networks device. This list of domains is added to the SSL Decryption Exclusion list in each Content load so that the SSL engine allows them to pass through rather than trying to decrypt them.

Applications
In PAN-OS 7.1 and older, applications were used instead of domains. These applications are added to an exclude list in each Content load so that the SSL engine allows them to pass through rather than trying to decrypt them.

# Application
1. adobe-echosign
2. aerofs
3. aim
4. airdroid
5. amazon-aws-console
6. anydesk
7. appguru
8. apple-game-center
9. apple-push-notifications
10. asana
11. authentic8-silo
12. bluejeans
13. cryptocat
14. daum-mypeople
15. discord
16. dnf
17. efolder
18. evault
19. filesanywhere
20. finch
21. google-plus-posting
22. gotoassist
23. gotomeeting
24. gotomypc
25. hbo
26. hp-virtual-rooms
27. icloud
28. informatica-cloud
29. itunes
30. itunes-appstore
31. itunes-mediastore
32. itwin
33. jungledisk
34. kakaotalk
35. kakaotalk-audio-chat
36. kakaotalk-file-transfer
37. lantern
38. linkedin
39. live-mesh
40. logentries
41. logmein
42. logmeinrescue
43. meerkat
44. megachat
45. metatrader
46. minecraft
47. ms-lync-online
48. ms-product-activation
49. ms-spynet
50. ms-update
51. naver-line
52. norton-zone
53. ntr-support
54. odrive
55. office-on-demand
56. okta
57. onepagecrm
58. onlive
59. opera-vpn
60. packetix-vpn
61. paloalto-wildfire-cloud
62. pando
63. pathview
64. periscope
65. proofhq
66. puffin
67. rift
68. second-life
69. signal
70. silent-circle
71. simplify
72. sophos-rms
73. springcm
74. sugarsync
75. telex
76. tigertext
77. ubuntu-one
78. ultrasurf
79. vagrant
80. via3
81. vmware-view
82. vudu
83. wallcooler-vpn
84. webroot-secureanywhere
85. wetransfer
86. whatsapp
87. winamax
88. wiredrive
89. yunpan360-file-transfer
90. yuuguu
91. zoom
92. zumodrive
nrice 07-27-2018 03:49 PM
This document describes how to enable and disable CCEAL4 mode on a Palo Alto Networks firewall in high availability, with minimum impact on the network. Before attempting this procedure, read the following article to understand the changes and impact of enabling FIPS/CCEAL4 mode: Changes that Occur if FIPS Mode is Enabled.

Preparation
1. Make sure you have physical access to the firewall and a console connection.
2. Change the configuration to fulfill the requirements in the above document, so that you do not get commit errors while loading the configuration:
   - Make sure the passwords meet the minimum length criteria.
   - Set up a lockout time for failed login attempts. On the GUI, go to Device > Setup > Management > Authentication Settings > Lockout Time (min).
   - Make sure supported cipher suites are used for IPSec VPNs and all certificates were generated with a 2048-bit key size.
3. Enable HA on both HA peers and make sure they are talking to each other: How to enable encryption on HA1 in high availability configurations.
4. Take backups of the configuration and licenses from both Firewall1 and Firewall2 after making the above changes. On the GUI, give proper names to each file:
   - Device > Setup > Operations > Save Named Configuration Snapshot
   - Device > Setup > Operations > Export Named Configuration Snapshot
   - Device > Setup > Operations > Export Device State
   - Device > Support > Generate a Tech Support File, and then download it.
   This step is optional if the device is also managed from Panorama; in that case go to Panorama > Setup > Operations > Export Panorama and device config bundle.
5. Test the failover between the HA pair to make sure traffic flows fine via both firewalls.
6. Disable preemption in the High Availability settings to avoid any unnecessary failovers.
7. On the CLI, disable TCP-Reject-Non-SYN for the maintenance window. This allows successful failover of traffic between the firewalls once one is in FIPS mode and the other is not:
    > configure
    # set deviceconfig setting session tcp-reject-non-syn no
    # commit
8. Fail over all traffic to Firewall2 while Firewall1 is being put in FIPS mode.

Steps to enable FIPS mode
1. Remove all HA and network cables on Firewall1 and follow the procedure in the following article to enable FIPS mode on Firewall1: How to Enable or Disable (Common Criteria) CCEAL4 Mode.
2. After you are able to log into Firewall1 via the GUI on 192.168.1.1, import Firewall1's exported candidate configuration using the WebGUI: Device > Setup > Operations > Import Named Configuration Snapshot. Note: If the device is managed from Panorama, import the device state instead: (WebGUI) Device > Setup > Operations > Import Device State.
3. Disable HA on Firewall1.
4. Make sure you have a local admin account configured with a known password so that you can still manage the device after committing.
5. Export the HA encryption keys from Firewall1: Device > Certificate Management > Certificates > Export HA Key.
6. Commit the changes. If the commit goes through, connect the management port back to the network so that you can connect to the original management IP and regain access to the firewall.
7. After logging in again, update the licenses, the Content and Antivirus databases and the URL database to the required version, and update the WildFire package as well: Wildfire Configuration, Testing, and Monitoring.
8. Connect the network cables (no HA cables yet) on Firewall1 and disconnect the network cables on Firewall2 at the same time. Note: There will be an outage at this step, as this is a stateless failover to Firewall1. Verify that traffic is passing through the firewall.
9. Repeat steps 1 to 8 for Firewall2. At this point both firewalls are in FIPS mode but acting as standalone units.

Now we will enable HA on both:
1. Follow the article How to enable encryption on HA1 in high availability configurations to import the HA keys of Firewall2 into Firewall1 and vice versa.
2. Enable HA on both firewalls as before (encryption needs to be enabled). Leave preemption disabled for now. Commit the changes.
3. Connect the HA cables between Firewall1 and Firewall2 and let the HA state transition take effect.
4. Once HA is established, connect the network cables on Firewall2.
5. Test the failover by suspending Firewall1.
6. Enable preemption if required and make sure tcp-reject-non-syn is enabled again.

Note: Arrange downtime for the procedure, and contact support if you run into any issues.
abjain 07-24-2018 09:31 AM
Although it is not possible to change the port GlobalProtect uses, it is possible to use another port with the help of a loopback IP address and security rules. Here is how to do that:
1. Create a loopback interface. Make sure the untrust interface can ping the loopback.
2. Assign the loopback as the portal address and the gateway address.
3. In the GlobalProtect Portal > Agent > External tab, set the external gateway address (10.30.6.56:7000, for example).
4. Create a Destination NAT rule with service 7000 to 10.30.6.56 (untrust interface), translating to 10.10.10.1 (loopback) on service 443.
5. Create a security policy with the untrust interface as destination address and 7000 and 443 as services.
With this configuration you can access the GlobalProtect portal page on https://10.30.6.56:7000, which translates to https://10.10.10.1. Download and install the GlobalProtect client software. Use the credentials in the username and password fields. In the portal field, enter 10.30.6.56:7000 as shown.
owner: mvenkatesan
mvenkatesan 07-19-2018 06:07 AM
How to Allow a Single YouTube Video and Block All Other Videos
In this example we only want to allow this one YouTube video, https://www.youtube.com/watch?v=hHiRb8t2hLM, and block the rest of YouTube. Follow these steps to accomplish this.

Steps
1. Block streaming-media in your URL Filtering profile. In the WebGUI go to Objects > Security Profiles > URL Filtering and click the URL Filtering profile you would like to use.
   [Image: URL Filtering profile detail showing streaming-media set to Block]
2. Create a Custom URL Category from Objects > Custom Objects > URL Category. Your Custom URL Category must include the following entries:
   *.youtube.com
   *.googlevideo.com
   www.youtube-nocookie.com
   www.youtube.com/yts/jsbin/
   www.youtube.com/yts/cssbin/
   This makes sure that any YouTube page or content you go to is decrypted, so that the full HTTP GET can be read.
3. Add a decryption policy of type SSL Forward Proxy; the decryption policy must be tied to your Custom URL Category in the "Service/URL Category" tab. See the following article about configuring SSL Decryption: How to Implement and Test SSL Decryption.
4. Go to your URL Filtering profile and add the following URLs to the Allow list:
   www.youtube.com/watch?v=hHiRb8t2hLM
   *.googlevideo.com
   The first entry is the URL of the container page itself; *.googlevideo.com then allows the media that the container page fetches from Google's content CDN at *.googlevideo.com. Also make sure that the custom URL category you created is "allowed" inside the URL Filtering profile.
   [Image: URL Filtering profile detail showing the allowed URL list]
5. Commit and test.

Thanks to Milvaldi for the contribution.
owner: jdelio
07-12-2018 11:51 PM
Before installing User-ID, run through the following checklist:
- Determine the machine the user-agent will be installed on: Windows XP, Windows 7, Windows 8 or Windows Server 2003/2008/2012. It needs network connectivity to the DCs and to the management port of the firewall, and must be a member of the domain.
- Determine which user account the user-agent will use to query the domain. This account needs the user right to read the security logs on the domain controllers. The Domain Admins group has this right, but a new group can be created in AD that has this right added to basic user rights.
- Determine which domain (with corresponding domain controllers) the user-agent will be querying. One user-agent is required for each domain and can handle a maximum of 64000 users in a domain.

Steps
Installing and Configuring the User-ID Agent
1. Select a PC in the domain to install the user-agent software.
2. Download and install the latest version of the user-agent from https://support.paloaltonetworks.com
3. Configure the user-agent service to run under a different account than the local system account selected by default. This user account must have access to read security logs and to NetBIOS-probe other machines. To get to the service: Admin Tools > Services > PAN agent > Log On > switch from the local account to "This account", then select the user that will be used for this service.
4. Restart the PAN agent service.
5. Start the user-agent GUI: Start > Programs > Palo Alto Networks > User Identification Agent, then click Configure in the top right corner.
6. Fill in the following information:
   - Domain name: FQDN of the domain, for example acme.com.
   - Port number of your choosing: any port number not currently in use on this machine. Make sure the local machine does not have a firewall blocking inbound connections to that port.
   - Domain controller IP addresses: add all the DCs in the domain. Users can be authenticated by any DC in the domain, so you can enter up to 10 IP addresses.
   - Allow list: subnets that contain users to track.
   - Ignore list: IP addresses of terminal servers and any other machines that could have multiple users logged in simultaneously.
   - If NetBIOS is not allowed on the network, disable NetBIOS probing. For more accurate IP-to-user mapping, disable NetBIOS probing.
7. Click OK.
8. Monitor the agent status window in the top left corner, which should display no errors. Other messages you may see: "Connection failed. Please start the PAN agent service first." "Reading domain name\enterprise admins membership." "No errors."
9. To confirm that the server running the user-agent is listening on the port configured in step 6, run the following command on the PC:
    netstat -an | find "xxxx"

Configuring the firewall to communicate with the User-ID Agent
1. Log into the Palo Alto Networks firewall and go to Device > User Identification.
2. Configure the Name, Host (IP address) and Port of the User-ID Agent.
3. Enable user identification on each zone to be monitored. On the Network > Zones page, edit the appropriate zones and, in the bottom left corner of the Zone properties page, check the box to Enable User Identification.
4. Commit the changes.
5. To confirm connectivity, run this command on the CLI of the Palo Alto Networks firewall; it should return state connected, ok:
    show pan-agent statistics
6. To view currently logged-in users, run:
    debug dataplane show user all

Testing
To make sure everything is working, create a new security rule. You should be able to select users or groups.
owner: jnguyen
jnguyen 06-28-2018 05:41 AM
User-ID Agent requirements:
- Must be running on a Windows 2008 or 2003 Server that is a member of the domain in question. Although the User-ID Agent can be run directly on the AD server, it is not recommended.
- The service must run as a domain account that has local administrator permissions on the User-ID Agent server.
- The service account must have permission to read the security log. In Windows 2008 and later domains, the built-in group "Event Log Readers" provides sufficient rights for the agent. In earlier versions of Windows, the account must be given the "Audit and manage security log" user right through a group policy. Making the account a member of the Domain Administrators group provides rights for all operations.
- If using WMI probes, the service account must have rights to read the CIMV2 namespace on the client workstation. The User-ID agent account needs to be added to the "Remote Desktop Users" group; a domain admin has this by default.
- If using only one User-ID Agent, make sure it includes all domain controllers in the discover list.
- The domain controller (DC) must log "successful login" information.

The User-ID Agent monitors the domain controllers for the following events:
Windows 2003
- 672 (Authentication Ticket Granted, which occurs at the logon moment)
- 673 (Service Ticket Granted)
- 674 (Ticket Granted Renewed, which may happen several times during the logon session)
Windows 2008
- 4768 (Authentication Ticket Granted)
- 4769 (Service Ticket Granted)
- 4770 (Ticket Granted Renewed)
- 4624 (Logon Success)
For account logon, the DC records event ID 672 as the first logon for the authentication ticket request. No relevant account log-off event is recorded. If NetBIOS probing is enabled, any connection to a file or print service on the Monitored Server list is also read by the agent. These connections provide updated user-to-IP mapping information to the agent. In all cases, the newer event for a user mapping overwrites older events.

If WMI probing is enabled, make sure the probing interval is set to a reasonable value for the number of workstations it may need to query. For example, if there are 5,000 hosts to probe, do not set a probing interval of 10 minutes. Both settings are under User Identification > Setup > Client Probing on the User-ID agent.

In some cases the WMI probe fails because the workstation is running a local firewall or is not a member of the domain. If this happens, the mapping can be deleted once the cache timeout is exceeded, even though the workstation is up and passing traffic. To test, run the following command from the User-ID agent; it should return the user currently logged in to that computer:
    wmic /node:workstationIPaddress computersystem get username
Windows firewalls can be configured with these commands locally on the workstation or server if remotely configuring the firewall is not possible:
For Windows XP/Windows Server 2003:
    netsh firewall set service RemoteAdmin enable
For Windows Vista/Windows Server 2008 (run the command from an elevated command prompt):
    netsh advfirewall firewall set rule group="windows management instrumentation (wmi)" new enable=yes
If you are not confident the workstations will respond to WMI probes, set the User-ID cache timeout to a higher value, since the mapping will then depend on the users' login events. In this case, if the cache timeout is exceeded after the initial login event, the mapping is deleted even though the user is still logged in. This setting is under User Identification > Setup > Cache on the User-ID agent.

Confirm that all the domain controllers are in the list of servers to monitor. If not, not all user-to-IP mappings may be captured, since any domain controller can potentially authenticate the users. Confirm that the Domain Controller list is accurate by running the following command from a domain controller (it prints a list of your DCs):
    dsquery server -o rdn
Remove any DCs that no longer exist. Confirm that User-ID is enabled on the zone where the traffic is sourced. This setting is under Network > Zones.

Helpful commands on the firewall
Status of the agent and connection statistics:
    show user user-id-agent state all
Display IP mappings:
    show user ip-user-mapping all
Display a single IP mapping with details including group info:
    show user ip-user-mapping ip IPaddress
Display the groups being parsed on the firewall:
    show user group list
Display the members of a group according to the firewall (the group name is the DN):
    show user group name "group name"
Delete a group mapping and rebuild it:
    debug user-id clear group "group name"
    debug user-id refresh group-mapping all

See Also
Getting Started: User-ID
How to Configure Agentless User-ID
owner: jteetsel
PANW1337 06-28-2018 05:36 AM
Steps
1. Click Device.
2. Under Server Profiles, click LDAP.
3. Click Add to bring up the LDAP Server Profile dialog.
4. Enter the server name, IP address and port (389 for LDAP).
5. Select the LDAP server type from the drop-down menu.
6. Enter the Base Distinguished Name for the domain.
7. Enter the Bind DN and Bind Password for the service account.
8. Uncheck the SSL checkbox (SSL can be used if the Domain Controller listens for LDAP over SSL on port 636).
9. Commit the changes.
owner: bnelson
bnelson 06-26-2018 03:19 AM
Details
When terminating IPSec VPN tunnels on a Palo Alto Networks firewall, consider that:
- The terminating interface must be associated with the same zone as the external port where the tunnel packets enter the firewall.
- If terminating the tunnel on an aggregate ethernet interface, the aggregate interface must also be bound to the external interface (where the tunnel packets enter the firewall).
- The interface is where the original packet (IKE packet) entered the firewall.
owner: nayubi
nayubi 06-19-2018 01:16 AM
7,718 Views
0 Replies
Forwarding threat logs to a syslog server requires three steps:
Create a syslog server profile
Configure the log forwarding profile to select the threat logs to be forwarded to the syslog server
Use the log forwarding profile in the security rules
Commit the changes

Note: Informational threat logs also include URL, Data Filtering and WildFire logs.

Syslog server profile
Go to Device > Server Profiles > Syslog
Name: Name of the syslog server
Server: IP address of the server where the logs will be forwarded
Port: Default port 514
Facility: Select from the drop-down according to the requirements

Log forwarding profile
Go to Objects > Log Forwarding
Create the profile for forwarding threat logs to the configured syslog server.
Add a Log Forwarding Match List to the profile, add the syslog server and select a filter if desired.
Use the filter builder to add more filtering parameters for the logs to be forwarded.

Once configured, the log forwarding profile should look like the following:

Security Rule
Go to Policies > Security
Select the rule to which the log forwarding needs to be applied.
Apply the security profiles to the rule.
Go to Actions > Log Forwarding and select the log forwarding profile from the drop-down list.

Commit the configuration.
ppatel 06-12-2018 12:47 AM
48,560 Views
9 Replies
Overview
This document describes how to configure NAT64 on a Palo Alto Networks firewall.

Details
NAT64 enables IPv6 hosts to communicate with IPv4 hosts. A NAT64 equivalent address for an IPv4 destination is formed by combining the 32-bit IPv4 address with the Well-Known Prefix 64:ff9b::/n for NAT64 as outlined in RFC 6052.

This implementation needs a DNS64 server that the IPv6 client can communicate with to synthesize AAAA records from A records. The DNS64 server is responsible for doing an IPv4 lookup for the destination and then returning an equivalent IPv6 address (AAAA) to the client by combining the IPv4 address with the well-known prefix. The client then sends the packet with:
Src IP = Configured IPv6 address
Dst IP = IPv4-embedded IPv6 address returned by the DNS64 server

When the firewall receives this packet, both the Src IP and Dst IP are translated into IPv4 addresses.

Note: Though this example shows how to implement NAT64 with a DNS64 server, the firewall is capable of performing the translation from IPv6 to IPv4 regardless of whether this was done by a DNS64 server or by some other method, as long as the IPv4 address is embedded into the IPv6 address as described below.

Note: The NAT64 feature supports RFC 6052 compatible prefixes, which cover the Well-Known Prefix and Network-Specific Prefixes (for example, all or a part of the customer's global address prefix). This document explains the scenario of the Well-Known Prefix with a /96 prefix length. This can apply to a Network-Specific Prefix as well. The following table is the mapping rule from IPv6 to IPv4. The mapping varies with the length of the prefix:

Steps
The following network topology is used for the configuration example:

Bind 9 was used as the DNS64 server for this setup. The following configuration needs to be added to the /etc/bind/named.conf.options file:

options {
    dns64 64:ff9b::/96 { };
    listen-on-v6 { any; };
    allow-query { any; };
};

Assign the 64:ff9b::/96 network to the interface assigned to the 'Untrust' zone.
This is to ensure that zone lookups for destination IPs in this network match the Untrust zone. Configure the NAT64 rule as follows:

On the client, open a browser and try to navigate to a website. We will use www.w3schools.com as an example site. The website www.w3schools.com resolves to 66.29.212.73. When the PC does a AAAA record lookup for the hostname www.w3schools.com, the DNS64 server returns the IP address as 64:ff9b::421d:d449, where 421d:d449 is the hex equivalent of 66.29.212.73.

Verification
Check the sessions on the firewall for the DNS and the following web browsing sessions:

DNS session:
        c2s flow:
                source:      2005:db4:40:0:0:0:0:31 [trust-L3]
                dst:         2005:db4:31:0:0:0:0:200
                proto:       17
                sport:       58674           dport:      53
                state:       ACTIVE          type:       FLOW
                src user:    unknown
                dst user:    unknown

        s2c flow:
                source:      2005:db4:31:0:0:0:0:200 [untrust-L3]
                dst:         2005:db4:40:0:0:0:0:31
                proto:       17
                sport:       53              dport:      58674
                state:       ACTIVE          type:       FLOW
                src user:    unknown
                dst user:    unknown

        start time                    : Wed Nov 13 13:04:31 2013
        timeout                       : 30 sec
        time to live                  : 15 sec
        total byte count(c2s)         : 100
        total byte count(s2c)         : 524
        layer7 packet count(c2s)      : 1
        layer7 packet count(s2c)      : 1
        vsys                          : vsys1
        application                   : dns
        rule                          : allow_all
        session to be logged at end   : True
        session in session ager       : True
        session synced from HA peer   : False
        layer7 processing             : enabled
        URL filtering enabled         : False
        session via syn-cookies       : False
        session terminated on host    : False
        session traverses tunnel      : False
        captive portal session        : False
        ingress interface             : ethernet1/4
        egress interface              : ethernet1/3
        session QoS rule              : N/A (class 4)

Web Browsing session:
        c2s flow:        ( Notice IPv6 addresses in c2s flow )
                source:      2005:db4:40:0:0:0:0:31 [trust-L3]
                dst:         64:ff9b:0:0:0:0:421d:d449
                proto:       6
                sport:       49381           dport:      80
                state:       ACTIVE          type:       FLOW
                src user:    unknown
                dst user:    unknown

        s2c flow:        ( Notice IPv4 addresses in s2c flow )
                source:      66.29.212.73 [untrust-L3]
                dst:         10.66.24.80
                proto:       6
                sport:       80              dport:      65144
                state:       ACTIVE          type:       FLOW
                src user:    unknown
                dst user:    unknown

        start time                    : Wed Nov 13 13:04:31 2013
        timeout                       : 3600 sec
        time to live                  : 3568 sec
        total byte count(c2s)         : 758
        total byte count(s2c)         : 5439
        layer7 packet count(c2s)      : 6
        layer7 packet count(s2c)      : 6
        vsys                          : vsys1
        application                   : web-browsing
        rule                          : allow_all
        session to be logged at end   : True
        session in session ager       : True
        session synced from HA peer   : False
        address/port translation      : source + destination
        nat-rule                      : nat6_4(vsys1)      <<<< NAT64 rule is applied
        layer7 processing             : enabled
        URL filtering enabled         : False
        session via syn-cookies       : False
        session terminated on host    : False
        session traverses tunnel      : False
        captive portal session        : False
        ingress interface             : ethernet1/4
        egress interface              : ethernet1/3
        session QoS rule              : N/A (class 4)

Troubleshooting
The following command can be used to view counters for NAT64 at the drop/warn level:
> show counter global filter value all | match nat64

Note: IPv6 firewalling needs to be enabled under Device > Setup > Session > IPv6 Firewalling.

owner: achitwadgi
kadak 05-09-2018 10:21 AM
32,651 Views
1 Reply
1 Like
Ever wonder how to globally block URLs without having to use a URL filtering policy in the rule?  The problem when using a URL filtering policy is that URL traffic is either blocked or allowed on a single rule. Because of matching on a single rule, none of the URL traffic is scanned by the rest of the security policy.
04-26-2018 08:23 AM
19,484 Views
5 Replies
1 Like
Enabling SSO on Aperture requires information from your IDP. The following section provides details on how to add Aperture as an Application on your IDP and then use information from your IDP to configure SSO on Aperture. Okta is used as the IDP.
ptarra 04-23-2018 08:33 AM
7,140 Views
3 Replies
Details
The Palo Alto Networks LDAP Proxy feature sources LDAP traffic destined for the firewall's configured LDAP server addresses (Windows Active Directory, eDirectory, LDAP) from a User-ID agent installed on a Windows server. Without LDAP proxy, this traffic is sourced directly from the management interface or the configured service route.

When LDAP proxy is enabled, the firewall communicates with the User-ID agent via the standard SSL connection between the User-ID agent and the Palo Alto Networks firewall. The agent then performs the LDAP queries requested by the firewall and sends the replies back to the firewall.

With PAN-OS 4.1 and later, all the configuration for this feature is on the firewall if connecting to a Windows domain controller. Configure both an LDAP server profile and a group mapping profile just as if the firewall will be sourcing the LDAP traffic. After creating those profiles, check Use as LDAP Proxy and commit.

After a commit, all LDAP traffic normally sourced from the firewall will be sourced from the configured User-ID agent.

owner: dbraswell
DavePATS 04-11-2018 06:55 AM
10,441 Views
0 Replies
Overview
Before installing the Terminal Server (TS) Agent, make sure that the following requirements are met:
Verify the requirements in the Release Notes of the version of the Terminal Server (TS) Agent to be installed.
The administrator on the terminal server needs to install the TS Agent. The TS Agent should be configured to be started only by the administrator in order to prevent other remote logon users from controlling it.
For the TS Agent to successfully install the necessary driver, the installer must have administrator rights.
The Windows firewall on the machine where the TS Agent is installed needs to be disabled.

Steps
Installation
The installer will first check whether the TS Agent is compatible with the operating system it is being installed on. If the operating system is not compatible, it will pop up an error message similar to the following:

The TS Agent installer will request a destination folder for the install. For a new installation the administrator does not need to reboot the system; however, without a reboot, the TS Agent can only identify new outbound TCP/UDP traffic. For TCP/UDP traffic that started before the installation, the Palo Alto Networks TS Agent cannot identify the users.

Configuration of the TS Agent on the Terminal Server

Main Panel
The TS Agent Controller is the application used on the Terminal Server for configuration and verification of agent status. The main panel shows the Connection List, which displays each PAN device connected to the TS Agent, as well as the Device Access Control List. By default the Device Access Control List is disabled. Enable this option if you want to specify which PAN devices the TS Agent will listen to. The TS Agent will ONLY accept incoming connections from the devices in the allow list.

Configure Panel
Listening Port: The port on which the TS Agent communicates with the Palo Alto Networks device.
Source port allocation range: Range of source ports users will be able to pull from.
Reserved Source Ports: Ports that need to be excluded from the source port range because another service running on the Terminal Server needs them to communicate.
Port Allocation Start Size Per User: Minimum port allocation for a new user port lease.
Port Allocation Maximum Size Per User: Maximum port allocation for a user port lease.
Fail port binding when available ports are used up: Prevents overlapping port allocations.

Monitor Panel
The monitor operation from the navigation window displays all of the current users and port allocations. The "Ports Count" shows the ports currently used by the user. The Ports Count can be refreshed by clicking "Refresh Ports Count". You can also set an automatic refresh interval by selecting the "Refresh Interval" check box.

Configuration of the TS Agent on the Palo Alto Networks Device
The Palo Alto Networks device needs to be configured with the following information:
IP Address: IP address of the server where the TS Agent is installed.
Port: TS Agent listening port, which should match what is configured on the TS Server.
IP List (optional): Terminal server source IP list if the terminal server has multiple source IPs, max of 8 IPs.
Commit the changes on the firewall.

Troubleshooting Hints
The TS Agent maintains a log file which is very useful for troubleshooting. In case there is an issue with the TS Agent, these logs should be collected and sent to the TAC Support Team. The log file can be viewed on the TS Agent using File > Show Logs. To enable detailed information on the User-ID Agent operation, go to File > Debug and select Verbose. The logs will now display more detailed messages.

Useful CLI commands
Configure the terminal server agent:
# set ts-agent <name> <options>
where <options> include:
ip-address   terminal server agent ip address
port         terminal server agent listening port
ip-list      terminal server alternative ip list

Show terminal server agent status:
> show user ts-agent statistics
IP Address   Port  Vsys   State      Users
-------------------------------------------------------------
10.1.200.1   5009  vsys1  connected  8
10.16.3.249  5009  vsys1  connected  10

> show user ip-port-user-mapping all
User   IP-Address   Vsys   Port-Range
----------------------------------------------------------------------------
test1  10.1.200.1   vsys1  20000-20500
test2  10.1.200.1   vsys1  20500-21000
                           21500-22000
test3  10.1.200.1   vsys1  21000-21500

The TS Agent may need to look up a Palo Alto Networks User-ID agent or group mapping data to get the group information for a specific domain user.

Other CLI commands
The User-ID Agent's "enable-user-identification" and "User Identification ACL" configuration commands also apply to the TS Agent. This means that if the user-identification feature is enabled, both the User-ID Agent and TS Agent features will be enabled.

owner: panagent
nrice 04-11-2018 06:53 AM
39,453 Views
12 Replies
3 Likes
Details
Log in using the default username and password: admin/admin

HyperTerminal settings:
bits per second 9600
data bits 8
parity none
stop bits 1
flow control none

Once logged in, run the following CLI commands:
> configure (enter configuration mode)
# set deviceconfig system ip-address 10.1.1.1 netmask 255.255.255.0 default-gateway 10.1.1.2 dns-setting servers primary 4.2.2.2
# commit

owner: jnguyen
jnguyen 04-03-2018 11:19 AM
124,048 Views
12 Replies
1 Like
Symptoms
After installing or extracting GlobalProtect 4.1 on Linux and attempting to enter CLI mode by running the globalprotect file, you receive an error such as:
$ globalprotect
-bash: /usr/bin/globalprotect: cannot execute binary file: Exec format error

Diagnosis
This may be caused by extracting/installing GlobalProtect on a 32-bit system. Only 64-bit systems can run GlobalProtect; there is no 32-bit package. Viewing the file info for the 'globalprotect' file shows it is 64-bit:
$ file /opt/paloaltonetworks/globalprotect/globalprotect
/opt/paloaltonetworks/globalprotect/globalprotect: ELF 64-bit LSB executable, x86-64...

On many Linux distributions, you can view your system type with the following command:
$ uname -m

If you see "i686" (or "i386" on a very old computer), it is a 32-bit system. If you see "x86_64", the system is 64-bit and can use GlobalProtect.

Solution
Ensure you are installing GlobalProtect on a 64-bit Linux system. There is no supported way to run GlobalProtect on a 32-bit Linux system.
gwesson 03-08-2018 01:07 PM
4,746 Views
0 Replies
Question
Does bootstrapping allow software image installation or upgrade?

Answer
The bootstrapping feature for a firewall was introduced in PAN-OS 7.1.

Bootstrapping with software image installation is supported ONLY on the VM firewall models. The physical firewalls DO NOT support software image installation during the bootstrapping process.

The following boot-up logs can be seen for a physical firewall:

Serial console output for the boot-up process after a successful bootstrap:

Starting PAN Software:
port_link: module license 'Proprietary' taints kernel.
Disabling lock debugging due to kernel taint
2017-01-22 16:17:03.709 -0800 INFO: Media detected, Starting media sanity check
2017-01-22 16:17:04.782 -0800 INFO: Skip Software image installation, not supported on physical devices.
2017-01-22 16:17:04.785 -0800 INFO: USB media sanity check passed
2017-01-22 16:17:04.800 -0800 INFO: System upgrade state: firstboot, starting upgrade mode
2017-01-22 16:17:04.803 -0800 INFO: Bootstrap media detection completed.

More Info
For more information on the bootstrapping process, please see the link below: Bootstrapping Firewalls for Rapid Deployment
syadav 02-27-2018 01:14 PM
4,022 Views
0 Replies
Overview
This document describes how to configure the Palo Alto Networks firewall to behave as an IPSec passthrough between VPN terminating devices.

Details
Configure a security policy to allow the "ipsec" application traffic between the tunnel endpoints. This will enable the Palo Alto Networks firewall to act as a VPN passthrough for traffic between VPN peers.

For example
The screenshot below shows devices 198.51.100.1 and 203.0.113.1 (10.0.0.1 internally) as the VPN peers. The application "ipsec" is specified under the Application column.

The ipsec application contains the following sub-apps:
ike
ipsec-ah
ipsec-esp
ipsec-esp-udp (NAT-T)
The sub-apps above are allowed implicitly when the ipsec application is configured as allowed.

owner: saryan
saryan 02-23-2018 03:49 AM
65,226 Views
9 Replies
In Virtual Wire mode, the Palo Alto Networks device can pass Cisco Link Aggregation Control Protocol (LACP) traffic in vwire only when the links are not aggregated on the PAN firewall. In vwire, if the links are aggregated, the firewall could forward the packets to the other ports in the AE group, which will prevent LACP from coming up between the peers.

Topology example

Switch 1 Configuration
port-channel load-balance dst-ip
interface Port-channel5
 switchport access vlan 10
 switchport mode access
!
interface GigabitEthernet0/1
 switchport access vlan 10
 switchport mode access
 channel-group 5 mode active
!
interface GigabitEthernet0/2
 switchport access vlan 10
 switchport mode access
 channel-group 5 mode active
!
interface GigabitEthernet0/3
 switchport access vlan 10
 switchport mode access
!

Switch 2 Configuration
port-channel load-balance dst-ip
interface Port-channel10
 switchport access vlan 10
 switchport mode access
!
interface GigabitEthernet0/13
 switchport access vlan 10
 switchport mode access
 channel-group 10 mode active
!
interface GigabitEthernet0/14
 switchport access vlan 10
 switchport mode access
 channel-group 10 mode active
!
interface GigabitEthernet0/15
 switchport access vlan 10
 switchport mode access
!

Firewall configuration

This is the expected behavior in 7.1.x and 8.0.x.

More information on 802.3ad link aggregation can be found on Wikipedia's Link aggregation page.

owner: mchandrase
migration 02-22-2018 09:57 AM
52,081 Views
9 Replies
Overview
Listed below are the scenarios in which the GlobalProtect Portal and Gateway licenses are required.

GlobalProtect Portal License

Prior to PAN-OS 7.0: The GlobalProtect Portal license is required when:
Using HIP
Configuring multiple gateways
Configuring an internal gateway

PAN-OS 7.0 and later: The GlobalProtect Portal license is not required.

GlobalProtect Gateway License

The GlobalProtect Gateway license is required when:
Using HIP
Using the iOS or Android mobile application

The GlobalProtect Gateway License requirement remains the same for PAN-OS version 7.0 and later.

High Availability deployment of the portal and gateway requires identical licenses to be installed on both devices.

See Also
GlobalProtect Configuration Tech Note
GlobalProtect Configuration for the IPsec Client on Apple iOS Devices
GlobalProtect Configuration for the IPSec Client on Android Devices

owner: sdarapuneni
zarina 02-21-2018 03:51 PM
90,698 Views
24 Replies
3 Likes
Details
Previously, the DP would aggregate all packet-diag logs into a single file directly on the DP itself. Starting from PAN-OS 5.0, instead of letting the DP write the aggregated log, aggregation is performed with a new operational CLI command that can be run after the dataplane debug is completed.

Run the following CLI command:
> debug dataplane packet-diag aggregate-logs

Note: Be sure to do this AFTER disabling the dataplane debug logging (such as flow basic) using the command:
> debug dataplane packet-diag set log off
Wait 10 - 20 seconds after the logging is stopped before starting the aggregation into a single file. A dataplane (DP) kernel flush needs to occur before all the info in the log files can be retrieved. You can force the flagged sessions to be ended by executing this command:
> debug dataplane packet-diag clear filter-marked-session all

This will result in all DP pan_task logs being aggregated into a single pan_packet_diag.log file. Use tail or less dp-log pan_packet_diag.log to view the output. Note that although each pan_task log can be aggregated within a single DP log file, each DP will generate its own log file. So for multi-DP platforms (PA-5000 and PA-7000 series), each DP log is separate. For the 5000 series, use dpX-log instead of dp-log, where X is the DP number (i.e. dp0-log, dp1-log). For the 7000 series, use sXdpY-log, where X is the NPC slot number and Y is the DP number within that slot (i.e. s1dp0-log, s7dp1-log).

Note: On a PA-200, to view the logs use the following CLI command:
> less mp-log pan_task_1.log

For more details regarding how to enable the flow basic dataplane debug, refer to the following article: Packet Capture, Debug Flow-basic and Counter Commands

owner: rkim
rkim 02-12-2018 12:41 PM
9,639 Views
0 Replies
PAN-OS 6.0 and later

Details
Enabling passive DNS monitoring is an opt-in feature in PAN-OS 6.0 or later. It enables the Palo Alto Networks firewall to act as a passive DNS sensor and send select DNS information to Palo Alto Networks for analysis in order to improve threat intelligence and threat prevention capabilities.

DNS responses are only forwarded to Palo Alto Networks, and only when the following requirements are met:
DNS response bit is set
DNS truncated bit is not set
DNS recursive bit is not set
DNS response code is 0 or 3 (NX)
DNS question count is greater than 0
DNS Answer RR count is greater than 0, or if it is 0, the flags need to be 3 (NX)
DNS query record type is one of "A, NS, CNAME, AAAA, MX"

To enable passive DNS monitoring on a Palo Alto Networks firewall (PAN-OS 7.1 and earlier), go to Objects > Security Profiles > Anti-Spyware Profile > DNS Signatures, check the box Enable Passive DNS Monitoring, and commit the changes.

To enable Passive DNS on PAN-OS 8.0 and later, go to Device > Setup > Telemetry.

owner: achalla
achalla 02-09-2018 04:50 AM
12,851 Views
5 Replies
1 Like