Configuration Articles

Featured Article
Domains

There are a number of domains/SSL certificates that are excluded from SSL Decryption.

Starting with PAN-OS 8.0 and newer, the SSL exclusion is handled inside the Certificates section of the WebUI. To see the full list of domains/SSL certificates that are excluded from SSL Decryption, go to Device > Certificate Management > SSL Decryption Exclusion in the WebGUI. The domains selected with "Exclude from decryption" in this location will not be decrypted by the Palo Alto Networks device. This list of domains is added to the SSL Decryption Exclusion list in each Content load so that the SSL engine will allow them to pass through, rather than trying to decrypt them.

Applications

In PAN-OS 7.1 and older, applications were used instead of domains. These applications are added to an exclude list in each Content load so that the SSL engine will allow them to pass through, rather than trying to decrypt them.

# Application
1. adobe-echosign
2. aerofs
3. aim
4. airdroid
5. amazon-aws-console
6. anydesk
7. appguru
8. apple-game-center
9. apple-push-notifications
10. asana
11. authentic8-silo
12. bluejeans
13. cryptocat
14. daum-mypeople
15. discord
16. dnf
17. efolder
18. evault
19. filesanywhere
20. finch
21. google-plus-posting
22. gotoassist
23. gotomeeting
24. gotomypc
25. hbo
26. hp-virtual-rooms
27. icloud
28. informatica-cloud
29. itunes
30. itunes-appstore
31. itunes-mediastore
32. itwin
33. jungledisk
34. kakaotalk
35. kakaotalk-audio-chat
36. kakaotalk-file-transfer
37. lantern
38. linkedin
39. live-mesh
40. logentries
41. logmein
42. logmeinrescue
43. meerkat
44. megachat
45. metatrader
46. minecraft
47. ms-lync-online
48. ms-product-activation
49. ms-spynet
50. ms-update
51. naver-line
52. norton-zone
53. ntr-support
54. odrive
55. office-on-demand
56. okta
57. onepagecrm
58. onlive
59. opera-vpn
60. packetix-vpn
61. paloalto-wildfire-cloud
62. pando
63. pathview
64. periscope
65. proofhq
66. puffin
67. rift
68. second-life
69. signal
70. silent-circle
71. simplify
72. sophos-rms
73. springcm
74. sugarsync
75. telex
76. tigertext
77. ubuntu-one
78. ultrasurf
79. vagrant
80. via3
81. vmware-view
82. vudu
83. wallcooler-vpn
84. webroot-secureanywhere
85. wetransfer
86. whatsapp
87. winamax
88. wiredrive
89. yunpan360-file-transfer
90. yuuguu
91. zoom
92. zumodrive
nrice 07-27-2018 03:49 PM
76 Replies
Enabling SSO on Aperture requires information from your IDP. The following section provides details on how to add Aperture as an application on your IDP and then use information from your IDP to configure SSO on Aperture. Okta is used as the IDP.
ptarra 04-23-2018 08:33 AM
3 Replies
Pre-requisites

You should have a working knowledge of:
- Active Directory
- The User-ID feature on the Palo Alto Networks firewall

Components Used

The information in this document is based on these software and hardware versions:
- Palo Alto Networks VM firewall running PAN-OS 7.1
- Active Directory Services running on a Microsoft Windows Server 2012 R2 server, configured as a Domain Controller

The information in this document was created from the devices in a specific lab environment. If your network is live, make sure that you understand the potential impact of any command.

Background

The Palo Alto Networks firewall uses the domain map to store the fully qualified Active Directory domain name (FQDN) and its equivalent NetBIOS domain (NetBIOS name). It is used to normalize, or convert, usernames and group names from FQDN format to their corresponding NetBIOS domain name format. For example, consider the domain '' as the FQDN; its equivalent NetBIOS domain name is 'paloaltonetworks'. In an Active Directory environment, a user who is a member of this domain will have the username paloaltonetworks\username.

Details

Let us take a deeper look at how the firewall retrieves the NetBIOS domain name from Active Directory domain controllers, populates the domain map, and then uses it to convert FQDNs to NetBIOS names. For the sake of simplicity and ease of illustration, we will break the workflow into three phases.

PHASE 1 - Retrieving the NetBIOS domain name

The firewall requests the NetBIOS domain name as part of the LDAP partition query sent during the LDAP refresh, populates its domain map, and writes this entry into the file.

- Fetched through the LDAP connection on port 389/636 (not the Global Catalog ports 3268 or 3269). All Domain Controllers should have this information.
- Location: LDAP://CN=Partitions,CN=Configuration,DC=<DomainName>,DC=<local|com>
- ADSI Edit: connect to "Configuration" (ADSI - Active Directory Service Interfaces)

Here is the LDAP partition query response from the Active Directory domain controller to the firewall, showing the:
- Target of the query - CN=Partitions,CN=Configuration,DC=test,DC=kunaldc,DC=com
- FQDN - ''
- NetBIOS domain name - 'test'

PHASE 2 - Storing the NetBIOS domain name

The '' file, which contains the FQDN and its NetBIOS domain name, is stored internally in the Linux-based directory structure on the firewall.

You can view the domain map from the command line of the firewall using 'debug user-id dump domain-map'.

The domain map persists across a device reload, even when you have deleted the group mapping profile for the respective domain. Along with this, any NetBIOS domain name once learnt on the firewall continues to persist unless explicitly removed via the CLI command 'debug user-id clear domain-map'.

PHASE 3 - Applying the NetBIOS domain name to user groups and members of these groups

The objective of the NetBIOS name is to:

1. Convert 'fqdn\username' formats to the NetBIOS domain name format, i.e. 'netbios\username'.
Eg: The user testuser is a member of the Active Directory domain ''. Its FQDN name format is '\testuser'. Once the firewall learns the NetBIOS name of the Active Directory domain, it converts all FQDN username formats to the NetBIOS name format. Hence the FQDN username format '\testuser' is converted to 'test\testuser'.

2. Normalize the groups from full DN to short name format.
In the absence of the domain map, all AD groups are recognized in their full distinguished name format. A group named sme_group whose full DN is 'cn=sme_group,ou=tier2,ou=networking,ou=apac,ou=tac2,dc=test,,dc=com' is converted into 'test\sme_group'. Similarly, the user who is a member of sme_group and of the Active Directory domain '' is also transformed from '\testuser' to 'test\testuser'.

NOTE

1. The PAN firewall applies the normalization to users retrieved from IP-user mapping mechanisms (using methods such as the User-ID agent, agentless User-ID, syslog, XML API, etc.) as well as to users retrieved from Active Directory domain controllers using LDAP.

2. The domain map is not synchronized between the active and passive firewalls in an Active-Passive HA setup. The passive device must at some point serve as the active device in the HA pair in order to connect to the Active Directory server and fetch the NetBIOS domain name via the LDAP partition query.
kbiswas 05-08-2017 05:11 AM
1 Reply
In this video tutorial, Ion demonstrates how to configure Cisco ISE 2.1 with RADIUS vendor ID for Palo Alto Networks and its associated VSAs.
Ion.Ermurachi 03-15-2017 08:34 AM
3 Replies
When configuring a Cisco ASA key-id field, how do you determine the correct value to put in the PAN IKE peer KEYID field? The Cisco ASA allows any ASCII string as input. This ASCII string key-id must be converted to hexadecimal before using it in the PAN's dynamic IKE peer KEYID field.

For example:
- Cisco ASA isakmp key-id: foobar
- PAN dynamic peer KEYID: 666f6f626172

Packet capture the traffic from the dynamic peer as it arrives at the PAN (debug ike pcap on; debug ike pcap off; scp export debug-pcap from ikemgr.pcap) and examine it in Wireshark. The hex and ASCII values of the key ID in the first IKE packet from the dynamic peer are listed there.

Hex to ASCII converter tool:

SonicWall, Juniper and Netscreen use ASCII for the key ID as well.

owner: panagent
panagent 01-16-2012 03:53 PM
0 Replies
1 Like