Configuration Articles

Featured Article
This document is a how-to guide for configuring Captive Portal in a virtual wire (vwire) deployment. It covers both Transparent and Redirect mode, the latter with client certificate authentication.

Transparent Mode

Transparent: the firewall intercepts the browser traffic matched by the Captive Portal rule and impersonates the original destination URL, issuing an HTTP 401 to invoke authentication. Because the firewall does not hold the real certificate for that destination, the browser shows a certificate error to users attempting to access a secure site. Use this mode only when necessary, such as in a Layer 2 or virtual wire deployment.

1. Generate the Captive Portal server certificate. In this instance the trusted root CA that also signs the intermediate and client certificates is reused; a separate server certificate can be created instead.
2. Create the authentication profile. Here LDAP is used to authenticate unknown users.
3. Enable Captive Portal in Transparent mode, referencing the LDAP authentication profile and the Captive Portal server certificate from the previous steps.
4. Configure the Captive Portal policies. (To trigger Captive Portal on SSL-enabled websites, SSL Decryption must be enabled.)

After committing the changes, open a web browser on a host behind the vwire trust zone (make sure User Identification is enabled on that zone). The source IP must be an unknown user, otherwise no Captive Portal prompt appears. My host IP is 192.168.125.111 and it is currently unknown in the firewall's ip-user-mapping:

admin@lab-26-PA5050> show user ip-user-mapping all

admin@lab-26-PA5050>

As previously mentioned, in Transparent mode every browser warns that the destination URL does not match the common name in the certificate.
After accepting the exception for the common name mismatch, the Captive Portal web form appears and requests the credentials used to authenticate the user. Once the form is completed with the correct credentials, the user is redirected to the originally requested URL.

The IP-user mapping and session table then appear as follows:

admin@lab-26-PA5050> show user ip-user-mapping all

IP              Vsys   From    User                             IdleTimeout(s) MaxTimeout(s)
--------------- ------ ------- -------------------------------- -------------- -------------
192.168.125.111 vsys1  CP      rkalugdan                        888            3462
Total: 1 users

admin@lab-26-PA5050> show session id 33570653

Session        33570653
    c2s flow:
        source:      192.168.125.111 [vtrust]
        dst:         209.95.138.162
        proto:       6
        sport:       39066           dport:      80
        state:       ACTIVE          type:       FLOW
        src user:    rkalugdan          <==== via Captive Portal
        dst user:    unknown
    s2c flow:
        source:      209.95.138.162 [vuntrust]
        dst:         192.168.125.111
        proto:       6
        sport:       80              dport:      39066
        state:       ACTIVE          type:       FLOW
        src user:    unknown
        dst user:    rkalugdan
    DP                                   : 1
    index(local):                        : 16221
    start time                           : Tue Jan 27 08:27:52 2015
    timeout                              : 3600 sec
    time to live                         : 3593 sec
    total byte count(c2s)                : 1381
    total byte count(s2c)                : 1006
    layer7 packet count(c2s)             : 13
    layer7 packet count(s2c)             : 12
    vsys                                 : vsys1
    application                          : web-browsing
    rule                                 : vwire
    session to be logged at end          : True
    session in session ager              : True
    session updated by HA peer           : False
    layer7 processing                    : enabled
    URL filtering enabled                : True
    URL category                         : content-delivery-networks
    session via syn-cookies              : False
    session terminated on host           : False
    session traverses tunnel             : False
    captive portal session               : False
    ingress interface                    : ethernet1/6
    egress interface                     : ethernet1/4
    session QoS rule                     : N/A (class 4)
    end-reason                           : unknown

Redirect Mode

Redirect: the firewall intercepts unknown HTTP or HTTPS sessions and redirects them to a Layer 3 interface on the firewall using an HTTP 302 redirect in order to perform authentication. This is the preferred mode because it gives a better end-user experience (no certificate errors), but it requires additional Layer 3 configuration. Another benefit of Redirect mode is that it can use session cookies, which let the user keep browsing to authenticated sites without being re-mapped each time the timeouts expire. This is especially useful for users who roam from one IP address to another (for example, from the corporate LAN to the wireless network), because they do not need to re-authenticate on an IP address change as long as the session stays open. In addition, if you plan to use NTLM authentication you must use Redirect mode, because the browser will only provide credentials to trusted sites.
(To use Captive Portal in Redirect mode, Response Pages must be enabled on the Interface Management Profile assigned to the Layer 3 interface the portal redirects to.)

In this example I generated a trusted root CA and an intermediate CA, and the intermediate signs the client certificate used for client certificate authentication. The root CA, which doubles as the Captive Portal server certificate, uses 'cpcaroot.pantac2008.com' as its CN; the client certificate's CN is 'renato', which is the name Captive Portal will assign to the user via the certificate profile.

1. Export the 'CA_Root' and 'intermediate' certificates from the firewall in PEM format and import them on the client host into the Trusted Root and Intermediate CA stores respectively. In a production environment this is more easily done via GPO.
2. Export the client certificate signed by the intermediate in PKCS12 format, since both the private and public key are needed for client authentication, and import it into the Personal certificate store.
3. The same Captive Portal policies apply as in Transparent mode.
4. Create the Certificate Profile used for client certificate authentication. Add both the trusted root CA and the intermediate CA under CA Certificates. Set Username Field to 'Subject', which defaults to the common name; this is what maps the CN 'renato' to the Captive Portal user. The field can be changed to suit how your client certificates identify users.
5. Enable Captive Portal and choose 'Redirect' mode, which exposes the additional redirect fields. The same trusted root CA is used as the server certificate; its CN, 'cpcaroot.pantac2008.com', is configured as the Redirect Host, and the certificate profile created above is selected.

In this example the host machine must be able to resolve 'cpcaroot.pantac2008.com', so I added it to the hosts file. In a production environment DNS should resolve the FQDN used as the Redirect Host, which must also match the CN of the server certificate.

Windows hosts file output:

# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
#
192.168.125.2     cpcaroot.pantac2008.com

In a vwire deployment using Redirect mode, a Layer 3 interface on the firewall must be dedicated to this function. The interface is assigned to the L3-Trust zone and has an Interface Management Profile with at least Response Pages enabled. Its IP address is 192.168.125.2, which is where the client is redirected once Captive Portal is triggered, because that is what 'cpcaroot.pantac2008.com' (the CN of the Captive Portal server certificate) resolves to. Keep in mind that the redirect interface must be in the same broadcast domain as the client so that it can answer the client's ARP requests.
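The certificate chain the Redirect-mode walkthrough relies on, as an added example (POSIX shell with OpenSSL; this is not part of the original article and not the firewall's own tooling). It generates the root CA, the intermediate CA and the 'renato' client certificate, exports the PKCS#12 bundle that goes into the Personal store, and runs the same chain validation the certificate profile performs, with the root trusted and the intermediate supplied. The CNs are taken from the article; the work directory, key sizes, validity periods and the 'changeit' export password are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original article: build the PKI the walkthrough
# assumes (root CA -> intermediate CA -> client certificate), export the client
# identity as PKCS#12 for the browser's personal store, and run the chain check
# the firewall's certificate profile performs (root trusted, intermediate
# supplied). CNs are from the article; the work directory, key sizes, validity
# periods and the export password are assumptions for this example.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
cd "$WORKDIR"

# Minimal openssl config so the commands do not depend on the system openssl.cnf.
cat > req.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
# Extensions for certificates issued with 'x509 -req'. The CA flag is what lets
# the intermediate act as an issuer; clientAuth is what makes browsers offer the
# leaf for TLS client authentication.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nkeyUsage=critical,digitalSignature\nextendedKeyUsage=clientAuth\nsubjectKeyIdentifier=hash\n' > client.ext

# 1. Root CA. Its CN is also the Captive Portal server certificate / Redirect Host.
openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 -config req.cnf \
  -extensions v3_ca -subj "/CN=cpcaroot.pantac2008.com" \
  -keyout root.key -out root.crt 2>/dev/null

# 2. Intermediate CA, signed by the root.
openssl req -new -newkey rsa:2048 -nodes -sha256 -config req.cnf \
  -subj "/CN=intermediate" -keyout intermediate.key -out intermediate.csr 2>/dev/null
openssl x509 -req -in intermediate.csr -CA root.crt -CAkey root.key -CAcreateserial \
  -days 1825 -sha256 -extfile ca.ext -out intermediate.crt 2>/dev/null

# 3. Client certificate, signed by the intermediate. Its CN ('renato') is what a
#    certificate profile with Username Field = Subject turns into the User-ID name.
openssl req -new -newkey rsa:2048 -nodes -sha256 -config req.cnf \
  -subj "/CN=renato" -keyout client.key -out client.csr 2>/dev/null
openssl x509 -req -in client.csr -CA intermediate.crt -CAkey intermediate.key -CAcreateserial \
  -days 365 -sha256 -extfile client.ext -out client.crt 2>/dev/null

# 4. PKCS#12 bundle (private key + leaf + issuing intermediate) for import into
#    the Personal / My Certificates store. The password is an example value.
openssl pkcs12 -export -inkey client.key -in client.crt -certfile intermediate.crt \
  -name renato -passout pass:changeit -out client.p12

# Chain check as the firewall does it: only the root is trusted; the intermediate
# must be presented (here via -untrusted, in the browser via the PKCS#12 bundle).
verify_chain() {
  openssl verify -CAfile root.crt -untrusted intermediate.crt "$1" >/dev/null 2>&1
}

# Failure mode: with the intermediate missing from the certificate profile (or
# from the client's bundle) the leaf cannot be chained to the root.
verify_without_intermediate() {
  openssl verify -CAfile root.crt "$1" >/dev/null 2>&1
}

# The value the firewall maps the user to (Username Field = Subject, common-name).
subject_cn() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

verify_chain client.crt && echo "client.crt chains to root CA: OK"
verify_without_intermediate client.crt || echo "without the intermediate the chain is incomplete (expected)"
echo "Captive Portal user from client certificate: $(subject_cn client.crt)"
```

The root.crt and intermediate.crt files are what gets imported into the Trusted Root and Intermediate CA stores (and into the certificate profile on the firewall); client.p12 is what goes into the Personal store. The second verify deliberately omits the intermediate to show the error you get when the certificate profile lists only the root.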
If the Captive Portal redirect interface is outside the client's broadcast domain and the traffic must traverse the vwire, create an exception in the Captive Portal policy so that traffic destined for the redirect interface is not itself subjected to Captive Portal.

The screenshot shows the host attempting to open a socket to www.google.com. The browser then submits the client certificate to the firewall, since client certificate authentication is used instead of LDAP in this scenario. I subsequently browse to www.jimmyr.com, the page is displayed, and Captive Portal has identified me as 'renato' per the client certificate.

Previously seen as unknown for 192.168.125.223:

admin@lab-26-PA5050> show user ip-user-mapping all

IP              Vsys   From    User                             IdleTimeout(s) MaxTimeout(s)
--------------- ------ ------- -------------------------------- -------------- -------------
192.168.125.223 vsys1  Unknown unknown                          2              5
Total: 1 users

Upon completing the client certificate authentication, the firewall now reflects the following:

admin@lab-26-PA5050> show log system direction equal backward
2015/01/27 09:05:58 info     general        general 0  User admin logged in via CLI from 192.168.125.223
2015/01/27 09:05:58 info     general        auth-su 0  User 'admin' authenticated.   From: 192.168.125.223.
2015/01/27 09:05:40 info     general        general 0  Captive Portal authentication succeeded for user: renato on 192.168.125.223, vsys1
2015/01/27 09:05:40 info     general        general 0  Captive Portal client certificate authentication successful from ::ffff:192.168.125.223.
admin@lab-26-PA5050> show user ip-user-mapping all

IP              Vsys   From    User                             IdleTimeout(s) MaxTimeout(s)
--------------- ------ ------- -------------------------------- -------------- -------------
192.168.125.223 vsys1  CP      renato                           899            3518
192.168.125.111 vsys1  CP      rkalugdan                        261            1037
Total: 2 users

admin@lab-26-PA5050> show session id 33571113

Session        33571113
    c2s flow:
        source:      192.168.125.223 [vtrust]
        dst:         216.58.216.2
        proto:       6
        sport:       51049           dport:      80
        state:       ACTIVE          type:       FLOW
        src user:    renato   <==== via Captive Portal (client certificate)
        dst user:    unknown
    s2c flow:
        source:      216.58.216.2 [vuntrust]
        dst:         192.168.125.223
        proto:       6
        sport:       80              dport:      51049
        state:       ACTIVE          type:       FLOW
        src user:    unknown
        dst user:    renato
    DP                                   : 1
    index(local):                        : 16681
    start time                           : Tue Jan 27 09:05:41 2015
    timeout                              : 3600 sec
    time to live                         : 3580 sec
    total byte count(c2s)                : 3637
    total byte count(s2c)                : 9854
    layer7 packet count(c2s)             : 10
    layer7 packet count(s2c)             : 14
    vsys                                 : vsys1
    application                          : web-browsing
    rule                                 : vwire
    session to be logged at end          : True
    session in session ager              : True
    session updated by HA peer           : False
    layer7 processing                    : enabled
    URL filtering enabled                : True
    URL category                         : web-advertisements
    session via syn-cookies              : False
    session terminated on host           : False
    session traverses tunnel             : False
    captive portal session               : False
    ingress interface                    : ethernet1/6
    egress interface                     : ethernet1/4
    session QoS rule                     : N/A (class 4)
    end-reason                           : unknown

Here is an example of client certificate authentication using an Ubuntu client with Firefox as the browser. The root CA and intermediate certificate are installed in Firefox's trusted store, and the client certificate under 'Your Certificates'.

Firefox presents the client certificate when the user attempts to access www.jimmyr.com, and the originally requested website is then displayed.

Firewall CLI output for the system log and ip-user-mapping:

admin@lab-26-PA5050> show user ip-user-mapping all

IP              Vsys   From    User                             IdleTimeout(s) MaxTimeout(s)
--------------- ------ ------- -------------------------------- -------------- -------------
192.168.125.111 vsys1  CP      renato                           893            3561
Total: 1 users

admin@lab-26-PA5050> show log system direction equal backward
Time                Severity Subtype        Object EventID ID Description
===============================================================================
2015/01/27 13:24:07 info     general        general 0  Accepted keyboard-interactive/pam for admin from 192.168.125.111 port 50672 ssh2
2015/01/27 13:23:45 info     general        general 0  User admin logged in via CLI from 192.168.125.111
2015/01/27 13:23:44 info     general        auth-su 0  User 'admin' authenticated.   From: 192.168.125.111.
2015/01/27 13:23:11 info     general        general 0  Captive Portal authentication succeeded for user: renato on 192.168.125.111, vsys1
2015/01/27 13:23:11 info     general        general 0  Captive Portal client certificate authentication successful from ::ffff:192.168.125.111.

The following is an example from a macOS client using the Chrome browser.
The same certificates were imported via Keychain Access into the Certificates and My Certificates categories respectively. Once again the firewall requests client certificate authentication and Chrome presents the client certificate as expected.

admin@lab-26-PA5050> show user ip-user-mapping all

IP              Vsys   From    User                             IdleTimeout(s) MaxTimeout(s)
--------------- ------ ------- -------------------------------- -------------- -------------
192.168.125.113 vsys1  Unknown unknown                          3              6
Total: 1 users

admin@lab-26-PA5050> show user ip-user-mapping all

IP              Vsys   From    User                             IdleTimeout(s) MaxTimeout(s)
--------------- ------ ------- -------------------------------- -------------- -------------
192.168.125.113 vsys1  CP      renato                           899            3585
Total: 1 users

Time                Severity Subtype        Object EventID ID Description
===============================================================================
2015/01/27 13:00:40 info     general        general 0  WildFire update job succeeded for user Auto update agent
2015/01/27 13:00:39 info     general        general 0  Wildfire package upgraded from version <unknown version> to 51969-58674 by Auto update agent
2015/01/27 13:00:37 info     general        general 0  Installed wildfire package: panup-all-wildfire-51969-58674.tgz
2015/01/27 13:00:35 info     general        general 0  WildFire version 51969-58674 downloaded by Auto update agent
2015/01/27 13:00:34 info     general        general 0  Connection to Update server:  completed successfully, initiated by 10.46.32.26
2015/01/27 13:00:23 info     general        general 0  Connection to Update server: updates.paloaltonetworks.com completed successfully, initiated by 10.46.32.26
2015/01/27 13:00:21 info     general        general 0  Connection to Update server: updates.paloaltonetworks.com completed successfully, initiated by 10.46.32.26
2015/01/27 13:00:20 info     general        general 0  Captive Portal authentication succeeded for user: renato on 192.168.125.113, vsys1
2015/01/27 13:00:20 info     general        general 0  Captive Portal client certificate authentication successful from ::ffff:192.168.125.113.
gswcowboy 09-14-2018 11:44 AM
Overview

Dead Peer Detection (DPD) refers to the functionality documented in RFC 3706, a method of detecting dead Internet Key Exchange (IKE, Phase 1) peers. Tunnel Monitoring is a Palo Alto Networks proprietary feature that verifies traffic is successfully passing across the IPSec tunnel in question by sending a ping down the tunnel to the configured destination. Tunnel monitoring can be used together with a Monitor Profile to bring down the tunnel interface, allowing routing to update so that traffic takes a secondary route. Tunnel monitoring does not require DPD. Dead Peer Detection must be either enabled or disabled on both sides of the tunnel; having one side with DPD enabled and the other with it disabled can cause VPN reliability issues.

Details

Dead Peer Detection

DPD is a monitoring function used to determine the liveness of the IKE Security Association (Phase 1). It detects whether the peer device still has a valid IKE SA: periodically the firewall sends an ISAKMP R-U-THERE notification to the peer, which responds with an ISAKMP R-U-THERE-ACK acknowledgement.

The Palo Alto Networks firewall does not currently produce a log for DPD packets, but they can be seen in a debug packet capture. The following is an excerpt from a peer device's IKE log (notify code 36137 is R-U-THERE-ACK as defined in RFC 3706):

Mar  4 14:32:36 ike_st_i_n: Start, doi = 1, protocol = 1, code = unknown (36137), spi[0..16] = cd11b885 588eeb56 ..., data[0..4] = 003d65fc 00000000 ...
Mar  4 14:32:36 DPD; updating EoL (P2 Notify
Mar  4 14:32:36 Received IKE DPD R_U_THERE_ACK from IKE peer: 169.132.58.9
Mar  4 14:32:36 DPD: Peer 169.132.58.9 is UP status_val: 0.

The DPD query interval and retry delay are configured when DPD is enabled on the Palo Alto Networks device. DPD tears down the SA once it determines the peer is no longer responding. Note: DPD is not persistent and is only triggered by a Phase 2 rekey. This means that while Phase 2 is up, the firewall will not check whether the IKE SA is still active. To make Phase 2 trigger a rekey, and thereby make DPD validate the Phase 1 IKE SA, enable tunnel monitoring.

Tunnel Monitoring

Tunnel Monitoring is used to verify connectivity across an IPSec tunnel. A tunnel monitor profile specifies one of two actions to take if the tunnel is not available:

Wait Recover: the firewall waits for the tunnel to recover and takes no additional action.
Fail Over: the firewall forces traffic to a backup path if one is available.

In both cases the firewall tries to negotiate new IPSec keys to accelerate recovery. A threshold option sets the number of heartbeats to wait before taking the specified action; the range is 2 to 100 and the default is 5. The interval between heartbeats (in seconds) can also be configured; the range is 2 to 10 and the default is 3. With the defaults the action therefore fires roughly 15 seconds (5 heartbeats at 3 seconds) after the tunnel stops answering.

Once the tunnel monitoring profile is created, as shown below, select it in the IPSec tunnel configuration and enter the IP address of the remote end to be monitored.

owner: panagent
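The threshold and interval semantics described above, as an added example (Python; not part of the original article and not PAN-OS code). It models a monitor profile, validates the ranges the article gives, and replays a constructed heartbeat trace to show when each action fires and how recovery behaves. Treating the threshold as a run of consecutive misses, the interface names 'tunnel.1' and 'ethernet1/2', and the event wording are assumptions made for illustration.

```python
"""Added example, not from the original article: a model of how a tunnel
monitor profile turns missed heartbeats into a tunnel-down decision. Threshold
and interval ranges and defaults are those the article states; the heartbeat
traces are constructed, and treating the threshold as *consecutive* misses,
the 'tunnel.1' / 'ethernet1/2' interface names and the event wording are
assumptions made for illustration, not PAN-OS code."""

from dataclasses import dataclass, field


@dataclass
class MonitorProfile:
    action: str = "wait-recover"   # "wait-recover" or "fail-over"
    interval: int = 3              # seconds between heartbeats, 2..10
    threshold: int = 5             # missed heartbeats before acting, 2..100

    def __post_init__(self):
        if self.action not in ("wait-recover", "fail-over"):
            raise ValueError("action must be wait-recover or fail-over")
        if not 2 <= self.interval <= 10:
            raise ValueError("interval must be between 2 and 10 seconds")
        if not 2 <= self.threshold <= 100:
            raise ValueError("threshold must be between 2 and 100 heartbeats")

    def worst_case_detection_seconds(self) -> int:
        """Time from the last answered heartbeat until the action fires."""
        return self.interval * self.threshold


@dataclass
class TunnelState:
    up: bool = True
    missed: int = 0
    route_via: str = "tunnel.1"                   # where the remote network routes now
    events: list = field(default_factory=list)    # (seconds elapsed, what happened)


def run_monitor(profile, heartbeats, backup="ethernet1/2"):
    """Feed heartbeat outcomes (True = reply received) through the profile.

    One answered heartbeat resets the miss counter, so only an unbroken run of
    misses reaches the threshold. When the tunnel is declared down the firewall
    renegotiates IPSec keys in both modes; fail-over additionally moves the
    route to the backup path, and the route moves back when the tunnel recovers.
    """
    st = TunnelState()
    for n, answered in enumerate(heartbeats, start=1):
        elapsed = n * profile.interval
        if answered:
            if not st.up:
                st.up = True
                st.route_via = "tunnel.1"
                st.events.append((elapsed, "recovered"))
            st.missed = 0
            continue
        st.missed += 1
        if st.up and st.missed >= profile.threshold:
            st.up = False
            st.events.append((elapsed, "renegotiate-ipsec"))
            if profile.action == "fail-over":
                st.route_via = backup
                st.events.append((elapsed, f"fail-over:{backup}"))
            else:
                st.events.append((elapsed, "wait-recover"))
    return st


if __name__ == "__main__":
    # Constructed trace: 2 answered, 6 missed, then the peer comes back.
    trace = [True, True] + [False] * 6 + [True, True]
    for action in ("wait-recover", "fail-over"):
        prof = MonitorProfile(action=action)
        print(action, "acts after", prof.worst_case_detection_seconds(), "s:",
              run_monitor(prof, trace).events)
```

Four misses followed by a reply never triggers the action with the default threshold of 5, which is why a flapping link can stay "up" from the monitor's point of view while users see intermittent loss; lowering the threshold or interval trades faster failover for more false positives.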
nrice 08-30-2018 10:14 AM
Details

The following diagram illustrates an IPSec site-to-site tunnel between a Palo Alto Networks firewall and a Cisco router.

Tunnel Interface
Create a tunnel interface and select the virtual router and security zone. If the tunnel interface is placed in a separate zone rather than the internal LAN zone, the security policy must allow traffic from the LAN zone to the VPN zone. An IP address is not required on the tunnel interface unless a routing protocol is to run through the tunnel.

Loopback Interface
For this scenario a loopback interface simulates a host in an internal zone for testing purposes; otherwise there is no need for the loopback interface.

Phase 1
Create a Phase 1 (IKE Crypto) profile, which must match on both sides.

Phase 2
Create a Phase 2 (IPSec Crypto) profile, which must match on both sides.

IKE Gateway
The peer IP address must be reachable through interface ethernet1/1, as shown below.

IPSec Tunnel
Select the tunnel interface, the IKE gateway and the IPSec Crypto profile, and make sure a Proxy-ID is added, otherwise Phase 2 will not come up. The Proxy-ID must mirror the Cisco crypto ACL below: local 16.16.16.0/24, remote 10.50.50.0/24.

Route
Add a route for the other side's internal network pointing at the tunnel interface, with next hop set to None.

Configuring Cisco

ip access-list extended Crypto_Acl
 permit ip 10.50.50.0 0.0.0.255 16.16.16.0 0.0.0.255
crypto isakmp policy 16
 encr aes
 hash md5
 authentication pre-share
 group 5
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
crypto ipsec transform-set TSET esp-aes esp-sha-hmac
crypto map CMAP 10 ipsec-isakmp
 set peer 10.50.240.55
 set transform-set TSET
 match address Crypto_Acl
interface FastEthernet0/0
 crypto map CMAP

Note that this lab configuration uses MD5 and DH group 5 for Phase 1 and accepts the pre-shared key from any peer address (0.0.0.0 0.0.0.0). For production use SHA-256 and DH group 14 or higher on both sides, and scope the key to the firewall's peer address.

owner: pakumar
pankaku 08-28-2018 10:34 AM
Although it is not possible to change the port GlobalProtect listens on, another port can be exposed with the help of a loopback IP address, a destination NAT rule and security rules. Here is how:

1. Create a loopback interface (10.10.10.1 in this example) and make sure the untrust interface can ping it.
2. Assign the loopback address as the portal address and the gateway address.
3. In GlobalProtect Portal > Agent > External, set the external gateway address to the untrust IP with the custom port (10.30.6.56:7000 for example).
4. Create a destination NAT rule for service 7000 to 10.30.6.56 (untrust interface), translating to 10.10.10.1 (loopback) on service 443.
5. Create a security policy with the untrust interface as the destination address and services 7000 and 443.

With this configuration the GlobalProtect portal page is reachable at https://10.30.6.56:7000, which is translated to https://10.10.10.1. Download and install the GlobalProtect client, enter the credentials in the username and password fields, and use 10.30.6.56:7000 as the portal address, as shown.

owner: mvenkatesan
mvenkatesan 07-19-2018 06:07 AM
How to Allow a Single YouTube Video and Block All Other Videos

In this example we only want to allow this one YouTube video, https://www.youtube.com/watch?v=hHiRb8t2hLM, and block the rest of YouTube. Follow these steps:

1. Block streaming-media in your URL Filtering profile. In the WebGUI go to Objects > Security Profiles > URL Filtering, click the URL Filtering profile you want to use and set the streaming-media category to Block.
2. Create a Custom URL Category under Objects > Custom Objects > URL Category containing the following entries:
*.youtube.com
*.googlevideo.com
www.youtube-nocookie.com
www.youtube.com/yts/jsbin/
www.youtube.com/yts/cssbin/
This ensures that any YouTube page or content is decrypted, so that the full HTTP GET can be read.
3. Add a decryption policy of type SSL Forward Proxy, tied to your custom URL category in the "Service/URL Category" tab. See the following article on configuring SSL Decryption: How to Implement and Test SSL Decryption.
4. In your URL Filtering profile, add the following URLs to the Allow list:
www.youtube.com/watch?v=hHiRb8t2hLM
*.googlevideo.com
The first entry is the URL of the container page itself; *.googlevideo.com allows the media that page fetches from Google's content CDN. Also make sure the custom URL category you created is set to "allow" in the URL Filtering profile.
5. Commit and test.

Note that allowing *.googlevideo.com permits any media served from that CDN, not just this video; the restriction relies on the other container pages being blocked.

Thanks to Milvaldi for the contribution.
owner: jdelio
07-12-2018 11:51 PM
Steps
1. Click Device. Under Server Profiles, click LDAP.
2. Click Add to bring up the LDAP Server Profile dialog.
3. Enter the server name, IP address and port (389 for LDAP).
4. Select the LDAP server type from the drop-down menu.
5. Enter the Base Distinguished Name for the domain.
6. Enter the Bind DN and Bind Password for the service account.
7. Uncheck the SSL checkbox (SSL can be used if the Domain Controller listens for LDAP over SSL on port 636).
8. Commit the changes.

Note that with SSL unchecked the bind credentials are sent in cleartext on port 389, so prefer LDAPS on port 636 wherever the Domain Controller supports it.

owner: bnelson
bnelson 06-26-2018 03:19 AM
Forwarding threat logs to a syslog server requires the following steps:
1. Create a syslog server profile.
2. Configure a log forwarding profile to select the threat logs to be forwarded to the syslog server.
3. Use the log forwarding profile in the security rules.
4. Commit the changes.

Note: Informational threat logs also include URL, Data Filtering and WildFire logs.

Syslog server profile
Go to Device > Server Profiles > Syslog.
Name: name of the syslog server profile
Server: IP address of the server the logs will be forwarded to
Port: default 514
Facility: select from the drop-down according to your requirements
The default transport is UDP, which is unauthenticated and can be spoofed or silently dropped; where the collector supports it, select SSL transport (commonly port 6514) instead.

Log forwarding profile
Go to Objects > Log Forwarding and create a profile that forwards threat logs to the configured server:
Add a Log Forwarding Match List to the profile, add the syslog server profile and select a filter if desired.
Use the filter builder to add more filtering parameters for the logs to be forwarded.
Once configured, the log forwarding profile should look like the following.

Security rule
Go to Policies > Security and select the rule to which the log forwarding needs to be applied.
Apply the security profiles to the rule.
Under Actions > Log Forwarding, select the log forwarding profile from the drop-down list.

Commit the configuration.
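What the collector receives once the profile above is in place, and the equivalent of a match-list filter in code, as an added example (Python; not part of the original article and not PAN-OS code). The RFC 3164 framing and the comma-separated body follow the format PAN-OS sends to syslog. The field positions used (type as the 4th field, subtype as the 5th, severity as the 35th of a THREAT entry) are the PAN-OS 8.x/9.x threat-log layout and are an assumption stated here, not something the article shows; the sample entries are constructed for this example with only those fields populated.

```python
"""Added example, not from the original article: parse PAN-OS threat logs as a
syslog collector receives them and apply the equivalent of a log-forwarding
match-list filter. Field positions (type=4th, subtype=5th, severity=35th) are
the PAN-OS 8.x/9.x threat-log layout and an assumption of this example; the
sample entries are constructed."""

import csv
import io
import re

# <PRI>Mon DD HH:MM:SS hostname <comma-separated body>
SYSLOG_HDR = re.compile(
    r"^<(?P<pri>\d+)>(?P<ts>\w{3} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$")

# Zero-based indexes into the CSV body (assumed layout, see docstring).
FIELD = {"receive_time": 1, "serial": 2, "type": 3, "subtype": 4,
         "src": 7, "dst": 8, "rule": 11, "severity": 34}
SEVERITY_ORDER = ["informational", "low", "medium", "high", "critical"]


def make_entry(type_, subtype, severity="", width=40):
    """Construct a PAN-OS style CSV body with only the fields this example
    needs populated (a real entry carries many more). Sample data only."""
    cols = [""] * width
    cols[FIELD["receive_time"]] = "2015/01/27 09:05:40"
    cols[FIELD["serial"]] = "0011C1000000"
    cols[FIELD["type"]], cols[FIELD["subtype"]] = type_, subtype
    cols[FIELD["severity"]] = severity
    cols[FIELD["src"]], cols[FIELD["dst"]] = "192.168.125.223", "216.58.216.2"
    cols[FIELD["rule"]] = "vwire"
    buf = io.StringIO()
    csv.writer(buf, lineterminator="").writerow(cols)
    return buf.getvalue()


def parse_syslog(line):
    """Split the RFC 3164 header from the PAN-OS CSV body. The csv module is
    used rather than str.split so quoted fields containing commas survive."""
    m = SYSLOG_HDR.match(line)
    if not m:
        raise ValueError("not an RFC 3164 syslog line")
    pri = int(m.group("pri"))
    body = next(csv.reader([m.group("msg")]))

    def col(name):
        i = FIELD[name]
        return body[i] if i < len(body) else ""

    return {"facility": pri >> 3, "syslog_severity": pri & 7, "host": m.group("host"),
            "type": col("type"), "subtype": col("subtype"), "severity": col("severity"),
            "src": col("src"), "dst": col("dst"), "rule": col("rule")}


def matches_filter(entry, subtypes=("url", "data", "wildfire"), min_severity="informational"):
    """Match-list equivalent: forward THREAT logs of the listed subtypes, plus
    any other threat whose severity is at or above min_severity."""
    if entry["type"] != "THREAT":
        return False
    if entry["subtype"] in subtypes:
        return True
    sev = entry["severity"]
    return sev in SEVERITY_ORDER and \
        SEVERITY_ORDER.index(sev) >= SEVERITY_ORDER.index(min_severity)


if __name__ == "__main__":
    # PRI 134 = facility local0 (16) * 8 + severity informational (6).
    for body in (make_entry("THREAT", "url", "informational"),
                 make_entry("THREAT", "vulnerability", "high"),
                 make_entry("TRAFFIC", "end")):
        e = parse_syslog("<134>Jan 27 09:05:40 lab-26-PA5050 " + body)
        print(e["type"], e["subtype"], e["severity"] or "-", "forward:", matches_filter(e))
```

The filter mirrors the note that informational threat logs carry the URL, Data Filtering and WildFire entries: those subtypes are forwarded regardless of severity, while vulnerability or virus entries are forwarded only from the configured severity up.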
ppatel 06-12-2018 12:47 AM
To open a case with Technical Support, please see the following article that describes how to open a Support Case. How to Use the New Web-Based Case Creation Wizard!
nrice 05-05-2018 04:16 PM
Ever wonder how to globally block URLs without attaching a URL Filtering profile to a rule? The problem with relying on a URL Filtering profile is that a session matches a single security rule, so its URL traffic is either blocked or allowed by that rule alone and is never evaluated against the rest of the security policy.
04-26-2018 08:23 AM
To configure Multicast (Layer 3) with PIM Sparse Mode when the firewall is not the Rendezvous Point (RP):
1. Go to Network > Virtual Routers and select the desired virtual router.
2. Click Multicast.
3. Enable Multicast globally by checking the box.
3a. Add the remote Rendezvous Point by clicking Add.
4. Go to Interfaces and click Add, then add the interfaces that will participate in multicast.
5. Under Group Permissions, add the multicast groups for which traffic is permitted.
6. Make sure IGMP is enabled on the interface facing the clients.
7. Make sure PIM is enabled on the interface connecting to the RP.
8. Configure a security policy to allow the traffic. The destination zone should be 'multicast' and the destination address can be the multicast group addresses.
9. Commit the configuration.

owner: nayubi
npare 04-20-2018 02:24 PM
Overview
Before installing the Terminal Server (TS) Agent, make sure that the following requirements are met:
Verify the requirements in the Release Notes of the version of the TS Agent to be installed.
An administrator on the terminal server must perform the install: the installer needs administrator rights so that the TS Agent can install its driver.
The TS Agent should be configured to be started only by the administrator, so that other remote logon users cannot control it.
The TS Agent listening port must be reachable from the firewall. The Windows Firewall on the terminal server must either be disabled or, better, left enabled with an inbound rule that allows the TS Agent listening port from the firewall's source address only.

Steps
Installation
The installer first checks whether the TS Agent is compatible with the operating system it is being installed on. If the operating system is not compatible, the installer stops with an error message.
The TS Agent installer then asks for a destination folder.
For a new installation the administrator does not need to reboot the system; however, without a reboot the TS Agent can only identify new outbound TCP/UDP connections. Users of TCP/UDP sessions that were already established before the installation cannot be identified.

Configuration of the TS Agent on the Terminal Server
Main Panel
The TS Agent Controller is the application used on the terminal server to configure the agent and verify its status. The main panel shows the Connection List, which displays each Palo Alto Networks device connected to the TS Agent, and the Device Access Control list. The Device Access Control list is disabled by default. Enable it to restrict which Palo Alto Networks devices the TS Agent listens to: once enabled, the TS Agent ONLY accepts incoming connections from the devices in the allow list.

Configure Panel
Listening Port: the port on which the TS Agent accepts connections from the Palo Alto Networks device.
Source port allocation range: the range of source ports from which per-user port blocks are leased.
Reserved Source Ports: ports excluded from the source port range because another service running on the terminal server needs them.
Port Allocation Start Size Per User: the size of the first port block leased to a new user.
Port Allocation Maximum Size Per User: the maximum number of ports a single user can hold.
Fail port binding when available ports are used up: when the range is exhausted, new port bindings fail rather than overlapping existing allocations. Without this, a user's traffic could leave from a port the firewall attributes to another user.

Monitor Panel
The Monitor entry in the navigation window displays all current users and their port allocations. "Ports Count" shows the ports currently in use by each user. Refresh it with "Refresh Ports Count", or set an automatic refresh interval by selecting the "Refresh Interval" check box.

Configuration of the TS Agent on the Palo Alto Networks Device
The Palo Alto Networks device needs to be configured with the following information:
IP Address: IP address of the server where the TS Agent is installed.
Port: the TS Agent listening port, which must match what is configured on the terminal server.
IP List (optional): list of terminal server source IPs if the terminal server has multiple source IPs (maximum of 8).
Commit the changes on the firewall.

Troubleshooting Hints
The TS Agent maintains a log file which is very useful for troubleshooting. If there is an issue with the TS Agent, collect these logs and send them to the TAC Support Team. View the log file on the TS Agent using File > Show Logs. To enable detailed information on the agent's operation, go to File > Debug and select Verbose; the logs will then display more detailed messages.

Useful CLI commands
Configure a terminal server agent:
# set ts-agent <name> <options>
where <options> include:
ip-address   terminal server agent IP address
port         terminal server agent listening port
ip-list      terminal server alternative IP list

Show terminal server agent status:
> show user ts-agent statistics
IP Address   Port  Vsys   State      Users
-------------------------------------------------------------
10.1.200.1   5009  vsys1  connected  8
10.16.3.249  5009  vsys1  connected  10

> show user ip-port-user-mapping all
User   IP-Address   Vsys   Port-Range
----------------------------------------------------------------------------
test1  10.1.200.1   vsys1  20000-20500
test2  10.1.200.1   vsys1  20500-21000
                           21500-22000
test3  10.1.200.1   vsys1  21000-21500

The TS Agent only supplies user-to-port mappings. To obtain group membership for a domain user it identified, the firewall still relies on a User-ID Agent or on its own group mapping data.

Other CLI commands
The User-ID Agent's "enable-user-identification" and "User Identification ACL" configuration settings also apply to the TS Agent: if user identification is enabled, both User-ID Agent and TS Agent mappings are used.

owner: panagent
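The port-block leasing described in the Configure Panel section, and the source-port-to-user lookup the firewall does with the resulting ip-port-user-mapping, as an added example in Python. This is not the TS Agent's code (the agent is a closed Windows service), so the exact allocation strategy below is an assumption that follows the parameters above: a contiguous block of the start size per lease, more blocks until the per-user maximum, reserved ports never leased, and bind() failing when the range is used up. All port numbers, user names and the server IP are constructed.

```python
from dataclasses import dataclass, field


@dataclass
class PortAllocator:
    """Hypothetical model of the TS Agent's per-user source-port leasing and of the
    (source port -> user) lookup the firewall performs with the mapping it receives."""
    range_start: int = 20000          # Source port allocation range (assumed values)
    range_end: int = 39999
    reserved: set = field(default_factory=set)   # Reserved Source Ports: never leased
    start_size: int = 500             # Port Allocation Start Size Per User
    max_size: int = 2000              # Port Allocation Maximum Size Per User
    fail_when_exhausted: bool = True  # "Fail port binding when available ports are used up"
    leases: dict = field(default_factory=dict)   # user -> [(first, last), ...] inclusive blocks
    _next_free: int = field(init=False, default=0)

    def __post_init__(self):
        self._next_free = self.range_start

    def _carve_block(self, size):
        """Next contiguous block of `size` ports containing no reserved port,
        or None if the range is exhausted (assumed allocation strategy)."""
        first = self._next_free
        while first + size - 1 <= self.range_end:
            hit = [p for p in range(first, first + size) if p in self.reserved]
            if not hit:
                self._next_free = first + size
                return (first, first + size - 1)
            first = hit[-1] + 1       # restart after the last reserved port in the way
        return None

    def allocate(self, user):
        """Lease a block to `user`: the start size at first, further blocks until max_size is held."""
        held = sum(last - first + 1 for first, last in self.leases.get(user, []))
        if held >= self.max_size:
            return self._exhausted(user, "per-user maximum reached")
        block = self._carve_block(min(self.start_size, self.max_size - held))
        if block is None:
            return self._exhausted(user, "source port range exhausted")
        self.leases.setdefault(user, []).append(block)
        return block

    def _exhausted(self, user, why):
        if self.fail_when_exhausted:
            raise OSError(f"bind() fails for {user}: {why}")
        return None   # the process would fall back to a port the firewall cannot attribute

    def lookup(self, port):
        """Firewall side: map a source port to a user, or 'unknown'."""
        for user, blocks in self.leases.items():
            if any(first <= port <= last for first, last in blocks):
                return user
        return "unknown"

    def mapping_table(self, server_ip, vsys="vsys1"):
        """Render the lease table in the layout of 'show user ip-port-user-mapping all'."""
        lines = [f"{'User':<8}{'IP-Address':<13}{'Vsys':<7}Port-Range"]
        for user, blocks in self.leases.items():
            first, *rest = blocks
            lines.append(f"{user:<8}{server_ip:<13}{vsys:<7}{first[0]}-{first[1]}")
            lines.extend(f"{'':<28}{a}-{b}" for a, b in rest)
        return lines


if __name__ == "__main__":
    alloc = PortAllocator(range_start=20000, range_end=21999, reserved={21000},
                          start_size=500, max_size=1000)
    for user in ("test1", "test2", "test2"):
        alloc.allocate(user)
    print("\n".join(alloc.mapping_table("10.1.200.1")))
    print("port 21100 belongs to", alloc.lookup(21100))
```

The second block for test2 is what produces the two-range entry seen in the real `show user ip-port-user-mapping all` output above; a lookup of the reserved port returns unknown, which is why traffic from a reserved port is never attributed to a user.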
nrice 04-11-2018 06:53 AM
Details
Log in using the default username and password: admin/admin. Change this default password as soon as the initial configuration is done and before the management interface is reachable from the network.

Hyper Terminal (serial console) settings:
Bits per second: 9600
Data bits: 8
Parity: none
Stop bits: 1
Flow control: none

Once logged in, run the following CLI commands:
> configure (enter configuration mode)
# set deviceconfig system ip-address 10.1.1.1 netmask 255.255.255.0 default-gateway 10.1.1.2 dns-setting servers primary 4.2.2.2
# commit

owner: jnguyen
jnguyen 04-03-2018 11:19 AM
This document shows how to manage content updates by frequency, day and time, and type of update.

To view new content, go to Device > Dynamic Updates. From there, the following functions may be performed:
Click Check Now to view the latest threat and application updates available from Palo Alto Networks.
Click Release Notes to view a description of an update. The recommendation is to always review the release notes.
Click Download next to an update to download it. When the download is complete, a checkmark is displayed in the Downloaded column.
Click Install next to a downloaded update to install it.

With a few exceptions, new content is released weekly and posted for download late Tuesday evenings Pacific Time. Despite extensive quality assurance testing, Palo Alto Networks may become aware of an error in content released to the public. In the event of a critical "first day" issue the problem content is either pulled or superseded by a new release; typically the issue is found and acted upon within the first 24 hours after release. Because customers weigh the latest content against proven stability differently, some apply the latest content immediately upon availability while others delay applying it for a while. Palo Alto Networks provides the configuration flexibility to accommodate either policy.

Each update can be manually downloaded and installed as outlined above, or scheduled automatically:
To schedule the update for later, click Schedule.
Specify the frequency and timing of the updates and whether the update will be downloaded and installed or only downloaded. If Download Only is selected, the downloaded update can be installed by clicking the Upgrade link on the Dynamic Updates page. When OK is clicked, the update is scheduled.
Additionally, the Action can be delayed by setting a Threshold that dictates how old the new content must be before the action takes place.
If there are concerns that newly downloaded applications could interfere with an existing security policy, they can be disabled until an admin manually reviews and enables them; see Tips & Tricks: How to Use 'Disable New Apps' in Content Update.

We recommend scheduling content for Daily recurrence with an action of Download and Install and a Threshold in accordance with the site's risk-versus-benefit tolerance. Daily recurrence gives the opportunity to pick up any off-schedule releases for critical bug fixes or filtering updates. Download and Install avoids having to interact with the system manually. The Threshold can be left blank for immediate action if the site values speed of updates over the risk of a bad release; a Threshold of at least 24 hours covers the window in which a "first day" issue is normally caught and the content pulled.

Sites wanting to update only once a week can set the following:
Recurrence: Weekly
Day: Wednesday or Thursday (the day after the Tuesday evening release)
Time: select a time
Action: Download and Install
Threshold: leave blank

owner: panagent
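What the Threshold actually buys you, as an added example in Python that is not PAN-OS code: it models the rule described above (a scheduled Download and Install acts on the newest release that is still offered and at least Threshold hours old; a release pulled for a "first day" issue is no longer offered) and replays a Daily and a Weekly schedule against a constructed release history. Version numbers, timestamps and the withdrawal time are constructed, and the 06:00 UTC publication time is an assumption standing in for "late Tuesday evening Pacific".

```python
from datetime import datetime, timedelta

# Constructed release history: (version, published UTC, withdrawn-at UTC or None).
# Weekly releases land late Tuesday evening Pacific (modelled as Wednesday 06:00 UTC);
# 8102-5510 is pulled the same day after a "first day" issue and replaced off-schedule.
RELEASES = [
    ("8101-5500", datetime(2018, 1, 31, 6, 0), None),
    ("8102-5510", datetime(2018, 2, 7, 6, 0), datetime(2018, 2, 7, 20, 0)),
    ("8103-5520", datetime(2018, 2, 8, 2, 0), None),
]


def offered(release, now):
    """A release is offered once published and until it is pulled."""
    _version, published, withdrawn_at = release
    return published <= now and (withdrawn_at is None or now < withdrawn_at)


def installable(releases, now, threshold_hours):
    """Newest release that is still offered and at least `threshold_hours` old, or None.
    This is the Threshold rule: content younger than the threshold is left alone."""
    candidates = [
        r for r in releases
        if offered(r, now) and now - r[1] >= timedelta(hours=threshold_hours)
    ]
    return max(candidates, key=lambda r: r[1])[0] if candidates else None


def simulate(releases, start, runs, interval_days, threshold_hours):
    """Replay a 'Download and Install' schedule: `runs` executions, `interval_days` apart,
    starting at `start`. Returns [(date, version)] for each run that installed a new version."""
    installed, history = None, []
    for n in range(runs):
        now = start + timedelta(days=n * interval_days)
        pick = installable(releases, now, threshold_hours)
        if pick is not None and pick != installed:
            installed = pick
            history.append((now.date().isoformat(), pick))
    return history


if __name__ == "__main__":
    daily_0800 = datetime(2018, 2, 6, 8, 0)
    print("Daily, no threshold:   ", simulate(RELEASES, daily_0800, 4, 1, 0))
    print("Daily, 24h threshold:  ", simulate(RELEASES, daily_0800, 4, 1, 24))
    print("Weekly Thursday 08:00: ", simulate(RELEASES, datetime(2018, 2, 8, 8, 0), 2, 7, 0))
```

With no threshold the daily job installs the pulled release 8102-5510 two hours after it appeared; with a 24-hour threshold it skips it and picks up the replacement a day later, which is the trade-off the recommendation above describes. The Thursday weekly run never sees the pulled release either, because it was withdrawn before the job ran, which is why the day after the Tuesday release is the suggested weekly slot.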
nrice 02-06-2018 01:22 AM
Overview
PAN-OS can decrypt and inspect inbound and outbound SSL connections going through the Palo Alto Networks firewall. SSL decryption can occur on interfaces in virtual wire, Layer 2 or Layer 3 mode, using the Decryption rulebase (Policies > Decryption) to define which traffic to decrypt. In particular, decryption can be based upon URL category, source user and source/destination address. Once traffic is decrypted, tunneled applications can be detected and controlled, and the decrypted data can be inspected for threats, URL filtering, file blocking or data filtering. Decrypted traffic is never sent off the device.

Inbound SSL Decryption
For inbound traffic to an internal web server or device, the administrator imports a copy of the protected server's certificate and private key. Once the server certificate is loaded on the firewall and a decryption policy is configured for the inbound traffic, the firewall decrypts and reads the traffic as it forwards it. No changes are made to the packet data, and the secure channel remains between the client system and the internal server. The firewall can then detect malicious content and control applications running over this secure channel.

Outbound SSL Decryption (SSL Forward Proxy)
Here the firewall proxies outbound SSL connections: it intercepts the outbound SSL request and generates a certificate on the fly for the site the user wants to visit. The validity dates on the firewall-generated certificate are copied from the real server certificate, and its issuer is the firewall's forward-proxy CA. If that CA is not part of a hierarchy the client already trusts, or has not been added to the client's trust store, the client receives a warning when browsing to a secure site.
If the real server certificate was issued by an authority the firewall does not trust, the generated certificate is signed with the second, Forward Untrust CA key instead. Clients do not trust that CA, so the user still sees a certificate warning: decryption must not turn an untrusted upstream certificate (for example one presented by a man-in-the-middle between the firewall and the server) into one the browser trusts.

To configure SSL decryption:
1. Configure the firewall to handle traffic and place it in the network.
2. Make sure the proper Certificate Authority (CA) is on the firewall.
3. Configure SSL decryption rules.
4. Enable the SSL decryption notification page (optional).
5. Commit changes and test decryption.

Steps
1. Configure the firewall to handle traffic and place it in the network
Make sure the Palo Alto Networks firewall is already configured with working interfaces (virtual wire, Layer 2 or Layer 3), zones and Security policy, and is already passing traffic.

2. Load or generate a CA certificate on the Palo Alto Networks firewall
A CA certificate is required for forward proxy decryption, because the firewall generates server certificates on the fly and must sign them. Create a self-signed CA on the firewall or import a subordinate CA from your own PKI. Mark one certificate as "Forward Trust Certificate" and one as "Forward Untrust Certificate" to enable the firewall to decrypt traffic.
Note: public certificate providers such as Entrust, Verisign, Digicert and GoDaddy do not issue subordinate CA certificates to customers, so a certificate bought from them cannot be used for forward proxy decryption.
Whichever CA you use, its private key can sign a certificate for any hostname that clients trusting it will accept, so protect it as you would an enterprise root: restrict who can export it from the firewall, and consider an HSM where one is available.

From the firewall GUI, go to Device > Certificates. Load or generate a certificate for either inbound inspection or outbound (forward proxy) inspection.

Generating a Self-Signed Certificate
Using a self-signed CA certificate is recommended. For information on generating a self-signed certificate, see: How to Generate a New Self-Signed SSL Certificate

Generating and Importing a Certificate from Microsoft Certificate Server
On the Microsoft Certificate Server for your organization, request an advanced certificate using the certificate template "Subordinate CA". Download the certificate.
After downloading, export the certificate from the local certificate store. In Internet Explorer, open Internet Options, select the Content tab, then click Certificates. The new certificate can be exported from the Personal store: select "Certificate Export Wizard", choose to export the private key, select the format, then enter a passphrase and a file name and location for the resulting file. The certificate is in PFX (PKCS #12) format.
To extract the certificate, use this openssl command:
openssl pkcs12 -in pfxfilename.pfx -out cert.pem -nokeys
To extract the key, use this openssl command:
openssl pkcs12 -in pfxfilename.pfx -out keyfile.pem -nocerts
openssl prompts for the PFX import password and, for the key file, for a new PEM passphrase (the extracted key stays encrypted); supply that passphrase when importing the key on the firewall.
Import cert.pem and keyfile.pem into the Palo Alto Networks firewall on the Device > Certificates screen. In the case of a High Availability (HA) pair, also load these files into the second firewall, or copy the certificate and key via the High Availability widget on the dashboard.

The "Forward Trust" and "Forward Untrust" certificates:

Note: If using a self-signed CA, export the public CA certificate from the firewall and install it as a Trusted Root CA on each client, so that browsers do not show untrusted-certificate errors. Network administrators usually push this certificate to each workstation with a GPO. Export only the certificate, never the private key.

Examples of browser errors if the self-signed CA certificate is not trusted:
Firefox untrusted CA error
Chrome untrusted CA error
Internet Explorer untrusted CA error

3. Configure SSL Decryption Rules
The network administrator determines what needs to be decrypted. A few suggestions for configuring SSL decryption rules:
Implement rules in a phased approach. Start with specific rules for decryption, and monitor the typical number of SSL connections being decrypted by the device.
Avoid decrypting the following URL categories, as users may consider this an invasion of privacy:
Financial services
Health and medicine
Do not decrypt applications where the server requires client certificates for identification: the forward proxy terminates the TLS session on the firewall and cannot present the client's certificate to the server. Connections requiring client authentication can be blocked or allowed via the Decryption Profile feature introduced in PAN-OS 5.0.

An example of an outbound rulebase following the suggestions above for decryption.

4. Enable the SSL Decryption Notification web page (optional)
Users can be notified that their SSL connection will be decrypted using the response page found on the Device > Response Pages screen. Click "Disabled", check the "Enable SSL Opt-out Page" option and click OK.
The default SSL Opt-out page can be exported, edited with an HTML editor, and imported to provide company-specific information.

5. Test Outbound Decryption
To test outbound decryption:
Make sure that in the outbound policy, the Anti-Virus profile action is to alert on any virus found, and enable packet capture in that Anti-Virus profile. Commit the changes.
On a PC inside the firewall, go to www.eicar.org. In the top right corner, click "Download anti-malware testfile". In the page that appears, scroll to the bottom and download the eicar test file using HTTP. Any of the four files will be detected.
Go to Monitor > Threat log and look for the log entry that detects the eicar file. Click the green arrow in the left column to view the captured packets. Click the magnifying glass in the far left column to see the log detail. Scroll to the bottom and look for the field "Decrypted": this session was not decrypted.
Go back to the www.eicar.org downloads page. This time use HTTPS to download the test file. Examine the Threat logs: the virus should have been detected, since the SSL connection was decrypted, and the log entry shows eicar detected in web-browsing on port 443.
View the packet capture (optional) by clicking the green arrow. To the left of that log entry, click the magnifying glass, scroll to the bottom and, under Flags, check that "Decrypted" is set. The virus was successfully detected in an SSL-encrypted session.

To test the "no-decrypt" rule, first determine which URLs fall into the financial services, shopping or health and medicine categories. For BrightCloud, go to http://www.brightcloud.com/testasite.aspx. For PAN-DB, use Palo Alto Networks URL Filtering - Test A Site and enter a URL to see its category. Once you have web sites in categories that will not be decrypted, browse to them over HTTPS. There should be no certificate error and the pages display properly. Traffic logs show those sessions as application ssl over port 443, as expected.

To test inbound decryption:
Examine the traffic logs dated before inbound decryption was enabled on the firewall, looking at traffic targeted at the internal servers. In those logs, the application detected should be "ssl" over port 443.
From a machine outside the network, connect via SSL to a server in the DMZ. There are no certificate errors, as the connection is not proxied, only inspected.
Examine the logs for this inbound connection. The applications will no longer be "ssl" but the actual applications found inside the SSL tunnel. Click the magnifying glass icon on those log entries to confirm the connections were decrypted.
Helpful CLI Commands
To see how many SSL decryption sessions are currently going through the device:
> debug dataplane pool statistics | match proxy
Output from a PA-2050: the proxy session pool has 1024 entries, of which 1019 are free, so five SSL sessions are being decrypted (1024 - 1019 = 5):
admin@test> debug dataplane pool statistics | match proxy
[18] proxy session            :    1019/1024    0x7f00723f1ee0

To see the active sessions that have been decrypted:
> show session all filter ssl-decrypt yes state active

Maximum number of concurrent SSL decrypted sessions in PAN-OS 4.1, 5.0, 6.0 and 6.1 (both directions combined):
Hardware          SSL Decrypted Session Limit
VM-100            1,024 sessions
VM-200            1,024 sessions
VM-300            1,024 sessions
PA-200            1,024 sessions
PA-500            1,024 sessions
PA-2020           1,024 sessions
PA-2050           1,024 sessions
PA-3020           7,936 sessions
PA-3050           15,360 sessions
PA-3060           15,360 sessions
PA-4020           7,936 sessions
PA-4050           23,808 sessions
PA-4060           23,808 sessions
PA-5020           15,872 sessions
PA-5050           47,616 sessions
PA-5060           90,112 sessions
PA-7000-20G-NPC   131,072 sessions
PA-7050           786,432 sessions

If the limit is reached, all new SSL sessions go through as undecrypted SSL: they are allowed but not inspected. To drop any new SSL sessions beyond the session limit of the device instead (configure mode):
# set deviceconfig setting ssl-decrypt deny-setup-failure yes

To check whether any sessions are hitting the limit of the device:
> show counter global name proxy_flow_alloc_failure

To view the SSL decryption certificates:
> show system setting ssl-decrypt certificate
Certificates for Global SSL Decryption
CERT global trusted ssl-decryption
x509 certificate
version 2
cert algorithm 4
valid 150310210236Z -- 210522210236Z
cert pki 1
subject: 172.16.77.1
issuer: 172.16.77.1
serial number(9)
00 b6 96 7e c9 99 1f a8 f7    ...~.... .
rsa key size 2048 siglen 2048
basic constraints extension CA 1
global untrusted ssl-decryption
x509 certificate
version 2
cert algorithm 4
valid 150310210236Z -- 210522210236Z
cert pki 1
subject: 172.16.77.1
issuer: 172.16.77.1
serial number(9)
00 b6 96 7e c9 99 1f a8 f7    ...~.... .
rsa key size 2048 siglen 2048
basic constraints extension CA 1
Note that in this sample the same certificate (identical subject and serial number) is loaded as both the trusted and the untrusted decryption CA. Do not do this in production: if clients trust the Forward Untrust CA, sessions whose upstream certificate failed validation are presented to the user without any warning, which defeats the purpose of the second CA.

To view SSL decryption settings:
> show system setting ssl-decrypt setting
vsys                             : vsys1
Forward Proxy Ready              : yes
Inbound Proxy Ready              : no
Disable ssl                      : no
Disable ssl-decrypt              : no
Notify user                      : no
Proxy for URL                    : no
Wait for URL                     : no
Block revoked Cert               : yes
Block timeout Cert               : no
Block unknown Cert               : no
Cert Status Query Timeout        : 5
URL Category Query Timeout       : 5
Fwd proxy server cert's key size : 0
Use Cert Cache                   : yes
Verify CRL                       : no
Verify OCSP                      : no
CRL Status receive Timeout       : 5
OCSP Status receive Timeout      : 5
Block unknown Cert               : no

For a list of resources about SSL Decryption, refer to: SSL Decryption Quick Reference - Resources
For more information on supported cipher suites for SSL Decryption, refer to:
SSL Decryption Not Working Due to Unsupported Cipher Suites
Limitations and Recommendations While Implementing SSL Decryption
How to Identify Root Cause for SSL Decryption Failure Issues

Note: If anything else needs to be added to this document, please comment below.

owner: jdelio
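A capacity check built on the two CLI outputs above (the proxy session pool line and the proxy_flow_alloc_failure counter), as an added example in Python that is not PAN-OS code. It parses the pool line in the format shown above, reads the counter in the row layout 'show counter global' uses (name, value, rate, severity, category, aspect, description), and reports utilisation together with what happens to new sessions once the pool is exhausted, which depends on the deny-setup-failure setting. The sample outputs are constructed in those formats (the counter description text is invented), and the 80% warning level is an assumption.

```python
import re

# '[18] proxy session            :    1019/1024    0x7f00723f1ee0'  ->  free/total
POOL_RE = re.compile(r"\[\s*\d+\]\s*proxy session\s*:\s*(\d+)/(\d+)")
# 'name value rate severity category aspect description' rows of 'show counter global'
COUNTER_RE = re.compile(r"^(\S+)\s+(\d+)\s+(\d+)\s+(\w+)\s+(\w+)\s+(\w+)\s+(.*)$")


def parse_pool(output):
    """Return (free, total) from the proxy session pool line; raise if the line is missing."""
    m = POOL_RE.search(output)
    if not m:
        raise ValueError("no proxy session pool line in output")
    return int(m.group(1)), int(m.group(2))


def parse_counter(output, name):
    """Current value of global counter `name`, or 0 when it is not present in the output."""
    for line in output.splitlines():
        m = COUNTER_RE.match(line.strip())
        if m and m.group(1) == name:
            return int(m.group(2))
    return 0


def assess(pool_output, counter_output, deny_setup_failure=False, warn_at=0.8):
    """Summarise decryption capacity. `deny_setup_failure` mirrors the
    'set deviceconfig setting ssl-decrypt deny-setup-failure' knob described above."""
    free, total = parse_pool(pool_output)
    used = total - free
    failures = parse_counter(counter_output, "proxy_flow_alloc_failure")
    utilisation = used / total
    if failures or free == 0:
        state = "exhausted"          # sessions are already being refused a proxy slot
    elif utilisation >= warn_at:
        state = "warning"            # assumed threshold: room to add rules is running out
    else:
        state = "ok"
    if deny_setup_failure:
        overflow = "new SSL sessions beyond the limit are dropped"
    else:
        overflow = "new SSL sessions beyond the limit pass through undecrypted (uninspected)"
    return {"used": used, "total": total, "utilisation": round(utilisation, 3),
            "alloc_failures": failures, "state": state, "overflow_behaviour": overflow}


# Constructed sample outputs in the formats shown on this page
POOL_SAMPLE = "[18] proxy session            :    1019/1024    0x7f00723f1ee0"
COUNTER_SAMPLE = """\
proxy_process 1205 0 info proxy pktproc Number of flows go through proxy
proxy_flow_alloc_failure 0 0 warn proxy resource Constructed description: proxy slot allocation failures
"""

if __name__ == "__main__":
    for k, v in assess(POOL_SAMPLE, COUNTER_SAMPLE).items():
        print(f"{k:<20}{v}")
```

The default behaviour on exhaustion is the one to watch: without deny-setup-failure the firewall fails open, so a burst of SSL sessions past the model's limit silently turns into uninspected traffic, and only the counter tells you it happened.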
nrice 01-25-2018 02:32 AM
Overview
The Palo Alto Networks firewall can retrieve user-to-group mapping information from an LDAP server such as Active Directory or eDirectory. The data can be retrieved through LDAP queries from the firewall itself (agentless User-ID, introduced in PAN-OS 5.0) or by a User-ID Agent configured to proxy the firewall's LDAP queries. This document describes how to configure Group Mapping on a Palo Alto Networks firewall.

Steps
1. Configure the LDAP server profile: How to Configure LDAP Server Profile
2. Configure how groups and users are retrieved from the LDAP directory by creating a new group mapping entry: go to Device > User Identification > Group Mapping Settings and click Add.
Enter a Name. On firewalls that support multiple virtual systems, a Location drop-down list is available.
Under the Server Profile tab, select the LDAP server profile configured in step 1 from the drop-down list.
Note: All attributes and object classes are populated based on the directory server type selected in the LDAP Server Profile.
The default update interval for user group changes is 3600 seconds (1 hour). Enter a value to specify a custom interval.
Go to the Group Include List tab. Leave the include list blank to include ALL groups, or select from the left column the groups that should be mapped. Including only the groups referenced in policy keeps the mapping small and the periodic refresh cheap.

CLI commands to check the groups retrieved and the connection to the LDAP server:
> show user group-mapping state all
> show user group list
> show user group name <group name>

owner: apasupulati
apasupulati 01-22-2018 01:47 AM
Overview
This document describes the CLI commands to add/create management users, assign them roles, and set their passwords.

Steps
Creating/Adding Users
Log in to the CLI and enter configure mode:
> configure
Create/add a management user and assign a password (you are prompted for the password):
# set mgt-config users <name> password
Note: If <name> does not exist, the user is created.
Set the role for the specified user, either one of the built-in dynamic roles or a custom Admin Role profile:
# set mgt-config users <name> permissions role-based superuser yes
(the other built-in roles are superreader, deviceadmin and devicereader; for a custom Admin Role profile use: permissions role-based custom profile <role profile>)
Grant superuser only where it is really needed; read-only and custom roles keep day-to-day accounts at least privilege.
Commit:
# commit

Change the password for a user
Enter configure mode:
> configure
Enter the new password, which overrides the existing one:
# set mgt-config users admin password
Commit:
# commit

WebGUI
Information on performing these steps in the WebGUI, including how to create granular Admin Role profiles, is in the Administrator's Guide for each version:
PAN-OS 7.0 Administrator's Guide
PAN-OS 7.1 Administrator's Guide
PAN-OS 8.0 Administrator's Guide

owner: sraghunandan
sraghunandan 01-18-2018 12:04 PM
Overview
This document describes how to set the default route for IPv6 traffic.

Steps
Go to Network > Virtual Router.
Add (or open) a Virtual Router and go to Static Routes > IPv6.
Add a Static Route:
Set Destination to ::/0 (the IPv6 equivalent of the IPv4 default route 0.0.0.0/0).
Select the Interface.
Set the Next Hop IP address.
Commit the changes.

Note: Make sure IPv6 is enabled on the firewall. See How to Enable and Disable IPv6 Firewalling.

owner: ukhapre
ukhapre 12-15-2017 08:26 AM
Up to PAN-OS 6.1; for later OS versions, see this article.

Overview
This document describes how to correctly configure group mapping to avoid inconsistencies in the username format for cross-domain users in a multi-domain Active Directory Domain Services (AD DS) forest. To fetch objects (users or groups) from any other domain in the forest, use an AD server that holds the Global Catalog role in group mapping. The global catalog is a distributed data repository that contains a searchable, partial representation of every object in every domain of the forest.

Important! If not configured properly, some users in group mapping are formatted as fqdn-domain-name/username (dummy.example.com/username) instead of netbios-domain-name/username (dummydomain/username), which does not match the ip-user-mapping fetched from the User-ID Agent or by the agentless User-ID service. A user in that state never matches a policy rule that references the group.

Steps
1. The AD server holding the Global Catalog role (usually in the root domain) needs to be configured in an LDAP server profile. Connect to this server on port 3268 (or 3269 for SSL).
2. As usual, set the Domain field if PAN-OS should replace the domain name; leave it blank otherwise.
Note: On a Global Catalog profile this replaces the domain name for ALL users and groups fetched from this server, including those from the other domains of the forest. Only enter a domain name here if leaving it blank causes problems. For example, if the domain is "acme.local" but "acme" is needed, enter "acme" in the Domain field.
3. Use this profile to configure the group mapping (and the include list if needed).
4. If the Domain name was not configured manually in step 2, it is mandatory to configure an additional group mapping using another LDAP server profile that queries the same AD server on the regular port 389 (or 636 for SSL). This is required to correctly populate the domain map used to normalize the user format to netbios_domain_name/username.
This profile is used only to fetch the domain map; configuring the Domain field is not necessary and may be left blank. The AD server used here can be any other Domain Controller of the forest, because the partition container queried for the domain map is replicated to all Domain Controllers. See the note on step 2.
If Active Directory contains a large number of users and groups, configure search filters for users and groups in this second group-mapping setting to limit the impact of the LDAP query results on Management-Plane resources. As this group mapping is used only to determine the domain map, retrieving and handling user and group results is not necessary.
In this example, the search filters are configured with a 'Dummy' string that must be contained in the description field of users and groups, so that the user and group queries return zero results.

See Also: LDAP Group Mappings in a Mixed 6.x and 7.x Environment with Panorama

owner: nbilly
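Why the domain map matters, as an added example in Python that is not PAN-OS code: it shows a group returned by the global catalog with FQDN-qualified members failing to match an ip-user-mapping entry written as netbios/username until the FQDN is normalised through the domain map, and shows what the Domain field on the global catalog profile does to users from the other forest domains. The domain names, users and group are constructed; accepting both backslash and slash as the domain separator and lower-casing both parts are assumptions about how the comparison is done.

```python
# Constructed domain map, as populated from the root domain on port 389/636:
# DNS name of each forest domain -> its NetBIOS name
DOMAIN_MAP = {
    "dummy.example.com": "dummydomain",
    "child.dummy.example.com": "child",
}


def split_user(ident):
    """Split 'domain\\user' or 'domain/user' into (domain, user); a bare user has domain ''."""
    for sep in ("\\", "/"):
        if sep in ident:
            domain, user = ident.split(sep, 1)
            return domain.lower(), user.lower()
    return "", ident.lower()


def normalize(ident, domain_map):
    """Rewrite an FQDN-qualified identity to netbios/user. A domain missing from the map
    is left as-is, which is exactly the inconsistency described above."""
    domain, user = split_user(ident)
    netbios = domain_map.get(domain, domain)
    return f"{netbios}/{user}" if netbios else user


def apply_domain_field(ident, domain_field):
    """The LDAP server profile's Domain field: when set, the domain part of every identity
    fetched from that server is replaced, including users from other forest domains."""
    if not domain_field:
        return ident
    _, user = split_user(ident)
    return f"{domain_field.lower()}/{user}"


def group_matches(ip_user, group_members, domain_map):
    """Would a Security rule whose source user is `ip_user` (from ip-user-mapping) match a
    group whose members came back from the global catalog as `group_members`?"""
    wanted = normalize(ip_user, domain_map)
    return any(normalize(m, domain_map) == wanted for m in group_members)


# Constructed group as a global-catalog query returns it: FQDN-qualified members
GC_GROUP_MEMBERS = ["dummy.example.com/alice", "child.dummy.example.com/bob"]

if __name__ == "__main__":
    print("with domain map:   ", group_matches("dummydomain/alice", GC_GROUP_MEMBERS, DOMAIN_MAP))
    print("without domain map:", group_matches("dummydomain/alice", GC_GROUP_MEMBERS, {}))
    overridden = [apply_domain_field(m, "dummydomain") for m in GC_GROUP_MEMBERS]
    print("child user after Domain field override:", overridden[1])
```

The second print is the failure mode from the Important! note: the user is logged in and mapped, the group is fetched, and the rule still does not match. The override case is the step 2 warning: setting the Domain field on the global catalog profile relabels bob as dummydomain/bob, so his ip-user-mapping entry child/bob no longer matches either.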
nbilly 12-01-2017 03:23 AM
Details
It is possible to export/import a configuration file or a device state using the following CLI commands.

You can export the running configuration or a previously saved backup. To create a backup config:
admin@PA-220> configure
Entering configuration mode
[edit]
admin@PA-220# save config to MyBackup.xml
Config saved to MyBackup.xml
[edit]

Export/import a configuration file:
admin@PA-220> tftp export configuration from MyBackup.xml to <tftphost>
admin@PA-220> scp export configuration from MyBackup.xml to user@<scphost>:/path
admin@PA-220> tftp import configuration from <tftphost> file <remotepath>
admin@PA-220> scp import configuration from user@<scphost>:/path

Export/import the device state:
admin@PA-220> tftp export device-state to <tftphost>
admin@PA-220> scp export device-state to username@<scphost>:/path
admin@PA-220> tftp import device-state from <tftphost> file <remotepath>
admin@PA-220> scp import device-state from username@<scphost>:/path

Both exports contain sensitive material (administrator password hashes, the firewall's certificates and its encrypted private keys), so treat the files accordingly and prefer scp: tftp transfers in cleartext without any authentication.

See Also: CLI Commands to Export/Import Configuration and Log Files
harshanatarajan 11-19-2017 11:57 PM
Overview
This document describes how to view SSL decryption information from the CLI.

Details
The following show system setting ssl-decrypt commands provide information about SSL decryption on the Palo Alto Networks device:
Show the list of ssl-decrypt certificates loaded on the dataplane
> show system setting ssl-decrypt certificate
Show the list of cached certificates loaded on the dataplane
> show system setting ssl-decrypt certificate-cache
Show the list of cached DNS entries
> show system setting ssl-decrypt dns-cache
Show the list of cached servers excluded from decryption
> show system setting ssl-decrypt exclude-cache
Show the list of GlobalProtect cookies
> show system setting ssl-decrypt gp-cookie-cache
Show the list of HSM requests
> show system setting ssl-decrypt hsm-request
Show the SSL decryption memory usage
> show system setting ssl-decrypt memory
Show the list of users whose notify option (whether or not to notify them of SSL decryption) has been cached. While the entry is cached, the user is not notified every time they browse to an encrypted site.
> show system setting ssl-decrypt notify-cache
Show URL rewrite statistics
> show system setting ssl-decrypt rewrite-stats
Show the list of cached sessions
> show system setting ssl-decrypt session-cache
Show ssl-decryption settings
> show system setting ssl-decrypt setting

To display the count of decrypted sessions:
> show session all filter ssl-decrypt yes count yes
Number of sessions that match filter: 2758

To view the decrypted sessions:
> show session all filter ssl-decrypt yes

To clear the decrypted sessions:
> clear session all filter ssl-decrypt yes

To reset the ssl-decrypt caches:
> debug dataplane reset ssl-decrypt <option>
certificate-cache    Clear all ssl-decrypt certificate cache in dataplane
certificate-status   Clear all ssl-decrypt certificate CRL status cached in dataplane
dns-cache            Clear ssl-decrypt DNS cache
exclude-cache        Clear all exclude cache in dataplane
hsm-cache            Clear all ssl-decrypt HSM request in dataplane
notify-cache         Clear all ssl-decrypt notify-user cache in dataplane
rewrite-stats        Clear URL rewrite cache
session-cache        Clear all ssl-decrypt session cache in dataplane
Clearing the exclude cache makes the firewall try again to decrypt servers it had excluded automatically, so expect those sessions to fail once more before they are re-excluded.

The following command checks for any SSL decryption related failures. Columns are: counter name, value, rate, severity, category, aspect, description. Counters are cumulative, so take the output twice while reproducing the problem and compare the two.
> show counter global | match proxy
proxy_process 1205 0 info proxy pktproc Number of flows go through proxy
proxy_no_process 453 0 info proxy pktproc Number of flows do not go through proxy
proxy_wqe_held 253 0 info proxy resource Number of wqe held by proxy for notify answer
proxy_excluded 78 0 info proxy pktproc Number of ssl sessions bypassed proxy because of exclusion
proxy_client_hello_failed 4 0 warn proxy pktproc Number of ssl sessions bypassed proxy because client hello can't be parsed
proxy_url_request_pkt_drop 24 0 info proxy pktproc The number of packets get dropped because of waiting for url category request in ssl proxy
proxy_url_category_unknown 435 0 info proxy pktproc Number of sessions checked by proxy with unknown url category
url_session_not_in_ssl_wait 4 0 error url system The session is not waiting for url in ssl proxy
proxy_url_request_pkt_drop 266 0 drop proxy pktproc The number of packets get dropped because of waiting for url category request in ssl proxy
proxy_timer_del_session_added 4 0 info proxy pktproc Number of timers added for deleting proxy host connection
proxy_timer_del_sessions 4 0 info proxy pktproc Number of proxy host connections deleted due to timer
proxy_proxy_host_not_connected 1 5 0 warn proxy pktproc Number of packets proxy_host tried to receive or transmit when not connected
url_session_not_in_ssl_wait 40 0 error url system The session is not waiting for url in ssl proxy
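Reading the proxy counters over time, as an added example in Python that is not PAN-OS code: because the counters are cumulative, what matters is which ones moved between two reads taken while the problem was reproduced. The code parses the row layout shown above (name, value, rate, severity, category, aspect, description), diffs two snapshots, and keeps only the counters a troubleshooter should look at. The two snapshots are constructed from the rows on this page with the values changed; treating proxy_excluded as interesting despite its info severity is an assumption.

```python
import re

# One row of 'show counter global': name value rate severity category aspect description
ROW_RE = re.compile(r"^(\S+)\s+(\d+)\s+(\d+)\s+(info|warn|error|drop)\s+(\S+)\s+(\S+)\s+(.*)$")


def parse_counters(output):
    """name -> (value, severity, description) for every row that matches the layout."""
    rows = {}
    for line in output.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            name, value, _rate, severity, _category, _aspect, desc = m.groups()
            rows[name] = (int(value), severity, desc.strip())
    return rows


def counter_deltas(before, after):
    """Counters that increased between two sn​apshots: name -> (delta, severity, description).
    A counter absent from the first snapshot counts from zero."""
    a, b = parse_counters(before), parse_counters(after)
    deltas = {}
    for name, (value, severity, desc) in b.items():
        delta = value - a.get(name, (0,))[0]
        if delta > 0:
            deltas[name] = (delta, severity, desc)
    return deltas


def decryption_problems(before, after, also_interesting=("proxy_excluded",)):
    """The deltas worth reading: anything with a non-info severity, plus the info counters
    named in `also_interesting` (sessions that silently bypassed the proxy). Largest delta first."""
    problems = [
        (name, delta, severity, desc)
        for name, (delta, severity, desc) in counter_deltas(before, after).items()
        if severity != "info" or name in also_interesting
    ]
    return sorted(problems, key=lambda p: p[1], reverse=True)


# Constructed snapshots in the page's row layout, taken before and after reproducing a failure
BEFORE = """\
proxy_process 1205 0 info proxy pktproc Number of flows go through proxy
proxy_excluded 78 0 info proxy pktproc Number of ssl sessions bypassed proxy because of exclusion
proxy_client_hello_failed 4 0 warn proxy pktproc Number of ssl sessions bypassed proxy because client hello can't be parsed
proxy_url_request_pkt_drop 24 0 drop proxy pktproc The number of packets get dropped because of waiting for url category request in ssl proxy
"""
AFTER = """\
proxy_process 1260 0 info proxy pktproc Number of flows go through proxy
proxy_excluded 81 0 info proxy pktproc Number of ssl sessions bypassed proxy because of exclusion
proxy_client_hello_failed 9 0 warn proxy pktproc Number of ssl sessions bypassed proxy because client hello can't be parsed
proxy_url_request_pkt_drop 24 0 drop proxy pktproc The number of packets get dropped because of waiting for url category request in ssl proxy
url_session_not_in_ssl_wait 4 0 error url system The session is not waiting for url in ssl proxy
"""

if __name__ == "__main__":
    for name, delta, severity, desc in decryption_problems(BEFORE, AFTER):
        print(f"{name:<32}+{delta:<5}{severity:<6}{desc}")
```

In the constructed run, 55 more flows went through the proxy but five client hellos could not be parsed and three more servers were added to the exclude cache, which is the pattern of an unsupported cipher suite or an otherwise unparseable handshake rather than a capacity problem.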
nrice 11-08-2017 01:44 AM
PAN-OS 6.0 and later

Overview
Color Coded Tags were introduced in PAN-OS 6.0 and make many types of objects visually distinguishable by category. Administrators can easily determine whether a policy was created correctly by scanning it and confirming that the color coding of its objects follows the desired scheme.

Details
On the Device/Panorama GUI, navigate to the Objects tab. The objects tree panel on the left side has a tree node called "Tags" for color coded tag administration.

A tag object has three fields:
Name
Color
Comments
The Name cannot contain a comma (,), since the comma is used as the separator when assigning tags. The Color can be selected from a palette of 16 predefined colors. The default value is "None", which is no color; selecting a color is not required when creating a tag.

The following objects on the Palo Alto Networks device/Panorama can use the tag attribute:
Objects > Address
Objects > Address Groups
Objects > Services
Objects > Service Groups
Network > Zones
Note: When tagging zones, the drop-down must be used rather than typing a generic name, because a tag cannot be selected while editing the zone.

Policies already had tags and now use the tag object. All of the above objects have a tag column in their top-level grid. Only the first tag of an object is shown with its color.

During Add/Edit of any of the above objects the tags attribute can be specified. Tags can be selected from existing tags; tag completion is case-insensitive. If the administrator enters a new tag, it is added as a tag object after OK. The user can select a tag as the "colored tag" for an object while in the object/rule editor; the "colored tag" is saved as the first tag after OK.

In policy tables the user sees rule tags. Only the first tag of a rule is shown with its color.

The following is an example of a Security rulebase with no color tags used.
The following is an example of a Security rulebase with color tags used for zones and inside the objects.
Notice that the use of color tags makes the policy much easier to read.

Additional Details
Tag name length is limited to 127 characters.
There are only 16 colors; custom colors cannot be created.
Multiple tags can use the same color.
If an item has multiple tags with different colors, the first tag's color is displayed, so order matters.
The config shows the color in the CLI as color1 to color16 (for example: set tag test1 color color4).
Panorama can push tag color configs. If a pushed tag conflicts with an existing tag on the firewall, the device config takes priority. Likewise, if there is a conflict between a shared and a vsys-specific object, the vsys object takes precedence.

Logging
Configuration logs are generated for add/edit/delete of tag objects and for setting tags on other objects.

Feature interaction with infrastructure components:
High availability: tag configuration is synced, like other object configuration.
Virtual systems: tag administration and tag assignment can be done per vsys.
Panorama: tag administration and tag assignment are available on Panorama.

Panorama
The specified objects and the zones in Network templates carry tag configuration. The tag configuration is pushed to the device groups and devices along with the objects and device templates. If it conflicts with an existing tag on the firewall, the device config takes priority. In a Network template on Panorama, zones can have tags specified, but no completion (drop-down) is available; users can only type tag names.

Tags can belong to a vsys or be shared on a device, belong to a device group, or be shared on Panorama.

owner: jdelio
10-10-2017 07:46 AM
Note: The following article outlines the additional steps required if an app-override needs to be enabled for an active FTP connection. It is not required if app-override is not needed in the first place.

Overview
FTP is exclusively a TCP-based service; there is no UDP component to FTP. FTP is an unusual service in that it uses two ports, a 'data' port and a 'command' port (also known as the control port). Traditionally these are port 21 for the command port and port 20 for the data port. The confusion begins, however, when we find that depending on the mode, the data port is not always port 20.

Details
Active FTP:
In active mode FTP the client connects from a random unprivileged port (N > 1023) to the FTP server's command port, port 21. Then the client starts listening on port N+1 and sends the FTP command PORT N+1 to the FTP server. The server then connects back to the client's specified data port from its local data port, which is port 20.

From the server-side firewall's standpoint, to support active mode FTP the following communication channels need to be opened:
- FTP server's port 21 from anywhere (client initiates connection)
- FTP server's port 21 to ports > 1023 (server responds to client's control port)
- FTP server's port 20 to ports > 1023 (server initiates data connection to client's data port)
- FTP server's port 20 from ports > 1023 (client sends ACKs to server's data port)

Passive FTP:
From the server-side firewall's standpoint, to support passive mode FTP the following communication channels need to be opened:
- FTP server's port 21 from anywhere (client initiates connection)
- FTP server's port 21 to ports > 1023 (server responds to client's control port)
- FTP server's ports > 1023 from anywhere (client initiates data connection to the random port specified by the server)
- FTP server's ports > 1023 to remote ports > 1023 (server sends ACKs (and data) to client's data port)

Steps
The Palo Alto Networks firewall supports application overrides, which help with applications that have special requirements. To configure an override for the FTP protocol, the following could apply:
1. Create a custom application that uses the FTP ports 20, 21 and the dynamic ports greater than 1024.
2. Create an Application Override rule.
3. Make sure that there is a Security policy allowing the newly defined traffic (custom-ftp); otherwise traffic for this application will be dropped.
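The data-port negotiation described above, worked through in code as an added example that is not part of the original article: it reads the PORT command or the 227 reply from a control-channel transcript, derives the data connection the server-side firewall will see, and checks it against the two channel lists above. The transcripts are constructed for illustration.

```python
"""Derive the FTP data channel a server-side firewall must permit from the
control-channel exchange.  Added example, not from the original article;
the control-channel transcripts are constructed for illustration."""
import re

FTP_ACTIVE_DATA_PORT = 20
FIRST_UNPRIVILEGED_PORT = 1024          # the article's "ports > 1023"

_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def decode_hostport(text):
    """Decode the RFC 959 h1,h2,h3,h4,p1,p2 field into (ip, port)."""
    m = _HOSTPORT.search(text)
    if not m:
        raise ValueError("no h1,h2,h3,h4,p1,p2 field in %r" % text)
    octets = [int(x) for x in m.groups()]
    if any(o > 255 for o in octets):
        raise ValueError("value out of range in %r" % text)
    return ".".join(str(o) for o in octets[:4]), octets[4] * 256 + octets[5]


def data_channel_from_control(client_ip, server_ip, control_lines):
    """Walk a control-channel transcript ('C: ' = client to server, 'S: ' =
    server to client) and return the data connection the server-side
    firewall will see, or None if no data channel was negotiated."""
    channel = None
    for line in control_lines:
        direction, _, text = line.partition(": ")
        if direction == "C" and text.upper().startswith("PORT "):
            # Active mode: the server connects from port 20 to the port the
            # client announced (N+1 in the article).
            ip, port = decode_hostport(text)
            channel = {"mode": "active", "initiator": "server",
                       "src_ip": server_ip, "src_port": FTP_ACTIVE_DATA_PORT,
                       "dst_ip": ip, "dst_port": port}
        elif direction == "S" and text.startswith("227 "):
            # Passive mode: the client connects to the random port the server
            # chose; the client's source port is not known from the transcript.
            ip, port = decode_hostport(text)
            channel = {"mode": "passive", "initiator": "client",
                       "src_ip": client_ip, "src_port": None,
                       "dst_ip": ip, "dst_port": port}
    return channel


def channel_permitted_by_article_rules(channel):
    """Check a negotiated data channel against the data-channel rules the
    article lists for the server-side firewall."""
    if channel is None:
        return False
    if channel["mode"] == "active":
        # "FTP server's port 20 to ports > 1023"
        return (channel["src_port"] == FTP_ACTIVE_DATA_PORT
                and channel["dst_port"] >= FIRST_UNPRIVILEGED_PORT)
    # "FTP server's ports > 1023 from anywhere"
    return channel["dst_port"] >= FIRST_UNPRIVILEGED_PORT


# Constructed transcripts, not captured traffic.
ACTIVE_SESSION = [
    "C: USER anonymous",
    "S: 331 Please specify the password.",
    "C: PORT 192,168,10,25,4,1",             # client listens on 4*256+1 = 1025
    "S: 200 PORT command successful.",
    "C: LIST",
]
PASSIVE_SESSION = [
    "C: PASV",
    "S: 227 Entering Passive Mode (10,1,1,5,195,80)",   # 195*256+80 = 50000
    "C: RETR file.txt",
]

if __name__ == "__main__":
    for name, lines in (("active", ACTIVE_SESSION), ("passive", PASSIVE_SESSION)):
        ch = data_channel_from_control("192.168.10.25", "10.1.1.5", lines)
        print(name, ch, "permitted:", channel_permitted_by_article_rules(ch))
```

A PORT command naming a port below 1024 fails the check, which is exactly the case the "ports > 1023" wording in the channel lists is meant to exclude.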
bbolovan, 08-24-2017 02:34 AM
Symptom
Panorama, deployed either as the Palo Alto Networks M-100 device or as a virtual appliance, stops receiving logs from Palo Alto Networks firewalls. The traffic and threat logs can be viewed when looking directly on the firewalls, but are not visible on Panorama.

Details
The Palo Alto Networks firewall keeps track of the logs forwarded to Panorama with a sequence number. When the logs are received, Panorama acknowledges the sequence number. If the firewall is connected to a different Panorama (for example, to an HA peer of a Panorama), these sequence numbers can become out of sync, causing the firewall not to forward any logs. The log upload process can also become stuck because of a large volume of logs being sent to Panorama.

Resolution

Panorama 6.1, 7.0, 7.1, 8.0

Check the current logging status:
> show logging-status device <serial number>

Start log forwarding with buffering, starting from the last acknowledged log ID:
> request log-fwd-ctrl device <serial number> action start-from-lastack

Verify whether logs are being forwarded:
> show logging-status device <serial number>

If logs are not being forwarded, do the following:

Make sure that log forwarding is stopped:
> request log-fwd-ctrl device <serial number> action stop

Start log forwarding with no buffering (leave it in this state for about a minute):
> request log-fwd-ctrl device <serial number> action live

Start log forwarding with buffering:
> request log-fwd-ctrl device <serial number> action start

Important! The alphabetic characters in the serial number must be all upper case. For example:
> request log-fwd-ctrl device 0000C123456 action live
scheduled a job with jobid 12

If lower case characters are used, the following error message is returned:
> request log-fwd-ctrl device 0011c123456 action live
Server error : failed to schedule a job to do log fwd ctrl from panorama to device 0000c123456

Confirm that the device policies are set with the log action to forward to Panorama.

If the logging gets stuck, restart the log-receiver service with the following command:
> debug software restart log-receiver

Alternatively, restart the management server (which also restarts the log-receiver service) with the following command:
> debug software restart management-server

On PAN-OS 7.0, 7.1 and 8.0, use the following command to restart the management server process:
> debug software restart process management-server

owner: swhyte
npare, 08-08-2017 02:52 AM
Overview
Static ARP (Address Resolution Protocol) entries reduce ARP processing and preclude man-in-the-middle attacks for the specified addresses.

Steps
Navigate to the ARP entry configuration:
1. On the WebGUI, go to Network > Interfaces > Ethernet.
2. Select the appropriate L3 interface.
3. Click Advanced.
4. Click ARP Entries.

From the CLI:
> configure
# set network interface ethernet ethernet1/5 layer3 arp 10.101.10.10 hw-address F0:1F:AF:02:96:36
# commit

Note: It's not possible to change the Palo Alto Networks interface MAC address.

owner: panagent
nrice, 07-10-2017 12:58 AM
Details
IPv6 firewalling can be enabled or disabled through the WebUI or the CLI. In PAN-OS 5.0 and greater, this feature is enabled by default.

WebUI
IPv6 firewalling can be enabled under Device > Setup > Session:

PAN-OS 7.0:

PAN-OS 8 and up:

CLI
> configure
# set deviceconfig setting session ipv6-firewalling [yes|no]
# commit

Interface configuration example:

To enable or disable IPv6 on an interface via the CLI:
# set network interface ethernet ethernet1/3 layer3 ipv6 enabled [yes|no]
# commit

owner: sraghunandan
sraghunandan, 05-23-2017 07:41 AM
This article is deprecated. All documentation is now available at http://pansplunk.readthedocs.io

Overview
Splunk for Palo Alto Networks is a security reporting and analysis tool, and is the result of a collaboration between Palo Alto Networks and Splunk. This document describes how to configure Splunk for Palo Alto Networks, and covers most problems encountered when configuring Splunk for the first time.

Note: Download Splunk for Palo Alto Networks directly from the Splunk site at http://apps.splunk.com/app/491/. Depending on the OS of the server that's running Splunk, follow the installation recommendations from the Splunk website.

If there are separate indexers and a search head, install the application on all of them.

Steps

On the Splunk Server:
The Palo Alto Networks Next-generation Firewall uses udp/514 for syslog by default, but since this port is often used by other syslog sources, we'll use udp/5514 in our examples. Choose any desired port. TCP and SSL syslog are available in PAN-OS 6.0 and later.

Check the settings in the Splunk inputs.conf file and verify that no other configuration is using the UDP or TCP port you chose for syslog from the firewall. Check the inputs.conf in the following directories:
  $SPLUNK_HOME/etc/apps/SplunkforPaloAltoNetworks/local/
  $SPLUNK_HOME/etc/system/local/
Note: See the "Configuration file precedence" section in the Splunk Enterprise Admin Manual for more on the way precedences are checked on Splunk.

In the inputs.conf file, add the following configuration. For UDP syslog, make sure to include the line no_appending_timestamp = true.
  [udp://5514]
  index = pan_logs
  sourcetype = pan_log
  connection_host = ip
  no_appending_timestamp = true

Restart the Splunk service on the server running the Splunk for Palo Alto Networks app.

After configuring the data input, access and configure the app.

The first time running the app from the WebUI, a setup screen displays. You need the credentials only if you want to use the custom commands pantag, panblock, and panupdate. The WildFire API is required only for WildFire subscribers who want Splunk to index WildFire analysis reports from the cloud when a malware sample is analyzed. These credentials are stored in Splunk using encryption, the same way other Splunk credentials are stored.

If you don't want to use these extra features, skip the setup screen by clicking Save.

Go to Apps > Splunk for Palo Alto Networks. Add the appropriate username/password credentials for the Palo Alto Networks firewall and the WildFire API key.
Note: For WildFire subscribers, after logging into the WildFire Portal, access the WildFire API key under the account. Copy and paste the key into the WildFire API Key field (see example).

On the Palo Alto Networks device:
After completing setup on the Splunk side, set up the Palo Alto Networks device to send syslog to Splunk. Go to Device > Server Profiles > Syslog. Configure the details for the Splunk server, including the UDP port (5514, for this example).
Note: Do not set a Custom Log Format. The logs must be in the default format or Splunk won't parse them.

Configure a logging mechanism on the firewall to use the syslog server. For example, configure a security policy rule with a Log Forwarding Profile that uses the Splunk syslog server, or configure the firewall to log config or system events to the Splunk syslog server. Security policy rules are under Policies > Security. Other configurable syslog events are under Device > Log Settings.

Test the configuration
The easiest way to test that everything is working is to configure the firewall to syslog all config events. Go to Device > Log Settings > Config and commit. Make any configuration change and the firewall produces a config event syslog. You don't have to commit the change for the syslog to be produced; any uncommitted change to the configuration produces a log.

You can verify the log reached Splunk by going to the Splunk for Palo Alto Networks app, clicking Search in the navigation bar, and entering:
  index=pan_logs sourcetype=pan_config

If Splunk is getting the syslogs from the firewall and parsing them correctly, the config event syslogs from the changes you made on the firewall configuration will show up here.

Troubleshooting Steps

1. Check that all initial configuration is complete
- Verify inputs.conf is set up per the instructions above.
- inputs.conf must have the line "no_appending_timestamp = true".
- Check the other inputs.conf configurations for other inputs using the same port.
- Check that the firewall is not using a Custom Log Format (it must use the default).
- Check that the firewall is set to log something, such as system events, config events, traffic events, and so on.
- Check that the clocks on the firewall and Splunk server are the same. If they are different, logs will not show up correctly.
- If using a TCP or SSL port for syslog, try UDP first, then switch to TCP or SSL once UDP is working.

2. Verify logs are indexed
Use the method described in Test the configuration to produce some syslogs. Verify the logs are reaching the Splunk server by navigating to the Splunk for Palo Alto Networks app, clicking Search in the navigation bar, then entering:
  index=pan_logs

If no logs show up, the logs are not getting indexed correctly. Use these steps to find the problem:
- Verify the configuration from the Troubleshooting section above.
- Switch the search timeframe to All Time. If logs show up, verify the timestamp is correct on the logs. If the time is wrong, check that the clocks on the Splunk server and firewall are the same.
- Use tcpdump or Wireshark on the Splunk server to verify the logs are actually reaching it.
- Also, verify that the pan_logs index exists.

3. Verify logs are parsed correctly
Use the method described above in the section Test the configuration to produce some syslogs. Verify the logs are reaching the Splunk server by navigating to the Splunk for Palo Alto Networks app, clicking 'Search' in the navigation bar, and entering the following search:
  index=pan_logs sourcetype=pan_config

If logs showed in step 2 but no logs show up now, try sourcetype=pan_logs instead of sourcetype=pan_config. If the logs start showing up after that change, the logs are not getting parsed correctly:
- Check that you are not using a Custom Log Format in the syslog server setting on the firewall.
- Check that the inputs.conf file is configured with the line "no_appending_timestamp = true".
- If you're using a third-party syslog forwarder between the Palo Alto Networks device and Splunk, verify the forwarder isn't modifying the logs.

4. Check acceleration and summary indexing
Check that the dashboards are populating with data. The Overview dashboard doesn't use acceleration, so it should work at this point. If it doesn't show data, go back to troubleshooting. For all the other dashboards, after 5-8 minutes of syslogging to the Splunk server, the dashboards should populate with data. If the dashboards are populating, acceleration and summary indexing are working. If not, check the following:

App Version 4.0 and earlier:
Uses TSIDX for acceleration. Verify that the saved searches for log collection are in the savedsearches.conf file. Check that they haven't been changed or overwritten.

App Version 4.1 and later:
Uses Data Model for acceleration. Check the acceleration settings in the data model under Settings > Data Model > Palo Alto Networks Logs, then edit the Acceleration settings and verify they are enabled for a reasonably large timeframe. Click the arrow next to the Palo Alto Networks Logs data model and check the data model build percentage. It should be 100% or very close to it. If the build percentage is stuck at less than 90%, the cause might be limited resources on the Splunk server being consumed by other apps. Check whether the Splunk CIM or Splunk ES apps are running on the Splunk server. If they are, try disabling both apps and see if the build percentage increases over 90%. If it does, open a case with Splunk support to report the resource contention issue between the apps and get advice on how to proceed.

owner: ialeksov
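A checker for the two inputs.conf conditions called out in the Steps and in Troubleshooting step 1 above (another input bound to the same port, and a UDP stanza for the firewall without no_appending_timestamp = true), added here as an example that is not part of the original article. The file contents are constructed; the two paths are the directories the article names, and the `$SPLUNK_HOME` prefix is left unexpanded as a label.

```python
"""Check Splunk inputs.conf stanzas for the two misconfigurations the
article's Steps and Troubleshooting step 1 call out: another input on the
same UDP/TCP port, and a UDP syslog stanza missing
no_appending_timestamp = true.  Added example, not from the original
article; the sample files below are constructed to mimic the two
directories the article names."""
import configparser
import io
import re

_STANZA = re.compile(r"^(udp|tcp|tcp-ssl)://(?:([^:]*):)?(\d+)$")


def parse_inputs_conf(text, source):
    """Return a list of (proto, port, options, source) for network input stanzas.
    Splunk .conf files are INI-like, so configparser handles the syntax; keys
    are case-sensitive in Splunk, so optionxform is disabled."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str
    parser.read_file(io.StringIO(text), source=source)
    inputs = []
    for section in parser.sections():
        m = _STANZA.match(section)
        if m:
            proto, _host, port = m.groups()
            inputs.append((proto, int(port), dict(parser[section]), source))
    return inputs


def find_problems(files, pan_port, pan_index="pan_logs"):
    """files: mapping of path -> inputs.conf text, in precedence order.
    Returns a list of human-readable findings; empty means the checks pass."""
    findings = []
    all_inputs = []
    for path, text in files.items():
        all_inputs.extend(parse_inputs_conf(text, path))

    # 1. Another stanza on the firewall's port that does not feed pan_logs.
    for proto, port, opts, path in all_inputs:
        if port == pan_port and opts.get("index") != pan_index:
            findings.append("%s: [%s://%d] also uses port %d (index=%s)"
                            % (path, proto, port, port, opts.get("index", "default")))

    # 2. UDP stanza for the firewall without no_appending_timestamp = true.
    for proto, port, opts, path in all_inputs:
        if proto == "udp" and port == pan_port and opts.get("index") == pan_index:
            if opts.get("no_appending_timestamp", "").lower() != "true":
                findings.append("%s: [udp://%d] is missing no_appending_timestamp = true"
                                % (path, port))
    return findings


# Constructed sample files (not taken from a real deployment).
GOOD_APP_LOCAL = """\
[udp://5514]
index = pan_logs
sourcetype = pan_log
connection_host = ip
no_appending_timestamp = true
"""
BAD_APP_LOCAL = """\
[udp://5514]
index = pan_logs
sourcetype = pan_log
connection_host = ip
"""
SYSTEM_LOCAL_CONFLICT = """\
[udp://5514]
index = main
sourcetype = syslog
"""

if __name__ == "__main__":
    files = {"$SPLUNK_HOME/etc/apps/SplunkforPaloAltoNetworks/local/inputs.conf": BAD_APP_LOCAL,
             "$SPLUNK_HOME/etc/system/local/inputs.conf": SYSTEM_LOCAL_CONFLICT}
    for finding in find_problems(files, pan_port=5514):
        print(finding)
```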
ialeksov, 05-19-2017 07:00 AM
Overview
The maximum number of Custom URL Categories, listed per PAN-OS version. (All hardware has the same limit.)

PAN-OS Version | Custom URL Category Limit
PAN-OS 8.0     | 500
PAN-OS 7.1     | 500
PAN-OS 7.0     | 50
PAN-OS 6.1     | 50

owner: mbutt
mbutt, 05-11-2017 01:27 AM
Overview
This document demonstrates how to configure the Palo Alto Networks firewall to send SNMPv3 traps. The SNMPv3 trap receiver used in this example is 'snmptrapd' running on Ubuntu.

Steps
In the following example, the firewall has IP 172.17.128.23 and the SNMPv3 trap receiver has IP 172.17.128.17.

1. Set up SNMPv3 polling. Go to Device > Setup > Operation > SNMP Setup, then click "v3". All passwords are set to 'paloalto'. The polling setup does not need the engineID. However, the polling configuration is necessary to retrieve the engineID from the device, which is used in the SNMPv3 Trap Server profile under Device > Server Profiles > SNMP Trap.

2. Once the device starts responding to SNMPv3 GETs/walks, issue an SNMPv3 GET against the device for the OID 1.3.6.1.6.3.10.2.1.1.0. This GET should respond with the engineID (in hex):
  $ snmpget -v 3 -u test -l authPriv -a SHA -A paloalto -x AES -X paloalto 172.17.128.23 1.3.6.1.6.3.10.2.1.1.0
  iso.3.6.1.6.3.10.2.1.1.0 = Hex-STRING: 80 00 1F 88 04 30 30 30 30 30 34 39 35 32 36 30 37
The engineID retrieved above is 0x80001f8804303030303034393532363037 (hex).

3. Once the backend SNMPv3 trap receiver is configured, complete the SNMPv3 Server profile setup. Configure the SNMPv3 Trap Server profile under Device > Server Profiles > SNMP Trap. All passwords are set to 'paloalto'. The engineID retrieved in Step #2 is required to configure the SNMP Trap Server profile.

4. Assign the SNMP Trap profile created in Step #3 to the relevant logs that need to be forwarded as traps. For example, to send the System log out as traps, navigate to Device > Log Settings > System.

5. Verify
For verification, the SNMPv3 trap receiver used is snmptrapd running on a Linux system. The user 'traptest' used in Step #4 needs to be created in the trap receiver configuration file:
  ~$ cat /tmp/snmptrapd.conf
  createUser -e 0x80001f8804303030303034393532363037 traptest SHA paloalto AES paloalto
  authuser log traptest

Now snmptrapd is started using the configuration file created above:
  ~$ sudo snmptrapd -f -C -c /tmp/snmptrapd.conf -Le

A system log is generated as follows:

Its corresponding SNMPv3 trap is recorded on the Linux machine as follows:
  2013-01-29 06:49:45 172.17.128.23 [UDP: [172.17.128.23]:34722->[172.17.128.17]]:
  iso.3.6.1.2.1.1.3.0 = Timeticks: (33979763) 3 days, 22:23:17.63
  iso.3.6.1.6.3.1.1.4.1.0 = OID: iso.3.6.1.4.1.25461.2.1.3.2.0.600
  iso.3.6.1.4.1.25461.2.1.3.1.2 = STRING: "2013/01/29 06:49:46"
  iso.3.6.1.4.1.25461.2.1.3.1.3 = STRING: "0009C101956"
  iso.3.6.1.4.1.25461.2.1.3.1.4 = STRING: "SYSTEM"
  iso.3.6.1.4.1.25461.2.1.3.1.5 = STRING: "general"
  iso.3.6.1.4.1.25461.2.1.3.1.7 = ""
  iso.3.6.1.4.1.25461.2.1.3.1.8 = STRING: "40867"
  iso.3.6.1.4.1.25461.2.1.3.1.9 = STRING: "0x0"
  iso.3.6.1.4.1.25461.2.1.3.1.300 = STRING: "general"
  iso.3.6.1.4.1.25461.2.1.3.1.301 = ""
  iso.3.6.1.4.1.25461.2.1.3.1.302 = STRING: "general"
  iso.3.6.1.4.1.25461.2.1.3.1.303 = STRING: "informational"
  iso.3.6.1.4.1.25461.2.1.3.1.304 = STRING: "User admin accessed Monitor tab"

owner: achitwadgi
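The engineID that Step 2 retrieves and Step 5 pastes into snmptrapd.conf is opaque as printed; the following added example (not from the original article) decodes the quoted Hex-STRING into its RFC 3411 fields and builds the exact createUser line used above, so a mismatch between the GET output and the receiver configuration can be caught before traps are silently discarded. The hex value is the one quoted in the article; the field layout follows RFC 3411 section 5.

```python
"""Decode an SNMPv3 engineID as returned by snmpget on OID
1.3.6.1.6.3.10.2.1.1.0 and render the createUser line the article puts in
snmptrapd.conf.  Added example, not from the original article; the
Hex-STRING below is the one quoted in the article, and the field layout
follows RFC 3411 section 5 (SnmpEngineID)."""

# RFC 3411 "format" byte values for engineIDs that have the high bit set.
ENGINE_ID_FORMATS = {
    1: "IPv4 address",
    2: "IPv6 address",
    3: "MAC address",
    4: "administratively assigned text",
    5: "administratively assigned octets",
}


def hex_string_to_bytes(hex_string):
    """Turn net-snmp's 'Hex-STRING: 80 00 1F 88 ...' value into bytes.
    The 'Hex-STRING:' label is optional, so a bare '80 00 1F ...' also works."""
    _, _, value = hex_string.rpartition(":")
    return bytes.fromhex(value.replace(" ", ""))


def engine_id_for_snmptrapd(engine_id):
    """Format the engineID the way snmptrapd's 'createUser -e' expects: 0x plus lowercase hex."""
    return "0x" + engine_id.hex()


def decode_engine_id(engine_id):
    """Split an engineID into its RFC 3411 fields.  Returns a dict with the
    enterprise number, the format byte and the decoded remainder."""
    if len(engine_id) < 5 or len(engine_id) > 32:
        raise ValueError("engineID must be 5..32 octets, got %d" % len(engine_id))
    if not engine_id[0] & 0x80:
        # Pre-RFC 3411 layout: 4-byte enterprise number + 8 enterprise-defined bytes.
        return {"rfc3411": False, "enterprise": int.from_bytes(engine_id[:4], "big"),
                "format": None, "format_name": None, "value": engine_id[4:].hex()}
    enterprise = int.from_bytes(engine_id[:4], "big") & 0x7FFFFFFF
    fmt = engine_id[4]
    rest = engine_id[5:]
    if fmt == 1 and len(rest) == 4:
        value = ".".join(str(b) for b in rest)
    elif fmt == 3 and len(rest) == 6:
        value = ":".join("%02x" % b for b in rest)
    elif fmt == 4:
        value = rest.decode("ascii", errors="replace")
    else:
        value = rest.hex()
    return {"rfc3411": True, "enterprise": enterprise, "format": fmt,
            "format_name": ENGINE_ID_FORMATS.get(fmt, "enterprise-specific"),
            "value": value}


def create_user_line(engine_id, user, auth_pass, priv_pass, auth="SHA", priv="AES"):
    """Build the snmptrapd.conf createUser line for a remote engine, as in the
    article (user 'traptest', SHA/AES, passwords 'paloalto')."""
    return "createUser -e %s %s %s %s %s %s" % (
        engine_id_for_snmptrapd(engine_id), user, auth, auth_pass, priv, priv_pass)


# The snmpget output quoted in the article.
ARTICLE_HEX_STRING = "Hex-STRING: 80 00 1F 88 04 30 30 30 30 30 34 39 35 32 36 30 37"

if __name__ == "__main__":
    eid = hex_string_to_bytes(ARTICLE_HEX_STRING)
    print(engine_id_for_snmptrapd(eid))
    print(decode_engine_id(eid))
    print(create_user_line(eid, "traptest", "paloalto", "paloalto"))
```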
goku123, 05-10-2017 02:42 PM
There are 3 ways to see what configuration changes will be made in a commit.

WebGUI
1. When you perform a commit, you are presented with the option to "Preview Changes".

If you click Preview Changes, you will be presented with a window asking how many lines of context before and after each change to show, to give you an idea where the changes are in the config. The default is 5 lines.

If you click OK, a pop-up window will appear. (NOTE: Your browser might block this pop-up window, so you will have to allow it to see it.) The changes are shown color coded.

2. The second way to see the changes is with the Config Audit (Device > Config Audit). This can be used to view the difference between the running and candidate configurations. After choosing two configurations to compare, a double-pane window appears. Configuration differences are clearly highlighted in different colors for review, letting the administrator view changes in the present and past configurations. It lists which admin made the change, along with the time it was performed.

Config Audit window showing the difference between the Running and Candidate configs.

CLI
3. From the CLI, to see the changes between the running configuration and the candidate configuration, run the following command:

> show config diff
risk 1;
preview yes;
}
+ confluence-downloading {
+ category collaboration;
+ subcategory social-business;
+ technology browser-based;
+ description "This App-ID identifies confluence downloading traffic.";
+ alg no;
+ appident yes;
+ virus-ident yes;
+ spyware-ident yes;
+ file-type-ident yes;
+ vulnerability-ident yes;
+ evasive-behavior no;
+ consume-big-bandwidth no;
+ used-by-malware no;

owner: sjanita
sjanita, 05-10-2017 02:01 PM
Details
In PAN-OS, we can create address objects, which can be further grouped into address groups. The most common method is to use a 'static' type address group. However, the 'dynamic' type address group allows for easier management along with scalability.

Review the example below of a list of address objects. Notice the tag on some objects; this will be relevant later.

Now, if we were to create a static address group, we'd choose the objects we want to add.

This is perfectly fine for use in policies, but imagine having to manage hundreds (if not thousands) of address objects with constant additions, deletions, etc.

Note: For every address object you add or remove, you would have to include or exclude it in each address group where that address object is used. This can become cumbersome quite easily and makes the configuration prone to (manual) errors.

This is where 'Dynamic' address groups can shine.

With the use of tags when defining the address objects, we can use a simple match criterion for creating an address group. This is much more flexible, since any addition or deletion only requires a change on the address object's part; the groups can remain untouched! Let's look at the following demonstration.

Using the same address object list as before, we'll create a Dynamic address group.

Commit the changes and then click on 'more' to see the entries in the group. Only the objects with the tag 'Intranet' got included in this group. This is where the tags become useful. For this implementation of a dynamic address group, make sure to create an address object (or groups too, if you wish to use a group within another group) with one or more tags. You can type in a new tag or choose an already created one using the drop-down option. You can create tags on the fly (see above image) or via Objects > Tags.

Moreover, we can have nested address groups with little to no additional overhead, other than adding, removing or editing the objects themselves.

Hopefully, this document has helped you make a smarter and more efficient configuration design.
ansharma, 04-07-2017 06:15 AM