Configuration Articles

Featured Article
To configure a Palo Alto Networks firewall as a DHCP server:

1. Open a new WebUI management session.
2. Navigate to Network > DHCP > DHCP Server.
3. Click the Add button at the bottom of the window. The DHCP Server configuration window opens and the DHCP server options are displayed.
   Note: The sections shaded in yellow are the minimum fields necessary for a working DHCP deployment; additional options may be configured as needed.
4. Select the interface that will be sourcing DHCP leases.
5. Specify the default gateway and primary DNS.
6. Specify the desired lease range in the 'IP Pools' section. Address ranges may be entered in CIDR notation, or as the start and end IP addresses of the range separated by a "-" dash.
7. Click 'OK'.
8. Commit the changes to enable DHCP services.

owner: ggarrison
ggarrison 09-17-2018 09:38 AM
Details

For this example, the rule created blocks downloading the file "wrar39b4.exe".

1. Use a packet capture tool to identify a signature for the custom application.
2. Create the custom application in Objects > Application > New.
3. Define the specifics in the custom application, in particular the transport layer (TCP/80) and the signature (see screenshot for details).
4. Create a security policy that denies the custom-defined application.
5. Commit.
6. Review the traffic log to confirm the application is denied.

Wireshark Packet Capture

To create a Custom Application from the WebGUI, go to Objects > Applications > New. Give the application a name and a description. Edit the properties of the object and assign it an appropriate category, subcategory, technology, risk class and any characteristics that may apply. Choose the correct port (tcp/80 for this example). In the Signatures tab, create a new signature and add an OR condition. Define the signature context (http-req-uri-path for this example), with a pattern of "wrar39b4.exe" and a qualifier of "http-method" "GET". Create a security rule to block the application. Monitor the new rule in the traffic log.

owner: panagent
nrice 09-14-2018 10:28 AM
Although it is not possible to change the port GlobalProtect uses, it is possible to use another port with the help of a loopback IP address and security rules. Here is how to do that:

1. Create a loopback interface. Make sure the untrust interface can ping the loopback.
2. Assign the loopback as the portal address and the gateway address.
3. In the GlobalProtect Portal > Agent > External tab, set the external gateway address (10.30.6.56:7000 in this example).
4. Create a Destination NAT rule with service 7000 to 10.30.6.56 (untrust interface), translating to 10.10.10.1 (loopback) on service 443.
5. Create a security policy with the untrust interface as the destination address and 7000 and 443 as the services.

With this configuration, you will be able to access the GlobalProtect portal page at https://10.30.6.56:7000, which will translate to https://10.10.10.1. Download and install the GlobalProtect client software. Use the credentials in the username and password fields. In the portal field, use the IP 10.30.6.56:7000 as shown.

owner: mvenkatesan
mvenkatesan 07-19-2018 06:07 AM
How to Allow a Single YouTube Video and Block All Other Videos

In this example we only want to allow this one YouTube video, https://www.youtube.com/watch?v=hHiRb8t2hLM, and block the rest of YouTube. Please follow these steps to accomplish this.

Steps

1. Block streaming-media in your URL Filtering Profile. Get there in the WebGUI > Objects > Security Profiles > URL Filtering > click on the URL Filtering profile you would like to use. (URL Filtering Profile detail showing Streaming-Media set to Block.)
2. Create a Custom URL Category from Objects > Custom Objects > URL Category. Your Custom URL Category must include the following entries:
   *.youtube.com
   *.googlevideo.com
   www.youtube-nocookie.com
   www.youtube.com/yts/jsbin/
   www.youtube.com/yts/cssbin/
   This makes sure that any YouTube page or content you go to is decrypted, so that the full HTTP GET can be read.
3. Add a decryption policy of type SSL Forward Proxy; the decryption policy must be tied to your Custom URL Category in the "Service/URL Category" tab. Please see the following article about configuring SSL Decryption: How to Implement and Test SSL Decryption.
4. Go to your URL Filtering profile and add the following URLs to the Allow list:
   www.youtube.com/watch?v=hHiRb8t2hLM
   *.googlevideo.com
   The first entry is the URL for the container page itself; *.googlevideo.com then allows the media that the container page fetches from Google's content CDN at *.googlevideo.com. Also make sure that the custom URL category you created is "allowed" inside the URL filtering profile. (URL filtering profile detail showing the allowed URL list.)
5. Commit and test.

Thanks to Milvaldi for the contribution.
owner: jdelio
07-12-2018 11:51 PM
PAN-OS 6.0 and later

Details
Enabling passive DNS monitoring is an opt-in feature in PAN-OS 6.0 or later. It enables the Palo Alto Networks firewall to act as a passive DNS sensor and send select DNS information to Palo Alto Networks for analysis, in order to improve threat intelligence and threat prevention capabilities.

DNS responses are forwarded only to Palo Alto Networks, and only when all of the following requirements are met:
- DNS response bit is set
- DNS truncated bit is not set
- DNS recursive bit is not set
- DNS response code is 0 or 3 (NX)
- DNS question count is greater than 0
- DNS answer RR count is greater than 0, or, if it is 0, the response code must be 3 (NX)
- DNS query record type is one of A, NS, CNAME, AAAA, MX

To enable passive DNS monitoring on a Palo Alto Networks firewall (PAN-OS 7.1 and earlier), go to Objects > Security Profiles > Anti-Spyware Profile > DNS Signatures, check the box Enable Passive DNS Monitoring, and commit the changes.

To enable Passive DNS on PAN-OS 8.0 and later, go to Device > Setup > Telemetry.

owner: achalla
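The seven forwarding criteria above, applied to raw DNS messages, as an added example (mine, not from the article or from PAN-OS, whose implementation is not public): header bits and type codes follow RFC 1035, and "recursive bit" is assumed to mean the RD flag, which is clear in iterative resolver-to-authoritative exchanges.

```python
"""Added example, not from the original article: apply the passive DNS
forwarding criteria listed above to raw DNS messages.

Header layout and record-type values are from RFC 1035. The firewall's own
implementation is not public, so this only models the seven published
criteria. Assumption: "recursive bit" is read as the RD (recursion desired)
flag, which is clear in iterative resolver-to-authoritative exchanges.
"""
import struct

# Query types the article lists as eligible (RFC 1035 / RFC 3596 values).
ELIGIBLE_QTYPES = {1: "A", 2: "NS", 5: "CNAME", 15: "MX", 28: "AAAA"}


def parse_qname(msg, offset):
    """Return (name, next_offset) for an uncompressed question name."""
    labels = []
    while True:
        length = msg[offset]
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), offset


def passive_dns_eligible(msg):
    """Return (eligible, reason) for one DNS message, per the listed criteria."""
    if len(msg) < 12:
        return False, "short header"
    _ident, flags, qdcount, ancount, _ns, _ar = struct.unpack("!6H", msg[:12])
    qr = (flags >> 15) & 1          # response bit
    tc = (flags >> 9) & 1           # truncated bit
    rd = (flags >> 8) & 1           # recursion desired (assumed "recursive bit")
    rcode = flags & 0xF             # response code
    if not qr:
        return False, "response bit not set"
    if tc:
        return False, "truncated bit set"
    if rd:
        return False, "recursive bit set"
    if rcode not in (0, 3):
        return False, "rcode %d is neither 0 nor 3 (NX)" % rcode
    if qdcount == 0:
        return False, "question count is 0"
    if ancount == 0 and rcode != 3:
        return False, "no answer RRs and not NXDOMAIN"
    _name, off = parse_qname(msg, 12)
    qtype, _qclass = struct.unpack("!HH", msg[off:off + 4])
    if qtype not in ELIGIBLE_QTYPES:
        return False, "qtype %d not in A/NS/CNAME/AAAA/MX" % qtype
    return True, "eligible (%s)" % ELIGIBLE_QTYPES[qtype]


def build_response(qname, qtype, rcode, answers, rd=0, tc=0):
    """Constructed test message: header, one question, one A record per IP."""
    flags = (1 << 15) | (tc << 9) | (rd << 8) | rcode
    header = struct.pack("!6H", 0x1234, flags, 1, len(answers), 0, 0)
    question = b"".join(bytes([len(l)]) + l.encode() for l in qname.split("."))
    question += b"\x00" + struct.pack("!HH", qtype, 1)
    rrs = b""
    for ip in answers:
        # Owner name as a compression pointer to the question name at offset 12.
        rrs += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4)
        rrs += bytes(int(o) for o in ip.split("."))
    return header + question + rrs


# Constructed samples covering the common accept and reject cases.
SAMPLES = {
    "A answer, iterative":      build_response("www.example.com", 1, 0, ["192.0.2.10"]),
    "NXDOMAIN, no answers":     build_response("nx.example.com", 1, 3, []),
    "AAAA with RD set":         build_response("www.example.com", 28, 0, ["192.0.2.10"], rd=1),
    "NOERROR but empty answer": build_response("www.example.com", 1, 0, []),
    "TXT record":               build_response("www.example.com", 16, 0, ["192.0.2.10"]),
    "truncated":                build_response("www.example.com", 15, 0, ["192.0.2.10"], tc=1),
}

if __name__ == "__main__":
    for label, msg in SAMPLES.items():
        ok, why = passive_dns_eligible(msg)
        print("%-26s %-8s %s" % (label, "forward" if ok else "drop", why))
```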
achalla 02-09-2018 04:50 AM
Overview
This document describes how to enable the opt-out response page to notify users when traffic is inspected or decrypted. The opt-out page can be enabled from the CLI or on the PAN-OS Web GUI. When enabled, the response page below is displayed once every 24 hours while user traffic is being inspected or decrypted.
Note: Edit the response page at Device > Response Pages > SSL Decryption Opt-Out Page.

Steps

From the CLI
Run the following commands to enable the opt-out page:
> configure
# set deviceconfig setting ssl-decrypt notify-user yes
# commit

From the PAN-OS Web GUI
On PAN-OS 6.1, 7.0, 7.1, 8.0:
1. Go to Device > Response Pages.
2. Click 'Disabled' for SSL Decryption Opt-out Page.
3. On the SSL Opt-out Page dialog, check Enable SSL Opt-out Page and click OK.
4. Commit the changes.

To verify the setting, run the following CLI command:
> show system setting ssl-decrypt setting
vsys                          : vsys1
Forward Proxy Ready           : yes
Inbound Proxy Ready           : no
Disable ssl                   : no
Disable ssl-decrypt           : no
Notify user                   : yes
Proxy for URL                 : yes
Wait for URL                  : no
Block revoked Cert            : yes
Block timeout Cert            : no
Block unknown Cert            : no
Cert Status Query Timeout     : 5
URL Category Query Timeout    : 5
Use Cert Cache                : yes
Verify CRL                    : no
Verify OCSP                   : no
CRL Status receive Timeout    : 5
OCSP Status receive Timeout   : 5

Command to display the contents of the cache:
> show system setting ssl-decrypt notify-cache

Command to reset the cache so the user can be presented with the opt-out page again:
> debug dataplane reset ssl-decrypt notify-cache
+ source   source IP address
  <Enter>  Finish input

owner: sraghunandan
sraghunandan 11-14-2017 06:05 AM
Overview
PAN-OS 6.0 introduced a feature to create a copy of decrypted traffic and send it to a mirror port, which enables raw packet captures of the decrypted traffic for archiving and analysis.
Note: This feature is available on the Palo Alto Networks PA-3000 Series and PA-5000 Series devices.

Steps
1. Activate the "Decryption Port Mirror" license. Go to Device > Licenses.
2. Reboot the device.
3. After the reboot completes, choose a free interface to use as the port mirror interface. Go to Network > Interfaces.
4. Create a Decryption Profile. Go to Objects > Decryption Profile. In this profile, specify the interface to which the decrypted traffic is to be sent.
5. Apply the decryption profile to the SSL Decryption Policy or Policies.
6. Allow forwarding of decrypted content. Go to Device > Setup > Content-ID.
7. Commit the configuration.

All traffic that matches the SSL Decryption Policy will be decrypted and forwarded to the mirror port, which is ethernet1/8 in the above example.

Multi-VSYS Configuration
When creating a new VSYS, select the option "Allow Forwarding of Decrypted Content," shown below. The rest of the configuration is the same as for a single VSYS environment.

Verification
After the setup is complete, the sessions that are marked for decryption will be forwarded to the designated port. This can be verified in the session table by filtering for all sessions that are decrypt-mirrored:

> show session all filter decrypt-mirror yes
--------------------------------------------------------------------------------
ID          Application    State   Type Flag  Src[Sport]/Zone/Proto (translated IP[Port])
Vsys                                          Dst[Dport]/Zone (translated IP[Port])
--------------------------------------------------------------------------------
33557112     web-browsing   ACTIVE  FLOW *NS   10.193.91.111[55193]/Untrust/6  (10.193.88.91[28832])
vsys1                                          216.58.209.224[443]/Untrust  (216.58.209.224[443])
33557161     web-browsing   ACTIVE  FLOW *NS   10.193.91.111[55241]/Untrust/6  (10.193.88.91[6770])
vsys1                                          216.58.209.238[443]/Untrust  (216.58.209.238[443])
33557106     web-browsing   ACTIVE  FLOW *NS   10.193.91.111[55190]/Untrust/6  (10.193.88.91[1490])
vsys1                                          216.58.209.230[443]/Untrust  (216.58.209.230[443])
33557131     web-browsing   ACTIVE  FLOW *NS   10.193.91.111[55207]/Untrust/6  (10.193.88.91[44665])
vsys1                                          74.125.71.94[443]/Untrust  (74.125.71.94[443])
33557084     web-browsing   ACTIVE  FLOW *NS   10.193.91.111[55170]/Untrust/6  (10.193.88.91[34083])
vsys1                                          204.79.197.203[443]/Untrust  (204.79.197.203[443])
33557166     web-browsing   ACTIVE  FLOW *NS   10.193.91.111[55244]/Untrust/6  (10.193.88.91[50576])
vsys1                                          216.58.209.226[443]/Untrust  (216.58.209.226[443])
33557086     facebook-social-plugin ACTIVE  FLOW *NS   10.193.91.111[55172]/Untrust/6  (10.193.88.91[55838])
vsys1                                          31.13.93.3[443]/Untrust  (31.13.93.3[443])
33557135     youtube-base   ACTIVE  FLOW *NS   10.193.91.111[55210]/Untrust/6  (10.193.88.91[31302])
vsys1                                          216.58.209.224[443]/Untrust  (216.58.209.224[443])
33557118     web-browsing   ACTIVE  FLOW *NS   10.193.91.111[55195]/Untrust/6  (10.193.88.91[33260])
vsys1                                          74.125.206.154[443]/Untrust  (74.125.206.154[443])
33557141     web-browsing   ACTIVE  FLOW *NS   10.193.91.111[55215]/Untrust/6  (10.193.88.91[50351])
vsys1                                          216.58.209.224[443]/Untrust  (216.58.209.224[443])
33557116     web-browsing   ACTIVE  FLOW *NS   10.193.91.111[55194]/Untrust/6  (10.193.88.91[15099])
vsys1                                          216.58.209.238[443]/Untrust  (216.58.209.238[443])
33557127     flash          ACTIVE  FLOW *NS   10.193.91.111[55202]/Untrust/6  (10.193.88.91[9829])
vsys1                                          216.58.209.230[443]/Untrust  (216.58.209.230[443])
33557091     twitter-base   ACTIVE  FLOW *NS   10.193.91.111[55179]/Untrust/6  (10.193.88.91[28557])
vsys1                                          199.16.157.105[443]/Untrust  (199.16.157.105[443])
33557143     web-browsing   ACTIVE  FLOW *NS   10.193.91.111[55216]/Untrust/6  (10.193.88.91[54633])
7316         http-video     ACTIVE  FLOW *NS   10.193.91.111[55238]/Untrust/6  (10.193.88.91[26068])
vsys1                                          173.194.129.178[443]/Untrust  (173.194.129.178[443])
7238         web-browsing   ACTIVE  FLOW *NS   10.193.91.111[55184]/Untrust/6  (10.193.88.91[28250])
vsys1                                          74.125.195.113[443]/Untrust  (74.125.195.113[443])
7307         web-browsing   ACTIVE  FLOW *NS   10.193.91.111[55233]/Untrust/6  (10.193.88.91[44945])
vsys1                                          74.125.206.154[443]/Untrust  (74.125.206.154[443])

owner: rvanderveken
rvanderveken 11-09-2017 06:44 AM
PAN-OS 6.0 and after

Overview
Color Coded Tags were introduced in PAN-OS 6.0 and enable many types of objects to be categorized so that they are visually distinguishable. Administrators can easily determine whether their policy was created correctly by scanning a policy and confirming that the color coding of their objects follows the desired scheme.

Details
On the Device/Panorama GUI, navigate to the Objects tab. As shown below, the objects tree panel on the left side has a new tree node called "Tags" for color coded tag administration.

A tag object has three fields:
- Name
- Color
- Comments

The Name cannot contain a comma (,), since the comma is used as the separator when assigning tags. The Color value of the tag object can be selected from a palette of 16 predefined colors. The default value is "None," which is no color. Selecting a color is not required when creating a tag.

The following objects in the Palo Alto Networks Device/Panorama can be used with the new tag attribute:
- Objects > Address
- Objects > Address Groups
- Objects > Services
- Objects > Service Groups
- Network > Zones

Note: When using Tags with Zones, the drop-down must be used instead of typing a generic name, because the Tag is not selectable while editing the Zone.

Policies already have tags, but they will be changed to use the new tag object. The above objects will all have a new tag column in their top-level grid. Only the first tag in an object may have color.

During the Add/Edit of any of the above objects, the tags attribute can be specified, as shown below.

Tags can be selected from existing tags, and tag completion is case-insensitive. If the administrator adds a new tag, it is added as a tag object after "OK." The user can select a tag as the "colored tag" for an object while in the object/rule editor. The "colored tag" is saved as the first tag after "OK."

From policy tables, the user will see rule tags. Only the first tag in a rule may have color.

The following is an example of a Security Rulebase with no color tags used:

The following is an example of a Security Rulebase with color tags used for Zones and inside of the objects:

Notice that the use of Color Tags makes the policy much easier to read.

Additional Details
- Tag name length is limited to 127 characters.
- There are only 16 colors; custom colors cannot be created.
- Multiple tags can use the same color.
- If an item has multiple tags with different colors, the first tag's color will be displayed, so order matters.
- The config shows in the CLI as color# (1-16), for example: set tag test1 color color4
- Panorama can push tag color configs. If a pushed tag conflicts with an existing tag on the firewall, the device config should take priority. Likewise, if there is a conflict between a shared and a VSYS-specific object, VSYS takes precedence.

Logging
Configuration logs are generated for add/edit/delete of tag objects and for setting tags on other objects.

Feature interaction with infrastructure components:
- High availability: Tag configuration will be synced, like other object configurations.
- Virtual system: Tag administration and tag assignment can be done per VSYS.
- Panorama: Tag administration and tag assignment are available on Panorama.

Panorama
The specified objects and zones in Network templates will have configuration for tags. The tag configuration will be pushed to the device groups and devices along with the objects and device templates. If it conflicts with an existing tag on the firewall, the device config should take priority. In the Network template on Panorama, zones can have tags specified, but no completion (drop-down) is available; users can only type tag names.

Tags can belong to a VSYS or be shared in a device and a device group, or be shared in Panorama.

owner: jdelio
10-10-2017 07:46 AM
Here is the FileType list with Threat-IDs as of May 2017. *The Description for each File Type is not included on this page due to the content size limitation.

ID     Name  File Type Name  Min Version  Scope  File Type Direction
52000  Microsoft PowerPoint  ppt  1.0.1  session  both
52001  Microsoft Word DOC File  doc  1.0.1  session  both
52002  Microsoft Excel XLS File  xls  1.0.1  session  both
52003  Microsoft Cabinet (CAB)  cab  1.0.1  protocol-data-unit  both
52004  ZIP  zip  1.0.1  protocol-data-unit  both
52005  TAR  tar  1.0.1  protocol-data-unit  both
52006  HTA (HTML Application)  hta  1.0.1  session  both
52007  Windows Program Information File (PIF)  pif  1.0.1  protocol-data-unit  both
52008  Windows Registry (REG)  reg  1.0.1  protocol-data-unit  both
52009  Windows Batch (BAT)  bat  1.0.1  session  both
52010  Windows Script (WSF)  wsf  1.0.1  session  both
52011  Microsoft PowerPoint PPT File  ppt  1.0.1  protocol-data-unit  both
52012  Microsoft Word DOC File  doc  1.0.1  protocol-data-unit  both
52013  Microsoft Excel XLS File  xls  5.0.0  protocol-data-unit  both
52014  GZIP  gzip  1.0.1  protocol-data-unit  both
52015  RAR  rar  1.0.1  protocol-data-unit  both
52016  Z Compressed  zcompressed  1.0.1  protocol-data-unit  both
52017  Perl Script  pl  1.0.1  protocol-data-unit  both
52018  Shell Script  sh  1.0.1  protocol-data-unit  both
52019  Windows Dynamic Link Library (DLL)  dll  1.0.1  protocol-data-unit  both
52020  Windows Executable (EXE)  exe  1.0.1  protocol-data-unit  both
52021  Adobe Portable Document Format (PDF)  pdf  1.0.1  protocol-data-unit  both
52022  Microsoft Word 2007 DOCX File  docx  1.0.1  protocol-data-unit  both
52023  Microsoft PowerPoint 2007 PPTX File  pptx  1.0.1  protocol-data-unit  both
52024  Microsoft Excel 2007 XLSX File  xlsx  1.0.1  protocol-data-unit  both
52025  Pretty Good Privacy Format (PGP)  pgp  1.0.1  protocol-data-unit  both
52026  Encrypted ZIP  encrypted-zip  1.0.1  protocol-data-unit  both
52027  GZIP  gzip  1.0.1  protocol-data-unit  download
52028  Microsoft Excel Encrypted XLS File  encrypted-xls  1.0.1  protocol-data-unit  both
52029  Plan Text File  txt  1.0.1  session  download
52030  TIF File  tif  1.0.1  protocol-data-unit  both
52031  MDB File  mdb  1.0.1  protocol-data-unit  both
52032  CSV File  csv  1.0.1  session  download
52033  Microsoft MSOFFICE  msoffice  1.0.1  protocol-data-unit  both
52034  Encrypted RAR File  encrypted-rar  1.0.1  protocol-data-unit  both
52035  Encrypted PGP File  pgp  1.0.1  protocol-data-unit  both
52036  MDI File  mdi  1.0.1  protocol-data-unit  both
52037  PXE File  pxe  1.0.1  protocol-data-unit  both
52038  Microsoft Word Encrypted DOC File  encrypted-doc  1.0.1  protocol-data-unit  both
52039  Microsoft Encrypted PowerPoint File  encrypted-ppt  1.0.1  protocol-data-unit  both
52040  Windows Batch (BAT)  bat  5.0.0  session  download
52041  Activex File  ocx  1.0.1  session  both
52042  Activex CAB File  ocx  2.0.0  protocol-data-unit  download
52043  WRI File  wri  2.1.0.8  protocol-data-unit  both
52044  RTF File  rtf  1.0.1  protocol-data-unit  both
52045  MPEG File  mpeg  2.1.0.8  protocol-data-unit  both
52046  WMV File  wmv  1.0.1  protocol-data-unit  both
52047  FLV File  flv  1.0.1  protocol-data-unit  both
52048  AVI File  avi  1.0.1  protocol-data-unit  both
52049  Quicktime MOV File  mov  1.0.1  protocol-data-unit  both
52050  Download All Files Except TXT HTML and pictures  all  1.0.1  protocol-data-unit  download
52051  All File Upload  all  1.0.1  protocol-data-unit  upload
52052  All File Download  all  1.0.1  protocol-data-unit  download
52053  PCL File  pcl  1.0.1  protocol-data-unit  both
52054  MP3 File  mp3  3.1.0  session  both
52055  PBM File  pbm  2.1.0.8  protocol-data-unit  both
52056  PSD File  psd  2.1.0.8  protocol-data-unit  both
52057  SGI File  sgi  2.1.0.8  protocol-data-unit  both
52058  Softimage PIC File  softimg  2.1.0.8  protocol-data-unit  both
52059  XPM File  xpm  1.0.1  protocol-data-unit  both
52060  Microsoft PE File  PE  1.0.1  protocol-data-unit  both
52061  AI File  ai  1.0.1  protocol-data-unit  both
52062  SVG File  svg  1.0.1  protocol-data-unit  both
52063  SHK File  shk  1.0.1  protocol-data-unit  both
52064  Maya MB File  mb  2.1.0.8  protocol-data-unit  both
52065  Maya ASCII File  ma  1.0.1  protocol-data-unit  both
52066  DPX File  dpx  2.1.0.8  protocol-data-unit  both
52067  CIN File  cin  2.1.0.8  protocol-data-unit  both
52068  EXR File  exr  1.0.1  protocol-data-unit  both
52069  RLA File  rla  2.1.0.8  protocol-data-unit  both
52070  RPF File  rpf  2.1.0.8  protocol-data-unit  both
52071  GIF File  gif  1.0.1  protocol-data-unit  both
52072  JPEG File  jpeg  1.0.1  protocol-data-unit  both
52073  PNG File  png  1.0.1  protocol-data-unit  both
52074  BMP File  bmp  1.0.1  protocol-data-unit  both
52075  IFF File  iff  2.1.0.8  protocol-data-unit  both
52076  WMF File  wmf  1.0.1  protocol-data-unit  both
52077  EMF File  emf  1.0.1  protocol-data-unit  both
52078  EPS File  eps  1.0.1  protocol-data-unit  both
52079  DXF File  dxf  1.0.1  protocol-data-unit  both
52080  MIF File  mif  1.0.1  protocol-data-unit  both
52081  Unknown File  unknown  3.0.0  protocol-data-unit  both
52082  Microsoft Word 2007 IRM Encrypted DOCX File  encrypted-docx  1.0.1  protocol-data-unit  both
52083  Microsoft Excel 2007 IRM Encrypted XLSX File  encrypted-xlsx  1.0.1  protocol-data-unit  both
52084  Microsoft PowerPoint 2007 IRM Encrypted PPTX File  encrypted-pptx  1.0.1  protocol-data-unit  both
52085  Microsoft Word 2007 Encrypted DOCX File  encrypted-docx  1.0.1  protocol-data-unit  both
52086  Encrypted Microsoft Office 2007 File  encrypted-office2007  1.0.1  protocol-data-unit  both
52087  Encrypted Microsoft Office 2007 File  encrypted-office2007  1.0.1  protocol-data-unit  both
52088  ISO File  iso  2.1.0.8  protocol-data-unit  both
52089  MSI File  msi  1.0.0  protocol-data-unit  both
52090  Torrent File  torrent  1.0.0  protocol-data-unit  both
52091  N/A
52092  CMD Windows Script File  cmd  1.0.0  session  both
52093  LZH File  lzh  1.0.0  protocol-data-unit  both
52094  LNK File  lnk  2.1.0.8  protocol-data-unit  both
52095  DWG File Detected  dwg  2.1.0.8  protocol-data-unit  both
52096  GIF File Upload  gif-upload  2.1.0.8  protocol-data-unit  upload
52097  JPEG File Upload  jpeg-upload  2.1.0.8  protocol-data-unit  upload
52098  BMP File Upload  bmp-upload  2.1.0.8  protocol-data-unit  upload
52099  RealMedia File  rm  2.1.0.8  protocol-data-unit  both
52100  PNG File Upload  png-upload  3.1.0  protocol-data-unit  upload
52101  Mac Application Tar Detected  macapp  3.1.0  protocol-data-unit  both
52102  Mac Application Zip Detected  macapp  3.1.0  protocol-data-unit  both
52103  Mac MPKG Detected  mpkg  3.1.0  protocol-data-unit  both
52104  MP4 Detected  mp4  3.1.0  protocol-data-unit  both
52105  MKV Detected  mkv  3.1.0  protocol-data-unit  both
52106  AVI DIVX Video Detected  avi-divx  3.1.0  protocol-data-unit  both
52107  AVI XVID Video Detected  avi-xvid  3.1.0  protocol-data-unit  both
52108  Android Package File Detected  apk  3.1.0  protocol-data-unit  both
52109  Graphic Data System File Detected  gds  3.1.0  protocol-data-unit  both
52110  Tanner Database File  tdb  3.1.0  protocol-data-unit  both
52111  OrCAD DSN File  dsn  3.1.0  protocol-data-unit  both
52112  EDIF File  edif  3.1.0  protocol-data-unit  both
52113  EDIF File  edif  3.1.0  protocol-data-unit  both
52114  VBScript Encoded File  vbe  5.0.0  session  both
52115  ISO File  iso  3.1.0  protocol-data-unit  both
52116  JAR File  jar  3.1.0  protocol-data-unit  both
52117  Java Class File  class  3.1.0  protocol-data-unit  both
52118  Apple iWork Pages File  iwork-pages  3.1.0  protocol-data-unit  both
52119  Apple iWork Numbers File  iwork-numbers  3.1.0  protocol-data-unit  both
52120  Apple iWork Keynote File  iwork-keynote  3.1.0  protocol-data-unit  both
52121  CorelDRAW File  cdr  4.0.0  protocol-data-unit  both
52122  Design Web Format File  dwf  4.0.0  protocol-data-unit  both
52123  CAD STEP File  stp  3.1.0  protocol-data-unit  both
52124  CAD STEP File  stp  3.1.0  protocol-data-unit  both
52125  N/A
52126  N/A
52127  N/A
52128  Windows BAT  bat  4.0.0  session  both
52129  Windows Script  wsf  3.1.0  protocol-data-unit  both
52130  Encrypted PDF  encrypted-pdf  3.1.0  protocol-data-unit  both
52131  HTML Application  hta  4.0.0  session  both
52132  Android Package File Detected  apk  5.0.0  protocol-data-unit  both
52133  CMD Windows Script File  cmd  5.0.0  session  both
52134  N/A
52135  Android Package File Detected  apk  3.1.0  protocol-data-unit  both
52136  JPEG File Upload  jpeg-upload  3.1.0  protocol-data-unit  upload
52137  PNG File Upload  png-upload  3.1.0  protocol-data-unit  upload
52138  BMP File Upload  bmp-upload  3.1.0  protocol-data-unit  upload
52139  GIF File Upload  gif-upload  3.1.0  protocol-data-unit  upload
52140  Microsoft Word 2007 DOCX File  docx  3.1.0  protocol-data-unit  both
52141  Microsoft Excel 2007 XLSX File  xlsx  3.1.0  protocol-data-unit  both
52142  Microsoft PowerPoint 2007 PPTX File  pptx  3.1.0  protocol-data-unit  both
52143  Email Link  Email-link  6.1.0  protocol-data-unit  both
52144  Windows Screen Saver SCR File  scr  5.0.0  session  both
52145  Adobe Shockwave Flash File  flash  4.0.0  protocol-data-unit  both
52146  N/A
52147  N/A
52148  Windows Help File  hlp  3.1.0  protocol-data-unit  both
52149  Multi-Level Encoding  Multi-Level-Encoding  7.0.0  protocol-data-unit  both
52150  Catpart  catpart  3.1.0  protocol-data-unit  both
52151  DMG File Detected  dmg  5.0.0  protocol-data-unit  both
52152  PKG File Detected  pkg  3.1.0  protocol-data-unit  both
52153  MACH-O File Detected  mach-o  5.0.0  protocol-data-unit  both
52154  MacOSX Universal Binaries File Detected  mach-ub  3.1.0  protocol-data-unit  both
52155  MacOSX APP File Detected  macapp  5.0.0  protocol-data-unit  both
52156  JustSystems Ichitaro Document  ichitaro  3.1.0  protocol-data-unit  both
52157  ARJ File Detected  arj  3.1.0  protocol-data-unit  both
52158  7z File Detected  7z  3.1.0  protocol-data-unit  both
52159  CPL File  cpl  3.1.0  protocol-data-unit  both
52160  CHM File  chm  7.0.0  protocol-data-unit  both
52161  REUSE  msoffice  3.1.0  protocol-data-unit  both
52162  PKG File  pkg  7.0.0  protocol-data-unit  both
52163  Microsoft Word XML File  doc  5.0.0  protocol-data-unit  both
52164  Microsoft Excel XML File  xls  5.0.0  protocol-data-unit  both
52165  Microsoft Word Open XML File  docx  5.0.0  protocol-data-unit  both
52166  PY File  PY  5.0.0  protocol-data-unit  both
52168  MIME HTML File  mht  5.0.0  protocol-data-unit  both
52169  TAR  tar  5.0.0  protocol-data-unit  both
52170  MP3 Detected  mp3  5.0.0  protocol-data-unit  both
52171  Microsoft Word 2007 DOTM File  dotm  5.0.0  protocol-data-unit  both
52172  Windows Script  wsf  5.0.0  protocol-data-unit  both
52173  Deflate64 Compressed ZIP  deflate64-zip  5.0.0  protocol-data-unit  both
52174  ACE File  ace  5.0.0  protocol-data-unit  both
52175  ELF File  elf  5.0.0  protocol-data-unit  both
52177  WEBM File  webm  5.0.0  protocol-data-unit  both
52178  MPEG-TS File  mpeg-ts  5.0.0  protocol-data-unit  both
52179  7ZIP File  7zip  5.0.0  protocol-data-unit  both
nrice 06-30-2017 04:22 AM
Steps
To configure Agentless User-ID, first create the service account, then modify and verify the security settings.

Configure the following on the Active Directory (AD) server and the Palo Alto Networks device:

1. Create the service account in AD, which is utilized on the device. Be sure the user is part of the following groups:
   - Distributed COM Users
   - Event Log Readers
   - Server Operators
   Note: Domain Admin privileges are not required for the User-ID service account to function properly; see Best Practices for Securing User-ID Deployments for more information.
   In Windows 2003, the service account must be given the "Audit and manage security log" user right through a group policy. Making the account a member of the Domain Administrators group provides rights for all operations. The built-in group named "Event Log Readers" is not available in Windows 2003.

2. The device uses WMI authentication, and the user must modify the CIMV2 security properties on the AD server that connects to the device. Run 'wmimgmt.msc' from the command prompt to open the console and select these properties. From the Security tab on WMI Control Properties:
   1.) Select the CIMV2 folder.
   2.) Click Security.
   3.) Click Add and then select the service account from Step 1.
   4.) In this case, it is userid@pantac.lab.
   5.) For this account, check both Allow for Enable Account and Remote Enable.
   6.) Click Apply.
   7.) Then click OK.

3. Back in the Palo Alto Networks WebGUI, select Device > User Identification > User Mapping, then click the edit sprocket in the upper right corner to complete the Palo Alto Networks User-ID Agent Setup. Be sure to use the domain\username format for the username under the WMI Authentication tab, along with valid credentials for that user. Enable the Server Monitor options and enable the security log and session options accordingly. Client probing is enabled by default, so disable it if desired.

4. If the domain is configured during Setup in the General Settings/Domain field, the user can elect to discover servers with which to connect. If not, manually add a server to the device.

5. Confirm connectivity through the WebGUI or the CLI:

> show user server-monitor statistics
Directory Servers:
Name                      TYPE  Host                      Vsys   Status
-----------------------------------------------------------------------------
pantacad2003.pantac.lab   AD    pantacad2003.pantac.lab   vsys1  Connected

6. Confirm that ip-user-mapping is working:

> show user ip-user-mapping all
IP               Vsys   From    User                             IdleTimeout(s) MaxTimeout(s)
---------------  ------ ------- -------------------------------- -------------- ----------
192.168.28.15    vsys1  AD      pantac\tom                       2576           2541
192.168.29.106   vsys1  AD      pantac\userid                    2660           2624
192.168.29.110   vsys1  AD      pantac\userid                    2675           2638
Total: 3 users

7. Ensure Enable User Identification is enabled on the zones where identifiable traffic will be initiated. Select the zone in Network > Zone.

See also User-ID Agent Setup Tips

owner: rkalugdan
gswcowboy 05-12-2017 08:54 AM
Details
In PAN-OS, we can create address objects which can be further grouped into address groups. The most common method is to use a 'static' type address group. However, the 'dynamic' type address group allows for easier management along with scalability.

Review the example below of a list of address objects. Notice the tag on some objects; this will be relevant later.

Now, if we were to create a static address group, we'd choose the objects we want to add. This is perfectly fine for use in policies, but imagine having to manage hundreds (if not thousands) of address objects with constant additions and deletions.

Note: For every address object you add or remove, you would have to include or exclude it in each address group where that address object is used. This can become cumbersome quite easily and makes the configuration prone to (manual) errors.

This is where 'dynamic' address groups can shine.

By using tags when defining the address objects, we can write a simple match criterion for creating an address group. This is much more flexible, since any addition or deletion only requires a change on the address object side; the groups can remain untouched! Let's look at the following demonstration.

Using the same address object list as before, we'll create a dynamic address group.

Commit the changes and then click on 'more' next to the entries in the group. Only the objects tagged 'Intranet' were included in this group. This is where the tags become useful. For this implementation of a dynamic address group, make sure to create each address object (or group, if you wish to nest a group within another group) with one or more tags. You can type in a new tag or choose an existing one from the drop-down. You can create tags on the fly (see the image above) or via Objects > Tags.

Moreover, we can have nested address groups with little to no additional overhead, other than adding, removing or editing the objects themselves.

Hopefully, this document helped you in making a smarter and more efficient configuration design.
ansharma 04-07-2017 06:15 AM
PAN-OS performs IP address to region (country) mapping through an internal database that is updated weekly via content updates. In some instances, the geographical categorization of a source or destination address can be wrong. In those cases it may be necessary to verify what the Palo Alto Networks device database shows for the country. The source or destination country of a particular address can be confirmed by running the following command from the CLI on the device.

CLI Command Examples:
> show location ip 212.124.122.180
212.124.122.180 United States
> show location ip 200.54.60.22
200.54.60.22 Chile
> show location ip 49.55.72.8
49.55.72.8 China

If there is any discrepancy between what shows in the logs/CLI and reality, please contact Palo Alto Networks Support to have the issue addressed.

owner: bvandivier
npare 04-06-2017 02:08 PM
This article is outdated. Please see the following page, which contains the most accurate information: Getting Started: Custom applications and app override. Please feel free to visit this new page for the latest info and to comment on it.
gsamuels 03-28-2017 04:05 PM
Topology
Main Site: Dual ISPs. Single PAN firewall with dual Virtual Routers and dual VPNs. One ISP is used for all VPN traffic and the other is used for Internet traffic, as well as a backup for the VPN traffic.
Remote Site: Single PAN firewall with a single VR and a single ISP.

Tunnel156 (in VR2) will be the main VPN tunnel. The workstation will ping the remote site from VR1. The PBF rule will route the packet to the interface of Tunnel156 in VR2. When the PBF monitor fails, the packet uses the default route of the VPN network (tunnel.56) in VR1.

VR1 Setup
Configure an IP address on the tunnel interface for PBF monitoring.
Set up the static route for VPN/tunnel monitoring traffic.

VR2 Setup
Configure an IP address for tunnel monitoring.
Set up the static route for VPN/tunnel monitoring traffic.
Create a return route for the source (route back to the other VR).

PBF Policy

Security Policy

With the PBF monitor UP:

admin@lab-56-PA500(active)> show pbf rule all
Rule       ID Rule State Action  Egress IF/VSYS NextHop        NextHop Status
====       == ========== ======  ============== ============== ==============
VPNtraffic 4  Active     Forward tunnel.156     156.156.156.58 UP

Session Flow:

admin@lab-56-PA500(active)> show session id 29290
Session 29290
  c2s flow:
    source: 192.168.56.30[Trust]
    dst:    192.168.57.1
    proto:  6
    sport:  3045    dport:  443
    state:  ACTIVE  type:  FLOW
    src user: unknown
    dst user: unknown
    pbf rule: VPNtraffic 4
  s2c flow:
    source: 192.168.57.1[vr2-vpn]
    dst:    192.168.56.30
    proto:  6
    sport:  443     dport:  3045
    state:  ACTIVE  type:  FLOW
    src user: unknown
    dst user: unknown
  start time          : Mon Aug 8 10:16:58 2011
  timeout             : 1800 sec
  time to live        : 1767 sec
  total byte count    : 47632
  layer7 packet count : 129
  vsys                : vsys1
  application         : ssl
  rule                : TrafficVPN
  session to be logged at end : True
  session in session ager : True
  session synced from HA peer : False
  layer7 processing   : completed
  URL filtering enabled: False
  session via syn-cookies: False
  session terminated on host : False
  session traverses tunnel : True
  captive portal session : False
  ingress interface : ethernet1/6
  egress interface : tunnel.156
  session QoS rule : N/A(class 4)

After the PBF monitor fails (next hop DOWN), traffic falls back to tunnel.56 in VR1:

admin@lab-56-PA500(active)> show pbf rule all
Rule       ID Rule State Action  Egress IF/VSYS NextHop        NextHop Status
====       == ========== ======  ============== ============== ==============
VPNtraffic 4  Active     Forward tunnel.156     156.156.156.58 DOWN

admin@lab-56-PA500(active)> show session id 61386
Session 61386
  c2s flow:
    source: 192.168.56.30[Trust]
    dst:    192.168.57.1
    proto:  6
    sport:  512     dport:  55042
    state:  INIT    type:  FLOW
    src user: unknown
    dst user: unknown
  s2c flow:
    source: 192.168.57.1[vpn]
    dst:    192.168.56.30
    proto:  1
    sport:  55042   dport:  512
    state:  INIT    type:  FLOW
    src user: unknown
    dst user: unknown
  start time          : Mon Aug 8 10:49:18 2011
  timeout             : 6 sec
  total byte count    : 74
  layer7 packet count : 1
  vsys                : vsys1
  application         : ping
  rule                : TrafficVPN
  session to be logged at end : True
  session in session ager : False
  session synced from HA peer : False
  layer7 processing   : enabled
  URL filtering enabled: False
  session via syn-cookies: False
  session terminated on host : False
  session traverses tunnel : True
  captive portal session : False
  ingress interface : ethernet1/6
  egress interface : tunnel.56
  session QoS rule : N/A(class 4)

owner: panagent
panagent 01-27-2017 03:25 AM
Overview
The ability to disable SIP ALG was introduced in PAN-OS 6.0. SIP ALG performs NAT on the payload and opens dynamic pinholes for media ports. This may cause issues for some SIP implementations. This document describes how to disable SIP ALG.

Note: The option to disable SIP ALG is available on the Palo Alto Networks firewall and is a device-wide option. This feature is not supported on Panorama.

Steps
Inside the WebGUI
Disabling this feature will prevent the firewall from translating the payload. Go to Objects > Applications and search for the SIP application, as shown below. Open the SIP application. The ALG setting can be seen in the Options section at the lower right of the display. Click Customize to bring up the settings dialog and check Disable ALG.

On the CLI
Use the following command to disable the SIP ALG:
> configure
# set shared alg-override application sip alg-disabled yes|no

If issues still occur with SIP after disabling the ALG, testing can be performed by setting up filters with packet captures and running the following CLI commands to gather additional information:
> debug dataplane packet-diag set log feature flow basic
> debug dataplane packet-diag set log feature ctd basic

Note: Not all phone system implementations use the SIP application. In some cases, vendors like Cisco will use applications such as RTP and RTCP. In these cases, if the phones are experiencing issues, it might be necessary to perform an application override for the specific phone traffic.

For more information see: How to Create an Application Override

owner: rvanderveken
rvanderveken 12-19-2016 01:19 PM
Details
This document describes how to configure the Palo Alto Networks device to serve a URL response page over an HTTPS session without SSL decryption.

Requirements
Create a URL Filtering profile that blocks the unwanted HTTP and HTTPS websites.
Create a Security Policy with an action of "allow" and link the URL Filtering profile to it.
Response pages must be enabled. This cannot be performed on a VWire interface; VWire requires SSL decryption to be able to serve a response page.
  Network > Network Profiles > Interface Mgmt: create an interface management profile with response pages enabled.
  Network > Interfaces > Ethernet?/? > Advanced > Management Profile: select your management profile.
A certificate to be used for Forward Trust on the Palo Alto Networks device, which is one of the following:
  A self-signed/self-generated certificate with the "Certificate Authority" box checked. Note: if using a self-signed/self-generated certificate, it will be necessary to import this certificate into the client machine's certificate store to avoid unwanted browser certificate errors.
  An intermediate CA certificate installed on the Palo Alto Networks device which was generated by an organization's internal CA.
A certificate to be used for Forward Untrust, which is a self-signed/self-generated certificate with the "Certificate Authority" box checked. This certificate is NOT to be trusted by any client that receives it.

Note: If using dynamic URL filtering with BrightCloud, be sure to enable dynamic URL filtering on all URL filtering profiles as well as dynamic URL filtering globally. From configure mode on the CLI of the device, enter the following command:
# set deviceconfig setting url dynamic-url yes
The above command only works if the firewall is licensed for BrightCloud URL Filtering. It does not work for PAN-DB URL filtering.

Once the above requirements have been met, enable the Palo Alto Networks device's ability to inject URL filtering response pages within an HTTPS session with the following configuration command. This command works with either BrightCloud or PAN-DB URL filtering:
# set deviceconfig setting ssl-decrypt url-proxy yes

Client machines browsing through the Palo Alto Networks device will now be served a URL filtering response page within an HTTPS session as dictated by the URL Filtering policy.

Caveats with Continue and Override
Today's websites serve content from many sources. If serving a URL Response Page for an action of type Continue or Override, it is possible that some content on the page will not be rendered properly. This happens if the content comes from a site in a category for which the action is set to Block, Continue or Override; the firewall does not present the Continue and Override page for each embedded link.

Note: After you replace the certificate to renew its expiration date, restart the dataplane or the device. This removes the expired certificate cache in the dataplane.

owner: bvandivier
bvandivier 10-19-2016 09:15 AM
Overview
When configuring a template on the M-100/Panorama, the UI for the Group Include List does not display a list of available groups to select from.

Details
On the Palo Alto Networks firewall, the group mapping list can be pulled directly once the LDAP Profile has been configured. However, when configuring templates on the Panorama/M-100 for the Group Mapping Include List, the available groups are not displayed. Instead, the groups for the Group Include List must be added manually using the correct syntax.

Available groups are not visible because Panorama cannot pull User-Group information directly from the LDAP/Active Directory server. Panorama obtains User-ID information through the Master Device in the device group.

Under the template, the administrator has to configure the LDAP settings manually and push them to the device; the list will not populate itself. The administrator needs the Base DN and Bind DN information at hand before configuring. Once the template has been pushed to the device and the information is correct, Panorama will be able to pull group information. Group mapping settings in templates differ between Panorama and the device by design: while pushing a template, the administrator needs to have the group information ready, and once it is pushed to the device, the group information appears in the same format as the device's own group mapping settings.

owner: dwhyte
panagent 10-13-2016 02:34 AM
Overview
PAN-OS 6.0 introduced the ability to capture more than a single packet (up to 50) for threats that are logged on the Palo Alto Networks firewall. Extended Packet Capture can be useful for:
Determining if an attack was successful
Learning more about the methods used by the attacker
Validating the maliciousness of traffic with more context

Note: Extended Packet Capture is only available on Anti-Spyware and Vulnerability Protection profiles.

Steps
Go to Device > Setup > Content-ID and edit Threat Detection Settings. Configure the number of packets you would like to capture (max. 50 packets).
Go to Objects > Security Profiles > Vulnerability Protection. Enable "extended-capture" mode for Packet Capture on a vulnerability protection profile.
Note: The screenshot shows, as an example, how to create a profile that collects extended captures for any vulnerability. You can edit a more granular profile and enable extended captures only for a particular severity level. If you need to enable extended captures for only one vulnerability, please read this article.
Apply this profile on a Security Policy.
It is also possible to change the logdb quota (max. 90% quota) for Extended Packet Capture.

Important: If the "action" of the profile is set to block, only a single packet will be captured.

owner: rvanderveken
rvanderveken 10-13-2016 02:34 AM
A newer version of this document has been created and is located here: How to Verify DNS Sinkhole Function is Working
sbabu 10-03-2016 02:48 PM
Overview
Palo Alto Networks recommends using an LDAP browser to find the proper LDAP information.

Finding the Proper Bind Information
To find the Bind DN, run the following command with the example username test1 from the command line of the AD server:
dsquery user -name test1
You should receive the Bind DN "CN=test1, OU=outest2, OU=outest, DC=pantac2, DC=org". Alternatively, use an LDAP browser to find the Bind DN.

The Base DN is where the PAN will start searching in the directory structure. The Bind DN is the username that will be used to do the searching and request the authentication.

Note: In Active Directory, a blank folder icon represents a Container (CN), while folders with icons are Organizational Units (OU).

For example, if the admin account is in the Users container, the Bind DN is cn=admin,cn=users,dc=pantac2,dc=org.

In the following example, the test1 account is in the OUtest2 Organizational Unit (OU), and OUtest2 is in OUtest.

Configuring LDAP
Device > Server Profile > LDAP
For the above example, Active Directory is used and no SSL encryption is configured. The Port field can be left empty for the default ports to be used: TCP port 389 is the standard port for unencrypted LDAP, and port 636 is used when "Require SSL/TLS secured connection" is selected.

LDAP information
Type: active-directory
If the server list has been populated and the servers are reachable by the management interface, the Base DN will auto-populate when you click the drop-down arrow.
Base DN: DC=paloalto, DC=com
Bind DN supports LDAP, UPN and down-level formats, for example:
ldap-auth@paloalto.com
CN=ldap-auth, OU=Users, DC=paloalto, DC=com

Configure Your Group-Mapping Profile
Device > User Identification > Group Mapping Settings: make sure to set the User Domain.
Click the Group Include List tab. Click the + sign next to the Base in the left column to expand the list of available folders to search for the groups you want to query. Click on the groups listed starting with "cn=" that you want to use in policies on the firewall and click the + sign in the middle to add them to the included list of groups.
Warning! If there are no groups in the include list on the right, all groups in AD will be queried, which may cause load issues.
Commit.
Verify the connection to the LDAP server with the following CLI command:
> show user group name all

Configure your LDAP authentication in Device > Authentication Profile. Include any groups you are querying for that will be used in the Authentication Profile. This profile can be used for Captive Portal, GlobalProtect, user log on, or any authentication through the firewall. You can create other Authentication profiles for different functions if the groups in the allow list will be different. If required, the input username can be modified to accommodate down-level or UPN username formats.

owner: bnitz
npare 09-01-2016 05:52 AM
Issue
In some instances, File Blocking Profile rules do not follow a top-down order of operations when applying actions.

Cause
Overlapping File Blocking Profile rules exist with different actions. The File Blocking Profile rulebase does not follow a normal "top-down" approach when applying rule actions. When a file is seen in a traffic flow matching a Security policy with a File Blocking Profile applied, it is checked against the configured File Blocking rules. When there is a single match, the action is taken accordingly. In the case of multiple matches, the highest-precedence action is used. The options to move rules up and down the list are purely for organizational and cosmetic reasons.

Action Precedence
There are five actions that can be applied to File Blocking Profile rules. The order of precedence among the actions in PAN-OS 6.1 and earlier, highest first, is as follows:
continue-forward
forward
continue
block
alert
For example, if you configure rules with "alert" and "continue-forward", the "continue-forward" action takes precedence and will be the action applied.

Having said that, consider an e-mail that contains both an email-link and a PNG/JPG file: the email-link takes the continue-forward action and the PNG/JPG file takes the alert action, because the firewall can forward only the following file formats to the WildFire cloud:
apk—Android Application Package (APK)
email-link—HTTP/HTTPS
flash—Adobe Flash applets
jar—Java applets
ms-office—Microsoft Office files
pe—Portable Executable (PE) files
pdf—Portable Document Format

owner: sspringer
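As an added illustration (not code from the article or from PAN-OS), the following Python model applies the precedence rule described above: it collects every File Blocking rule that matches a file and picks the highest-precedence action regardless of rule order, which is how a "block" rule for PE downloads can lose to a broad "continue" or "continue-forward" rule. The rule names, the rule() helper and the sample profile are constructed; the handling of non-forwardable file types is an assumption modelled on the e-mail example.

```python
from dataclasses import dataclass
from typing import Iterable, Optional

# Precedence among File Blocking actions in PAN-OS 6.1 and earlier, highest first
# (taken from the article).
ACTION_PRECEDENCE = ("continue-forward", "forward", "continue", "block", "alert")

# File types the firewall can forward to the WildFire cloud (taken from the article).
WILDFIRE_FORWARDABLE = frozenset({"apk", "email-link", "flash", "jar", "ms-office", "pe", "pdf"})
FORWARDING_ACTIONS = frozenset({"continue-forward", "forward"})


@dataclass(frozen=True)
class FileBlockingRule:
    name: str
    applications: frozenset   # {"any"} or application names
    file_types: frozenset     # {"any"} or file type names
    direction: str            # "upload", "download" or "both"
    action: str

    def __post_init__(self) -> None:
        if self.action not in ACTION_PRECEDENCE:
            raise ValueError(f"unknown action {self.action!r}")
        if self.direction not in ("upload", "download", "both"):
            raise ValueError(f"unknown direction {self.direction!r}")


def rule(name: str, action: str, applications: str = "any",
         file_types: str = "any", direction: str = "both") -> FileBlockingRule:
    """Hypothetical helper: build a rule from comma-separated strings as typed in the GUI."""
    return FileBlockingRule(name, frozenset(applications.split(",")),
                            frozenset(file_types.split(",")), direction, action)


def rule_matches(r: FileBlockingRule, app: str, file_type: str, direction: str) -> bool:
    """A rule matches when application, file type and direction all match."""
    app_ok = "any" in r.applications or app in r.applications
    type_ok = "any" in r.file_types or file_type in r.file_types
    dir_ok = r.direction == "both" or r.direction == direction
    return app_ok and type_ok and dir_ok


def matching_rules(rules: Iterable[FileBlockingRule], app: str,
                   file_type: str, direction: str) -> list:
    """Every rule that matches, in configured order (order is cosmetic only)."""
    return [r for r in rules if rule_matches(r, app, file_type, direction)]


def effective_action(rules: Iterable[FileBlockingRule], app: str,
                     file_type: str, direction: str) -> Optional[str]:
    """Action the profile applies: highest precedence among ALL matches, not the first hit.

    Returns None when no rule matches. Assumption (modelled on the article's e-mail
    example): forward/continue-forward only compete for file types WildFire can
    accept; for any other type the remaining non-forwarding action wins.
    """
    matched = matching_rules(rules, app, file_type, direction)
    if not matched:
        return None
    candidates = {r.action for r in matched}
    if file_type not in WILDFIRE_FORWARDABLE:
        non_forwarding = candidates - FORWARDING_ACTIONS
        if non_forwarding:
            candidates = non_forwarding
    return min(candidates, key=ACTION_PRECEDENCE.index)


# Constructed profile: a block rule for PE downloads that an admin expects to win,
# a WildFire forwarding rule and an alert-on-everything rule.
SAMPLE_PROFILE = [
    rule("block-pe-download", "block", file_types="pe", direction="download"),
    rule("wildfire", "continue-forward"),
    rule("log-all", "alert"),
]

if __name__ == "__main__":
    for app, ftype, direction in [("web-browsing", "pe", "download"),
                                  ("smtp", "email-link", "download"),
                                  ("smtp", "png", "download")]:
        hits = [r.name for r in matching_rules(SAMPLE_PROFILE, app, ftype, direction)]
        print(f"{app:12s} {ftype:10s} {direction:8s} matches={hits} "
              f"-> {effective_action(SAMPLE_PROFILE, app, ftype, direction)}")
```

Note that the PE download is not blocked even though the block rule sits at the top of the profile; only removing or narrowing the overlapping continue-forward rule changes the outcome.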
panagent 05-31-2016 02:09 PM
Issue
GlobalProtect must be set up on a firewall with an internal IP address sitting behind an edge Internet device.

Resolution
Topology:
Internal Network > PAN (192.168.10.2/24) > (192.168.10.1/24) Internet Router (2.2.2.2/24) --- (2.2.2.1/24) ISP

Setup instructions:
In the above setup, the edge Internet Router (2.2.2.2) is performing NAT to the PAN's untrust interface (192.168.10.1). This could also be accomplished via DynDNS in some home/small office environments where the Internet Router is assigned a dynamic IP address from the ISP but, via DynDNS, always resolves to the latest dynamic public address received by the Internet router. For example, homexyz.dyndns.com resolves to 2.2.2.2 or to the latest dynamic public address received by the Internet router.

In such an implementation, the GlobalProtect Portal and GlobalProtect Gateway would be set up on the PAN untrust interface with IP address 192.168.10.2, as shown in the screenshots below. However, the Client Configuration section under the Portal needs to have the public IP addresses/FQDNs of the edge device, as illustrated in the screenshot below. This list of gateways gets pushed to the PC, which will try to tunnel and connect to them.

owner: achitwadg
panagent 04-28-2016 02:51 PM
PAN-OS 6.0, 6.1, 7.0

Question
How to clear IP addresses in a Dynamic Address Group.

Resolution
The following CLI command can be used to clear a specific IP address in a Dynamic Address Group:
> debug object registered-ip clear ip <ip/netmask>

The following CLI command can be used to delete all registered IPs:
> debug user-id clear registered-ip all

Note: In order for the IPs to be cleared properly, the User-ID process may have to be restarted with the following command:
PAN-OS 6.1 and earlier versions:
> debug software restart user-id
PAN-OS 7.0 and newer versions:
> debug software restart process user-id

owner: saryan
saryan 04-13-2016 03:04 PM
In PAN-OS 7.1, when a security policy rule is configured with the Application setting 'Any' and the Service setting 'application-default', the rule Action is now applied only on the standard ports for any application.
04-01-2016 06:16 PM
To change the threshold value under a timing vulnerability signature, do the following:
Open the vulnerability profile and search for the Threat ID.
Click on the "Pencil" icon before the threat name, as shown below. The Edit Time Attribute pop-up window is displayed.
Set the threshold as required.
Make sure the Exception is enabled.
Commit the changes.

Note: Not all threat/vulnerability signatures can be modified. There are signatures that do not have any changeable attributes. For example, TID 30003 is a signature whose attributes cannot be modified. Also, attributes for threat IDs can only be changed if the particular Palo Alto Networks firewall has a valid threat license. Otherwise, the commit fails with the following error:
Error: Profile compiler : can not set time attribute on tid <> .
See: Unable to Commit Changes to Threat Attributes

owner: kalavi
kalavi 03-08-2016 07:38 AM
About Regions
Regions have addresses based on coordinates, which are depicted either in Latitude & Longitude or in Degrees. The firewall supports the creation of policy rules that apply to specified countries or other regions. The region is available as an option when specifying source and destination for security policies, decryption policies, and DoS policies. You can choose from a standard list of countries or use the region settings described in this section to define custom regions to include as options for security policy rules.

Multiple coordinates
If you are trying to find the radius of a coordinate and check whether it overlaps any other region in your address book, please use the Calculator. It can be used as a conversion tool for coordinates between Latitude & Longitude format and Degrees, and it can also draw range rings around a coordinate in Google Maps under the section "Draw range rings around a point". Triangulation and range rings shows an example of range rings.
rchougale 11-16-2015 11:08 AM
Overview
WildFire allows users to submit files to the Palo Alto Networks secure, cloud-based, virtualized environment where they are automatically analyzed for malicious activity. Palo Alto Networks lets the file run in a vulnerable environment and watches for specific malicious behaviors and techniques, such as modifying system files, disabling security features, or using a variety of methods to evade detection. Zipped and compressed HTTP (GZIP) files are inspected and any internal EXE and DLL files can be submitted for analysis. The WildFire portal can be used to view the detailed analysis of the analyzed files to see which users were targeted, the applications used, and the malicious behavior observed. The WildFire portal can also be configured to send email notifications when results are available for review.

Topology

How to configure:
Go to Device > Setup > WildFire tab. Choose the default-cloud and a maximum file size of 2MB. Specify the information to be forwarded to the WildFire server:
Source IP—Source IP address that sent the suspected file.
Source Port—Source port that sent the suspected file.
Destination IP—Destination IP address for the suspected file.
Destination Port—Destination port for the suspected file.
Vsys—Firewall virtual system that identified the possible malware.
Application—User application that was used to transmit the file.
User—Targeted user.
URL—URL associated with the suspected file.
Filename—Name of the file that was sent.

By default, all the options are selected, but they are not required for WildFire to work. Deselect any information that should not be sent to the WildFire cloud.

If a Decryption policy is used, WildFire can be enabled to upload the decrypted files. Go to Device > Setup > Content-ID and enable "Allow Forwarding of Decrypted Content." By default, files that are decrypted are not forwarded to the WildFire cloud, so adjusting this value in PAN-OS 6.0 changes that behavior.

Go to Objects > Security Profiles > File Blocking. Add a rule and enter a rule name (up to 31 characters).
• Applications—Select any.
• File Types—Select the file types exe, dll.
• Direction—Select the direction of the file transfer (Upload, Download, or Both).
• Action—Select the action taken when the selected file types are detected: forward (the file is automatically sent to WildFire).

Apply the File Blocking profile in Policies > Security to the rule on which WildFire protection should be applied. Click OK. Commit the configuration.

WildFire CLI commands
After the basic configuration is complete, the following commands provide the details of the best server selected. To test the connectivity:
> test wildfire registration
This test may take a few minutes to finish. Do you want to continue? (y or n)
Test wildfire
        wildfire registration:        successful
        download server list:         successful
        select the best server:       va-s1.wildfire.paloaltonetworks.com

Initial registration can be done only on the active unit in an Active/Passive cluster.

Note: Do not use PING to test connectivity to the server. Ping requests are disabled on the WildFire server. The best practice to test connectivity is to Telnet to the server on port 443.

To verify whether any files have been forwarded to the server, use the following command:
> show wildfire status
Connection info:
        Wildfire cloud:                default cloud
        Status:                        Idle
        Best server:                   va-s1.wildfire.paloaltonetworks.com
        Device registered:             yes
        Service route IP address:      10.30.24.52
        Signature verification:        enable
        Server selection:              enable
        Through a proxy:               no
Forwarding info:
        file size limit (MB):                  2
        file idle time out (second):           90
        total file forwarded:                  0
        forwarding rate (per minute):          0
        concurrent files:                      0

The "total file forwarded" counter provides the number of files forwarded to the server.

To view the count of how many PE files have been checked, found to be clean or uploaded, issue the command:
> show wildfire statistics
statistics for wildfire
DP receiver reset count:                  12
File caching reset cnt:                   12
FWD_ERR_CONN_FAIL                         1
data_buf_meter                            0%
msg_buf_meter                             0%
ctrl_msg_buf_meter                        0%
fbf_buf_meter                             0%

To view WildFire Logs
Go to Monitor > Logs > Data Filtering. Use the data filtering logs to check the status of the file. If you see only "forward" with no "wildfire-upload-success" or "wildfire-upload-skip", then the file is either signed by a trusted file signer or a benign sample the cloud has already seen.

Below is an explanation of the possible actions:

forward
The data plane detected a potentially executable file on a WildFire-enabled policy. The file is buffered in the management plane. If only "forward" is displayed for a specific file, then the file is either signed by a trusted file signer or a benign sample that the cloud has already seen. In either case, no further action is performed on the file and no further information is sent to the cloud (not even session information for previously seen benign files). There will not be an entry in the WildFire web portal for these files.

wildfire-upload-success
The file was not signed by a trusted signer and has not yet been seen by the cloud. In this case, the file (and session info) was uploaded to the cloud for analysis.

wildfire-upload-skip
The file was already seen by the cloud. If the file had previously been determined to be malicious, then the report generated when the verdict was made appears on the WildFire server. If the file was determined to be benign, then the report is not shown on the WildFire server.

WildFire Portal
To access the WildFire portal, go to https://wildfire.paloaltonetworks.com and log in using your Palo Alto Networks support credentials or your WildFire account. The portal opens to display the dashboard, which lists summary report information for all of the firewalls associated with the specific WildFire account or support account, as well as any files that have been uploaded manually. The display includes the number of analyzed files and indicates how many are infected with malware, benign, or pending analysis.

Other useful commands are:
> show wildfire disk-usage
> debug wildfire dp-status

See Also
Not All Files Appear on the WildFire Portal When Logs Show the Wildfire-Upload-Skip Message

owner: rhirannaiah
rhirannaiah 10-28-2015 12:24 AM
When submitting application requests or information about a possible bug to Support, please provide the documentation listed for the following types:

App Bugs and App Requests
Application Name
Application URL
Packet Capture

Spyware Bugs (all spyware communication related bugs)
Threat ID range is 10000 to 20000
Threat ID
Packet Capture
Sample of the spyware

Virus (any sample/malware download/upload false positive, or false negative (bypass of the firewall))
Virus threat ID range is from 100,000 to over 1,000,000
The threat ID triggered
Samples
URL associated with the bug

Vulnerability (any vulnerability related bugs, anything related to exploits or attacks)
The threat ID range for vulnerability is from 30000 to 50000
Threat ID
Packet Capture
Reference URL

owner: panagent
nrice 09-25-2015 01:28 PM
Details
To install custom response pages in languages such as Japanese or Chinese on the Palo Alto Networks firewall, save the HTML page in UTF-8 encoding.

In this example, a "URL Filtering and Category Match Block Page" translated to Japanese is being deployed:
From the Palo Alto Networks firewall, go to Device > Response Pages.
Select "URL Filtering and Category Match Block Page", check the Predefined box on the left and click Export; a url-block-page.txt file will be downloaded by the browser.
(Windows) Open the downloaded url-block-page.txt file with Notepad.
(Linux or Mac) Open the downloaded url-block-page.txt file with vi. As shown in the example below, the file encoding is us-ascii (ANSI); edit the file with vi.
Translate the wanted text to the target language; this can be done with a tool like Google Translate. For this example, Japanese is being used. Select the Japanese text and paste it into Notepad or vi.
(Windows) As shown below, the Japanese text is pasted into Notepad. Save the file in Notepad using the "Save As" option. From the Encoding drop-down list, select "UTF-8" for the file encoding.
(Linux or Mac) For vi, enter the following commands before pasting:
:set bomb
:set fileencoding=utf-8
As shown below, paste the text in Japanese. Save and quit with the command:
:wq
Verify that the file is now encoded with UTF-8, as shown in the following example.
Go back to the firewall WebUI, select "URL Filtering and Category Match Block Page", click "Import", browse for the modified url-block-page.txt file, and click OK.
Commit; the response page with foreign language characters will now be installed.

Note: Custom response pages are a global setting (per vsys). If the file is saved with the "Unicode" encoding, there will be an error when importing the HTML file to the firewall.

owner: mivaldi
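As an added example (not code from the article or the firewall), the Python check below reports the encoding of an exported url-block-page.txt, flags the Notepad "Unicode" (UTF-16 LE with BOM) case that fails on import, and rewrites the file as UTF-8 with a BOM, the same result as the vi :set bomb and :set fileencoding=utf-8 steps. The sample Japanese page content and the notepad_unicode() helper are constructed for the demonstration.

```python
import codecs
import sys
from pathlib import Path

# Byte-order marks the check recognises. Notepad's "Unicode" choice writes UTF-16 LE
# with a BOM, which is the encoding the article warns fails on import.
BOM_TABLE = (
    (codecs.BOM_UTF8, "utf-8-sig"),
    (codecs.BOM_UTF16_LE, "utf-16-le"),
    (codecs.BOM_UTF16_BE, "utf-16-be"),
)
IMPORT_SAFE = {"us-ascii", "utf-8", "utf-8-sig"}


def detect_encoding(data: bytes) -> str:
    """Classify the raw bytes of a response page file."""
    for bom, name in BOM_TABLE:
        if data.startswith(bom):
            return name
    try:
        data.decode("ascii")
        return "us-ascii"
    except UnicodeDecodeError:
        pass
    try:
        data.decode("utf-8")
        return "utf-8"
    except UnicodeDecodeError:
        return "unknown"


def decode_page(data: bytes) -> str:
    """Decode the page text, stripping any BOM that was found."""
    enc = detect_encoding(data)
    if enc == "unknown":
        raise ValueError("file is neither ASCII, UTF-8 nor BOM-marked UTF-16")
    if enc == "utf-8-sig":
        return data.decode("utf-8-sig")
    if enc.startswith("utf-16"):
        return data[2:].decode(enc)
    return data.decode("utf-8")   # us-ascii is a subset of UTF-8


def is_import_safe(data: bytes) -> bool:
    """True when the firewall will accept the file as UTF-8 (or plain ASCII)."""
    return detect_encoding(data) in IMPORT_SAFE


def to_utf8(data: bytes, with_bom: bool = True) -> bytes:
    """Re-encode as UTF-8; with_bom mirrors vi's ':set bomb' before ':set fileencoding=utf-8'."""
    out = decode_page(data).encode("utf-8")
    return codecs.BOM_UTF8 + out if with_bom else out


# Constructed sample: a minimal Japanese block page (not the firewall's real template).
SAMPLE_PAGE = (
    "<html><head><meta http-equiv=\"Content-Type\" content=\"text/html; charset=utf-8\">"
    "</head>\n<body><h1>このページはブロックされました</h1></body></html>\n"
)


def notepad_unicode(text: str) -> bytes:
    """Constructed helper: what Notepad's 'Unicode' Save As produces (UTF-16 LE with BOM)."""
    return codecs.BOM_UTF16_LE + text.encode("utf-16-le")


def convert_file(path: Path) -> str:
    """Rewrite a response page in place as UTF-8 with BOM; returns the encoding found."""
    data = path.read_bytes()
    enc = detect_encoding(data)
    if not is_import_safe(data):
        path.write_bytes(to_utf8(data))
    return enc


if __name__ == "__main__":
    if len(sys.argv) > 1:
        print("was:", convert_file(Path(sys.argv[1])))
    else:
        wrong = notepad_unicode(SAMPLE_PAGE)
        print("Notepad 'Unicode' file:", detect_encoding(wrong), "import safe:", is_import_safe(wrong))
        fixed = to_utf8(wrong)
        print("after conversion:", detect_encoding(fixed), "import safe:", is_import_safe(fixed))
```

Run it with the exported file as the only argument to convert a real url-block-page.txt before importing it.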
mivaldi 09-11-2015 02:36 AM
Issue
When trying to delete a custom URL category that is being used in a URL filtering profile, the following error appears:
1-Failed to delete Custom URL Category - custom.

Resolution
Go to the appropriate URL Filtering Profile and select "none" for the action of the custom category, as in the example shown below. The custom URL category can now be successfully deleted.

See Also
How to Delete a Custom URL Category on the CLI

owner: rrajendran
rrajendran 09-10-2015 05:35 AM