Configuration Articles

Featured Article
This document is a 'how to' guide to configuring Captive Portal in a Vwire deployment. It covers implementing either Transparent or Redirect mode, the latter with Client Certificate Authentication.

Transparent Mode:

Transparent: the firewall intercepts the browser traffic per the Captive Portal rule and impersonates the original destination URL, issuing an HTTP 401 to invoke authentication. However, because the firewall does not have the real certificate for the destination URL, the browser will display a certificate error to users attempting to access a secure site. Therefore you should only use this mode when absolutely necessary, such as in a Layer 2 or virtual wire deployment.

1. Generate the Captive Portal Server Certificate. In this instance, I'm using the Trusted Root CA that is also used to sign the intermediate/client certificate. You can certainly create a separate Server Certificate if you wish.

2. Create the authentication profile to use. In this case, LDAP is used to authenticate unknown users.

3. Enable Captive Portal using Transparent Mode. As noted, we are using the previously created LDAP authentication profile and the Captive Portal Server Certificate.

4. Configure your Captive Portal Policies. (Note: to trigger Captive Portal on SSL-enabled websites, SSL Decryption will need to be enabled.)

5. After committing your changes, open a web browser on a system behind the Vwire Trust zone (the source IP must be an unknown user, otherwise you will not get a Captive Portal prompt; also make sure this zone is enabled for User Identification). My host IP is 192.168.125.111 and it is currently unknown in the PA's ip-user-mapping:

admin@lab-26-PA5050> show user ip-user-mapping all

admin@lab-26-PA5050>

As previously mentioned, when using Transparent mode, all browsers will issue a warning indicating that the destination URL does not match the common name found in the certificate.

After accepting the exception for the common name mismatch, you will be presented with the Captive Portal web form requesting the credentials to authenticate the user.

Upon completing the web form and entering the correct credentials, the user is redirected to the originally requested URL/website.

The session table and IP mapping will then appear as follows:

admin@lab-26-PA5050> show user ip-user-mapping all

IP              Vsys   From    User                             IdleTimeout(s) MaxTimeout(s)
--------------- ------ ------- -------------------------------- -------------- -------------
192.168.125.111 vsys1  CP      rkalugdan                        888            3462
Total: 1 users

admin@lab-26-PA5050> show session id 33570653

Session        33570653

        c2s flow:
                source:      192.168.125.111 [vtrust]
                dst:         209.95.138.162
                proto:       6
                sport:       39066           dport:      80
                state:       ACTIVE          type:       FLOW
                src user:    rkalugdan          <==================================== via Captive Portal
                dst user:    unknown

        s2c flow:
                source:      209.95.138.162 [vuntrust]
                dst:         192.168.125.111
                proto:       6
                sport:       80              dport:      39066
                state:       ACTIVE          type:       FLOW
                src user:    unknown
                dst user:    rkalugdan

        DP                                   : 1
        index(local):                        : 16221
        start time                           : Tue Jan 27 08:27:52 2015
        timeout                              : 3600 sec
        time to live                         : 3593 sec
        total byte count(c2s)                : 1381
        total byte count(s2c)                : 1006
        layer7 packet count(c2s)             : 13
        layer7 packet count(s2c)             : 12
        vsys                                 : vsys1
        application                          : web-browsing
        rule                                 : vwire
        session to be logged at end          : True
        session in session ager              : True
        session updated by HA peer           : False
        layer7 processing                    : enabled
        URL filtering enabled                : True
        URL category                         : content-delivery-networks
        session via syn-cookies              : False
        session terminated on host           : False
        session traverses tunnel             : False
        captive portal session               : False
        ingress interface                    : ethernet1/6
        egress interface                     : ethernet1/4
        session QoS rule                     : N/A (class 4)
        end-reason                           : unknown

Redirect Mode:

Redirect: the firewall intercepts unknown HTTP or HTTPS sessions and redirects them to a Layer 3 interface on the firewall using an HTTP 302 redirect in order to perform authentication. This is the preferred mode because it provides a better end-user experience (no certificate errors). However, it does require additional Layer 3 configuration. Another benefit of Redirect mode is that it provides for the use of session cookies, which enable the user to continue browsing to authenticated sites without requiring re-mapping each time the timeouts expire. This is especially useful for users who roam from one IP address to another (for example, from the corporate LAN to the wireless network) because they will not need to re-authenticate upon IP address change as long as the session stays open. In addition, if you plan to use NTLM authentication, you must use Redirect mode because the browser will only provide credentials to trusted sites.

(To use Captive Portal in Redirect mode, you must enable Response Pages on the Interface Management Profile assigned to the Layer 3 interface to which you are redirecting the Captive Portal.)

In this example, I've generated a Trusted Root CA and an intermediate CA, which in turn signs the client certificate used for client certificate authentication. For the Trusted CA, which will be used as the Captive Portal Server certificate, I will use 'cpcaroot.pantac2008.com' as the CN, and the client cert will have 'renato' as its CN. We will use 'renato' to identify the user being captive portal'd via the client certificate profile.

The 'CA_Root' and 'intermediate' certificates are exported in PEM format from the PA and imported into the client host. This can be done more seamlessly in a production environment via GPO. In this scenario, I've imported them into the Trusted Root and Intermediate CA stores respectively.

The client certificate signed by the intermediate cert will need to be exported in PKCS12 format, as both the private and public keys are required for this to work. It is then imported into the Personal certificate store.

The same Captive Portal Policies apply as in Transparent mode.

Create the Certificate Profile to use for Client Certificate Authentication. Add both the Trusted Root CA and the Intermediate CA under the CA Certificates option. The Username Field will be 'Subject', defaulting to common-name. You can modify this option to help identify your users. As mentioned, we'll be using the CN 'renato' to identify the Captive Portal user by choosing Subject in the Username Field.

Enable Captive Portal and choose 'Redirect' mode. This enables other fields that require your attention. I'm using the same Trusted Root CA as the server certificate; the CN used was 'cpcaroot.pantac2008.com'. This will be the Redirect Host configured, and we then point to the client certificate profile previously created.

In this example, I have to make sure my host machine knows how to reach 'cpcaroot.pantac2008.com', so I configure the hosts file accordingly. This should not be a problem in a production environment if DNS is able to resolve the FQDN defined as your Redirect Host, which should also match the CN of your server certificate.

Windows hosts file output:

# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
#
192.168.125.2     cpcaroot.pantac2008.com

In a Vwire deployment using Redirect mode, we need to burn an L3 interface on the PA device to make this functional. The interface is assigned to the L3-Trust zone and has a management profile enabled with, at the very least, Response Pages. Notice the IP address used is 192.168.125.2, which is where my system will be redirected once Captive Portal is triggered, given the use of the CN 'cpcaroot.pantac2008.com' in the Captive Portal Server Certificate.

Also keep in mind that the redirect host needs to be in the same broadcast domain as the client so that it will respond to ARP requests accordingly. If the Captive Portal redirect interface is outside the client's broadcast domain and the traffic needs to traverse the vwire, you will need to create an exception policy that exempts traffic destined to this interface from Captive Portal intervention.

Here's the screenshot of the host attempting to open a socket to www.google.com. The browser then submits the client cert to the PA device, as we're using client certificate authentication instead of LDAP in this scenario. I subsequently redirect the browser to www.jimmyr.com; I'm now presented with the web page, and Captive Portal has identified me as 'renato' per my client certificate.

Previously seen as unknown for 192.168.125.223:

admin@lab-26-PA5050> show user ip-user-mapping all

IP              Vsys   From    User                             IdleTimeout(s) MaxTimeout(s)
--------------- ------ ------- -------------------------------- -------------- -------------
192.168.125.223 vsys1  Unknown unknown                          2              5
Total: 1 users

Upon completing the client certificate authentication, the PA now reflects the following:

admin@lab-26-PA5050> show log system direction equal backward
2015/01/27 09:05:58 info     general        general 0  User admin logged in via CLI from 192.168.125.223
2015/01/27 09:05:58 info     general        auth-su 0  User 'admin' authenticated.   From: 192.168.125.223.
2015/01/27 09:05:40 info     general        general 0  Captive Portal authentication succeeded for user: renato on 192.168.125.223, vsys1
2015/01/27 09:05:40 info     general        general 0  Captive Portal client certificate authentication successful from ::ffff:192.168.125.223.

admin@lab-26-PA5050> show user ip-user-mapping all

IP              Vsys   From    User                             IdleTimeout(s) MaxTimeout(s)
--------------- ------ ------- -------------------------------- -------------- -------------
192.168.125.223 vsys1  CP      renato                           899            3518
192.168.125.111 vsys1  CP      rkalugdan                        261            1037
Total: 2 users

admin@lab-26-PA5050> show session id 33571113

Session        33571113

        c2s flow:
                source:      192.168.125.223 [vtrust]
                dst:         216.58.216.2
                proto:       6
                sport:       51049           dport:      80
                state:       ACTIVE          type:       FLOW
                src user:    renato   <======================================================
                dst user:    unknown

        s2c flow:
                source:      216.58.216.2 [vuntrust]
                dst:         192.168.125.223
                proto:       6
                sport:       80              dport:      51049
                state:       ACTIVE          type:       FLOW
                src user:    unknown
                dst user:    renato

        DP                                   : 1
        index(local):                        : 16681
        start time                           : Tue Jan 27 09:05:41 2015
        timeout                              : 3600 sec
        time to live                         : 3580 sec
        total byte count(c2s)                : 3637
        total byte count(s2c)                : 9854
        layer7 packet count(c2s)             : 10
        layer7 packet count(s2c)             : 14
        vsys                                 : vsys1
        application                          : web-browsing
        rule                                 : vwire
        session to be logged at end          : True
        session in session ager              : True
        session updated by HA peer           : False
        layer7 processing                    : enabled
        URL filtering enabled                : True
        URL category                         : web-advertisements
        session via syn-cookies              : False
        session terminated on host           : False
        session traverses tunnel             : False
        captive portal session               : False
        ingress interface                    : ethernet1/6
        egress interface                     : ethernet1/4
        session QoS rule                     : N/A (class 4)
        end-reason                           : unknown

Here's an example of client certificate authentication using an Ubuntu client with Firefox as the browser. I've installed the Root CA and intermediate certificate in Firefox's trusted store, whereas the client certificate is placed in the 'Your Certificates' store.

Firefox presents the client certificate upon the user's attempt to access www.jimmyr.com, and finally the originally requested website is presented to the user.

PA CLI output for the syslog and ip-user-mapping:

admin@lab-26-PA5050> show user ip-user-mapping all

IP              Vsys   From    User                             IdleTimeout(s) MaxTimeout(s)
--------------- ------ ------- -------------------------------- -------------- -------------
192.168.125.111 vsys1  CP      renato                           893            3561
Total: 1 users

admin@lab-26-PA5050> show log system direction equal backward
Time                Severity Subtype        Object  EventID ID Description
===============================================================================
2015/01/27 13:24:07 info     general        general 0  Accepted keyboard-interactive/pam for admin from 192.168.125.111 port 50672 ssh2
2015/01/27 13:23:45 info     general        general 0  User admin logged in via CLI from 192.168.125.111
2015/01/27 13:23:44 info     general        auth-su 0  User 'admin' authenticated.   From: 192.168.125.111.
2015/01/27 13:23:11 info     general        general 0  Captive Portal authentication succeeded for user: renato on 192.168.125.111, vsys1
2015/01/27 13:23:11 info     general        general 0  Captive Portal client certificate authentication successful from ::ffff:192.168.125.111.

The following is an example from a macOS client using the Chrome browser. We've copied the same certs into the Keychain Access 'Certificates' and 'My Certificates' folders respectively.

As you can see once again, the PA requests client certificate authentication and Chrome presents the client certificate as expected.

admin@lab-26-PA5050> show user ip-user-mapping all

IP              Vsys   From    User                             IdleTimeout(s) MaxTimeout(s)
--------------- ------ ------- -------------------------------- -------------- -------------
192.168.125.113 vsys1  Unknown unknown                          3              6
Total: 1 users

admin@lab-26-PA5050> show user ip-user-mapping all

IP              Vsys   From    User                             IdleTimeout(s) MaxTimeout(s)
--------------- ------ ------- -------------------------------- -------------- -------------
192.168.125.113 vsys1  CP      renato                           899            3585
Total: 1 users

Time                Severity Subtype        Object  EventID ID Description
===============================================================================
2015/01/27 13:00:40 info     general        general 0  WildFire update job succeeded  for user Auto update agent
2015/01/27 13:00:39 info     general        general 0  Wildfire package upgraded from version <unknown version> to 51969-58674 by Auto update agent
2015/01/27 13:00:37 info     general        general 0  Installed wildfire package: panup-all-wildfire-51969-58674.tgz
2015/01/27 13:00:35 info     general        general 0  WildFire version 51969-58674 downloaded by Auto update agent
2015/01/27 13:00:34 info     general        general 0  Connection to Update server:  completed successfully, initiated by 10.46.32.26
2015/01/27 13:00:23 info     general        general 0  Connection to Update server: updates.paloaltonetworks.com completed successfully, initiated by 10.46.32.26
2015/01/27 13:00:21 info     general        general 0  Connection to Update server: updates.paloaltonetworks.com completed successfully, initiated by 10.46.32.26
2015/01/27 13:00:20 info     general        general 0  Captive Portal authentication succeeded for user: renato on 192.168.125.113, vsys1
2015/01/27 13:00:20 info     general        general 0  Captive Portal client certificate authentication successful from ::ffff:192.168.125.113.
gswcowboy, 09-14-2018 11:44 AM
To open a case with Technical Support, please see the following article that describes how to open a Support Case. How to Use the New Web-Based Case Creation Wizard!
nrice, 05-05-2018 04:16 PM
Enabling SSO on Aperture requires information from your IdP. The following section provides details on how to add Aperture as an application on your IdP and then use information from your IdP to configure SSO on Aperture. Okta is used as the IdP.
ptarra, 04-23-2018 08:33 AM
To configure Multicast L3 with PIM Sparse Mode when the firewall is not the rendezvous point:

1. Go to Network > Virtual Routers and select the desired virtual router.
2. Click Multicast.
3. Enable Multicast globally by checking the box.
3a. Next, add the Remote Rendezvous Point by clicking "Add".
4. Go to Interfaces and click Add. Add the interfaces that will participate in Multicast.
5. Under Group Permissions, add the multicast groups for which the traffic is permitted.
6. Make sure to enable IGMP on the interface facing the client.
7. Make sure PIM is enabled on the interface connecting to the RP.
8. Configure a security policy to allow the traffic. The destination zone should be 'multicast' and the destination address can be the multicast group addresses.
9. Commit the configuration.

owner: nayubi
npare, 04-20-2018 02:24 PM
Details

Log in using the default username and password: admin/admin

HyperTerminal settings:
  Bits per second: 9600
  Data bits: 8
  Parity: none
  Stop bits: 1
  Flow control: none

Once logged in, run the following CLI commands:

> configure        (enter configuration mode)
# set deviceconfig system ip-address 10.1.1.1 netmask 255.255.255.0 default-gateway 10.1.1.2 dns-setting servers primary 4.2.2.2
# commit

owner: jnguyen
jnguyen, 04-03-2018 11:19 AM
Details

Previously, the DP would aggregate all packet-diag logs into a single file directly on the DP itself. Starting from PAN-OS 5.0, instead of letting the DP write the aggregated log, aggregation is performed with a new operational CLI command that is run after the dataplane debug is completed.

Run the following CLI command:

> debug dataplane packet-diag aggregate-logs

Note: Be sure to do this AFTER disabling the dataplane debug logging (such as flow basic) using the command debug dataplane packet-diag set log off. Wait 10-20 seconds after the logging is stopped before starting the aggregation into a single file. A dataplane (DP) kernel flush needs to occur before all the information in the log files can be retrieved. You can force the flagged sessions to be ended by executing this command:

> debug dataplane packet-diag clear filter-marked-session all

This will result in all DP pan_task logs being aggregated into a single pan_packet_diag.log file. Use tail or less dp-log pan_packet_diag.log to view the output.

Note that although each pan_task log is aggregated within a single DP log file, each DP generates its own log file. So for multi-DP platforms (PA-5000 and PA-7000 series), each DP log is separate. For the 5000 series, use dpX-log instead of dp-log, where X is the DP number (i.e. dp0-log, dp1-log). For the 7000 series, use sXdpY-log, where X is the NPC slot number and Y is the DP number within that slot (i.e. s1dp0-log, s7dp1-log).

Note: On a PA-200, view the logs with the following CLI command:

> less mp-log pan_task_1.log

For more details on how to enable the flow basic dataplane debug, refer to the following article: Packet Capture, Debug Flow-basic and Counter Commands

owner: rkim
rkim, 02-12-2018 12:41 PM
Overview

This document describes the CLI commands to add/create management users, assign them roles, and set their passwords.

Steps

Creating/Adding Users

1. Log in to the CLI.
2. Go into configure mode:
   > configure
3. Create/Add a management user and assign a password:
   # set mgt-config users <name> password
   Note: If <name> does not exist, the user will be created.
4. Set the role for the specified user:
   # set mgt-config users <name> permissions role-based <role profile>
   where the role profile is one of: custom, deviceadmin, devicereader, superreader, superuser.
5. Commit:
   # commit

Changing the password for a user

1. Go into configure mode:
   > configure
2. Enter the new password, which will override the existing one:
   # set mgt-config users admin password
3. Commit:
   # commit

WebGUI

For information on performing these steps in the WebGUI, and on creating granular Admin Role profiles, see the Administrator's Guide for each version, listed below:

PAN-OS 7.0 Administrator's Guide
PAN-OS 7.1 Administrator's Guide
PAN-OS 8.0 Administrator's Guide

owner: sraghunandan
sraghunandan, 01-18-2018 12:04 PM
In PAN-OS 8.0 and later, the security policy rule creation window does not show a legend for each Region Code. We have created the following table for your reference, organized by Region Code.

Region code   Description
A1            Anonymous Proxy
A2            Satellite ISPs

ISO 3166-1 alpha-2 code   Country name
AD  ANDORRA
AE  UNITED ARAB EMIRATES
AF  AFGHANISTAN
AG  ANTIGUA AND BARBUDA
AI  ANGUILLA
AL  ALBANIA
AM  ARMENIA
AO  ANGOLA
AQ  ANTARCTICA
AR  ARGENTINA
AS  AMERICAN SAMOA
AT  AUSTRIA
AU  AUSTRALIA
AW  ARUBA
AX  ALAND ISLANDS
AZ  AZERBAIJAN
BA  BOSNIA AND HERZEGOVINA
BB  BARBADOS
BD  BANGLADESH
BE  BELGIUM
BF  BURKINA FASO
BG  BULGARIA
BH  BAHRAIN
BI  BURUNDI
BJ  BENIN
BL  SAINT BARTHELEMY
BM  BERMUDA
BN  BRUNEI DARUSSALAM
BO  BOLIVIA, PLURINATIONAL STATE OF
BQ  BONAIRE, SAINT EUSTATIUS AND SABA
BR  BRAZIL
BS  BAHAMAS
BT  BHUTAN
BV  BOUVET ISLAND
BW  BOTSWANA
BY  BELARUS
BZ  BELIZE
CA  CANADA
CC  COCOS (KEELING) ISLANDS
CD  CONGO, THE DEMOCRATIC REPUBLIC OF THE
CF  CENTRAL AFRICAN REPUBLIC
CG  CONGO
CH  SWITZERLAND
CI  COTE D'IVOIRE
CK  COOK ISLANDS
CL  CHILE
CM  CAMEROON
CN  CHINA
CO  COLOMBIA
CR  COSTA RICA
CU  CUBA
CV  CAPE VERDE
CW  CURACAO
CX  CHRISTMAS ISLAND
CY  CYPRUS
CZ  CZECH REPUBLIC
DE  GERMANY
DJ  DJIBOUTI
DK  DENMARK
DM  DOMINICA
DO  DOMINICAN REPUBLIC
DZ  ALGERIA
EC  ECUADOR
EE  ESTONIA
EG  EGYPT
EH  WESTERN SAHARA
ER  ERITREA
ES  SPAIN
ET  ETHIOPIA
FI  FINLAND
FJ  FIJI
FK  FALKLAND ISLANDS (MALVINAS)
FM  MICRONESIA, FEDERATED STATES OF
FO  FAROE ISLANDS
FR  FRANCE
GA  GABON
GB  UNITED KINGDOM
GD  GRENADA
GE  GEORGIA
GF  FRENCH GUIANA
GG  GUERNSEY
GH  GHANA
GI  GIBRALTAR
GL  GREENLAND
GM  GAMBIA
GN  GUINEA
GP  GUADELOUPE
GQ  EQUATORIAL GUINEA
GR  GREECE
GS  SOUTH GEORGIA AND THE SOUTH SANDWICH ISLANDS
GT  GUATEMALA
GU  GUAM
GW  GUINEA-BISSAU
GY  GUYANA
HK  HONG KONG
HM  HEARD ISLAND AND MCDONALD ISLANDS
HN  HONDURAS
HR  CROATIA
HT  HAITI
HU  HUNGARY
ID  INDONESIA
IE  IRELAND
IL  ISRAEL
IM  ISLE OF MAN
IN  INDIA
IO  BRITISH INDIAN OCEAN TERRITORY
IQ  IRAQ
IR  IRAN, ISLAMIC REPUBLIC OF
IS  ICELAND
IT  ITALY
JE  JERSEY
JM  JAMAICA
JO  JORDAN
JP  JAPAN
KE  KENYA
KG  KYRGYZSTAN
KH  CAMBODIA
KI  KIRIBATI
KM  COMOROS
KN  SAINT KITTS AND NEVIS
KP  KOREA, DEMOCRATIC PEOPLE'S REPUBLIC OF
KR  KOREA, REPUBLIC OF
KW  KUWAIT
KY  CAYMAN ISLANDS
KZ  KAZAKHSTAN
LA  LAO PEOPLE'S DEMOCRATIC REPUBLIC
LB  LEBANON
LC  SAINT LUCIA
LI  LIECHTENSTEIN
LK  SRI LANKA
LR  LIBERIA
LS  LESOTHO
LT  LITHUANIA
LU  LUXEMBOURG
LV  LATVIA
LY  LIBYAN ARAB JAMAHIRIYA
MA  MOROCCO
MC  MONACO
MD  MOLDOVA, REPUBLIC OF
ME  MONTENEGRO
MF  SAINT MARTIN (FRENCH PART)
MG  MADAGASCAR
MH  MARSHALL ISLANDS
MK  MACEDONIA, THE FORMER YUGOSLAV REPUBLIC OF
ML  MALI
MM  MYANMAR
MN  MONGOLIA
MO  MACAO
MP  NORTHERN MARIANA ISLANDS
MQ  MARTINIQUE
MR  MAURITANIA
MS  MONTSERRAT
MT  MALTA
MU  MAURITIUS
MV  MALDIVES
MW  MALAWI
MX  MEXICO
MY  MALAYSIA
MZ  MOZAMBIQUE
NA  NAMIBIA
NC  NEW CALEDONIA
NE  NIGER
NF  NORFOLK ISLAND
NG  NIGERIA
NI  NICARAGUA
NL  NETHERLANDS
NO  NORWAY
NP  NEPAL
NR  NAURU
NU  NIUE
NZ  NEW ZEALAND
OM  OMAN
PA  PANAMA
PE  PERU
PF  FRENCH POLYNESIA
PG  PAPUA NEW GUINEA
PH  PHILIPPINES
PK  PAKISTAN
PL  POLAND
PM  SAINT PIERRE AND MIQUELON
PN  PITCAIRN
PR  PUERTO RICO
PS  PALESTINIAN TERRITORY, OCCUPIED
PT  PORTUGAL
PW  PALAU
PY  PARAGUAY
QA  QATAR
RE  REUNION
RO  ROMANIA
RS  SERBIA
RU  RUSSIAN FEDERATION
RW  RWANDA
SA  SAUDI ARABIA
SB  SOLOMON ISLANDS
SC  SEYCHELLES
SD  SUDAN
SE  SWEDEN
SG  SINGAPORE
SH  SAINT HELENA, ASCENSION AND TRISTAN DA CUNHA
SI  SLOVENIA
SJ  SVALBARD AND JAN MAYEN
SK  SLOVAKIA
SL  SIERRA LEONE
SM  SAN MARINO
SN  SENEGAL
SO  SOMALIA
SR  SURINAME
ST  SAO TOME AND PRINCIPE
SV  EL SALVADOR
SX  SINT MAARTEN (DUTCH PART)
SY  SYRIAN ARAB REPUBLIC
SZ  SWAZILAND
TC  TURKS AND CAICOS ISLANDS
TD  CHAD
TF  FRENCH SOUTHERN TERRITORIES
TG  TOGO
TH  THAILAND
TJ  TAJIKISTAN
TK  TOKELAU
TL  TIMOR-LESTE
TM  TURKMENISTAN
TN  TUNISIA
TO  TONGA
TR  TURKEY
TT  TRINIDAD AND TOBAGO
TV  TUVALU
TW  TAIWAN, PROVINCE OF CHINA
TZ  TANZANIA, UNITED REPUBLIC OF
UA  UKRAINE
UG  UGANDA
UM  UNITED STATES MINOR OUTLYING ISLANDS
US  UNITED STATES
UY  URUGUAY
UZ  UZBEKISTAN
VA  HOLY SEE (VATICAN CITY STATE)
VA  VATICAN CITY STATE
VC  SAINT VINCENT AND THE GRENADINES
VE  VENEZUELA, BOLIVARIAN REPUBLIC OF
VG  VIRGIN ISLANDS, BRITISH
VI  VIRGIN ISLANDS, U.S.
VN  VIET NAM
VU  VANUATU
WF  WALLIS AND FUTUNA
WS  SAMOA
YE  YEMEN
YT  MAYOTTE
ZA  SOUTH AFRICA
ZM  ZAMBIA
ZW  ZIMBABWE

This reference can also be used to determine the meaning of each code: http://www.ip2country.net/ip2country/country_code.html
mdensley, 12-04-2017 05:17 PM
This document specifies how to apply QoS for streaming media websites.

Refer to the following topology: Ethernet 1/3 is the LAN interface and Ethernet 1/1 is the WAN interface.

1. Create a QoS profile. [Screenshot: Create the QoS profile]

2. Categorize the traffic into a specific class with the help of a QoS policy. [Screenshots: QoS policy Name, QoS policy Source, QoS policy Destination]
   You can add all the applications you want to limit [Screenshot: QoS policy Application], and/or you can set a URL filtering category [Screenshot: QoS policy URL Category].
   Finally, set the policy to match the class in the QoS profile you want it to match. [Screenshot: QoS policy Class]

3. Attach the QoS profile to the right interface. This is an important step: a QoS profile is applied to egressing packets, so the profile needs to be attached to the interface where the largest data stream exits the firewall. In this example internal clients are receiving streams from the internet, so the largest data flow goes from the internet to the client, and the QoS profile on the client-side interface is applied to limit the flow. [Screenshot: QoS Interface]

4. Check the QoS statistics. Go to Network > QoS, then select Statistics. [Screenshot: QoS bandwidth enforcement]

For more information on QoS, check out the following Getting Started article: Getting Started: Quality of Service
pankaku, 11-30-2017 06:31 AM
Overview

This document explains how to modify the predefined GlobalProtect Portal Login Page to add a company logo.

Steps

1. Navigate to Device > Response Pages.
2. Click GlobalProtect Portal Login Page.
3. Export the predefined page, then modify the HTML code by adding the company logo as shown below. The <img> line shows the URL where the image is located.

<HTML>
<HEAD>
<TITLE>Palo Alto Networks - GlobalProtect Portal</TITLE>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<link rel="stylesheet" type="text/css" href="/styles/falcon_content.css?v=@@version">
<img src="http://cdn.slidesharecdn.com/profile-photo-Palo_Alto_Networks-96x96.jpg?1382722588"/>
<style>
td {
  font-family: Verdana, Arial, Helvetica, sans-serif;
  font-weight: bold;
  color: black; /*#FFFFFF; */
}
.msg {
    background-color: #ffff99;
    border-width: 2px;
    border-color: #ff0000;
    border-style: solid;
    padding-left: 20px;
    padding-right: 20px;
    max-height: 150px;
    height: expression( this.scrollHeight > 150 ? "150px" : "auto" ); /* sets max-height for IE */
    overflow: auto;
}
.alert {font-weight: bold;color: red;}
</style>
</HEAD>
<BODY bgcolor="#F2F6FA">
  <table style="background-color: white; width:100%; height:45px; border-bottom: 2px solid #888888;">
  <tr style="background-image:url(/images/logo_pan_158.gif); background-repeat: no-repeat">
  <td align="left"> </td>
  </tr>
  </table>
  <div align="center">
  <h1>Palo Alto Networks - GlobalProtect Portal</h1>
  </div>
  <div id="formdiv">
<pan_form/>
</div>
</BODY>
</HTML>

4. Import the modified response page by navigating to Device > Response Pages > GlobalProtect Portal Login Page.
5. Go to Network > GlobalProtect > Portals. On the General tab, choose the Custom Login Page, or import the modified page directly from here.
6. The GlobalProtect Portal Login page is now displayed with the custom logo.

Note: Ensure that the image source URL in the HTML code is hosted on a server that is accessible to the remote GlobalProtect users.

See also: Customizing Response Pages

owner: gchandrasekaran
gchandrasekaran, 11-22-2017 05:47 AM
Details

It is possible to export/import a configuration file or a device state using the following commands from the CLI. You can export the running configuration or a previously saved backup.

Creating a backup config:

admin@PA-220> configure
Entering configuration mode
[edit]
admin@PA-220# save config to MyBackup.xml
Config saved to MyBackup.xml
[edit]

Exporting/Importing a configuration file:

admin@PA-220> tftp export configuration from MyBackup.xml to <tftphost>
admin@PA-220> scp export configuration from MyBackup.xml to user@<scphost>:/path
admin@PA-220> tftp import configuration from <tftphost> file <remotepath>
admin@PA-220> scp import configuration from user@<scphost>:/path

Exporting/Importing the device state:

admin@PA-220> tftp export device-state to <tftphost>
admin@PA-220> scp export device-state to username@<scphost>:/path
admin@PA-220> tftp import device-state from <tftphost> file <remotepath>
admin@PA-220> scp import device-state from username@<scphost>:/path

See Also: CLI Commands to Export/Import Configuration and Log Files
harshanatarajan, 11-19-2017 11:57 PM
Overview

This document describes how to change the system clock on a Palo Alto Networks firewall. The system clock can be changed from the web UI and from the CLI.

Details

From the web GUI, navigate to Device > Setup > Management and edit General Settings to change the Time and Date.

Note 1: The Date and Time settings for the firewall can only be changed on the firewall itself, even if it is managed by Panorama.

From the CLI, run the set clock date command. For example:

admin@anuragFW> set clock
+ date      YYYY/MM/DD
+ time      hh:mm:ss
  <Enter>   Finish input
admin@anuragFW> set clock date 2017/11/17 time 01:37:45

Note 2: System clock changes take effect immediately and do not require a commit.

owner: ansharma
pchanda ‎11-17-2017 12:38 AM
17,334 Views
1 Reply
PAN-OS 6.0 and later

Overview
Color Coded Tags were introduced in PAN-OS 6.0 and allow many types of objects to be categorized so that they are visually distinguishable. Administrators can easily determine whether a policy was created correctly by scanning it and confirming that the color coding of its objects follows the desired scheme.

Details
On the Device/Panorama GUI, navigate to the Objects tab. As shown below, the objects tree panel on the left side has a new tree node called "Tags" for color coded tag administration.

A tag object has three fields:
- Name
- Color
- Comments
The Name cannot contain a comma (,) since it is used as a separation character when assigning tags. The Color value of the tag object can be selected from a palette of 16 predefined colors. The default value is "None," which is no color. Selecting a color is not required when creating a tag.

The following objects in the Palo Alto Networks Device/Panorama can be used with the new tag attribute:
- Objects > Address
- Objects > Address Groups
- Objects > Services
- Objects > Service Groups
- Network > Zones
Note: When using Tags with Zones, the drop-down must be used instead of typing a generic name, because the Tag is not selectable while editing the Zone.

Policies already have tags, and these are now backed by the new tag object. The objects above all have a new tag column in their top-level grid. Only the first tag in an object may have color.

During the Add/Edit of any of the above objects the tags attribute can be specified, as shown below:

Tags can be selected from existing tags. Tag completion is case-insensitive. If the administrator adds a new tag, it is added as a tag object after "OK." The user can select a tag as the "colored tag" for an object while in the object/rule editor. The "colored tag" is saved as the first tag after "OK."

From policy tables, the user will see rule tags. Only the first tag in a rule may have color.

The following is an example of a Security Rulebase with no color tags used:

The following is an example of a Security Rulebase with color tags used for Zones and inside the objects:

Notice that the use of Color Tags makes the policy much easier to read.

Additional Details
- Tag name length is limited to 127 characters.
- There are only 16 colors; custom colors cannot be created.
- Multiple tags can use the same color.
- If an item has multiple tags with different colors, the first tag's color is displayed, so order matters.
- The config shows in the CLI as color# (1-16), for example: set tag test1 color color4
- Panorama can push tag color configs. If a pushed tag conflicts with an existing tag on the firewall, the device config takes priority. Likewise, if there is a conflict between a shared and a VSYS-specific object, the VSYS object takes precedence.

Logging
Configuration logs are generated for add/edit/delete of tag objects and for setting tags on other objects.

Feature interaction with infrastructure components:
- High-availability: Tag configuration is synced, like other object configurations.
- Virtual system: Tag administration and tag assignment can be done per VSYS.
- Panorama: Tag administration and tag assignment are available on Panorama.

Panorama
The specified objects and zones in Network templates carry tag configuration. The tag configuration is pushed to device groups and devices along with the objects and device templates. If it conflicts with an existing tag on the firewall, the device config takes priority. In the Network template on Panorama, zones can have tags specified, but no completion (drop-down) is available; users can only type tag names.

Tags can belong to a VSYS or be shared in a device and a device group, or shared in Panorama.

owner: jdelio
‎10-10-2017 07:46 AM
16,671 Views
3 Replies
3 Likes
Details
IPv6 firewalling can be enabled or disabled through the WebUI or the CLI. In PAN-OS 5.0 and later, this feature is enabled by default.

WebUI
IPv6 firewalling can be enabled under Device > Setup > Session:
PAN-OS 7.0:
PAN-OS 8 and up:

CLI
> configure
# set deviceconfig setting session ipv6-firewalling [yes|no]
# commit

Interface configuration example. To enable or disable IPv6 on an interface via the CLI:
# set network interface ethernet ethernet1/3 layer3 ipv6 enabled [yes|no]
# commit

owner: sraghunandan
sraghunandan ‎05-23-2017 07:41 AM
19,305 Views
0 Replies
Overview
The maximum number of Custom URL Categories per PAN-OS version (all hardware has the same limit):

PAN-OS Version   Custom URL Category Limit
PAN-OS 8.0       500
PAN-OS 7.1       500
PAN-OS 7.0       50
PAN-OS 6.1       50

owner: mbutt
mbutt ‎05-11-2017 01:27 AM
15,070 Views
4 Replies
Overview (Configuration template support in Panorama)
When a virtual system (VSYS) configuration is pushed from a Panorama template to a managed Palo Alto Networks device, the following algorithm is applied on the device:
1. The device first attempts a name match. If successful, the matching vsys on the device receives the configuration pushed from Panorama.
2. If the name match fails, the device performs a VSYS ID match against an unnamed vsys.
3. If an ID match succeeds on an unnamed VSYS, that vsys receives the name and configuration pushed from Panorama.
4. Finally, if the VSYS ID match fails, a new vsys is created on the device with the name and configuration pushed from Panorama. The new vsys is assigned the next available ID.

For example, a templated VSYS is created as vsys3 (ID of 3) and pushed to a managed Palo Alto Networks device. If the name vsys3 is not found, the device attempts to find an unnamed VSYS with ID 3. If an unnamed vsys with ID 3 does not exist, a new vsys is created with the name vsys3 (and assigned the next available ID).

Note: In general, it is recommended to give virtual systems meaningful names (for example: Finance, Marketing, etc.) instead of the label "vsys3", which may be mistakenly assumed to mean ID = VSYS 3.

owner: apasupulati
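The matching algorithm above, written out as a small simulation (an added example, not Palo Alto Networks code; the Vsys/Device data model and the function names are assumptions). It shows why a template named vsys3 can end up with a different ID when ID 3 is already taken by a named vsys.

```python
"""Simulate how a managed firewall matches a VSYS pushed from a Panorama
template: name match first, then ID match on an unnamed vsys, else create.
The data model and function names are assumptions for illustration only."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass
class Vsys:
    vsys_id: int
    name: Optional[str]            # None models an "unnamed" vsys on the device
    config: dict = field(default_factory=dict)


@dataclass
class Device:
    vsys: Dict[int, Vsys] = field(default_factory=dict)

    def next_available_id(self) -> int:
        """Lowest vsys ID not yet in use on this device."""
        vid = 1
        while vid in self.vsys:
            vid += 1
        return vid


def apply_template(device: Device, pushed_name: str, pushed_id: int,
                   config: dict) -> Tuple[str, int]:
    """Apply a pushed vsys to the device; return (action, vsys_id it landed on)."""
    # Step 1: name match wins, regardless of ID.
    for v in device.vsys.values():
        if v.name == pushed_name:
            v.config.update(config)
            return ("name-match", v.vsys_id)
    # Step 2: ID match, but only against an *unnamed* vsys.
    v = device.vsys.get(pushed_id)
    if v is not None and v.name is None:
        v.name = pushed_name           # unnamed vsys takes the pushed name
        v.config.update(config)
        return ("id-match", v.vsys_id)
    # Step 3: no match: create a new vsys with the next available ID.
    new_id = device.next_available_id()
    device.vsys[new_id] = Vsys(new_id, pushed_name, dict(config))
    return ("created", new_id)


def scenario_from_article() -> Tuple[str, int]:
    """Template 'vsys3' (ID 3) pushed to a device where ID 3 is named 'Finance'.

    Constructed device state: vsys1 named 'vsys1', vsys3 named 'Finance'.
    Name match fails, ID 3 is taken by a named vsys, so a new vsys is created
    and gets the next free ID, which is 2, not 3."""
    device = Device({1: Vsys(1, "vsys1"), 3: Vsys(3, "Finance")})
    return apply_template(device, "vsys3", 3, {"zone": "dmz"})


if __name__ == "__main__":
    print(scenario_from_article())   # ('created', 2)
```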
apasupulati ‎04-21-2017 12:10 PM
12,548 Views
2 Replies
Starting from PAN-OS 8.0, we have the option of secure communication, with the help of certificates, between the firewall and the User-ID Agent. NOTE: This requires the firewall to be on PAN-OS 8.0 (or later) as well as the User-ID agent to be on 8.0 (or later).

In this process, the UIA (User-ID Agent) presents a certificate to the firewall for validation. The firewall checks this certificate against the configured certificate profile. If it passes all the checks in the certificate profile, the firewall accepts the connection from the UIA. This protects against "rogue" UIAs.

Here's a step-by-step walkthrough to configure this:
1. Launch the UIA; you should see a new option called 'Server Certificate':
2. Create a new CSR for the UIA and get it signed by an external CA, an in-house CA, or a self-signed CA certificate present in the firewall. (Note: The CA certificate must be present on the firewall so it can be used in the Certificate profile to validate the UIA's certificate.)
3. Once we have a certificate, import it into the UIA along with its private key. Make sure to commit the configuration.
4. Create a new certificate profile and use the CA that signed the UIA's CSR.
5. You should see a new tab under Device > User Identification, called 'Connection Security':
6. Choose the certificate profile created in step 4.
7. If the commit goes well, you should see the UIA connected successfully with the firewall.

Failure Scenario
If an incorrect certificate, or no certificate, is present on the UIA while Connection Security is enabled on the firewall, you will see the following log entry in the System (and userid) logs:
For the same failure, on the agent, you would see the following logs (under Monitoring > Logs):

Hope this helped. Stay safe!
ansharma ‎03-13-2017 05:02 AM
5,144 Views
1 Reply
Overview
This document demonstrates how to configure conditional advertisement on Border Gateway Protocol (BGP).

Firewall FW-A has two routes, 55.55.55.0/24 and 100.100.100.0/24. Firewall FW-C has one route, 60.60.60.0/24.

The requirement is that if FW-B has both 100.100.100.0/24 and 55.55.55.0/24 in its local RIB, it should not advertise the 55.55.55.0/24 route to FW-C but should advertise 100.100.100.0/24. Only if route 100.100.100.0/24 is not in the local RIB of FW-B should it advertise the 55.55.55.100 route to FW-C.

How to Achieve This?
This can be achieved by configuring conditional advertisement on FW-B. With conditional advertisement we can specify which route should be advertised when some network/route is down. To accomplish this, we configure a Non Exist filter. Below, we specify that if 100.100.100.0/24 doesn't exist, then advertise whatever is specified in the Advertise filters.

FW-A has 55.55.55.0/24 and 100.100.100.0/24 in its local RIB.
FW-A advertises both routes, 55.55.55.0/24 and 100.100.100.0/24, to FW-B.
FW-B has received both routes from FW-A.
FW-B sends only the 100.100.100.0/24 route to FW-C.
FW-C receives 100.100.100.0/24 from FW-B.
On FW-A, 100.100.100.0/24 went down.
FW-A advertises only 55.55.55.0/24.
FW-B receives 55.55.55.0/24 from FW-A.
FW-B starts advertising route 55.55.55.0/24 to FW-C.
FW-C receives 55.55.55.0/24 from FW-B.
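The Non Exist / Advertise filter behaviour walked through above, reduced to a small model that replays FW-B's decision before and after 100.100.100.0/24 is withdrawn (an added example, not PAN-OS code; the function names, data layout and exact-prefix filter matching are assumptions).

```python
"""Model of BGP conditional advertisement on FW-B as described in the article:
routes matched by the Advertise filter are withheld until none of the routes in
the Non Exist filter is present in the local RIB; all other routes are sent
unconditionally. Filters are modelled as exact prefix matches (assumption)."""
import ipaddress
from typing import Iterable, List, Set, Tuple

Net = ipaddress.IPv4Network


def nets(prefixes: Iterable[str]) -> Set[Net]:
    """Parse prefix strings into a set of networks (strict: host bits must be 0)."""
    return {ipaddress.ip_network(p) for p in prefixes}


def routes_to_advertise(local_rib: Iterable[str],
                        non_exist_filter: Iterable[str],
                        advertise_filter: Iterable[str]) -> List[str]:
    """Return the prefixes FW-B advertises to its peer (FW-C), sorted."""
    rib = nets(local_rib)
    non_exist = nets(non_exist_filter)
    advertise = nets(advertise_filter)
    # Everything not covered by the Advertise filter is sent as usual.
    unconditional = rib - advertise
    # Condition holds only when every Non Exist route is absent from the RIB.
    condition_met = not (rib & non_exist)
    conditional = (rib & advertise) if condition_met else set()
    return sorted(str(n) for n in unconditional | conditional)


def walk_through() -> Tuple[List[str], List[str]]:
    """Replay the article's sequence: before and after 100.100.100.0/24 goes down.

    Constructed FW-B state: Non Exist filter = 100.100.100.0/24,
    Advertise filter = 55.55.55.0/24, both learned from FW-A."""
    non_exist = ["100.100.100.0/24"]
    advertise = ["55.55.55.0/24"]
    both_up = routes_to_advertise(["55.55.55.0/24", "100.100.100.0/24"],
                                  non_exist, advertise)
    after_withdraw = routes_to_advertise(["55.55.55.0/24"], non_exist, advertise)
    return both_up, after_withdraw


if __name__ == "__main__":
    before, after = walk_through()
    print("FW-B -> FW-C while 100.100.100.0/24 is up:   ", before)
    print("FW-B -> FW-C after 100.100.100.0/24 is gone:", after)
```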
pankaku ‎12-06-2016 07:13 AM
2,779 Views
0 Replies
Issue
When SSH public key authentication is configured from the GUI, the configuration works. But when configuring it from the CLI, it fails with the error message 'Invalid public key format':

Confirm that valid algorithms, numbers of bits, versions and SSH key formats are being used.
Note: Supported key file formats are IETF SECSH and OpenSSH. Supported key algorithms are DSA (1024 bits) and RSA (768-4096 bits).

Resolution
The generated public key should be Base64-encoded before pasting the key into the CLI. When importing the file from the GUI, the error is not seen because the GUI automatically Base64-encodes the file while importing it, but when configuring via the CLI, this has to be done by the administrator.

See Also
Please refer to the following guide for configuration steps from the WebGUI: PAN-OS® Administrator's Guide Version 7.0
prb ‎11-09-2016 10:18 AM
5,921 Views
0 Replies
Overview
Certain environments require all internet-bound traffic to be sent through a proxy server. This traffic could also include Palo Alto Networks update traffic. This article describes the basic points that need to be addressed to allow Palo Alto Networks updates through the proxy server.

Details
Topology used for this article:
Palo Alto Networks (management port) --- Proxy server ---- (Trust port) PA (Untrust Port) ---- Internet

Configuration
Proxy server configuration is done under Device > Setup > Services. The proxy server port is the port on which the proxy server is configured to listen for HTTP requests. The username and password are the ones the proxy server is configured to authenticate with.

The Palo Alto Networks firewall sends an HTTP CONNECT method on the configured proxy port to the proxy server to make connections to the update server on port 443. The firewall uses the Basic proxy authentication method, sending the credentials in the Proxy-Authorization header. The proxy server should be configured to accept Basic proxy authentication and should not prompt for a username and password to be entered.

If the proxy server connects to the internet through the Palo Alto Networks firewall's trust interface (as in this topology), the security policy should be configured to allow the application "paloalto-updates".

Once the proxy server is able to connect to the Palo Alto Networks update server, it sends a Connection Established message to the firewall management interface, and then the SSL handshake and further communication start to fetch updates through the proxy.

Note: The source IP in the snippet is another NIC on the proxy server used for internet connectivity through the Palo Alto Networks firewall.
hagarwal ‎11-09-2016 07:40 AM
7,903 Views
2 Replies
Equal Cost Multipath Routing (ECMP), new in PAN-OS 7.1, enables the firewall to use up to four equal-cost routes to the same destination. Without this feature, the virtual router uses only one route if there are multiple equal-cost routes to the same destination, unless there is a failure. Learn the benefits of deploying ECMP, and review a basic topology to configure ECMP in your network.
‎10-21-2016 05:52 PM
5,540 Views
2 Replies
2 Likes
  There is a newer version of this document here: Getting Started: Preparing the Firewall for Its First Use   See Also Getting Started: The Series
Teresa ‎08-30-2016 09:14 AM
37,143 Views
2 Replies
Overview
It is possible to allow access to the Palo Alto Networks firewall using non-default ports on any interface. This document describes how to configure HTTPS and SSH access to the firewall from the Untrust zone, using a loopback interface in the Trust zone.

Steps
1. Configure a loopback interface on the firewall and assign an Interface Management Profile permitting the desired type of access.
   Note:
   - The management profile permitting access only needs to be on the loopback interface, not on the Untrust interface.
   - The IP assigned to the loopback interface should be unique and not identical to a dataplane or management interface address.
2. Configure custom services for the non-default ports that will allow access to the firewall. In this example, TCP/7777 is chosen for HTTPS and TCP/7778 for SSH access.
3. Configure individual destination NAT policies to translate the custom ports to the default access ports.
4. Configure a security policy allowing inbound access to the Untrust interface. Optionally, the specific ports to be allowed can be included in this security policy.
5. Commit the changes.

After the commit operation is completed, access to the firewall should be available on its Untrust interface using the custom ports configured to allow access.

owner: tasonibare
tasonibare ‎08-24-2016 06:33 AM
30,966 Views
10 Replies
This document covers the configuration of a multi-site VPN scenario with dual ISPs and quadruple VPN tunnels at each site. This scenario has three sites, two remote branches and one main site. Each location has two ISP connections, the remote branches do not connect directly to each other, only to the main site but with a full mesh configuration (4 tunnels per remote site).   This design will support the loss of a single connection at all of the three sites concurrently while maintaining full connectivity.
mlutgen ‎05-09-2016 02:54 PM
10,138 Views
0 Replies
Up to PAN-OS 6.1; for later OS versions, see below.

Details
In most cases, the NetBIOS domain should be configured in the Domain field.
Note: In most cases, the full domain should not be used (for example, use 'pantaclab' and not 'pantaclab.com').

Here is an example of what happens when the full domain is used:
> show user user-IDs
User Name                          Vsys   Groups
------------------------------------------------------------------
pantaclab.com\user01               vsys1  cn=group1,cn=users,dc=pantaclab,dc=com

Notice that the user is pantaclab.com\user01, which is not likely to match what is configured in Active Directory.

When configuring pantaclab as the domain instead of pantaclab.com, the result is very different: the user is listed as pantaclab\user01, which matches the Active Directory user.
> show user ip-user-mapping
IP              Ident. By User                             Idle Timeout (s) Max. Timeout (s)
--------------- --------- -------------------------------- ---------------- ----------------
192.168.208.100 AD        pantaclab\user01                 2995             2995

If the domain name in the LDAP profile differs from the one in the ip-user-mapping, user/group name lookup is affected. For example, if a security policy is configured with source user "group1" (from the example above), the user at 192.168.206.100 will not be treated as a member of "group1".

See Also
How to Determine the NetBIOS Domain for LDAP Server Profile in Windows 2003 and 2008 Server
LDAP Group Mappings in a Mixed 6.x and 7.x Environment with Panorama

owner: yogihara
npare ‎04-28-2016 02:10 AM
8,842 Views
2 Replies
Using the new PAN-OS 7.0 DHCP Options to push static routes
mivaldi ‎04-15-2016 10:23 AM
17,557 Views
0 Replies
2 Likes
Access domains allow restricting access for administrator accounts to specific Vsys (on the firewall) and to specific Device Groups, Templates and Context Switch (on Panorama).

When you are managing a Vsys-enabled firewall from Panorama, you might want to create Panorama Administrators with access to only particular Vsys on the managed firewall.

In that case, you must have the target Vsys bound to a unique Device Group. You cannot control per-Vsys administration for Panorama administrators if multiple Vsys from the firewall are part of the same Device Group.

Steps:
1. Create specific Device Groups for specific Vsys under the managed multi-VSYS firewall.
2. Create an Access Domain for managing the Vsys1 Device Group and the corresponding context switch.
3. Create an Administrator of Administrator Type "Device Group and Template Admin" and bind the access domain created above.
4. Do a Panorama commit and log in using the Vsys1Admin user account.
5. Verify that you are able to access only Device Group 1 and to context-switch to Vsys1 of the firewall.
abjain ‎04-14-2016 07:52 AM
11,136 Views
0 Replies
1 Like
To change the threshold value under a timing vulnerability signature, do the following:
1. Open the vulnerability profile and search for the Threat ID.
2. Click the "Pencil" icon before the threat name, as shown below:
3. The Edit Time Attribute pop-up window is displayed. Set the threshold as required.
4. Make sure the Exception is enabled.
5. Commit the changes.

Note: Not all threat/vulnerability signatures can be modified. Some signatures do not have any changeable attributes. For example, TID 30003 is a signature whose attributes cannot be modified. Also, attributes for threat IDs can only be changed if the Palo Alto Networks firewall has a valid threat license. Otherwise, the commit fails with the following error:
Error: Profile compiler : can not set time attribute on tid <> .
See: Unable to Commit Changes to Threat Attributes

owner: kalavi
kalavi ‎03-08-2016 07:38 AM
3,638 Views
0 Replies
This document explains how to transfer URL filtering objects from one Palo Alto Networks firewall to another. Copying configuration between any two firewalls may be done in the following two ways. The same process may be applied to transfer other configuration such as Anti-Virus profiles, security policies and more.

Note: This document is recommended only for copying simple and independent entities like security profiles, security policies, NAT policies, etc. These methods become complicated for configuration such as IPSec tunneling, SSL-VPN, GlobalProtect and User-ID because of the interdependence of the various entities. Also, the commands for Method 2 may vary based on the type of configuration to be copied.

Method 1: Copying part of the configuration from firewall "A" and adding it to firewall "B"
1. Generate a config file for firewall A. From the GUI, navigate to Device > Setup > Operations > Save named configuration snapshot. For example, name it Config_FWA.
2. Save the configuration on the computer. From the GUI, navigate to Device > Setup > Operations > Export named configuration snapshot. Choose the file Config_FWA to save it on the PC.
3. Similarly, generate a config file for firewall B and name it Config_FWB.
4. Open Config_FWA in a text editor. Locate the section of configuration that needs to be transferred and copy it. For example, to copy a URL filtering object named "BlockWikipidia_TEST", copy the content starting from <entry name="BlockWikipidia_TEST"> through </entry>.
5. Open Config_FWB in the text editor and paste it in its respective location. For example, in our case it should be placed immediately after <Profiles><URL-filtering>, as shown below:
6. Save the changes to Config_FWB.
7. Import Config_FWB to firewall B. From the GUI, navigate to Device > Setup > Operations > Import named configuration snapshot. Choose the file Config_FWB and click OK.
8. Load the configuration onto the firewall. From the GUI, navigate to Device > Setup > Operations > Load named configuration snapshot. Choose the file Config_FWB and click OK. Warnings about invalid references might occur. For example, if "BlockWikipidia_TEST" references custom URL categories, they will not be transferred to firewall B unless the same custom URL categories are also configured on firewall B. In such cases, the load will show an invalid reference.
9. Commit the changes on firewall B.

The appended configuration should now show up on firewall B as well.

Method 2: Generating "set" commands from firewall A's CLI
This method generates a set of CLI commands that define the configuration on firewall A, which can be copied and pasted into firewall B's CLI.
1. Initially, change the settings for the CLI window to log the session, and set the number of scrollback lines to a larger value such as 10,000.
2. Use the following command to set the CLI output format to display "set" commands in configuration mode:
   > set cli config-output-format set
3. Set paging off using the command:
   > set cli pager off
4. Enter configure mode:
   > configure
5. Edit the profile in configure mode:
   # edit profiles url-filtering <name>
   (For this example: # edit profiles url-filtering BlockWikipidia_TEST)
6. Use the show command to display all the URL filtering profile commands:
   # show
7. Copy the commands that are displayed, either from the CLI or from the CLI log file.
8. In the CLI for firewall "B", enter configure mode and right-click at the cursor, which pastes all the copied content. Note: Make sure that everything was copied/pasted to the other firewall.
9. Commit the changes on firewall B.

The appended configuration should now show up on firewall B as well.

Related documents:
How to Load Partial Configurations
How to Load Partial Config for Application Groups

owner: dreputi
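Method 1 done programmatically instead of by hand in a text editor, with the invalid-reference check from step 8 performed before the import (an added example, not from the original article or Palo Alto Networks). The XML layout used here is a constructed, simplified approximation of an exported snapshot (profiles/url-filtering and profiles/custom-url-category under the vsys entry, as the Method 2 CLI path suggests); confirm the real element path in your own export before relying on it.

```python
"""Copy one URL filtering profile entry from Config_FWA into Config_FWB and
report custom URL categories it references that firewall B does not define.
Element paths and the sample snapshots below are constructed assumptions."""
import copy
import xml.etree.ElementTree as ET

VSYS_PATH = "./devices/entry/vsys/entry[@name='vsys1']"   # assumed layout

# Constructed fragment of firewall A's exported snapshot (relevant branches only).
CONFIG_FWA = """<config>
<devices><entry name="localhost.localdomain"><vsys><entry name="vsys1">
<profiles>
 <url-filtering>
  <entry name="BlockWikipidia_TEST">
   <block><member>Custom_Wiki</member><member>malware</member></block>
   <alert><member>social-networking</member></alert>
  </entry>
 </url-filtering>
 <custom-url-category><entry name="Custom_Wiki"/></custom-url-category>
</profiles>
</entry></vsys></entry></devices></config>"""

# Constructed fragment of firewall B's snapshot: it has no custom categories.
CONFIG_FWB = """<config>
<devices><entry name="localhost.localdomain"><vsys><entry name="vsys1">
<profiles>
 <url-filtering><entry name="Default_Profile"/></url-filtering>
</profiles>
</entry></vsys></entry></devices></config>"""


def copy_url_profile(config_a: str, config_b: str, profile: str):
    """Return (updated Config_FWB as XML text, sorted list of missing custom categories)."""
    a = ET.fromstring(config_a)
    b = ET.fromstring(config_b)
    src = a.find(f"{VSYS_PATH}/profiles/url-filtering/entry[@name='{profile}']")
    if src is None:
        raise KeyError(f"profile {profile!r} not found in config A")

    # Make sure <profiles><url-filtering> exists on B, then replace any
    # same-named entry rather than creating a duplicate that would fail to load.
    vsys_b = b.find(VSYS_PATH)
    profiles_b = vsys_b.find("profiles")
    if profiles_b is None:
        profiles_b = ET.SubElement(vsys_b, "profiles")
    url_b = profiles_b.find("url-filtering")
    if url_b is None:
        url_b = ET.SubElement(profiles_b, "url-filtering")
    for old in url_b.findall(f"entry[@name='{profile}']"):
        url_b.remove(old)
    url_b.append(copy.deepcopy(src))

    # Invalid-reference check: a category the profile names that is *custom*
    # on A (so not a predefined category) must also be defined on B.
    custom_on_a = {e.get("name") for e in
                   a.iterfind(f"{VSYS_PATH}/profiles/custom-url-category/entry")}
    custom_on_b = {e.get("name") for e in
                   b.iterfind(f"{VSYS_PATH}/profiles/custom-url-category/entry")}
    referenced = {m.text for m in src.iter("member")}
    missing = sorted((referenced & custom_on_a) - custom_on_b)
    return ET.tostring(b, encoding="unicode"), missing


if __name__ == "__main__":
    new_b, missing = copy_url_profile(CONFIG_FWA, CONFIG_FWB, "BlockWikipidia_TEST")
    if missing:
        print("Invalid references expected on firewall B for:", missing)
    print(new_b)
```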
dreputi ‎02-25-2016 09:08 AM
17,524 Views
1 Reply
The Palo Alto Networks PA-200 and VM-Series firewalls only support the HA Lite configuration, without session synchronization.

Follow these steps to configure HA Lite:
1. Configure an interface as the HA1 link. This step is optional; you can also use the management interface as HA1. Go to Network > Interfaces and select the available interface. Select the interface type 'HA.'
2. Select the interface under Device > High Availability. Specify the IP address of the HA1 link. If the HA port links are directly connected, this IP address can be any arbitrary IP address; it just needs to be within the same subnet as the peer's HA1 control link IP address.
3. Enable HA from Setup. Specify the peer HA1 IP Address. Specify a common Group ID on both units.
4. Specify the Device Priority. The device with the lower numerical value, and therefore higher priority, is designated as active and manages all traffic on the network.
ukhapre ‎02-04-2016 03:22 PM
5,624 Views
0 Replies
1 Like