Configuration Articles

Featured Article
Issue

There are instances where we want to source NAT to a pool of addresses (Dynamic IP) without translating ports, as Dynamic IP and Port would. Source NAT works fine, with no traffic issues for the originating sources, until the IP pool is exhausted (no addresses left to hand out). After that point a session from any new originating source cannot be established, and the traffic from that new source is dropped.

Resolution

PAN-OS has a feature called "Fallback Dynamic IP translation" to address this. Use this option to create a fallback pool that performs IP and port translation and is used only when the primary pool runs out of addresses. Addresses for the fallback pool can be defined with the Translated Address option, or with the Interface Address option for interfaces that receive an IP address dynamically. When creating a fallback pool, make sure its addresses do not overlap with addresses in the primary pool.*

Steps

The fallback is configured under the "Advanced (Dynamic IP/Port Fallback)" setting of the NAT rule:

1. Go to the Translated Packet tab of the NAT policy rule.
2. Under "Advanced (Dynamic IP/Port Fallback)", select one of the following:
   - "Translated Address", then configure a second address pool. Once the primary pool is exhausted, new sources are translated to addresses in this pool with IP and port translation.
   - "Interface Address", then select the interface. New sources are translated to the interface's address with port translation (Dynamic IP and Port); this suits interfaces that receive their address dynamically.

* Sourced from the Help Guide > Policies and Security Profiles > Table 148. NAT Rule Settings (Translated Packet Tab)

owner: kprakash
kprakash ‎09-24-2018 02:34 PM

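The behaviour described above, as an added illustration (this is not PAN-OS code): a Dynamic IP pool hands each new source address a translated address 1:1 and keeps the original source port, so once every address is leased a new source cannot be translated and is dropped; a Dynamic IP and Port fallback pool lets many sources share one address by varying the port. Pool addresses, source addresses and the session list are constructed for the example, and the overlap check enforces the "no overlap with the primary pool" requirement from the article.

```python
"""Model of PAN-OS Dynamic IP source NAT with a Dynamic IP and Port fallback.

Added illustration, not PAN-OS code. Addresses, sources and sessions are
constructed for the example.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

PORT_LOW, PORT_HIGH = 1024, 65535


@dataclass
class DynamicIpPool:
    """1:1 source-address translation, no port translation (PAN-OS 'Dynamic IP')."""
    addresses: List[str]
    leases: Dict[str, str] = field(default_factory=dict)   # original src -> translated

    def translate(self, src_ip: str, src_port: int) -> Optional[Tuple[str, int]]:
        if src_ip in self.leases:
            return self.leases[src_ip], src_port          # known source keeps its address
        free = [a for a in self.addresses if a not in self.leases.values()]
        if not free:
            return None                                   # pool exhausted: new source cannot be translated
        self.leases[src_ip] = free[0]
        return free[0], src_port


@dataclass
class DynamicIpPortPool:
    """Many-to-one translation of address and port (PAN-OS 'Dynamic IP and Port')."""
    addresses: List[str]
    used: Set[Tuple[str, int]] = field(default_factory=set)

    def translate(self, src_ip: str, src_port: int) -> Optional[Tuple[str, int]]:
        for addr in self.addresses:
            for port in range(PORT_LOW, PORT_HIGH + 1):
                if (addr, port) not in self.used:
                    self.used.add((addr, port))
                    return addr, port
        return None


@dataclass
class SourceNatRule:
    primary: DynamicIpPool
    fallback: Optional[DynamicIpPortPool] = None

    def __post_init__(self):
        # The article requires the fallback pool not to overlap the primary pool.
        if self.fallback and set(self.primary.addresses) & set(self.fallback.addresses):
            raise ValueError("fallback pool must not overlap the primary pool")

    def translate(self, src_ip: str, src_port: int):
        """Return ((translated_ip, translated_port) or None, method-used)."""
        result = self.primary.translate(src_ip, src_port)
        if result is not None:
            return result, "dynamic-ip"
        if self.fallback is None:
            return None, "dropped"
        result = self.fallback.translate(src_ip, src_port)
        return result, ("dynamic-ip-and-port" if result else "dropped")


def run_sessions(rule: SourceNatRule, sessions):
    """Translate each (src_ip, src_port) in order; return (src_ip, src_port, translated, method)."""
    return [(ip, port, *rule.translate(ip, port)) for ip, port in sessions]


# Constructed traffic: a two-address primary pool and four distinct internal sources.
SESSIONS = [("10.1.1.10", 40000), ("10.1.1.11", 40001), ("10.1.1.10", 40002),
            ("10.1.1.12", 40003), ("10.1.1.13", 40004)]


def without_fallback():
    return run_sessions(SourceNatRule(DynamicIpPool(["198.51.100.1", "198.51.100.2"])), SESSIONS)


def with_fallback():
    rule = SourceNatRule(DynamicIpPool(["198.51.100.1", "198.51.100.2"]),
                         DynamicIpPortPool(["198.51.100.3"]))      # disjoint from the primary pool
    return run_sessions(rule, SESSIONS)


if __name__ == "__main__":
    for label, results in (("no fallback", without_fallback()), ("with fallback", with_fallback())):
        print(label)
        for src_ip, src_port, translated, how in results:
            print(f"  {src_ip}:{src_port} -> {translated} ({how})")
```

The third session shows why the primary pool fills up: the same source reuses its lease and keeps its own port, so the pool is consumed per source, not per session. The fourth and fifth sources are dropped without the fallback and land on the fallback address with distinct translated ports when it is configured.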
Note: Customers are not required to modify firewall policies unless the conditions outlined below are in use.

Issue

Firewalls typically act as an ALG for SIP: they open pinholes for SIP sessions and provide address translation. The "sip" App-ID creates such pinholes so that the protocol keeps working when it crosses the firewall. When a SIP server in one zone (source), reached through static NAT, sends traffic to a SIP server in another zone (destination), the firewall creates a pinhole that also allows any host using SIP in the destination zone to reach the SIP server in the source zone. For example, a SIP server P.Q.R.S in the source zone, statically NAT-ed to D.E.F.G:5060, sends a SIP REGISTER to an external SIP server A.B.C.D:5060 in the destination zone. The firewall then creates a pinhole that accepts incoming connections to D.E.F.G:5060 from hosts in the destination zone, not only from A.B.C.D.

Resolution

The "sip-trunk" App-ID, used together with an Application Override, disables the creation of that pinhole. It is meant for traffic between known SIP servers: the source and destination addresses of the servers are specified, and their SIP traffic is overridden to "sip-trunk". Because there is no longer a pinhole, the administrator must also configure a Security policy rule that permits traffic between the servers in the reverse direction. The servers can then communicate with each other, while the absence of the pinhole stops the firewall from accepting inbound connections from other hosts in the destination zone.

Requirements

- A SIP registrar or proxy is statically NAT-ed through the firewall
- SIP trunking is in use in the environment
- Content database version 518 or higher

Switching to sip-trunk requires clearing all active SIP sessions, so the change is disruptive to users. We recommend scheduling an outage or maintenance window after hours. Any ports other than udp/5060 used by your SIP servers must be added to the new policies as well.

How to Implement

1) Create an Application Override policy rule that overrides traffic on udp/5060 (and any other ports the application uses in your environment) to sip-trunk. Limit the rule to the intended SIP traffic by specifying source and destination zones and IP addresses.
2) Create a Security policy rule that blocks the "sip" application.
3) Create a Service object containing udp/5060 and any other ports required by your SIP servers.
4) Beneath the rule created in step 2, create Security policy rules that allow the "sip-trunk" application on that service, in both directions between the servers. Limit these rules to the intended SIP traffic by specifying source and destination zones and IP addresses.
5) Create a static bi-directional source NAT policy rule.
6) Commit.
7) Clear all current SIP sessions from the CLI (NOTE: this disrupts all active SIP traffic):
> clear session all filter application sip
8) Clear the application cache from the CLI:
> clear appinfo2ip
ggarrison ‎08-28-2018 10:32 AM

Details

Previously, the DP aggregated all packet-diag logs into a single file directly on the DP itself. Starting with PAN-OS 5.0, the DP no longer writes the aggregated log; aggregation is performed with a new operational CLI command, run after the dataplane debug is complete:

> debug dataplane packet-diag aggregate-logs

Note: Run this AFTER disabling the dataplane debug logging (such as flow basic) with:

> debug dataplane packet-diag set log off

Wait 10 to 20 seconds after logging is stopped before starting the aggregation. A dataplane (DP) kernel flush must occur before all the information in the log files can be retrieved. You can force the flagged sessions to end with:

> debug dataplane packet-diag clear filter-marked-session all

The aggregation writes all DP pan_task logs into a single pan_packet_diag.log file. View it with less (or tail):

> less dp-log pan_packet_diag.log

Although each pan_task log is aggregated within a single DP log file, each DP generates its own file, so on multi-DP platforms (PA-5000 and PA-7000 series) each DP log is separate. On the PA-5000 series, use dpX-log instead of dp-log, where X is the DP number (for example dp0-log, dp1-log). On the PA-7000 series, use sXdpY-log, where X is the NPC slot number and Y is the DP number within that slot (for example s1dp0-log, s7dp1-log).

Note: On a PA-200, view the logs with:

> less mp-log pan_task_1.log

For details on enabling the flow basic dataplane debug, refer to: Packet Capture, Debug Flow-basic and Counter Commands

owner: rkim
rkim ‎02-12-2018 12:41 PM

Issue

When a remote user connects to the corporate network with GlobalProtect, the computer is assigned an IP address from the pool configured on the gateway. That address can fall within the subnet the workstation is already on, which causes issues. For example, a remote employee connects from a hotel room where the locally assigned address is in the 10.0.0.0/8 range, and the IP pool for GlobalProtect clients is 10.1.1.0/24. The pool overlaps the client's local subnet, and the firewall logs the following error in the System logs: "Assign Private IP address failed".

Resolution

Create a second IP pool in a different subnet and place it lower in the list. IP pools are used from the top down, but if the client sits in a subnet that conflicts with the first pool, the firewall automatically assigns an address from the second pool.

owner: tpiens
npare ‎12-20-2017 12:45 AM

Overview

This document describes how to change the system clock on a Palo Alto Networks firewall. The clock can be changed from the web UI and from the CLI.

Details

From the web UI, go to Device > Setup > Management and edit General Settings to change the Time and Date.

Note 1: The Date and Time settings can only be changed on the firewall itself, even when it is managed by Panorama.

From the CLI, use the set clock command. For example:

admin@anuragFW> set clock
+ date   YYYY/MM/DD
+ time   hh:mm:ss
<Enter>  Finish input
admin@anuragFW> set clock date 2017/11/17 time 01:37:45

Note 2: System clock changes take effect immediately and do not require a commit.

Because certificate validity checks, log timestamps and scheduled jobs all depend on the system clock, use NTP (Device > Setup > Services) for normal operation and set the clock manually only when no time source is available.

owner: ansharma
pchanda ‎11-17-2017 12:38 AM

Overview

This document describes how to view SSL Decryption information from the CLI.

Details

The following show system setting ssl-decrypt commands provide information about SSL decryption on the Palo Alto Networks device:

Show the list of ssl-decrypt certificates loaded on the dataplane
> show system setting ssl-decrypt certificate

Show the list of cached certificates loaded on the dataplane
> show system setting ssl-decrypt certificate-cache

Show the list of cached DNS entries
> show system setting ssl-decrypt dns-cache

Show the list of cached servers excluded from decryption
> show system setting ssl-decrypt exclude-cache

Show the list of GlobalProtect cookies
> show system setting ssl-decrypt gp-cookie-cache

Show the list of HSM requests
> show system setting ssl-decrypt hsm-request

Show the SSL decryption memory usage
> show system setting ssl-decrypt memory

Show the list of users whose notify option (whether or not to notify them of SSL decryption) has been cached. While the cache entry exists, the user is not notified every time they browse to an encrypted site.
> show system setting ssl-decrypt notify-cache

Show URL rewrite statistics
> show system setting ssl-decrypt rewrite-stats

Show the list of cached sessions
> show system setting ssl-decrypt session-cache

Show ssl-decryption settings
> show system setting ssl-decrypt setting

To display the count of decrypted sessions:
> show session all filter ssl-decrypt yes count yes
Number of sessions that match filter: 2758

To view the decrypted sessions:
> show session all filter ssl-decrypt yes

To clear the decrypted sessions:
> clear session all filter ssl-decrypt yes

To reset an ssl-decrypt cache:
> debug dataplane reset ssl-decrypt <option>
  certificate-cache    Clear all ssl-decrypt certificate cache in dataplane
  certificate-status   Clear all ssl-decrypt certificate CRL status cached in dataplane
  dns-cache            Clear ssl-decrypt DNS cache
  exclude-cache        Clear all exclude cache in dataplane
  hsm-cache            Clear all ssl-decrypt HSM request in dataplane
  notify-cache         Clear all ssl-decrypt notify-user cache in dataplane
  rewrite-stats        Clear URL rewrite cache
  session-cache        Clear all ssl-decrypt session cache in dataplane

The following command shows the proxy-related global counters, including any SSL decryption failures. Columns are: name, value, rate, severity, category, aspect, description.

> show counter global | match proxy
proxy_process                   1205  0  info   proxy  pktproc   Number of flows go through proxy
proxy_no_process                 453  0  info   proxy  pktproc   Number of flows donot go through proxy
proxy_wqe_held                   253  0  info   proxy  resource  Number of wqe held by proxy for notify answer
proxy_excluded                    78  0  info   proxy  pktproc   Number of ssl sessions bypassed proxy because of exclusion
proxy_client_hello_failed          4  0  warn   proxy  pktproc   Number of ssl sessions bypassed proxy because client hello can't be parsed
proxy_url_request_pkt_drop        24  0  info   proxy  pktproc   The number of packets get dropped because of waiting for url category request in ssl proxy
proxy_url_category_unknown       435  0  info   proxy  pktproc   Number of sessions checked by proxy with unknown url category
url_session_not_in_ssl_wait        4  0  error  url    system    The session is not waiting for url in ssl proxy

Output from a second capture:

proxy_url_request_pkt_drop       266  0  drop   proxy  pktproc   The number of packets get dropped because of waiting for url category request in ssl proxy
proxy_timer_del_session_added      4  0  info   proxy  pktproc   Number of timers added for deleting proxy host connection
proxy_timer_del_sessions           4  0  info   proxy  pktproc   Number of proxy host connections deleted due to timer
proxy_proxy_host_not_connected    15  0  warn   proxy  pktproc   Number of packets proxy_host tried to receive or transmit when not connected
url_session_not_in_ssl_wait       40  0  error  url    system    The session is not waiting for url in ssl proxy

Counters with severity warn, error or drop are the ones to examine first when decryption fails.
nrice ‎11-08-2017 01:44 AM

The following list of supported ciphers for PAN-OS 7.1 includes ciphers for FIPS and non-FIPS mode, with supported curves and limitations.
‎10-05-2017 10:56 PM

When submitting application requests or information about a possible bug to Support, please provide the documentation listed for the relevant type:

App Bugs and App Requests
- Application name
- Application URL
- Packet capture

Spyware Bugs (all spyware-communication related bugs; threat ID range is 10000 to 20000)
- Threat ID
- Packet capture
- Sample of the spyware

Virus (any sample/malware download or upload false positive, or false negative that bypasses the firewall; virus threat ID range is 100,000 to over 1,000,000)
- The threat ID triggered
- Samples
- URL associated with the bug

Vulnerability (any vulnerability related bugs, anything related to exploits or attacks; threat ID range is 30000 to 50000)
- Threat ID
- Packet capture
- Reference URL

owner: panagent
nrice ‎09-25-2015 01:28 PM

Details

In this scenario, the IP address 192.168.200.1/24 is configured on ethernet1/4 and the user wants to run GlobalProtect on the IP address 192.168.200.2.

Steps

There are two options:

1. Configure 192.168.200.2/32 as a second IP address on ethernet1/4, then select ethernet1/4 and this IP address in the GlobalProtect configuration.
2. Terminate GlobalProtect on a loopback interface and create a NAT policy rule that performs destination NAT from 192.168.200.2 to the loopback IP address. For more information on creating a NAT policy, see: How to create NAT and Security Policies from the CLI

See Also
Fundamentals Guide: Security Policies
How to Create a NAT Rule on the CLI

owner: csharma
bat ‎09-07-2015 04:23 AM

For virus- or malware-infected files to be uploaded to WildFire, the following needs to be in place:

- A File Blocking profile rule with the action set to forward or continue-and-forward
- Direction set to both
- Application set to any
- File type at the discretion of the firewall administrator

owner: shasnain
npare ‎09-04-2015 05:01 AM

Overview

This document describes how to modify and add custom user interface translation mapping files on a Palo Alto Networks firewall. Follow these instructions to change the labels and terms that appear in the user interface.

Note: This capability was introduced in PAN-OS 5.0.

Requirements
- SSH or console connection to your Palo Alto Networks next-generation firewall
- SCP server
- Text editor

Steps

1. SSH into the firewall and log in.
2. Export the UI translation file:

scp export ui-translation-mapping from <en | es | fr | ja | zh_CN | zh_TW> to <username@hostname:path>

The from options (en, es, fr, ja, zh_CN, zh_TW) are the language files for English, Spanish, French, Japanese, Simplified Chinese and Traditional Chinese. The to option gives the username, hostname (or IP) of your SCP server and the destination path, in the format shown.

Note: The command takes two additional options:
- remote-port specifies the port to connect to on the SCP server.
- source-ip specifies the IP address to use as the source of the connection.

For example, to export the Japanese UI translation file to user scpuser's /usr/local/tmp directory on scpserver:

scp export ui-translation-mapping from ja to scpuser@scpserver:/usr/local/tmp

3. Edit the translation file with a text editor. Blank lines and lines starting with // are ignored. Translations are pairs of lines: the first is the original word or phrase, the second its translation. Terms or phrases enclosed in parentheses () must not be modified, as they are replaced with a runtime value.

Warning: Do not use an editor with automatic line wrapping to edit the file.

4. Save the modified file under a new name. The modified file cannot have the same name as any of the default UI translation mapping files on the firewall.
5. SSH into the firewall and import the modified file:

scp import ui-translation-mapping from <username@hostname:path>

The uploaded file appears in the Language Preference dialog box. Selecting it from the drop-down list puts it into use immediately.

Note: This is a per-user preference and must be set the first time each user logs in. Subsequent logins retain the setting.

owner: cstancill
cstancill ‎09-03-2015 07:20 AM

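A loader for the mapping-file format described in the article above, added here as an example (it is not a Palo Alto Networks tool, and nothing on the firewall validates a file this way). It applies only the rules the article states: blank lines and // lines are skipped, entries are consecutive pairs of lines, and anything in parentheses is a runtime placeholder that must survive into the translation unchanged. The sample file contents are constructed, not taken from a real mapping file, and include the two mistakes an editor most easily makes: a placeholder retyped incorrectly and a line left without its translation.

```python
"""Load and validate a PAN-OS UI translation mapping file (format as described in the article).

Added example, not a Palo Alto Networks tool. The sample file below is constructed.
"""
import re
from typing import Dict, List, Tuple

# Anything between parentheses is a runtime placeholder and must not be changed.
PLACEHOLDER = re.compile(r"\([^()]*\)")

SAMPLE_FILE = """\
// constructed sample: original phrase on one line, translation on the next

Commit
Validate and commit

Logged in as (0)
Session of (0)

Delete selected objects
Remove the selected objects?

Last updated (0) minutes ago
Last updated (O) mins ago
Orphan line with no translation
"""


def load_mapping(text: str) -> Tuple[Dict[str, str], List[str]]:
    """Return {original: translation} plus a list of human-readable problems found."""
    lines = [ln for ln in text.splitlines()
             if ln.strip() and not ln.lstrip().startswith("//")]   # skip blank and // lines
    mapping: Dict[str, str] = {}
    problems: List[str] = []
    if len(lines) % 2:
        problems.append(f"unpaired final line: {lines[-1]!r}")
        lines = lines[:-1]
    for original, translated in zip(lines[0::2], lines[1::2]):
        if original in mapping:
            problems.append(f"duplicate entry for {original!r}")
        orig_ph = PLACEHOLDER.findall(original)
        trans_ph = PLACEHOLDER.findall(translated)
        if sorted(orig_ph) != sorted(trans_ph):
            problems.append(f"placeholder mismatch in {original!r}: {orig_ph} -> {trans_ph}")
        mapping[original] = translated
    return mapping, problems


def translate(mapping: Dict[str, str], phrase: str) -> str:
    """Look up a UI phrase; phrases without an entry fall back to the original text."""
    return mapping.get(phrase, phrase)


if __name__ == "__main__":
    mapping, problems = load_mapping(SAMPLE_FILE)
    for p in problems:
        print("WARNING:", p)
    print(translate(mapping, "Commit"))
```

Run it over an exported file before importing it: the "(O)" versus "(0)" mismatch in the sample is exactly the kind of edit that would break runtime substitution, and the odd trailing line shows how a missed translation shifts every pair after it.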
The factory default configuration places ethernet1/1 and ethernet1/2 into a virtual wire. Keep that configuration and configure ethernet1/3 in Tap mode.

1. Go to Network > Zones. Create a new zone with the zone type Tap and give it a name (for example Tap_Zone).
2. Go to Network > Interfaces and select the interface to be configured for Tap, ethernet1/3 in this example. Edit the interface, change the Interface Type to Tap, and assign the zone created in step 1.
3. Go to Policies > Security. Create a single rule that uses the zone created in step 1 as both source and destination zone. For example:
   Name = TAP_Allow
   Source zone = Tap_Zone
   Destination zone = Tap_Zone
   Source, destination, application, service = any; action = allow
4. Optionally, create threat profiles (Antivirus, Anti-Spyware, etc.) and attach them to the rule.

In Tap mode the firewall only receives a copy of the traffic from a switch SPAN or mirror port, so it can log and inspect sessions but cannot block them; the allow rule is what makes the sessions visible in the logs.

owner: jnguyen
jnguyen ‎09-01-2015 05:11 AM

Overview

This document describes the steps to configure a Security policy rule with a Vulnerability Protection profile that blocks brute force attacks against the GlobalProtect Portal page.

Steps

1. Create a Vulnerability Protection profile. Go to Objects > Security Profiles > Vulnerability Protection. In the Exceptions tab, search for vulnerability ID 40017 and check the enable box. Click the Edit icon under the Threat Name column to open the Edit Time Attribute dialog, and adjust the number of hits of the child signature and the time window within which they must occur to trigger the action. The child signature "Palo Alto Networks Firewall VPN Login Authentication Attempt" (ID 32256) matches "x-private-pan-sslvpn: auth-failed" in the HTTP response header. The default is 10 hits within a 60-second window. Set the action to block-ip; with this action a block duration can be configured, tracked by source IP or by source and destination.
2. Create a Security policy rule to apply the profile. Add the portal's IP address under Destination Address and attach the Vulnerability Protection profile created in step 1.

Testing

1. Open the GlobalProtect Portal page and log in with random user names and passwords. The firewall lets the first 9 incorrect login attempts through; the 10th failed response reaches the threshold and the source is blocked.
2. From then on the user is not authenticated even with the correct credentials, and the portal page no longer loads.
3. The event is logged as a Brute Force Authentication Attempt in the threat logs: Monitor > Logs > Threat.
4. If the block-ip action was configured, check the block list on the CLI:
> debug dataplane show dos block-table

New sessions from the blocked source are set to DISCARD with tracker stage firewall "mitigation block ip" and end-reason "threat". Global counters show the drops under the name "flow_dos_drop_ip_blocked", description "Packets dropped: Flagged for blocking and under block duration by other modules".

owner: schaganti
schaganti ‎09-01-2015 04:24 AM

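The time attribute described in the article above, modelled as an added example (this is not PAN-OS code): a sliding-window counter that inspects HTTP response headers for "x-private-pan-sslvpn: auth-failed", counts hits per source (or per source-and-destination pair, mirroring the two tracking options), and blocks the source once the threshold is reached within the window, with defaults of 10 hits in 60 seconds as on the page. The response records, client and portal addresses, and the 300-second block duration are constructed for the example. Because the header is in the portal's response, the firewall sees a failure only after the server has rejected the login; the block therefore applies to the sessions that follow.

```python
"""Sliding-window brute-force detection on GlobalProtect portal responses.

Added example, not PAN-OS code. Records, addresses and the block duration are constructed.
"""
from collections import defaultdict, deque
from typing import Deque, Dict, List, Tuple

AUTH_FAILED_HEADER = "x-private-pan-sslvpn"


def has_auth_failed(raw_headers: str) -> bool:
    """True if the response headers carry 'x-private-pan-sslvpn: auth-failed' (case-insensitive)."""
    for line in raw_headers.splitlines():
        name, _, value = line.partition(":")
        if name.strip().lower() == AUTH_FAILED_HEADER and value.strip().lower() == "auth-failed":
            return True
    return False


class BruteForceTracker:
    def __init__(self, threshold=10, window=60, block_duration=300, track_dst=False):
        self.threshold, self.window, self.block_duration = threshold, window, block_duration
        self.track_dst = track_dst                       # track by source, or by source and destination
        self.hits: Dict[Tuple, Deque[float]] = defaultdict(deque)
        self.blocked_until: Dict[Tuple, float] = {}

    def key(self, src: str, dst: str) -> Tuple:
        return (src, dst) if self.track_dst else (src,)

    def observe(self, ts: float, src: str, dst: str, raw_headers: str) -> str:
        """Return 'blocked' (under block duration), 'block' (threshold just reached) or 'allow'."""
        k = self.key(src, dst)
        if k in self.blocked_until:
            if ts < self.blocked_until[k]:
                return "blocked"
            del self.blocked_until[k]                    # block duration expired
        if not has_auth_failed(raw_headers):
            return "allow"
        q = self.hits[k]
        q.append(ts)
        while q and ts - q[0] > self.window:             # drop hits that fell out of the window
            q.popleft()
        if len(q) >= self.threshold:
            self.blocked_until[k] = ts + self.block_duration
            q.clear()
            return "block"
        return "allow"


# Constructed responses: a failed login carries the header, a successful one does not.
FAILED = "HTTP/1.1 200 OK\r\nx-private-pan-sslvpn: auth-failed\r\nContent-Type: text/html\r\n"
OK = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"

# Constructed traffic: 203.0.113.5 fails ten times in ten seconds against portal 192.0.2.1,
# then presents a valid password; an unrelated client 198.51.100.7 fails once.
RECORDS = [(float(i), "203.0.113.5", "192.0.2.1", FAILED) for i in range(10)]
RECORDS += [(10.0, "203.0.113.5", "192.0.2.1", OK), (11.0, "198.51.100.7", "192.0.2.1", FAILED)]


def run(records, **kwargs) -> List[str]:
    """Feed records through a fresh tracker and return one verdict per record."""
    tracker = BruteForceTracker(**kwargs)
    return [tracker.observe(*rec) for rec in records]


if __name__ == "__main__":
    for (ts, src, dst, _), verdict in zip(RECORDS, run(RECORDS)):
        print(f"t={ts:5.1f} {src} -> {dst}: {verdict}")
```

The tenth failure returns "block"; the attacker's next attempt, even with the right password, returns "blocked", which is the behaviour the article describes after the threshold is reached. The unrelated client is unaffected because hits are keyed per source.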
Issue

Unknown users are not redirected to the Captive Portal page when browsing to an HTTPS/SSL site, but are redirected when browsing to an HTTP site. The Captive Portal policy is configured correctly with 'service-http' and 'service-https', yet browsing to an HTTPS site times out instead of being redirected to the Captive Portal page.

Resolution

SSL Decryption (Forward Proxy) must be configured for the URL category for Captive Portal to work with HTTPS sites. For details on configuring SSL Decryption for the URL category, refer to: How to Implement SSL Decryption

A high-level overview of the Captive Portal operation for HTTP and HTTPS:

HTTP
1. Client sends SYN; the firewall permits it.
2. Server sends SYN/ACK; the firewall permits it.
3. Client sends ACK; the firewall permits it.
4. Client sends HTTP GET; the firewall injects a 302 redirect to the Captive Portal.

HTTPS without decryption
1. Client sends SYN; the firewall permits it.
2. Server sends SYN/ACK; the firewall permits it.
3. Client sends ACK; the firewall permits it.
4. Client sends Client Hello to start the TLS session. Because the user is unknown, the firewall injects a RST. The session shows as DISCARD on the CLI and the client's browser times out at this point.

HTTPS with decryption
1. to 3. Same as above.
4. Client sends Client Hello to start the TLS session.
5. The firewall responds with its own Server Hello (proxy).
6. Once the TLS session is established, the firewall sees the now-decrypted HTTP GET and injects the appropriate 302 redirect.

Inbound HTTPS Captive Portal

For inbound HTTPS sessions the decryption must still be Forward Proxy, not Inbound Inspection, to trigger Captive Portal. Inbound Inspection is transparent decryption: the firewall inspects the embedded data in the encrypted packets to make sure the server is not exposed to a vulnerability once the payload is delivered. It only opens the packet, scans it for viruses, vulnerabilities and spyware, and forwards it to the server untouched if no threat is detected; in this mode the firewall must not modify the packet in any way. In Forward Proxy, by contrast, the firewall acts as a man-in-the-middle and is an active participant in the SSL connection. When a user on the Internet initiates a connection to the server on the internal network, the firewall in Forward Proxy mode can inject the 302 (Moved Temporarily) HTTP response to the Internet user, redirecting them to the Captive Portal page.

For more information on the differences between Forward Proxy and Inbound Inspection, review: Difference Between SSL Forward-Proxy and Inbound Inspection Decryption Mode

See Also
Troubleshooting Captive Portal Redirect Page Issues
Using Captive Portal with HTTP/HTTPS Proxy

owner: tasonibare
tasonibare ‎07-02-2014 12:05 PM

Overview

This document describes the steps to configure DHCP relay on the Palo Alto Networks firewall. The example scenario has the clients in the Trust zone behind interface ethernet1/5 and the DHCP server in the DMZ zone.

Steps

1. Decide which interface will act as the DHCP relay (for example, Trust, ethernet1/5).
2. From the web UI, go to Network > DHCP > DHCP Relay. Click Add and configure the IP address of the DHCP server.
Note: Up to four DHCP server IP addresses can be configured.
3. Configure Security policy rules to allow the DHCP traffic between zones:
   - Trust to Trust: client to/from DHCP relay interface (broadcast and unicast)
   - Trust to DMZ: DHCP relay interface to/from DHCP server (unicast)
In a typical DHCP session, all communication between the DHCP relay interface and the DHCP server is unicast.
4. Commit.

Verification

Test from a client. For example, on a Windows client:

ipconfig /release
ipconfig /renew
ipconfig /all

Note: The DHCP server must route its replies back through the Palo Alto Networks firewall for this configuration to work. Issues arise if the DHCP server uses a different default gateway (or is not directly connected and routes return traffic elsewhere), because the DHCP traffic then becomes asymmetric: the session is not set up properly on the firewall and the DHCP exchange never completes.

owner: jlunario
pagmitian ‎06-12-2014 02:18 AM

Overview

The Palo Alto Networks device has built-in read-only administrator roles. The superreader role gives administrators read-only access to the current device. This document describes how to configure the superreader role for RADIUS servers running on Microsoft Windows Server 2008 (NPS) and Cisco ACS 5.2. The principle is the same for any predefined or custom role on the Palo Alto Networks device. Roles are passed to the device in RADIUS Vendor-Specific Attributes (VSA).

Note: The RADIUS servers need to be up and running before following the steps in this document.

Steps

Windows Server 2008 RADIUS (NPS)

1. On the Palo Alto Networks device, go to Device > Server Profiles > RADIUS and configure a RADIUS Server Profile with the IP address, port and shared secret of the RADIUS server.
2. Go to Device > Authentication Profile and create an Authentication Profile that uses the RADIUS Server Profile.
3. Go to Device > Setup > Authentication Settings and choose the RADIUS Authentication Profile created in step 2.
4. On the Windows Server, add the firewall as a RADIUS client. Under NPS > RADIUS Clients and Servers > RADIUS Clients, create the client with the IP address of the firewall and the shared secret used in step 1.
5. On the Windows Server, configure the Palo Alto Networks RADIUS VSA. Under NPS > Policies > Network Policies, create a policy that will be used for the firewall. Add a Vendor-Specific attribute with vendor code 25461, and in Configure Attribute set the value "superreader", which gives read-only access to the users in the group that receives this role.
6. On the Windows Server, select the group of domain users that should receive the read-only admin role. Under NPS > Policies > Network Policies, select the appropriate group in the Conditions tab of the policy.
7. Test the login with a user that is part of the group. After login, the user should have read-only access to the firewall: every window is read-only and every action is greyed out. The connection can be verified in the audit logs on the firewall; the role given to the logged-in user should be "superreader".

If there are problems logging in, look for errors in authd.log on the firewall:

> tail follow yes mp-log authd.log

Cisco ACS 5.2

1. Follow steps 1, 2 and 3 of the Windows Server 2008 configuration above, using the settings of the ACS server (IP address, port and shared secret).
2. On the ACS, under RADIUS VSA, create the PaloAlto VSA with Vendor ID 25461. Then select the Palo Alto VSA and create the RADIUS dictionaries with the attribute names and IDs. All the dictionaries can be created, but only PaloAlto-Admin-Role (ID 1) is used to assign the read-only value to the admin account.
3. Under Users and Identity Stores > Users, create the user that will log in to the firewall.
4. Under Policy Elements, create an Authorization Profile for the "superreader" role that uses the PaloAlto-Admin-Role dictionary.
5. Under Access Policies, in the Authorization section, create a rule that allows access to the firewall's IP address using the "Permit read access PA" Authorization Profile created in step 4.
6. Test the login with the user. After login, the user should have read-only access to the firewall, with no changes allowed. The connection can be verified in the audit logs on the firewall.

If there are problems logging in, look for errors in authd.log on the firewall:

> tail follow yes mp-log authd.log

See Also
Radius Vendor Specific Attributes (VSA) - for configuring admin roles with RADIUS running on Windows Server 2003 or Cisco ACS 4.0.

owner: ialeksov
ialeksov ‎03-05-2014 03:03 PM

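What the RADIUS server actually sends in the Access-Accept for the configuration above, as an added example (not Palo Alto Networks, NPS or ACS code): the Vendor-Specific attribute (type 26) defined in RFC 2865, carrying vendor ID 25461 and vendor-type 1, PaloAlto-Admin-Role, with the role name as its value. The vendor ID and the attribute ID come from the article; the attribute framing is the RFC's (Type, Length, 4-byte Vendor-Id, then Vendor-Type, Vendor-Length, value). The decoder is included so the bytes an NPS or ACS server emits can be checked in a packet capture; the byte strings in the test are constructed, and nothing here talks to a real RADIUS server.

```python
"""Encode and decode the RADIUS Vendor-Specific attribute carrying a PAN-OS admin role.

Added example, not vendor code. Vendor ID 25461 and vendor-type 1 (PaloAlto-Admin-Role)
are from the article; framing follows RFC 2865 section 5.26.
"""
import struct
from typing import Dict, List, Tuple

VENDOR_SPECIFIC = 26             # RADIUS attribute type
PALOALTO_VENDOR_ID = 25461
PALOALTO_ADMIN_ROLE = 1          # vendor-type of PaloAlto-Admin-Role, per the article


def encode_vsa(vendor_id: int, vendor_type: int, value: bytes) -> bytes:
    """Build one Vendor-Specific attribute holding one vendor sub-attribute."""
    sub = struct.pack("!BB", vendor_type, 2 + len(value)) + value   # Vendor-Type, Vendor-Length, value
    body = struct.pack("!I", vendor_id) + sub                        # 4-byte Vendor-Id (high octet 0)
    if 2 + len(body) > 255:
        raise ValueError("attribute too long for a single RADIUS attribute")
    return struct.pack("!BB", VENDOR_SPECIFIC, 2 + len(body)) + body


def paloalto_admin_role(role: str) -> bytes:
    """The attribute an NPS/ACS policy emits to grant a PAN-OS admin role such as 'superreader'."""
    return encode_vsa(PALOALTO_VENDOR_ID, PALOALTO_ADMIN_ROLE, role.encode("ascii"))


def decode_attributes(data: bytes) -> List[Tuple[int, bytes]]:
    """Walk a RADIUS attribute list into (type, value) pairs, rejecting malformed lengths."""
    attrs, i = [], 0
    while i < len(data):
        if len(data) - i < 2:
            raise ValueError("truncated attribute header")
        atype, alen = data[i], data[i + 1]
        if alen < 2 or i + alen > len(data):
            raise ValueError(f"bad attribute length {alen} at offset {i}")
        attrs.append((atype, data[i + 2:i + alen]))
        i += alen
    return attrs


def decode_vsas(data: bytes) -> Dict[Tuple[int, int], bytes]:
    """Return {(vendor_id, vendor_type): value} for every Vendor-Specific attribute in data."""
    out: Dict[Tuple[int, int], bytes] = {}
    for atype, value in decode_attributes(data):
        if atype != VENDOR_SPECIFIC or len(value) < 6:
            continue
        vendor_id = struct.unpack("!I", value[:4])[0]
        j = 4
        while j + 2 <= len(value):                       # a VSA may carry several sub-attributes
            vtype, vlen = value[j], value[j + 1]
            if vlen < 2 or j + vlen > len(value):
                raise ValueError("bad vendor sub-attribute length")
            out[(vendor_id, vtype)] = value[j + 2:j + vlen]
            j += vlen
    return out


def admin_role_from_attributes(data: bytes) -> str:
    """Extract the PaloAlto-Admin-Role string, or '' if the attribute list carries none."""
    return decode_vsas(data).get((PALOALTO_VENDOR_ID, PALOALTO_ADMIN_ROLE), b"").decode("ascii")


if __name__ == "__main__":
    attrs = paloalto_admin_role("superreader")
    print(attrs.hex())                       # 1a 13 00006375 01 0d 'superreader'
    print(admin_role_from_attributes(attrs))
```

In a capture of the Access-Accept, look for attribute type 0x1a followed by the vendor ID 0x00006375 (25461) and sub-attribute type 0x01; the ASCII after the length byte is the role the firewall will apply. A missing or misspelled role here is the usual reason a user authenticates but lands in the wrong role, and it shows up in authd.log as described above.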
Issue

The Palo Alto Networks firewall is configured with multiple Layer 2 interfaces belonging to the same VLAN. End clients are located behind these interfaces, but they cannot communicate with each other.

Cause

The Layer 2 interfaces have not been assigned to Layer 2 zones. On the Palo Alto Networks firewall, Security policy permits or denies traffic between zones, whether the same zone or different zones. Whether the interfaces are configured as Layer 3, Layer 2, virtual wire or tap, traffic does not pass through them unless they are bound to zones. Even Layer 2 interfaces must therefore be assigned to Layer 2 zones, with a policy configured as needed.

Resolution

Assign the interfaces to Layer 2 zones and commit the changes. Configure a policy rule if the interfaces are not in the same zone, or if a default deny rule has been configured.

owner: kprakash
kprakash ‎06-13-2013 07:27 AM

Overview

FQDN refresh timers control how often the firewall re-resolves the mapping between a fully-qualified domain name and its IP addresses. By default, Palo Alto Networks devices perform this check every 30 minutes.

Details

The FQDN refresh timer can be configured from the CLI only:

> configure
# set deviceconfig system fqdn-refresh-time <1800-14399>
# commit

Beginning in PAN-OS 6.1, the refresh time can be reduced to as little as 10 minutes (600 seconds); the default remains 30 minutes:

> configure
# set deviceconfig system fqdn-refresh-time <600-14399>    (in seconds)
# commit

On all PAN-OS versions, the change can be verified with the show jobs all command: the FqdnRefresh jobs are enqueued at the configured interval. The following output shows a refresh time of 1 hour:

> show jobs all
Enqueued                     ID             Type    Status Result Completed
--------------------------------------------------------------------------
2013/05/13 15:49:16          11      FqdnRefresh       FIN     OK 15:49:16
2013/05/13 14:49:13          10      FqdnRefresh       FIN     OK 14:49:14
2013/05/13 13:49:10           9      FqdnRefresh       FIN     OK 13:49:11

owner: nayubi
nayubi 05-13-2013 03:13 PM
21,880 Views
3 Replies
Symptoms

A site-to-site IPSec VPN has been configured between a Palo Alto Networks firewall and a Cisco router. However, the VPN is unstable or intermittent.

Cause

The issue may be due to a Dead Peer Detection (DPD) configuration mismatch.

Resolution

Check and modify the Palo Alto Networks firewall and the Cisco router so that both have the same DPD configuration. On the Palo Alto Networks firewall, the DPD settings are found under Network > Network Profiles > IKE Gateways. Confirm that the same configuration is made on the Cisco router.

owner: jlunario
pagmitian 02-24-2013 04:38 AM
12,719 Views
0 Replies
1 Like
Issue

By default, LDAP communication from a Palo Alto Networks device occurs through the Management (MGT) interface of the device. In some deployment network environments, the LDAP server may not be reachable from the MGT interface.

Note: In some cases, the Palo Alto Networks device is able to pull group mappings even though LDAP authentication fails against the same LDAP server.

Details

LDAP authentication uses the Management interface by default, and there is no service route configuration option specifically for LDAP. For group mapping information, the Palo Alto Networks device uses the User-ID Agent service route, or the Management interface by default. Therefore, if the User-ID Agent service route is configured, it is possible that the group mapping information is retrieved successfully even though authentication is not.

Resolution

Configure a service route for the LDAP server with the source set to one of the dataplane interfaces:

- Navigate to Device > Setup > Services
- Click on Service Route Configuration
- Click Select (if not already selected) in the Service Route Configuration dialog
- Add a new service route
- The Destination address field should be the LDAP server IP address
- The Source address field should be the IP address assigned to the dataplane interface that can reach the LDAP server

Note: The address convention in the Destination field is host based, i.e. /32. Defining a subnet (for example, 192.168.1.0/24) should be avoided.

Note: Make sure that "Administrator Use Only" is checked in the LDAP Server Profile when it is used as the authenticating server for administrator access to the firewall.

owner: akawimandan
Ameya-Kawimandan 01-17-2013 11:58 PM
6,795 Views
1 Reply
Issue

High Availability (HA) config sync synchronizes the running configuration, but the actual HA settings are not synchronized. If using HA Path Monitoring, the options are to add a Virtual Wire, VLAN, or Virtual Router that will be monitored. When you change the name of a Virtual Router used by the HA Path Monitoring setting on the active device, the Virtual Router is renamed on the device, but HA Path Monitoring will still reference the old Virtual Router name.

Resolution

To fix this sync issue:

- On the passive device, go to Device > High Availability > Link and Path Monitoring
- Change the Virtual Router name to the new name. It will be available from a drop-down list of all Virtual Routers
- Commit the change and wait for the commit to finish
- On the active device, sync the configuration manually or wait for the sync settings to sync automatically

To do a configuration sync:

- On the dashboard, in the High Availability widget, click the Sync Config link
- In the CLI, enter the command:
  > request high-availability sync-to-remote running-config

owner: gwesson
gwesson 09-13-2012 04:02 PM
6,188 Views
0 Replies
Issue

A custom application was created and used in a Security rule, but the traffic never hits the rule.

Resolution

If the custom application is port based, an Application Override rule has to be created so that it is identified at the port level. If it is signature based, including the custom application in the Security rule will suffice, as the App-ID engine matches based on the signature.

To create a port-based application and use it in an Application Override rule:

- Open the Objects > Applications page and click Add
- Create the custom application
- Open the Advanced tab and select the ports
- Go to Policies > Application Override
- Configure the rule to allow the traffic

After the changes are committed, traffic matching the configured ports will match the Application Override rule. The following command can be used to verify the application that matched a connection:

> show session id <id>

owner: sdarapuneni
npare 08-09-2012 01:48 PM
4,913 Views
3 Replies
If traffic reaches the firewall after passing through a proxy or load balancer (e.g. the firewall sits between the load balancer and the web server), enabling the X-Forwarded-For (XFF) feature on the Palo Alto Networks device will show the original client IP address, taken from the XFF header, in the username column of the URL log.

To enable XFF in the configuration:

> configure
# set deviceconfig setting ctd x-forwarded-for yes|no

Or it can be changed with an operational command (not persistent):

> set ctd x-forwarded-for yes|no

owner: mbutt
panagent 07-30-2012 04:29 PM
3,685 Views
0 Replies
Issue

SIP traffic gets dropped after a two-hour session and needs to be reconnected. At the two-hour mark, the keep-alive packets on TCP port 5060 are dropped.

Cause

If the firewall does not see traffic on an established session, it continues to count down the session Time-To-Live (TTL). When the TTL expires, the session is cleared on the firewall, which causes the connection to terminate.

Resolution

Increasing the timeout value of a custom application for this traffic enables the Polycom conference calls to maintain their session uninterrupted for longer periods of time. Perform the following steps to increase the timeout value of the custom application:

- Go to Objects > Applications and click Add > Configuration to create a custom application for TCP port 5060
- In the Advanced tab, set the Timeout values for that custom application only to 604800
- Go to Policies > Security and add a rule to allow the custom application

Note: Custom applications take precedence over predefined applications (including new applications released in content updates) when the traffic matches both a custom and a predefined application. This is also true for VSYS-specific custom applications (applications defined for individual VSYS).

owner: kadak
kadak 07-02-2012 10:24 AM
9,646 Views
1 Reply
1 Like
Symptoms

OSPF neighborship stuck in the ExStart state.

Resolution

In the majority of cases, an MTU mismatch is the cause of this issue. Every router participating in the OSPF network needs to be configured with exactly the same MTU value.

If a "deny all" rule is part of the firewall's policy, it is also possible that the OSPF unicast packets get dropped by that rule. Examine the logs to determine whether those packets are rejected. If that is the case, add a rule allowing the OSPF protocol.

Newer Cisco Nexus switches have the vPC (virtual PortChannel) option; this option reduces the TTL by one, affecting OSPF unicast packets. This will also cause the neighborship with the firewall to be stuck in the ExStart state.

owner: sraghunandan
sraghunandan 05-25-2012 11:21 AM
7,340 Views
2 Replies
1 Like
Issue

Some applications must be blocked in order to stop Psiphon traffic.

Resolution

Psiphon is a tunneling application for evading censorship; however, it provides no additional security for communications. The Psiphon site states, "Psiphon is designed to provide a channel to access content that is normally filtered. It is not a replacement for a secure communication environment. Psiphon will not secure e-mail, encrypt hard drive, or provide the user with end-to-end anonymity."

Psiphon uses three protocols:

- HTTP proxy (according to the newer revision of the documentation, SSL support has been added)
- SSH
- VPN: IKE/IPsec/L2TP

In order to block Psiphon, SSL and SSH traffic (via SSL and SSH decryption) as well as VPN traffic to internal segments must be blocked. It is very important to block only internal users from using VPN-related applications; creating a rule that is too broad could potentially cause connectivity issues with remote sites.

owner: ppolizzi
panagent 04-30-2012 07:48 AM
16,507 Views
1 Reply
Issue

Is there a way to allow access to specific URLs within a site, while not allowing access to the root or other URLs on that site? For example:

Block - news.yahoo.com
Allow - news.yahoo.com/world

Resolution

Create a custom URL category for news.yahoo.com and set the action to block. Put news.yahoo.com/world in the allow list of a URL Filtering profile.

owner: shasnain
shasnain 04-23-2012 08:24 AM
4,502 Views
0 Replies