Configuration Articles

Featured Article
Issue
The Palo Alto Networks firewall is configured with two interfaces (Untrust and Web-Untrust) connected to the same VLAN on a DMZ switch (running VRRP), and bi-directional static NAT rules are configured from the Trust zone to the Untrust zone. Whenever the firewall is rebooted, it answers ARP for some of the NAT addresses with the Web-Untrust interface's MAC address, even though the NAT rules specify Trust to Untrust. Removing the bi-directional flag and manually creating the inbound portion of the NAT rule from Trust to Untrust resolves the problem.

Resolution
Bi-directional NAT rules were created to simplify NAT configuration for servers that must both initiate outbound sessions (where the source address is translated) and respond to inbound sessions (where the destination address is translated on incoming packets). For inbound sessions, a bi-directional NAT rule must match connections coming from internal or external zones, because many companies use a single DNS entry for a service offered to both internal and external users. To satisfy this, the bi-directional rule creates a static source NAT rule that contains exactly the match criteria specified in the rule (for outbound sessions), and it also creates a hidden destination NAT rule (not shown in the configuration) for inbound sessions. That hidden rule uses a source zone of 'any', so traffic from internal users (internal zone) and from external users (external zone) both match it and can reach the services offered by that server.

In this case, the firewall answers ARP on the Web-Untrust interface because that interface can also be used to reach the server served by the bi-directional NAT rule: the Untrust and Web-Untrust interfaces are on the same subnet, and the automatically created destination NAT rule has a source zone of 'any' for the reasons described above. If the configuration is changed to two separate NAT rules (one source NAT rule for outbound sessions and one destination NAT rule for inbound sessions), the problem is avoided: when the destination NAT rule's source zone excludes Web-Untrust, the firewall no longer ARPs for the translated address on the Web-Untrust interface.

owner: jnguyen
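As an added example (not part of the original article), here is the same server's NAT expressed first as a single bi-directional rule and then as the two explicit rules the resolution recommends, in PAN-OS set-command form. The zone names Trust, Untrust and Web-Untrust come from the article; the rule names, the server address 10.1.1.10 and the public address 203.0.113.10 are assumptions.

```text
# Before: one bi-directional static NAT rule. The hidden inbound rule it
# generates has source zone 'any', so the firewall also answers ARP for
# 203.0.113.10 on Web-Untrust, which shares the Untrust subnet.
set rulebase nat rules Srv-BiDir from Trust to Untrust source 10.1.1.10 destination any service any
set rulebase nat rules Srv-BiDir source-translation static-ip translated-address 203.0.113.10 bi-directional yes

# After: replace it with two explicit rules.
# 1) Outbound source NAT with the same match criteria as before.
set rulebase nat rules Srv-Out from Trust to Untrust source 10.1.1.10 destination any service any
set rulebase nat rules Srv-Out source-translation static-ip translated-address 203.0.113.10 bi-directional no

# 2) Inbound destination NAT with the source zones listed explicitly.
#    Web-Untrust is deliberately absent, so the firewall stops ARPing for
#    203.0.113.10 on that interface. Trust is included so that internal
#    users resolving the single DNS name still reach the server; the 'to'
#    zone is the zone of the pre-NAT destination address (Untrust).
set rulebase nat rules Srv-In from [ Untrust Trust ] to Untrust source any destination 203.0.113.10 service any
set rulebase nat rules Srv-In destination-translation translated-address 10.1.1.10

delete rulebase nat rules Srv-BiDir
commit
```

The security policy still has to allow the inbound sessions to the post-NAT address (10.1.1.10 in the Trust zone); splitting the NAT rule changes only which interfaces the firewall proxy-ARPs on, not what the security rulebase permits.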
nrice 09-09-2015 10:20 AM
Overview
This document describes how to configure an 802.1q VLAN tag on an 802.3ad aggregate group (aggregate Ethernet interface).

Steps
1. Create an aggregate group. Web UI: go to Network > Interfaces and click Add Aggregate Group. CLI:
# set network interface aggregate-ethernet <value>
  Aggregate interface name: ae1 - ae4

2. Set the aggregate Ethernet interface type to layer2 or layer3. CLI:
# set network interface aggregate-ethernet ae1
  + comment    comment
  > layer2     Layer2 interface
  > layer3     Layer3 interface

3. Assign Ethernet interfaces to the aggregate Ethernet interface. Web UI: go to Network > Interfaces > Ethernet, select the desired Ethernet interface and set Interface Type to "Aggregate Ethernet". CLI:
# set network interface ethernet ethernet1/1 aggregate-group ae1

4. Add a subinterface to the aggregate Ethernet interface. Web UI: go to Network > Interfaces > Ethernet, select the aggregate interface and click Add Subinterface. CLI:
# set network interface aggregate-ethernet ae1 layer2 units ae1.<value>

5. Assign the 802.1q VLAN tag. CLI:
# set network interface aggregate-ethernet ae1 layer2 units ae1.1 tag <value>
  <1-4094>  802.1q VLAN tag

owner: ssastera
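The whole procedure as one configure-mode sequence, added here as an example and not taken from the article. It goes one step beyond the article by also placing the tagged subinterface in a VLAN object, which a layer2 subinterface needs before it forwards anything. Member ports ethernet1/1 and ethernet1/2, the VLAN ID 100, the subinterface name ae1.100 and the VLAN object name vlan100 are assumptions.

```text
# 1. Create the aggregate group and set its type (layer2 here).
set network interface aggregate-ethernet ae1 layer2

# 2. Add the physical members. The switch side must bundle the same ports.
set network interface ethernet ethernet1/1 aggregate-group ae1
set network interface ethernet ethernet1/2 aggregate-group ae1

# 3. Add a subinterface and give it the 802.1q tag (valid range 1-4094).
#    Frames arriving on ae1 with VLAN ID 100 are mapped to ae1.100.
set network interface aggregate-ethernet ae1 layer2 units ae1.100 tag 100

# 4. A layer2 subinterface only switches traffic once it belongs to a VLAN
#    object (assumed name vlan100). Like any interface it must also be put
#    in a zone before security policy will pass traffic through it.
set network vlan vlan100 interface ae1.100

commit
```

For a layer3 aggregate the subinterface is created under `layer3 units` instead (for example `set network interface aggregate-ethernet ae1 layer3 units ae1.100 tag 100 ip 10.100.0.1/24`, addresses assumed) and is added to a virtual router rather than a VLAN object.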
ssastera 09-12-2014 10:12 AM
Issue
After SSL decryption is configured, Mozilla Firefox shows a certificate error: (Error code: sec_error_untrusted_issuer). The full article includes a screenshot of this message.

Cause
Firefox uses its own certificate store rather than the operating system store that Internet Explorer (IE) and Google Chrome rely on, so a forward trust CA certificate that has been added to the Windows store is still untrusted by Firefox.

Resolution
Import the root (forward trust) certificate used for SSL decryption into Firefox: go to Options > Advanced > Certificates > View Certificates > Authorities and click Import. Once the certificate has been imported, select it, click 'Edit Trust' and make sure the option to trust it for identifying websites is selected. In the article's example the imported certificate is named 172.16.105.1. Newer Firefox releases can alternatively be told to trust the Windows root store by setting security.enterprise_roots.enabled to true (in about:config or through enterprise policy), which avoids a per-browser import.

owner: hshah
hshah 07-21-2014 06:05 AM
Issue
The GlobalProtect client cannot connect to the GlobalProtect Portal. The following error appears in the GPS (GlobalProtect Services) log:
failed to SetDoc. Message: errors getting GlobalProtect config

Cause
The error is caused by the user/group-based restrictions under Portal > Client Configuration > User/User Group: the portal cannot match the GlobalProtect user to any configured user or group. This happens when the user is not a member of the specified group, or when the group mapping configuration is broken (for example, by a syntax error in the group filter or LDAP path).

Resolution
Check the group mapping configuration and make sure the user is a member of one of the specified groups. See: Troubleshooting User-ID: Group and User-to-IP Mapping

owner: hshah
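As an added check (not from the original article), these PAN-OS operational commands show what the firewall's group mapping actually contains, so you can confirm that the user is in the group the portal's client configuration references before chasing the client. The group DN, the username form and the IP address are assumptions.

```text
# Is group mapping healthy, and has the firewall fetched the group at all?
> show user group-mapping state all
> show user group list

# List the members the firewall holds for the group referenced in
# Portal > Client Configuration > User/User Group (DN is an assumption).
> show user group name "cn=gp-users,ou=groups,dc=example,dc=com"

# The username GlobalProtect presents must appear in that list in the same
# form (for example example\jdoe). If the machine already has a User-ID
# mapping, confirm it resolves to the expected account (address assumed):
> show user ip-user-mapping ip 192.0.2.25

# After correcting the group-mapping configuration, force a refresh rather
# than waiting for the next scheduled update, then retry the client login.
> debug user-id refresh group-mapping all
```

If `show user group name` returns no members, the failure is in group mapping itself (bind credentials, base DN or group filter), not in the portal configuration, and the portal error will persist until that is fixed.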
hshah 01-06-2014 06:37 PM
Overview
This document demonstrates how to create a security policy that denies high-risk (risk 5) file-sharing applications that use peer-to-peer technology in the general-internet category.

Steps
Under the Policies tab, select Security and add a security rule. Enter the necessary information under the General, Source, User and Destination tabs, then select the Application tab. Click Add, scroll to the bottom of the drop-down and select Application Filter. Name the application filter you want to create. Since we are interested in high-risk (5) file-sharing applications that use peer-to-peer technology, select the following: under Category, click general-internet; under Subcategory, select file-sharing; set Technology to peer-to-peer; set Risk to 5. Click OK to save; the application filter appears in the rule. Complete the rest of the security rule. It is recommended to leave Service and URL Category set to 'any' (peer-to-peer applications rarely stay on their default ports) and to set Action to 'Deny'. Traffic through the firewall is then matched against the application filter.

Note: Application filters are dynamic. If a built-in category is chosen, a filter can be made that is usable in rules and includes everything that matches that category. As applications are re-categorized or new ones are added to that category, they are added to or removed from the filter automatically. This can cause surprises: a re-categorization can make an application that was previously allowed become blocked, and vice versa. An application group, by contrast, groups applications in the same manner as a service group or address group: when more applications need to be allowed or blocked, they must be added to the application group manually.

See Also
For an in-depth understanding of application dependencies, which you need in order to apply the high-risk application rule effectively, refer to the following document: How to Check if an Application Needs to have Explicitly Allowed Dependency Apps

owner: sodhegba
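As an added example (not part of the original article), the same filter and deny rule in PAN-OS set-command form, followed by the static application-group alternative that the Note contrasts it with. The names HighRisk-P2P-FileSharing, Block-HighRisk-P2P, Block-P2P-Static, the zones Trust and Untrust, and the choice of group members are assumptions; the `members` keyword matches current set-command syntax, so check `set application-group ?` on older releases.

```text
# Dynamic filter: category, subcategory, technology and risk are the four
# criteria from the article. Its membership changes with content updates.
set application-filter HighRisk-P2P-FileSharing category general-internet subcategory file-sharing technology peer-to-peer risk 5

# Deny rule using the filter. Service stays 'any' rather than
# application-default so that evasive P2P clients on non-standard ports
# are still caught; URL category stays 'any'. Log at session end so the
# blocks show up in the traffic log.
set rulebase security rules Block-HighRisk-P2P from Trust to Untrust source any destination any user any
set rulebase security rules Block-HighRisk-P2P application HighRisk-P2P-FileSharing service any category any action deny
set rulebase security rules Block-HighRisk-P2P log-end yes

# Static alternative: an application group changes only when you edit it.
# bittorrent and emule are real App-IDs; picking them is an assumption.
set application-group Block-P2P-Static members [ bittorrent emule ]
set rulebase security rules Block-P2P-Static from Trust to Untrust source any destination any user any
set rulebase security rules Block-P2P-Static application Block-P2P-Static service any category any action deny

# A deny rule only works above the rule that would otherwise allow the
# traffic, so move it to the top of the rulebase.
move rulebase security rules Block-HighRisk-P2P top
commit
```

Pick the filter when you want new peer-to-peer applications blocked as soon as a content update classifies them, and the group when a change in what is blocked must go through change control.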
sodhegba 07-25-2013 08:21 AM
Issue
When a customer makes a VoIP call, the Palo Alto Networks firewall passes the INVITE and the replies, and audio is present once the other side answers. The two parties can talk for only about 30 seconds, after which the call disconnects.

Cause
SIP ALG (Application-Level Gateway) is a component commonly found in routers and firewalls. It lets VoIP traffic pass from the private to the public side of the firewall and back when NAPT (Network Address and Port Translation) is in use, by inspecting and rewriting the contents of SIP packets. The disconnect after roughly 30 seconds points to a missing message in the INVITE handshake: if the ACK that answers the 200 OK is never received, the call is torn down when the timer expires.

Resolution
Configure a custom application override for the SIP and RTP traffic (see How to Create an Application Override Policy), so that the firewall passes the SIP packets without ALG rewriting. The full article includes screenshots of a sample SIP override policy and of the completed application override configuration.

Note: The custom application ("SIP-override" in the example) must also be allowed in the security policy.

owner: pvemuri
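As an added example (not the article's configuration), the override policy and the matching security rule in PAN-OS set-command form. The zone names Trust and Untrust, the custom application names, UDP/5060 for signaling and the RTP port range 16384-32767 are assumptions; check the range your PBX and phones actually use.

```text
# Custom applications for the override rules to point at. Category,
# subcategory, technology and risk are required fields for a custom app.
set application SIP-override category collaboration subcategory voip-video technology client-server risk 3
set application RTP-override category collaboration subcategory voip-video technology client-server risk 3

# Override rules. Traffic that matches is no longer inspected by App-ID,
# so the SIP ALG does not rewrite the INVITE / 200 OK / ACK exchange.
# Both directions are covered because calls are placed from either side.
set rulebase application-override rules SIP-override from [ Trust Untrust ] to [ Trust Untrust ] source any destination any protocol udp port 5060 application SIP-override
set rulebase application-override rules RTP-override from [ Trust Untrust ] to [ Trust Untrust ] source any destination any protocol udp port 16384-32767 application RTP-override

# The custom applications still need a security rule that allows them;
# without it the override matches and the traffic is then denied.
set rulebase security rules Allow-VoIP-Override from [ Trust Untrust ] to [ Trust Untrust ] source any destination any application [ SIP-override RTP-override ] service any action allow
commit
```

An application override turns off App-ID inspection for the matching traffic, which is what removes the SIP ALG, but it also removes the ALG's NAT fix-ups and its dynamic RTP pinholes. That is why the RTP range needs its own override and allow rule, and why the SIP endpoints must handle NAT themselves (for example a PBX configured with its public address) if the call crosses a NAT boundary.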
pvemuri 07-18-2013 01:51 PM
Issue
The Palo Alto Networks firewall is configured with multiple Layer 2 interfaces belonging to the same VLAN. End clients are located behind these interfaces, but they cannot communicate with each other.

Cause
This issue occurs when the Layer 2 interfaces have not been assigned to Layer 2 zones. On the Palo Alto Networks firewall, security policy permits or denies traffic between the same or different zones, and whether interfaces are configured as Layer 3, Layer 2, virtual wire or tap, traffic does not pass through them unless they are bound to zones. So even for Layer 2 interfaces, you have to assign them to Layer 2 zones and configure policy as needed.

Resolution
Assign the interfaces to Layer 2 zones and commit the changes. Configure a policy if the interfaces are not in the same zone or if a default deny rule has been configured.

owner: kprakash
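The fix in configure-mode commands, added here as an example rather than taken from the article. It assumes the two Layer 2 interfaces are ethernet1/3 and ethernet1/4 and already belong to the same VLAN object (as the issue states), and that the zone is called L2-Clients.

```text
# Bind both interfaces to one Layer 2 zone. Until this is done, frames
# arriving on them are dropped because no zone, and so no rule, matches.
set zone L2-Clients network layer2 [ ethernet1/3 ethernet1/4 ]

# With both interfaces in one zone the traffic is intrazone, which the
# default intrazone rule allows. An explicit rule is only needed if a
# deny-all rule (or a modified intrazone default) would block it; it must
# then sit above that deny-all rule.
set rulebase security rules Allow-L2-Clients from L2-Clients to L2-Clients source any destination any application any service any action allow
move rulebase security rules Allow-L2-Clients top
commit

# Verify: the VLAN object should list both interfaces, and each interface
# should now report the zone it belongs to.
> show vlan all
> show interface ethernet1/3
```

If the interfaces are put in different Layer 2 zones instead, an interzone rule between those zones is required, since the default interzone action is deny.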
kprakash 06-13-2013 07:27 AM
Overview
This document describes how to verify the MTU size and configure it on an interface.

Details
Look for the following global counters, which indicate that packets exceeded the interface MTU:

> show counter global filter packet-filter yes delta yes
flow_fwd_mtu_exceeded    7    0  info   flow  forward   Packets lengths exceeded MTU
flow_fwd_ip_df           5    0  drop   flow  forward   Packets dropped: exceeded MTU but DF bit present

flow_fwd_mtu_exceeded counts packets larger than the egress interface MTU (severity info: these can still be fragmented), while flow_fwd_ip_df counts those that had to be dropped because the DF (Don't Fragment) bit was set. These counters typically show up when the interface MTU has been set below 1500 bytes. If drops are seen on these counters, set the MTU of the applicable interface to 1500. Go to Network > Interfaces > Ethernet > ethernet1/3 > Advanced > MTU to configure the value. The MTU can also be checked from the CLI:

> show interface ethernet1/3
--------------------------------------------------------------------------------
Name: ethernet1/3, ID: 18
Link status:
  Runtime link speed/duplex/state: 1000/full/up
  Configured link speed/duplex/state: auto/auto/auto
MAC address:
  Port MAC address 00:1b:17:a6:41:12
Operation mode: layer3
Untagged sub-interface support: no
--------------------------------------------------------------------------------
Name: ethernet1/3, ID: 18
Operation mode: layer3
Virtual router default
Interface MTU 1500
Interface IP address: 10.66.24.60/23
Interface management profile: ping-only
  ping: yes  telnet: no  ssh: no  http: no  https: no  snmp: no  response-pages: no

Verify in a Wireshark capture whether the DF bit is set to 1 in the packets the firewall receives, and compare the size of those packets with the MTU of the egress interface. If a packet is larger than the interface MTU and carries the DF bit, the firewall drops it (normally returning an ICMP "fragmentation needed" message to the sender) and the counters above increment.

Note: Such drops commonly show up as some websites failing to load fully.

owner: ssunku
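The CLI equivalent of the procedure above, added here as an example (not from the article), including the one step the article leaves implicit: `packet-filter yes` only counts packets that match an active packet-diag filter, so a filter has to be set and switched on first. The interface ethernet1/3 and its address come from the article; the destination address 192.0.2.10 is an assumption.

```text
# Configure mode: set the interface MTU (the same value the GUI path sets).
set network interface ethernet ethernet1/3 layer3 mtu 1500
commit

# Operational mode (shown with the '>' prompt). Define a packet filter for
# the traffic you are troubleshooting and enable it; without this the
# 'packet-filter yes' counters stay at zero even while packets are dropped.
> debug dataplane packet-diag clear all
> debug dataplane packet-diag set filter match source 10.66.24.60 destination 192.0.2.10
> debug dataplane packet-diag set filter on

# Reproduce the traffic, then read only the MTU-related counters.
# 'delta yes' shows the change since the last run, so run it twice.
> show counter global filter packet-filter yes delta yes | match mtu

# Confirm the new MTU took effect, then switch the filter off again so it
# does not keep consuming dataplane resources.
> show interface ethernet1/3 | match MTU
> debug dataplane packet-diag set filter off
```

If flow_fwd_ip_df keeps incrementing after the MTU is raised to 1500, the sender is emitting frames larger than 1500 bytes with DF set (for example over a jumbo-frame segment), and the fix belongs on the sending side or on an intermediate tunnel rather than on this interface.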
Phoenix 05-01-2013 08:29 AM
Issue
A site-to-site IPsec VPN has been configured between a Palo Alto Networks firewall and a Cisco router using a Virtual Tunnel Interface (VTI). However, IKE Phase 2 does not come up between the firewall and the router, so the VPN is down: the tunnel interface is down, and IKE Phase 1 is up but IKE Phase 2 is down.

Cause
The issue may be caused by an IKE Phase 2 (IPsec) proposal mismatch, specifically a PFS (Perfect Forward Secrecy) mismatch: the two sides disagree on whether PFS is used, or on the DH group used for it.

Resolution
Configure the Palo Alto Networks firewall and the Cisco router with the same PFS setting. On the firewall, go to Network > IPSec Crypto, select the crypto profile applied to the tunnel and make sure its DH Group value matches the PFS group on the Cisco router. On the Cisco router, set the PFS group to match the firewall. The full article shows the output of tail follow yes mp-log ikemgr.log on the firewall CLI: the first highlighted section shows the message logged for a PFS mismatch, and the second shows the messages after the mismatch was corrected. On the firewall, run show vpn flow tunnel-id <id-number> to check whether the encap and decap packet counters are incrementing. On the Cisco router, enter show crypto ipsec sa to check whether its encap and decap packet counters are incrementing.

owner: jlunario
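Both sides of a matching PFS configuration, added as an example and not taken from the article. DH group 14 is the assumed PFS group; the profile names Cisco-VTI and PAN-VTI, the tunnel name VPN-Cisco, the transform set PAN-TS and the use of AES-256 with SHA-256 are assumptions as well.

```text
# PAN-OS (configure mode): the IPsec crypto profile carries the PFS group
# as 'dh-group'. It must equal the group in the router's 'set pfs'.
set network ike crypto-profiles ipsec-crypto-profiles Cisco-VTI esp encryption aes-256-cbc
set network ike crypto-profiles ipsec-crypto-profiles Cisco-VTI esp authentication sha256
set network ike crypto-profiles ipsec-crypto-profiles Cisco-VTI dh-group group14
set network ike crypto-profiles ipsec-crypto-profiles Cisco-VTI lifetime hours 1
set network tunnel ipsec VPN-Cisco auto-key ipsec-crypto-profile Cisco-VTI
commit

! Cisco IOS VTI side: the transform set and PFS group must match the
! profile above. If the router has no 'set pfs' line, the firewall's
! profile must use 'dh-group no-pfs' instead.
crypto ipsec transform-set PAN-TS esp-aes 256 esp-sha256-hmac
 mode tunnel
crypto ipsec profile PAN-VTI
 set transform-set PAN-TS
 set pfs group14
interface Tunnel0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile PAN-VTI

# Verification after the change (PAN-OS operational mode).
> show vpn ipsec-sa
> show vpn flow name VPN-Cisco
```

Watch ikemgr.log (tail follow yes mp-log ikemgr.log) while the router retries Phase 2; once the groups agree the proposal-mismatch message stops and `show vpn ipsec-sa` lists the SA.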
pagmitian 02-24-2013 04:23 AM
This document demonstrates IPsec interoperability between Palo Alto Networks firewalls and the Cisco ASA firewall series. It also details the IPsec configuration, statistics and CLI output from both PAN-OS and the Cisco ASA.

owner: ksomu
panagent 02-14-2012 01:20 PM
Overview
This document describes how to use a Group Policy Object (GPO) to push the SSL decryption (forward trust) certificate to end-user machines.

Steps
Note: Actual screens vary between Windows releases and environments.
Export the SSL decryption certificate from the Palo Alto Networks firewall. Export only the certificate, not its private key; the key must stay on the firewall.
Create a GPO.
Import the SSL decryption certificate into the GPO under Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies > Trusted Root Certification Authorities, so that it lands in the trusted root store of every domain-joined machine the GPO applies to.

owner: wtam
nrice 04-06-2011 01:27 PM