Management Articles

Featured Article
Symptom
When using SSL decryption policy to block malware, the block page does not always display.

Cause
When requesting a web page, browsers tend to allow any response with a header similar to this:

    Accept: text/html, image/png, */*;q=0.1\r\n

The */* indicates that any response type will be accepted. When requesting a specific object (.zip, .txt, etc.) the client browser may only allow that type of response, limiting what the browser will display. If requesting a .txt file, you may only see:

    Accept: text/text\r\n

When the firewall displays a response page indicating that the request is blocked due to a virus, it displays it as an HTML page, with the mime-type text/html. This can mean that if the browser is only allowing text/text, the page will not be displayed. During an SSL communication, the client browser may close the request rather than display an error that the mime-type did not match what was requested. This results in the browser just "spinning", not displaying any page until an error is presented after a timeout.
owner: gwesson
gwesson 02-06-2013 10:20 AM
5,546 Views
3 Replies
Issue
When attempting to import a subordinate CA with a SHA-512 hash made from a Windows 2008 R2 server, it imports properly but attempting to commit results in an error:

    Error: Certificate 'unsupported' failed to load: parse tbs certificate not supported algorithm.

Resolution
Redo the certificate and use SHA-256, as SHA-512 is not supported.
owner: jnguyen
jnguyen 09-13-2012 11:35 AM
4,286 Views
2 Replies
Details
The trusted / untrusted root Certificate Authorities (CA) can be viewed and managed by navigating to Device > Certificate Management > Certificates.

In PAN-OS 6.1, the following CLI command was added to view the trusted/untrusted certificates:

    > request certificate show

owner: sdurga
sdurga 08-27-2012 08:25 PM
4,255 Views
1 Reply
Symptoms
Unable to connect Apple iOS based devices (iPad / iPhone) using GlobalProtect. The same certificate works when using a Macintosh or Windows PC.

Issue
The CN (Common Name) on the certificate must contain either the Portal IP address or the FQDN that resolves to the GlobalProtect Portal IP address. If the server certificate is installed but the CN is misconfigured, a user can type in the address from a PC browser and be prompted with a certificate error message which can be ignored, so that the PC (both Mac and Windows) connects successfully. No such prompt is available for iOS based devices; as a result, the connection fails and the users are prompted with an error message stating "VPN server not responding".

Resolution
The server certificate CN must match the FQDN or the IP address entered for the GlobalProtect Portal address in the GlobalProtect client. Wildcard SSL certificates are not supported with iOS due to the operating system restrictions just discussed. For example, if the CN is GP.DOMAIN.COM then GP.DOMAIN.COM must be entered as the portal address to connect to. The IP address the FQDN resolves to cannot be entered.
owner: sjamaluddin
npare 08-06-2012 02:08 PM
12,489 Views
3 Replies
Issue
Users of Chrome version 21 are unable to make SSL connections to google.com destinations. When attempting to connect to an SSL-enabled google.com destination, the browser either issues a "This is probably not the site you are looking for" message or produces an error page with the message "Error 324 (net::ERR_EMPTY_RESPONSE): The server closed the connection without sending any data." This is due to a new HTTP transport protocol currently being tested by Google. More information on SPDY: http://en.wikipedia.org/wiki/SPDY

Resolution for Windows
1. Confirm that the process "chrome.exe" is not running in the Task Manager and that all Chrome windows are closed.
2. Open the shortcut's properties.
3. In the Target field, add "--use-spdy=off --use-system-ssl" to the end.
4. Click Apply.

Resolution for Mac
1. Open the Terminal (Applications > Utilities folder).
2. Change to Chrome's directory:
    cd /Applications/Google\ Chrome.app/Contents/MacOS
3. Rename Google Chrome to Chrome:
    mv Google\ Chrome Chrome
4. Copy the following 3 lines, which are the contents of the new execution script:
    #!/bin/sh
    # This will execute your Google Chrome with SPDY disabled, and set it to use your System SSL
    /Applications/Google\ Chrome.app/Contents/MacOS/Chrome --use-spdy=off --use-system-ssl
5. Create the file from what was just copied:
    pbpaste > Google\ Chrome
6. Make the file executable so the new Google Chrome wrapper can run:
    chmod +x Google\ Chrome
7. Close Google Chrome using the Apple menu, or Command-Q.
8. Restart Google Chrome.
owner: dlorenzen
dlorenzen 08-03-2012 11:53 AM
9,099 Views
3 Replies
Overview
Users who have implemented a Microsoft Certification Authority are able to seamlessly deploy (assuming Root Certificates have been pushed to all clients) various features such as SSL-Decrypt (forward-proxy) and GlobalProtect. Using Microsoft Certificate Authority can also eliminate errors when accessing the web UI for Management Access.

Use the Microsoft Certification Authority with Server 2008 Enterprise to backup/export the Root Certificate hosted on the CA or to generate/export a Subordinate CA. This allows the Root CA to remain secured, with the subordinate being capable of revocation at any time, which is completely transparent to the clients.

Subordinates can be created if the CA includes the 'Subordinate Certificate Authority' template through the 'Advanced Certificate Request' of the Microsoft Certificate Service web UI. If the certificate services web page does not work, try to generate the certificate from the domain controller command line with the following command:

    C:\> certreq.exe -submit -attrib "CertificateTemplate:SubCA" <CSR file>

If unable to generate a subordinate through the Microsoft Certificate Service, you can export the Root CA (with the private key) and import it into the Palo Alto Networks firewall to allow signing of 'on-the-fly' certificates generated for SSL-Decrypt.

Important! This workaround should be exercised with caution. It is highly advisable/recommended to delete the Root CA from the Palo Alto Networks firewall immediately following the issuing of the subordinate CA.

Steps
To backup/export the Root Certificate from the CA, launch the Certification Authority snap-in and follow the export wizard as follows:
1. Launch the Certification Authority snap-in and right-click on the CA. In the menu selections that appear, select "All Tasks" and then "Back up CA…" as shown below:
2. Select Next to continue the Backup Wizard.
3. Select the checkbox for "Private key and CA certificate". Without the private key, it will not be possible to sign certificates as a CA, which is a requirement for SSL-Decrypt/Forward-Proxy.
4. Enter a Password and save to a secure location; this will be required during import.
5. Click Finish to complete the backup/export process, which will save the cert/key in '.p12' format.

Workaround
To generate a Subordinate CA with the Root Cert issued by the Microsoft Certificate Authority, temporarily import the Root Cert from the CA into the Palo Alto Networks firewall. Then, generate/sign a new CA off of the Root CA. In this example, the Microsoft Root CA 'InternalCA' is signing the Subordinate CA 'SubordinateCA', which has been generated as a Certificate Authority.

Important! Once the certificate is successfully issued, delete the recently imported Root CA. This allows the distribution of the Subordinate CA to various Palo Alto Networks firewalls throughout an organization without compromising the Root CA, which should be deleted from the Palo Alto Networks firewall upon generation of the Subordinate.

As long as the Root Cert is installed on the client systems (typically deployed with AD/GPOs, scripts, etc.), the Subordinate cert will be trusted by default as it was signed directly by the Root. The following example shows a full/valid chain utilized with SSL-Decrypt, with the certificate generated on-the-fly by the subordinate and validated by the Root.

With either the Root Certificate imported as a CA or the Subordinate imported/generated as a CA, in addition to the benefits associated with seamless SSL-Decrypt deployments (assuming previously deployed to the user community), it will now be possible to sign Server certs for GlobalProtect, Secure WebUI for Admin Access, Client Certs, etc.
owner: bryan
bryan 08-01-2012 08:16 PM
44,724 Views
8 Replies
2 Likes
Overview
When decryption is enabled, the Palo Alto Networks firewall actively collects data in the certificates for the Certificate Revocation Lists (CRL). The information is used to get details about the revoked certificates and update intervals. A CRL contains the information about when the firewall should check again. The CRL is refreshed on the firewall according to the next update time given on the certificate itself. For example, the CRL for Google is shown on this image:

It is possible to view current CRL information and also clear those lists. If checking the CRL on the Palo Alto Networks firewall, the same information will appear for the next update interval.

    > debug sslmgr view crl http://pki.google.com/GIAG2.crl
    Current time is: Wed Nov 26 09:02:23 2014
    Next update time is Dec 06 05:00:03 2014 GMT
    Count   Serial Number                            Revocation Date
    ------- ---------------------------------------- ------------------------
    [1    ] 5C3554B16F8C8D6F                         Oct 29 09:54:02 2014 GMT
    [2    ] 4FB7E1449E931F22                         Apr 07 14:24:42 2014 GMT
    [3    ] 78B5252CB70AB2C9                         May 22 10:27:08 2014 GMT
    [4    ] 0CD37F0CC118D6E1                         Sep 08 14:18:39 2014 GMT
    [5    ] 0D2AF612383ADA5C                         Jul 09 07:58:39 2014 GMT
    [6    ] 1E9B268A9545A340                         Apr 11 09:31:20 2014 GMT

To delete a list:

    > debug sslmgr delete crl

Note: Deleting a list will not cause it to refresh automatically. A CRL is only accessed when a certificate using the CRL is seen.
owner: kfindlen
npare 07-19-2012 11:25 AM
5,464 Views
0 Replies
Overview
The Certificate Revocation List (CRL) and Online Certificate Status Protocol (OCSP) each maintain a list of certificates which have been revoked by the Certificate Authority. If the private key associated with a certificate is lost or exposed, then any authentication using that certificate should be denied. Similarly, people change jobs, names, and companies; when their certificates are replaced, the old certificates have to be marked as invalid. The purpose of the CRL and OCSP is to maintain the lists of certificates which are still within their validity period but have been revoked. Those lists are cached on both the Management Plane (MP) and Data Plane (DP) of the firewall.

Details
The following commands are useful to view/delete/check the CRL and OCSP caches.

To view the CRL/OCSP cache:

    > debug sslmgr view crl <value>
    > debug sslmgr view ocsp all | <OCSP URL>

To delete the CRL/OCSP cache:

On MP:
    > debug sslmgr delete crl all | <CRL to delete>
    > debug sslmgr delete ocsp all | <OCSP cache of URL>

On DP:
    > debug dataplane reset ssl-decrypt certificate-status

To check CRL and OCSP statistics:

    > debug sslmgr statistics

owner: kadak
kadak 07-11-2012 11:33 AM
9,124 Views
2 Replies
2 Likes
Details
In PAN-OS 5.0, SSL decryption works on desktop computers, but when using the internet with an iPad or iPod device, decryption does not work. Traffic utilizing TLSv1.2, when implementing forward-proxy, will continue to pass through, but will not be decrypted.

In PAN-OS 6.0 and above, SSL decryption works on Safari, but when using Google Chrome with an iPad or iPod, decryption does not work and Chrome warns that the certificate is not trusted. This is a limitation within the iOS framework with third party apps.
owner: bryan
npare 06-12-2012 09:45 AM
4,634 Views
2 Replies
Overview
Enter the following CLI commands to:

View SSL-decrypt cached certificates:
    > show system setting ssl-decrypt certificate-cache

Clear the cache of all SSL-decrypt certificates from the Dataplane:
    > debug dataplane reset ssl-decrypt certificate-cache

owner: jdavis
panagent 01-03-2012 12:19 PM
5,210 Views
0 Replies
Issue
While updating the content filter, an error is displayed even though the update shows that it has downloaded.

    > request content upgrade check

However, running show jobs id <id number> returns the following error:

Resolution
A license fetch will trigger a content update, and a forced license update can be achieved with the following commands:

    > request license fetch

Download and install the content:

    > request content upgrade check
    > request content upgrade download latest
    > request content upgrade install version latest

owner: panagent
nrice 07-16-2010 04:20 PM
4,890 Views
0 Replies
1 Like
Overview
This document describes the steps to delete certificates on the Palo Alto Networks firewall via the WebGUI and CLI.

Note: Please make sure the certificate to be deleted is not currently in use, as the firewall will not allow you to delete a certificate that is currently being used inside of the config.

Steps
On the WebGUI:
1. Go to Device > Certificate Management > Certificates
2. Select the certificate to be deleted
3. Click Delete at the bottom of the page, and then click Yes in the confirmation dialog
4. Commit the configuration

On the CLI:
Run the following CLI commands to delete the web server certificate:

    > configure
    # delete deviceconfig system web-server-certificate
    # commit
    # exit

To delete the shared ssl-decrypt certificates:

    > configure
    # delete shared ssl-decrypt <value>
      forward-trust-certificate     CA certificate for trusted sites
      forward-untrust-certificate   CA certificate for untrusted sites
      root-ca-exclude-list          List of predefined root CAs to not trust
      ssl-exclude-cert              ssl-exclude-cert
      trusted-root-CA               trusted-root-CA

owner: schaganti
nrice 07-15-2010 03:54 PM
10,987 Views
0 Replies