Management Articles

Featured Article
Overview
The following procedure explains how to configure RADIUS on Windows Server 2008.

Details
To configure RADIUS (Network Policy Server in Windows Server 2008), first add a RADIUS client. In the Network Policy Server console (Start > Administrative Tools > Network Policy Server), right-click RADIUS Clients and select New RADIUS Client. Complete the form using the IP address of the Management Interface of the Palo Alto Networks device and the RADIUS shared secret (password) configured on the Palo Alto Networks device, then click OK.

Use the default Connection Request Policy; there is no need to create a new one.

Configure a Network Policy: right-click Network Policies within the Network Policy Server and click New. User groups other than the Domain Users group can be used. Select Unencrypted Authentication (PAP, SPAP). Click Next; the defaults are fine. Click Next again; the defaults are fine.

owner: panagent
nrice ‎09-14-2018 01:08 PM
While configuring firewalls to forward logs to the Logging Service following the steps in the document below, you might run into an issue where the 'Region' drop-down is empty and does not display the region on Panorama or the firewall. Selecting the region is a mandatory step [Step 4] of the configuration that enables log forwarding to the Logging Service:
https://www.paloaltonetworks.com/documentation/10/cloud-services/logging-service-gsg/get-started-with-logging-service/configure-the-firewalls-to-forward-logs-to-the-logging-service#id177S00F0R2G

Logs:
The firewall shows an error when you attempt to view customerinfo, and lcaas_agent.log for the Logging Service shows a '502 Bad Gateway' error.

To fix this:
Enable the 'Region' from the Panorama CLI with the following commands:

1. Log in to the Panorama CLI.
2. Enter configure mode:
   > configure
3. Set the region in the template the device belongs to:
   # set template <template_name> config deviceconfig setting logging logging-service-forwarding enable yes logging-service-regions <region>
4. Commit:
   # commit

<template_name> is the template the device is part of. <region> can be americas, europe, etc.

Then push the changes to the firewall and verify on the Device > Setup > Management page that the Region populates correctly.
ptarra ‎09-12-2018 08:49 AM
Overview
When configuring a Palo Alto Networks Next Generation Firewall, a certificate signed by a trusted public Certificate Authority (CA) may be desired on:
- Captive Portal ("CP") pages
- Response Pages
- GlobalProtect ("GP") Portal

Many public CAs use chained certificates, that is, certificates not signed by the Root CA itself but by one or more Intermediate CAs. These are usually owned and operated by the same CA, but they give that CA flexibility and ease of revocation if a problem arises.

Steps

1. Requesting the certificate
Depending on which PAN-OS version is installed on the firewall, a private key and CSR may need to be generated with a third-party program such as OpenSSL. If using PAN-OS 5.0, refer to How to Generate a CSR (Certificate Signing Request) and Import the Signed Certificate.

2. Creating the combination certificate
When a certificate is not signed by the Root CA, the intermediate CAs should be sent to clients in case those clients do not already have the intermediate CAs in their trusted key store. To do that, build a combination certificate that consists of the signed certificate (CP, GP, and so on) followed by the intermediate CAs. The image below shows two intermediates, but the same process is valid for one or several.

To get each of these certificates:
- Open the "Server Cert" file sent by the CA. In Windows, the certificate dialog box has three tabs: General, Details, and Certification Path.
- Click Certification Path and select the certificate one step above the bottom.
- Open that certificate, click the Details tab, then Copy To File. Save the file as a Base-64 encoded X.509 (.CER) formatted certificate.
- Do the same for all certificates in the chain except the top (Root).
- Open each certificate .CER file in a plain-text editor (such as Notepad).
- Paste each certificate end-to-end, with the Server Cert on top and each signer below it.
- Save the file as a .TXT or .CER file.
Note: The name of the file cannot contain spaces, as this may cause the import to fail.

3. Importing the certificate
Take the combined certificate and import it on the firewall. In PAN-OS 5.0 and above, the private key is already on the firewall. Follow these steps to import the certificate: How to Generate a CSR and Import the Signed CA Certificate.

Workaround
If you cannot generate a new CSR but still need to export a certificate, try these steps:
- Export the current certificate from the firewall in PEM format with the private key included.
- Open the export in a text editor.
- Separate the certificate (the public part) from the private key into two separate text files (being careful not to add any spaces).
- Save the private key text file and keep it aside.
- Edit the file containing the certificate so that the certificate is at the top and add the intermediate CA below it, as in the URL shared above, and save the file.
- Delete the certificate already on the firewall.
- Import the private key together with the edited certificate.

owner: gwesson
gwesson ‎08-30-2018 07:00 AM
This article can assist you in importing the policies of an existing Palo Alto Networks firewall into Panorama.

Assumptions
- You have a configuration on your Palo Alto Networks firewall.
- An instance of Panorama is up and running with the same version of PAN-OS (or higher).
- You have Web and CLI administrator access to both the firewall and Panorama.
- The firewall has been configured to connect to Panorama in Device > Setup > Management > Panorama Settings.
- The firewall's serial number has been added to Panorama and a Panorama commit has been completed.
- Panorama shows that the firewall is connected in Panorama > Managed Devices.

Steps
1. On Panorama, navigate to Panorama > Setup > Operations.
2. Click "Import device configuration to Panorama."
3. Select the appropriate device and name the Template and Device Group accordingly. For each virtual system (vsys) on the firewall, Panorama automatically creates a device group to contain the policy and object configurations.
4. Once you click "OK", the configuration of the firewall is imported into Panorama.
5. Commit locally to Panorama to save the new Device Group and Template created by the import.
6. Push the imported configuration back to the firewall: on Panorama, navigate to Panorama > Setup > Operations, click "Export or push device config bundle", and choose either "Push & Commit" or "Export."

Push & Commit: This option overwrites any local configuration on the firewall with the firewall configuration stored on Panorama. It succeeds where a normal commit would generate errors for objects and rules that exist on both Panorama and the firewall. When you choose "Push & Commit", you will see a job triggered on Panorama and the Job Status details as shown below.

Export: This option exports the configuration to the firewall but does not load it. Load the configuration manually from the firewall CLI by running the command "load device-state", then commit the configuration. When you choose the "Export" option, you will see a job triggered on Panorama and its details as shown below.

Note: The above two options ("Push & Commit" and "Export") are available only for firewalls running PAN-OS 6.0.4 and later releases.

After this is performed, you should Push to Devices and select the options "Merge with Device Candidate Config", "Include Device and Network Templates", and "Force Template Values".

Caveats and important notes:
- If you had previously broken a firewall off from Panorama management under Device > Setup > Panorama Settings > Disable Panorama Policy and Objects / Disable Device and Network Template, and are now re-importing it into the same or another Panorama, you WILL have to ensure those options are enabled again before the Push & Commit or Export. The Push & Commit deletes all local information, but leaving Panorama's configuration disabled prevents Panorama from giving the firewall any configuration, including the management IP and default gateway (so only console access would be possible at that point).
- If multiple devices are being imported and then moved to one device group, they MUST each be imported into their own new Device Group/Template following the steps above. Only once they show properly in their own Device Groups/Templates and have received all configuration pushed from Panorama can you place them into a single Device Group/Template, after which you must Commit locally to Panorama and then Push to Devices while selecting "Merge with Device Candidate Config", "Include Device and Network Templates", and "Force Template Values".
- If importing a new device into Panorama via the Import Device Configuration to Panorama option, after adding its serial number to Panorama's Managed Devices you must ensure it is NOT part of a Device Group/Template before performing the import, or it will not show as an available device from which to import the configuration.
- When performing the import, ONLY the running config on the firewall is imported. Any changes that exist only in the candidate config (not yet committed on the firewall) will NOT be imported.
achalla ‎08-07-2018 05:36 AM
This article is to assist anyone who would like to restrict SNMP v3 access to the Palo Alto Networks OIDs only.

Please see the link below and refer to "panSys" for information on the Palo Alto Networks OIDs:
http://www.oidview.com/mibs/25461/PAN-COMMON-MIB.html

Below are the steps and how the mask value for the OID is calculated.

In the WebUI, go to Device > Setup > Operations > Misc > SNMP Setup and, under Views, click Add.

In the Views window, you can add one or more Views to define which portion of the MIB tree is accessible. Click Add at the bottom to define a new view name, the OID that should be accessible, and the mask. Each entry defines a portion of the MIB to include or exclude for the user. Click OK when done.

How the mask was calculated
The mask is a bitwise mask defining which nodes of the OID must match. For example, if the OID is 1.3.6.1 and the mask is 0xf0, then the first 4 nodes (f = 1111) must match and the remaining nodes do not need to match. So 1.3.6.1.2 would match and 1.4.6.1.2 would not. If you would like to expose all OIDs (the full MIB tree, .1), configure the OID as .1 and the mask as 0x80 (which is 1000 0000, meaning only the first node, .1, must match).

In our case we are calculating the mask value for the OID 1.3.6.1.4.1.25461.2.1.2.1, which has 11 nodes. The mask should therefore be 0xFFE.

How we arrive at this value:
  1.3.6.1.4.1.25461.2.1.2.1   (OID, 11 nodes)
  1 1 1 1 1 1 1 1 1 1 1       (binary, one bit per node that must match)
  1111 1111 1110 = 0xFFE      (padded to 12 bits and written in hex)
‎07-30-2018 12:09 PM
Overview
When using the User-ID Agent to identify users on the network, there is a way to ignore certain users. Generally this is used for service accounts, but any desired username can be entered.

Steps
1. Stop the User-ID service.
2. Modify or create the file ignore_user_list.txt in the directory where the User-ID Agent is installed. This file contains all the users to be ignored, one username per line.
   Note: It is sometimes required to have two entries for each username, the plain username and the username with the NetBIOS domain name:
   user1
   mydomain\user1
3. Start the User-ID service.

Starting from PAN-OS 7.1, the ignore user list can also be configured for Agentless User-ID through the WebUI.

See also
How to Add/Delete Users from Ignore User List using Agentless User-ID

owner: sspringer
sspringer ‎07-20-2018 09:45 AM
Symptoms
When configuring an IPsec VPN between an AWS Virtual Private Gateway and a Palo Alto Networks device, you might get an error. If you are using the longer format resource IDs generated by AWS (with Palo Alto Networks selected as the vendor), you might run into errors while editing the VPN and network settings.

This is normally caused by going into the AWS portal, navigating to "VPC > VPN Connections" and selecting "Download Configuration". If the VPN gateway is using the longer format resource IDs, PAN-OS will not accept some of the generated configuration lines. An error similar to the following is reported:

admin@PA-VM# edit network ike crypto-profiles ike-crypto-profiles ike-crypto-vpn-0901877fe35f95b23-0
ike-crypto-vpn-0901877fe35f95b23-0 should be less than or equal to 31 characters
Invalid syntax.

Diagnosis
The invalid syntax is reported because the network profile name field in PAN-OS currently accepts a maximum of 31 characters, while the IKE crypto profile name in the generated configuration contains 34 characters when the longer instance IDs are used (for example ike-crypto-vpn-0901877fe35f95b23-0).

Starting June 2018, AWS will switch to Longer Format Resource IDs for all AWS resources such as VPC IDs.

Solution
To resolve this, manually modify the generated configuration file before copying and pasting the configuration into a PAN-OS firewall. Replace all instances of the IKE crypto profile name as in the following example:
current value: ike-crypto-vpn-0901877fe35f95b23-0
new value:     vpn-0901877fe35f95b23-0
Removing the "ike-crypto-" prefix from the name brings the total number of characters to 23, which PAN-OS accepts.

As of 15-Jun-2018, AWS has updated the VPN configuration generator for PAN-OS so that it automatically creates a shorter unique name for ike-crypto-profiles, of the format vpn-0901877fe35f95b23-0.
melamin ‎07-03-2018 05:54 PM
Updated May 2018 (kiwi)

Issue
Active Directory servers configured for Agentless User-ID frequently disconnect from the firewall. The connection status for those servers, under the Server Monitoring section for User Mapping, keeps flapping between connected and not connected. The User-ID logs show the following error message for each configured AD server:
Error: pan_user_id_win_sess_query(pan_user_id_win.c:1241): session query for <server name> failed: [wmi/wmic.c:216:main()] ERROR: Retrieve result data.

The screenshot below shows the "not connected" status in Server Monitoring under Device > User Identification > User Mapping > Server Monitoring.

Cause
Agentless User-ID is configured to monitor user session information from the servers in the Server Monitoring list. Session query attempts from the firewall to those AD servers are failing due to permission issues: the domain account used to access the session information does not have privileges to read user session information from the servers. The Server Operators and Domain Admins groups include the session query read permissions.

As shown in the example below, go to Device > User Identification > User Mapping > Palo Alto Networks User-ID Agent Setup and click the setting to find the User Name used by Agentless User-ID to connect to the AD server (172.30.30.15). The next example shows, on the AD server (172.30.30.15), the permissions for the user cr7.

Resolution
Option 1: Grant Server Operators or Domain Admins privileges to the service account used under WMI Authentication. The example below shows how to add the Server Operators membership to the user cr7. After adding it, the example shows that Agentless User-ID is now connected to the AD server.
Option 2: If it is not being used, disable the server session read option.

owner: knarra
knarra1 ‎04-27-2018 08:52 AM
Updated 23 April 2018

The latest Palo Alto Networks Visio stencils are attached to this article below.
The attachment is a .ZIP file that contains: Palo Alto Networks.vss

Please let us know if there are any issues with this attachment.
nrice ‎04-23-2018 01:34 AM
How To Back Up Config Files Periodically From Palo Alto Networks Firewalls

Introduction
The configuration file of any firewall is extremely important since it holds all the customizations made by the user. In the event of a hardware failure, if the config files have not been backed up to an external location, the configuration will have to be rebuilt from scratch. So it is good practice to back up and export the config files regularly, especially to external locations.

Panorama can do this automatically. But in case Panorama is not managing the firewalls, this document can help you export and back up the config file to an external location for safe keeping.

Overview
1. Access the firewall using the XML API:
   - Set up the firewall for API access by generating an API key.
   - Save the API key and add it to the HTTPS query in the next step.
2. Retrieve the running config file using an HTTPS GET:
   - To run an HTTPS GET from the command prompt, use cURL for Windows. On Linux hosts it is usually built in.
   - Save the retrieved config to a file.
3. Automate the config export process:
   - Add the commands from the above steps to a batch file (or a script for Linux hosts). Run the batch file on a server that is always on.
   - Create a job in Windows Task Scheduler (or a cron job on a Linux server) to call that batch file periodically.

Access the firewall using the XML API:
To access the firewall using the XML API, we need to generate the API key first. To generate it, open the following URL:
https://<firewall-ip>/api/?type=keygen&user=<username>&password=<password>

The response is an XML document with the API key printed in it. Save the API key somewhere safe; it is like a password.

Retrieve the running config file using an HTTPS GET:
Since the Windows command line does not support HTTPS requests natively, we use cURL for Windows to do an HTTPS GET that fetches the running configuration.

Note: cURL for Windows can be downloaded from https://curl.haxx.se/download.html or http://winampplugins.co.uk/curl/

Download and extract cURL to a folder. If the curl command should be accessible from anywhere, add the extracted cURL folder to PATH under Environment Variables. The site below explains in detail how to add a folder to PATH:
https://java.com/en/download/help/path.xml

Now for the HTTPS request to retrieve the running config from the firewall. The URL below should print the config file if opened from a browser:
https://192.168.1.1/api/?type=export&category=configuration&key=<api_key>

To capture the config XML to a file, retrieve the HTTPS URL using cURL. The command is as below (run it from the server):
> curl -kG "https://192.168.1.1/api/?type=export&category=configuration&key=<api_key>" > running-config.xml

The above command, when run from the command line, creates a file named running-config.xml in the folder from which the command was run.

Note: If cURL's extracted path has not been added to PATH, the command must be run from the folder where cURL was extracted.

Automate the config export process:
Now that we have the command to fetch the running config in XML format, we can create a batch file and call it from Windows Task Scheduler. Scheduling it on a server that is always on is a good idea.

Contents of the batch file:

cd\
cd curl\bin
curl -kG "https://192.168.1.1/api/?type=export&category=configuration&key=<api_key>" > c:\running-config.xml

To append the date to the config file name:

REM %date% follows the regional settings and may contain "/" or spaces,
REM which are not valid in a file name; adjust the expression if needed.
curl -kG "https://192.168.1.1/api/?type=export&category=configuration&key=<api_key>" > c:\running-config_%date%.xml

Note: This assumes that cURL has been extracted to the root of the C drive, and the config file is saved to the C drive itself. Replace <api_key> with the key obtained in the previous step. Follow the instructions at the URL below to run the batch file periodically (for example every night at 1 A.M.):
http://www.computerhope.com/issues/ch000785.htm#windows-
shganesh ‎04-20-2018 02:37 PM
Overview
SSL decryption gives the Palo Alto Networks firewall the ability to see inside secure HTTP traffic that would otherwise be hidden. SSL decryption can be used to monitor for any signs that a company's valuable intellectual property might be leaving its network. The Palo Alto Networks firewall performs SSL decryption by opening up SSL traffic through an inspection process.

The following list provides valuable resources on understanding and configuring SSL decryption. Every entry is a document; each is given as its title, followed by its description.

BASIC
- How to implement and test SSL decryption: Describes how to implement and test SSL decryption
- Limitations and recommendations while implementing SSL decryption: Limitations and recommendations while implementing SSL decryption
- How to view SSL decryption information from the CLI: How to view SSL decryption information from the CLI
- List of applications excluded from SSL decryption: List of applications that cannot be decrypted by the Palo Alto Networks device
- How to exclude a URL from SSL decryption: Details the CLI commands for adding URLs to the SSL exclude list
- SSL decryption certificates: How to manage SSL certificates for decrypting and inspecting SSL traffic
- How to temporarily disable SSL decryption: How to temporarily disable SSL decryption without modifying the decryption policy
- How to enable/reset the opt-out page for SSL decryption: How to enable the opt-out response page
- How to serve a URL response page over an HTTPS session without SSL decryption: How to configure a device to serve a URL response page over an HTTPS session without SSL decryption
- Difference between SSL forward-proxy and inbound inspection decryption mode: SSL forward-proxy and SSL inbound inspection modes
- How to create a report that includes only SSL decrypted traffic: Create a report that includes only SSL decrypted traffic
- How to view decrypted traffic: View decrypted traffic

INTERMEDIATE
- How to configure a decrypt mirror port on PAN-OS 6.0: Create a copy of decrypted traffic and send it to a mirror port

ADVANCED / TROUBLESHOOTING
- Troubleshooting SSL Decryption using Dynamic Address Groups: Automation example using the Palo Alto Networks firewall and Dynamic Address Groups (DAGs)
- How to identify root cause for SSL decryption failure issues: How to identify decryption failures due to an unsupported cipher suite
- SSL vulnerability non-detection behavior is seen when inbound SSL decryption policy is set: Detection of an SSL-relevant vulnerability by the security profile failed
- Troubleshooting slowness with traffic, management, or intermittent SSL decryption: Troubleshooting intermittent SSL decryption
- SSL decryption not working due to unsupported cipher suites: After configuration and import of the required certificates, inbound SSL decryption is not working
- Unable to post pictures on Facebook after enabling SSL decryption: After SSL decryption is enabled, users cannot connect to Facebook using HTTPS
- After configuring SSL decryption Mozilla Firefox presents certificate error: SSL decryption on Mozilla Firefox showing a certificate error
- SSL decryption policy is decrypting traffic for no-decrypt rules: SSL decryption policy is decrypting traffic for no-decrypt rules
- SSL decryption rules not matching FQDN: SSL decryption rules not matching FQDN
- Google services do not work in Chrome with SSL decryption: Google not working in Chrome with SSL decryption
- Commit error received after configuring SSL decryption for certificate generation: Configuring SSL decryption - commit fails after a certificate generation error
- Inbound SSL decryption fails when SSL compression is enabled: Inbound SSL decryption fails
- SSL decryption stops working on Firefox after changing SSL decryption certificate: After changing the SSL decryption certificate, SSL decryption does not work for the Firefox browser
- SSL decryption opt-out timeout: Display the opt-out page more frequently
- Wrong certificate used when SSL decryption is enabled: Untrusted certificate presented when performing SSL decryption

Note: If you have a suggestion for an article, video or discussion not included in this list, please post a recommendation in the comments below and it will be added to the master list.
‎03-26-2018 02:53 AM
Overview
Policies can be set to perform configured actions on session traffic at scheduled times and days.

Steps
1. On the WebGUI, go to Objects > Schedules and click Add. Choose daily, weekly or non-recurring. To select multiple days during the week, choose weekly, then the day of week, start time and end time, then click Add. Continue adding each day until the list is complete.
   On the CLI:
   > configure
   # set schedule schedule-block-youtube recurring daily 09:00-18:00
2. On the WebGUI, go to Policies > Security, open the Security Policy Rule and set the Schedule under Actions.
   On the CLI:
   > configure
   # set rulebase security rules block-youtube from L3-Trust to L3-Untrust source any destination any application youtube schedule schedule-block-youtube service any log-end yes action deny
3. Commit the change.

Note: Sessions begun before the scheduled start time are not affected by the policy unless session rematch is enabled (Device > Setup > Session) AND a manual commit is made. The commit MUST be run manually via "commit force" from the CLI, or by adding/modifying something in the policy in order to have the option to commit via the WebGUI.

See Also
How to Create a Schedule that Spans Two Days

owner: panagent
nrice ‎02-22-2018 08:41 AM
Overview
There are circumstances where routers need to advertise default routes to their peers. This document illustrates how to redistribute a default route to a peer with or without the default route being present in the routing table of the box.

Details
Enabling "Allow Redistribute Default Route", together with a redistribution profile that includes the default route, is mandatory for the default route to be advertised to peers. The procedure is the same for OSPF and BGP.

If the default route is not present in the routing table, you can add the default route (0.0.0.0/0) directly in the redistribution profile of the protocol (Network > BGP > Redistribution profile, or Network > OSPF > Export rule), enable the Allow Redistribute Default Route option, and distribute the route.

The significance of the Allow Redistribute Default Route option is to control whether the default route is propagated even when it is part of a redistribution profile that matches all routes, including the default.

Troubleshooting - CLI
To check whether the default route is propagated, use the following CLI commands.

OSPF:
> show routing protocol ospf dump lsbd 1
  1.1.1.1    0.0.0.0/0    type-5 (External)    0x80000001 0x0000CEFE    29
    Options: [External]
    Mask 0.0.0.0, type 2, tos 0 metric: 1, forward 0.0.0.0, tag 0.0.0.0

BGP:
> show routing protocol bgp rib-out | match 0.0.0.0/0
0.0.0.0/0    10.46.40.1    peer-110     0.0.0.0    advertised    no aggregation    65001
0.0.0.0/0    10.46.40.1    subint-2     0.0.0.0    advertised    no aggregation    65001
0.0.0.0/0    10.46.40.1    tunnelpeer   0.0.0.0    advertised    no aggregation    65001

Troubleshooting - WebGUI
For BGP, the same information can be checked on the WebGUI as well (but not for OSPF), under Virtual Router > BGP > RIB Out.

owner: mchandrase
kprakash ‎02-22-2018 03:17 AM
Palo Alto Networks automation starting with PAN-OS 8.0, and Dynamic Address Groups (DAG). This capability is important for building a self-defending Data Center without having to apply policies manually.
MarceloRey ‎02-06-2018 12:49 AM
Symptoms
When Policy Based Forwarding (PBF) is configured with the "Enforce Symmetric Return" option enabled but without a Next Hop Address, forwarding may occasionally fail.

See also: How to Configure Symmetric Return

Diagnosis
When the issue occurs, you can see that the return MAC entries have reached their maximum when you run the show pbf return-mac all command:

user@firewall> show pbf return-mac all
current pbf configuation version:   1
total return nexthop addresses :    0
index   pbf id  ver  hw address          ip address                      return mac          egress port
--------------------------------------------------------------------------------
maximum of ipv4 return mac entries supported :     1000
total ipv4 return mac entries in table :           1000
total ipv4 return mac entries shown :              1000
status: s - static, c - complete, e - expiring, i - incomplete
pbf rule        id   ip address      hw address        port         status   ttl
--------------------------------------------------------------------------------

Note: The maximum number of entries that this ARP table supports is limited by the firewall model and is not user configurable. To determine the limit for your model, use the CLI command show pbf return-mac all.

Solution
This issue only occurs if the 'Next Hop Address' is not set in a PBF rule that has symmetric return enabled. Therefore, configure a valid peer IP address in the Next Hop Address list to avoid running into the issue.

Add a Next Hop Address. Setting the Next Hop Address ensures that only the appropriate return MAC addresses are learned for Symmetric Return:

> show pbf return-mac all
maximum of ipv4 return mac entries supported : 16000
total ipv4 return mac entries in table : 12800
total ipv4 return mac entries shown : 12800
status: s - static, c - complete, e - expiring, i - incomplete
pbf rule    id  ip address  hw address         port         status  ttl
--------------------------------------------------------------------------------
symmectric  1   8.0.0.2     00:1b:17:05:f1:17  ethernet1/1  c       737
symmectric  1   8.0.0.3     00:1b:17:05:f1:17  ethernet1/1  c       742
symmectric  1   8.0.0.4     00:1b:17:05:f1:17  ethernet1/1  c       741
symmectric  1   8.0.0.5     00:1b:17:05:f1:17  ethernet1/1  c       743
symmectric  1   8.0.0.6     00:1b:17:05:f1:17  ethernet1/1  c       746
symmectric  1   8.0.0.7     00:1b:17:05:f1:17  ethernet1/1  c       743
symmectric  1   8.0.0.8     00:1b:17:05:f1:17  ethernet1/1  c       742
symmectric  1   8.0.0.9     00:1b:17:05:f1:17  ethernet1/1  c       741
symmectric  1   8.0.0.10    00:1b:17:05:f1:17  ethernet1/1  c       745
symmectric  1   8.0.0.11    00:1b:17:05:f1:17  ethernet1/1  c       746

Author: tsakurai
tsakurai ‎02-02-2018 12:19 AM
After matching a custom application, the Palo Alto Networks firewall cannot create the PREDICT session by ALG, which might result in 'file transfer failed on ftp data connection.' We have a solution.
tsakurai ‎02-01-2018 08:23 AM
Symptoms
Currently, if you want to assign 4 CPU cores to a Palo Alto Networks VM-Series firewall inside VMware ESXi version 6.5.0 build 4887370, you are limited to 2 CPU cores per socket. The only way it will allow you to use 4 CPU cores is with 2 sockets of 2 cores each. See the image below.
VM edit screen of VMware ESXi version 6.5.0 build 4887370 showing the number of CPU cores and sockets.

Diagnosis
It has been discovered that this issue is specific to VMware ESXi version 6.5.0 build 4887370.
NOTE: This is NOT a Palo Alto Networks VM issue; it is an issue with VMware. You can apply as many CPU cores as you like with VMware ESXi version 6.5.0 update01 build 5969303.

Solution
You have 2 options:
1. Upgrade the ESXi software to VMware ESXi version 6.5.0 update01 build 5969303.
2. As a workaround, the OVA file (example: PA-VM-ESX-8.0.5.ova) can be modified to allow a higher number of cores per socket. See the following example of what was changed in the OVA file.

Old entry:
<vmw:CoresPerSocket ovf:required="false">2</vmw:CoresPerSocket>

New entry:
<vmw:CoresPerSocket ovf:required="false">16</vmw:CoresPerSocket>

Edit screen showing 4 CPU cores and 1 socket.

NOTE: If more than two sockets are used, you might experience performance issues because packets may have to travel across the sockets.
hshah 01-11-2018 06:55 PM
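The OVA workaround in the article above is a hand edit of one XML element. As an added example (this is editor-written code, not from the article, Palo Alto Networks or VMware), the following Python script performs that same descriptor edit programmatically using only the standard library, so the change can be applied repeatably and checked before the package is re-imported. The OVF fragment embedded in it is constructed to mirror the quoted entry; a real PA-VM descriptor contains many more items, and the function names (get_cores_per_socket, set_cores_per_socket, get_vcpu_count) are the example's own.

```python
"""Raise vmw:CoresPerSocket in an OVF descriptor, the edit the article describes.

Editor-added example, not code from the article or from Palo Alto Networks / VMware.
SAMPLE_OVF is a constructed, minimal descriptor modelled on the quoted entry.
"""
import xml.etree.ElementTree as ET

# Namespace URIs used by OVF descriptors: DMTF OVF envelope, VMware extensions,
# and the CIM resource-allocation schema for <Item> children.
OVF_NS = "http://schemas.dmtf.org/ovf/envelope/1"
VMW_NS = "http://www.vmware.com/schema/ovf"
RASD_NS = ("http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/"
           "CIM_ResourceAllocationSettingData")

# Constructed sample: one CPU item (ResourceType 3) with 4 vCPUs, 2 cores per socket.
SAMPLE_OVF = f"""<Envelope xmlns="{OVF_NS}" xmlns:ovf="{OVF_NS}"
          xmlns:vmw="{VMW_NS}" xmlns:rasd="{RASD_NS}">
  <VirtualSystem ovf:id="PA-VM">
    <VirtualHardwareSection>
      <Item>
        <rasd:ElementName>4 virtual CPU(s)</rasd:ElementName>
        <rasd:ResourceType>3</rasd:ResourceType>
        <rasd:VirtualQuantity>4</rasd:VirtualQuantity>
        <vmw:CoresPerSocket ovf:required="false">2</vmw:CoresPerSocket>
      </Item>
    </VirtualHardwareSection>
  </VirtualSystem>
</Envelope>
"""


def _cores_element(root):
    """Locate the (single) vmw:CoresPerSocket element or fail loudly."""
    el = root.find(f".//{{{VMW_NS}}}CoresPerSocket")
    if el is None:
        raise ValueError("descriptor has no vmw:CoresPerSocket element")
    return el


def get_cores_per_socket(ovf_xml: str) -> int:
    """Read the current cores-per-socket value from a descriptor string."""
    return int(_cores_element(ET.fromstring(ovf_xml)).text)


def get_vcpu_count(ovf_xml: str) -> int:
    """Read rasd:VirtualQuantity of the CPU item (ResourceType 3)."""
    root = ET.fromstring(ovf_xml)
    for item in root.iter(f"{{{OVF_NS}}}Item"):
        if item.findtext(f"{{{RASD_NS}}}ResourceType") == "3":
            return int(item.findtext(f"{{{RASD_NS}}}VirtualQuantity"))
    raise ValueError("no CPU item in descriptor")


def set_cores_per_socket(ovf_xml: str, cores: int) -> str:
    """Return a new descriptor string with vmw:CoresPerSocket set to `cores`."""
    if cores < 1:
        raise ValueError("cores per socket must be a positive integer")
    # Register prefixes so the output keeps ovf:/vmw:/rasd: instead of ns0:/ns1:.
    for prefix, uri in (("ovf", OVF_NS), ("vmw", VMW_NS), ("rasd", RASD_NS)):
        ET.register_namespace(prefix, uri)
    root = ET.fromstring(ovf_xml)
    _cores_element(root).text = str(cores)
    # ElementTree serialises the default-namespace elements with the ovf: prefix;
    # that is the same namespace URI, so the result is equivalent XML.
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print("before:", get_cores_per_socket(SAMPLE_OVF), "cores/socket,",
          get_vcpu_count(SAMPLE_OVF), "vCPUs")
    patched = set_cores_per_socket(SAMPLE_OVF, 16)
    print("after: ", get_cores_per_socket(patched), "cores/socket")
    print(patched)
```

An OVA is a tar archive; in practice you extract the .ovf descriptor, run the edit above, and repack. If the package carries a .mf manifest with digests of the descriptor, those digests no longer match after the edit and must be recomputed (or the manifest dropped), since the vSphere import tooling validates them.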
This article discusses the change in behaviour from PAN-OS 7.0 and higher, where the 'deny' action in the security policy results in the application-specific 'deny' action.

From the PAN-OS 7.0 branch onwards, the 'deny' policy action is applied as the default deny action for the application. For example, the default deny action for the application 'SSL' is 'drop-reset', and it is listed in the traffic logs as 'reset-both'.

To check the default 'deny' action of an application, refer to Applipedia or to Objects > Application in the firewall GUI.

Below is an example showing the action 'Deny' for the application 'SSL'. Note that the 'Deny Action' for application SSL is 'drop-reset'.

The action listed for a security policy with action 'deny' in the previous PAN-OS version, 6.1, can be seen as 'deny' itself.

NOTE: The above change in behaviour for action 'deny' may result in logs and reports capturing results with the action 'reset-both'; this is expected behaviour.

For more details on the change in security policy actions and options, please refer to:
Granular Actions for Blocking Traffic in Security Policy
Configurable Deny Action

Applicable actions with all available options:
1. Action 'Deny'
2. Action 'Allow'
3. Action 'Drop'
4. Action 'Reset-client'
5. Action 'Reset-server'
6. Action 'Reset both client and server'
syadav 01-08-2018 06:53 AM
Symptoms
During certificate/CSR creation, one can change the number of bits used in the RSA and SHA algorithms to something higher than the default. One should also be able to change the algorithms to Elliptic Curve DSA and MD5 for hashing. The available values for RSA and SHA (as of 8.0) are:

RSA: 512, 1024, 2048 (default), 3072, 4096
SHA: SHA1, SHA256 (default), SHA384, SHA512

However, in some cases an admin might not see any options in the drop-down for either algorithm.

Diagnosis
The PHP debugs will show the following errors:

[2017/12/29 17:43:04] user=1282626187103044 Call to [PanDirect.run] /Certificate.completeCertificateNbits from router.php
[2017/12/29 17:43:04] user=1282626187103044 ========= RemoteCall: Certificate.completeCertificateNbits =========
[2017/12/29 17:43:05] user=1282626187103044 <request cmd="op" complete="operations/request/certificate/generate/algorithm/RSA/rsa-nbits" cookie="1282626187103044"/>
[2017/12/29 17:43:05] user=1282626187103044 <response status="error"><msg><line>You need superuser privileges to do that</line></msg></response>
[2017/12/29 17:43:05] user=1282626187103044 Call to [PanDirect.run] /Certificate.completeCertificateNbits from router.php took 0.179s
[2017/12/29 17:43:06] user=1282626187103044 Call to [PanDirect.run] /Certificate.completeCertificateDigest from router.php
[2017/12/29 17:43:06] user=1282626187103044 ========= RemoteCall: Certificate.completeCertificateDigest =========
[2017/12/29 17:43:06] user=1282626187103044 <request cmd="op" complete="operations/request/certificate/generate/digest" cookie="1282626187103044"> <algorithm>rsa</algorithm> </request>
[2017/12/29 17:43:06] user=1282626187103044 <response status="error"><msg><line>You need superuser privileges to do that</line></msg></response>
[2017/12/29 17:43:06] user=1282626187103044 Call to [PanDirect.run] /Certificate.completeCertificateDigest from router.php took 0.167s

Solution
Log in with any 'superuser' account and you should be able to change the bits and algorithms to any of the available options.
ansharma 01-03-2018 08:25 AM
This article discusses how PAN-OS can leverage the SNI (Server Name Indication) field to create a custom application.

What is SNI (Server Name Indication)?
SNI is an extension to the SSL/TLS protocol that indicates which hostname the client is attempting to connect to. SNI carries the requested hostname (website address) inside the TLS handshake (the browser sends it as part of the 'Client Hello'), enabling the server to determine the most appropriate SSL certificate to present to the browser.

When to use SNI to create custom applications
In cases where the SNI field is consistent, it can be reliably used to identify the application. A custom application can be defined and used to control the SSL traffic without the need for SSL decryption.

Example of creating a custom application
The following example shows how to create a custom application for YouTube where the SNI field is seen as www.youtube.com (as an example only).

Analyze the traffic for consistency of the SNI field in the Client Hello, then navigate to Objects > Application > Add.
1. Define the general properties of the application.
2. Define the port and protocol as TCP and 443 respectively, since SSL uses protocol TCP and port 443 for communication. Define the other Timeout settings as required.
3. The last and most important part of the application definition is to select the context 'ssl-req-client-hello' and define the required pattern as seen in the Client Hello SNI field.

Note: We recommend analyzing the traffic thoroughly before creating an application signature to ensure the reliability of the custom application. The same web service may use different SNIs on different occasions, so the signature must take all such variants into consideration. The SNI field carries the hostname the client is attempting to connect to, so any change in the client's request may cause the traffic to stop matching the custom application.
syadav 11-29-2017 12:28 AM
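The custom-application article above relies on the firewall reading the SNI host_name out of the Client Hello. To make concrete what the 'ssl-req-client-hello' context actually inspects, here is an added example (editor-written Python, not code from the article or from Palo Alto Networks, and not a reproduction of the firewall's matching engine): it builds a constructed TLS 1.2 ClientHello carrying an SNI extension, walks the handshake structure with bounds checks to extract the hostname, and applies the same exact-hostname comparison that a pattern on the SNI field implies. The function names build_client_hello, extract_sni and sni_matches are the example's own.

```python
"""Extract and match the SNI host_name from a TLS ClientHello record.

Editor-added example, not code from the article or from Palo Alto Networks.
build_client_hello() constructs the sample handshake; no real traffic is used.
"""
import struct

SNI_EXTENSION_TYPE = 0x0000   # RFC 6066 server_name extension
SNI_NAME_TYPE_HOST = 0x00     # NameType host_name


def build_client_hello(hostname: str) -> bytes:
    """Constructed minimal TLS 1.2 ClientHello whose only extension is SNI."""
    host = hostname.encode("ascii")
    server_name = bytes([SNI_NAME_TYPE_HOST]) + struct.pack("!H", len(host)) + host
    server_name_list = struct.pack("!H", len(server_name)) + server_name
    sni_ext = struct.pack("!HH", SNI_EXTENSION_TYPE, len(server_name_list)) + server_name_list
    extensions = struct.pack("!H", len(sni_ext)) + sni_ext
    body = (
        b"\x03\x03"                  # client_version: TLS 1.2
        + b"\x11" * 32               # random (fixed filler, constructed sample)
        + b"\x00"                    # session_id length 0
        + b"\x00\x02" + b"\xc0\x2f"  # one cipher suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
        + b"\x01\x00"                # one compression method: null
        + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # TLS record


def extract_sni(record: bytes):
    """Return the SNI host_name, or None if the record is not a well-formed
    ClientHello carrying one. Every length field is bounds-checked so truncated
    or hostile input yields None instead of an exception."""
    try:
        if len(record) < 5 or record[0] != 0x16:
            return None                                  # not a handshake record
        rec_len = struct.unpack("!H", record[3:5])[0]
        hs = record[5:5 + rec_len]
        if len(hs) < 4 or hs[0] != 0x01:
            return None                                  # not a ClientHello
        hs_len = int.from_bytes(hs[1:4], "big")
        body = hs[4:4 + hs_len]
        if len(body) < hs_len:
            return None                                  # truncated handshake
        pos = 2 + 32                                     # skip client_version, random
        pos += 1 + body[pos]                             # session_id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
        pos += 1 + body[pos]                             # compression_methods
        if pos + 2 > len(body):
            return None                                  # no extensions block
        ext_end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        if ext_end > len(body):
            return None
        while pos + 4 <= ext_end:
            ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
            ext_body = body[pos + 4:pos + 4 + ext_len]
            pos += 4 + ext_len
            if ext_type != SNI_EXTENSION_TYPE or len(ext_body) < ext_len:
                continue
            list_end = 2 + struct.unpack("!H", ext_body[:2])[0]
            lpos = 2
            while lpos + 3 <= min(list_end, len(ext_body)):
                name_type = ext_body[lpos]
                name_len = struct.unpack("!H", ext_body[lpos + 1:lpos + 3])[0]
                name = ext_body[lpos + 3:lpos + 3 + name_len]
                lpos += 3 + name_len
                if name_type == SNI_NAME_TYPE_HOST and len(name) == name_len:
                    return name.decode("ascii")
        return None
    except (IndexError, struct.error, UnicodeDecodeError):
        return None


def sni_matches(record: bytes, expected_hosts) -> bool:
    """True if the ClientHello's SNI exactly equals one of the expected hostnames
    (case-folded, since DNS names are case-insensitive). A custom-application
    pattern on the SNI field behaves the same way: a hostname variant the
    pattern does not cover simply fails to match."""
    sni = extract_sni(record)
    if sni is None:
        return False
    return sni.lower() in {h.lower() for h in expected_hosts}


if __name__ == "__main__":
    hello = build_client_hello("www.youtube.com")
    print("SNI:", extract_sni(hello))
    print("matches custom app:", sni_matches(hello, {"www.youtube.com"}))
```

The point of the bounds checking is the same one the article's note makes from the other side: a client that sends no SNI, a different SNI, or a malformed Client Hello produces no match, so the application signature only ever covers the hostnames you enumerated when you analyzed the traffic.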
Symptoms
There are two settings for source port allocation in the Palo Alto Networks TS agent:
System Source Port Allocation Range: Displays the port range for system processes that are not associated with individual users. The format is low-high (default 1025-5000).
Source Port Allocation Range: This range of ports is allocated to user sessions. This setting controls the source port allocation for processes belonging to remote users (default 20000-39999).
If a port allocation request comes from system services that cannot be identified as a particular user's process, the TS agent lets the system allocate the source port from the system port range, excluding system reserved source ports.

Issue
If the user establishes a console connection to the server where the TS agent is installed, or does an administrative login via an RDP connection (with the "/admin" switch), that user will always be unknown.

What is happening/explanation
The /admin switch bypasses the Terminal Server software and uses the built-in RDP functionality that comes with every server install. The switch causes the RDP session to bypass the Terminal Services that are used to run administrative tasks on the TS, and so it uses the "System Source Port Allocation Range". The Terminal Server maps the IP address to the user via the source port from the "Source Port Allocation Range"; hence the domain user who logs in administratively will always remain unknown.

owner: ppatel
ppatel 11-21-2017 12:20 PM
Issue
When using a group in the "allow list" for the authentication profile that GlobalProtect uses, the login attempt fails with the following error: "Reason: User is not in allowlist"

However, the login works fine if the allow list is set to "all" in the authentication profile.

Resolution
1. Confirm that the group you are using is in the include list in a Group Mapping configuration under Device > User Identification > Group Mapping Settings.
Group Mapping
2. Confirm that the group in question contains the user attempting to log in. Run the CLI command: show user group name <value>
For example:
> show user group name pantac\vpn-user
short name:  pantac\vpn-user
source type: ldap
source:      Pantac2003
[1     ] pantac\user1
[2     ] pantac\admin1
[3     ] pantac\administrator
[4     ] pantac\user2
[5     ] pantac\user4
3. Confirm that the LDAP server profile used for your Group Mapping and your GlobalProtect authentication profile contains the NetBIOS domain name (short name) in the domain field. Do not use the DNS name for the domain (domainname.com). In most cases this is the same profile. This can also be left blank in many cases. The LDAP server profile is under Device > Server Profiles > LDAP. In PAN-OS 7.0 and later, the domain section was moved to Device > User Identification > Group Mapping Settings.
User Domain
In PAN-OS 8.0 the User Domain can also be controlled in the Authentication Profile.
User Domain in the Authentication Profile
4. Confirm that the group name in the allow list in the GlobalProtect authentication profile is listed with the long name of the group. This value can be pasted from the output of the "show user group list" CLI command.
Authentication Profile Allow List

owner: jteestel
jteetsel 11-20-2017 05:04 AM
The YouTube safety mode setting helps screen out potentially objectionable content on YouTube.

The Safe Search Enforcement option can be enabled in a URL Filtering profile. It is used to prevent users who are searching the internet using one of the top three search providers (Google, Bing, or Yahoo) from viewing search results unless the strict safe search option for that search provider is set in the browser or user account. This option on the URL Filtering profile is valid for YouTube in the same way it is valid for the Google, Yahoo and Bing search providers.

Select the Safe Search Enforcement check box in the URL Filtering profile (under Objects > Security Profiles > URL Filtering), as shown below.

Safe Search will be enforced whenever a user request matches a security policy rule with the corresponding URL Filtering security profile attached.

Testing Safe Search Enforcement on YouTube
1. Open YouTube in a browser.
2. Search for adult movies. This search will be SUCCESSFUL. The website will display a list of adult videos with thumbnails, but trying to open the videos will fail. If we try to open an adult video, the firewall will present a block page requesting a change to the safe search settings, as shown below.
3. An end user can change the safety settings for YouTube at the bottom of the webpage, as shown below.
4. Now test YouTube by searching for adult content. The results of the search are mostly filtered for adult content. There might be some videos that still need to be filtered out. Report such videos to YouTube to make their filters more accurate.

owner: ialkesov
ialeksov 11-15-2017 03:36 PM
Details
There is an option that allows users to verify/test the URL categorization from the GUI under Objects > Security Profiles > URL Filtering Profile. This is handy to check while troubleshooting an issue or while configuring new URLs to determine which category needs to be allowed or blocked.

Depending on the URL filtering license that is activated, this link will open a web page to the BrightCloud or Palo Alto Networks website verification tool.

The URLs are as follows:
BrightCloud's URL Test Site: http://www.brightcloud.com/tools/url-ip-lookup.php
Palo Alto Networks URL Test Site: https://urlfiltering.paloaltonetworks.com/

URL categorization can also be verified from the CLI with the following command:
admin@myNGFW> test url yahoo.com
yahoo.com internet-portals (Base db) expires in 93000 seconds
yahoo.com internet-portals (Cloud db)
admin@myNGFW>

Several test categories are available for PAN-DB:
http://pandb.paloaltonetworks.com/test-malware
http://pandb.paloaltonetworks.com/test-phishing
...
http://pandb.paloaltonetworks.com/test-(replace with category)

For a category name that contains spaces, replace each space with a hyphen. For example, for the "Recreation and Hobbies" category, the link is http://pandb.paloaltonetworks.com/test-recreation-and-hobbies. The name must be all lower case; otherwise a 404 error is returned.
panagent 11-15-2017 12:35 PM
Yes, there is a limit on the number of Gateways that can be defined; refer to the following table:

Model                         Max # of External Gateways
PA-200, PA-220                6
PA-500                        6
PA-820                        6
PA-850                        12
PA-2020, PA-2050              11
PA-3020, PA-3050, PA-3060     11
PA-4020                       26
PA-4050                       131
PA-5020                       26
PA-5050, PA-5060              131
PA-5220, PA-5250, PA-5260     131
PA-7050, PA-7080              131
VM-50, VM-100, VM-200         6
VM-300, VM-1000-HV            11
VM-500                        26
VM-700                        26

owner: ashaik
ashaikh 11-15-2017 12:31 PM
Overview
This document describes how to configure WildFire to block files that are given the "malicious" verdict, as seen in the threat logs.

Requirements:
Valid WildFire subscription license
WildFire file submission and signature update enabled. Verify that they are functioning correctly.

Steps
1. From the WebGUI, go to Objects > Security Profiles > Antivirus.
2. Choose the appropriate profile (existing or new). Note: The "default" profile cannot be used for WildFire blocking.
3. For each appropriate protocol, modify the action to "reset-both" or "drop" as seen appropriate (for PAN-OS 6.1 and earlier, set the action to "block"). Then click OK.
Note: Because of protocol limitations, POP3/IMAP is not appropriate to set to the reset/drop/block action.
4. Go to Policies > Security. Select the appropriate security rule (edit an existing one or create a new one), then apply the Antivirus profile from Step 2 (go to the Actions tab and look for Profile Setting).
5. Commit.

Additional Notes
WildFire is not meant to be a complete replacement for Antivirus; rather, it is a complementary function for day-one attacks. WildFire may encounter more false positives due to its architecture and design. Use extra care when you start blocking with WildFire.

See Also
WildFire Overview
Fundamentals Guide: Security Policies

owner: spiromruen
spiromruen 11-15-2017 12:28 PM
To create a report that includes only SSL decrypted traffic, follow the steps below:

Steps
1. Go to Monitor > Manage Custom Reports and click Add.
2. Enter the name of the report in the Name field and select the Database "Detailed logs (Slower)" > Traffic.
3. Select the desired Time Frame.
4. Select Sort By and Group By as required.
5. In Selected Columns, add Source Address, Destination Address, Flags, and Session ID.
6. Create a specific query in order to filter the output:
   Under the Attribute column select Flags.
   Under the Operator column select has.
   Under the Value column select SSL proxy.
   Click Add.
7. Click OK and commit this configuration.
8. Open the custom report and select the option Run Now.
Note: If you would like to use this report as a scheduled report, make sure that the Scheduled checkbox is selected.

See also
SSL decryption resource list
The SSL decryption resource list has a long list of articles dealing with SSL decryption only.

owner: npoprzen
npoprzen 11-13-2017 04:18 PM
Issue
With Inbound SSL decryption, after the required configuration and import of all required certificates, inbound SSL decryption is not working for the web server.

Similarly, when using SSL Forward Proxy, sessions are either not getting decrypted and continue to show as application "ssl", or connections are not allowed through as application "ssl" and are instead being interrupted.

Check the following compatibility matrix to see which cipher suites are supported according to PAN-OS release and feature or function:
Supported Cipher Suites

Using the following CLI command, look for the type of drop message:
> show counter global filter delta yes | match ssl_sess_id_resume_drop

From PAN-OS 6.0 and above, the show counter global command will show if a cipher suite is unsupported. With a PCAP filter applied and using delta counters:
> show counter global filter packet-filter yes delta yes
or
> show counter global filter delta yes | match "ssl_server_cipher_not_supported"

...
...
ssl_server_cipher_not_supported 2 0 warn ssl pktproc The cipher chosen by server is not supported

Resolution
Disable the unsupported cipher suites on the web server.

See Also
Palo Alto Networks Supported SSL/TLS Version and Cipher Suites for Web UI

owner: panagent
panagent 11-10-2017 04:03 AM
We limit the number of entries to 64 for the GlobalProtect Client Settings configuration (Network > GlobalProtect > Gateways > Agent > Client Settings).

Notice how the "OK" button is disabled once you go over 65 entries:

This limitation applies to any PAN-OS version on all of our appliances, including hardware and VMs.
SuperMario 11-09-2017 02:17 AM
Overview
This document describes how to temporarily disable SSL decryption without modifying your decryption policy. This may be useful for troubleshooting purposes.

Details
To temporarily disable SSL decryption, use the following command:
> set system setting ssl-decrypt skip-ssl-decrypt yes

Note: This command takes effect immediately; it does not require a commit. Also, this state is not persistent and will not be maintained after a reboot.

To re-enable decryption, use the following command:
> set system setting ssl-decrypt skip-ssl-decrypt no

owner: nbilly
nbilly 11-08-2017 01:51 AM