Management Articles

Featured Article
How to test if our URL Filtering service is properly enforcing an organization’s policies for malicious and benign URLs. Things can get a bit tricky for gray area categories, such as adult, as you generally don’t want to visit an adult site at work. You obviously don’t want to actually visit a malicious URL either.  We have test URLs for all categories that are 100% benign, and have been categorized to their respective categories for testing purposes. 
neg273 02-08-2018 02:57 AM
Overview

The lists below show OIDs for Palo Alto Networks devices and useful OIDs from various MIBs for performing basic SNMP monitoring of a Palo Alto Networks device.

OIDs for Palo Alto Networks Devices

PA-200: 1.3.6.1.4.1.25461.2.3.12
PA-500: 1.3.6.1.4.1.25461.2.3.6
PA-2020: 1.3.6.1.4.1.25461.2.3.4
PA-2050: 1.3.6.1.4.1.25461.2.3.3
PA-3020: 1.3.6.1.4.1.25461.2.3.18
PA-3050: 1.3.6.1.4.1.25461.2.3.17
PA-3060: 1.3.6.1.4.1.25461.2.3.19
PA-4020: 1.3.6.1.4.1.25461.2.3.2
PA-4050: 1.3.6.1.4.1.25461.2.3.1
PA-4060: 1.3.6.1.4.1.25461.2.3.5
PA-5020: 1.3.6.1.4.1.25461.2.3.11
PA-5050: 1.3.6.1.4.1.25461.2.3.9
PA-5060: 1.3.6.1.4.1.25461.2.3.8
M-100: 1.3.6.1.4.1.25461.2.3.30
Panorama: 1.3.6.1.4.1.25461.2.3.7
PA-VM: 1.3.6.1.4.1.25461.2.3.29

Useful PAN-OS OID Examples

| Item | Name | OID | Source MIB | Description |
|---|---|---|---|---|
| CPU util on management plane | hrProcessorLoad.1 | 1.3.6.1.2.1.25.3.3.1.2.1 | HOST-RESOURCES-MIB | CPU load average over the last 60 seconds. This value matches the value shown in the GUI under Dashboard > Resource Information > % CPU in PAN-OS 3.x |
| Utilization of CPUs on dataplane that are used for system functions | hrProcessorLoad.2 | 1.3.6.1.2.1.25.3.3.1.2.2 | HOST-RESOURCES-MIB | CPU load average over the last 60 seconds |
| Management plane memory and dataplane packet buffer | hrStorageTable | 1.3.6.1.2.1.25.2.3 | HOST-RESOURCES-MIB | |
| Names of each interface on the device | ifDescr.1 | 1.3.6.1.2.1.2.2.1.2.1 | RFC1213-MIB | example: MGMT |
| | ifDescr.2 | 1.3.6.1.2.1.2.2.1.2.2 | RFC1213-MIB | example: HA |
| | ifDescr.3 | 1.3.6.1.2.1.2.2.1.2.3 | RFC1213-MIB | example: ethernet1/1 |
| | ifDescr.4 | 1.3.6.1.2.1.2.2.1.2.4 | RFC1213-MIB | example: ethernet1/2 |
| | ifDescr.5 | 1.3.6.1.2.1.2.2.1.2.5 | RFC1213-MIB | example: ethernet1/3 |
| | ifDescr.6 | 1.3.6.1.2.1.2.2.1.2.6 | RFC1213-MIB | example: ethernet1/4 |
| | ifDescr.7 | 1.3.6.1.2.1.2.2.1.2.7 | RFC1213-MIB | example: ethernet1/5 |
| | ifDescr.8 | 1.3.6.1.2.1.2.2.1.2.8 | RFC1213-MIB | example: ethernet1/6 |
| | ifDescr.9 | 1.3.6.1.2.1.2.2.1.2.9 | RFC1213-MIB | example: ethernet1/7 |
| | ifDescr.10 | 1.3.6.1.2.1.2.2.1.2.10 | RFC1213-MIB | example: ethernet1/8 |
| Interface up/down status | ifOperStatus.1 | 1.3.6.1.2.1.2.2.1.8.1 | RFC1213-MIB | 1: UP, 2: DOWN |
| | ifOperStatus.2 | 1.3.6.1.2.1.2.2.1.8.2 | RFC1213-MIB | 1: UP, 2: DOWN |
| | ifOperStatus.3 | 1.3.6.1.2.1.2.2.1.8.3 | RFC1213-MIB | 1: UP, 2: DOWN |
| | ifOperStatus.4 | 1.3.6.1.2.1.2.2.1.8.4 | RFC1213-MIB | 1: UP, 2: DOWN |
| | ifOperStatus.5 | 1.3.6.1.2.1.2.2.1.8.5 | RFC1213-MIB | 1: UP, 2: DOWN |
| | ifOperStatus.6 | 1.3.6.1.2.1.2.2.1.8.6 | RFC1213-MIB | 1: UP, 2: DOWN |
| | ifOperStatus.7 | 1.3.6.1.2.1.2.2.1.8.7 | RFC1213-MIB | 1: UP, 2: DOWN |
| | ifOperStatus.8 | 1.3.6.1.2.1.2.2.1.8.8 | RFC1213-MIB | 1: UP, 2: DOWN |
| | ifOperStatus.9 | 1.3.6.1.2.1.2.2.1.8.9 | RFC1213-MIB | 1: UP, 2: DOWN |
| | ifOperStatus.10 | 1.3.6.1.2.1.2.2.1.8.10 | RFC1213-MIB | 1: UP, 2: DOWN |
| Interface in counters | ifInOctets.1 | 1.3.6.1.2.1.2.2.1.10.1 | RFC1213-MIB | |
| | ifInOctets.2 | 1.3.6.1.2.1.2.2.1.10.2 | RFC1213-MIB | |
| | ifInOctets.3 | 1.3.6.1.2.1.2.2.1.10.3 | RFC1213-MIB | |
| | ifInOctets.4 | 1.3.6.1.2.1.2.2.1.10.4 | RFC1213-MIB | |
| | ifInOctets.5 | 1.3.6.1.2.1.2.2.1.10.5 | RFC1213-MIB | |
| | ifInOctets.6 | 1.3.6.1.2.1.2.2.1.10.6 | RFC1213-MIB | |
| | ifInOctets.7 | 1.3.6.1.2.1.2.2.1.10.7 | RFC1213-MIB | |
| | ifInOctets.8 | 1.3.6.1.2.1.2.2.1.10.8 | RFC1213-MIB | |
| | ifInOctets.9 | 1.3.6.1.2.1.2.2.1.10.9 | RFC1213-MIB | |
| | ifInOctets.10 | 1.3.6.1.2.1.2.2.1.10.10 | RFC1213-MIB | |
| Interface in errors | ifInErrors.1 | 1.3.6.1.2.1.2.2.1.14.1 | RFC1213-MIB | |
| | ifInErrors.2 | 1.3.6.1.2.1.2.2.1.14.2 | RFC1213-MIB | |
| | ifInErrors.3 | 1.3.6.1.2.1.2.2.1.14.3 | RFC1213-MIB | |
| | ifInErrors.4 | 1.3.6.1.2.1.2.2.1.14.4 | RFC1213-MIB | |
| | ifInErrors.5 | 1.3.6.1.2.1.2.2.1.14.5 | RFC1213-MIB | |
| | ifInErrors.6 | 1.3.6.1.2.1.2.2.1.14.6 | RFC1213-MIB | |
| | ifInErrors.7 | 1.3.6.1.2.1.2.2.1.14.7 | RFC1213-MIB | |
| | ifInErrors.8 | 1.3.6.1.2.1.2.2.1.14.8 | RFC1213-MIB | |
| | ifInErrors.9 | 1.3.6.1.2.1.2.2.1.14.9 | RFC1213-MIB | |
| | ifInErrors.10 | 1.3.6.1.2.1.2.2.1.14.10 | RFC1213-MIB | |
| Interface out counters | ifOutOctets.1 | 1.3.6.1.2.1.2.2.1.16.1 | RFC1213-MIB | |
| | ifOutOctets.2 | 1.3.6.1.2.1.2.2.1.16.2 | RFC1213-MIB | |
| | ifOutOctets.3 | 1.3.6.1.2.1.2.2.1.16.3 | RFC1213-MIB | |
| | ifOutOctets.4 | 1.3.6.1.2.1.2.2.1.16.4 | RFC1213-MIB | |
| | ifOutOctets.5 | 1.3.6.1.2.1.2.2.1.16.5 | RFC1213-MIB | |
| | ifOutOctets.6 | 1.3.6.1.2.1.2.2.1.16.6 | RFC1213-MIB | |
| | ifOutOctets.7 | 1.3.6.1.2.1.2.2.1.16.7 | RFC1213-MIB | |
| | ifOutOctets.8 | 1.3.6.1.2.1.2.2.1.16.8 | RFC1213-MIB | |
| | ifOutOctets.9 | 1.3.6.1.2.1.2.2.1.16.9 | RFC1213-MIB | |
| | ifOutOctets.10 | 1.3.6.1.2.1.2.2.1.16.10 | RFC1213-MIB | |
| Interface out errors | ifOutErrors.1 | 1.3.6.1.2.1.2.2.1.20.1 | RFC1213-MIB | |
| | ifOutErrors.2 | 1.3.6.1.2.1.2.2.1.20.2 | RFC1213-MIB | |
| | ifOutErrors.3 | 1.3.6.1.2.1.2.2.1.20.3 | RFC1213-MIB | |
| | ifOutErrors.4 | 1.3.6.1.2.1.2.2.1.20.4 | RFC1213-MIB | |
| | ifOutErrors.5 | 1.3.6.1.2.1.2.2.1.20.5 | RFC1213-MIB | |
| | ifOutErrors.6 | 1.3.6.1.2.1.2.2.1.20.6 | RFC1213-MIB | |
| | ifOutErrors.7 | 1.3.6.1.2.1.2.2.1.20.7 | RFC1213-MIB | |
| | ifOutErrors.8 | 1.3.6.1.2.1.2.2.1.20.8 | RFC1213-MIB | |
| | ifOutErrors.9 | 1.3.6.1.2.1.2.2.1.20.9 | RFC1213-MIB | |
| | ifOutErrors.10 | 1.3.6.1.2.1.2.2.1.20.10 | RFC1213-MIB | |
| System uptime | hrSystemUptime.0 | 1.3.6.1.2.1.25.1.1.0 | RFC1514-MIB | |
| GlobalProtect gateway utilization | panGPGatewayUtilization | 1.3.6.1.4.1.25461.2.1.2.5.1 | PAN-COMMON-MIB | |
| GlobalProtect gateway % utilization | panGPGWUtilizationPct.0 | 1.3.6.1.4.1.25461.2.1.2.5.1.1 | PAN-COMMON-MIB | |
| GlobalProtect gateway max tunnels | panGPGWUtilizationMaxTunnels.0 | 1.3.6.1.4.1.25461.2.1.2.5.1.2 | PAN-COMMON-MIB | |
| GlobalProtect gateway active tunnels | panGPGWUtilizationActiveTunnels.0 | 1.3.6.1.4.1.25461.2.1.2.5.1.3 | PAN-COMMON-MIB | |
| % session utilization | panSessionUtilization.0 | 1.3.6.1.4.1.25461.2.1.2.3.1.0 | PAN-COMMON-MIB | |
| Max sessions for the device | panSessionMax.0 | 1.3.6.1.4.1.25461.2.1.2.3.2.0 | PAN-COMMON-MIB | |
| Per-VSYS session utilization | panVsysTable | 1.3.6.1.4.1.25461.2.1.2.3.9 | PAN-COMMON-MIB | |
| VSYS ID | panVsysId.1 | 1.3.6.1.4.1.25461.2.1.2.3.9.1.1.1 | PAN-COMMON-MIB | |
| VSYS name | panVsysName.1 | 1.3.6.1.4.1.25461.2.1.2.3.9.1.2.1 | PAN-COMMON-MIB | |
| VSYS session % utilization | panVsysSessionUtilizationPct.1 | 1.3.6.1.4.1.25461.2.1.2.3.9.1.3.1 | PAN-COMMON-MIB | |
| VSYS active sessions | panVsysActiveSessions.1 | 1.3.6.1.4.1.25461.2.1.2.3.9.1.4.1 | PAN-COMMON-MIB | |
| VSYS max sessions | panVsysMaxSessions.1 | 1.3.6.1.4.1.25461.2.1.2.3.9.1.5.1 | PAN-COMMON-MIB | |
| Total active sessions | panSessionActive.0 | 1.3.6.1.4.1.25461.2.1.2.3.3.0 | PAN-COMMON-MIB | |
| Active TCP sessions | panSessionActiveTcp.0 | 1.3.6.1.4.1.25461.2.1.2.3.4.0 | PAN-COMMON-MIB | |
| Active UDP sessions | panSessionActiveUdp.0 | 1.3.6.1.4.1.25461.2.1.2.3.5.0 | PAN-COMMON-MIB | |
| Active ICMP sessions | panSessionActiveICMP.0 | 1.3.6.1.4.1.25461.2.1.2.3.6.0 | PAN-COMMON-MIB | |

TRAPS

PAN-OS supports the well-known traps, as defined in RFC 1907. Additional traps are sent as configured in the PAN-OS GUI. For example, you can configure the system log messages to be sent via SNMP traps. The same is true of the traffic log, threat log, and config log: each log message can be sent as a trap.

See also: Supported MIBs

owner: tlozano
Teresa 12-13-2017 09:11 AM
Issue

Inside the WebGUI > Network > IPSec Tunnels, the IKE Gateway Status (Phase 1) light is red, whereas the IPSec Tunnel (Phase 2) light is green. However, traffic still continues to flow through the tunnel properly. After some time, the IKE Gateway Status light returns to green. Is this normal?

[Screenshot: VPN Status showing Phase 1 down (Red) but Phase 2 up (Green)]

Resolution

This is normal behavior. The purpose of Phase 1 (IKE Gateway Status) is to set up a secure channel for the subsequent Phase 2 (IPSec Tunnel) security associations (SAs). Once the Phase 2 security associations have been set up, traffic travels on the Phase 2 SA. Hence, it is possible for Phase 1 to be down while traffic across the tunnel still works, because Phase 2 is up. The IKE light turns red when Phase 1 times out. After a certain period, when Phase 2 is about to time out, Phase 1 re-negotiates the encryption key for the subsequent Phase 2 negotiations. After these fresh negotiations, the IKE light turns back to green, and this process continues.

This behavior can be seen in the system logs:

[Screenshot: System logs showing Phase 2 and Phase 1 renegotiating]

Description of the above events:

21:44:04: Phase-1 SA timed out. At this point the IKE Gateway Status light becomes red. Notice that the Phase-1 renegotiation has not started right away.
21:45:38: At this point, the Phase-2 SA is about to time out. Hence, Phase-1 SA renegotiation starts. The IKE Gateway Status light turns back to green.
21:45:38: Subsequent Phase-2 renegotiation.
21:45:38: The previous Phase-2 SA expires and is deleted.

See Also

For more information on this situation, with more pictures and a different explanation, please see: DotW: VPN IPSec Tunnel Status is Red

owner: akhan
nrice 11-17-2017 03:40 PM
To create a report that includes only SSL-decrypted traffic, follow the steps below.

Steps

1. Go to Monitor > Manage Custom Reports and click Add.
2. Enter the name of the report in the Name field and select Database: Detailed Logs (Slower) > Traffic.
3. Select the desired Time Frame.
4. Select Sort By and Group By as needed.
5. In Selected Columns, add Source Address, Destination Address, Flags, and Session ID.
6. Create a specific query in order to filter the output:
   - Under the Attribute column select Flags.
   - Under the Operator column select has.
   - Under the Value column select SSL proxy.
   - Click Add.
7. Click OK and commit this configuration.
8. Open the custom report and select the option Run Now.

Note: If you would like to use this report as a scheduled report, make sure that the Scheduled checkbox is selected.

See also

SSL decryption resource list: a long list of articles dealing with SSL decryption only.

owner: npoprzen
npoprzen 11-13-2017 04:18 PM
Inside this article you will learn how to verify whether traffic is being offloaded and how to disable this feature.

When session traffic is processed by the dataplane of the Palo Alto Networks firewall, session stats and timers are updated for every packet. Most of our high-end platforms have an FPGA chip that can entirely offload a session (CTS and STC flows) and bypass the cores completely.

Verification

You can verify whether a session has been offloaded with the following CLI command:

    > show session id <id_num>

Here is an example of an SSL session that is offloaded because it is not being decrypted. The firewall cannot do any content threat detection on it, so it is offloaded to hardware for faster processing:

    admin@PAN_firewall> show session id 96776

    Session           96776

            c2s flow:
                    source:      172.20.13.132 [L3-Trust]
                    dst:         50.17.226.145
                    proto:       6
                    sport:       61973           dport:      443
                    state:       ACTIVE          type:       FLOW
                    src user:    unknown
                    dst user:    unknown

            s2c flow:
                    source:      50.17.226.145 [L3-Untrust]
                    dst:         10.46.198.13
                    proto:       6
                    sport:       443             dport:      14690
                    state:       ACTIVE          type:       FLOW
                    src user:    unknown
                    dst user:    unknown

            start time                    : Thu Oct 12 09:30:35 2017
            timeout                       : 1800 sec
            time to live                  : 1799 sec
            total byte count(c2s)         : 54759
            total byte count(s2c)         : 134469
            layer7 packet count(c2s)      : 103
            layer7 packet count(s2c)      : 200
            vsys                          : vsys1
            application                   : ssl
            rule                          : Trust-Untrust
            session to be logged at end   : True
            session in session ager       : True
            session updated by HA peer    : False
            address/port translation      : source
            nat-rule                      : Trust-NAT(vsys1)
            layer7 processing             : completed
            URL filtering enabled         : True
            URL category                  : computer-and-internet-info
            session via syn-cookies       : False
            session terminated on host    : False
            session traverses tunnel      : False
            captive portal session        : False
            ingress interface             : ethernet1/6
            egress interface              : ethernet1/3
            session QoS rule              : N/A (class 4)
            tracker stage l7proc          : ctd decoder bypass
            end-reason                    : unknown

Note: In PAN-OS 7.1 and later, an offloaded session has a tracker stage l7proc value of ctd decoder bypass.

All session statistics and timers are maintained in software, so the offload chip must send regular updates to the software. These updates cannot be sent for every packet, due to performance concerns.

Offloading details - what happens inside

Depending on the platform model, different rules apply:

PA-3050 and 50xx series

The offload chip sends a per-flow stat message to the dataplane after 16 packets have been received on one flow (CTS or STC). The dataplane software then updates session statistics and refreshes the timer accordingly.

Note: On PA-3050 and 50xx series devices, a low-traffic session can be aged out due to TTL expiration. This happens if the 16-packet condition has not been met before the timer expires.

PA-70xx series

The PA-7000 series devices handle the updates differently. They send the per-flow stat to the dataplane when one of the following two conditions occurs:
- One flow has accumulated 64 packets of stats
- A scan timer has expired for this particular flow
Software then updates session statistics and refreshes the timer accordingly.

Workaround

To avoid the offloading of sessions, there are several workarounds:

1. Turn off hardware offload temporarily with the CLI command (offloading resumes after a reboot):

        > configure
        # set session offload no

   or permanently (offloading stays disabled even after a reboot):

        > configure
        # set deviceconfig setting session offload no
        # commit

   Note: This approach can have a noticeable impact on the CPU.

2. Create a custom application and adjust the timeout value for the custom application to accommodate the worst-case scenario. The maximum accepted timeout value is 604800 seconds (1 week).

3. Tune the TCP keepalive timer and interval on the application servers.
panagent 11-04-2017 07:44 AM
Everything you need to know related to deploying, managing, and supporting Palo Alto Networks GlobalProtect.
ekampling 10-19-2017 02:58 AM
This article explains how to filter specific static routes from being advertised into OSPF while still advertising all other static routes. The method highlighted here is useful when the firewall has a large number of static routes configured and only some of them need to be filtered.

Details:

PA-1 (12.12.12.1) ------ (12.12.12.2) PA-2

1. Static routes configured on PA-1.
2. Redistribution profile configured on PA-1.
3. This redistribution profile causes all static routes configured on the PA-1 firewall to be redistributed into OSPF.
4. Now suppose we want all static routes to be advertised to PA-2 except the static route 4.4.4.0/24. This can be achieved by using the Priority value in the Redistribution Profile.

Profile "Redist-Static" has a priority of 5 and its action set to "Redist". The new profile, "Filter-Static", has a priority of 1 and its action set to "No Redist". When both profiles are referenced in the OSPF Export rules, they are evaluated according to the assigned priority. A lower value means higher priority, so the Filter-Static profile is evaluated first and preferred over the Redist-Static profile; route 4.4.4.0/24 is therefore not redistributed, while the other static routes still are.

Note: The same configuration can be used for routes learned from other source types as well, e.g., to filter specific connected routes from being exported into OSPF.
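The priority evaluation described above, as an added example that is not part of the article: a constructed model of the two redistribution profiles and a helper that catches the easy mistake of giving the filtering profile the worse (higher) priority value. The field names, the exact-prefix Destination match and the extra routes 1.1.1.0/24 to 3.3.3.0/24 are assumptions of this example, not the PAN-OS schema.

```python
import ipaddress

# Constructed model of the two redistribution profiles from the article.
# "destinations" is the profile's Destination filter; empty means "every route of that source type".
PROFILES = [
    {"name": "Redist-Static", "priority": 5, "action": "redist", "source": "static", "destinations": []},
    {"name": "Filter-Static", "priority": 1, "action": "no-redist", "source": "static", "destinations": ["4.4.4.0/24"]},
]

# Constructed static routes on PA-1; the article only names 4.4.4.0/24 explicitly.
STATIC_ROUTES = ["1.1.1.0/24", "2.2.2.0/24", "3.3.3.0/24", "4.4.4.0/24"]


def profile_matches(profile, route, source):
    """A profile applies when the source type matches and the Destination filter is
    either empty or lists this exact prefix (exact match is an assumption here)."""
    if profile["source"] != source:
        return False
    if not profile["destinations"]:
        return True
    net = ipaddress.ip_network(route)
    return any(net == ipaddress.ip_network(d) for d in profile["destinations"])


def export_decisions(routes, profiles, source="static"):
    """Evaluate profiles in priority order (lower value first); the first profile that
    matches a route decides its action. Returns {route: (action, deciding profile)}."""
    ordered = sorted(profiles, key=lambda p: p["priority"])
    decisions = {}
    for route in routes:
        decisions[route] = ("no-match", None)
        for p in ordered:
            if profile_matches(p, route, source):
                decisions[route] = (p["action"], p["name"])
                break
    return decisions


def redistributed_routes(routes, profiles, source="static"):
    """Routes that end up exported into OSPF."""
    return [r for r, (action, _) in export_decisions(routes, profiles, source).items()
            if action == "redist"]


def check_filter_ordering(profiles):
    """Every 'no-redist' profile must carry a lower (better) priority value than any
    catch-all 'redist' profile; otherwise the catch-all wins first and nothing is filtered."""
    catch_alls = [p["priority"] for p in profiles
                  if p["action"] == "redist" and not p["destinations"]]
    filters = [p["priority"] for p in profiles if p["action"] == "no-redist"]
    if not catch_alls or not filters:
        return True
    return max(filters) < min(catch_alls)
```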
poagrawal 06-08-2017 03:03 AM
The behavior of Device Administrator roles has changed in PAN-OS 8.0 with respect to users' access under the Device tab. The Save functionality has been separated out, so that allowing Device Administrators only to Save (instead of allowing all features under the Operations tab) can now be controlled in isolation.

Previously, in PAN-OS 7.1 and earlier, for a Device Administrator (non-Superuser) to be able to save the configuration via the Save icon in the top-right corner of the WebGUI, the Device tab had to be allowed and Device > Setup > Operations had to be Enabled for the user.

The above configuration shows the bare minimum requirements for the Save icon to be present in PAN-OS 7.1 and earlier, but it also means that any Device Admin would also have the right to load configs, import/export, etc., as allowed under Operations.

If a Device Administrator in PAN-OS 7.1 attempted to save without the Device tab enabled (or, specifically, without Device > Setup > Operations enabled) as shown above, the Save icon disappeared entirely from their available icons.

In PAN-OS 8.0 the process has changed: users can be denied access to the Device tab entirely and still retain the Save/Revert functionality under the Config icon in the top right.

The Save feature in PAN-OS 8.0 has been completely isolated from the Operations section under Device on which it previously depended. The option Save For Other Admins can be denied as well, allowing the user only a partial save of the changes they themselves have made. If a Device Administrator in PAN-OS 8.0 has had the Save feature disabled, the Config icon still remains in the top right corner (unlike PAN-OS 7.1 and earlier); however, the functionality is denied and the following error message is presented to the user:
cperratore 05-04-2017 12:41 PM
Overview: This article explains the meaning of 'error subcode 5 (Connection rejected)' seen while establishing BGP between two firewalls.

Details:

Excerpt from the RFC:

"If a BGP speaker decides to disallow a BGP connection (e.g., the peer is not configured locally) after the speaker accepts a transport protocol connection, then the BGP speaker SHOULD send a NOTIFICATION message with the Error Code Cease and the Error Subcode "Connection Rejected"."

This means that after the initial TCP handshake between the BGP peers, when peer A receives an OPEN message from peer B and does not recognize peer B, it sends a NOTIFICATION message with the subcode "Connection Rejected".

Assume the following topology:

PA-1 (192.168.30.1) ----- (192.168.30.2) PA-2

PA-2 has a misconfigured peer IP address: instead of 192.168.30.1 it is configured as 192.168.30.3.

As soon as PA-2 (192.168.30.2) receives an OPEN message from PA-1, it sends a NOTIFICATION message.

PA-1 shows this notification message being received, together with the error code, in routed.log.

Resolution: Edit the configuration to include the correct peer IP address on the firewall.
poagrawal 04-05-2017 07:36 AM
How to predefine the GlobalProtect portal address using the Microsoft Orca editor tool

1. Download the Microsoft Windows SDK for Windows. The Orca software comes as a package inside the SDK. Install Orca.
2. Download the GlobalProtect MSI file for installation from the support website.
3. Open the GlobalProtect MSI file using the Orca editor tool.
4. Navigate to the "Registry" table and select the row with the name "Portal". Right-click it and select "Drop Row".
5. Now select any row with Key "Software\Palo Alto Networks\GlobalProtect\PanSetup". Right-click and select "Copy Row(s)".
6. Scroll to the bottom, right-click and select "Paste Row(s)".
7. Edit this row to set Name to "Portal" and Value to the IP address or FQDN of the portal. Do not change any other field.
8. Save the file and install the GlobalProtect agent. Once installation is done, launch the GlobalProtect agent; the IP address will be pre-defined in the Portal Address field.
poagrawal 04-04-2017 01:46 PM
Issue

How to export logs from the GlobalProtect app on iOS or Android devices for troubleshooting purposes.

Steps

Prerequisite: Ensure the mobile device has email configured for the device's default email client, as the logs are exported through the native email client.

On the iOS device:
1. Open the GlobalProtect application.
2. Click the '?' help icon.
3. Click Troubleshooting.
4. Make sure Debug Logs is enabled (it is enabled by default).
5. Click 'Email logs'. This opens the email app; enter the email address to send the logs to.

On the Android device:
1. Open the GlobalProtect app.
2. Click the Settings icon at the bottom left of the screen.
3. Click Troubleshooting.
4. Make sure Debug Logs is enabled (it is enabled by default).
5. Enter the email address and click 'Email logs'.

owner: dreputi
dreputi 02-02-2017 04:01 AM
Overview

Security Policies allow users to control firewall operations by enforcing rules and automatically taking action. Security Policies on the Palo Alto Networks firewalls determine whether to block or allow a new network session based on traffic attributes, such as the source and destination security zones, the source and destination addresses, and the application and services.

The following table provides a list of valuable resources on understanding and configuring Security Policies:

| TITLE | DESCRIPTION | TYPE |
|---|---|---|
| BASIC | | |
| Security Policy Guidelines | Best Practices for Creating Security Policies | Document |
| Fundamental Guide on Security Policies | Fundamentals of Security Policies | Document |
| Tour of PAN-OS Security Policy Configuration | Security Policies Configuration | Video |
| How to Configure Security Policies on the PAN-OS UI | Configure a Security Policy on PAN-OS | Video |
| How to Configure Security Policy by Application | Configure a Security Policy by App | Video |
| INTERMEDIATE | | |
| How to Add Groups to Security Policy | Add Group to Security Policy | Document |
| Can Local User/Group Database be Used in Security Policies? | Manually add to Security Policy | Document |
| How to Enter an Application Name in Policy Without a Search Delay | How to put an application name in the policy | Document |
| How to Configure a Security Policy to use a Region | Creating a Security Policy to use region instead of IP address | Document |
| How to Tag and Filter Security Policy Rules | How to add tags and filter security policies | Document |
| ADVANCED | | |
| How to View Security Policies from the CLI | View Security Policies from the CLI | Document |
| Security Policies Based on Zone Assignment for VPN Interface | Policies based on zone assignment for VPN interface | Document |
| How to See Traffic from Default Security Policies in Traffic Logs | Describes traffic hitting default policies | Document |
| Creating a Security Policy to Block Selective Flash | Write a Security Policy to block Adobe Flash and allow flash | Document |
| What is Default Value for "Service" Field in the Security Policy in PAN-OS 6.0? | PAN-OS 6.0 Default Value for Service Field | Document |
| How to Schedule Policy Actions | Security Policies can be set to perform configured actions | Document |
| Security Policy to Allow/Deny a Certain ICMP Type | Cases where ICMP Type should be allowed | Document |
| How to Create and View NAT Rules on the CLI | Sample Commands to create Bi-Directional NAT Policy & Inbound Security Policy | Document |
| How to Configure Email Notifications for Security Policy Changes | How to Configure email notifications on Security Policy changes | Document |
| DISCUSSION BOARDS | | |
| CLI Listing of all Security Policies | How to List All Security Policies from the CLI | Board |
| Security Policy Organization | Organizing Security Policies | Board |
| Security Policy Limit Alarms | How to Generate Tags | Board |
| Adding Users to a Security Policy | Add Users to Security Policy | Board |
| Security Policy with URLs | Create a Security Policy with the Destination Address as a URL | Board |

Note: If you have a suggestion for an article, video or discussion not included in this list, please post a recommendation in the comments below and it will be added to the master list.

owner: asimon
02-01-2017 10:24 AM
This article shows how to fix web browsing that fails with the error code SSL_ERROR_RX_RECORD_TOO_LONG, using facebook.com as the example.

Cause

The error code "SSL_ERROR_RX_RECORD_TOO_LONG" means the web server is sending non-secure (HTTP) data where the web browser expects secure (HTTPS) data.

Details

Security policy on the firewall (refers to the URL filtering profile "facebook test"):

URL Filtering profile on the firewall (the social-networking category has an action of continue):

With an action of continue on the URL category, the firewall sends a redirect message to the client to prompt the user to click Continue to proceed to the web page, as follows:

This Continue redirect message sent by the firewall is an HTTP response:

Note: This redirect message shows the URL category and the security policy rule matched by this traffic.

When browsing to www.facebook.com, the browser makes a request for https://www.facebook.com, as below:

In this case, the HTTP redirect message that the firewall sends for continue is treated as an invalid response by the browser, which shows the error SSL_ERROR_RX_RECORD_TOO_LONG.

Solution

Either of the two solutions offered can overcome this issue:

1. Enable outbound SSL decryption on the firewall. For more information on how to enable SSL decryption on the firewall, please click here.

OR

2. Run the following command on the firewall. This allows the SSL handshake to complete before the HTTP response page is sent to the client. For more information about this command, please click here.

    # set deviceconfig setting ssl-decrypt url-proxy yes
hagarwal 11-22-2016 10:20 AM
Configure a Data Filtering Profile on the web UI at Objects > Security Profiles > Data Filtering.

The Alert Threshold and Block Threshold fields specify how many instances of a data match, within a single session, must be observed before the Palo Alto Networks device performs an alert or block action, respectively.

To configure a Data Filtering Profile that will alert and not block, set the Alert Threshold to a non-zero value and set the Block Threshold to 0.

For example:

owner: jjosephs
jjosephs 09-07-2016 03:58 PM
Overview

The following table provides a list of valuable resources on configuring and troubleshooting User-ID:

| TITLE | CATEGORY | TYPE |
|---|---|---|
| BASIC | | |
| Agentless User-ID agent | Configuration | Video |
| User-ID agent setup tips | Configuration | Document |
| How to install the Palo Alto Networks User-ID agent | Configuration | Document |
| How to configure active directory server profile for group-mapping and authentication | Configuration | Document |
| User-ID best practices | Configuration | Document |
| How to configure group mapping settings | Configuration | Document |
| Architecting User-ID deployments | Configuration | Document |
| How to configure eDirectory and LDAP authentication | Configuration | Document |
| How to configure group-mapping in a multi-domain active directory domain services (AD DS) forest | Configuration | Document |
| How to install and configure terminal server agent | Configuration | Document |
| How to collect the User-IP mappings from a Syslog sender using a User-ID agent | Configuration | Document |
| User-ID agent as LDAP proxy for group-mapping and authentication | Configuration | Document |
| Correct group and IP to user-mapping in multi-domain AD forest using global catalog | Configuration | Document |
| INTERMEDIATE | | |
| Best practices for securing User-ID deployments | Configuration | Document |
| How to check users in LDAP groups | Troubleshooting | Document |
| Unknown user for User-ID IP-User mapping cache timers | Troubleshooting | Document |
| IP-to-User mappings have inconsistent domain prefix | Troubleshooting | Document |
| User-ID agent access control list | Configuration | Document |
| How to determine the NetBIOS domain for LDAP server profile in Windows 2003 and 2008 server | Configuration | Document |
| Improve LDAP authentication during disaster recovery | Configuration | Document |
| ADVANCED | | |
| Agentless User-ID 'access denied' error in server monitor | Troubleshooting | Document |
| Troubleshooting User-ID: Group and User-to-IP mapping | Troubleshooting | Document |
| Agentless User-ID connection to active directory servers intermittently connect and disconnect | Troubleshooting | Document |
| Useful CLI Commands for troubleshooting User-ID agent software | Troubleshooting | Document |
| Unexpected traffic seen from the User-ID agent | Troubleshooting | Document |
| Which login credentials does Palo Alto Networks User-ID agent see when using RDP? | Troubleshooting | Document |
| How the User-ID agent include/exclude list works | Configuration | Document |
| How to upgrade User-ID agent | Configuration | Document |
| User-IP mappings not redistributed from collector | Troubleshooting | Document |
| Why are some users not identified by the User-ID agent? | Troubleshooting | Document |
| Terminal Server Agent Registry Tuning for Better Port Allocation and Handling, Time Wait State | Troubleshooting | Document |
| How to Create Ignore_User_List with Special Characters in User-ID Agent | Troubleshooting | Document |
| DISCUSSION BOARDS | | |
| PAN AD Useragent - Excluding users? | Configuration | Discussion |

Note: If you have a suggestion for an article, video or discussion not included in this list, please post a recommendation in the comments below and it will be added to the master list.

owner: ekampling
ekampling 08-10-2016 01:30 PM
Scenario

For username-to-IP address mapping, the software-based and agentless User-ID agents install the most recently learned mapping. Consider an example where user1 is mapped to ip1 and this mapping is learned via an agentless User-ID agent; the source is then A. Now, if user1 launches a VPN connection via GlobalProtect from the same PC and is assigned a new IP address, the username-to-IP mapping on the firewall changes to user1 and ip2, and the source is GlobalProtect. Hence the old user cache entry of user1 and ip1 is overwritten by the new entry of user1 and ip2.

Similarly, groups retrieved from an Active Directory domain controller should be unique in each group mapping profile. It can be argued that groups are often referenced in security policies and that it doesn't matter which group-mapping profile this information comes from, but in some cases it does matter and may well turn the tables completely.

In the following scenario, you'll notice that the same group, when referenced from two different group mapping profiles, can cause issues in matching the security policy, because the user fails to match the Active Directory group to which it belongs.

A group mapping profile is configured with the user domain under Domain Settings set to test, where test is the NetBIOS domain name equivalent of the FQDN domain name test.kunaldc.com.

The group cn=group2,cn=users,dc=test,dc=kunaldc,dc=com is fetched using this group mapping profile.

A user gptest belongs to this group, and its username is stored on the firewall in domain\username format as test\gptest.

Now configure another group mapping profile, AD-FQDN-FORMAT, where the user domain is not overridden and is therefore test.kunaldc.com instead of test. Use the Include Group option to include only the above AD group in this group-mapping profile. Commit this change.

When the group-mapping refresh is complete, check the group-mapping state.

Now the same AD group, cn=group2,cn=users,dc=test,dc=kunaldc,dc=com, is also fetched by the new group-mapping profile AD-FQDN-FORMAT.

Look carefully at the usernames that belong to this group. The username format has changed from netbios\user to fqdn\user. The source has also changed from the old group-mapping profile, GPOUP-MAPPING-TEST, to the new one, AD-FQDN-FORMAT.

The primary issue that arises now is that the username learned via any User-ID mechanism (agent or agentless User-ID, GlobalProtect, captive portal, etc.) doesn't match the username format in the group-mapping table. Traffic from the same user therefore fails to match the security policy where this user group is referenced.
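The policy-matching failure described above, as an added example that is not part of the article: a constructed model in which a later group-mapping refresh replaces the group's members with FQDN-format names, so the exact-string comparison against the NetBIOS-format User-ID mapping no longer matches, plus a check that flags a group fetched by two profiles with different user-domain formats. The data structures are assumptions for illustration, not PAN-OS APIs; names and profiles are taken from the article.

```python
# Constructed data modelled on the article's scenario.
GROUP_DN = "cn=group2,cn=users,dc=test,dc=kunaldc,dc=com"

# (ip, username as learned by User-ID / GlobalProtect, source) - constructed IP
USER_ID_MAPPINGS = [("10.1.1.50", "test\\gptest", "GlobalProtect")]

# Group-mapping profiles in the order their refresh completed; the firewall keeps one
# entry per group, so the last refresh of a group replaces the earlier one.
GROUP_MAPPING_REFRESHES = [
    ("GPOUP-MAPPING-TEST", {GROUP_DN: ["test\\gptest"]}),
    ("AD-FQDN-FORMAT", {GROUP_DN: ["test.kunaldc.com\\gptest"]}),
]


def effective_groups(refreshes):
    """Collapse successive refreshes into the group table the firewall ends up with:
    members and source come from whichever profile fetched the group last."""
    table = {}
    for profile, groups in refreshes:
        for dn, members in groups.items():
            table[dn] = {"source": profile, "members": set(members)}
    return table


def policy_matches(username, group_dn, table):
    """Group matching is an exact string comparison of domain\\user, so
    netbios\\user and fqdn\\user are two different identities."""
    return username in table.get(group_dn, {}).get("members", set())


def username_domain(name):
    """'test\\gptest' -> 'test'; names without a domain prefix yield ''."""
    return name.split("\\", 1)[0].lower() if "\\" in name else ""


def find_format_conflicts(refreshes):
    """Flag a group fetched by two profiles whose user-domain formats differ;
    this is the misconfiguration the article demonstrates."""
    seen, conflicts = {}, []
    for profile, groups in refreshes:
        for dn, members in groups.items():
            domains = {username_domain(m) for m in members}
            if dn in seen and seen[dn][1] != domains:
                conflicts.append({"group": dn, "first": seen[dn][0], "second": profile})
            seen[dn] = (profile, domains)
    return conflicts


def unmatched_users(mappings, group_dn, refreshes):
    """User-ID mappings that would fail a security policy referencing group_dn."""
    table = effective_groups(refreshes)
    return [(ip, user, src) for ip, user, src in mappings
            if not policy_matches(user, group_dn, table)]
```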
View full article
kbiswas ‎07-25-2016 04:13 PM
2,329 Views
0 Replies
1 Like
Details

The Palo Alto Networks device deletes the oldest log data when the logdb-quota is reached. The device purges logs based upon the categories seen in show system logdb-quota. Refer to When are Logs Purged on the Palo Alto Networks Devices? for the purging behavior on different platforms.

The root partition can become full, requiring manual file deletion. If the root is full, the device cannot perform maintenance tasks such as content installs (AV, App/Threat, URL DB) or generate tech support files. To check the status of the root partition, use the show system disk-space command. Core files consume large amounts of disk space; list them with show system files and delete large core files with delete core management-plane file <filename>.

Use these commands to view and delete core files:

> show system disk-space
Filesystem            Size  Used Avail Use% Mounted on
/dev/sda3             3.8G  3.8G     0 100% /
/dev/sda5             7.6G  3.4G  3.8G  48% /opt/pancfg
/dev/sda6             3.8G  2.7G  940M  75% /opt/panrepo
tmpfs                 493M   36M  457M   8% /dev/shm
/dev/sda8              51G  6.6G   42G  14% /opt/panlogs

Check the output of show system files to see core files using up a large amount of disk space.

> show system files
/opt/dpfs/var/cores/:
total 4.0K
drwxrwxrwx 2 root root 4.0K Jun 10 20:05 crashinfo

/opt/dpfs/var/cores/crashinfo:
total 0

/var/cores/:
total 115M
drwxrwxrwx 2 root root 4.0K Jun 10 20:15 crashinfo
-rw-rw-rw- 1 root root 867M Jun 12 13:38 devsrvr_4.0.3-c37_1.gz
-rw-rw-rw- 1 root root  51M Jun 12 13:39 core.20053

/var/cores/crashinfo:
total 16K
-rw-rw-rw- 1 root root  15K Jun 10 20:15 devsrvr_4.0.3-c37_0.info

Delete unnecessary core files:

> delete core management-plane file devsrvr_4.0.3-c37_1.gz

(This example deletes a device server core file from the management plane.) Report deletion can be done from the command line as well.

To delete a set of summary reports starting with 864:

> delete report summary scope shared report-name predefined file-name 864*

Delete rotated files and files with the extension .old as follows. These files contain monitoring details and service-related logs on the firewall, so they can be deleted safely if you don't need them. If TAC is investigating an ongoing issue, you may prefer to keep them until you have uploaded the tech support file to the case manager.

> delete debug-log mp-log file *.1
> delete debug-log mp-log file *.2
> delete debug-log mp-log file *.3
> delete debug-log mp-log file *.old

owner: bpappas
View full article
panagent ‎06-14-2016 03:50 AM
113,273 Views
29 Replies
4 Likes
Here are the steps to activate a license for a Palo Alto Networks VM-Series firewall installed on an ESXi server that does not have direct internet access.

Steps

1. Access the web interface of the firewall. Navigate to Device > Licenses and click 'Activate Feature using Auth Code.'
2. Click 'Download Authorization File' to download an 'authorizationfile.txt' file to the client machine.
3. Copy the above file to a computer that has access to the internet and log into the support portal.
4. Click 'My VM-Series Auth-Codes' and select the applicable auth-code from the list. Then click 'Register VM.'
5. On the Register VM Device tab, upload the authorization file. This completes the registration process, and the serial number of the VM-Series firewall is attached to the record on the support site.
6. Navigate to the My Devices tab, search for the VM-Series device just registered and click the PA-VM link. This downloads the VM-Series license key to the client machine.
7. Copy the license key to the machine that can access the web interface of the VM-Series firewall and navigate to the Device > Licenses tab.
8. Click 'Manually Upload License' and enter the license key. The license is activated on the device and the device reboots.
9. Log into the device and confirm that the dashboard displays a valid serial number. If it is unknown, the device was not licensed.
10. On the Device > Licenses tab, verify that the 'PA-VM' license was added to the device.

See also

To license a VM-Series firewall with internet access, see: How to Authorize or Register a VM.

owner: nmassman
View full article
NoahMH ‎02-09-2016 01:11 PM
17,467 Views
0 Replies
1 Like
The application column shows not-applicable if the traffic matches an allowing/blocking security rule via a service filter rather than an application filter.

Details

Firewall traffic is matched against the security rules from left to right and top to bottom. If traffic hits a security rule that is set to "deny" based on any parameter before the application, the traffic log shows the application as not-applicable. This occurs because the traffic was dropped or denied before the application match could be performed.

Example Security Policy

Traffic Log

Log Details appear when you click the icon in a row of traffic logs. The log details above show the bytes and packet count as zero since no traffic was allowed, which is why the application is identified as not-applicable.

owner: mbutt
View full article
nrice ‎12-03-2015 03:47 PM
18,605 Views
2 Replies
This document explains the different actions available for vulnerability profiles. Actions can be specified for each rule in a security profile and for specific threat ID exceptions.

| Action Type | Action | Where | Action Details |
| --- | --- | --- | --- |
| Default | Pre-defined action based upon severity | Rule | Apply the pre-defined action that is selected for each threat |
| Allow | Allow session, but do not log in Threat Log | Rule | Enables one to create an exception for an event so that there is no entry in the Threat Log |
| Alert | Allow session, log in Threat Log | Rule | Enables logging for all threats, regardless of severity |
| Block | Drop all packets for that session | Rule | Drop that packet. Note that TCP will try to retransmit the packet, which will be dropped again, so the entire session is blocked for all practical purposes |
| reset-server | Send RST packet to server | Exception | Drop the packet and send a TCP reset towards the server side of the TCP connection |
| reset-both | Send RST packet to both | Exception | Drop the packet and send a TCP reset to both client and server |
| reset-client | Send RST packet to client | Exception | Drop the packet and send a TCP reset towards the client side of the TCP connection |
| drop-all-packets | Drop all packets for that session | Exception | Drop all packets for that session |
| drop | Drop just that packet | Exception | Drop that packet. Note that TCP will try to retransmit the packet, which will be dropped again, so the entire session is blocked for all practical purposes |
| block-ip | Drop all packets from a source IP address | Exception | Block all sessions for a specified period of time from a source IP address |

* The word session is used as a reference to the firewall table when the protocol is UDP.

* The action recorded in the Threat log may differ from the Default Action definition of each threat signature, depending on the protocol. For example, "drop-all-packets" is recorded in the Action field for TCP sessions and "drop" for UDP sessions while "drop" is set in the security profile.

owner: jjosephs
View full article
nrice ‎11-10-2015 01:44 AM
23,642 Views
4 Replies
1 Like
Frequently Asked Questions

Can the OSS be configured for remote management?
Yes, a management IP can be configured on the OSS for remote management.

Can the software be kept up-to-date even though it has no licensing?
App-only content can be updated from Panorama, but PAN-OS needs to be uploaded manually using the image file. The system cannot be upgraded from the license servers since this requires license validation.

Can the OSS be configured as a third device in an HA cluster?
Because the spare unit doesn't require a license, it needs to remain completely off the network until used to replace an active licensed unit. Cables from the failed device would need to be physically moved to the OSS.

Can the license transfer be done without either device being on the network?
Yes, the license transfer is done on the Support Portal and neither device needs to be connected. Instead of retrieving license keys from the server, they can be downloaded to a PC and uploaded to the unit.

See also

Refer to How to Transfer Licenses to a Spare Device

owner: panagent
View full article
nrice ‎11-02-2015 09:50 AM
12,290 Views
4 Replies
This week's Tips & Tricks looks at the Application Command Center (ACC), which provides visibility into the network traffic passing through your firewall. The ACC is sometimes overlooked inside the WebGUI, but it is a very powerful tool to help you manage and see the traffic flowing through your network.

Note: I'll be showing you the ACC on PAN-OS 5.0, 6.0 and 6.1. PAN-OS 7.0 changes the look and feel of the interface, which I will cover in a different segment of Tips & Tricks.

In order to learn more about the ACC, we'll explore the following areas:
• What is the Application Command Center (ACC)?
• Parts of the Application Command Center (ACC) and how to get more information from the ACC

What is the Application Command Center (ACC)?

The Application Command Center (ACC) page visually depicts trends and a historic view of traffic on your network. It displays the overall risk level for all network traffic, the risk levels and number of threats detected for the most active and highest-risk applications on your network, and the number of threats detected from the busiest application categories and from all applications at each risk level. The ACC can be viewed for the past hour, day, week, month, or any custom-defined time frame. Risk levels (1=lowest to 5=highest) indicate the application's relative security risk, based on criteria such as whether the application can share files, is prone to misuse, or tries to evade firewalls.

Parts of the Application Command Center (ACC) and how to get more information from the ACC

We will start with the Dashboard tab.

ACC Risk Factor

Inside the WebGUI, on the Dashboard tab, you'll see ACC Risk Factor. This information shows the risk factor over the last 60 minutes based upon information inside the ACC tab.

This is a general 'threat temperature' of the traffic. If you find it higher than normal, you can use the main ACC to drill down and investigate what is causing the temperature to be higher than normal.

If you'd like to see this and it is not being displayed on your Dashboard page, enable it from Dashboard > Widgets > Application > ACC Risk Factor.

Top Applications

You will also see the 'Top Applications' if you have enabled this widget. This widget displays the applications with the most sessions. The block size indicates the relative number of sessions (mouse over the block to view the number), and the color indicates the security risk, from green (lowest) to red (highest). Click an application to view its application information, as well as a full breakdown of where that application has been seen inside the ACC page.

This is a great way to see the applications in use at a glance. If you would like to see this, it can be enabled from Dashboard > Widgets > Application > Top Applications.

Now let's move on to the ACC tab. On the ACC tab, you will see the following sections that make up the Application Command Center:
• Time/Sort By/Top (at the top of the window)
• Application
• URL Filtering
• Threat Prevention
• Data Filtering
• HIP Matches

1. Time/Sort By/Top

At the top of the window, you'll see the Time/Sort By/Top options. These control all the display options inside the ACC.

• Time: You have options for the time range from the last 15 minutes to the Last Calendar Month, and even a Custom option. The default is Last Hour.
• Sort By: You can sort the charts in descending order by number of sessions, bytes, or threats. The default is by number of sessions.
• Top: You have an option for the 'Top' number to be displayed per section. This ranges from 5 up to 500. The default is 25.

Press the green arrow to make your selection take effect. Lastly, the green plus sign is a Set Filter option that allows you to filter by Application, Source or Destination IP, Source or Destination User, Machine Name, HIP, Source or Destination Zone, Risk and URL Category.

Note: There are 2 other parts of the ACC that I didn't document with a screenshot. They are as follows:
• Virtual System: If virtual systems are defined, you can select one from this drop-down.
• Data Source (for Panorama only): Select the Data Source that is used to generate the graphical display of traffic trends. The default Data Source for new installations is Panorama; Panorama uses the logs forwarded by the managed devices. To fetch and display an aggregated view of the data from the managed devices, you have to switch the source from Panorama to Remote Device Data. On an upgrade, the default data source is Remote Device Data.

Adding a filter comes in handy if you are looking for specific traffic.

Note: You'll also see the same ACC Risk Factor in the upper right, as well as a set of 5 icons.

The icons are shortcuts to logs, in the following order:
• Traffic Log
• Threat Log
• URL Filtering Log
• Data Filtering Log
• HIP Match Log

These shortcuts come in handy when you would like to jump straight to the Threat logs but do not want to click on Monitor > Threat logs.

2. Application

The first section you'll see is the Application section.

This section displays information organized according to the menu selection. Information includes the number of sessions, bytes transmitted and received, number of threats, application category, application subcategories, application technology, and risk level, as applicable. The following subcategories are available from the drop-down on the right side:
• Applications
• High Risk Applications
• Categories
• Sub Categories
• Technology
• Risk

This is the section where you can start to investigate questionable traffic as it passes through your network, in or out, by clicking on the application name or using the drop-down to look at the application data differently.

For example, let's say that 'msrpc' traffic is high, and you want to know more about this traffic. Simply click on msrpc and you will see the following:
• Application Information: general information about the application, including its Name, Description, and all other information specific to this application and how it communicates.
• Top Applications: shows session and byte information
• Top Sources
• Top Destinations
• Top Source Countries
• Top Destination Countries
• Top Security Rules
• Top Ingress Zones
• Top Egress Zones
• URL Filtering
• Threat Prevention
• Data Filtering

You can continue to click on each area to get more detailed information. Sometimes the information you need is only one click down; more involved investigations might take more drill-downs to get the information you need.

3. URL Filtering

Displays information organized according to the menu selection. Information includes the URL, URL category, and repeat count (number of times access was attempted), as applicable. The following sections are available:
• URL Categories
• URLs
• Blocked URL Categories
• Blocked URLs

This is a great way to see what URL filtering categories are being used.

4. Threat Prevention

Displays information organized according to the menu selection. Information includes threat ID, count (number of occurrences), number of sessions, and subtype (such as vulnerability), as applicable. The following sections are available:
• Threats
• Types
• Spyware
• Spyware Phone Home
• Spyware Download
• Vulnerabilities
• Viruses

If you want to know about Threat Prevention, you'll really appreciate this section and the information it can show you.

5. Data Filtering

Displays data from the data filtering policy that has been created. The following sections are available:
• Content/File Types
• Types
• File Names

If you use data filtering, this comes in handy to quickly show how many files are created and the repeat count of each type.

6. HIP Matches

This area displays Host Information Profile (HIP) information gathered from GlobalProtect. The following sections are available:
• HIP Objects
• HIP Profiles

If you're using HIP with GlobalProtect, then this area can prove very helpful.

I hope this Tips & Tricks article has helped you understand the Application Command Center better, as well as provided you with some insight into better ways to access and use the information in the ACC.

As always, we welcome all feedback and suggestions, and we're happy to take requests for future Tips & Tricks. Leave a comment below.

Stay secure,
Joe Delio
View full article
‎10-30-2015 02:35 PM
24,294 Views
8 Replies
4 Likes
Overview

This document describes the CLI commands that can be used to verify a successful connection to the LDAP server for pulling groups.

Details

During LDAP server configuration, the device automatically pulls the Base DN if the connection is successful. The Base and Bind DN are configured under Device > Server Profiles > LDAP.

Use the show user group-mapping state all command to view the LDAP connectivity if using the server profile for group mapping. For example:

> show user group-mapping state all
Group Mapping (vsys1, type: active-directory) : grp_mapping
  Bind DN    : pantac2003\adminatrator
  Base       : DC=pantac2003,DC=com
  Group Filter: (None)
  User Filter: (None)
  Servers    : configured 1 servers
          10.46.48.101 (389)
                  Last Action Time: 2290 secs ago(took 71 secs)
                  Next Action Time: In 1310 secs
  Number of Groups: 121
  cn=administrators,cn=builtin,dc=pantac2003,dc=com
  cn=ras and ias servers,cn=users,dc=pantac2003,dc=com
  cn=s,cn=users,dc=pantac2003,dc=com

If the Bind DN entered on the Palo Alto Networks device under Device > Server Profiles > LDAP is incorrect, the output of the command will display "Invalid credentials". The example output below shows a scenario in which "cn=Administrator12" was entered, but the correct value was "cn=Administrator":

> show user group-mapping state all
Group Mapping (vsys1, type: active-directory) : grp_mapping
  Bind DN    : CN=Administrator12,CN=Users,DC=pantac2003,DC=com
  Base       : DC=pantac2003,DC=com
  Group Filter: (None)
  User Filter: (None)
  Servers    : configured 1 servers
          10.46.48.101 (389)
                  Last Action Time: 0 secs ago(took 0 secs)
                  Next Action Time: In 60 secs
                  Last LDAP error: Invalid credentials
  Number of Groups: 0

Errors can be pulled from the useridd log using the following command:

> less mp-log useridd.log
Dec 30 15:59:07 connecting to ldap://[10.46.48.101]:389 ...
Dec 30 15:59:07 Error: pan_ldap_bind_simple(pan_ldap.c:466): ldap_sasl_bind result return(49) : Invalid credentials
Dec 30 15:59:07 Error: pan_ldap_ctrl_connect(pan_ldap_ctrl.c:832): pan_ldap_bind()  failed
Dec 30 15:59:07 Error: pan_gm_data_connect_ctrl(pan_group_mapping.c:994): pan_ldap_ctrl_connect(grp_mapping, 10.46.48.101:389) failed
Dec 30 15:59:07 Error: pan_gm_data_connect_ctrl(pan_group_mapping.c:1061): ldap cfg grp_mapping failed connecting to server 10.46.48.101 index 0
Dec 30 15:59:07 Error: pan_gm_data_ldap_proc(pan_group_mapping.c:1942): pan_gm_data_connect_ctrl() failed
Dec 30 15:59:14 Warning: pan_ldap_ctrl_construct_groups(pan_ldap_ctrl.c:546): search aborted
Dec 30 15:59:16 Error: pan_ldap_ctrl_query_group_membership(pan_ldap_ctrl.c:2384): pan_ldap_ctrl_construct_groups() failed
Dec 30 15:59:16 Error: pan_gm_data_update(pan_group_mapping.c:1431): pan_ldap_ctrl_query_group_membership()  failed
Dec 30 15:59:16 Error: pan_gm_data_ldap_proc(pan_group_mapping.c:1976): pan_gm_data_update() failed
Dec 30 16:00:07 connecting to ldap://[10.46.48.101]:389 ...
Dec 30 16:00:07 Error: pan_ldap_bind_simple(pan_ldap.c:466): ldap_sasl_bind result return(49) : Invalid credentials
Dec 30 16:00:07 Error: pan_ldap_ctrl_connect(pan_ldap_ctrl.c:832): pan_ldap_bind()  failed
Dec 30 16:00:07 Error: pan_gm_data_connect_ctrl(pan_group_mapping.c:994): pan_ldap_ctrl_connect(grp_mapping, 10.46.48.101:389) failed

Command to re-establish the link to the LDAP server:
> debug user-id reset group-mapping <grp_mapping_name>

Command to set LDAP debug:
> debug user-id set ldap all

Command to turn on debug:
> debug user-id on debug

Command to turn off debug:
> debug user-id off

Command to capture LDAP traffic if using the management port:
> tcpdump filter "port 389"

Command to capture LDAPS (SSL) traffic if using the management port:
> tcpdump filter "port 636"

Command to view the pcap taken off the management port:
> view-pcap mgmt-pcap mgmt.pcap

Command to export the pcap to an external host by scp or tftp:
> scp export mgmt-pcap from mgmt.pcap to username@host:path
> tftp export mgmt-pcap from mgmt.pcap to <tftp host>

owner: sdarapuneni
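As an added example (not code from the article or from PAN-OS), the Python below parses the two outputs shown above, the show user group-mapping state all block and the useridd.log bind errors, and turns them into a pass/fail health check of the kind you would run from a monitoring job after exporting the text. The sample text is lifted from the article; the health rules and the LDAP result-code table (values from RFC 4511) are this example's own.

```python
# Added example (not PAN-OS code): parse "show user group-mapping state all"
# output and useridd.log lines as shown in the article, and decide whether the
# LDAP group pull is healthy. Sample text is copied from the article; the
# health rules and the result-code table are this example's own.
import re

STATE_OK = """\
Group Mapping (vsys1, type: active-directory) : grp_mapping
  Bind DN    : pantac2003\\adminatrator
  Base       : DC=pantac2003,DC=com
  Servers    : configured 1 servers
          10.46.48.101 (389)
                  Last Action Time: 2290 secs ago(took 71 secs)
                  Next Action Time: In 1310 secs
  Number of Groups: 121
  cn=administrators,cn=builtin,dc=pantac2003,dc=com
"""

STATE_BAD = """\
Group Mapping (vsys1, type: active-directory) : grp_mapping
  Bind DN    : CN=Administrator12,CN=Users,DC=pantac2003,DC=com
  Base       : DC=pantac2003,DC=com
  Servers    : configured 1 servers
          10.46.48.101 (389)
                  Last Action Time: 0 secs ago(took 0 secs)
                  Next Action Time: In 60 secs
                  Last LDAP error: Invalid credentials
  Number of Groups: 0
"""

USERIDD_LOG = """\
Dec 30 15:59:07 connecting to ldap://[10.46.48.101]:389 ...
Dec 30 15:59:07 Error: pan_ldap_bind_simple(pan_ldap.c:466): ldap_sasl_bind result return(49) : Invalid credentials
Dec 30 15:59:07 Error: pan_ldap_ctrl_connect(pan_ldap_ctrl.c:832): pan_ldap_bind()  failed
Dec 30 16:00:07 connecting to ldap://[10.46.48.101]:389 ...
Dec 30 16:00:07 Error: pan_ldap_bind_simple(pan_ldap.c:466): ldap_sasl_bind result return(49) : Invalid credentials
"""

# LDAP resultCode values (RFC 4511) that commonly surface in a failed bind.
LDAP_RESULT_CODES = {
    0: "success",
    32: "noSuchObject",
    34: "invalidDNSyntax",
    49: "invalidCredentials",
    52: "unavailable",
}


def parse_group_mapping_state(text):
    """Extract the fields that matter for health from one group-mapping block."""
    state = {"name": None, "bind_dn": None, "servers": [], "last_error": None, "groups": 0}
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("Group Mapping"):
            state["name"] = s.rsplit(":", 1)[1].strip()
        elif s.startswith("Bind DN"):
            state["bind_dn"] = s.split(":", 1)[1].strip()
        elif re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){3} \(\d+\)", s):
            host, port = s.split(" ")
            state["servers"].append((host, int(port.strip("()"))))
        elif s.startswith("Last LDAP error"):
            state["last_error"] = s.split(":", 1)[1].strip()
        elif s.startswith("Number of Groups"):
            state["groups"] = int(s.split(":", 1)[1])
    return state


def group_mapping_healthy(state):
    """Healthy means: no recorded LDAP error and at least one group pulled."""
    return state["last_error"] is None and state["groups"] > 0


BIND_RE = re.compile(r"ldap_sasl_bind result return\((\d+)\)\s*:\s*(.*)$")


def bind_failures(log_text):
    """Return (timestamp, code, code_name, message) for each failed bind in useridd.log."""
    out = []
    for line in log_text.splitlines():
        m = BIND_RE.search(line)
        if not m:
            continue
        code = int(m.group(1))
        if code == 0:
            continue
        ts = " ".join(line.split()[:3])  # "Dec 30 15:59:07"
        out.append((ts, code, LDAP_RESULT_CODES.get(code, "unknown"), m.group(2).strip()))
    return out


if __name__ == "__main__":
    for label, text in (("good", STATE_OK), ("bad", STATE_BAD)):
        st = parse_group_mapping_state(text)
        verdict = "healthy" if group_mapping_healthy(st) else f"UNHEALTHY: {st['last_error']}"
        print(label, st["name"], verdict)
    for ts, code, name, msg in bind_failures(USERIDD_LOG):
        print(f"{ts} bind failed code={code} ({name}): {msg}")
```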
View full article
nrice ‎09-15-2015 11:28 PM
37,266 Views
0 Replies
1 Like
Two licenses and two serial numbers are needed to support Panorama in HA.

Attempting to configure two Panorama HA VMs with the same serial number will result in a suspended state on both.

owner: rkim
View full article
panagent ‎09-02-2015 11:12 AM
2,199 Views
0 Replies
Symptom

Captive Portal is a component of User-ID and provides a means to authenticate users in order to map usernames to IP addresses. When Captive Portal is enabled on the Palo Alto Networks device, users without a user-to-IP mapping who try to access the internet are prompted to authenticate through Captive Portal in order to reach the site. If the user does not authenticate when prompted by Captive Portal, no HTTP data is sent to the client trying to access the site, and therefore the attempt to access the site is not logged on the Palo Alto Networks device.

Details

Since no data has been transferred after the TCP handshake has completed, the attempt to access the site by a user who does not authenticate is not logged on the Palo Alto Networks device. When a non-authenticated user tries to go to a web server, a SYN packet is passed from the client to the server through the firewall. The response, a SYN+ACK from the web server, is passed to the client through the firewall. The client then responds with an ACK to complete the handshake with the server. Once the TCP handshake is complete, the client sends an HTTP data packet with a GET request. The firewall takes the GET request and does not forward it to the server; instead, the firewall sends a response packet to the client asking the client to authenticate for Captive Portal.

The Palo Alto Networks firewall does not forward any data packets to the server. Captive Portal requires the TCP handshake to complete. Since no data traffic was allowed to flow from the client that did not authenticate to the web server, the session is not logged on the Palo Alto Networks device, which is the expected behavior.

owner: gcapuno
View full article
gcapuno ‎09-02-2015 08:22 AM
4,076 Views
0 Replies
1 Like
Steps

1. Go to Monitor > Custom Reports and click New.
2. Enter a Name for the report and configure the following values:
   Database: Threat Summary
   Time Frame: Last 24 Hrs
3. Select the columns to be displayed in the report, as needed.
4. Under Query Builder, configure the following query:
   "(threatid eq 36416) or (threatid eq 36418) or (threatid eq 40039)"

Note: In the last snapshot, the Time Frame has been changed to Last Calendar Day because Scheduled was enabled.

The following is a description of the three threat ID numbers:

36416: OpenSSL TLS Heartbeat Information Disclosure Vulnerability - Heartbleed
This signature analyzes the request and response lengths to look for abnormalities. It does require the server to be vulnerable, due to the data that this signature analyzes and compares. It is effective against a single "probe", meaning it does not need bulk requests to trigger.

40039: OpenSSL TLS Heartbeat Brute Force - Heartbleed
This signature triggers on a high rate of heartbeat requests. It does NOT require that the server be vulnerable, because it only looks at the client side; however, it does require multiple heartbeat requests indicative of a more "real world" attack, so a single "test probe" will not trigger the signature.

36418: OpenSSL TLS Malformed Heartbeat Response Found - Heartbleed
This signature triggers on a malformed server response. It does require the server to be vulnerable, due to the data that this signature analyzes and compares. It is effective against a single "probe", meaning it does not need bulk requests to trigger.

owner: jjosephs
View full article
jjosephs ‎09-02-2015 07:53 AM
3,161 Views
0 Replies
Symptom

On a Palo Alto Networks PA-5000 Series firewall, the system logs may show the following messages:

2012/11/30 19:21:41 info     general        general 0  New Disk Pair maint detected.
2012/11/30 19:21:41 info     general        general 0  New Disk Pair sysroot0 detected.
2012/11/30 19:21:41 info     general        general 0  New Disk Pair sysroot1 detected.
2012/11/30 19:21:41 info     general        general 0  New Disk Pair pancfg detected.
2012/11/30 19:21:41 info     general        general 0  New Disk Pair panrepo detected.
2012/11/30 19:21:41 info     general        general 0  New Disk Pair swap detected.
2012/11/30 19:21:41 info     general        general 0  New Disk Pair panlogs detected.
2012/11/30 19:21:41 medium   general        general 0  Disk Pair panlogs is degraded and missing a device.
2012/11/30 19:21:41 medium   general        general 0  Disk Pair swap is degraded and missing a device.
2012/11/30 19:21:41 medium   general        general 0  Disk Pair panrepo is degraded and missing a device.
2012/11/30 19:21:41 medium   general        general 0  Disk Pair pancfg is degraded and missing a device.
2012/11/30 19:21:41 medium   general        general 0  Disk Pair sysroot1 is degraded and missing a device.
2012/11/30 19:21:41 medium   general        general 0  Disk Pair sysroot0 is degraded and missing a device.
2012/11/30 19:21:41 medium   general        general 0  Disk Pair maint is degraded and missing a device.

Cause

By default, the PA-5000 Series firewalls expect two hard disk drives installed in a RAID configuration. If the unit has one hard disk, then the messages are normal and may be safely ignored. To confirm the disk status, enter the following CLI command:

> show system raid detail

owner: ukhapre
View full article
ukhapre ‎02-06-2013 05:05 PM
6,975 Views
1 Reply
Overview

The Palo Alto Networks firewall is configured to host a service. For this example, the firewall is configured to perform destination NAT towards a web server in the Trust network. A policy is now needed for protection against DoS attacks.

Steps

1. Create a custom DoS Protection Profile.
   Navigate to Objects > DoS Protection.
   Click Add.
   Configure the DoS Protection Profile (see example below).
2. Create a DoS Protection Policy using the profile created in step 1.
   Navigate to Policies > DoS Protection.
   Click Add to bring up a new DoS Rule dialog.
   Associate the DoS Protection profile created earlier.
   Set the action to Protect. The default action is Deny, which will deny all traffic matching this flow.

Note: The example above reflects lab environment values for the thresholds. When deploying the setup in production, the values need to be in accordance with the traffic that is expected to be handled by the network.

owner: sberti
View full article
sberti ‎01-29-2013 02:42 PM
31,620 Views
2 Replies
OSPF can be used for inter-VR routing provided a physical interface and cabling exist between the virtual routers. A physical interface and cabling are required because an OSPF neighbor relationship has to be point-to-point or broadcast; OSPF does not support reaching its neighbor via static routes. The alternative way to implement dynamic routing between virtual routers is BGP, which does not require any physical interface or cabling since BGP allows routing to its peer.

owner: mvenkatesan
View full article
mvenkatesan ‎10-30-2012 11:55 AM
4,270 Views
0 Replies
Symptoms

Xbox or PlayStation games and applications are not able to connect to Xbox Live/PlayStation Network due to strict NAT being detected.

Issue

When connecting to the Xbox Live service or PlayStation Network, the console establishes client connections to the service. When hosting some games, or using some applications, a connection from the Xbox Live service or PlayStation Network inbound to the console is required. If these inbound connections cannot be established, the console reports that strict NAT has been detected.

The consoles are compatible with UPnP devices to allow dynamic opening of TCP and UDP ports to forward traffic required for connectivity to the service. UPnP-enabled routers allow port forwarding to be configured on the device dynamically based on requests coming from internal devices. In a UPnP environment, the console requests that the appropriate ports be forwarded to allow the traffic.

Palo Alto Networks firewalls are not compatible with UPnP. Requests from a console via UPnP to open ports are ignored by the firewall. A 1-to-1 static NAT mapping must be created to forward the appropriate ports to the console from the Xbox Live service or PSN. Further information on how the Xbox 360 uses UPnP with NAT can be found here.

Resolution

Create a static NAT entry to forward all external traffic destined to a particular public IP to the private IP of the console. Each console behind the firewall requires a public IP and an appropriate NAT mapping. For information on how to configure a static 1-to-1 destination NAT policy or bi-directional NAT mapping, please refer to the Understanding PAN-OS NAT document.

owner: kfindlen
View full article
kfindlen ‎09-10-2012 12:55 PM
25,675 Views
20 Replies