Management Articles

Featured Article
Details

Commit warning message
The following warning displays during a commit if a block or allow list contains an entry using multiple wildcards:

Warning: Nested wildcard(*) in URLs may severely impact performance. It is recommended to use a single wildcard to cover multiple tokens or a caret(^) to target a single token.

Reason for the warning message
The asterisk (*) character is used as a wildcard token in the FQDN and path of custom URL filtering entries. The Palo Alto Networks firewall accepts multiple wildcard tokens in one entry (for example *.*.domain.com) and processes them correctly. However, as the number of wildcard tokens increases, the load on the dataplane CPU increases exponentially (for example *.*.*.domain.com, or even *.*.domain.com). Therefore, we recommend avoiding nested asterisks (*) in practical usage.

Wildcard usage and examples

"*" (asterisk): matches one or more subdomains.
The asterisk (*) wildcard does not respect the period (.) as a delimiter and keeps matching until a subdomain, domain or top-level domain is matched.
sub1.*.*.com matches sub1.sub2.sub3.com, and *.*.sub3.com matches sub1.sub2.sub3.com. However, this should be avoided as a best practice, because nested asterisks create a performance impact on the device.
Instead, as a best practice, use sub1.*.com or *.sub3.com. Both match sub1.sub2.sub3.com.

"^" (caret): matches exactly one subdomain.
The caret (^) wildcard does respect the period (.) as a delimiter and stops matching as soon as one label has been matched.
sub1.^.^.com and ^.^.sub3.com match sub1.sub2.sub3.com.
^.sub3.com and sub1.^.com do not match sub1.sub2.sub3.com, since "^" matches only one subdomain.

If you want to replace "*" with "^", several entries are needed, and x.*.net is still only partially covered by them:
x.^.net
x.^.^.net
x.^.^.^.net
(continued...)
Nested carets have a practical limit of 9 carets, for the same dataplane (DP) resource reason given above.

Same limitation for the path
The same limitation applies to pattern matching on the path after the FQDN (i.e. http://<FQDN>/<path>), although the commit warning above is not raised for the path. The practical limit for nested asterisks in the path is 2, but we highly recommend using the minimum number of asterisks for better DP utilization (CPU load / memory usage).

Side note: Currently there is a limitation that asterisk and caret should not be used in the same configuration. As mentioned above, an asterisk cannot be fully replaced by carets. Therefore, replacing nested asterisks with a single asterisk is considered the best solution for most customers in practice. "1" for nested asterisks in the path and "9" for nested carets are the practical numbers we suggest. Use the lowest number possible for better DP load, especially on lower-end platforms.
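The matching rules above are easy to get wrong when writing a block list by hand. The following Python script is an added example (not Palo Alto Networks code and not the firewall's matching engine): it implements the documented semantics of "*" (one or more labels, crossing periods) and "^" (exactly one label) so you can test an FQDN pattern against a hostname before committing it, and it lints a list of entries against the commit warning and the practical limits quoted in this article. The warning strings and the helper names are this example's own.

```python
import re

# Added example, not PAN-OS code: a matcher for the documented '*' and '^'
# semantics in custom URL category FQDN entries, plus a pre-commit linter.


def fqdn_pattern_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate an entry such as 'sub1.*.com' or '^.^.sub3.com' into a regex.

    '*' spans one or more labels and does NOT stop at a period;
    '^' matches exactly one label and stops at the next period.
    Any other token is matched literally (case-insensitively).
    """
    parts = []
    for token in pattern.split("."):
        if token == "*":
            parts.append(r"[^.]+(?:\.[^.]+)*")   # one or more labels
        elif token == "^":
            parts.append(r"[^.]+")              # exactly one label
        else:
            parts.append(re.escape(token))
    return re.compile(r"\A" + r"\.".join(parts) + r"\Z", re.IGNORECASE)


def fqdn_matches(pattern: str, fqdn: str) -> bool:
    """True when the FQDN entry 'pattern' would match 'fqdn'."""
    return fqdn_pattern_to_regex(pattern).match(fqdn) is not None


# Practical limits quoted in the article (the thresholds are the article's).
MAX_NESTED_ASTERISK_FQDN = 1
MAX_NESTED_CARET = 9
MAX_NESTED_ASTERISK_PATH = 2


def lint_url_entry(entry: str) -> list:
    """Return the warnings an administrator would want to see before commit."""
    host, _, path = entry.partition("/")
    warnings = []
    if host.count("*") > MAX_NESTED_ASTERISK_FQDN:
        warnings.append(f"{entry}: nested wildcard(*) in FQDN may severely impact performance")
    if host.count("^") > MAX_NESTED_CARET:
        warnings.append(f"{entry}: more than {MAX_NESTED_CARET} carets in FQDN")
    if path.count("*") > MAX_NESTED_ASTERISK_PATH:
        warnings.append(f"{entry}: more than {MAX_NESTED_ASTERISK_PATH} asterisks in path")
    if "*" in entry and "^" in entry:
        warnings.append(f"{entry}: asterisk and caret should not be mixed")
    return warnings


def lint_list(entries) -> dict:
    """Lint a whole block/allow list; returns {entry: [warnings]} for entries needing attention."""
    report = {}
    for entry in entries:
        problems = lint_url_entry(entry)
        if problems:
            report[entry] = problems
    return report


if __name__ == "__main__":
    target = "sub1.sub2.sub3.com"
    for p in ["sub1.*.*.com", "sub1.*.com", "^.sub3.com", "sub1.^.^.com"]:
        print(f"{p:14} matches {target}: {fqdn_matches(p, target)}")
    # Constructed sample list (not from a real configuration)
    for entry, problems in lint_list(["*.*.domain.com", "x.^.^.net/*.*.*", "*.domain.com/*"]).items():
        print(problems)
```

Run it with your candidate entries before a commit; anything reported by lint_list is an entry that will either raise the commit warning or exceed the practical limits described above.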
sunright 10-23-2018 12:32 PM
To check the severity of a file type supported in a File Blocking profile on the Palo Alto Networks firewall, run the following command in a CLI session:

show threat id <file type ID>

For example, to get the severity of the "zip" file type (threat ID 52004):

admin@PA-VM-Dragoslav-1> show threat id 52004

ZIP file upload or download has been detected. A ZIP file is a compressed archive. It can contain only one file or many files in multiple directories. ZIP utilities allow you to extract single files or a complete directory structure. This file detection might also include a JAVA JAR archive file, since the JAR file is based on the ZIP format with an optional manifest file.
low
file-blocking
http://www.pkware.com/index.php?option=com_content&task=view&id=64&Itemid=107

The output gives the description, the severity (low), the signature type (file-blocking) and a reference URL.
djoksimovic 08-28-2018 10:37 AM
How to allow access to YouTube videos embedded in a website but block access to other YouTube videos.    Our use case is an administrator of the Palo Alto Networks next-generation firewall who wants to enable students/employees to watch YouTube videos embedded in their website but block access to all other YouTube videos. Here's how we do it!
sshibiraj 07-13-2018 07:42 AM
Question
What is the maximum length of a Security Rule's Description field?

Answer
In PAN-OS 8.0 and older: the description field can be a maximum of 255 characters; the policy name is limited to 31 characters.
In PAN-OS 8.1: the policy name has been increased to 63 characters; the description field has not changed and is still limited to 255 characters.

owner: ukhapre
ukhapre 05-10-2018 08:25 AM
Updated May 2018 kiwi

Issue
Active Directory servers configured for Agentless User-ID frequently disconnect from the firewall. The connection status for those servers, under the Server Monitoring section for User Mapping, keeps flapping between connected and not connected. The User-ID logs show the following error for each configured AD server:

Error: pan_user_id_win_sess_query(pan_user_id_win.c:1241): session query for <server name>  failed: [wmi/wmic.c:216:main()] ERROR: Retrieve result data.

In the screenshot below, note the "not connected" status in Server Monitoring under Device > User Identification > User Mapping > Server Monitoring.

Cause
Agentless User-ID is configured to monitor user session information from the servers in the Server Monitoring list. The session query attempts from the firewall to those AD servers fail because of a permission problem: the domain account used to read the session information does not have the privilege to read user session information from the servers. The Server Operators and Domain Admins groups include the session query read permission.

As shown in the example below, go to Device > User Identification > User Mapping > Palo Alto Networks User-ID Agent Setup and open the settings to find the User Name that Agentless User-ID uses to connect to the AD server (172.30.30.15). The next screenshot shows, on the AD server (172.30.30.15), the group memberships of the user cr7.

Resolution
Option 1: Grant Server Operators or Domain Admins membership to the service account used under WMI Authentication. The example below shows adding Server Operators membership to the user cr7; afterwards, Agentless User-ID shows as connected to the AD server. Prefer Server Operators: it is sufficient for the session query, and Domain Admins grants far more privilege than this account needs. The account's credentials are stored on the firewall, so keep it a dedicated service account with only the rights listed here.

Option 2: If server session information is not being used, disable the server session read option so that the query is not attempted.

owner: knarra
knarra1 04-27-2018 08:52 AM
Details
This document is designed to help verify that the DNS Sinkhole function is working properly through a Palo Alto Networks firewall. The following 2 scenarios are covered: a client using an external DNS server, and a client using an internal DNS server.

DNS Sinkhole Configuration
For information on how to configure DNS Sinkhole, please see: How to Configure DNS Sinkhole
There is also a video tutorial: Video Tutorial: How to Configure DNS Sinkhole

Client Using External DNS Server
Note: The DNS Sinkhole IP must be reachable through the firewall from the client, so that the firewall sees (and logs) the client's connection attempts to it. For example, if the Palo Alto Networks firewall sits between an infected client and the data center but does not see the internet, and DNS Sinkhole is configured with an internet IP, the firewall never sees the infected client trying to reach its command-and-control server.

When DNS Sinkhole is configured on the firewall and the client uses an external DNS server (client and DNS server in different subnets), the DNS query from the client passes through the firewall on its way to the external DNS server. As expected, the threat logs show the client IP address as the source. In the example, the user tries to access a malicious website: the client sends the DNS query for the malicious hostname to the external DNS server, the firewall receives the query directly from the client, hijacks it and returns the DNS sinkhole IP address to the client, and the threat log shows the client IP address as the source.

Client TCP/IP Properties Configuration
The client is configured to use the external DNS server directly (195.130.131.4 in the nslookup output below).

Threat Logs
When an external DNS server is used, the threat logs show the client IP address 192.168.27.192 as the source trying to access a malicious website.

Client Output When Using External DNS Server
$ nslookup 79fe3m5f4nx8c1.pmr.cc
Server:        195.130.131.4
Address:    195.130.131.4#53

Non-authoritative answer:
Name:    79fe3m5f4nx8c1.pmr.cc
Address: 72.5.65.111

The output above shows host 192.168.27.192 performing a DNS request for 79fe3m5f4nx8c1.pmr.cc (a suspicious hostname) and receiving 72.5.65.111, the sinkhole IP, as the answer. This shows that DNS Sinkhole is working as desired.

Client Using Internal DNS Server
If a client uses an internal DNS server (client and DNS server in the same subnet), the DNS query from the client goes to the internal DNS server, which forwards it to an external DNS server. The threat logs then show the internal DNS server IP address as the source.

Currently, the firewall cannot identify from the threat logs which end client tried to access the malicious website, because every such threat log has the internal DNS server IP address as its source. However, the firewall can identify the end client with the help of the traffic logs.

Below is an example where the user tries to access a malicious website. The client sends the DNS query to the internal DNS server to resolve the malicious hostname; the internal DNS server forwards the query to an external DNS server; the firewall receives the DNS query from the internal DNS server, hijacks it, and returns the DNS sinkhole IP address to the internal DNS server.

The internal DNS server forwards the response to the client, and the threat log shows the internal DNS server IP address as the source. However, the firewall still sees the client IP address in the traffic logs, because the client then tries to reach the website at the DNS sinkhole IP address, as shown in the following screenshot.

Client TCP/IP Properties Configuration
The client is configured to use the internal DNS server (192.168.27.189 in the nslookup output below).

Threat Logs
In the threat logs, the firewall shows only the internal DNS server IP address 10.50.240.101 as the source, because the client is using the internal DNS server. From these logs alone the firewall cannot determine which end client tried to reach the website.

Traffic Logs
However, as soon as the client receives the sinkhole address from the DNS server, it generates traffic toward the sinkhole IP address (72.5.65.111). The firewall therefore shows the end client IP address 192.168.27.192 in the traffic logs, as shown below. In practice, filtering the traffic logs on destination address 72.5.65.111 is the quickest way to enumerate infected clients behind an internal resolver.

Client Output When Using Internal DNS Server
$ nslookup 4cdf1kuvlgl5zpb9.pmr.cc
Server:        192.168.27.189
Address:    192.168.27.189#53

Non-authoritative answer:
Name:    4cdf1kuvlgl5zpb9.pmr.cc
Address: 72.5.65.111

The output above shows host 192.168.27.192 performing a DNS request for 4cdf1kuvlgl5zpb9.pmr.cc (a suspicious hostname) and receiving 72.5.65.111 as the answer. This verifies that DNS Sinkhole is working as desired.

See Also
How to Deal with Conficker using DNS Sinkhole
Where to get suspicious DNS query for testing DNS Sinkhole

For video tutorials on DNS Sinkhole, please see:
Video Tutorial: How to Configure DNS Sinkhole
Video Tutorial: How to Verify DNS Sinkhole

owner: sbabu
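The two verification steps above (check that the client receives the sinkhole address, then pivot from the threat log to the traffic log to find the real client behind an internal resolver) can be scripted. The following Python is an added example, not part of this article and not Palo Alto Networks code: it parses nslookup output, checks the answer against the sinkhole IP, and correlates constructed CSV exports of a threat log and a traffic log. The log excerpts and their column names are constructed for the example; map them to the columns of your own exports.

```python
import csv
import io
import ipaddress
from collections import defaultdict

SINKHOLE_IP = "72.5.65.111"   # sinkhole address used in this article's examples

# Constructed sample exports (not real firewall logs): a threat log where an
# internal resolver (10.50.240.101) forwards client queries, and the traffic
# log from the same minute. Columns are reduced to what the correlation needs.
THREAT_LOG_CSV = """receive_time,src,dst,dport,threat,action
2018/04/03 12:26:05,10.50.240.101,195.130.131.4,53,Suspicious DNS Query,sinkhole
2018/04/03 12:26:09,10.50.240.101,195.130.131.4,53,Suspicious DNS Query,sinkhole
"""

TRAFFIC_LOG_CSV = """receive_time,src,dst,dport,app,action
2018/04/03 12:26:05,10.50.240.101,195.130.131.4,53,dns,allow
2018/04/03 12:26:06,192.168.27.192,72.5.65.111,80,web-browsing,allow
2018/04/03 12:26:10,192.168.27.55,72.5.65.111,443,ssl,allow
2018/04/03 12:26:12,192.168.27.192,72.5.65.111,443,ssl,allow
2018/04/03 12:27:00,192.168.27.77,93.184.216.34,443,ssl,allow
"""

# Same shape as the nslookup output shown in the article.
NSLOOKUP_OUTPUT = """Server:        192.168.27.189
Address:    192.168.27.189#53

Non-authoritative answer:
Name:    4cdf1kuvlgl5zpb9.pmr.cc
Address: 72.5.65.111
"""


def nslookup_answer(output: str):
    """Return the answer address from nslookup text, skipping the resolver's own address."""
    in_answer = False
    for line in output.splitlines():
        if line.startswith("Non-authoritative answer") or line.startswith("Name:"):
            in_answer = True
        if in_answer and line.startswith("Address:"):
            return line.split(":", 1)[1].strip().split("#")[0]
    return None


def sinkhole_effective(output: str, sinkhole_ip: str = SINKHOLE_IP) -> bool:
    """Client-side check: the resolved address is the configured sinkhole."""
    answer = nslookup_answer(output)
    return answer is not None and ipaddress.ip_address(answer) == ipaddress.ip_address(sinkhole_ip)


def threat_log_sources(threat_csv: str) -> set:
    """Sources of sinkhole threat logs. Behind an internal resolver this is the resolver, not the client."""
    return {row["src"] for row in csv.DictReader(io.StringIO(threat_csv)) if row["action"] == "sinkhole"}


def sinkholed_clients(traffic_csv: str, sinkhole_ip: str = SINKHOLE_IP) -> dict:
    """Map client IP -> sorted destination ports for every session sent to the sinkhole IP.

    This is the traffic-log pivot the article describes: the infected host reveals
    itself by connecting to the sinkhole address after the DNS answer is rewritten.
    """
    target = ipaddress.ip_address(sinkhole_ip)
    hits = defaultdict(set)
    for row in csv.DictReader(io.StringIO(traffic_csv)):
        if ipaddress.ip_address(row["dst"]) == target:
            hits[row["src"]].add(int(row["dport"]))
    return {src: sorted(ports) for src, ports in hits.items()}


if __name__ == "__main__":
    print("client sees sinkhole :", sinkhole_effective(NSLOOKUP_OUTPUT))
    print("threat log sources   :", threat_log_sources(THREAT_LOG_CSV))
    print("infected clients     :", sinkholed_clients(TRAFFIC_LOG_CSV))
```

With the constructed data the threat log names only the resolver, while the traffic pivot returns 192.168.27.192 and 192.168.27.55 as the hosts that actually followed the sinkholed answer, which is the list a responder needs.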
sbabu 04-03-2018 12:26 PM
Question: What Happens When Licenses Expire on the Palo Alto Networks Firewall?

Answer: The following occurs when a license expires on the firewall.

Support: Online software updates are no longer allowed.

Threat Prevention: Threat and Antivirus updates no longer occur. The current database continues to be used.

GlobalProtect Subscription: iOS and Android devices are no longer able to establish a VPN.

WildFire: You fall back to the 'free' version of WildFire, meaning: WildFire supports only uploading of Portable Executable (PE) files. The PE file type is a container that includes .exe, .dll, .scr and other extensions that match the PE header magic number. Signatures are not available through the licensed WildFire signature feed (every 5 minutes) but only through licensed Threat Prevention updates.

URL Filtering (BrightCloud): BrightCloud database updates no longer occur. To see the overall URL filtering action applied when the URL Filtering license expires, go to Objects > Security Profiles > URL Filtering in the WebGUI and click a profile name. There are 2 options: allow or block web traffic when the URL license expires. The action selected for Action On License Expiration is applied to all web traffic handled by the rule that uses the security profile: if the action is block, no web traffic is allowed by that rule; if the action is allow, the traffic is allowed.
(Screenshot: URL Filtering profile showing Action On License Expiration (BrightCloud))

URL Filtering (PAN-DB): Lookups to and updates from the PAN-DB cloud are blocked. The current database continues to be used for URL categorization, and the current URL Filtering security profiles apply the selected action for each category. If a URL entry exists in the cache, a lookup returns whatever category is in the cache. If the entry has expired or does not exist, the device cannot query the cloud for the latest information, and the URL is treated as uncategorized and allowed; in other words, category-based blocking is enforced only for URLs that were already cached. URLs in custom categories are still matched against the custom category. The PAN-DB URL Filtering security profile does not have an Action On License Expiration option.

When you get a New License
When a new license is obtained by the firewall (under Device > Licenses), it immediately resumes normal operation for that license.
Note: It is not necessary to perform a commit or reboot the firewall for the license to take effect.

owner: jjosephs
nrice 03-27-2018 01:33 AM
Details
If a URL has been miscategorized, a change request can be submitted as shown below.

From the device WebGUI, the URL Filtering log details contain a link to request a categorization change. From there, fill out the form with the suggested category, any applicable comments, and an email address for notifications.

The Palo Alto Networks URL filtering test site can also be used to test the categorization of a URL and to submit a change request if the URL is categorized incorrectly: http://urlfiltering.paloaltonetworks.com/

For customers with a large number of change requests, bulk submissions can be made through the Palo Alto Networks URL Filtering - Bulk Change Request.
Note: Please be sure to follow the instructions, as a strict file format must be followed for best results.
dyang 03-12-2018 11:56 PM
Details
A Certificate Signing Request (CSR) with a multi-level organizational unit can be generated from the CLI using the following command:

> request certificate generate

Here are the options (* are required):
+ ca                   Make this a signing certificate
+ country-code         Country code
+ days-till-expiry     Number of days till expiry
+ digest               Digest Algorithm
+ email                Email address of the contact person
+ filename             file name for the certificate
+ locality             Locality
+ ocsp-responder-url   ocsp-responder-url
+ organization         Organization
+ signed-by            signed-by
+ state                State/province
* algorithm            algorithm
* certificate-name     Name of the certificate object
* name                 IP or FQDN to appear on the certificate
> alt-email            Subject alternate Email type
> hostname             Subject alternate name DNS type
> ip                   Subject alternate name IP type
> organization-unit    Department

Note: in PAN-OS 8.0, the algorithm option is required to generate a CSR.

For example:

> request certificate generate organization-unit [OU1,OU2] signed-by external filename csr-site123 certificate-name site123 name site123.paloaltonetworks.com algorithm RSA rsa-nbits 1024

Successfully generated certificate and key pair : site123

The command above generates a CSR with the following attributes:
Certificate Name: site123
Organizational Units: OU1 and OU2
Common Name: site123.paloaltonetworks.com

Note: rsa-nbits 1024 is shown for illustration only. Public CAs do not accept RSA keys shorter than 2048 bits, so use rsa-nbits 2048 or larger for a CSR you intend to have signed.

In the WebGUI, under Device > Certificate Management > Certificates > Device Certificates, you will see the pending certificate. To save the CSR, click the certificate, then Export. You can check the subject and organizational units of the exported CSR with openssl req -noout -text -in <exported file>.

owner: jteetsel
jteetsel 12-27-2017 01:31 PM
Issue
Server Message Block (SMB) traffic is blocked and the Windows Explorer window hangs while accessing a shared folder.

Cause
This can happen when a File Blocking profile with a block action is attached to the Security Rule matched by that session.

Details
Under Security Policies > Actions, when a session passing through the Palo Alto Networks firewall matches a specific allow policy according to the defined criteria, the action defined in the policy is taken. In the example below, the matched Security Policy Rule is "allow_all", which has a File Blocking profile attached.

The File Blocking profile blocks all PE files (which includes .exe and .msi). Any file in that session that matches the blocked file type puts the whole session into the discard state, not just the transfer of that one file.

As soon as a user opens a shared folder that contains an .exe file, the session carrying that directory listing goes into the discard state and no other files can move between the machines over it.

> show session all filter destination 10.193.17.10

--------------------------------------------------------------------------------
ID          Application    State   Type Flag  Src[Sport]/Zone/Proto (translated IP[Port])
Vsys                                          Dst[Dport]/Zone (translated IP[Port])
--------------------------------------------------------------------------------
152568       ms-ds-smb      DISCARD FLOW  NS   192.168.8.136[49158]/Trust-L3/6  (10.193.17.8[32047])
vsys1                                          10.193.17.10[445]/Untrust-L3  (10.193.17.10[445])

In the following example, the session has been set to the discard state by the security policy check:

> show session id 152568

Session          152568

        c2s flow:
                source:      192.168.8.136 [Trust-L3]
                dst:         10.193.17.10
                proto:       6
                sport:       49158           dport:      445
                state:       INIT            type:       FLOW
                src user:    unknown
                dst user:    unknown

        s2c flow:
                source:      10.193.17.10 [Untrust-L3]
                dst:         10.193.17.8
                proto:       6
                sport:       445             dport:      32047
                state:       INIT            type:       FLOW
                src user:    unknown
                dst user:    unknown

        start time                    : Thu Apr 17 17:12:56 2014
        timeout                       : 90 sec
        total byte count(c2s)         : 44292
        total byte count(s2c)         : 50073
        layer7 packet count(c2s)      : 182
        layer7 packet count(s2c)      : 176
        vsys                          : vsys1
        application                   : ms-ds-smb
        rule                          : allow_all
        session to be logged at end   : True
        session in session ager       : False
        session synced from HA peer   : False
        address/port translation      : source + destination
        nat-rule                      : NAT_all_inside_to_out(vsys1)
        layer7 processing             : completed
        URL filtering enabled         : True
        URL category                  : any
        session via syn-cookies       : False
        session terminated on host    : False
        session traverses tunnel      : False
        captive portal session        : False
        ingress interface             : ethernet1/2
        egress interface              : ethernet1/1
        session QoS rule              : N/A (class 4)
        tracker stage firewall        : mitigation block cont url

As soon as the folder is opened, the SMB session goes into the discard state. If the same folder also contains .txt files and the user tries to copy them, the copy fails because the SMB session is already discarded. This happens even though there is no blocking rule for .txt files.

The user experiences this as Windows Explorer hanging and never returning results after the shared folder was opened.

As shown below, the global counters confirm this too:

> show counter global filter packet-filter yes delta yes

Global counters:
Elapsed time since last sampling: 58.678 seconds

name                                   value     rate severity  category  aspect    description
--------------------------------------------------------------------------------
pkt_recv                                1511       25 info      packet    pktproc   Packets received
pkt_sent                                 349        5 info      packet    pktproc   Packets transmitted
session_allocated                          2        0 info      session   resource  Sessions allocated
session_installed                          2        0 info      session   resource  Sessions installed
session_discard                            4        0 info      session   resource  Session set to discard by security policy check
flow_fwd_mtu_exceeded                     21        0 info      flow      forward   Packets lengths exceeded MTU
flow_ipfrag_frag                          42        0 info      flow      ipfrag    IP fragments transmitted
flow_host_pkt_xmt                       1248       21 info      flow      mgmt      Packets transmitted to control plane
flow_host_vardata_rate_limit_ok         1227       20 info      flow      mgmt      Host vardata not sent: rate limit ok
appid_ident_by_dport                       1        0 info      appid     pktproc   Application identified by L4 dport
appid_proc                                 2        0 info      appid     pktproc   The number of packets processed by Application identification
appid_use_dfa_1                            2        0 info      appid     pktproc   The number of packets using the second DFA table
appid_skip_terminal                        2        0 info      appid     pktproc   The dfa result is terminal
nat_dynamic_port_xlat                      2        0 info      nat       resource  The total number of dynamic_ip_port NAT translate called
dfa_sw                                   326        5 info      dfa       pktproc   The total number of dfa match using software
ctd_run_pattern_match_failure              2        0 info      ctd       pktproc   Run pattern match failure
aho_sw                                   507        8 info      aho       pktproc   The total usage of software for AHO
ctd_appid_reassign                         5        0 info      ctd       pktproc   appid was changed
ctd_pkt_slowpath                         318        5 info      ctd       pktproc   Packets processed by slowpath
ctd_detector_discard                       2        0 info      ctd       pktproc   session discarded by detector
log_pkt_diag_us                        23585      401 info      log       system    Time (us) spend on writing packet-diag logs
--------------------------------------------------------------------------------
Total counters shown: 21
--------------------------------------------------------------------------------

The counters to look at are session_discard (session set to discard by security policy check) and ctd_detector_discard (session discarded by the content detector): both increment while the share is being browsed.

Resolution
This is expected behavior because of the nature of SMB: one SMB session multiplexes every file operation to the share, so a block verdict on a single file discards the session that all the other files are using. If a Security Rule that covers SMB sessions has a File Blocking profile with a block action attached, do not mix files that are supposed to be blocked with files that must remain accessible on the same share, or attach the blocking profile only to rules that do not carry ms-ds-smb.

owner: ialeksov
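When triaging a "share hangs" report, the two pieces of evidence above (an SMB session in DISCARD state and non-zero discard counters) are what to extract from the CLI output. The following Python is an added example, not part of this article and not Palo Alto Networks code: it parses the session table and the global counter table in the formats shown above and returns the discarded sessions and the discard counters. The session table below is constructed from the article's record plus one healthy session added for contrast; the counter lines are a subset of the output shown above.

```python
import re

# Added example, not PAN-OS code: parse 'show session all' and
# 'show counter global' output for discard evidence.

# Constructed sample: the article's discarded SMB session plus one ACTIVE session.
SESSION_TABLE = """\
--------------------------------------------------------------------------------
ID          Application    State   Type Flag  Src[Sport]/Zone/Proto (translated IP[Port])
Vsys                                          Dst[Dport]/Zone (translated IP[Port])
--------------------------------------------------------------------------------
152568       ms-ds-smb      DISCARD FLOW  NS   192.168.8.136[49158]/Trust-L3/6  (10.193.17.8[32047])
vsys1                                          10.193.17.10[445]/Untrust-L3  (10.193.17.10[445])
152570       web-browsing   ACTIVE  FLOW  NS   192.168.8.140[50211]/Trust-L3/6  (10.193.17.8[32050])
vsys1                                          93.184.216.34[80]/Untrust-L3  (93.184.216.34[80])
"""

# Subset of the counter output shown in the article.
GLOBAL_COUNTERS = """\
name                                   value     rate severity  category  aspect    description
--------------------------------------------------------------------------------
pkt_recv                                1511       25 info      packet    pktproc   Packets received
session_allocated                          2        0 info      session   resource  Sessions allocated
session_installed                          2        0 info      session   resource  Sessions installed
session_discard                            4        0 info      session   resource  Session set to discard by security policy check
ctd_detector_discard                       2        0 info      ctd       pktproc   session discarded by detector
--------------------------------------------------------------------------------
"""

# First line of a session record: ID, app, state, type, flag, src[sport]/zone/proto ...
SESSION_RE = re.compile(
    r"^(?P<id>\d+)\s+(?P<app>\S+)\s+(?P<state>\S+)\s+(?P<type>\S+)\s+(?P<flag>\S+)\s+"
    r"(?P<src>[\d.]+)\[(?P<sport>\d+)\]/(?P<szone>[^/]+)/(?P<proto>\d+)"
)
# Second line of a record: vsys, dst[dport]/zone ...
DST_RE = re.compile(r"^(?P<vsys>\S+)\s+(?P<dst>[\d.]+)\[(?P<dport>\d+)\]/(?P<dzone>\S+)")
# One counter row: name value rate severity category aspect description
COUNTER_RE = re.compile(
    r"^(?P<name>\w+)\s+(?P<value>\d+)\s+(?P<rate>\d+)\s+(?P<severity>\w+)\s+"
    r"(?P<category>\w+)\s+(?P<aspect>\w+)\s+(?P<desc>.*)$"
)

DISCARD_COUNTERS = ("session_discard", "ctd_detector_discard")


def parse_sessions(text: str) -> list:
    """Return one dict per two-line session record."""
    sessions, current = [], None
    for line in text.splitlines():
        m = SESSION_RE.match(line)
        if m:
            current = m.groupdict()
            sessions.append(current)
            continue
        m = DST_RE.match(line)
        if m and current is not None:
            current.update(m.groupdict())
            current = None
    return sessions


def discarded_sessions(text: str, app: str = None) -> list:
    """Sessions in DISCARD state, optionally limited to one App-ID (e.g. 'ms-ds-smb')."""
    return [s for s in parse_sessions(text)
            if s["state"] == "DISCARD" and (app is None or s["app"] == app)]


def parse_counters(text: str) -> dict:
    """Map counter name -> value, skipping header and separator lines."""
    return {m["name"]: int(m["value"]) for m in map(COUNTER_RE.match, text.splitlines()) if m}


def discard_evidence(text: str) -> dict:
    """The discard-related counters that are non-zero in a delta sample."""
    counters = parse_counters(text)
    return {n: counters[n] for n in DISCARD_COUNTERS if counters.get(n, 0) > 0}


if __name__ == "__main__":
    for s in discarded_sessions(SESSION_TABLE, app="ms-ds-smb"):
        print(f"session {s['id']}: {s['src']}:{s['sport']} -> {s['dst']}:{s['dport']} is {s['state']}")
    print(discard_evidence(GLOBAL_COUNTERS))
```

Paste the real output of the two commands into the two constants (or read them from a file) and the script prints the SMB sessions that will make Explorer hang, together with the counters that confirm the block verdict came from the security policy check and the content detector.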
ialeksov 12-06-2017 08:24 AM
This article discusses how PAN-OS can leverage the SNI (Server Name Indication) field to create a custom application.

What is SNI (Server Name Indication)?
SNI is an extension to the SSL/TLS protocol that indicates which hostname the client is attempting to connect to. The client sends the requested hostname in cleartext inside the TLS handshake, as part of the Client Hello, which lets the server choose the most appropriate certificate to present to the browser.

When to use SNI to create custom applications
In cases where the SNI field is consistent, it can be reliably used to identify the application. A custom application can then be defined and used to control the SSL traffic without SSL decryption.

Example of creating a custom application
The following example shows how to create a custom application for YouTube where the SNI field is seen as www.youtube.com (as an example only).

Analyze the traffic for consistency of the SNI field in the Client Hello, then navigate to Objects > Application > Add.
1. Define the general properties of the application.
2. Define the port and protocol as TCP and 443 respectively, since SSL uses TCP port 443 for communication. Set the other timeout settings as required.
3. The last and most important part of the application definition is to select the context 'ssl-req-client-hello' and define the required pattern as seen in the Client Hello SNI field.

Note:
We recommend analyzing the traffic thoroughly before creating an application signature to ensure the reliability of the custom application. The same web service may use different SNIs on different occasions, so the signature must account for all of them. The SNI field carries the hostname the client is attempting to reach, so any change in what the client sends may cause the custom application to stop matching. Keep in mind that the SNI is set by the client and is not checked by the firewall against the certificate the server presents: a signature on SNI classifies what the client claims to be connecting to, which is adequate for application visibility and policy, but it is not a guarantee against a client that deliberately sends a misleading SNI.
syadav 11-29-2017 12:28 AM
The YouTube Safety Mode setting helps screen out potentially objectionable content on YouTube.

Safe Search Enforcement is an option that can be enabled in a URL Filtering profile. It prevents users who search the internet with one of the top three search providers (Google, Bing or Yahoo) from viewing search results unless the strict safe search option for that provider is set in the browser or user account. The option applies to YouTube in the same way it applies to the Google, Yahoo and Bing search providers.

Select the Safe Search Enforcement check box in the URL Filtering profile (under Objects > Security Profiles > URL Filtering), as shown below.

Safe Search is enforced whenever a user request matches a security policy rule that has the corresponding URL Filtering profile attached. Note that the firewall has to see the search URL and its parameters to enforce this; for HTTPS traffic to YouTube and the search providers, that means the sessions must be decrypted (SSL Forward Proxy) on the firewall.

Testing Safe Search Enforcement on YouTube
Open YouTube in a browser and search for adult content. The search itself succeeds: the site displays a list of adult videos with thumbnails, but opening a video fails. When the user tries to open the video, the firewall presents a block page asking the user to change the safe search settings, as shown below.

An end user can change the safety settings for YouTube at the bottom of the webpage, as shown below.

Now test YouTube again by searching for adult content. The results are mostly filtered for adult content. Some videos may still need to be filtered out; report such videos to YouTube to help make their filters accurate.

owner: ialeksov
ialeksov 11-15-2017 03:36 PM
Overview
Device Groups (DG) in Panorama are used to build configurations that are shared among the managed firewalls. Policy and address object configurations are pushed to the managed firewalls within Device Groups.

At times, the Panorama administrator may need to clone a device group and then edit the clone to customize it for a new set of managed firewalls. This task can be performed from the CLI using the method described below.

Important: This process requires an administrator account with 'superuser' privileges to run the command and issue a commit.

The command load config partial <attributes> merges the XML elements found at one XPath in a Panorama configuration file into another XPath of the candidate configuration.

Notes:
The devices from the original device group will be moved to the new device group. For example, 36-AP-500 is moved to DG_clone. Check the device membership of both groups before committing.
The new device group's Parent Device Group will be Shared. If it needs the same parent as the original, go to Panorama > Device Groups > DG_clone and change the Parent Device Group to the correct DG.

Details
First, the configuration must be present on Panorama. A configuration can be imported from the web interface or the CLI. The example below uses the predefined 'running-config.xml' file, which stores the current running configuration of the Panorama server; whenever a commit succeeds on Panorama, the configuration is saved to 'running-config.xml'.

Following is a snapshot of the Device Group DG_1 as seen from the web interface. DG_1 already exists in the Panorama running-config.xml file; this is the Device Group that will be cloned, and the new DG will be named DG_clone.

Run the following command in configuration mode to create DG_clone as a clone of DG_1:

# load config partial from running-config.xml from-xpath /config/devices/entry[@name='localhost.localdomain']/device-group/entry[@name='DG_1'] to-xpath /config/devices/entry[@name='localhost.localdomain']/device-group/entry[@name='DG_clone'] mode merge

Config loaded from running-config.xml

[edit]
#

The command above uses 'running-config.xml' as the source configuration and DG_clone as the name of the newly created clone. Enter the appropriate configuration file if different from 'running-config.xml'. The mode must be specified as 'merge' (as in the example above). Commit on Panorama to make the new device group active.

A new DG named DG_clone exists after the command is run. The following screenshot shows DG_clone in the list of Device Groups.

owner: kadak
kadak 11-15-2017 12:33 PM
Symptom
When service routes for DNS and NTP are set on different interfaces, the NTP service route is not honored when the NTP server and the DNS server are the same host, like the secondary DNS/NTP server in the following example.

Sample diagram and configuration:

 Pri NTP Srv -+
          .20 |                 +----------+
 (trust zone) |                 |          |      (untrust zone)
 +-+[Router]+-+---------+ (E1/2)+  PA-2020 +(E1/1)+------------+ Pri DNS Srv
 |  .1                .2        |          | .2                .20
 |   (172.16.100.0/24)          +----------+  (192.168.100.0/24)
 |
 +---- Sec DNS/NTP Srv
          .20
 (172.16.200.0/24)

Service routes:
For DNS, source address set as "192.168.100.2/24 (Eth1/1, untrust)"
For NTP, source address set as "172.16.100.2/24 (Eth1/2, trust)"

Primary DNS: 192.168.100.20 (untrust zone side)
Primary NTP: 172.16.100.20 (trust zone side)
Secondary DNS/NTP: 172.16.200.20 (trust zone side); the same host is used for the NTP and DNS service

Service route setting:
<route>
  <service>
    <entry name="ntp">
      <source-address>172.16.100.2/24</source-address>
    </entry>
    <entry name="dns">
      <source-address>192.168.100.2/24</source-address>
    </entry>
  </service>
</route>

As shown above, the Palo Alto Networks firewall is configured to use Eth1/1 (untrust) for DNS and Eth1/2 (trust) for NTP. However, the firewall uses Eth1/1 (untrust) for NTP traffic toward 172.16.200.20, and the packet can be dropped because no security policy allows NTP traffic sourced from the untrust zone.

> show ntp

NTP state:
    NTP synched to LOCAL
    NTP server 172.16.200.020 connected: False    << Not connected
    NTP server 172.16.100.20 connected: True

Cause
Under the current architecture, the Palo Alto Networks firewall initiates NTP transactions from the same interface as the DNS service route when the NTP and DNS server is the same host. When troubleshooting, compare the source interface and zone of the NTP session in the traffic logs against the configured service route, and check whether a security policy permits NTP from that zone.

owner: kkondo
kkondo 11-15-2017 12:28 PM
Overview

If you do not want to load your own certificate into the device or use the default self-signed certificate, a new self-signed certificate can be generated through the web interface or the CLI. This new self-signed certificate can be used for SSL Decryption or as a GlobalProtect portal or gateway certificate.

Steps

1. From the WebGUI, navigate to Device > Certificates.
2. Click Generate at the bottom of the screen.
3. Enter the desired details for the certificate. The details entered here are what users see if they view the CA certificate for an encrypted session in the browser.
   Note: If you would like the certificate to be valid for longer than 365 days (1 year), change the "Expiration (days)" value from 365 to a larger value before creating the certificate.
   (Screenshot: Generate a Self-Signed Certificate)
4. On the Generate Certificate window, click Generate.
   (Screenshot: Certificate successfully generated)
5. To verify that the certificate was created properly, click on the newly generated certificate.
   Note: If using this certificate for SSL Decryption, check "Forward Trust Certificate" and "Forward Untrust Certificate". To delete or remove the certificate later, uncheck both options first, otherwise an error is generated.
   (Screenshot: Enable Forward Trust and Untrust)
6. Commit the changes. When the commit operation completes, the self-signed CA certificate is installed.

CLI

From the CLI, to create a new self-signed certificate, run the following command (all on one line; PAN-OS 6.1 only):

    > request certificate self-signed country-code US email support@paloaltonetworks.com locality Alviso state CA organization "Palo Alto Networks" organization-unit "Session inspected by policy" nbits 1024 name "SSL Inspection" passphrase bubba for-use-by ssl-decryption

For PAN-OS 7.0 and later, a very simple self-signed certificate can be created with this command:

    > request certificate generate name "Firewall-a" certificate-name "ssl test"

You can always use <tab> or "?" in the CLI to see what the next commands can be.

For additional info on CLI commands, see this article: Get Started with the CLI

owner: jebel
PANW1337 11-15-2017 07:14 AM
Issue

After configuring SSL decryption, the commit fails after generating a certificate with the following error:

    Error:vys1 decryption: forward decrypt trust cert is not configured

Cause

The commit fails because SSL decryption requires a certificate for forward proxy.

Resolution

Create a self-generated certificate with 'Certificate Authority' checked. Once generated, open the certificate (Device tab > Certificate Management > Certificates) and check two options:
- Forward Trust Certificate
- Forward Untrust Certificate

After clicking OK, the certificate store should show the certificate with both options set, and the commit should now be successful.

owner: kadak
kadak 11-14-2017 06:16 AM
Overview

This document provides instructions on how to identify decryption failures due to an unsupported cipher suite.

Check the following compatibility matrix to confirm the currently supported cipher suites: Supported Cipher Suites

Issue

In this example, SSL proxy decryption fails because the server only supports Diffie-Hellman (DH) and Elliptic Curve Ephemeral Diffie-Hellman (ECDHE). Follow these steps to confirm the issue:

1. Run a packet capture from the Palo Alto Networks device (see How to Run a Packet Capture).
2. Examine the Client Hello packets sent by the client and the response packets sent by the server. Look for "Handshake Failure" in the server's response.
3. View the cipher suites supported by the client or the Palo Alto Networks device in the Client Hello packets.
4. Using the SSL scan tool https://www.ssllabs.com/ssltest/index.html, find out which cipher suites are supported by the server.

The scan output confirms that the issue is due to unsupported cipher suites: the suites the server accepts are not among those offered in the Client Hello.

Resolution

Create a No Decrypt policy:

1. Create a Custom URL Category for that site. Go to Objects > URL Category, click Add, name the Custom URL Category, click Add again, add the server's site, and commit.
2. Create a Decryption Policy with a No Decrypt action for that URL category. Go to Policies > Decryption, select the Decryption Rule, clone it, and move the cloned Decryption Policy above the original Decryption Policy.
3. Click on the cloned Decryption Policy > URL Category, click Add, add the custom URL category for the site, and commit.

owner: ssastera
ssastera 11-14-2017 06:11 AM
Symptoms

A rule is in place to prevent SSL decryption of a specific URL based on FQDN, but when accessing the website in question, SSL decryption still occurs.

Issue

In order to determine whether a connection needs to be decrypted or not, the firewall relies on the common name (CN) configured within the certificate and compares that to the security policy.

Resolution

To fix this issue, the website's certificate needs to be examined to find the common name. To find the common name:
1. Access the website with a browser.
2. Open the certificate details.
3. Look for the CN in the Subject section.

In cases where an FQDN is specified within the 'custom url category' and there is a CN mismatch, the intended categorization will fail because there is no exact match. To fix this, populate the object within the 'custom url category' with the URL contained in the CN. In order for an exact category match to occur, the security policy must be created to match the CN specified within the certificate as opposed to the FQDN used to access the site.

owner: bryan
bryan 11-10-2017 05:45 AM
In this article you will learn how to verify whether traffic is being offloaded and how to disable this feature.

When session traffic is processed by the dataplane of the Palo Alto Networks firewall, session stats and timers are updated for every packet.

Most of our high-end platforms have an FPGA chip that can entirely offload a session (CTS and STC flows) and bypass the cores completely.

Verification

You can verify whether a session has been offloaded with the following CLI command:

    > show session id <id_num>

Here is an example of an SSL session that is offloaded because it is not being decrypted. The firewall cannot do any content threat detection on it, so it is offloaded to hardware for faster processing:

    admin@PAN_firewall> show session id 96776

    Session           96776

            c2s flow:
                    source:      172.20.13.132 [L3-Trust]
                    dst:         50.17.226.145
                    proto:       6
                    sport:       61973           dport:      443
                    state:       ACTIVE          type:       FLOW
                    src user:    unknown
                    dst user:    unknown

            s2c flow:
                    source:      50.17.226.145 [L3-Untrust]
                    dst:         10.46.198.13
                    proto:       6
                    sport:       443             dport:      14690
                    state:       ACTIVE          type:       FLOW
                    src user:    unknown
                    dst user:    unknown

            start time                    : Thu Oct 12 09:30:35 2017
            timeout                       : 1800 sec
            time to live                  : 1799 sec
            total byte count(c2s)         : 54759
            total byte count(s2c)         : 134469
            layer7 packet count(c2s)      : 103
            layer7 packet count(s2c)      : 200
            vsys                          : vsys1
            application                   : ssl
            rule                          : Trust-Untrust
            session to be logged at end   : True
            session in session ager       : True
            session updated by HA peer    : False
            address/port translation      : source
            nat-rule                      : Trust-NAT(vsys1)
            layer7 processing             : completed
            URL filtering enabled         : True
            URL category                  : computer-and-internet-info
            session via syn-cookies       : False
            session terminated on host    : False
            session traverses tunnel      : False
            captive portal session        : False
            ingress interface             : ethernet1/6
            egress interface              : ethernet1/3
            session QoS rule              : N/A (class 4)
            tracker stage l7proc          : ctd decoder bypass
            end-reason                    : unknown

Note: In PAN-OS 7.1 and later, an offloaded session has a "tracker stage l7proc" value of "ctd decoder bypass".

All session statistics and timers are maintained in software, so the offload chip has to send regular updates to the software. These updates cannot be sent for every packet, due to performance concerns.

Offloading details - what happens inside

Depending on the platform model, different rules apply:

PA-3050 and 50xx series

The offload chip sends a per-flow stat message to the dataplane after 16 packets are received on one flow (CTS or STC). The dataplane software then updates session statistics and refreshes the timer accordingly.

Note: On PA-3050 and 50xx series devices, a low-traffic session can be aged out due to TTL expiration. This happens if the 16-packet condition has not been met before the end of the timer.

PA-70xx series

The PA-7000 series devices handle the updates differently. The chip sends the per-flow stat to the dataplane when one of the two following conditions occurs:
- One flow has accumulated 64 packets of stats
- A scan timer has expired for this particular flow

Software then updates session statistics and refreshes the timer accordingly.

Workaround

To avoid the offloading of sessions, there are several workarounds:

1. Turn off hardware offload temporarily with the CLI command (offloading resumes after a reboot):

       > configure
       # set session offload no

   or permanently (offloading stays disabled even after a reboot):

       > configure
       # set deviceconfig setting session offload no
       # commit

   Note: This approach can have a noticeable impact on the CPU.
2. Create a custom application and adjust the timeout value for the custom application to accommodate the worst-case scenario. The maximum accepted timeout value is 604800 seconds (1 week).
3. Tune the TCP keepalive timer and interval on the application servers.
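As an added example (not part of the article and not Palo Alto Networks code), the Python below parses the "show session id" output shown above, flags an offloaded session by its "tracker stage l7proc" value, and applies the article's PA-3050/50xx rule (a stat update only every 16 packets per flow) to estimate whether a slow flow could be aged out before the chip reports on it. The session sample is the article's own output; the packets-per-second argument and the constant-rate assumption are mine.

```python
import re
from typing import Dict

# "show session id" output from the article, in the layout the CLI prints
# (indented flow blocks, then aligned "<field>   : <value>" session fields).
SAMPLE_SESSION = """Session           96776

        c2s flow:
                source:      172.20.13.132 [L3-Trust]
                dst:         50.17.226.145
                proto:       6
                sport:       61973           dport:      443
                state:       ACTIVE          type:       FLOW

        s2c flow:
                source:      50.17.226.145 [L3-Untrust]
                dst:         10.46.198.13
                proto:       6
                sport:       443             dport:      14690
                state:       ACTIVE          type:       FLOW

        start time                    : Thu Oct 12 09:30:35 2017
        timeout                       : 1800 sec
        time to live                  : 1799 sec
        total byte count(c2s)         : 54759
        total byte count(s2c)         : 134469
        layer7 packet count(c2s)      : 103
        layer7 packet count(s2c)      : 200
        vsys                          : vsys1
        application                   : ssl
        rule                          : Trust-Untrust
        layer7 processing             : completed
        ingress interface             : ethernet1/6
        egress interface              : ethernet1/3
        tracker stage l7proc          : ctd decoder bypass
        end-reason                    : unknown
"""

# Session-level fields are printed as "<name>   : <value>". Flow fields use
# "name: value" with no space before the colon, so they deliberately do not match.
_FIELD_RE = re.compile(r"^\s*(.+?)\s+:\s+(.*?)\s*$")

# Value of "tracker stage l7proc" for an offloaded session on PAN-OS 7.1 and later.
OFFLOAD_MARKER = "ctd decoder bypass"


def parse_session_fields(output: str) -> Dict[str, str]:
    """Map every session-level field name to its value string."""
    fields: Dict[str, str] = {}
    for line in output.splitlines():
        m = _FIELD_RE.match(line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields


def is_offloaded(output: str) -> bool:
    """True when the session has been handed to the offload chip."""
    return parse_session_fields(output).get("tracker stage l7proc") == OFFLOAD_MARKER


def timeout_seconds(output: str) -> int:
    """Session timeout in seconds ("1800 sec" -> 1800)."""
    value = parse_session_fields(output).get("timeout", "0 sec")
    return int(value.split()[0])


def may_age_out_before_stat_update(output: str, packets_per_second: float,
                                   stat_threshold_packets: int = 16) -> bool:
    """PA-3050/50xx case from the article: the chip reports a flow's stats only
    every stat_threshold_packets packets, so an offloaded flow that sends fewer
    packets than that within one timeout window can be aged out while still
    alive. Assumes a constant packet rate (my simplification)."""
    if not is_offloaded(output):
        return False
    return packets_per_second * timeout_seconds(output) < stat_threshold_packets


if __name__ == "__main__":
    print("offloaded:", is_offloaded(SAMPLE_SESSION))
    print("at risk at 1 packet every 200 s:",
          may_age_out_before_stat_update(SAMPLE_SESSION, 1 / 200))
```

Feed it the output of "show session id" (or "show session all" parsed per session) to inventory which long-lived, low-rate sessions are offloaded before deciding whether the custom-application timeout or keepalive workaround is the better fit.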
panagent 11-04-2017 07:44 AM
Overview

The system log shows that the PAN-DB version is updated approximately every 5 minutes.

Details

Every 5 to 10 minutes a new version is published, which contains updated categorization data and an incremented version number. Each time the Palo Alto Networks firewall sends a request to the cloud, it checks the current version number. If it is different, it upgrades the device's version to the current cloud version.

The updates are this frequent primarily to leverage native integration with WildFire, which creates new signatures and records malicious URLs every 5 minutes.

owner: ashaikh
ashaikh 09-07-2017 06:06 AM
Overview

Prior to PAN-OS 5.0, in order to allow an application with dependencies, the security policy required all dependencies to be allowed as well.

Since PAN-OS 5.0, applications for some protocols can be allowed without the need to explicitly allow their dependencies. The Palo Alto Networks firewall is able to do this for some applications if it can identify the application within a pre-determined point in the live session. If the application is coded by the developer in a way that the Palo Alto Networks device cannot determine the application by the pre-determined point, then the application can be blocked by one of the security rules in the list. For these applications an explicit allow for the list of dependencies is needed.

For the purpose of explaining the process, the following terminology is usually applied:
- Enabler app: The App-ID that the session initially matches (e.g. web-browsing)
- Dependent app: The App-ID that the session later matches (e.g. facebook-base)

Note: Always check the dependencies for the applications if planning to allow them. Also, check the implicitly used applications for the dependent application, so that the correct policies can be constructed.

Details

For the above-mentioned applications that can be correctly identified at a pre-determined point in the live session, the firewall implicitly allows the enabler app. For this the firewall uses the "uses-apps" and "implicit-uses-apps" parts of the content update metadata for the given application. For applications that have a list of apps in "implicit-uses-apps", those applications will be implicitly allowed and no separate security rule is needed to allow them. For applications that do not have a list of apps in "implicit-uses-apps" but do have a list of apps in the "uses-apps" part of the application definition, there is a need to explicitly allow them (the enabler applications) so that the dependent application is allowed. This can be added in a separate security rule, or in the same rule that is allowing the dependent app.

The application definition can be checked to see if there is a need to explicitly allow the enabler applications. Run the following command from configuration mode:

    > configure
    Entering configuration mode
    [edit]
    # show predefined application <name-of-app>

Steps

As examples we will use the "facebook-base" and the "office-on-demand" applications.

Facebook-base

Application definition:

    # show predefined application facebook-base
    facebook-base {
      ottawa-name facebook;
      category collaboration;
      subcategory social-networking;
      technology browser-based;
      alg no;
      appident yes;
      virus-ident yes;
      vulnerability-ident yes;
      evasive-behavior no;
      consume-big-bandwidth no;
      used-by-malware yes;
      able-to-transfer-file yes;
      has-known-vulnerability yes;
      tunnel-other-application yes;
      prone-to-misuse no;
      pervasive-use yes;
      per-direction-regex no;
      deny-action drop-reset;
      run-decoder no;
      cachable no;
      references {
        Wikipedia {
          link http://en.wikipedia.org/wiki/Facebook;
        }
      }
      default {
        port tcp/80,443;
      }
      use-applications [ ssl web-browsing];
      tunnel-applications [ facebook-apps facebook-chat facebook-code facebook-file-sharing facebook-mail facebook-posting facebook-rooms facebook-social-plugin facebook-video facebook-voice instagram-base];
      implicit-use-applications [ ssl web-browsing];
      applicable-decoders http;
      risk 4;
      application-container facebook;
    }
    [edit]

To allow facebook-base, only the security policy that has the application facebook-base is needed. There is no need to allow ssl and web-browsing because they are implicitly allowed, based on the following part of the definition of the application:

    use-applications [ ssl web-browsing];
    implicit-use-applications [ ssl web-browsing];

For facebook-base there is only the allow-facebook security rule, which allows only facebook-base. There are no explicit rules to allow web-browsing and ssl. On the contrary, for the purpose of the test, a deny rule for web-browsing and ssl is used.

The logs show that facebook is allowed.

Office-on-demand

Application definition:

    # show predefined application office-on-demand
    office-on-demand {
      category business-systems;
      subcategory office-programs;
      technology browser-based;
      alg no;
      appident yes;
      virus-ident yes;
      spyware-ident yes;
      file-type-ident yes;
      vulnerability-ident yes;
      evasive-behavior no;
      consume-big-bandwidth yes;
      used-by-malware no;
      able-to-transfer-file yes;
      has-known-vulnerability yes;
      tunnel-other-application no;
      prone-to-misuse no;
      pervasive-use yes;
      per-direction-regex no;
      deny-action drop-reset;
      run-decoder no;
      cachable no;
      file-forward yes;
      is-saas yes;
      references {
        "Office on Demand" {
          link http://office.microsoft.com/en-us/support/use-office-on-any-pc-with-office-on-demand-HA102840202.aspx;
        }
      }
      default {
        port tcp/80;
      }
      use-applications [ ms-office365-base sharepoint-online ssl web-browsing];
      applicable-decoders http;
      risk 3;
      application-container ms-office365;
    }
    [edit]

For office-on-demand, "use-applications [ ms-office365-base sharepoint-online ssl web-browsing];" can be seen, and there is no implicit-use-applications list with the same applications. This means that all of the applications in the list need to be explicitly allowed, so that all the features of office-on-demand will work correctly.

The traffic can be seen as allowed for web-browsing and for office-on-demand. The application started as web-browsing and was correctly identified by the Palo Alto Networks DFA, and thus changed to "office-on-demand".

If web-browsing is denied in a security policy, the connections can be seen as not established, because the rule to allow the office-on-demand application will never be hit.

owner: ialeksov
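The two definitions above differ only in whether an implicit-use-applications list is present. As an added example that is not part of the article or of PAN-OS, the Python below parses the list-valued fields of a "show predefined application" definition and computes which enabler apps still need an explicit allow, generalising the article's present/absent rule to a per-app set difference (use-applications minus implicit-use-applications). The definitions are the article's own, abbreviated to the fields that matter; the rule sets passed to missing_enablers are constructed by me.

```python
import re
from typing import Dict, List, Set

# Application definitions as printed by "# show predefined application <name>"
# in the article above, cut down to the fields relevant here.
FACEBOOK_BASE = """facebook-base {
  category collaboration;
  default {
    port tcp/80,443;
  }
  use-applications [ ssl web-browsing];
  tunnel-applications [ facebook-apps facebook-chat facebook-video instagram-base];
  implicit-use-applications [ ssl web-browsing];
  application-container facebook;
}"""

OFFICE_ON_DEMAND = """office-on-demand {
  category business-systems;
  default {
    port tcp/80;
  }
  use-applications [ ms-office365-base sharepoint-online ssl web-browsing];
  applicable-decoders http;
  application-container ms-office365;
}"""

# Matches list-valued fields such as "use-applications [ ssl web-browsing];".
_LIST_RE = re.compile(r"^\s*([a-z0-9-]+)\s*\[\s*([^\]]*?)\s*\];", re.MULTILINE)


def parse_app_lists(definition: str) -> Dict[str, List[str]]:
    """Return every list-valued field of a definition as field -> list of App-IDs."""
    return {m.group(1): m.group(2).split() for m in _LIST_RE.finditer(definition)}


def explicit_allows_needed(definition: str) -> Set[str]:
    """Enabler apps that policy must allow explicitly for this dependent app.

    Apps in implicit-use-applications are allowed implicitly by the firewall;
    any use-applications entry not covered there needs its own allow rule
    (or a place in the same rule as the dependent app).
    """
    lists = parse_app_lists(definition)
    uses = set(lists.get("use-applications", []))
    implicit = set(lists.get("implicit-use-applications", []))
    return uses - implicit


def missing_enablers(definition: str, allowed_apps: Set[str]) -> Set[str]:
    """Enabler apps that the given set of allowed App-IDs does not cover."""
    return explicit_allows_needed(definition) - set(allowed_apps)


if __name__ == "__main__":
    for name, defn in (("facebook-base", FACEBOOK_BASE),
                       ("office-on-demand", OFFICE_ON_DEMAND)):
        needed = sorted(explicit_allows_needed(defn))
        print(f"{name}: explicit allow needed for {needed or 'nothing'}")
```

Paste the full output of "show predefined application <name>" into the parser before a policy change; the result is the list to check against the rule's Application tab. The check is only as good as the content version the definition came from, so rerun it after an Applications and Threats update.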
ialeksov 08-16-2017 12:24 PM
There is a limitation when using the Palo Alto Networks firewall configured with a File Blocking profile. The Palo Alto Networks firewall must identify a file in the first HTTP packet sent by the server in order to send a continue-block page to the client.

Even if the firewall delivers the block page later, the browser treats the response page as part of the file instead of interpreting it as a web page, and the download will not complete.

Cause

This limitation is caused by the way the HTTP protocol works. Simply put, if the file transfer does not start in the first HTTP packet from the server, the browser will not understand the continue page even if we send it, because it already expects the file. This limitation exists for all vendors, not only Palo Alto Networks, and there is no workaround on the firewall itself.

Workaround

The only way to work around this behavior is to change it on the web server side (configure the web server so that it starts sending the file in the first packet).

Example of the issue

In the example below, the server first sends the HTTP response packet (200 OK), then starts sending file data in a separate packet, even though the first HTTP packet is small and the file data could have been sent as part of that packet. In this case, we will not be able to inject the continue-block page.

(Packet capture: server sending the 200 OK response)
(Packet capture: file data transmission starts in the next packet)

Example fixed

In the example below, the continue-block page can be inserted because the server starts sending the file in the first HTTP packet:

(Packet capture: file data sent in the first HTTP packet)
ijukic 08-15-2017 11:49 AM
Issue

When the user commits templates from Panorama to the firewall, the following error is encountered:

    Template configuration administratively disabled

Cause

When managing a Palo Alto Networks firewall with Panorama, it is recommended to commit Panorama templates to the device first. This will ensure the existing Panorama policies will work on the newly upgraded firewall. If you receive the above message, templates have not been enabled yet.

Resolution

If the user receives this error, enter the Panorama WebGUI and enable Panorama templates:
1. Go to Device > Setup > Management > Panorama Settings.
2. Click the "Enable Device and Network Template" button and click OK. Then click OK on the confirmation window. No commit is needed.
3. From Panorama, commit templates to the firewall. Once this is complete, all of the templates will have been updated.
4. Proceed with the normal policy commit from Panorama.

From the CLI

Note: The Device and Network Template can also be enabled on the CLI:

    > set system setting template enable

owner: jdelio
08-08-2017 12:45 PM
This document describes how to use Anti-Spyware, Vulnerability Protection, and Antivirus exceptions to change actions for specific threats on Palo Alto Networks firewalls.

Anti-Spyware or Vulnerability Protection Exceptions

For example, to add an Anti-Spyware exception for threat ID #30003 to an existing profile named "Threat_exception_test_profile":

1. Go to Objects > Security Profiles > 'Anti-Spyware' or 'Vulnerability Protection'.
2. Select the existing profile and click the "Exceptions" tab.
3. First, check the "Show all signatures" checkbox at the lower left of the profile window.
4. In the search field, enter a string (ex. 'microsoft') or simply enter the threat ID number itself (ex. 30003). Press Enter or click the green arrow to initiate the search.
   Note: If the signature being searched for was just applied in the latest dynamic update and it is not being returned in the search results, log out of the Web UI and then log back in to clear the GUI cache.
   The results will return "Microsoft Windows DCOM RPC Interface Buffer Overrun Vulnerability" (which is threat ID #30003).
   Note: Threat IDs can be easily determined from the threat logs.
5. To enable this exception, check the 'Enable' box and change the default 'Action' value to handle the non-excluded traffic. To allow the traffic, select Allow; to drop the traffic, select Drop.
   (Screenshot: Threat Action detail - change default action)
6. Use the IP Address Exemptions column to add IP address filters to a threat exception. If IP addresses are added to a threat exception, the threat exception action for that signature will only be taken over the rule's action if the signature is triggered by a session having either the source or destination IP matching an IP in the exception. You can add up to 100 IP addresses per signature. With this option, you do not have to create a new policy rule and a new vulnerability profile to create an exception for a specific IP address.
   To exclude certain IP addresses, and not all traffic, click on the blank cell under "IP Address Exemptions", click Add at the bottom, and then add up to 100 IPs to the list.
   (Screenshot: IP Address Exemption detail)
7. Make sure that Anti-Spyware and/or Vulnerability Protection profiles are applied to the appropriate security policies.
8. Commit the changes to enable the exception.

Antivirus Exceptions

For example, to add an antivirus exception for threat ID #253879 to an existing profile named "AV_exception_test_profile":

Note: Be aware that if you exclude a virus from being checked, this is all or nothing; you cannot exclude just an IP from this protection, it would be excluded for all traffic allowed on that rule/antivirus policy.

1. Go to Objects > Security Profiles > Antivirus.
2. In the existing profile, click on the Virus Exception tab.
3. Enter the ID value (for this example, 253879) into the Threat Id field at the bottom of the page, and click Add.
   Note: The threat ID can be determined from the threat logs.
   For this example, an exception for "Win32/Virus.Generic.koszy" is created.
   (Screenshot: Antivirus - Virus Exception window detail)
4. Make sure that Antivirus profiles are applied to the appropriate security policies. There is no option to exclude just certain IP addresses with an Antivirus exception.
5. Commit the changes to make this take effect.

owner: kadak
kadak 07-14-2017 04:19 AM
Sometimes we need to know which security policies have a given security profile applied, log at session end or start, or are disabled.

To search security policies where:

- Antivirus profile AV1 is applied, use the following syntax:
      profile-setting/profiles/virus/member eq AV1
- URL filtering profile UF1 is applied, use the following syntax:
      profile-setting/profiles/url-filtering/member eq UF1
- Anti-Spyware profile AS1 is applied, use the following syntax:
      profile-setting/profiles/spyware/member eq "AS 1"
- Vulnerability profile VP1 is applied, use the following syntax:
      profile-setting/profiles/vulnerability/member eq VP1
- File blocking profile FB1 is applied, use the following syntax:
      profile-setting/profiles/file-blocking/member eq FB1
- Log at session start is selected, use the following syntax:
      log-start eq yes
- Log at session end is selected, use the following syntax:
      log-end eq yes
- A schedule profile is called, use the following syntax:
      schedule eq "Lunch time"
- The policy is disabled, use the following syntax:
      disabled eq yes
- A profile GROUP is applied, use the following syntax:
      profile-setting/group/member eq name-of-group
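The filter expressions above are evaluated by the firewall's web interface. As an added example that is not part of the article, the Python below applies the same "<path> eq <value>" syntax to an exported security rulebase offline, which is useful for auditing a large rulebase from a configuration backup (for instance, listing every rule with no antivirus profile group or with logging at session end turned off). The rulebase XML is a constructed sample, not from the page; its element layout mirrors the paths the filters use, and shlex handles the quoted values such as "Lunch time".

```python
import shlex
import xml.etree.ElementTree as ET
from typing import List, Tuple

# Constructed sample of an exported security rulebase (not from the article).
# The nesting matches the relative paths used by the filter syntax.
RULEBASE_XML = """<rulebase>
  <security>
    <rules>
      <entry name="allow-web">
        <profile-setting>
          <profiles>
            <virus><member>AV1</member></virus>
            <url-filtering><member>UF1</member></url-filtering>
            <spyware><member>AS 1</member></spyware>
          </profiles>
        </profile-setting>
        <log-end>yes</log-end>
      </entry>
      <entry name="old-rule">
        <disabled>yes</disabled>
        <log-start>yes</log-start>
        <log-end>yes</log-end>
      </entry>
      <entry name="lunch">
        <schedule>Lunch time</schedule>
        <profile-setting>
          <group><member>default-group</member></group>
        </profile-setting>
      </entry>
    </rules>
  </security>
</rulebase>"""


def parse_filter(expr: str) -> Tuple[str, str]:
    """Split '<path> eq <value>' into (path, value); a quoted value may contain spaces."""
    tokens = shlex.split(expr)
    if len(tokens) != 3 or tokens[1] != "eq":
        raise ValueError(f"expected '<path> eq <value>', got: {expr!r}")
    return tokens[0], tokens[2]


def rule_matches(entry: ET.Element, path: str, value: str) -> bool:
    """True if any element at the relative path under the rule has exactly this text.

    Multi-member fields (profile members) match when any member equals the value.
    """
    return any((node.text or "").strip() == value for node in entry.findall(path))


def search_rules(rulebase_xml: str, expr: str) -> List[str]:
    """Names of the security rules matching one filter expression, in rulebase order."""
    path, value = parse_filter(expr)
    root = ET.fromstring(rulebase_xml)
    return [entry.get("name") for entry in root.iterfind("security/rules/entry")
            if rule_matches(entry, path, value)]


if __name__ == "__main__":
    for expr in ("disabled eq yes", 'schedule eq "Lunch time"',
                 "profile-setting/profiles/virus/member eq AV1"):
        print(f"{expr}: {search_rules(RULEBASE_XML, expr)}")
```

To run it against a real device, export the running configuration and pass the text of the rulebase element (the XML under devices/entry/vsys/entry/rulebase) as rulebase_xml.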
pankaku 06-20-2017 01:12 AM
Follow the steps below to display the members of an address group through the REST API.

1. Generate the API key:

       https://x.x.x.x/api/?type=keygen&user=admin&password=admin

       <response status="success">
         <result>
           <key>LUFRPT14MW5xOEo1R09KVlBZNnpnemh0VHRBOWl6TGM9bXcwM3JHUGVhRlNiY0dCR0srNERUQT09</key>
         </result>
       </response>

2. Display the members of the address group:

       https://x.x.x.x/api/?type=config&action=get&xpath=/config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']/address-group/entry[@name='test']&key=LUFRPT14MW5xOEo1R09KVlBZNnpnemh0VHRBOWl6TGM9bXcwM3JHUGVhRlNiY0dCR0srNERUQT09

   Note: 'test' is the name of the address group.

       <response status="success" code="19">
         <result total-count="1" count="1">
           <entry name="test">
             <member>1.1.1.1</member>
             <member>2.2.2.2</member>
           </entry>
         </result>
       </response>

   Note: 1.1.1.1 and 2.2.2.2 are address object names.

owner: saryan
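As an added example that is not part of the article and not Palo Alto Networks code, the Python below builds the two requests shown above with properly escaped query parameters and parses their XML responses, checking the status attribute before trusting the payload. The two responses embedded are the article's own (including its example key); the host x.x.x.x, the address_group_xpath helper and the quoting guard on group names are mine.

```python
import xml.etree.ElementTree as ET
from typing import List
from urllib.parse import urlencode

# Responses exactly as shown in the article (the key is the article's example value).
KEYGEN_RESPONSE = """<response status="success">
  <result>
    <key>LUFRPT14MW5xOEo1R09KVlBZNnpnemh0VHRBOWl6TGM9bXcwM3JHUGVhRlNiY0dCR0srNERUQT09</key>
  </result>
</response>"""

GROUP_RESPONSE = """<response status="success" code="19">
  <result total-count="1" count="1">
    <entry name="test">
      <member>1.1.1.1</member>
      <member>2.2.2.2</member>
    </entry>
  </result>
</response>"""


def address_group_xpath(group: str, vsys: str = "vsys1") -> str:
    """Config xpath of an address group, matching the article's GET request."""
    if "'" in group or "'" in vsys:
        # The predicate uses single quotes; a name containing one would break it.
        raise ValueError("names containing a single quote are not supported here")
    return (f"/config/devices/entry[@name='localhost.localdomain']"
            f"/vsys/entry[@name='{vsys}']/address-group/entry[@name='{group}']")


def build_keygen_url(host: str, user: str, password: str) -> str:
    """type=keygen request; urlencode escapes reserved characters in the password."""
    return f"https://{host}/api/?" + urlencode(
        {"type": "keygen", "user": user, "password": password})


def build_get_url(host: str, xpath: str, key: str) -> str:
    """type=config&action=get request; '/', '[', '@' and quotes in the xpath are escaped."""
    query = urlencode({"type": "config", "action": "get", "xpath": xpath, "key": key})
    return f"https://{host}/api/?{query}"


def _root_if_success(response_xml: str) -> ET.Element:
    root = ET.fromstring(response_xml)
    if root.get("status") != "success":
        raise RuntimeError(f"API call failed: status={root.get('status')!r}")
    return root


def parse_api_key(response_xml: str) -> str:
    """Extract the key from a keygen response."""
    key = _root_if_success(response_xml).findtext("result/key")
    if not key:
        raise RuntimeError("keygen response carries no key")
    return key.strip()


def parse_group_members(response_xml: str) -> List[str]:
    """Member names of the address group in a config-get response."""
    root = _root_if_success(response_xml)
    return [m.text.strip() for m in root.iterfind("result/entry/member") if m.text]


if __name__ == "__main__":
    key = parse_api_key(KEYGEN_RESPONSE)
    print(build_get_url("x.x.x.x", address_group_xpath("test"), key))
    print(parse_group_members(GROUP_RESPONSE))
```

Because the password and the key travel in the query string, they land in browser history and in any proxy or web-server log on the path; give the API user a role limited to what the script needs and treat the key with the same care as the admin password.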
saryan 05-31-2017 01:35 AM
Panorama can only be configured for one of the URL databases (BrightCloud or PAN-DB). However, Panorama includes support for auto-migration of URL categories between non-matching vendors when pushing policies to managed devices.

When a mismatch is detected between the URL DB configured on Panorama and the URL DB configured on the managed device, the device can convert the URL profiles and categories to match its URL Filtering vendor. The conversion/migration takes into account that a single category can translate into multiple categories and vice versa. For the category mapping, see: BrightCloud to PAN-DB Category Mapping

owner: sjanita
panagent 05-10-2017 06:24 AM
Issue

When attempting to upgrade PAN-OS with an older Content Database version, an error is displayed. For example: "version 257 of the Content Database is required for the upgrade".

Note: This applies to any major platform upgrade. Check the error message for the required Content Database version in order to perform the upgrade.

Resolution

Upgrade the Content Database to the latest version, then perform the upgrade.

On the CLI:

    > request content upgrade download latest
    > request content upgrade install version latest

On the WebGUI:
1. Go to Device > Dynamic Updates.
2. Click 'Check Now'.
3. Reference the Applications and Threats section to install the latest Content Database version.

If the Content Database update fails due to this error: Content Filter Update Error "No matching apps package", run the following command through the CLI to upgrade the database:

    > request license fetch

owner: akawimandan
npare 05-10-2017 06:20 AM
Security Profile          Dynamic Updates Used               Purpose
Antivirus                 Antivirus                          Antivirus signatures
                          WildFire (public and private)      WildFire antivirus signatures
Anti-Spyware              Application & Threat               Anti-spyware signatures
                          Antivirus                          DNS signatures
                          WildFire (public and private)      WildFire DNS signatures
Vulnerability Protection  Application & Threat               Vulnerability signatures
URL Filtering             URL Filtering (BrightCloud only)   BrightCloud URL database updates
                          Application & Threat               New URL categories
                          WildFire (private)                 Malware URL category updates
File Blocking             Application & Threat               Configuration of new applications
WildFire Analysis         Application & Threat               Configuration of new applications
Data Filtering            Application & Threat               Configuration of new applications
DoS Protection            None                               None
nanderson 05-08-2017 05:18 AM
This article is out of date and no longer valid. A newer article exists here: How Does the Device Manage Offloaded Session?
sjamaluddin 03-22-2017 09:12 AM