Management Articles

Featured Article
Overview

PBF (Policy Based Forwarding) Monitoring or Tunnel Monitoring sustains uninterrupted connectivity through the configured PBF path or tunnel. To accomplish this, ping packets are sent to a configured remote IP to determine whether the path is still usable for the desired communication.

Details

For the monitoring to work properly, select a remote IP address that is reachable through the PBF path or the configured tunnel. This IP address can be any monitored IP address in the configured remote network, or the IP address:
- on the remote end of the tunnel, or
- of the next hop.

Note: The ping packets are sourced from the local tunnel interface (for tunnel monitoring) or from the interface configured as the egress interface (for PBF monitoring).

Generally, tunnel monitoring is used from a Palo Alto Networks firewall to another Palo Alto Networks firewall. If Palo Alto Networks tunnel monitoring is used towards a non-Palo Alto Networks firewall, additional requirements must be met for it to work with the tunnel monitoring configuration on the Palo Alto Networks firewall. Be sure the following are in place:
- A policy permitting pings from the Palo Alto Networks firewall tunnel's IP address to the other device.
- Configured proxy IDs for the monitored traffic on both devices: on the Palo Alto Networks firewall, the local ID is the tunnel's IP, and the remote IP is either the other device's tunnel IP address or the IP address of a node behind the other device (whichever is being monitored). The proxy IDs on the other device must be a mirror image of what has been specified on the Palo Alto Networks firewall.

If any monitored IP address on the remote network is used, the local tunnel/egress address does not need to be in the same subnet as the monitored address. Monitoring will still work as long as the monitored device is configured to respond to pings and is reachable through the tunnel or PBF.

Also see the article in which PBF monitoring through a tunnel does not work due to overlapping subnets: PBF Rule is not Working When PBF Monitoring is Enabled for the IP Across the Tunnel

owner: tasonibare
tasonibare 03-21-2016 07:23 AM
Issue

A Policy-Based Forwarding (PBF) rule is configured to forward the "SSL" and "web-browsing" applications to a specific destination, but the PBF rule is allowing some port 80 traffic to go out via the default route.

Cause

PBF does not work well with applications as match criteria, because PBF policy evaluation happens during the initial packets of the traffic, when the application is still unknown. It is advisable to use service as the match criterion if the application uses standard ports or the ports used are known.

The way PAN-OS adds application selection to PBF is through "App-ID caching". With App-ID caching, a PBF rule can reference an application. The first time that application passes through the firewall, the firewall does not yet know what the application is, and the PBF rule is not applied. However, as more packets arrive, PAN-OS determines the application and creates an entry in the App-ID cache. The next time a new session is created with the same source IP, destination IP and destination port, PAN-OS assumes it is the same application as the initial session (based on the App-ID cache) and applies the PBF rule.

Please read the following document for the caveats of this technique: Policy Based Forwarding

Moreover, many web-based applications run over port 80 or SSL. The Palo Alto Networks device identifies them as specific applications and may not classify them as "web-browsing" or "SSL". In this case, the PBF policy as defined will not be used.

Resolution

Create a PBF policy for application any, with the services set to http and https. This covers all applications that run over ports 80 and 443. Create another PBF rule for the applications SSL and web-browsing with the service set to any. This covers all other sites that run SSL or web browsing over non-standard ports.

owner: jteetsel
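The following model, added here as an illustration and not code from the article or from PAN-OS, simulates the App-ID caching behavior described in the Cause and the two-rule approach from the Resolution. Rule names, egress names, addresses and the App-ID identification step are constructed and simplified for the example.

```python
"""Model of PBF evaluation with an application versus a service as match
criterion, as an added illustration of the cause and resolution above.
Explanatory code, not PAN-OS; rule names, egress names and the App-ID
identification step are constructed and simplified for the example."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    src: str
    dst: str
    dport: int
    app: str  # what App-ID identifies once enough packets have been seen


@dataclass(frozen=True)
class PbfRule:
    name: str
    apps: frozenset      # {"any"} or a set of App-ID names
    services: frozenset  # {"any"} or a set of ("tcp", port) tuples
    egress: str


class PbfEngine:
    """Evaluates PBF on the first packet of each session, with an App-ID cache."""

    def __init__(self, rules, default_route="default-route"):
        self.rules = list(rules)
        self.default_route = default_route
        # App-ID cache keyed on (source IP, destination IP, destination port)
        self.app_cache = {}

    @staticmethod
    def _service_matches(rule, s):
        return "any" in rule.services or ("tcp", s.dport) in rule.services

    @staticmethod
    def _app_matches(rule, app):
        return "any" in rule.apps or app in rule.apps

    def forward(self, s):
        """Return the egress chosen for a new session, then update the cache."""
        key = (s.src, s.dst, s.dport)
        # On the first packet the app is unknown unless a previous session
        # with the same 3-tuple has already populated the cache.
        app_at_pbf_time = self.app_cache.get(key, "unknown")
        egress = self.default_route
        for rule in self.rules:
            if self._service_matches(rule, s) and self._app_matches(rule, app_at_pbf_time):
                egress = rule.egress
                break
        # App-ID completes later in the session; the result is cached so the
        # next session with the same 3-tuple is assumed to be the same app.
        self.app_cache[key] = s.app
        return egress


# The problematic rulebase: applications only, service any
APP_ONLY_RULES = [
    PbfRule("pbf-apps", frozenset({"ssl", "web-browsing"}), frozenset({"any"}), "isp-b"),
]

# The resolution: any app on http/https, plus ssl/web-browsing on any port
RESOLUTION_RULES = [
    PbfRule("pbf-http-https", frozenset({"any"}),
            frozenset({("tcp", 80), ("tcp", 443)}), "isp-b"),
    PbfRule("pbf-ssl-web-anyport", frozenset({"ssl", "web-browsing"}),
            frozenset({"any"}), "isp-b"),
]

# Constructed traffic: two web-browsing sessions from one host, then two
# sessions of a port-80 web application that App-ID classifies as its own app.
TRAFFIC = [
    Session("10.0.0.5", "203.0.113.10", 80, "web-browsing"),
    Session("10.0.0.5", "203.0.113.10", 80, "web-browsing"),
    Session("10.0.0.6", "203.0.113.20", 80, "example-webapp"),
    Session("10.0.0.6", "203.0.113.20", 80, "example-webapp"),
]


def run(rules):
    """Egress decision per session of TRAFFIC, in order."""
    fw = PbfEngine(rules)
    return [fw.forward(s) for s in TRAFFIC]


if __name__ == "__main__":
    # The first web-browsing session and both example-webapp sessions leak
    # out via the default route with the app-only rule; service rules fix it.
    print("application match only:", run(APP_ONLY_RULES))
    print("service-based rules:   ", run(RESOLUTION_RULES))
```

With the resolution rulebase, SSL on a non-standard port still depends on the cache: the first such session takes the default route and only the second is forwarded by the second rule, which is the caveat the linked document refers to.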
panagent 03-21-2016 07:18 AM
Details

It is possible to block traffic destined to or sourced from an entire country on the Palo Alto Networks firewall. This works because PAN-OS maps public IP addresses to regions by looking up an internal database. This information is updated weekly through content updates, and the firewall maintains it in its database.

Steps

1. Go to Policies > Security > Add, and in the Source or Destination field click Add. There are three options: address, address group and regions. As shown in the example, select Regions.
2. All the countries in the world are now listed with their corresponding region codes. Select the country to block; the example shows China (CN).
3. Users can also specify specific public IP addresses from the country by clicking the Add button.
4. The country now appears in the destination field. The final configured security policy looks like the screenshot shown below. The configuration blocks all traffic sourced from or destined to that country, depending on whether the region is used in the Source or the Destination of the policy.

Regions can also be created under Objects > Regions. New regions can also be created using the Geo Location feature, which is used in the creation of Traffic and Threat maps. This is done by specifying the exact coordinates of the region.

Note: Some regions, such as the EU region, do not fully contain all EU countries; these countries have to be added in conjunction with the region.

See Also: Region Object Not Working in Security Policy

owner: dantony
dantony 03-03-2016 04:31 AM
Symptoms

When testing multiple ISPs, single-ISP failover, or during a real-world ISP issue, all traffic works except SIP. SIP will not re-establish between the phone and the server.

Diagnosis

This issue is most likely caused by stale sessions due to the default timeout values for SIP traffic. When an ISP failover occurs, these SIP sessions stay alive for 1 hour (3600 seconds), and all SIP traffic is trapped by the stale session.

To verify, find a SIP session in the session browser and check the timeout value. It should show something like 3600.

Solution

Go to Objects > Applications > SIP. Under TCP Timeout (seconds), change the value from 3600 to 10. There is a lower bound: setting it to 3 results in a value of 30 seconds. Change the UDP timeout to 10 seconds as well.

This allows the session to time out in 10 seconds and connect through the new secondary ISP quickly. With the default timeouts, recovering from the ISP failover back to the primary ISP would stall in the same way; the shorter timeout lets the sessions time out so the primary ISP resumes control just as fast.

The phones also need their timeout values adjusted to ensure the heartbeat keeps the already established session going; otherwise new sessions will constantly be created and 10-second-old ones torn down. Clearing the SIP server traffic sessions will also resolve the issue.
cagnew 02-18-2016 02:02 PM
Issue

When GlobalProtect users log in from their clients using their username, the ip-user-mapping shows just the username instead of domain/username.

Resolution

Make sure that the authentication profile in use for GlobalProtect has the NetBIOS domain added in the domain field.

If you are running a version prior to PAN-OS 7.0, the domain configuration is located under the server profile used in the authentication profile. Go to Device > Server Profiles > LDAP/RADIUS/Kerberos.

When running PAN-OS 7.0 and above, the domain configuration is located under the authentication profile. Go to Device > Authentication Profile.

owner: sraghunandan
sraghunandan 02-17-2016 05:57 PM
Details

When configuring a security policy, it is not evident from the rulebase what will happen to traffic that does not match any rule. Furthermore, there is no way to alter the treatment of that traffic without creating an explicit rule. In many cases, users simply want to enable logging for this traffic. In some cases, they want to easily change the treatment of intrazone traffic. Without the feature described here, this requires configuring explicit rules for each zone.

In PAN-OS releases prior to 6.1 there is no "Rule Type" classification in the security policy. This feature was introduced in PAN-OS 6.1 and gives the option to create rules of type interzone, intrazone or universal. It helps administrators control which rules are created based on the zones in their network, which also comes in handy during an audit.

On PAN-OS 6.1 and above, the default security rules are appended to the end of the normal security rules, as shown below:
- A green cog image next to the "intrazone-default" rule name indicates the rule is from "predefined" or from "Panorama". A tool tip is available on the image.
- A double cog image next to the "interzone-default" rule name indicates the rule is in the current VSYS and is overriding the values of another rule from "predefined" or Panorama.
- The "intrazone-default" rule action is allow.
- The "interzone-default" rule action is deny.

The table below details the rule types and their descriptions:

Rule Type: Universal
Description: By default, all traffic between two zones, whether from the same zone or from different zones. This applies the rule to all matching interzone and intrazone traffic in the specified source and destination zones. For example, if creating a universal rule with source zones A and B and destination zones A and B, the rule would apply to all traffic within zone A, all traffic within zone B, all traffic from zone A to zone B and all traffic from zone B to zone A.

Rule Type: Intrazone
Description: A security policy applying to traffic within the same zone. This applies the rule to all matching traffic within the specified source zones (a destination zone cannot be specified for intrazone rules). For example, if setting the source zones to A and B, the rule would apply to all traffic within zone A and all traffic within zone B, but not to traffic between zones A and B.

Rule Type: Interzone
Description: A security policy applying to traffic between two different zones; traffic within the same zone is not matched by a rule of this type. This applies the rule to all matching traffic between the specified source and destination zones. For example, if setting the source zones to A, B and C and the destination zones to A and B, the rule would apply to traffic from zone A to zone B, from zone B to zone A, from zone C to zone A and from zone C to zone B, but not to traffic within zones A, B or C.

A user-defined security rule can be configured as "universal", "intrazone" or "interzone", as shown below.

When a rule is configured as "intrazone", the "destination zone" cannot be changed (it is greyed out). Its value comes from the "source zone".

The names and functions of the "predefined" or Panorama-pushed "intrazone-default" and "interzone-default" rules cannot be changed. This is indicated by a green border around the editor and the "Read Only" wording in the title. To make a change to the "predefined" or Panorama-pushed "intrazone-default" or "interzone-default" rules, the user must "override" these rules. The "intrazone-default" or "interzone-default" rule can be overridden if it has a green single cog image next to the rule name. The "override" action brings up a security rule editor that has only two tabs:
- On the "General" tab, only the "Tags" field can be modified.
- On the "Actions" tab, only the "Profile Setting" and "Log Setting" fields can be modified.

To get back to the "predefined" or Panorama-pushed value, the "revert" action can be performed.

On Panorama, the default rules are visible in a separate tree node, below the security pre- and post-rules. The green single cog image next to the name indicates the rule is from an "ancestor" device group, "shared", or "Predefined". The double cog image next to the name indicates the rule is "overriding" that of an "ancestor" device group rule, "shared" rule, or "predefined" rule. The user may "override" the "intrazone-default" or "interzone-default" rules as shown below.

Panorama

Both VM and M-100 Panorama support the new features. The new default rules appear below the post security rules.

Further details regarding Panorama:
- Default rules, when pushed to the device dataplane, take effect after any other device group or shared rules.
- Changes made to "interzone-default" or "intrazone-default" locally on the Palo Alto Networks device take precedence over any changes pushed from Panorama.

Panorama 6.1 and PAN-OS 5.x/6.0 device interaction:

When pushing security rules from a 6.1 Panorama to a pre-6.1 PAN-OS device, the expected behavior is:
- Predefined default rules are removed from the rulebase to be pushed.
- Rules with "intrazone" and "interzone" types are removed from the rulebase to be pushed.
- Rules with "universal" type are converted to pre-6.1 rules.
- Panorama presents a warning that not all rules were pushed to the pre-6.1 device(s):

admin@Panorama> show jobs id 25970

Enqueued            ID Type      Status    Result     Completed
--------------------------------------------------------------------------
2014/07/22 22:03:38 25970        CommitAll FIN        OK 100 %
Warnings: 001606007416 is below 6.1, removing intrazone and interzone rules
- 010401000006                   commit succeeded     OK 22:03:39 22:03:57
- 001606007416                   commit succeeded     OK 22:03:39 22:05:15

Upgrade/Downgrade:

Upgrades: If a rule already exists with the name "intrazone-default" or "interzone-default", that rule should be renamed to "custom-intrazone-default" or "custom-interzone-default". Note: When upgrading to PAN-OS 6.1, all existing rules in the security rulebase are converted to universal rules.

Downgrades: Remove the type node from all the universal rules. Delete all the intrazone and interzone rules.

See Also: PAN-OS 6.1 Administrator's Guide

owner: jdelio
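The zone-pair semantics in the table above, worked through in code. This is an added illustration, not code from the article or from PAN-OS; the zone letters follow the table's examples and the rule names are constructed.

```python
"""Zone-pair semantics of the PAN-OS 6.1 security rule types (universal,
intrazone, interzone) and the two predefined default rules, as an added
illustration of the table above. Explanatory code, not PAN-OS; zone and
rule names are constructed for the example."""
from dataclasses import dataclass
from itertools import product

RULE_TYPES = ("universal", "intrazone", "interzone")


@dataclass
class SecurityRule:
    name: str
    rule_type: str
    src_zones: frozenset
    dst_zones: frozenset = frozenset()
    action: str = "allow"

    def __post_init__(self):
        if self.rule_type not in RULE_TYPES:
            raise ValueError(f"unknown rule type {self.rule_type!r}")
        if self.rule_type == "intrazone":
            # The destination zone is greyed out for intrazone rules:
            # it is derived from the source zones.
            self.dst_zones = self.src_zones

    def matches(self, src, dst):
        """Does traffic from zone `src` to zone `dst` fall under this rule?"""
        if src not in self.src_zones or dst not in self.dst_zones:
            return False
        if self.rule_type == "intrazone":
            return src == dst
        if self.rule_type == "interzone":
            return src != dst
        return True  # universal covers both intra- and interzone traffic

    def zone_pairs(self):
        """Sorted list of (src, dst) zone pairs the rule applies to."""
        return sorted(p for p in product(self.src_zones, self.dst_zones)
                      if self.matches(*p))


def first_match(rulebase, src, dst):
    """Top-down evaluation with the predefined default rules at the end:
    intrazone-default allows, interzone-default denies."""
    for rule in rulebase:
        if rule.matches(src, dst):
            return rule.name, rule.action
    if src == dst:
        return "intrazone-default", "allow"
    return "interzone-default", "deny"


# The three examples given in the table above
UNIVERSAL_AB = SecurityRule("u-ab", "universal", frozenset("AB"), frozenset("AB"))
INTRAZONE_AB = SecurityRule("i-ab", "intrazone", frozenset("AB"))
INTERZONE_ABC_AB = SecurityRule("x-abc-ab", "interzone", frozenset("ABC"), frozenset("AB"))

if __name__ == "__main__":
    for r in (UNIVERSAL_AB, INTRAZONE_AB, INTERZONE_ABC_AB):
        print(r.rule_type, r.zone_pairs())
    # C -> C is not covered by the interzone rule and falls through to
    # intrazone-default (allow); A -> C falls through to interzone-default (deny).
    print(first_match([INTERZONE_ABC_AB], "C", "C"))
    print(first_match([INTERZONE_ABC_AB], "A", "C"))
```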
02-03-2016 03:00 PM
Symptoms

Even though the security policy is configured to block all TCP ports from the Untrust to the Trust zone, a port scan run from the Internet reports all TCP ports as open.

Diagnosis

The firewall is configured with a destination NAT and a security policy allowing only HTTP and HTTPS connections to an internal server from the Internet. However, when a port scan is done from the Internet, the port scan report shows all TCP ports as open.

These symptoms are triggered by the SYN Cookie feature configured in the zone protection profile for the untrust/external zone. When the firewall receives a SYN packet and the SYN Cookie feature is activated, the firewall sends a SYN-ACK and waits for an ACK from the client before processing the connection, which includes evaluating the security policy.

Please reference this document to learn more about the SYN Cookie feature in detail: https://live.paloaltonetworks.com/t5/Management-Articles/SYN-Cookie-Operation/ta-p/57117

Any TCP port scanning tool that determines the port status based on the TCP SYN-ACK packet will therefore show all TCP ports as open.

Solution

The above behavior is working as expected. To avoid it, you can do one of the following:
- Disable SYN flood protection.
- Change the action from SYN Cookie to Random Early Drop.
- Increase the activation threshold.

Follow the steps below to make these changes. Before making these changes, take network security into consideration.

From the GUI: Go to Network > Zone Protection Profile, select the appropriate Zone Protection Profile, then Flood Protection.

From the CLI:

To change from SYN Cookie to Random Early Drop:

> configure
# delete network profiles zone-protection-profile untrust-zone flood tcp-syn syn-cookies
# commit
# exit

To change the activation rate:

> configure
# set network profiles zone-protection-profile untrust-zone flood tcp-syn syn-cookies activate-rate "value"
# commit
# exit
rashobana 01-31-2016 03:47 PM
Issue

Unable to perform dynamic updates with only the "updates.paloaltonetworks.com" FQDN address object in the security rule.

Resolution

Make sure that both the "updates.paloaltonetworks.com" and the "downloads.paloaltonetworks.com" FQDN address objects are in the security rule.

The two hosts serve different functions:
- updates.paloaltonetworks.com allows software downloads and license retrieval.
- downloads.paloaltonetworks.com allows dynamic updates to be downloaded.

owner: bsyeda
bsyeda 01-18-2016 07:41 AM
Looking for X-Forwarded-For for User-ID? It is Here!
pbalasunda 01-18-2016 07:12 AM
Overview

The following table provides a list of valuable resources on configuring and troubleshooting App-ID (title, followed by resource type):

Configuration
- Not-applicable, incomplete, insufficient data in the application field (Document)
- Tips & Tricks: How to create an application override (Document)
- How to create an application filter to block high-risk applications (Document)
- How to check if an application needs explicitly-allowed dependency apps (Document)
- How to configure the 'sip-trunk' App-ID (Document)
- How to configure a custom App-ID (Video)
- App-IDs for SSL-Secured versions of well-known services (Document)
- How to request a new App-ID (Document)
- Demonstration of Google SafeSearch custom App-ID (Video)
- How to create an application override for FTP (Document)
- Tips & Tricks: What is application dependency? (Document)
- What is the APP-ID for Palo Alto Networks updates? (Document)

Troubleshooting
- How to validate and report application misidentification (Document)
- List of Applications Excluded from SSL Decryption (Document)
- How to clear cache for App-ID, Proxy certificates, URL, and user (Document)
- How Palo Alto Networks identifies HTTPS applications without decryption (Document)
- How to verify the application name change from Unknown-tcp/udp to actual App-ID (Document)
- Access to external web services required by dynamic updates and WildFire (Document)
- How much data is necessary to recognize an application (Document)
- Custom App without signature not matching security rule (Document)

Other Resources
- App-ID Admin Guide (Guide)
- Applipedia (Database)

Note: If you have a suggestion for an article, video or discussion not included in this list, please post a recommendation in the comments below and it will be added to the master list.

owner: ekampling
01-14-2016 07:11 AM
When configuring a Policy Based Forwarding (PBF) rule to forward all traffic sourced from one zone to the Internet through an ISP, the rule takes effect only for the workstations behind the Palo Alto Networks firewall and not for traffic sourced from the firewall itself.
dantony 01-13-2016 12:03 PM
Issue

In the GUI, under Monitor > Logs > Traffic, the rule shown for a session is incorrect. However, 'show session <session ID>' for the same session ID in the CLI shows the session matching the expected rule.

It appears that traffic is taking the wrong security policy, or that there is an inconsistency in how traffic is processed.

Cause

This is expected behavior. The firewall matches the first applicable security rule while it is still identifying the application and decoding the traffic. Once the application is identified, the correct rule is shown in the GUI after some time.

Resolution

Go to the security policy rule > Actions tab > Log Setting. Disable "Log at Session Start" (if enabled). Only enable "Log at Session End".
rchougale 12-18-2015 12:42 PM
Issue

The commit finished with an error: phase 2 commit failed: error pre-installing config failed to handle CONFIG_COMMIT error: response from cfgpush.s1.dp1.comm.cfg-dp: error pre-installing config.

The commit shows the job finished with status OK:

Enqueued            ID  Type   Status Result Completed
--------------------------------------------------------------------------
2015/02/05 18:13:53 750 Commit FIN    OK     18:14:11
Warnings:Error: Error pre-installing config failed to handle CONFIG_COMMIT (Module: device)

The dataplane did not accept the configuration changes. The following logs can be seen in the device server logs:

Mar 01 03:14:26 Error: pan_address_parse_address(pan_address.c:128): pan_prefix_compare(): from_addr is larger than to_addr
Mar 01 03:14:26 Error: pan_region_from_region_entries(pan_region.c:197): pan_address_parse_address failed

Resolution

The issue is the number of PBF rules with "symmetric return" configured. The limit varies per platform and can be read from the system state:

admin@IlijaFW-2> show system state | match cfg.general.max-return-address
cfg.general.max-return-address: 0x30

In this case, on the PA-5020, it is 0x30 in hex, which is 48 in decimal. If more than 48 PBF rules have symmetric return configured, this causes the behavior described above.

Lowering the number of PBF rules with symmetric return below the hard-coded limit resolves the issue.
ialeksov 12-14-2015 09:12 AM
The application column shows not-applicable if the traffic matches an allowing or blocking security rule via a service filter rather than an application filter.

Details

Traffic is matched against the security rules from left to right and top to bottom. If traffic hits a security rule that is set to "deny" based on any parameter evaluated before the application, the traffic log shows the application as not-applicable. This occurs because the traffic was dropped or denied before the application match could be performed.

Example Security Policy

Traffic Log

Log details appear when you click the icon in a row of the traffic log. The log details above show the byte and packet counts as zero, since no traffic was allowed, which is why the application is identified as not-applicable.

owner: mbutt
nrice 12-03-2015 03:47 PM
When the Palo Alto Networks device is configured to decrypt SSL traffic going to external sites, it functions as a forward proxy. In this scenario the Palo Alto Networks device intercepts the client's SSL request and generates a certificate on the fly for the site the client is visiting. The resulting secure connection is between the client's computer and the firewall.

To complete the process, the Palo Alto Networks device then initiates another secure channel to the actual server. This process is referred to as a "man in the middle", with the Palo Alto Networks device sitting in the middle of the two secure connections.

There are a few key points to be aware of when implementing the SSL forward proxy:
- The validity dates on the certificate generated by the Palo Alto Networks firewall are taken from the validity dates of the real server certificate.
- The issuing authority of the Palo Alto Networks generated certificate is the Palo Alto Networks device. If the device certificate is not part of an existing hierarchy or is not added to the client's browser certificate store, the client receives a warning message when browsing to the secure site.
- If the actual certificate was issued by an authority not trusted by the Palo Alto Networks firewall, the decryption certificate is issued using a second, untrusted CA key. This ensures that the user is still warned if a further man-in-the-middle attack is occurring between the firewall and the server.

owner: swhyte
swhyte 12-03-2015 03:44 PM
PAN-OS offers granular control of selected applications, such as Facebook or WebEx.

In Policies, 'Application Containers' can be used. These containers are just 'containers' and not an 'application' in themselves. There is no reference in the logs or reports directly referring to Application Containers, because there is no App-ID for 'facebook'.

Here is an example extracted from https://applipedia.paloaltonetworks.com for the Application Container 'facebook'.

Application Containers can be thought of as pre-defined 'Application Groups', while 'Application Groups' can be thought of as 'custom Application Containers'.

Sub-Applications are the applications themselves. If an application is part of an Application Container, it has a small gear icon in the WebUI. Application Container Sub-Applications, or 'Members', can be listed easily from the WebUI in the Policy view.

Each Sub-Application can have its own 'Dependencies' or 'Implicit Applications'.

For further details on 'Dependencies' and 'Implicit Applications', please refer to How to Check if an Application Needs to have Explicitly Allowed Dependency Apps.

owner: mivaldi
mivaldi 11-17-2015 09:48 AM
Issue

Google Drive, drive.google.com, falls into the "online-personal-storage" URL category. However, when the "online-personal-storage" category is configured with the "block" action (as shown below) and SSL decryption is enabled, drive.google.com is still accessible.

Cause

Google Drive (drive.google.com) works over SSL, and SSL decryption is required to detect its contents. When SSL decryption is enabled, URL filtering looks at the CN in the certificate to determine the category. However, drive.google.com uses the wildcard certificate *.google.com and is therefore not detected as "online-personal-storage". Due to this, the Google Drive traffic is allowed.

Resolution

To block drive.google.com: in the WebGUI, go to Policies > Security and create a policy which blocks the application "google-drive-web". See the example below. In the above policy:
- The first rule blocks the google-drive-web application.
- The second rule allows the rest of the traffic.

Note: SSL decryption is necessary in order to identify the correct App-ID "google-drive-web".

See Also: Which App IDs Require Decryption?
hshah 10-30-2015 02:08 PM
Overview

This article discusses Apple FaceTime calls not working due to failing STUN (Session Traversal Utilities for NAT) requests when the connection traverses the firewall. This behavior can be seen intermittently. FaceTime calls can be initiated or received on Apple devices such as iPhone, Mac, iPad and so on. The emphasis of this article is on the failure of STUN requests, which are dropped by the firewall due to misconfiguration.

Details

In simple terms, STUN is a protocol used to enable a device running behind a NAT device to discover its public IP and port. This protocol is widely used in VoIP communications to mitigate issues arising from NAT implemented by firewalls and routers.

The standard and widely used port for STUN is 3478/UDP. Apple's implementation of STUN uses UDP port 3478 along with other non-standard ports (3478 through 3497/UDP). So an Apple STUN client, such as an iPhone, Mac or iPad, can send a STUN allocate request on any of the ports mentioned above, and the STUN server will reply.

Note: Please refer to Apple technical documentation for any changes in the ports used for STUN.

Issue

FaceTime calls do not connect, or connect only intermittently, with failing STUN requests.

When configuring security policies to allow the application facetime, the following applications must also be allowed due to FaceTime's dependency on them: ichat-av, sip, ssl, stun, web-browsing

A common approach is to allow all the above applications with the service set to application-default. This is where the problem arises, with STUN allocate requests failing. There are a few scenarios to consider:
- STUN requests are sent on port 3478: works without any issues, since the application-default behavior allows traffic on port 3478.
- STUN requests are sent on any of the ports 3479 through 3497: fails, since the firewall restricts the application stun to port 3478 and STUN traffic on any other port is not allowed.
- STUN requests are sometimes sent on 3478 and sometimes on 3479 through 3497: fails intermittently.

Solution

There are two solutions that can mitigate the problem of STUN requests being dropped due to use of the service application-default:
1. Create a separate policy for the application stun with a custom service that includes all the required ports, such as UDP 3479 through 3497. In the following example, a custom service, STUN_Custom_Service, is configured and added to the security policy. Configure the custom service, then add the custom service to the policy.
2. Create a policy to allow the application stun with the service set to any, allowing STUN to use any L4 port. This alternative is less secure, as it opens all ports for STUN.

Note: The above discussion is valid for Apple's STUN implementation. Please refer to Apple technical documentation for any changes in the ports used for STUN.
syadav 10-30-2015 12:58 PM
Palo Alto AD Integration

The Palo Alto Networks firewall can be integrated with Microsoft's Windows Active Directory through LDAP. The new version of PAN-OS allows agentless authentication with an Active Directory Domain Controller; however, the WMI (Windows Management Instrumentation) settings on the AD Domain Controller must be modified, and you must be a Domain Admin to do so.

Prerequisites

Before you integrate a Palo Alto Networks device with AD, you must create a user account in AD that you'll use to access LDAP. At a minimum, this account must be a member of the built-in Server Operators group in AD. For security reasons, and to comply with best practices, you should adhere to the minimum access rights for this account. For this demonstration, we created a user, paloaltoladap@paynetonline.com, in AD with an appropriate password, and added this account to the Server Operators group.

Definitions

Windows Management Instrumentation (WMI) is the Microsoft implementation of Web-Based Enterprise Management (WBEM), an industry initiative to develop a standard technology for accessing management information in an enterprise environment. WMI uses the Common Information Model (CIM) industry standard to represent systems, applications, networks, devices and other managed components. CIM is developed and maintained by the Distributed Management Task Force (DMTF).

Obtaining management data from remote computers is what makes WMI useful. Remote WMI connections are made through DCOM. An alternative is Windows Remote Management (WinRM), which obtains remote WMI management data using the WS-Management SOAP-based protocol. Management applications or scripts can get data or perform operations through WMI in a variety of languages.

Common Information Model version 2 is an open standard that defines how managed elements in an IT environment are represented as a common set of objects and the relationships between them. The Distributed Management Task Force maintains CIM to allow consistent management of these managed elements, independent of their manufacturer or provider.

One way to describe CIM is to say that it allows multiple parties to exchange management information about managed elements. However, this description falls short, because CIM not only represents these managed elements and the management information, but also provides the means to actively control and manage these elements. By using a common model of information, management software can be written once and then work with many implementations of the common model, without complex and costly conversion operations or loss of information.

The Palo Alto Networks operating system is based on the Unix platform, an open standard that anyone can modify, but the industry has also agreed on some standards to ensure that devices can talk to each other. This is why you need to make small changes to WMI on the Domain Controller for the agentless integration with AD.

Modifying WMI

After you log in to the Domain Controller as a Domain Admin, launch the WMI console by entering wmimgmt.msc in the Start > Run menu. The following GUI displays.

Highlight WMI Control (Local), open its properties and click the Security tab to access the root of CIMV2.

Double-click Root to expand it and navigate to CIMV2. Expand it to get to the Security folder, where you add the paloaltoladap@paynetonline.com user account.

Grant the Enable Account and Remote Enable permissions to the paloaltoladap@paynetonline.com account.

Save all the changes, and you're ready to configure the Palo Alto Networks integration with AD.

Overview of the Palo Alto Networks WebGUI

The web-based GUI is user friendly, but some functions are unique to Palo Alto Networks. Gear boxes allow users to access additional configuration options. Locate the Add button at the bottom of the GUI.

Changes to the configuration file do not take effect until you Commit the changes. Saving changes does not commit them. The GUI has three options in the upper right corner: Commit, Lock and Save.
- Commit is grayed out if there are no changes to the config file; if there are changes, the option is light blue.
- Lock prevents any changes to the config file.
- Save allows changes to be saved without committing them.

Config changes do not require a reboot.

The main GUI is divided into two sections: tabs on the top, and the left pane with configuration settings for each option defined in the tabs. Subtabs allow configuring additional options.

To integrate with Windows AD, you must enter the IP addresses of the Windows DNS servers and the NTP server. After you log in to the Palo Alto Networks device, click the Device tab and then Setup in the left pane. From the subtab menu, click the Services tab, then the gear box in the corner, as shown in the following example. Under Services, add IP addresses for the Primary and Secondary DNS servers. Under NTP, add the IP address for the NTP server.

After you configure the DNS settings, familiarize yourself with the following options in the left pane: Administrators, User Identification, Server Profiles > LDAP, and Authentication Profile.

It's a good idea to follow a specific sequence when configuring integration with AD to eliminate errors. We recommend starting with the LDAP configuration. Expand the Server Profiles section and navigate to LDAP. In the lower left corner of the GUI, click the Add button to add an LDAP Server Profile.

The LDAP Server Profile displays, allowing you to configure authentication with the LDAP server. Because you can have more than one LDAP Server Profile, it's important to give each one a logical name.

Have the following information ready before proceeding with the configuration:
- LDAP server name
- LDAP server IP address
- LDAP port number
- User account and the password that you used in the WMI configuration
- Base pointers

Because there are multiple implementations of LDAP and Palo Alto Networks supports SSL to authenticate with LDAP, the LDAP type is set to other and the SSL option is checked.

You must name the LDAP Server Profile or you'll be unable to save the configuration. Select a clear and logical name, since you may have multiple LDAP Server Profiles. This name can also follow company naming standards. A clear and understandable naming scheme is extremely helpful when troubleshooting.

The LDAP Servers configuration box is divided into columns and rows. Each row has cells that must be populated with the appropriate values. To populate a cell, click it until it turns yellow and the cursor starts blinking. After you fill in the cell, tab to the next one.

For the type of the LDAP server, select active-directory from the drop-down menu.

The Base can be entered manually, or it will populate after you enter the Bind DN login ID and the password. If you don't have SSL configured to connect to LDAP, uncheck SSL or you won't be able to connect to the LDAP server.

After you click OK, commit the change to the running config. Now you are ready to establish the WMI connection with the Windows Domain Servers.

Click User Identification in the left pane, then the User Mapping tab, then the gear box to enter the same credentials you used to configure the WMI settings on the Domain Controller; in this case, the credentials are paloaltoldap. Specify the domain where the user account resides; in this case, it is paynetonline\paloaltoldap.

Complete all the steps, then add your Windows Domain Controllers by clicking Discover in the Server Monitoring section. The Domain Controllers self-populate with a status of Connected.
This is indicates that you have successfully established connection with the Windows AD LDAP.  A status of Disconnected (Red) means a mistake in the configuration, most likely, an authentication issue.  Verify WMI configuration and account credentials.      The next step is to create the Authentication Profile. There could be several authentication profiles; therefore, it is important to logically name them. Click Authentication Profile in the left pane, then click Add.     It's important to use a clear and logical name for Authentication Profile because you may have multiple profiles with various users’ rights. Secondly, Palo Alto Networks PAN-OS doesn't allow saving an Authentication Profile without a name. Switch Authentication type from Local Database to LDAP by clicking the arrow to expand the drop-down menu.       Select the Server Profile you just created in the previous section and set the Login Attribute to sAMAccountNAme.       sAMAccountNAme is an important setting. This attribute specifies the login name used to support clients and servers running LAN manager and older versions of the operating system, such as Windows NT 4.0, Windows 95, and Microsoft Windows 98.   cn: SAM-Account-Name ldapDisplayName: sAMAccountName attributeId: 1.2.840.113556.1.4.221 attributeSyntax: 2.5.5.12 omSyntax: 64 isSingleValued: TRUE schemaIdGuid: 3e0abfd0-126a-11d0-a060-00aa006c33ed systemOnly: FALSE searchFlags: fPRESERVEONDELETE| fANR | fATTINDEX rangeLower: 0 rangeUpper: 256 attributeSecurityGuid: 59ba2f42-79a2-11d0-9020-00c04fc2d3cf isMemberOfPartialAttributeSet: TRUE systemFlags: FLAG_SCHEMA_BASE_OBJECT |  FLAG_ATTR_REQ_PARTIAL_SET_MEMBER schemaFlagsEx: FLAG_ATTR_IS_CRITICAL   You cannot log in using your Windows login user name if the sAMAccountNAme attribute is undefined.   The last step is to add or create login accounts for the firewall’s administrators. The accounts have to match account naming conventions used in your Active Directory. 
Click the Administrators link in the left pane, then click Add.     The name must match the user ID in the Active Directory. For the Authentication Profile, select the profile you just created in the previous section — in this case, it is Paynet Admins.     After you switch the Authentication Profile, you do not have to enter any passwords. By default, all the Firewall Admins are set to Superuser.     Firewall Admin rights can be set to: Superuser Superuser (read-only) Device administrator Device administrator (read-only)   Finally, the following is what you see after the configuration is complete. Notice that the Authentication Profile column tells you which profile is being used by each user.    
rchougale 10-27-2015 08:44 PM
Overview
This article describes how to view, create and delete security policies inside the CLI (Command Line Interface).

Details
To create a new security policy from the CLI:

> configure (press enter)
# set rulebase security rules <name> from <source zone> to <destination zone> destination <ip> application <application> service <any/application-default/service name> action <allow/deny> (press enter)
# exit

Example:
# set rulebase security rules Generic-Security from Outside-L3 to Inside-L3 destination 63.63.63.63 application web-browsing service application-default action allow (press enter)

Note: For help with entry of all CLI commands, use "?" or [tab] to get a list of the available commands.

To view the Palo Alto Networks security policies from the CLI:

> show running security-policy

Rule       From         Source        To           Dest.           User                Proto Port Range Application  Action
---------- ------------ ------------- ------------ --------------- ------------------- ----- ---------- ------------ ------
Doms DLP   untrust-vwir 10.16.0.92    Untrust-vwir any             any                 any   any        any          allow
           trust-vwire                trust-vwire
rule4      untrust-vwir any           untrust-vwir 10.16.0.92      any                 any   any        any          allow
           trust-vwire                trust-vwire
rule3      trust-vwire  any           untrust-vwir any             any                 any   any        any          allow

The following command outputs the entire configuration:

> show config running

For set-format output:

> set cli config-output-format set
> configure
Entering configuration mode
[edit]
# edit rulebase security
[edit rulebase security]
# show
set rulebase security rules rashi from trust-vwire
set rulebase security rules rashi from untrust-vwire
set rulebase security rules rashi to trust-vwire
set rulebase security rules rashi to untrust-vwire
set rulebase security rules rashi source 10.16.0.21
set rulebase security rules rashi destination any
set rulebase security rules rashi service any
set rulebase security rules rashi application adobe-meeting-remote-control
set rulebase security rules rashi application adobe-meeting
set rulebase security rules rashi application adobe-online-office
set rulebase security rules rashi action deny
set rulebase security rules rashi source-user any
set rulebase security rules rashi option disable-server-response-inspection no
set rulebase security rules rashi negate-source no
set rulebase security rules rashi negate-destination no
set rulebase security rules rashi disabled yes
set rulebase security rules rashi log-start no
set rulebase security rules rashi log-end yes

To switch back to the default output, from configure mode:

# run set cli config-output-format default
[edit rulebase security]
# show
security {
  rules {
    rashi {
      from [ trust-vwire untrust-vwire];
      to [ trust-vwire untrust-vwire];
      source 10.16.0.21;
      destination any;
      service any;
      application [ adobe-meeting-remote-control adobe-meeting adobe-online-office];
      action deny;
      source-user any;
      option {
        disable-server-response-inspection no;
      }
      negate-source no;
      negate-destination no;
      disabled yes;
      log-start no;
      log-end yes;
      profile-setting {
        profiles {
          file-blocking rashi_file_alert;
          data-filtering rashi_dlp;
        }

To view the configuration in XML format, from configure mode:

# run set cli config-output-format xml
[edit rulebase security]
# show
<response status="success" code="19">
  <result total-count="1" count="1">
    <security>
      <rules>
        <entry name="rashi">
          <from>
            <member>trust-vwire</member>
            <member>untrust-vwire</member>
          </from>
          <to>
            <member>trust-vwire</member>
            <member>untrust-vwire</member>
          </to>
          <source>
            <member>10.16.0.21</member>
          </source>
          <destination>
            <member>any</member>
          </destination>
          <service>
            <member>any</member>
          </service>
          <application>
            <member>adobe-meeting-remote-control</member>
            <member>adobe-meeting</member>
            <member>adobe-online-office</member>
          </application>
          <action>deny</action>
          <source-user>
            <member>any</member>
          </source-user>
          <option>
            <disable-server-response-inspection>no</disable-server-response-inspection>
          </option>
          <negate-source>no</negate-source>
          <negate-destination>no</negate-destination>
          <disabled>yes</disabled>
          <log-start>no</log-start>
          <log-end>yes</log-end>
          <profile-setting>
            <profiles>
              <file-blocking>
                <member>rashi_file_alert</member>
              </file-blocking>
              <data-filtering>

Also, if you want a shorter way to view and delete security rules inside configure mode, you can use these two commands:

To find a rule:
show rulebase security rules <rulename>

To delete or remove a rule:
delete rulebase security rules <rulename>

See Also
Command Line Interface Reference Guide Release 6.1
Command Line Interface Reference Guide Release 6.0
Command Line Interface Reference Guide Release 5.0

owner: panagent
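The set-format output above is the easiest form to audit programmatically. The following is an added example, not part of the original article or of PAN-OS: it parses `set rulebase security rules` lines (a constructed copy of the rashi rule plus a constructed Generic-Security rule) back into a dictionary, regenerates the CLI commands that would recreate a rule, and flags enabled allow rules that are "any" for source, application and service.

```python
"""Parse PAN-OS 'set' format security-rule output, regenerate the CLI
commands that would recreate a rule, and flag overly permissive rules.

Added example, not part of the original article.  SAMPLE_SET_OUTPUT is a
constructed copy of the 'rashi' lines shown above plus a second,
constructed rule named Generic-Security; the field names are the ones the
article itself shows, and nothing PAN-OS-specific beyond that is assumed.
"""
import shlex
from collections import defaultdict

# Fields that take several members: each repeated 'set' line adds a member.
MULTI_VALUED = {"from", "to", "source", "destination", "service",
                "application", "source-user"}

# Constructed input in the shape of 'set cli config-output-format set'.
SAMPLE_SET_OUTPUT = """\
set rulebase security rules rashi from trust-vwire
set rulebase security rules rashi from untrust-vwire
set rulebase security rules rashi to trust-vwire
set rulebase security rules rashi to untrust-vwire
set rulebase security rules rashi source 10.16.0.21
set rulebase security rules rashi destination any
set rulebase security rules rashi service any
set rulebase security rules rashi application adobe-meeting-remote-control
set rulebase security rules rashi application adobe-meeting
set rulebase security rules rashi application adobe-online-office
set rulebase security rules rashi action deny
set rulebase security rules rashi source-user any
set rulebase security rules rashi option disable-server-response-inspection no
set rulebase security rules rashi disabled yes
set rulebase security rules rashi log-end yes
set rulebase security rules Generic-Security from Outside-L3
set rulebase security rules Generic-Security to Inside-L3
set rulebase security rules Generic-Security source any
set rulebase security rules Generic-Security destination any
set rulebase security rules Generic-Security service any
set rulebase security rules Generic-Security application any
set rulebase security rules Generic-Security action allow
"""


def parse_set_rules(text):
    """Return {rule_name: {field: value or [values]}} from set-format lines.

    Lines that are not 'set rulebase security rules ...' are ignored, so the
    prompt and '[edit rulebase security]' lines of a pasted session are
    harmless.  Quoted rule names such as "Doms DLP" are handled by shlex.
    """
    rules = defaultdict(lambda: defaultdict(list))
    for raw in text.splitlines():
        tokens = shlex.split(raw)
        if tokens[:4] != ["set", "rulebase", "security", "rules"] or len(tokens) < 7:
            continue
        name, field, value = tokens[4], tokens[5], " ".join(tokens[6:])
        if field in MULTI_VALUED:
            rules[name][field].append(value)
        else:
            rules[name][field] = value        # scalar field: last 'set' wins
    return {name: dict(fields) for name, fields in rules.items()}


def to_set_commands(name, rule):
    """Emit the 'set rulebase security rules' lines that recreate a parsed rule."""
    quoted = f'"{name}"' if " " in name else name
    lines = []
    for field, value in rule.items():
        for member in (value if isinstance(value, list) else [value]):
            lines.append(f"set rulebase security rules {quoted} {field} {member}")
    return lines


def permissive_findings(rules):
    """Names of enabled 'allow' rules whose source, application and service
    are all 'any': between their zones such a rule is a port-agnostic
    allow-all, which is exactly what application-based policy is meant to avoid."""
    findings = []
    for name, rule in rules.items():
        if rule.get("action") != "allow" or rule.get("disabled") == "yes":
            continue
        if all(rule.get(f) == ["any"] for f in ("source", "application", "service")):
            findings.append(name)
    return sorted(findings)


if __name__ == "__main__":
    parsed = parse_set_rules(SAMPLE_SET_OUTPUT)
    for line in to_set_commands("rashi", parsed["rashi"]):
        print(line)
    print("permissive:", permissive_findings(parsed))
```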
nrice 09-15-2015 11:36 PM
Details
Device configurations can be imported to or exported from Palo Alto Networks devices using secure file copy (SCP) from the CLI.

Note: By default, the device uses the management interface to communicate with the SCP server. To use an interface other than the management interface, specify it by source IP in the SCP export/import command.

To export a running configuration using SCP, log in to the CLI using an admin account with superuser or deviceadmin privileges. This command can also be used in a script to perform regularly scheduled configuration backups:

> scp export configuration from running-config.xml to username@host-ip:path

The path must be a valid directory path on the destination SCP server. The file will be saved on the SCP server with the name running-config.xml.

To import a configuration using SCP, log in to the CLI using an admin account with superuser or deviceadmin privileges:

> scp import configuration from name@host:path/xyz.xml

Note: The file xyz.xml can have any file name except running-config.xml. Commit to apply the imported configuration.

owner: sjanita
sjanita 09-15-2015 11:34 PM
Overview
SMB and FTP file transfers generate a large amount of bi-directional traffic. SMB generates a reply packet for almost every data packet, and is therefore very chatty. A Palo Alto Networks firewall will, by default, examine traffic in both directions, from client-to-server (C2S) and from server-to-client (S2C). For these reasons, SMB and FTP file transfers through the firewall can be slow.

One way to enhance performance for that traffic is to use an application override to exclude it from Layer 7 inspection and application identification.

If Layer 7 inspection is needed and performance still needs to be improved, check the 'Disable Server Response Inspection (DSRI)' option on the security policy that the traffic matches. This should only be enabled if the server is trusted, since the firewall will then inspect only the C2S traffic; the file transfer rate will increase.

Details
To enable DSRI, go to Policies > Security > Actions in the WebUI. Once the policy is created, an icon shows that the DSRI option is checked for that security rule.

owner: kadak
kadak 09-15-2015 11:30 PM
Symptom
The output of show session id does not show the security rule that the traffic is hitting. In the example below, the security rule matched by the traffic is not present:

> show session id 4960
Session            4960
        c2s flow:
                source:      192.168.9.1 [trust_9999]
                dst:         192.168.7.2
                proto:       17
                sport:       60909          dport:    162
                state:       ACTIVE         type:     FLOW
                src user:    panrcks\administrator
                dst user:    unknown
        s2c flow:
                source:      192.168.7.2 [trust_8888]
                dst:         192.168.9.1
                proto:       17
                sport:       162            dport:    60909
                state:       ACTIVE         type:     FLOW
                src user:    unknown
                dst user:    panrcks\administrator
        start time                    : Sun Feb  3 03:10:53 2013
        timeout                       : 327 sec
        time to live                  : 202 sec
        total byte count(c2s)         : 1124
        total byte count(s2c)         : 590
        layer7 packet count(c2s)      : 1
        layer7 packet count(s2c)      : 1
        vsys                          : vsys1
        application                   : snmp-trap
        session to be logged at end   : True
        session in session ager       : True
        session synced from HA peer   : False
        layer7 processing             : enabled
        URL filtering enabled         : False
        session via sun-cookies       : False
        session terminated on host    : Ture
        session traverses tunnel      : False
        captive portal session        : False
        ingress interface             : ethernet1/3
        egress interface              : ethernet1/2
        diffserv marking IP DSCP      : 0x34
        session QoS rule              : N/A (class 4)

Cause
Session information with missing security rule information appears if a security rule is modified or deleted while there are still active sessions that matched the rule. The sessions continue to exist as long as the traffic does, but the rule information is not present because the rule has been modified or no longer exists. The traffic logs will still show the security rule and all other information accurately.

Note: If a session must be checked against the new security rules after a configuration change, the rematch sessions feature should be turned on. See the following document for details on session rematch: How Session Rematch Works.

owner: sdurga
sdurga 09-11-2015 02:21 AM
Details
In this scenario, a user accessing "https://exchange.leapfile.com/" was expected to hit the "Deny-App" rule and be dropped, but the following traffic log appeared instead:

===========================================================================
traffic logs - NG case
===========================================================================
Receive_T  Dest_addr       Rule       App          S_Port D_Port Action  Category
8/25 9:55  54.227.253.124  url block  web-browsing 55888  443    allow   online-storage-and-backup

After disabling the "url block" rule, the traffic hits the "Deny-App" rule as expected:

===========================================================================
traffic logs - OK case
===========================================================================
Receive_T  Dest_addr       Rule       App          S_Port D_Port Action  Category
8/25 9:56  54.227.253.124  Deny-App   leapfile     55895  443    deny    online-storage-and-backup

Because "set deviceconfig setting ssl-decrypt url-proxy yes" is configured on the Palo Alto Networks firewall, the firewall sends the URL block page whenever a URL matches. In this case, the firewall sent the URL block page before it had a chance to identify the application as "leapfile". Make sure there is no URL block policy ahead of the first rule, Deny-App. The firewall does not send the URL block page before identifying the app; once the app is identified, the application is denied by the "Deny-App" rule.

For more information on configuring this, see the following link: How to Configure the Palo Alto Networks Device to Serve a URL Response page Over an HTTPS Session without SSL Decryption

Enable the Palo Alto Networks device's ability to inject URL filtering response pages within an HTTPS session with the following configuration command:

> set deviceconfig setting ssl-decrypt url-proxy yes

owner: kkondo
kkondo 09-10-2015 02:28 PM
Overview
The Palo Alto Networks device permits duplicate Shared Service Object names if they are applied in a different vsys. For example, the screenshot below shows:
HTTP (TCP port 8080, shared Object)
HTTP (TCP port 888, vsys Object)

Issue
The vsys Service Object has higher precedence than the shared one; the vsys object overrides it within that specific vsys. However, when an attempt is made to delete the duplicated Shared Service Object name from a rule in which the same-named vsys Service Object is set, the error below appears:

1- Failed to delete Service - HTTP
HTTP cannot be deleted because of references from:
vsys -> vsys1 -> rulebase -> security -> rules -> [policy name] -> service

Resolution
Remove the service object from the security policy that uses it. Delete the object. Add the shared one back into the policy.

See Also
Address/Address Group Objects Must Have Different Names

owner: tshimizu
TShimizu 09-10-2015 05:32 AM
Overview
In some scenarios where threat protection is used as a defense against brute force attacks involving FTP or SSH, an unwanted IP address may be blocked and need to be unblocked immediately.

Details
To unblock an IP address, run the following CLI commands.

Verify the blocked addresses:

> debug dataplane show dos block-table

entp:0x80000000efc69c10, bucket:183, entry:0
  Key:
    vsys_id:1, src_zone:3
    ip:x.x.x.x, dst_ip:10.0.0.5
    is_ipv6:0, is_src_dst_both:1
  Value:
    block_until:1989416 (Unblock after:16 sec)
-------------------------------------------------------------------------------

Remove a specific address from the block-table and leave the other addresses blocked:

> debug dataplane reset dos zone L3_Untrust block-table source x.x.x.x

Remove all addresses from the block-table:

> debug dataplane reset dos block-table

Note: The discarded sessions may also need to be cleared. Run the following commands to view and clear discarded sessions:

> show session all filter source x.x.x.x
--------------------------------------------------------------------------------
ID          Application    State   Type Flag  Src[Sport]/Zone/Proto (translated IP[Port])
Vsys                                          Dst[Dport]/Zone (translated IP[Port])
--------------------------------------------------------------------------------
45629        ssh            DISCARD FLOW       x.x.x.x[36437]/L3_Untrust/6  (x.x.x.x[36437])
vsys1                                          10.0.0.5[22]/L3_Untrust  (10.0.0.5[22])

> clear session id 45629
session 45629 cleared

owner: jperry
jperry1 09-10-2015 05:30 AM
What is App-ID?
Application Identification, or App-ID, is a main component of Palo Alto Networks devices. It is a patented mechanism present only on Palo Alto Networks devices and is responsible for identifying applications traversing the firewall independently of port, protocol and encryption (SSL or SSH). This identification of applications ensures proper Layer 7 inspection at the packet payload level, comparing traffic against Palo Alto Networks Application Signatures (today over 2,000 individual App-IDs), Application Protocol Decoders, and heuristics. These elements are responsible for the visibility of Layer 7 (L7) traffic traversing the Palo Alto Networks firewalls.

The engine behind the App-ID component is driven by a series of pre-determined contexts. These contexts use decoders to help identify applications that have been tunneled within a main application (for example, Google Talk within Gmail). The applications are categorized and classified by the PAN-OS App-ID engine, allowing proper identification and the use of Application Groups at the security policy level.

During this classification process, Palo Alto Networks defines main applications (Parent Apps) and some directly dependent applications (Child Apps) that are part of those main applications. For instance, an App such as "uploading" may be classified as the Parent App of a newly created App-ID that uses file transfer from the web (browser-based file-sharing). This allows the Child App to be properly identified as part of the Parent "uploading" App, and provides visibility to the appropriate application under the correct categorization.

Even though several known applications are classified, categorized and created within PAN-OS, there are still applications that are not in the Palo Alto Networks device database. These applications are called "unknown," meaning unknown to PAN-OS at that time, not necessarily unknown in general. In these cases, custom App-ID signatures may be created to properly identify and classify them.

How Does App-ID Work?
While traffic traverses the Palo Alto Networks firewalls, the App-ID engine constantly provides visibility in the logs (Monitor tab) in PAN-OS, but the sequence before that visibility looks like the following:

The traffic needs to match a security policy that allows it, and signatures are applied to the traffic to identify the application or applications based on their unique characteristics. If the application uses its standard service ports, "application-default" should be used in the Service field. If non-standard ports are used, those TCP or UDP ports must be specified in the Service column of the traffic rule.

If the App-ID engine determines that the traffic is encrypted (SSL or SSH), a decryption policy needs to be in place to allow the App-ID engine to inspect the traffic.

PAN-OS is a context-based engine. Decoders for some known protocols are also applied and are responsible for identifying other "embedded" applications that may be tunneled within the protocol (for example, Gmail Google Chat over HTTP). Some applications may still try to evade and may not be identified through signatures and decoders; heuristic or behavioral analysis may then be used to identify the application. If after all these steps the application is not properly identified, it is classified as "unknown" for further analysis and proper identification by the security operations team. If it remains unknown, it can be blocked, or simply not be part of the approved application list placed in the security policy.

How Does PAN-OS Handle Unknown Applications?
When working through any App-ID adoption process, whether with a Migration Tool or manually by analyzing logs, the first step in adopting App-IDs is to separate unknown from known traffic. Known traffic consists of the applications already identified in the Palo Alto Networks firewall logs. Unknown traffic is subject to analysis and must be properly identified. An App Override rule must be created for it; such a rule is known as a "fast path" if it contains only the service ports, since it then uses only Layer 3 and 4 inspection and does not go to Layer 7.

These rules can be used to provide visibility during the investigation of the unknown traffic. Once the proper packet information is collected and further analysis is carried out on the TCP stream, a full Layer 7 App-ID signature may be created, providing visibility and Layer 7 inspection with no need for an App Override rule. For traffic that could not be identified, further analysis is required; Palo Alto Networks logs may provide useful information during this process.

Knowing why an application was marked as unknown traffic is key, and in PAN-OS there are two main classifications for unknowns:
Incomplete data, which occurs when a handshake was executed but no data came through before the timeout.
Insufficient data, which occurs when, after a handshake is completed, some data is sent but not enough packets were sent to identify the application.

These cases are usually network related, or involve unconventional applications that communicate in a singular manner. At this point we know enough about the unknown application, but we need a packet capture (PCAP) to properly identify a pattern within the TCP stream up to the point where the session is closed.

With the PCAP in hand, and after proper analysis, use the application within the network to replicate the traffic. Create a PCAP from the firewall to have enough detail, then establish a proper pattern that will be used to create a custom App-ID signature, or send it to Palo Alto Networks support to have the signature created for you. Note: More than a single packet stream will be needed.

A custom App-ID needs to be created with the same criteria with which all other applications are inserted into the PAN-OS App-ID repository. It also needs proper characteristics, classification, category and sub-category, as well as risk level, service port and timeouts.

How to Create a PCAP
Perform a PCAP to help identify the unknown traffic. See the following document and video to learn more about creating a packet capture: How to Run a Packet Capture. Video Link: 1355

The video demonstrates how to:
Configure and run a basic PCAP from the PAN-OS UI
Download the produced PCAP files
Open the PCAP files for analysis

Create a Custom App-ID
After you have analyzed your TCP stream and found a pattern that is constant and not related to the infrastructure around the payload (MAC addresses, hardware manufacturer data, NIC information), use this chunk of data in your new custom App-ID signature. Note: Use the hexadecimal format in your regex.

See Also
Custom Application Signatures

owner: efurtado
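The two practical points above, that only bytes constant across streams are signature material and that a single stream is never enough to tell them apart, can be checked mechanically. The following is an added example, not part of the original article or of PAN-OS: it takes several constructed first-payloads of a hypothetical "XQP" protocol, finds the byte sequences common to all of them, and renders the candidates as hex; it does not assume the exact hex syntax of the PAN-OS signature editor.

```python
"""Find the byte pattern that every captured stream of an unknown
application shares, as a starting point for a custom App-ID signature.

Added example, not part of the original article.  The streams are
constructed for a hypothetical proprietary protocol ("XQP"): a 4-byte length
prefix, a constant magic/version header, then per-session fields.  Only the
bytes invariant across streams are signature material, and a single stream
cannot reveal which those are, which is why more than one stream is needed.
The exact hex syntax of the PAN-OS signature editor is not assumed here; the
helper just renders the bytes as hex for pasting into it.
"""
MAGIC = b"XQP/1\x00\x10\x00"          # constructed: protocol name, version, flags


def frame(session_id, hostname):
    """Build one constructed first-payload: length prefix + magic + session fields."""
    body = MAGIC + b"sid=" + session_id + b";host=" + hostname + b";\x00"
    return len(body).to_bytes(4, "big") + body


# Three separate TCP streams of the same hypothetical application.  The
# length prefix, session id and hostname differ from stream to stream.
SAMPLE_STREAMS = [
    frame(b"00417", b"wks-07"),
    frame(b"93110", b"lab-4201"),
    frame(b"00002", b"srv-9"),
]


def longest_common_substring(streams):
    """Longest byte sequence that occurs in every stream (b'' if none)."""
    shortest = min(streams, key=len)
    for length in range(len(shortest), 0, -1):
        for start in range(len(shortest) - length + 1):
            candidate = shortest[start:start + length]
            if all(candidate in s for s in streams):
                return candidate
    return b""


def invariant_patterns(streams, min_len=4):
    """All maximal byte sequences of at least min_len that occur in every
    stream, longest first.  Shorter sequences already contained in a longer
    hit are skipped, so each returned pattern is a distinct signature candidate.
    Quadratic in the shortest stream, which is fine for first-payload sizes."""
    shortest = min(streams, key=len)
    found = []
    for length in range(len(shortest), min_len - 1, -1):
        for start in range(len(shortest) - length + 1):
            candidate = shortest[start:start + length]
            if any(candidate in hit for hit in found):
                continue
            if all(candidate in s for s in streams):
                found.append(candidate)
    return found


def to_hex(pattern):
    """Render a byte pattern as a continuous hex string (b'XQP' -> '585150')."""
    return pattern.hex()


if __name__ == "__main__":
    # With one stream everything looks invariant; with three, only the
    # magic header plus the 'sid=' and ';host=' field markers survive.
    for p in invariant_patterns(SAMPLE_STREAMS):
        print(f"{to_hex(p)}  ({p!r})")
```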
EmmaF 09-10-2015 02:49 AM
Issue
While adding a security policy (with a destination zone of 'Multicast', the multicast IP address 224.0.0.251, and port udp/5353) on the device, 224.0.0.251 was also added to the Group List under Multicast > Rendezvous of the default virtual router. On commit, the following error is displayed:

Multicast group address 224.0.0.251/32 is not valid.(Module: routed). Commit failed.

Resolution
The commit fails because the multicast range 224.0.0.0/24 is reserved for local multicast. It is not to be used here, as the IGMP address receives the mcast traffic.

owner: pchanda
pchanda 09-09-2015 02:10 PM
Issue
While attempting to commit changes, the following error message is displayed:

Error: Number of dynamic-ip-and-port rules (451) exceeds vsys capacity (450)
Error: Failed to parse nat policy (Module: device)
Commit failed

Note: This error occurs when too many rules are in place, but the first number (451 in this example) will always be 1 above the limit regardless of how many rules are actually in the policy, because the error triggers as soon as the firewall exceeds its limit.

Resolution
There is a maximum number of NAT rules that can be configured per virtual system (vsys), and this error occurs if the number of NAT rules in the policy exceeds that number. The solution is to consolidate NAT rules to lower the number of active rules in the policy to be installed.

See Also
For information on finding the limit on NAT rules, see the following article: How to view the Maximum limit of NAT rules

owner: swhyte
npare 09-09-2015 02:01 PM
Issue
The URL block page does not work for web sites that the web browser cached before the block page was applied.

Details
If the user accessed a website before the URL block page was implemented, the block page will not be applied if the user's web browser already has the site in its cache. For example, apply the URL filter block page for the "streaming-media" category and access http://gyao.yahoo.co.jp/korean/ and http://gyao.yahoo.co.jp/ct/music/ .

> test url gyao.yahoo.co.jp/korean/
gyao.yahoo.co.jp streaming-media (Base db)

> test url gyao.yahoo.co.jp/ct/music/
gyao.yahoo.co.jp streaming-media (Base db)

Both are categorized as streaming-media, as shown above, but the block page only works for http://gyao.yahoo.co.jp/ct/music/ .

Look at the HTTP request and response headers for each site and note the difference in the response headers provided by the web server. The /ct/music/ response carries "Cache-Control" directives and "Pragma: no-cache", so the browser will not use a cached copy of the object. There is no such cache control for http://gyao.yahoo.co.jp/korean/, so the client browser uses its cache rather than accessing the site, and hence the block page is not supplied by the Palo Alto Networks firewall.

=====================================================================
HTTP request and response header for http://gyao.yahoo.co.jp/korean/
=====================================================================
GET /korean/ HTTP/1.1
Host: gyao.yahoo.co.jp
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:26.0) Gecko/20100101 Firefox/26.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: ja,en-us;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://gyao.yahoo.co.jp/korean/
Cookie: B=6rahmo59c29vd...
Connection: keep-alive

HTTP/1.1 200 OK
Date: Tue, 21 Jan 2014 06:03:59 GMT
P3P: policyref=" http://privacy.yahoo.co.jp/w3c/p3p.xml ", CP="..."
Cache-Control: public
Vary: Accept-Encoding
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8
Content-Encoding: gzip

=====================================================================
HTTP request and response header for http://gyao.yahoo.co.jp/ct/music/
=====================================================================
GET /ct/music/ HTTP/1.1
Host: gyao.yahoo.co.jp
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:26.0) Gecko/20100101 Firefox/26.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: B=6rahmo59c29vd...
Connection: keep-alive

HTTP/1.1 200 OK
Date: Tue, 21 Jan 2014 06:04:02 GMT
P3P: policyref=" http://privacy.yahoo.co.jp/w3c/p3p.xml ", CP="..."
Cache-Control: public
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Tue, 21 Jan 2014 06:04:02 GMT
Cache-Control: private, no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8
Content-Encoding: gzip

Workaround
Clear the cache on the client browser; the block page will then work as designed.

See the links below for examples of how to clear the cache on the designated browsers:
Mozilla Firefox: How to clear the Firefox cache | Firefox Help
Internet Explorer: https://kb.wisc.edu/page.php?id=15141

owner: kkondo
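The header comparison above can be automated when triaging "block page not shown" reports. The following is an added example, not part of the original article or of PAN-OS: it parses the two response header sets shown above and reports whether a browser may reuse its cached copy without contacting the server (and so without the firewall ever seeing the request); the logic is a deliberate simplification of RFC 7234 that looks only at Cache-Control, Pragma, Expires and Date.

```python
"""Decide from response headers whether a browser may reuse a cached copy of
a page without contacting the server, which is when the firewall never sees
the request and so cannot substitute its URL block page.

Added example, not part of the original article.  The two header sets are
copies of the response headers shown above (request headers omitted).  The
logic is a deliberate simplification of HTTP caching rules (RFC 7234): it
looks only at Cache-Control, Pragma, Expires and Date.
"""
from email.utils import parsedate_to_datetime

KOREAN_RESPONSE = """\
HTTP/1.1 200 OK
Date: Tue, 21 Jan 2014 06:03:59 GMT
P3P: policyref=" http://privacy.yahoo.co.jp/w3c/p3p.xml ", CP="..."
Cache-Control: public
Vary: Accept-Encoding
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8
Content-Encoding: gzip
"""

MUSIC_RESPONSE = """\
HTTP/1.1 200 OK
Date: Tue, 21 Jan 2014 06:04:02 GMT
P3P: policyref=" http://privacy.yahoo.co.jp/w3c/p3p.xml ", CP="..."
Cache-Control: public
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Tue, 21 Jan 2014 06:04:02 GMT
Cache-Control: private, no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8
Content-Encoding: gzip
"""


def parse_headers(raw):
    """Return [(name, value)] with names lower-cased; repeated headers are kept
    in order, which matters because Cache-Control may appear several times."""
    headers = []
    for line in raw.strip().splitlines()[1:]:      # skip the status line
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return headers


def cache_directives(headers):
    """Merge every Cache-Control header into one set of directive names
    (the '=value' part of directives such as max-age=0 is dropped)."""
    directives = set()
    for name, value in headers:
        if name == "cache-control":
            for token in value.split(","):
                directives.add(token.strip().lower().split("=", 1)[0])
    return directives


def first(headers, name):
    """Value of the first header called name, or None."""
    return next((value for n, value in headers if n == name), None)


def cache_verdict(headers):
    """Return (reusable, reasons).  reusable=True means a browser holding the
    page may render it from cache, so a later URL block will not be seen;
    reasons lists every header that forbids that reuse."""
    reasons = []
    directives = cache_directives(headers)
    for forbidding in ("no-store", "no-cache"):
        if forbidding in directives:
            reasons.append(f"Cache-Control: {forbidding}")
    pragma = first(headers, "pragma")
    if pragma and "no-cache" in pragma.lower():
        reasons.append("Pragma: no-cache")
    expires, date = first(headers, "expires"), first(headers, "date")
    if expires and date:
        try:
            if parsedate_to_datetime(expires) <= parsedate_to_datetime(date):
                reasons.append("Expires not later than Date (stale on arrival)")
        except (TypeError, ValueError):
            reasons.append("unparseable Expires (treated as stale)")
    return (not reasons, reasons)


if __name__ == "__main__":
    for label, raw in (("/korean/", KOREAN_RESPONSE), ("/ct/music/", MUSIC_RESPONSE)):
        print(label, cache_verdict(parse_headers(raw)))
```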
kkondo 09-09-2015 12:00 PM