Management Articles

Featured Article
Issue
The following error appears after a commit, or as a high-severity system log event:

    Key generation operation failed - RSA

Detail of the system event:

    domain: 1
    receive_time: 2014/11/11 09:13:53
    serial: 012345678
    seqno: 11128
    actionflags: 0x0
    type: SYSTEM
    subtype: general
    config_ver: 0
    time_generated: 2014/11/11 09:13:53
    vsys: vsys1
    eventid: general
    object:
    fmt: 0
    id: 0
    module: general
    severity: high
    opaque: Key generation operation failed - RSA

Cause
This error appears only when FIPS (Federal Information Processing Standards 140-2) mode is enabled and either:
- a certificate included in the configuration has a public key of 1024 bits or less, or
- SSH key-based authentication for admin logins uses a key of 1024 bits or less.

The error is only a notification that these keys are not FIPS compliant; it is not service impacting.

Per the Admin Guide, the requirements when enabling FIPS mode are:
- Self-generated and imported certificates must contain public keys that are 2048 bits or higher.
- SSH key-based authentication must use RSA public keys that are 2048 bits or higher.

Resolution
Every certificate in the configuration, whether it is referenced by a policy or not, must meet the FIPS requirements: all certificates and SSH authentication keys must be 2048 bits or higher. Contact Palo Alto Networks Support if any assistance is needed to resolve this issue.

owner: jdelio
09-09-2015 08:07 AM
Steps
The following steps describe how to move a policy before or after another policy in PAN-OS.

1. Go to the Policies tab and select a policy type (Security, NAT) from the left-hand navigation pane.
2. Move the policy with one of the methods below.

Using drag and drop
- Click a rule and drag it to the desired position.
- Commit the PAN-OS configuration change for it to take effect.

Using the move buttons
- Select a rule.
- Use the move buttons at the bottom of the page to move the rule.
- Commit the PAN-OS configuration change for it to take effect.

Using the drop-down menu
- Click the drop-down arrow next to the name of the rule that needs to be moved.
- Select the name of another rule; the previously selected rule will be moved before or after this rule.
- Click Move Before or Move After, as shown in the example below.
- Commit the PAN-OS configuration change for it to take effect.

owner: jdavis
jdavis 09-09-2015 07:56 AM
Issue
The following error occurs when committing changes to a configuration:

    Error: Duplicate user name 'intranet\USER01'
    Error: Failed to parse security policy (Module: device)
    commit failed

Cause
The error is not actually caused by a duplicate user name. It is triggered by the name "USER01" being written in capital (upper-case) letters. When capital letters appear in the domain or user name of a User field, the parser may treat the capitalized entry as a "Duplicate object" even though it is not.

Resolution
Enter all usernames and domains in lower case in the User field and the commit error no longer appears. For example:
- The value 'intranet\USER01' returns an error.
- The value 'intranet\user01' works as expected and commits without issues.

owner: jdelio
09-09-2015 07:48 AM
Overview
A firewall typically carries many security rules. Knowing which rule is hit the most identifies the rule that is allowing or denying the most traffic, along with the source and destination IP addresses involved. This document describes how to determine the most used security rule(s).

Steps
1. Go to Monitor > Manage Custom Reports and click Add.
2. Select Traffic Log as the Database.
3. Select a value for Time Frame, for example Last 30 Days.
4. Sort by Bytes and group by Rule.
5. In Selected Columns, add the following: Source Zone, Destination Zone, Source address, Destination address, Bytes, Rule, Session ID.
6. Click Run Now to view the generated report. The report can be exported as PDF, CSV or XML.

owner: dantony
dantony 09-09-2015 07:32 AM
Symptom
QoS policies are configured with schedules. Traffic is observed still matching the old QoS policy even though the newly scheduled QoS policy is already in its active period.

Cause
The QoS policy applied to a session is the policy that was in effect when the session was created. As long as the session remains active, the Palo Alto Networks firewall keeps the same session ID and the same QoS class. For long-lived sessions, the QoS scheduler therefore continues to use the class set by the policy that matched when the session was first created; only new sessions pick up the newly active policy.

For example, two QoS policies are configured and scheduled as follows:
- QOS_POLICY1 on SCHED1, active during 00:00 - 17:40
- QOS_POLICY2 on SCHED2, active during 17:41 - 23:59

The clock shows that QOS_POLICY1 (SCHED1) should be active:

    > show clock
    Wed Dec 11 17:39:15 SGT 2013

Check the active sessions:

    > show session all filter application ftp
    --------------------------------------------------------------------------------
    ID      Application    State   Type Flag  Src[Sport]/Zone/Proto (translated IP[Port])
    Vsys                                      Dst[Dport]/Zone (translated IP[Port])
    --------------------------------------------------------------------------------
    43627   ftp            ACTIVE  FLOW  NS   192.168.151.202[4598]/trust/6  (10.129.17.151[51807])
    vsys1                                     137.189.4.14[21]/untrust  (137.189.4.14[21])

Session 43627 is using QOS_POLICY1 (class 2):

    > show session id 43627
    Session           43627
            c2s flow:
                    source:      192.168.151.202 [trust]
                    dst:         137.189.4.14
                    proto:       6
                    sport:       4598            dport:      21
                    state:       ACTIVE          type:       FLOW
                    src user:    unknown
                    dst user:    unknown
            s2c flow:
                    source:      137.189.4.14 [untrust]
                    dst:         10.129.17.151
                    proto:       6
                    sport:       21              dport:      51807
                    state:       ACTIVE          type:       FLOW
                    src user:    unknown
                    dst user:    unknown
                    qos node:    ethernet1/2, qos member N/A Qid 0
            start time                    : Wed Dec 11 17:44:51 2013
            timeout                       : 1800 sec
            time to live                  : 1747 sec
            total byte count(c2s)         : 2888
            total byte count(s2c)         : 5287
            layer7 packet count(c2s)      : 47
            layer7 packet count(s2c)      : 56
            vsys                          : vsys1
            application                   : ftp
            rule                          : TrustAndDMZ2Untrust
            session to be logged at end   : True
            session in session ager       : True
            session synced from HA peer   : False
            address/port translation      : source + destination
            nat-rule                      : Trust-2-Untrust-Global(vsys1)
            layer7 processing             : enabled
            URL filtering enabled         : True
            URL category                  : any
            session via syn-cookies       : False
            session terminated on host    : False
            session traverses tunnel      : False
            captive portal session        : False
            ingress interface             : ethernet1/2
            egress interface              : ethernet1/1
            session QoS rule              : QOS_POLICY1 (class 2)

The clock now shows that QOS_POLICY2 (SCHED2) should be active:

    > show clock
    Wed Dec 11 17:50:06 SGT 2013

Another FTP session is opened from the client to the server and a new session is created:

    > show session all filter application ftp
    --------------------------------------------------------------------------------
    ID      Application    State   Type Flag  Src[Sport]/Zone/Proto (translated IP[Port])
    Vsys                                      Dst[Dport]/Zone (translated IP[Port])
    --------------------------------------------------------------------------------
    43627   ftp            ACTIVE  FLOW  NS   192.168.151.202[4598]/trust/6  (10.129.17.151[51807])
    vsys1                                     137.189.4.14[21]/untrust  (137.189.4.14[21])
    43815   ftp            ACTIVE  FLOW  NS   192.168.151.202[4703]/trust/6  (10.129.17.151[47579])
    vsys1                                     137.189.4.14[21]/untrust  (137.189.4.14[21])

Session 43815 uses QOS_POLICY2 (class 3), because it is a new session and the SCHED2 schedule is now active, while the older session 43627 keeps class 2 until it ends:

    > show session id 43815
    Session           43815
            c2s flow:
                    source:      192.168.151.202 [trust]
                    dst:         137.189.4.14
                    proto:       6
                    sport:       4703            dport:      21
                    state:       ACTIVE          type:       FLOW
                    src user:    unknown
                    dst user:    unknown
            s2c flow:
                    source:      137.189.4.14 [untrust]
                    dst:         10.129.17.151
                    proto:       6
                    sport:       21              dport:      47579
                    state:       ACTIVE          type:       FLOW
                    src user:    unknown
                    dst user:    unknown
                    qos node:    ethernet1/2, qos member N/A Qid 0
            start time                    : Wed Dec 11 17:52:40 2013
            timeout                       : 1800 sec
            time to live                  : 1788 sec
            total byte count(c2s)         : 501
            total byte count(s2c)         : 1207
            layer7 packet count(c2s)      : 8
            layer7 packet count(s2c)      : 11
            vsys                          : vsys1
            application                   : ftp
            rule                          : TrustAndDMZ2Untrust
            session to be logged at end   : True
            session in session ager       : True
            session synced from HA peer   : False
            address/port translation      : source + destination
            nat-rule                      : Trust-2-Untrust-Global(vsys1)
            layer7 processing             : enabled
            URL filtering enabled         : True
            URL category                  : any
            session via syn-cookies       : False
            session terminated on host    : False
            session traverses tunnel      : False
            captive portal session        : False
            ingress interface             : ethernet1/2
            egress interface              : ethernet1/1
            session QoS rule              : QOS_POLICY2 (class 3)

owner: jlunario
pagmitian 09-09-2015 01:22 AM
Symptom
When viewing a session with the show session id CLI command, the security rule matched is "default" and the final line shows "appid policy lookup deny".

Cause
This behavior is caused by a security rule that uses Application Default as the service. With Application Default, the Palo Alto Networks firewall first identifies the application of the traffic. Once identified, it compares the port in use with the list of standard (default) ports for that application. If the port is not in that list, the firewall drops the session and records "appid policy lookup deny".

Solution
Either replace Application Default on the rule with a service object that includes the port actually in use, or, for a custom application, modify the application definition to include the appropriate port(s). Setting the service to "any" also clears the message, but it allows the application on every port, so an explicit service object is the better choice.

owner: gwesson
gwesson 09-09-2015 12:29 AM
Overview
This document describes how to filter the Security policy for rules that have the Log at Session End or Log at Session Start option enabled.

Steps
From the WebGUI, go to Policies > Security. In the filter bar, enter the filter:

    log-end eq 'yes'

This displays the rule(s) that have "Log at Session End" enabled. In the example below, the web-browsing rule has that option enabled and appears in the filter result.

Likewise, the filter

    log-start eq 'yes'

displays the rule(s) that have "Log at Session Start" enabled. The inverse filter, log-end eq 'no', lists the rules that write no log at session end, which is usually what an audit of logging coverage actually needs.

owner: tgupta
tgupta 09-08-2015 06:06 AM
Issue
The server's public IP address cannot be reached.

Details
- A second public range is configured on interface ethernet1/2, while the physical host is located on ethernet1/3.
- The NAT rule is configured from zone untrust to zone untrust.

Cause
The server's public IP address is in the same address space as the IP address of another interface on the Palo Alto Networks firewall. Example:
- ethernet1/1, zone untrust, public IP 1.1.1.1/24
- ethernet1/2, zone DMZ-Public, IP 2.2.2.2/24
- ethernet1/3, zone DMZ-Private, IP 192.168.1.1/24 (the server is connected here: public IP 2.2.2.66, private IP 192.168.1.2/24)
- NAT policy set for "untrust zone to untrust zone"

The firewall determines the destination zone of a NAT rule by a route lookup on the pre-NAT destination IP address. The ingress traffic is destined for 2.2.2.66, and the route lookup for 2.2.2.0/24 returns ethernet1/2, zone DMZ-Public. The NAT rule, however, only matches "untrust to untrust", so no translation takes place and the traffic is dropped.

Resolution
Edit the NAT policy and change the destination zone from "untrust" to "DMZ-Public". The ingress traffic then matches the source and destination zones that the route lookup produces. Note that the security policy allowing the traffic is still written with the server's post-NAT zone (DMZ-Private) as the destination.

owner: jdavis
panagent 09-07-2015 06:01 AM
Issue
DNS Proxy traffic is suddenly denied by the Palo Alto Networks firewall. The traffic logs show the DNS traffic being identified as "tcp-over-dns", even though the traffic is UDP DNS.

Cause
The DNS proxy reuses the same source port for its outgoing DNS queries (53/UDP), and the Palo Alto Networks firewall identifies that pattern as "tcp-over-dns". The Microsoft DNS proxy sends one session per outgoing DNS request from that same source port and is identified the same way by the current algorithm, so the customer's traffic log shows the same behavior as a Microsoft DNS proxy.

Workaround
Add "tcp-over-dns" to the security rule that allows the DNS proxy traffic. Because tcp-over-dns is also the App-ID for a DNS tunnelling tool, scope that rule to the proxy's source address and its upstream resolvers rather than allowing the application broadly, so that real DNS tunnelling from other hosts stays blocked.

owner: kkondo
kkondo 09-07-2015 05:39 AM
Symptoms
A website partially loads, but some of its components (images, for example) are not loaded. The screenshot below shows soundcloud.com partially loaded.

Issue
Websites embed content hosted on other URLs (typically a CDN), and those URLs can fall into a category that the URL filtering policy does not allow.

Resolution
The domain that hosts the missing components needs to be allowed by policy. To find it:
1. Open the URL filtering logs to see which URL was accessed and blocked. In the screenshot above, a1.sndcdn.com was accessed and blocked (block-url), and the category for that URL is online-music.
2. Then do one of the following:
   - Change the URL filtering profile to allow online-music, or
   - Add the URL (a1.sndcdn.com in the example) to the profile's allow list (white list), as shown below.
Adding the specific host is the narrower change; allowing the category opens every other site in it as well.

owner: kalavi
npare 09-07-2015 04:11 AM
Issue
File sharing cannot be blocked over Remote Desktop Protocol (ms-rdp).

Cause
Remote Desktop Protocol (RDP) is a multi-channel protocol that allows a user to connect to a networked computer. As the ms-rdp application characteristics in the image above show, ms-rdp is capable of transferring files. However, RDP uses a proprietary form of encryption that the Palo Alto Networks firewall does not decrypt. The specific actions inside an RDP session (drive redirection, clipboard transfer, file copy) therefore cannot be inspected, and the firewall can only allow or block RDP traffic as a whole.

Workaround
Disable file sharing over RDP using Group Policy Objects (GPO) on the end client, for example with the "Do not allow drive redirection" setting under Remote Desktop Services device and resource redirection.

owner: rvanderveken
rvanderveken 09-04-2015 04:10 AM
Details
In an environment where several Palo Alto Networks firewalls are managed by Panorama, it is inconvenient for an administrator to switch context every time they want to view the local rules on a firewall.

The following are a few ways to view local rules conveniently from Panorama. Under Panorama > Device, there is an option called Preview Rules, as shown below. With this feature the complete rule base of each device can be accessed from Panorama. It does not work until at least one device group has been committed to the managed devices.

Local rules are the rules that are not grayed out, while the Panorama-pushed rules are grayed out, as shown below.

In addition to previewing local Security policies on a managed device, other rule types such as NAT, QoS, Policy Based Forwarding, Decryption, Application Override, Captive Portal and DoS Protection can be previewed as well.

owner: sodhegba
sodhegba 09-04-2015 04:08 AM
Issue
Inbound SSL sessions that match an SSL Inbound Inspection decryption rule are not decrypted and are seen only as the ssl application by the Palo Alto Networks device. If a decryption profile is configured to block sessions that use unsupported cipher suites, these sessions are dropped.

Cause
The server chose a key-exchange method that the device cannot decrypt passively. During the SSL handshake, the client and server agree on a premaster secret, derive the master secret from it, and from that derive the session keys used to encrypt the data symmetrically.

With an RSA key exchange, the client encrypts the premaster secret with the server's public key and sends it to the server (the asymmetric part of the handshake). Because the Palo Alto Networks device holds the server's private key, it can decrypt that message, derive the same session keys, and inspect the data.

With a Diffie-Hellman key exchange (DHE, and likewise ECDHE), the client and server each contribute a public value and compute the shared secret mathematically; the secret itself is never transmitted, and the server's RSA private key is used only to sign the handshake. A passive observer holding that key cannot recover the secret, so the device cannot decrypt the session. Diffie-Hellman cipher suites are therefore not compatible with the decryption mechanism used by the Palo Alto Networks device for inbound inspection.

Resolution
Exclude all cipher suites that use Diffie-Hellman key exchange (DHE, Ephemeral Diffie-Hellman, and ECDHE) from the cipher suites offered by the targeted web server, so that the server negotiates an RSA key exchange. Note: the cipher-suite change on the web server should be performed by the web server administrator. Be aware of the trade-off: without the ephemeral suites the server offers no forward secrecy, so a later compromise of its RSA private key exposes any recorded past sessions.

owner: nbilly
nbilly 09-03-2015 06:09 PM
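As an added illustration for the article above (not part of the original article or of any Palo Alto Networks tooling), the following Python classifies cipher suite names by key-exchange method, so a web server administrator can tell which suites a passive decryptor holding only the server's RSA private key can handle and which must be removed. It accepts both IANA names (what a packet capture shows) and OpenSSL names (what nginx and Apache configurations use). The sample lists are constructed; the cipher-string helper is an assumed usage for an nginx ssl_ciphers or Apache SSLCipherSuite directive, and every function name is this example's own.

```python
from typing import Iterable, List, Tuple

# Constructed sample lists (not from the article). OpenSSL-style names are what
# web-server configs use; IANA-style names are what a packet capture shows.
OPENSSL_SAMPLE = [
    "ECDHE-RSA-AES256-GCM-SHA384",
    "DHE-RSA-AES128-GCM-SHA256",
    "AES128-GCM-SHA256",
    "AES256-SHA",
]
IANA_SAMPLE = [
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_AES_128_GCM_SHA256",   # TLS 1.3 suite: key exchange is always ephemeral (EC)DHE
]


def key_exchange(suite: str) -> str:
    """Key-exchange family of a cipher suite name.

    Handles IANA names (TLS_<kx>_WITH_<cipher>) and OpenSSL names
    (<kx>-<cipher>, where no prefix means plain RSA key transport).
    Returns RSA, DHE, ECDHE, DH, ECDH, ANON, PSK, SRP, TLS1.3 or UNKNOWN.
    """
    s = suite.upper()
    if s.startswith("TLS_"):
        if "_WITH_" not in s:
            return "TLS1.3"
        kx = s[4:s.index("_WITH_")]
        if kx == "RSA":
            return "RSA"
        if "ANON" in kx:
            return "ANON"
        if "SRP" in kx:
            return "SRP"
        if "PSK" in kx:
            return "PSK"
        for family in ("ECDHE", "DHE", "ECDH", "DH"):
            if kx.startswith(family):
                return family
        return "UNKNOWN"
    tokens = s.split("-")
    if tokens[0].startswith("EXP"):      # export-grade prefix, e.g. EXP-EDH-RSA-DES-CBC-SHA
        tokens = tokens[1:]
    head = tokens[0]
    if head in ("ADH", "AECDH"):
        return "ANON"
    if head == "SRP":
        return "SRP"
    if "PSK" in tokens[:2]:              # PSK-, DHE-PSK-, ECDHE-PSK-, RSA-PSK-
        return "PSK"
    if head in ("DHE", "EDH"):
        return "DHE"
    if head in ("ECDHE", "ECDH", "DH"):
        return head
    return "RSA"                         # no key-exchange prefix: RSA key transport


def decryptable_with_server_rsa_key(suite: str) -> bool:
    """True only for RSA key transport, where the client sends the premaster secret
    encrypted under the server's public key. Every DH-family suite derives the
    secret without transmitting it, so holding the server's private key is not enough."""
    return key_exchange(suite) == "RSA"


def split_for_inbound_inspection(suites: Iterable[str]) -> Tuple[List[str], List[str]]:
    """(suites a passive inbound-inspection device can decrypt, suites to remove)."""
    keep, drop = [], []
    for s in suites:
        (keep if decryptable_with_server_rsa_key(s) else drop).append(s)
    return keep, drop


def openssl_cipher_string(openssl_suites: Iterable[str]) -> str:
    """Cipher string for an nginx ssl_ciphers / Apache SSLCipherSuite directive
    (assumed usage): the decryptable suites, then explicit exclusions of every
    DH family and of anonymous suites using OpenSSL's own aliases."""
    keep, _ = split_for_inbound_inspection(openssl_suites)
    return ":".join(keep + ["!ECDHE", "!DHE", "!ECDH", "!DH", "!aNULL"])


if __name__ == "__main__":
    for name in OPENSSL_SAMPLE + IANA_SAMPLE:
        print(f"{name:42} {key_exchange(name):7} decryptable={decryptable_with_server_rsa_key(name)}")
    print(openssl_cipher_string(OPENSSL_SAMPLE))
```

Feed it the output of `openssl ciphers` on the server, or the suite names from a capture of the ServerHello, and the "drop" list is what the server administrator needs to remove. TLS 1.3 suites land in the drop list by construction, since that protocol has no RSA key-transport mode at all.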
When you create a custom application but do not use it in an Application Override rule, it still takes part in the App-ID process: packets are inspected up to Layer 7 and the matching application is assigned to the session.

Example: If you build a custom application that triggers on the HTTP host header www.mywebsite.com, the packets are first identified as web-browsing and then shift to your custom application (on top of web-browsing). The session is still scanned for content and vulnerabilities because it stays within Layer 7 scanning.

If you create an Application Override rule instead, you forcibly stop the application from being identified beyond port and protocol (Layers 3 and 4). The custom application name is assigned to the session so it can be identified in the logs, but no content or threat scanning is performed on that session. Use override only for traffic you trust enough to leave uninspected.

owner: tpiens
panagent 09-03-2015 05:20 AM
Details
To view all security policies on a Palo Alto Networks device, run the following command (supported on all PAN-OS versions):

    > show running security-policy

In PAN-OS 4.1, the command to view only the pushed configuration is:

    > show config pushed

PAN-OS 5.0 introduced Templates and the ability to push device templates to the managed devices. The following CLI commands were made available in PAN-OS 5.0 and 6.0 to view the pushed configuration and templates on a managed device.

To view only the Panorama-pushed configuration (policies and objects pushed from Panorama):

    > show config pushed-shared-policy

To view the shared policy pushed to the device for one vsys:

    > show config pushed-shared-policy vsys <value>

To view the template pushed to the device:

    > show config pushed-template

To view the templates pushed from Panorama merged with the local running configuration of the firewall:

    > show config merged

Note: The above commands display their output in XML. Setting the config output format to "set" or "xml" with

    > set cli config-output-format set

is useful when viewing only the local running configuration in configuration mode.

See Also
Viewing the Configuration in Set and XML Format

owner: apasupulati
apasupulati 09-03-2015 04:08 AM
Details
Palo Alto Networks has identified an issue in PAN-OS affecting the stripping of X-Forwarded-For (XFF) HTTP headers from outgoing HTTP requests.

When the "Strip X-Forwarded-For Header" feature is enabled, the XFF header may not be reliably stripped from certain outgoing HTTP request headers. This can result in complete or partial exposure of the contents of the XFF header field, typically an internal IP address. The issue is being addressed in the next PAN-OS 6.1 maintenance release (6.1.1), scheduled for mid-December. A fix for PAN-OS 6.0 is also being investigated. Until an update is available, customers concerned about this issue are advised to review the XFF header insertion configuration on their proxies, load balancers and other devices to determine whether XFF insertion can be temporarily disabled, or restricted so that it applies only to internal traffic.
panagent 09-02-2015 08:25 AM
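Added example, not from the advisory above and not a model of the PAN-OS implementation: a Python check for the failure mode the advisory describes, run over a constructed outbound request. It reports any X-Forwarded-For value that is a private, loopback or link-local address regardless of header-name case or repeated headers, which is how a leak would look in an egress capture, and it shows what complete stripping has to do. The request text, header values and function names are this example's own assumptions.

```python
import ipaddress
from typing import List, Tuple

# Constructed sample (not a capture from the advisory): one outbound request as a
# proxy behind the firewall would send it, carrying XFF headers in two spellings.
SAMPLE_REQUEST = (
    "GET /index.html HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "x-forwarded-for: 10.20.30.40\r\n"
    "User-Agent: curl/7.47.0\r\n"
    "X-Forwarded-For: 192.168.5.6, 8.8.8.8\r\n"
    "Accept: */*\r\n"
    "\r\n"
)


def parse_headers(raw: str) -> Tuple[str, List[Tuple[str, str]]]:
    """Split a raw request into its request line and (name, value) header pairs."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return lines[0], headers


def xff_leaks(raw: str) -> List[str]:
    """Addresses in any X-Forwarded-For header (any case, any number of
    occurrences) that are private, loopback or link-local: the internal
    addressing the advisory says may be exposed when stripping fails."""
    leaks = []
    for name, value in parse_headers(raw)[1]:
        if name.lower() != "x-forwarded-for":
            continue
        for item in value.split(","):
            try:
                ip = ipaddress.ip_address(item.strip())
            except ValueError:
                continue            # malformed entry, not an address
            if ip.is_private or ip.is_loopback or ip.is_link_local:
                leaks.append(str(ip))
    return leaks


def strip_xff(raw: str) -> str:
    """Remove every X-Forwarded-For header line, whatever its case, leaving the
    request line, the other headers and the body untouched."""
    head, sep, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    kept = [lines[0]] + [l for l in lines[1:] if not l.lower().startswith("x-forwarded-for:")]
    return "\r\n".join(kept) + sep + body


if __name__ == "__main__":
    print("leaked internal addresses:", xff_leaks(SAMPLE_REQUEST))
    print("after stripping:", xff_leaks(strip_xff(SAMPLE_REQUEST)))
```

Run it against requests captured on the outside interface while the strip feature is enabled; any non-empty result from xff_leaks is evidence of the exposure. The parser deliberately ignores obsolete header folding (continuation lines), so a folded XFF header would need the lines joined first.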
Issue
A custom URL category for CSV files is added to a URL Filtering profile in order to monitor downloads of a CSV file from a server. However, when the CSV file is accessed and downloaded, no URL filtering log entry is generated.

Details
The following screenshot shows an example of the custom URL category for the CSV file:

The custom URL category is added to a URL Filtering profile:

The session information on the Palo Alto Networks firewall shows that the custom URL category has been detected:

    > show session all
    ---------------------------------------------------------------------
    ID      Application    State Type Flag  Src[Sport]/Zone/Proto Vsys Dst[Dport]/Zone
    ---------------------------------------------------------------------
    2       web-browsing   ACTIVE  FLOW      172.16.1.200[4001]/TapZone/6 vsys1 172.16.1.100[80]/TapZone

    > show session id 2
    Session 2
            c2s flow:
                    source:      172.16.1.200 [TapZone]
                    dst:         172.16.1.100
                    proto:       6
                    sport:       4001            dport:      80
                    state:       ACTIVE          type:       FLOW
            s2c flow:
                    source:      172.16.1.100 [TapZone]
                    dst:         172.16.1.200
                    proto:       6
                    sport:       80              dport:      4001
                    state:       ACTIVE          type:       FLOW
            start time                    : Fri Nov 30 06:47:06 2012
            timeout                       : 30 sec
            time to live                  : 21 sec
            total byte count(c2s)         : 4038
            total byte count(s2c)         : 45020
            layer7 packet count(c2s)      : 23
            layer7 packet count(s2c)      : 34
            vsys                          : vsys1
            application                   : web-browsing
            rule                          : URL Filtering     <- URL Filtering rule triggered
            session to be logged at end   : True
            session in session ager       : True
            session synced from HA peer   : False
            layer7 processing             : enabled
            URL filtering enabled         : True
            URL category                  : CSV               <- Custom URL category
            ingress interface             : ethernet1/3
            egress interface              : ethernet1/3

Resolution
Check the Content-Type of the HTTP response header sent by the web server. Example:

    HTTP/1.1 200 OK
    Server: Apache-Coyote/1.1
    expires: 0
    Content-Disposition: attachment;filename="download_test_file.csv"
    Content-Type: text/csv                  <- the Content-Type value is text/csv
    Pragma: no-cache
    Cache-control: max-age=0
    Connection: close
    Transfer-Encoding: chunked

The firewall writes URL filtering logs for the content types it treats as container pages, and text/csv is not among the configured container page types, which is why the download is categorized but not logged. To resolve the issue, add the text/csv content type to the Container Pages on the Palo Alto Networks firewall:
1. Navigate to the Device > Setup > Content-ID page.
2. Click Container Pages.
3. Click Add and add an entry for text/csv.

owner: kkondo
kkondo 09-02-2015 07:09 AM
Symptom
A custom URL category is used as matching criteria in a security rule. Traffic that does not match that rule falls through to a deny rule, and the user receives a URL Block Page (response page) even though the deny rule has no URL filtering profile attached. The Palo Alto Networks firewall writes only a traffic log; no URL filtering log is generated for the block page.

Cause
This is expected behavior, and the sessions show up as ordinary traffic logs. In the screenshot example below, the rules work as follows:
- The first rule allows DNS traffic.
- The second rule allows the custom URL category "google-custom-url", which contains *.google.com and therefore matches any site whose URL contains google.com.
- The third rule is a simple deny-any rule with no URL filtering profile.

A user browsing to facebook.com does not match the first rule (it is not DNS) or the second rule (the URL does not contain google.com), so the session matches the third rule and is denied. Because the URL category in the second rule can only be evaluated after the firewall has seen the HTTP request, the deny decision is made on an already-established web session, and the firewall answers it with the block page rather than silently dropping it, even though the deny rule has no URL filtering profile configured.

owner: hshah
hshah 09-02-2015 04:15 AM
Issue
An address object called "address_object" is created as Shared in Panorama, pushed to multiple devices, and used in local security policies on each of those devices. The object is then renamed to "address1_object" and the change is committed and pushed. The commit on Panorama succeeds, but the push to the device groups that use the shared object returns an error stating that the object is used in a rule on "<device name>".

Cause
When an object is renamed, the policies that use it are updated during the commit. Here the policy is local to the device while the object is pushed from Panorama. Panorama cannot update the local policy/rule on the device, so the validation check fails.

Resolution
There are three options:

Option 1: Move the security policies that reference the shared object into Panorama.

Option 2: Create a new address object with the new name, update the local policies to use it, and then delete the old address object.

Option 3: When pushing the configuration to the device/device group, open the advanced options and check the "Merge with Device Candidate Config" checkbox.

owner: jteetsel
panagent 09-02-2015 03:58 AM
Details
Although it is not possible to import a custom logo for the captive portal block page, the page can reference an image hosted on another site. The browser must be able to reach that image (the host must be allowed by policy, and should be served over HTTPS so the block page does not trigger mixed-content blocking) for this to work.

The example below uses a logo located at www.mysite.com/logo.jpg. Compared with a bare copy, the img tag is placed in the body rather than the head, and the src carries its scheme; without one the browser treats the value as a relative path on the response page's own origin and the logo never loads.

    <html>
    <head>
    <title>Web Page Blocked</title>
    <style>
    #content{border:3px solid #aaa;background-color:#fff;margin:40px;padding:40px;font-family:Tahoma,Helvetica,Arial,sans-serif;font-size:12px;}
    h1{font-size:20px;font-weight:bold;color:#196390;}
    b{font-weight:bold;color:#196390;}
    </style>
    </head>
    <body bgcolor="#e7e8e9">
    <div id="content">
    <img src="https://www.mysite.com/logo.jpg" alt="Logo">
    <h1>Web Page Blocked</h1>
    <p>Access to the web page you were trying to visit has been blocked in accordance with company policy. Please contact your system administrator if you believe this is in error.</p>
    <p><b>User:</b> <user/> </p>
    <p><b>URL:</b> <url/> </p>
    <p><b>Category:</b> <category/> </p>
    </div>
    </body>
    </html>

The <user/>, <url/> and <category/> tags are replaced by the firewall with the session's values when the page is served.

owner: panagent
nrice 08-28-2015 03:52 PM
Symptoms
When testing a Data Filtering profile configured to block credit card numbers, administrators may generate a file of arbitrary 16-digit numbers to check against the profile. If those numbers are not valid credit card number formats, the Data Filtering condition does not trigger an alert or block.

Issue
For security reasons, do not test with real, valid credit card numbers. Palo Alto Networks firewalls apply the Luhn algorithm to candidate numbers, which substantially reduces false positives but also means that random digit strings will not trigger the profile.

Solution
The following ten numbers were pseudo-randomly generated to pass the Luhn algorithm and were then checked against the ruleset on several firewalls to confirm that they trigger. They are MasterCard style, but suffice for a general credit card test:

    5376-4698-9386-4886
    5564-8017-1758-1316
    5464-9730-1302-5263
    5257-2750-0534-2578
    5564-9616-5310-6823
    5483-3128-3984-7229
    5352-9543-2663-9003
    5130-0484-5710-3076
    5210-3641-5712-1745
    5559-4615-4452-4711

owner: gwesson
gwesson 08-28-2015 07:27 AM
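Added example, not from the article above: a Python implementation of the Luhn check the article refers to. It validates the article's test numbers, generates fresh Luhn-valid MasterCard-style numbers for test files, and scans a constructed text excerpt the way a Luhn-checking pattern would, showing why an arbitrary 16-digit number does not count as a card number. Only the Luhn check itself is taken from the article; the regex, the sample text, the generator and the function names are this example's own.

```python
import random
import re
from typing import List, Optional, Tuple

# Constructed sample input (not from the article): an excerpt with one number
# taken from the article's Luhn-valid list and one arbitrary 16-digit number.
SAMPLE_TEXT = (
    "order 1187 paid with card 5376-4698-9386-4886 exp 11/19\n"
    "test value 1234-5678-9012-3456 should not trigger\n"
    "tracking id 4111 is too short to be a card number\n"
)

# 16 digits, optionally separated by single spaces or dashes, not part of a longer digit run.
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){15}\d(?!\d)")


def _digits(number: str) -> str:
    """Drop the separators the candidate regex tolerates."""
    return re.sub(r"[ -]", "", number)


def luhn_checksum(number: str) -> int:
    """Luhn sum of the full string (check digit included) modulo 10; 0 means valid."""
    total = 0
    for i, ch in enumerate(reversed(_digits(number))):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9          # same as summing the two digits of the product
        total += d
    return total % 10


def luhn_valid(number: str) -> bool:
    return luhn_checksum(number) == 0


def luhn_complete(prefix: str) -> str:
    """Append the check digit that makes prefix Luhn-valid."""
    check = (10 - luhn_checksum(prefix + "0")) % 10
    return _digits(prefix) + str(check)


def make_test_pan(iin: str = "5", rng: Optional[random.Random] = None) -> str:
    """Generate a Luhn-valid 16-digit test number under an issuer prefix
    (5 gives the MasterCard style used in the article's list)."""
    rng = rng or random.Random()
    body = iin + "".join(str(rng.randrange(10)) for _ in range(15 - len(iin)))
    return luhn_complete(body)


def find_pans(text: str) -> List[Tuple[str, bool]]:
    """Every 16-digit candidate in text with whether it passes Luhn, i.e. whether
    a Luhn-checking credit card pattern would count it as a hit."""
    return [(m.group(0), luhn_valid(m.group(0))) for m in _CANDIDATE.finditer(text)]


if __name__ == "__main__":
    for candidate, valid in find_pans(SAMPLE_TEXT):
        print(candidate, "Luhn-valid" if valid else "not a card number")
    print("fresh test number:", make_test_pan())
```

Generate a file of make_test_pan() values to exercise the profile; since Luhn is a checksum and not a card-issuer lookup, any number it produces is a test value, not a live account, which is the property the article's advice against using real cards relies on.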
Symptoms
Testing a URL with the test url command shows the correct category, but when a user visits the same web page, the logs categorize it as unknown. The issue persists even with the dynamic URL filtering option enabled in the URL filtering profile.

Issue
This can happen when a URL filtering profile is not configured on all of the security rules.

Example:
- Rule 1: User A is allowed anywhere on the internet, and no URL filtering profile is attached to this rule.
- Rule 2: A URL filtering profile set to 'deny access to' is attached.

When User A browses, Rule 1 matches all the connections, and because no URL filtering profile is attached to it, the logs carry no URL category for the websites that were accessed. The traffic logs show the source and destination IP addresses, but the URL filtering logs do not show those connections.

Resolution
Configure a URL filtering profile on every security rule where URL filtering is desired. A profile that allows everything can be created and applied to the rule that allows all categories (Rule 1 in the example below), while Rule 2 keeps the more restrictive profile.

Alternatively, a CLI setting makes the global dynamic-url setting apply to rules that have no URL filtering profile:

    > configure
    # set deviceconfig setting url dynamic-url yes
    # commit

This option is available beginning with PAN-OS 4.1.3. The URL cache must also be cleared for the new configuration to take effect going forward:

    > clear url-cache all

If clearing the URL cache does not help, delete the dynamic URL entries manually, either per host or all of them:

    > delete dynamic-url host <hostname>
    > delete dynamic-url all

Note: URL filtering logs are generated only when the action is set to Alert, Block or Continue.

owner: sdurga
sdurga 08-27-2015 07:44 PM
There is no way to allow exceptions within a File Blocking profile. The profile is type based: the firewall's decoders identify the file type from its content, not from the file's extension, so a single file cannot be exempted inside the profile.

Workaround
Create a custom URL category containing the source of the file and reference it in a dedicated security rule:
1. Go to Objects > Custom URL Category and enter the site that hosts the exe file.
2. Go to Policies > Security and create a rule that includes the custom URL category in the Service/URL Category tab, with a URL Filtering profile that allows that category. Do not attach the File Blocking profile that blocks exe files to this rule, but keep the antivirus and other threat profiles on it, since the exception otherwise becomes an uninspected download path.
3. Place this rule above the existing rule that blocks exe file types through its File Blocking profile.
4. Commit the configuration.

In the example, wrar420.exe is then downloaded via the rule "Allow winrar".

Another workaround is to develop a custom application signature for the download source and add it to the security rule.

owner: ppatel
ppatel ‎08-26-2015 05:56 PM
14,678 Views
5 Replies
1 Like
Symptom
A session is in the DISCARD state and a new policy is then added to allow that particular traffic. However, with "Rematch Session" enabled, that session does not change state from DISCARD to ACTIVE.

Cause
The session stays in the DISCARD state because the current rematch logic only re-evaluates ALLOW sessions; PAN-OS does not process an existing DISCARD session and change its state. Any future sessions will match the new policy and will be allowed rather than discarded.

Resolution
If packets are still hitting the existing DISCARD session, confirm its state with show session id <session id>, then clear that session so that a new one can be created and matched against the new policy:
> clear session <session id>

See Also
How Session Rematch Works

owner: kalavi
kalavi ‎08-26-2015 07:32 AM
4,970 Views
0 Replies
2 Likes
The following applications are recommended for inclusion in security policies on a Palo Alto Networks device to allow Cisco VPN:
ciscovpn
ike
ipsec-ah
ipsec-esp
ipsec-esp-udp (ESP encapsulated in UDP, used when the client is behind NAT)
ssl

ike, ipsec-esp and ciscovpn are almost always seen in the logs, while the other applications in the list are seldom seen.

owner: pvemuri
pvemuri ‎08-26-2015 06:21 AM
2,564 Views
0 Replies
Issue
Commit operations fail with the following error:
Error updating NAT IP pools failed to handle CONFIG_UPDATE_START.

Cause
The commit error is due to the current NAT configuration exceeding memory limitations on the device.

The NAT pool memory is allocated 50% for the current running config and 50% for a candidate config being committed. The memory is split 50/50 because the memory cannot be cleared and reallocated for the new candidate configuration; that operation would disrupt existing sessions which are using NAT. Any configuration being committed to the device must stay below the 50% limit of the NAT memory pool. If the 50% limit is exceeded, a new candidate configuration with modified NAT policies will experience a commit failure like the one encountered.

In PAN-OS 4.1.x, the process which validates that the configuration does not exceed the 50% limit is not implemented. As a result, NAT can be configured in a way that exceeds the limit, causing subsequent NAT changes to fail during the commit when memory is allocated.

In PAN-OS 5.0.x, a check is made prior to any commit to validate that the configured NAT policies will not exceed the 50% threshold. This added validation causes such a configuration on a PAN-OS 5.0 device to fail to commit even after a dataplane restart.

Resolution
1. Remove some NAT policies.
2. Reduce the IP address pool size in the NAT policies.

From : (in reference to Issue 48497)
Environments with a large number of NAT DIP/DIPP rules may experience an error condition committing or upgrading to PAN-OS 5.0: Error updating NAT IP pools failed to handle CONFIG_UPDATE_START. To help you reconfigure NAT rules to use less memory, information about memory usage has been added to the show running nat-policy CLI command, showing NAT rule memory usage by VSYS. You can either delete unnecessary NAT rules or compress NAT rules to reduce memory utilization. For example, you could compress DIPP NAT translation from a /27 address range to a /32 IP address.

owner: pvemuri
pvemuri ‎08-26-2015 06:18 AM
4,582 Views
0 Replies
1 Like
Symptom
A security policy configured with group matching from Active Directory (AD) on a Palo Alto Networks device stops working after modifications are made to the domain.

Details
The security policy on the Palo Alto Networks device uses the Distinguished Name (DN) in AD to match user groups. If the device cannot find the group that is used in the policy and the policy has not been updated accordingly, the GUI displays a user icon in front of the group name instead of the normal group icon. This indicates that the Palo Alto Networks device is treating the input value as a user rather than a group. Events in Active Directory that can cause the symptom include deletion of the group or a change in its DN path.

Resolution
Remove the group from the security policy and then reselect it from the drop-down list. The drop-down list contains group names with current and valid DN paths retrieved from AD.

owner: mdjeric
mdjeric ‎08-26-2015 05:52 AM
3,369 Views
0 Replies
Issue
When a next hop address list is specified in PBF, the commit fails with the following error message:
vsys1
  Error: pbf rule 'PBF': Source cannot be zone if nexthop list is specified.
  Error: pbf rule 'PBF': Fail to parse symmetric return.
  Error: Failed to parse pbf policy (Module: device)
Commit failed

Resolution
Under Policies > Policy Based Forwarding > Source > Type, zone is not supported as the source type when a next hop address list is used. Use Interface instead.

owner: mzhou
mizhou ‎08-26-2015 05:29 AM
2,114 Views
0 Replies
Issue
Rules have been added to block the Facebook application and there is no SSL decryption policy, yet Facebook is blocked. The traffic logs also show the application as 'facebook-base' rather than SSL.

Cause
Some websites, such as facebook.com, deliver their content over SSL, so the client PC establishes an SSL channel to facebook.com. Once the handshake completes, the firewall loses visibility into the payload and would only see the traffic as the generic application 'ssl'.

The firewall therefore inspects the client hello before the SSL handshake is completed. The server_name (SNI) extension of the client hello is sent in the clear, so no decryption is needed to read it. If the extension is server_name=www.facebook.com, the firewall immediately sends a TCP RST packet to the client, using the server's IP address as the source, to terminate the session. This is how the session is blocked and how the firewall identifies the application as 'facebook-base' rather than generic SSL.

owner: mzhou
panagent ‎08-25-2015 03:04 PM
5,927 Views
0 Replies
Issue
When the Palo Alto Networks device is configured to decrypt outbound traffic, iOS devices are unable to connect to the iTunes Store and App Store from their applications, even if the certificate used for decryption has been installed on the device and works for regular browsing.

The error returned on the iPhone or iPad is "Cannot connect to the iTunes Store."

Cause
The App Store and iTunes applications effectively pin the server certificate: they expect it to be signed by Apple and close the connection if it was signed by a different CA, including the forward trust CA the firewall uses to re-sign decrypted sessions.

Resolution
Create a custom URL category that contains all known FQDNs related to the iTunes Store and App Store (wildcards can be used). Note: for iOS 8 and later, also add "*.mzstatic.com" to the list.

Add a decryption policy rule that bypasses decryption (No Decrypt) for the custom URL category just created.

Note: While "itunes.apple.com" and "*.itunes.apple.com" should be enough to catch the iTunes and App Store related sites, others have been reported. The list might be incomplete and/or change over time.

owner: sberti
sberti ‎08-25-2015 02:59 PM
13,801 Views
7 Replies
2 Likes