Management Articles

Featured Article
Overview
When the User-ID Agent is used to identify users on the network, certain users can be excluded from the IP-to-user mapping. This is generally done for service accounts, whose logons would otherwise overwrite the mapping of the interactive user on a host, but any username can be listed.

Steps
1. Stop the User-ID service.
2. Create or modify the file ignore_user_list.txt in the directory where the User-ID Agent is installed. This file lists the users to be ignored, one username per line.
   Note: It is sometimes necessary to add two entries for each username, the plain username and the username prefixed with the NetBIOS domain name:
   user1
   mydomain\user1
3. Start the User-ID service.

Starting from PAN-OS 7.1 the ignore user list can also be configured for the agentless User-ID through the web UI.

See also
How to Add/Delete Users from Ignore User List using Agentless User-ID

owner: sspringer
sspringer ‎07-20-2018 09:45 AM
Overview
A schedule object lets a security policy rule apply its configured action to session traffic only at set times and days.

Steps
1. On the web UI, go to Objects > Schedules and click Add. Choose daily, weekly or non-recurring. To cover several days of the week, choose weekly and add a day of the week, start time and end time for each day; continue adding days until the list is complete.
   On the CLI:
   > configure
   # set schedule schedule-block-youtube recurring daily 09:00-18:00
2. Attach the schedule to a rule. On the web UI, go to Policies > Security, open the rule and select the schedule under Actions.
   On the CLI:
   > configure
   # set rulebase security rules block-youtube from L3-Trust to L3-Untrust source any destination any application youtube schedule schedule-block-youtube service any log-end yes action deny
3. Commit the change.

Note: Sessions that began before the scheduled start time are not affected by the rule unless session rematch is enabled (Device > Setup > Session) and a commit is performed when the schedule becomes active. That commit must be run manually, either with "commit force" from the CLI or by adding or modifying something in the policy so that the commit option becomes available in the web UI.

See Also
How to Create a Schedule that Spans Two Days

owner: panagent
nrice ‎02-22-2018 08:41 AM
Symptoms
When Policy Based Forwarding (PBF) is configured with the "Enforce Symmetric Return" option enabled but without a Next Hop Address, forwarding may fail intermittently.

See also: How to Configure Symmetric Return

Diagnosis
When the issue occurs, the return-MAC table has reached its maximum size, as shown by the show pbf return-mac all command:

user@firewall> show pbf return-mac all
current pbf configuation version:   1
total return nexthop addresses :    0
index   pbf id  ver  hw address          ip address                      return mac          egress port
--------------------------------------------------------------------------------
maximum of ipv4 return mac entries supported :     1000
total ipv4 return mac entries in table :           1000
total ipv4 return mac entries shown :              1000
status: s - static, c - complete, e - expiring, i - incomplete
pbf rule        id   ip address      hw address        port         status   ttl
--------------------------------------------------------------------------------

Note: The maximum number of entries this table supports depends on the firewall model and is not user configurable. To find the limit for your model, run show pbf return-mac all and read the "maximum of ipv4 return mac entries supported" line.

Solution
The issue occurs only when a PBF rule has symmetric return enabled but no Next Hop Address set. Configure a valid peer IP address in the Next Hop Address list to avoid it.

Add a Next Hop Address
Setting the Next Hop Address ensures that only the appropriate return MAC addresses are learned for symmetric return. The table is keyed by source IP address; in the output below every entry carries the same MAC address, one entry per address:

>show pbf return-mac all
maximum of ipv4 return mac entries supported : 16000
total ipv4 return mac entries in table : 12800
total ipv4 return mac entries shown : 12800
status: s - static, c - complete, e - expiring, i - incomplete
pbf rule   id   ip address   hw address          port         status   ttl
--------------------------------------------------------------------------------
symmectric 1    8.0.0.2      00:1b:17:05:f1:17   ethernet1/1  c        737
symmectric 1    8.0.0.3      00:1b:17:05:f1:17   ethernet1/1  c        742
symmectric 1    8.0.0.4      00:1b:17:05:f1:17   ethernet1/1  c        741
symmectric 1    8.0.0.5      00:1b:17:05:f1:17   ethernet1/1  c        743
symmectric 1    8.0.0.6      00:1b:17:05:f1:17   ethernet1/1  c        746
symmectric 1    8.0.0.7      00:1b:17:05:f1:17   ethernet1/1  c        743
symmectric 1    8.0.0.8      00:1b:17:05:f1:17   ethernet1/1  c        742
symmectric 1    8.0.0.9      00:1b:17:05:f1:17   ethernet1/1  c        741
symmectric 1    8.0.0.10     00:1b:17:05:f1:17   ethernet1/1  c        745
symmectric 1    8.0.0.11     00:1b:17:05:f1:17   ethernet1/1  c        746

Author: tsakurai
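The check described above can be scripted so that a table close to its model limit, or learned with no next hop configured, is flagged before forwarding starts to fail. The following is an added example, not code from the article or from Palo Alto Networks: it parses the text of show pbf return-mac all (the sample output embedded below is constructed to mirror the article's format, with the table at its limit) and reports the findings a practitioner would look for. The 90% threshold and the wording of the findings are the example's own choices.

```python
import re
from dataclasses import dataclass, field

# Constructed sample of `show pbf return-mac all` output, not captured from a
# real firewall. The header lines follow the article; the table is at its limit.
SAMPLE_OUTPUT = """\
current pbf configuation version:   1
total return nexthop addresses :    0
maximum of ipv4 return mac entries supported :     1000
total ipv4 return mac entries in table :           1000
total ipv4 return mac entries shown :              1000
status: s - static, c - complete, e - expiring, i - incomplete
pbf rule        id   ip address      hw address        port         status   ttl
--------------------------------------------------------------------------------
symmectric      1    8.0.0.2         00:1b:17:05:f1:17 ethernet1/1  c        737
symmectric      1    8.0.0.3         00:1b:17:05:f1:17 ethernet1/1  c        742
symmectric      1    8.0.0.4         00:1b:17:05:f1:17 ethernet1/1  e        12
"""

_FIELD = r"\s*:\s*(\d+)"
_ROW = re.compile(
    r"^(?P<rule>\S+)\s+(?P<id>\d+)\s+(?P<ip>\d+(?:\.\d+){3})\s+"
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\s+(?P<port>\S+)\s+"
    r"(?P<status>[scei])\s+(?P<ttl>\d+)\s*$", re.M)


@dataclass
class ReturnMacSummary:
    nexthops: int          # "total return nexthop addresses"
    max_entries: int       # model-specific limit, not configurable
    in_table: int
    entries: list = field(default_factory=list)   # one dict per learned entry

    @property
    def utilization(self) -> float:
        return self.in_table / self.max_entries if self.max_entries else 0.0


def _grab(text, label):
    m = re.search(re.escape(label) + _FIELD, text)
    if not m:
        raise ValueError(f"field not found in output: {label!r}")
    return int(m.group(1))


def parse_return_mac(text):
    """Parse the header counters and the per-entry table of the command output."""
    summary = ReturnMacSummary(
        nexthops=_grab(text, "total return nexthop addresses"),
        max_entries=_grab(text, "maximum of ipv4 return mac entries supported"),
        in_table=_grab(text, "total ipv4 return mac entries in table"),
    )
    summary.entries = [m.groupdict() for m in _ROW.finditer(text)]
    return summary


def diagnose(summary, warn_at=0.9):
    """Return human-readable findings; an empty list means nothing to report."""
    findings = []
    if summary.nexthops == 0 and summary.in_table > 0:
        findings.append("symmetric return without a Next Hop Address: "
                        "return MACs are being learned per source IP")
    if summary.utilization >= warn_at:
        findings.append(f"return-mac table at {summary.utilization:.0%} "
                        f"of the {summary.max_entries}-entry limit")
    distinct_macs = {e["mac"] for e in summary.entries}
    if summary.entries and len(distinct_macs) == 1:
        findings.append("all learned entries share one MAC address "
                        f"({distinct_macs.pop()}): the same next hop is stored "
                        "once per source IP")
    return findings


if __name__ == "__main__":
    for finding in diagnose(parse_return_mac(SAMPLE_OUTPUT)):
        print("WARNING:", finding)
```

Feed it the output of the command collected over SSH or from the XML API's op interface; run it on both HA peers, since the table is populated independently on each.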
tsakurai ‎02-02-2018 12:19 AM
This article describes the change in behaviour from PAN-OS 7.0 onward, where the 'deny' action in a security policy rule results in the application-specific default deny action.

From PAN-OS 7.0, a rule with action 'deny' is enforced using the default deny action defined for the matched application. For example, the default deny action for the application 'ssl' is 'drop-reset', which is listed in the traffic logs as 'reset-both'.

To check the default deny action of an application, refer to Applipedia or to Objects > Applications on the firewall web UI. In the application details for 'ssl', the 'Deny Action' is shown as 'drop-reset'.

In the previous PAN-OS version, 6.1, a security policy rule with action 'deny' was logged simply as 'deny'.

NOTE: Because of this change, logs and reports may show the action as 'reset-both' for traffic matched by a 'deny' rule. This is expected behaviour. If a silent drop is required regardless of application, use the explicit 'drop' action rather than 'deny'.

For more details on the security policy actions and options, refer to:
Granular Actions for Blocking Traffic in Security Policy
Configurable Deny Action

Available actions:
1. Deny
2. Allow
3. Drop
4. Reset client
5. Reset server
6. Reset both client and server
syadav ‎01-08-2018 06:53 AM
If you know the source IP address, the IP protocol number and, optionally, the destination IP address, the test command on the CLI searches the security policy rulebase and displays the best match:

Example:
> test security-policy-match source <source IP> destination <destination IP/netmask> protocol <protocol number>

The output shows which rule (the first hit, evaluated top down) would be applied to traffic matching the given source and destination addresses.

Additional options:
+ application       Application name
+ category          URL category name
+ destination-port  Destination port
+ from              Source zone
+ protocol          IP protocol value
+ show-all          Show all potential matching rules until the first allow rule
+ source-user       Source user
+ to                Destination zone

'destination' is a mandatory parameter; use 0.0.0.0/0 if the remote IP address is unknown, or a subnet if multiple hosts need to be included. The more of the optional fields you supply (zones, application, port, user), the closer the result is to what the dataplane does for real traffic; a lookup without them can match a broader rule than the actual session would.

owner: sjanita
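To make the first-match and show-all semantics concrete, here is an added example (not code from the article or from the firewall) that evaluates a small constructed rulebase the way the test command does: top down, first hit wins, and with show-all the lookup keeps listing matches until the first allow rule. The rule and zone names are made up, and a 0.0.0.0/0 destination is accepted just as the CLI accepts it. The lookup is offline and illustrates the ordering logic only; the firewall's own matcher has more fields (users, address groups, services) than this.

```python
import ipaddress
from dataclasses import dataclass

ANY = frozenset({"any"})


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                                   # allow, deny, drop, reset-client, ...
    from_zones: frozenset = ANY                   # source zones
    to_zones: frozenset = ANY                     # destination zones
    sources: tuple = ("0.0.0.0/0",)               # source addresses (CIDR)
    destinations: tuple = ("0.0.0.0/0",)          # destination addresses (CIDR)
    applications: frozenset = ANY
    protocols: frozenset = ANY                    # IP protocol numbers (6 = TCP, 17 = UDP)
    dports: frozenset = ANY                       # destination ports
    disabled: bool = False


def _overlaps(value, cidrs):
    """A bare IP is treated as a /32; a netmask such as 0.0.0.0/0 matches anything."""
    net = ipaddress.ip_network(value, strict=False)
    return any(net.overlaps(ipaddress.ip_network(c, strict=False)) for c in cidrs)


def _member(value, allowed):
    """Options not supplied to the test command (None) do not restrict the match."""
    return value is None or "any" in allowed or value in allowed


def matches(rule, flow):
    if rule.disabled:
        return False
    return (_member(flow.get("from"), rule.from_zones)
            and _member(flow.get("to"), rule.to_zones)
            and _overlaps(flow["source"], rule.sources)
            and _overlaps(flow["destination"], rule.destinations)
            and _member(flow.get("application"), rule.applications)
            and _member(flow["protocol"], rule.protocols)
            and _member(flow.get("destination-port"), rule.dports))


def security_policy_match(rulebase, flow, show_all=False):
    """Top-down, first-match lookup. With show_all the lookup keeps collecting
    matching rules and stops at the first allow rule, mirroring + show-all."""
    hits = []
    for rule in rulebase:
        if matches(rule, flow):
            hits.append(rule.name)
            if not show_all or rule.action == "allow":
                break
    return hits


# Constructed rulebase for the example; the zone and rule names are made up.
RULEBASE = (
    Rule("deny-rdp-to-dmz", "deny", to_zones=frozenset({"dmz"}),
         protocols=frozenset({6}), dports=frozenset({3389})),
    Rule("allow-trust-to-dmz", "allow", from_zones=frozenset({"trust"}),
         to_zones=frozenset({"dmz"}), destinations=("10.10.10.0/24",)),
    Rule("allow-web", "allow", from_zones=frozenset({"trust"}),
         to_zones=frozenset({"untrust"}),
         applications=frozenset({"web-browsing", "ssl"}),
         protocols=frozenset({6}), dports=frozenset({80, 443})),
    Rule("deny-all", "deny"),
)

if __name__ == "__main__":
    flow = {"source": "192.168.8.136", "destination": "10.10.10.0/24",
            "protocol": 6, "from": "trust", "to": "dmz", "destination-port": 3389}
    print(security_policy_match(RULEBASE, flow))                 # first hit only
    print(security_policy_match(RULEBASE, flow, show_all=True))  # up to first allow
```

The second call is the interesting one: it shows that the RDP traffic is caught by the deny rule before it ever reaches the broader allow, which is exactly the ordering question the test command is used to settle.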
sjanita ‎01-08-2018 05:18 AM
Issue
Server Message Block (SMB) traffic is blocked and the Windows Explorer window hangs while accessing a shared folder.

Cause
This happens when the security rule matched by the SMB session carries a file blocking profile with a block action.

Details
Under Policies > Security, when a session passing through the Palo Alto Networks firewall matches an allow rule, the action and the security profiles attached to that rule are applied. In the example below, the matched rule is "allow_all", which has a file blocking profile attached.

The file blocking profile blocks all PE files (which includes .exe and .msi). Any file in the session that matches the blocked type puts the whole session into the discard state.

As soon as a user opens a shared folder that contains an .exe file, the SMB session goes into the discard state and no other files can move between the two machines over that session.

> show session all filter destination 10.193.17.10

--------------------------------------------------------------------------------
ID          Application    State   Type Flag  Src[Sport]/Zone/Proto (translated IP[Port])
Vsys                                          Dst[Dport]/Zone (translated IP[Port])
--------------------------------------------------------------------------------
152568       ms-ds-smb      DISCARD FLOW  NS   192.168.8.136[49158]/Trust-L3/6  (10.193.17.8[32047])
vsys1                                          10.193.17.10[445]/Untrust-L3  (10.193.17.10[445])

The following example shows the session set to discard by the security policy check:

> show session id 152568

Session          152568
        c2s flow:
                source:      192.168.8.136 [Trust-L3]
                dst:         10.193.17.10
                proto:       6
                sport:       49158           dport:      445
                state:       INIT            type:       FLOW
                src user:    unknown
                dst user:    unknown
        s2c flow:
                source:      10.193.17.10 [Untrust-L3]
                dst:         10.193.17.8
                proto:       6
                sport:       445             dport:      32047
                state:       INIT            type:       FLOW
                src user:    unknown
                dst user:    unknown
        start time                    : Thu Apr 17 17:12:56 2014
        timeout                       : 90 sec
        total byte count(c2s)         : 44292
        total byte count(s2c)         : 50073
        layer7 packet count(c2s)      : 182
        layer7 packet count(s2c)      : 176
        vsys                          : vsys1
        application                   : ms-ds-smb
        rule                          : allow_all
        session to be logged at end   : True
        session in session ager       : False
        session synced from HA peer   : False
        address/port translation      : source + destination
        nat-rule                      : NAT_all_inside_to_out(vsys1)
        layer7 processing             : completed
        URL filtering enabled         : True
        URL category                  : any
        session via syn-cookies       : False
        session terminated on host    : False
        session traverses tunnel      : False
        captive portal session        : False
        ingress interface             : ethernet1/2
        egress interface              : ethernet1/1
        session QoS rule              : N/A (class 4)
        tracker stage firewall        : mitigation block cont url

As soon as the folder is opened, the SMB session goes into the discard state. If the same folder also contains .txt files, copying them fails, because the SMB session has already been discarded. This happens even though there is no blocking rule for .txt files.

The user experiences this as Windows Explorer hanging and not returning any results after the share folder was opened.

The global counters confirm this as well; the counters of interest are session_discard and ctd_detector_discard:

> show counter global filter packet-filter yes delta yes

Global counters:
Elapsed time since last sampling: 58.678 seconds

name                                   value     rate severity  category  aspect    description
--------------------------------------------------------------------------------
pkt_recv                                1511       25 info      packet    pktproc   Packets received
pkt_sent                                 349        5 info      packet    pktproc   Packets transmitted
session_allocated                          2        0 info      session   resource  Sessions allocated
session_installed                          2        0 info      session   resource  Sessions installed
session_discard                            4        0 info      session   resource  Session set to discard by security policy check
flow_fwd_mtu_exceeded                     21        0 info      flow      forward   Packets lengths exceeded MTU
flow_ipfrag_frag                          42        0 info      flow      ipfrag    IP fragments transmitted
flow_host_pkt_xmt                       1248       21 info      flow      mgmt      Packets transmitted to control plane
flow_host_vardata_rate_limit_ok         1227       20 info      flow      mgmt      Host vardata not sent: rate limit ok
appid_ident_by_dport                       1        0 info      appid     pktproc   Application identified by L4 dport
appid_proc                                 2        0 info      appid     pktproc   The number of packets processed by Application identification
appid_use_dfa_1                            2        0 info      appid     pktproc   The number of packets using the second DFA table
appid_skip_terminal                        2        0 info      appid     pktproc   The dfa result is terminal
nat_dynamic_port_xlat                      2        0 info      nat       resource  The total number of dynamic_ip_port NAT translate called
dfa_sw                                   326        5 info      dfa       pktproc   The total number of dfa match using software
ctd_run_pattern_match_failure              2        0 info      ctd       pktproc   Run pattern match failure
aho_sw                                   507        8 info      aho       pktproc   The total usage of software for AHO
ctd_appid_reassign                         5        0 info      ctd       pktproc   appid was changed
ctd_pkt_slowpath                         318        5 info      ctd       pktproc   Packets processed by slowpath
ctd_detector_discard                       2        0 info      ctd       pktproc   session discarded by detector
log_pkt_diag_us                        23585      401 info      log       system    Time (us) spend on writing packet-diag logs
--------------------------------------------------------------------------------
Total counters shown: 21
--------------------------------------------------------------------------------

Resolution
This is expected behaviour because of the nature of SMB: a single session carries every file transferred from the share, so one blocked file takes the whole session down. If a security rule with a file blocking profile applies to SMB sessions, it is best not to mix file types that are meant to be blocked with files that are allowed on the same share.

owner: ialeksov
ialeksov ‎12-06-2017 08:24 AM
Question
Can any pre-defined or custom application be used with PBF?

Answer
For a PBF rule to work, only the source zone or interface is required.

In the destination, applications can be configured, but only pre-defined applications can be added. Custom applications, application filters and application groups cannot be used in a PBF rule.

Furthermore, as noted in the Admin Guide, application-specific rules are not recommended with PBF:

PBF rules are applied either on the first packet (SYN) or on the first response to the first packet (SYN/ACK). This means that a PBF rule may be applied before the firewall has enough information to determine the application. Therefore, application-specific rules are not recommended for use with PBF. Whenever possible, use a service object, which is the Layer 4 port (TCP or UDP) used by the protocol or application.

If you do specify an application in a PBF rule, the firewall performs App-ID caching. When an application passes through the firewall for the first time, the firewall does not have enough information to identify it and therefore cannot enforce the PBF rule. As more packets arrive, the firewall determines the application, creates an entry in the App-ID cache and retains this App-ID for the session. When a new session is created with the same destination IP address, destination port and protocol ID, the firewall can identify the application as the same as the initial session (based on the App-ID cache) and apply the PBF rule. As a result, a session that is not an exact match and is not the same application can be forwarded based on the PBF rule.

Further, applications have dependencies, and the identity of the application can change as the firewall receives more packets. Because PBF makes its routing decision at the start of a session, the firewall cannot enforce a change in application identity. YouTube, for example, starts as web-browsing but changes to Flash, RTSP or YouTube based on the links and videos on the page. With PBF, because the firewall identifies the application as web-browsing at the start of the session, the later change in application is not recognised.

Observation: The list of applications offered in a PBF rule is not the full application list, because some applications require more packets to be identified than PBF has available. You can check the available list under Policies > Policy Based Forwarding > Destination/Application/Services.
mdumitriu ‎11-26-2017 11:14 AM
Issue:
The SSL decryption opt-out page is displayed the first time a user browses to an SSL-encrypted site, and is not displayed again for an extended period. How can this period be reduced so that the opt-out page is displayed more frequently?

Resolution:
By design, the user's choice to opt out is honoured for a fixed period of 24 hours, and this period cannot be changed. To test the opt-out page repeatedly, use a different device, a different source IP address or a different user.

owner: jwoodburn
panagent ‎11-14-2017 06:19 AM
Overview
This document describes how to identify decryption failures caused by an unsupported cipher suite.

Check the compatibility matrix to confirm the currently supported cipher suites: Supported Cipher Suites

Issue
In this example, SSL forward proxy decryption fails because the server only supports Diffie-Hellman (DH) and Elliptic Curve Ephemeral Diffie-Hellman (ECDHE) cipher suites, which the PAN-OS version in the example does not offer (supported suites depend on the PAN-OS release; see the matrix). Follow these steps to confirm the issue:
1. Run a packet capture on the Palo Alto Networks device (see How to Run a Packet Capture).
2. Examine the Client Hello packets sent by the client and the response packets sent by the server. Look for a "Handshake Failure" alert from the server.
3. Note the cipher suites offered by the client, or by the Palo Alto Networks device, in the Client Hello.
4. Use the SSL scan tool https://www.ssllabs.com/ssltest/index.html to find out which cipher suites the server supports.
If the server supports none of the suites offered in the Client Hello, the failure is due to unsupported cipher suites.

Resolution
Create a No Decrypt policy for the site:
1. Create a custom URL category for the site. Go to Objects > URL Category, click Add, name the category, click Add again, add the server's site and commit.
2. Create a decryption rule with the No Decrypt action for that category. Go to Policies > Decryption, select the existing decryption rule and clone it. Move the cloned rule above the original. Open the cloned rule, go to URL Category, click Add, add the custom category and commit.
Keep the custom category as narrow as possible: everything it matches is exempted from inspection.

owner: ssastera
ssastera ‎11-14-2017 06:11 AM
Issue
With inbound SSL decryption, after the required configuration and import of all required certificates, inbound decryption is not working for the web server.

Similarly, with SSL forward proxy, sessions are either not decrypted and continue to show as application "ssl", or are not allowed through as application "ssl" and are interrupted instead.

Check the compatibility matrix to see which cipher suites are supported for each PAN-OS release and feature: Supported Cipher Suites

Use the following CLI command to look for the drop counter:
> show counter global filter delta yes | match ssl_sess_id_resume_drop

From PAN-OS 6.0 onward, the show counter global command reports when a cipher suite is unsupported. With a packet-capture filter applied and using delta counters:
> show counter global filter packet-filter yes delta yes
or
> show counter global filter delta yes | match "ssl_server_cipher_not_supported"

...
ssl_server_cipher_not_supported   2   0   warn   ssl   pktproc   The cipher chosen by server is not supported

Resolution
Disable the unsupported cipher suites on the web server. For inbound inspection the reason is cryptographic: with a forward-secret (DHE or ECDHE) key exchange, the session key cannot be derived from the server's private key alone, so a suite the firewall does not support has to be removed on the server side.

See Also
Palo Alto Networks Supported SSL/TLS Version and Cipher Suites for Web UI

owner: panagent
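Both the SMB file-blocking article above and this one come down to reading show counter global output for a handful of named counters. The following added example (not code from the articles or from Palo Alto Networks) parses that output into records and returns the counters worth a second look: the ones the two articles name, plus anything the firewall itself rates above info severity. The embedded output is constructed from the rows shown in the articles with illustrative values; the watchlist and the triage rule are the example's own choices.

```python
import re
from collections import namedtuple

Counter = namedtuple("Counter", "name value rate severity category aspect description")

# Column layout of `show counter global`: name, value, rate, severity, category,
# aspect, free-text description.
_ROW = re.compile(r"^(\S+)\s+(\d+)\s+(\d+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(.+?)\s*$")


def parse_global_counters(text):
    """Return {name: Counter} for every counter row; header and separator
    lines do not match the column pattern and are skipped."""
    counters = {}
    for line in text.splitlines():
        m = _ROW.match(line.strip())
        if m:
            name, value, rate, sev, cat, aspect, desc = m.groups()
            counters[name] = Counter(name, int(value), int(rate), sev, cat, aspect, desc)
    return counters


# Counters named in the articles on this page as the ones to look for.
WATCHLIST = frozenset({
    "session_discard",                   # session set to discard by security policy check
    "ctd_detector_discard",              # session discarded by content inspection
    "ssl_server_cipher_not_supported",   # server chose a cipher the proxy cannot handle
    "ssl_sess_id_resume_drop",
})


def triage(counters, watchlist=WATCHLIST):
    """Counters that increased in the delta window and are either watchlisted
    or not of 'info' severity, in the order the firewall printed them."""
    return [c for c in counters.values()
            if c.value > 0 and (c.name in watchlist or c.severity != "info")]


# Constructed delta output: the first rows follow the SMB article, the ssl_*
# row the decryption article; the values are illustrative.
SAMPLE = """\
Global counters:
Elapsed time since last sampling: 58.678 seconds

name                                   value     rate severity  category  aspect    description
--------------------------------------------------------------------------------
pkt_recv                                1511       25 info      packet    pktproc   Packets received
session_installed                          2        0 info      session   resource  Sessions installed
session_discard                            4        0 info      session   resource  Session set to discard by security policy check
flow_fwd_mtu_exceeded                     21        0 info      flow      forward   Packets lengths exceeded MTU
ctd_detector_discard                       2        0 info      ctd       pktproc   session discarded by detector
ssl_server_cipher_not_supported            2        0 warn      ssl       pktproc   The cipher chosen by server is not supported
log_pkt_diag_us                        23585      401 info      log       system    Time (us) spend on writing packet-diag logs
--------------------------------------------------------------------------------
Total counters shown: 7
--------------------------------------------------------------------------------
"""

if __name__ == "__main__":
    for c in triage(parse_global_counters(SAMPLE)):
        print(f"{c.name:35} {c.value:6}  {c.severity:5}  {c.description}")
```

Run it against the output of show counter global filter packet-filter yes delta yes taken while the packet filter is scoped to the affected client and server, so that the counters belong to the session you are investigating.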
panagent ‎11-10-2017 04:03 AM
Overview
This document describes how to move security rules from the CLI.

Details
The CLI offers the same move options as the web UI.

If only one vsys is in use:
> configure
# move rulebase security rules <rulename> <action>
# commit

If more than one vsys is in use:
> configure
# move vsys <vsys#> rulebase security rules <rulename> <action>
# commit

The actions are after, before, bottom and top. The after and before actions take the name of the rule to position relative to, for example:
# move rulebase security rules <rulename> before <other-rulename>

In the following example there are three security rules configured. To move the third rule, DMZ-Trust, to the top of the rulebase, enter:
> configure
# move rulebase security rules DMZ-Trust top
# commit

Because the rulebase is evaluated top down with first match, check the new position with show rulebase security rules in configuration mode before committing, then verify after the commit that the rule has moved to the top.

owner: ashaikh
ashaikh ‎10-23-2017 02:40 PM
Overview
A Palo Alto Networks firewall can be configured as a collector that redistributes user mapping information to other Palo Alto Networks firewalls on the network. This document describes how to configure the redistribution firewall and verify the configuration from the CLI.

Note: Only user mapping information collected by the agentless User-ID (PAN-OS User Mapping) feature is redistributed to the other firewalls. If several firewalls need to pull mappings from the collector, each of them must specify the collector name in its User-ID Agents tab. The collector does not redistribute mappings learned from terminal server agents; this is expected behaviour.

Steps
Configure the collector:
1. Navigate to Device > User Identification.
2. In the User Mapping tab, click the edit icon.
3. On the Redistribution tab, enter a Collector Name and a Pre-Shared Key. The firewalls that pull user mapping information use these values to authenticate.
4. Check that the Collector Name is shown on the Device > User Identification > User Mapping tab. In this example, user mapping has also been configured for an Active Directory server.
5. Ensure the User-ID service is enabled in an Interface Management profile: navigate to Network > Network Profiles > Interface Mgmt, open the profile applied to the appropriate interface (or add a new profile) and enable the User-ID service in it.
   Note: If a dataplane interface is used, configure a service route for the UID Agent service on that interface.
6. Commit the changes. This completes the configuration of the collector.

Configure a firewall to retrieve the IP-user mappings from the collector:
1. Navigate to Device > User Identification > User-ID Agents.
2. Click Add and fill in the fields. The Collector Name and Pre-Shared Key must match those on the collector. The firewall connects to the collector on TCP port 5007; this port cannot be changed, so make sure it is permitted from each receiving firewall to the collector's interface.
3. Commit the changes.
The user mappings from the collector will appear on the firewall.

Verification
The following CLI commands verify that the collector service is up and that the user mapping information is received on the other firewalls.
On the collector, display the status of the User-ID service:
> show user user-id-service status
Display the clients (firewalls) connected to the collector:
> show user user-id-service client all
Display the IP-user mapping on the collector:
> show user ip-user-mapping all
On the firewall that receives information from the collector, display the IP-user mapping:
> show user ip-user-mapping all

See also
User-ID Best Practices - PAN-OS
The collector also redistributes user-IP mappings learned through GlobalProtect: GlobalProtect Users Appear as Coming From User-ID Agent in IP-User Mapping

owner: sdarapuneni
zarina ‎10-04-2017 11:59 AM
Steps
To create a schedule that spans more than one day, for example from 10 pm to 5 am:
1. Create a schedule under Objects > Schedules. A schedule that spans past midnight must be split into a PM range and an AM range: 22:00-23:59 and 00:00-05:00.
2. Add the schedule to a rule under the Policies tab: open the rule's Options (Actions) for the security policy and select the schedule.

To display the schedule setting, run:
admin@myNGFW# show schedule
(add 'shared|vsys1|vsys2|...' for multi-vsys)
schedule {
  multiday {
    schedule-type {
      recurring {
        daily [ 22:00-23:59 00:00-05:00];
      }
    }
  }
}
[edit]

If a single range spanning midnight is entered (e.g. start 22:00, end 05:00), the firewall rejects it with the error "End time is earlier than start time".

owner: kkondo
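Both the scheduling article earlier on this page and this one hinge on the same detail: a daily window that crosses midnight has to be expressed as two ranges, or the firewall rejects it. The added example below (not code from the articles or from Palo Alto Networks) turns a start and end time into the member ranges the schedule needs, reproduces the end-before-start check so a bad range fails before it reaches the device, and renders the result in the tree that show schedule prints, as a configure-mode set command and as an XML element. The set command form with schedule-type and the bracketed list, and the assumption that the same tree is what the configuration API expects, follow the show schedule output in the article rather than anything verified here.

```python
import xml.etree.ElementTree as ET


def to_minutes(hhmm):
    """Parse HH:MM into minutes since midnight, rejecting out-of-range values."""
    hours, minutes = (int(part) for part in hhmm.split(":"))
    if not (0 <= hours <= 23 and 0 <= minutes <= 59):
        raise ValueError(f"invalid time of day: {hhmm!r}")
    return hours * 60 + minutes


def check_member(member):
    """The check the firewall applies to one HH:MM-HH:MM range: the end must
    not be earlier than the start, so a range that wraps past midnight fails."""
    start, end = member.split("-")
    if to_minutes(end) < to_minutes(start):
        raise ValueError("End time is earlier than start time")
    return True


def daily_members(start, end):
    """Return the range(s) a daily schedule needs to cover start..end.
    A window that crosses midnight is split at 23:59 / 00:00."""
    s, e = to_minutes(start), to_minutes(end)
    if s == e:
        raise ValueError("start and end are equal; use 00:00-23:59 for all day")
    if s < e:
        return [f"{start}-{end}"]
    return [f"{start}-23:59", f"00:00-{end}"]


def schedule_xml(name, members):
    """Build the schedule entry in the layout `show schedule` prints, as XML
    (assumed to be the element the configuration API expects for a schedule)."""
    entry = ET.Element("entry", name=name)
    recurring = ET.SubElement(ET.SubElement(entry, "schedule-type"), "recurring")
    daily = ET.SubElement(recurring, "daily")
    for member in members:
        check_member(member)           # fail early with the firewall's own error
        ET.SubElement(daily, "member").text = member
    return ET.tostring(entry, encoding="unicode")


def set_command(name, members):
    """Configure-mode command with the same tree; [ ... ] is the CLI list syntax."""
    for member in members:
        check_member(member)
    return f"set schedule {name} schedule-type recurring daily [ {' '.join(members)} ]"


if __name__ == "__main__":
    members = daily_members("22:00", "05:00")
    print(set_command("multiday", members))
    print(schedule_xml("multiday", members))
```

Note that the split leaves the minute between 23:59 and 00:00 formally uncovered; the article does not say whether the firewall treats 23:59 as inclusive, so check the behaviour on your release if a rule must hold continuously across midnight.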
panagent ‎09-28-2017 02:13 AM
Issue
When committing templates from Panorama to the firewall, the following error is encountered:
Template configuration administratively disabled

Cause
When a Palo Alto Networks firewall is managed by Panorama, it is recommended to commit Panorama templates to the device first, so that the existing Panorama policies work on the newly upgraded firewall. The message above means that templates have not yet been enabled on the firewall.

Resolution
On the firewall web UI, enable Panorama templates:
1. Go to Device > Setup > Management > Panorama Settings.
2. Click "Enable Device and Network Template" and click OK, then click OK on the confirmation window. No commit is needed.
3. From Panorama, commit the templates to the firewall. Once this completes, the templates have been applied.
4. Proceed with the normal policy commit from Panorama.

From the CLI
The Device and Network Template can also be enabled on the firewall CLI:
> set system setting template enable

owner: jdelio
‎08-08-2017 12:45 PM
Sometimes we need to find which security policy rules have a given security profile applied, log at session start or end, or are disabled. The policy search bar accepts filter expressions of the form <field path> eq <value>, where the path mirrors the rule's configuration tree.

To search for security rules where:
- Antivirus profile AV1 is applied: profile-setting/profiles/virus/member eq AV1
- URL filtering profile UF1 is applied: profile-setting/profiles/url-filtering/member eq UF1
- Anti-spyware profile AS1 is applied: profile-setting/profiles/spyware/member eq AS1
- Vulnerability protection profile VP1 is applied: profile-setting/profiles/vulnerability/member eq VP1
- File blocking profile FB1 is applied: profile-setting/profiles/file-blocking/member eq FB1
- A profile group is applied: profile-setting/group/member eq name-of-group
- Log at session start is selected: log-start eq yes
- Log at session end is selected: log-end eq yes
- A schedule is attached (quote names containing spaces): schedule eq "Lunch time"
- The rule is disabled: disabled eq yes
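The reason these filter strings look like paths is that they are relative paths into each rule's configuration XML. The added example below (not code from the article or from Palo Alto Networks) uses that fact to run the same eq filters offline against an exported rulebase, which is handy for auditing a saved configuration without logging in; the rulebase fragment is constructed for the example and only the eq operator from the article is implemented. It also normalises the curly quotes that copy-pasting a filter from a document tends to introduce.

```python
import shlex
import xml.etree.ElementTree as ET

# Constructed security rulebase fragment in the firewall's configuration XML
# layout (not exported from a real device). The filter paths in the article are
# relative to each rule <entry>, which is why the same strings work here.
RULES_XML = """\
<rules>
  <entry name="allow-web">
    <profile-setting><profiles>
      <virus><member>AV1</member></virus>
      <url-filtering><member>UF1</member></url-filtering>
    </profiles></profile-setting>
    <log-end>yes</log-end>
  </entry>
  <entry name="lunch-block">
    <schedule>Lunch time</schedule>
    <log-start>yes</log-start>
    <log-end>yes</log-end>
  </entry>
  <entry name="old-rule">
    <disabled>yes</disabled>
    <profile-setting><group><member>strict-group</member></group></profile-setting>
  </entry>
</rules>
"""


def parse_filter(expr):
    """Split '<path> eq <value>' into (path, value). Values with spaces must be
    quoted; curly quotes pasted from a document are normalised first."""
    expr = expr.replace("\u201c", '"').replace("\u201d", '"')
    parts = shlex.split(expr)
    if len(parts) != 3 or parts[1] != "eq":
        raise ValueError(f"unsupported filter: {expr!r}")
    return parts[0], parts[2]


def find_rules(rules_xml, expr):
    """Names of the rules whose element at <path> has text equal to <value>."""
    path, value = parse_filter(expr)
    root = ET.fromstring(rules_xml)
    hits = []
    for entry in root.findall("entry"):
        texts = [el.text.strip() for el in entry.findall(path) if el.text]
        if value in texts:
            hits.append(entry.get("name"))
    return hits


if __name__ == "__main__":
    for f in ("profile-setting/profiles/virus/member eq AV1",
              "disabled eq yes",
              "schedule eq \u201cLunch time\u201d"):
        print(f"{f!r:55} -> {find_rules(RULES_XML, f)}")
```

To use it on a real device, export the running configuration and pass the rules element (the one containing the security rule entries) as rules_xml.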
pankaku ‎06-20-2017 01:12 AM
Overview
This document provides resources for obtaining support from Palo Alto Networks, including how to use the Customer Support Portal, how to manage support cases online, and tips on using the online community.

Customer Support Portal and Case Management
Quick Reference Guide: Welcome to Support
  This PDF document includes: how to create your user account on the Customer Support Portal; how to register your Palo Alto Networks assets, including products and licenses; links to online tools and helpful resources; how to escalate your case; global support numbers.
How to Open a Case with Technical Support
  Details how to open a support case by web or phone.
Support Portal: User Documents
  Links to articles and videos on how to navigate and use the features of the Customer Support Portal. Related: Support Portal FAQs
Supported Browsers
  Lists the supported web browsers for the Customer Support Portal and the online Palo Alto Networks Community.

Palo Alto Networks Community
Community Disclaimer
  If you are a first-time user of the community, please read this brief document. Related: Palo Alto Networks Terms of Use
Tour the New Live Community (video)
  Video overview of the Live Community: how to navigate, search and subscribe to areas of the community.
Getting Around in the Live Community
  Getting-started article about where things are in the Live Community and how to navigate and search.
How to Change Your Community Display Name
  Describes how to change your display name, or username, on the community.
How to Keep Your Personal Content Private
  Shows how to select the options that control the visibility of your private content.
How to Receive Email Notification for Community Announcements
  Describes how to configure your settings to receive email notifications of community announcements.
Supported Browsers
  Lists the supported web browsers for the Customer Support Portal and the online Palo Alto Networks Community.
panagent ‎06-01-2017 08:52 AM
Symptoms

This document provides a walkthrough of policy enforcement based on user groups retrieved from Active Directory.

Pre-requisites

You should have a working knowledge of:
- Active Directory
- The User-ID feature on the Palo Alto Networks firewall

Components Used

The information in this document is based on these software and hardware versions:
- Palo Alto Networks VM firewall running PAN-OS 7.1.7
- Active Directory Services running on a Microsoft Windows Server 2012 R2 server, configured as a domain controller

The information in this document was created from the devices in a specific lab environment. If your network is live, make sure that you understand the potential impact of any command.

Consider a security policy configured with groups retrieved from Active Directory domain controllers using LDAP. The policy appears as below, with the groups configured under the "user" section. Let us take a look at how the PAN firewall enforces policies based on the groups configured in the security policies.

Diagnosis

Workflow

1. The firewall performs a top-down lookup through the policy rulebase to find a match and uses the group as one of the key fields.

2. The User-ID feature on the Palo Alto Networks firewall maps usernames to IP addresses. It takes the IP address from the source IP address field of the IP header of packets ingressing on a security zone of the firewall where User-ID is enabled. Consider the security policy above, which is configured with the groups named "captive portal" and "sme_group" retrieved from Active Directory using LDAP under the "user" section. In the above example the security policy is configured from zone "dmz" or "trust", hence it is imperative that User-ID be enabled on these security zones.

3. Once enabled, the firewall attempts to resolve the username for every IP address during the session installation phase, also known as the 'slowpath'. For username-to-IP mapping it may leverage any of the methods such as the software-based User-ID agent, PAN-OS (agentless) User-ID, Syslog, the XML API or Captive Portal.

4. Once the firewall gets the username corresponding to the source IP address of the packet, the next step is to determine the groups to which this user belongs. In most enterprises the firewall retrieves groups from Active Directory domain controllers using LDAP.

5. Now it compares the username from the username-to-IP cache with the username in the group-mapping cache on the data plane.

6. If the username matches exactly between the two caches, the firewall can associate the IP address with its username and its corresponding group membership. With the group name or membership retrieved, it can perform a top-down policy lookup to find a matching policy.

Solution

Troubleshooting and Checklist

1. Ensure that groups are retrieved from Active Directory. In this scenario the two groups, namely captive_portal and sme_group, are retrieved from Active Directory.

2. Check the membership within these groups. Here you can explicitly look for the users which are part of the group "sme_group", or similarly for "captive_portal".

3. The group-mapping cache shows the membership of the users in the respective groups they belong to in Active Directory.

4. Note the username and its format in the user-to-IP cache on the data plane (DP). It is the same as the one in the group-mapping cache. Since the username "test\testuser" in the IP-user cache matches exactly with the username in the group-mapping cache, the firewall can find all the policies where these groups are being used. Look closely at the "Groups that the user belongs to (used in policy)" section and the groups under it. It lists all the groups to which the user "test\testuser" belongs and which are referenced in the policies. If the usernames were a mismatch, these groups would not be present.

Please refer to Avoid fetching duplicate groups in group-mapping profile for more information on this.
kbiswas ‎05-04-2017 12:09 PM
3,456 Views
0 Replies
To create a custom report to see the least used rules based on the number of bytes/packets, go through the following steps.

Steps

1. Create a custom report from Monitor > Manage Custom Reports and click Add.
2. Click Load Template and select "Top security rules".
3. Set Database to Traffic Log.
4. The Selected Columns on the right must contain "Rules", "Bytes" and "Count" only.
5. Set Time Frame as desired.
6. Sort by "Bytes" or "Packets". All other options can be left as is.
7. You can schedule the report or hit "Run now" to get the report instantly.

The output of the report should be similar to the one below.

owner: aciobanu
aciobanu ‎03-17-2017 07:06 AM
9,220 Views
5 Replies
Details

Creating a vulnerability exception adds an exemption for all the traffic matched by the security rule; it functions globally for all the IP addresses in the subnets referenced by that rule. However, it is also possible to narrow the exemption to one particular source and one particular destination within the subnets referenced by the security rule.

Use the IP Address Exemptions column to add IP address filters to a threat exception. If IP addresses are added to a threat exception, the exception action for that signature overrides the rule's action only if the signature is triggered by a session whose source or destination IP matches an IP in the exception.

Steps

1. In the WebGUI, go to Objects > Security Profiles > Vulnerability Protection, click the Exceptions tab, enter the Threat ID and click Enable. Add both the Source and Destination IP addresses to be exempted to the exception list.

2. After specifying the Source and Destination IP address, the Palo Alto Networks firewall will still exempt based on the Source IP address 200.1.1.10 alone. In order to track the destination as well, set the action to Block IP, specify both the Source and Destination IP address for tracking, and specify the time interval.

3. Now the firewall will look at both the Source and Destination IP address for the exemption, and if either the Source or the Destination IP address is in the exception list, the rule will block the traffic for 3600 seconds.

For more information on configuring exceptions, please see: How to Use Anti-Spyware, Vulnerability and Antivirus Exceptions to Block or Allow Threats

owner: dantony
dantony ‎02-24-2017 03:49 PM
14,118 Views
10 Replies
2 Likes
Overview

Security Policies allow users to control firewall operations by enforcing rules and automatically taking action. Security Policies on the Palo Alto Networks firewalls determine whether to block or allow a new network session based on traffic attributes, such as the source and destination security zones, the source and destination addresses, and the application and services.

The following table provides a list of valuable resources on understanding and configuring Security Policies:

TITLE | DESCRIPTION | TYPE

BASIC
Security Policy Guidelines | Best Practices for Creating Security Policies | Document
Fundamental Guide on Security Policies | Fundamentals of Security Policies | Document
Tour of PAN-OS Security Policy Configuration | Security Policies Configuration | Video
How to Configure Security Policies on the PAN-OS UI | Configure a Security Policy on PAN-OS | Video
How to Configure Security Policy by Application | Configure a Security Policy by App | Video

INTERMEDIATE
How to Add Groups to Security Policy | Add Group to Security Policy | Document
Can Local User/Group Database be Used in Security Policies? | Manually add to Security Policy | Document
How to Enter an Application Name in Policy Without a Search Delay | How to put an application name in the policy | Document
How to Configure a Security Policy to use a Region | Creating a Security Policy to use region instead of IP address | Document
How to Tag and Filter Security Policy Rules | How to add tags and filter security policies | Document

ADVANCED
How to View Security Policies from the CLI | View Security Policies from the CLI | Document
Security Policies Based on Zone Assignment for VPN Interface | Policies based on zone assignment for VPN interface | Document
How to See Traffic from Default Security Policies in Traffic Logs | Describes traffic hitting default policies | Document
Creating a Security Policy to Block Selective Flash | Write a Security Policy to block Adobe Flash and allow flash | Document
What is Default Value for "Service" Field in the Security Policy in PAN-OS 6.0? | PAN-OS 6.0 Default Value for Service Field | Document
How to Schedule Policy Actions | Security Policies can be set to perform configured actions | Document
Security Policy to Allow/Deny a Certain ICMP Type | Cases where ICMP Type should be allowed | Document
How to Create and View NAT Rules on the CLI | Sample Commands to create Bi-Directional NAT Policy & Inbound Security Policy | Document
How to Configure Email Notifications for Security Policy Changes | How to Configure email notifications on Security Policy changes | Document

DISCUSSION BOARDS
CLI Listing of all Security Policies | How to List All Security Policies from the CLI | Board
Security Policy Organization | Organizing Security Policies | Board
Security Policy Limit Alarms | How to Generate Tags | Board
Adding Users to a Security Policy | Add Users to Security Policy | Board
Security Policy with URLs | Create a Security Policy with the Destination Address as a URL | Board

Note: If you have a suggestion for an article, video or discussion not included in this list, please post a recommendation in the comments below and it will be added to the master list.

owner: asimon
‎02-01-2017 10:24 AM
98,341 Views
2 Replies
8 Likes
GOM VPN is an extension for the Chrome browser that enables blocked websites to be browsed through the firewall by encrypting the data inside an SSL connection. In order for blocked websites to stay blocked, the GOM VPN SSL connection needs to be blocked by the firewall. There are two approaches to block GOM VPN. This article outlines both.

Method 1 to block GOM VPN

Note: This approach requires a URL filtering license and database on the firewall. To understand the behavior in case the license expires, please click here.

The GOM VPN connection is categorized as "proxy-avoidance-and-anonymizers". Some of the hosts that GOM VPN tries to connect to are "b-7.gomcomm.com", "b-4.gomcomm.com", "b-9.gomcomm.com", etc. To check the category of a URL, the following websites can be used:
- BrightCloud's URL Test site: http://www.brightcloud.com/tools/url-ip-lookup.php
- Palo Alto Networks URL Test site: https://urlfiltering.paloaltonetworks.com/testasite.aspx

Step 1. Set the action for "proxy-avoidance-and-anonymizers" to "block" in the URL filtering profile (Objects > Security Profiles > URL Filtering).
Step 2. Use this URL filtering profile in the security policy that allows traffic to the Internet.
Step 3. The URL filtering logs show the GOM connection being blocked.

Method 2 to block GOM VPN

Note: This approach can be used even if there is no URL filtering license on the firewall, since predefined categories are not used.

Step 1. Since GOM VPN connections are made to the hosts "*.gomcomm.com" and "gomcomm.com", these URLs can be added to a custom URL category (Objects > Custom Objects > URL Category).
Step 2. When done, either use a URL filtering profile in the security policy and set the action of this custom category to "block" in the URL filtering profile, or use this custom URL category directly in the security policy with the action of the security policy set to "deny".

Note: You will get "No valid URL filtering license" warnings when this custom URL category is referenced in a URL filtering profile and there is no URL filtering license on the firewall. There is no warning when this custom URL category is used directly in the security policy, even if there is no URL filtering license.
poagrawal ‎01-03-2017 03:00 AM
4,859 Views
0 Replies
This article shows how to fix the problem of web browsing that fails with the error code SSL_ERROR_RX_RECORD_TOO_LONG. We'll use facebook.com as an example.

Cause

The error code "SSL_ERROR_RX_RECORD_TOO_LONG" means the web server is sending non-secure (HTTP) data where the web browser expects secure (HTTPS) data.

Details

Security policy on the firewall: refers to the URL filtering profile "facebook test".
URL Filtering profile on the firewall: the social-networking category has an action of continue.

With an action of continue on the URL category, the firewall sends a redirect message to the client to prompt users to click Continue to proceed to the web page. This Continue redirect message sent by the firewall is an HTTP response.

Note: This redirect message shows the URL category and the security policy rule matched by this traffic.

When browsing to www.facebook.com, the browser makes a request for https://www.facebook.com. In this case, the HTTP redirect message the firewall sends for continue is treated as an invalid response by the browser, and it shows the error SSL_ERROR_RX_RECORD_TOO_LONG.

Solution

Either of the two solutions offered can overcome this issue:

1. Enable outbound SSL decryption on the firewall. For more information on how to enable SSL decryption on the firewall, please click here.

OR

2. Run the following command on the firewall. This allows the SSL handshake to complete before sending an HTTP response page to the client. For more information about this command, please click here.

  # set deviceconfig setting ssl-decrypt url-proxy yes
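Why the browser reports this particular error can be shown from the bytes alone. The following is an added example, not code from the article or from PAN-OS: it reads the first five bytes of a plain HTTP redirect the way a TLS client reads a record header, and the ASCII text "HTTP/" yields a length field far above the legal TLS maximum. The redirect text and Location value are constructed for the example; the firewall's real continue page differs.

```python
"""Why an HTTP response on an HTTPS connection becomes SSL_ERROR_RX_RECORD_TOO_LONG.

Added illustration (not from the original article). A TLS client treats the
first five bytes from the server as a record header: content type (1 byte),
protocol version (2 bytes), length (2 bytes). The firewall's continue page is
plain HTTP, so the browser parses the text "HTTP/" as that header, and the
length it decodes exceeds any legal TLS record.
"""
import struct

# Maximum TLS record body: 2^14 bytes of plaintext plus up to 2048 bytes of
# ciphertext expansion permitted by TLS 1.2 (RFC 5246, section 6.2.3).
MAX_TLS_RECORD_LEN = 2**14 + 2048

# Valid TLS record content types (RFC 5246 / RFC 8446).
TLS_CONTENT_TYPES = {
    20: "change_cipher_spec",
    21: "alert",
    22: "handshake",
    23: "application_data",
}


def parse_record_header(data: bytes) -> dict:
    """Interpret the first 5 bytes of a server reply as a TLS record header."""
    if len(data) < 5:
        raise ValueError("need at least 5 bytes for a TLS record header")
    content_type, version, length = struct.unpack("!BHH", data[:5])
    return {
        "content_type": content_type,
        "content_type_name": TLS_CONTENT_TYPES.get(content_type, "unknown"),
        "version": version,
        "length": length,
    }


def classify_reply(data: bytes) -> str:
    """Return the verdict a TLS client reaches on the first record header.

    The length check comes first, which is consistent with Firefox's NSS stack
    reporting SSL_ERROR_RX_RECORD_TOO_LONG for this symptom rather than a
    content-type error; 'tls' means the header is plausible TLS.
    """
    hdr = parse_record_header(data)
    if hdr["length"] > MAX_TLS_RECORD_LEN:
        return "record_too_long"
    if hdr["content_type_name"] == "unknown":
        return "bad_content_type"
    return "tls"


# Constructed sample: the kind of HTTP redirect a URL filtering "continue"
# action returns, arriving where the browser expects a TLS ServerHello.
# The Location value is a placeholder, not a real firewall URL.
HTTP_CONTINUE_REDIRECT = (
    b"HTTP/1.1 302 Found\r\n"
    b"Location: http://firewall.example/continue\r\n"
    b"Content-Length: 0\r\n\r\n"
)

# Constructed sample: a TLS 1.2 record header (type 22 = handshake,
# version 0x0303, length 0x003a = 58) followed by a 58-byte ServerHello body.
TLS_SERVER_HELLO = bytes.fromhex("160303003a") + b"\x02" + b"\x00" * 57


if __name__ == "__main__":
    hdr = parse_record_header(HTTP_CONTINUE_REDIRECT)
    print(f"'HTTP/' read as TLS header: type=0x{hdr['content_type']:02x} "
          f"version=0x{hdr['version']:04x} length={hdr['length']}")
    print("verdict for HTTP redirect:", classify_reply(HTTP_CONTINUE_REDIRECT))
    print("verdict for real ServerHello:", classify_reply(TLS_SERVER_HELLO))
```

With the url-proxy setting from the article, the TLS handshake completes first, so the continue page arrives as application data inside the tunnel instead of as the first bytes on the socket.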
hagarwal ‎11-22-2016 10:20 AM
3,068 Views
0 Replies
Issue

When using URL Filtering with response pages, if a URL is loaded that contains page elements from another URL category, the response page does not load, or content embedded within the page fails to load completely.

Example 1: A response page is configured (Continue, Override or Block) for the Spam category. When browsing to a site in the Auctions category which includes various page content from the Spam category, the response page does not display and some parts of the web page are not loaded correctly. To identify whether this is related to a web page display problem, create a temporary URL filtering policy that disables the response pages and verify whether the page loads correctly.

Example 2: Another option to isolate issues with embedded content failing to load is to install a third-party debugging utility such as Firebug or HttpWatch, where you can view the status of each individual GET request to see which content is timing out or failing to load. The example below has a URL Filtering profile (Continue, Override or Block) configured strictly for 'content-delivery-networks'.

Using Firebug as an example, launch the console, access the page in question, then sift through the Net console and search for the message '302 Moved' ('Failed to load the given URL'). Right-clicking on the image(s) that are failing to load and selecting 'View Image Info' will highlight the specific URL which was failing (which is also referenced in the Net console as previously mentioned). Reference the Domain field (in this case 'd2o307dm5mqftz.cloudfront.net') and use the test command via the CLI to determine the categorization of the blocked site. You can also view the 'live' session status of discarded sessions via the CLI. Notice that Session State = Discard and the URL category is 'content-delivery-networks', which in this example was in fact blocked/defined via the URL Filtering profile configured for this test.

Discarded sessions will also be logged under Monitor > Logs > URL Filtering. The example below is filtered on the source IP of the client and shows the URLs blocked (referencing .jpg images which were not being displayed) along with the action 'block-continue'.

Resolution

This is expected behavior of the product, as embedded content does not have the capability to prompt for a continue or override option. Additionally, the main site being accessed could be in a category permitted by the URL Filtering profile, bypassing response pages altogether.

owner: ppolizzi
ppolizzi ‎09-06-2016 02:59 AM
7,510 Views
0 Replies
Scenario

For username-to-IP address mapping, the software-based and agentless User-ID agents install the most recently learned mapping. Consider an example where user1 is mapped to ip1 and this mapping is learned via the agentless User-ID agent, so the source is A. Now, if user1 launches a VPN connection via GlobalProtect from the same PC and is assigned a new IP address, the username-to-IP mapping on the firewall changes to user1 and ip2, and the source is GlobalProtect. Hence, the old cache entry of user1 and ip1 is overwritten by the new entry of user1 and ip2.

Similarly, groups retrieved from an Active Directory domain controller should be unique in each group mapping profile. It can be argued that groups are often referenced in security policies and it doesn't matter which group-mapping profile this information comes from, but in some cases it does matter and may well turn the tables completely.

In the following scenario, you'll notice that the same group, when referenced from two different group mapping profiles, can cause issues in matching the security policy, due to a failure to match a user against the Active Directory group to which it belongs.

A group mapping profile is configured with the user domain under Domain Settings set to test, where test is the NetBIOS domain name equivalent of the FQDN domain name test.kunaldc.com. A group, cn=group2,cn=users,dc=test,dc=kunaldc,dc=com, is fetched using this group mapping profile. A user gptest belongs to this group, and its username is stored in domain\username format on the firewall as test\gptest.

Now configure another group mapping profile, AD-FQDN-FORMAT, where the user domain is not overridden and is therefore test.kunaldc.com instead of test. Use the include group option to include only the above AD group in this group-mapping profile. Commit this change. When the group-mapping refresh is complete, check the group-mapping state.

Now the same AD group, cn=group2,cn=users,dc=test,dc=kunaldc,dc=com, is also fetched by the new group-mapping profile AD-FQDN-FORMAT. Carefully look at the usernames that belong to this group. The username format has changed from netbios\user to fqdn\user. The source has also changed from the old group-mapping profile, GPOUP-MAPPING-TEST, to the new one, AD-FQDN-FORMAT.

The primary issue that arises now is that the username learnt via any User-ID mechanism (agent or agentless User-ID, GlobalProtect, Captive Portal, etc.) doesn't match the username format in the group-mapping table. Traffic from the same user would fail to match the security policy where this user group is referenced.
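The two User-ID articles on this page (the group-based policy walkthrough and the duplicate-group scenario just above) both come down to one exact string comparison between two data-plane caches. The following is an added example, not code from either article or from PAN-OS: a small model of the IP-to-user cache and the group-mapping cache that replays the scenario and shows the policy match succeeding with the NetBIOS profile and failing once the FQDN profile re-fetches the same group. The IP addresses and profile source names are constructed; the domain names, the user gptest and the group DN are the article's.

```python
"""Model of the User-ID group lookup described on this page.

Added example, not code from the original articles or from PAN-OS. It models
the two data-plane caches the articles describe: the IP-to-user cache filled
by User-ID sources and the group-mapping cache filled by LDAP group-mapping
profiles. The policy 'user' match is an exact string comparison of the cached
username. IPs are constructed sample data; the domains test and
test.kunaldc.com, the user gptest and the group DN come from the article.
"""
from dataclasses import dataclass, field


@dataclass
class GroupMappingProfile:
    """One group-mapping profile; user_domain is the configured User Domain."""
    name: str
    user_domain: str            # "test" (NetBIOS) or "test.kunaldc.com" (FQDN)
    include_groups: list = field(default_factory=list)

    def fetch(self, directory: dict) -> dict:
        """Build this profile's cache: group DN -> set of 'domain\\user' names.

        Members are stored as <user_domain>\\<sAMAccountName>, so the same AD
        group yields differently formatted usernames in different profiles.
        """
        cache = {}
        for dn, members in directory.items():
            if self.include_groups and dn not in self.include_groups:
                continue
            cache[dn] = {f"{self.user_domain}\\{sam}" for sam in members}
        return cache


@dataclass
class Firewall:
    ip_user_cache: dict = field(default_factory=dict)   # ip -> (username, source)
    group_cache: dict = field(default_factory=dict)     # group DN -> set(usernames)

    def learn_user(self, ip: str, username: str, source: str) -> None:
        """Install the most recently learned mapping for a user.

        As the article states, a newer mapping for the same user (e.g. from
        GlobalProtect) replaces the older one learned from another source.
        """
        stale = [old for old, (u, _) in self.ip_user_cache.items() if u == username]
        for old in stale:
            del self.ip_user_cache[old]
        self.ip_user_cache[ip] = (username, source)

    def refresh_groups(self, profile: GroupMappingProfile, directory: dict) -> None:
        """A later profile refresh overwrites entries for the same group DN."""
        self.group_cache.update(profile.fetch(directory))

    def groups_for_ip(self, ip: str) -> set:
        """Exact-match the cached username against every group's member set."""
        if ip not in self.ip_user_cache:
            return set()
        username, _ = self.ip_user_cache[ip]
        return {dn for dn, members in self.group_cache.items() if username in members}

    def policy_matches(self, ip: str, rule_group: str) -> bool:
        """Would a rule whose 'user' field names rule_group match this source IP?"""
        return rule_group in self.groups_for_ip(ip)


GROUP2 = "cn=group2,cn=users,dc=test,dc=kunaldc,dc=com"
DIRECTORY = {GROUP2: ["gptest"]}        # group DN -> member sAMAccountNames


def run_scenario() -> dict:
    """Replay the article: the NetBIOS profile matches, the FQDN profile breaks it."""
    fw = Firewall()
    # User-ID learns the user in NetBIOS domain\user format, as the agent does.
    fw.learn_user("10.0.0.5", "test\\gptest", "agentless")
    # Profile 1: User Domain overridden to the NetBIOS name "test".
    fw.refresh_groups(GroupMappingProfile("GROUP-MAPPING-TEST", "test"), DIRECTORY)
    before = fw.policy_matches("10.0.0.5", GROUP2)
    # Profile 2: the same group included again, User Domain left as the FQDN.
    fw.refresh_groups(GroupMappingProfile("AD-FQDN-FORMAT", "test.kunaldc.com",
                                          [GROUP2]), DIRECTORY)
    after = fw.policy_matches("10.0.0.5", GROUP2)
    # GlobalProtect assigns a new IP; the newer mapping replaces the old entry.
    fw.learn_user("10.9.9.9", "test\\gptest", "GlobalProtect")
    return {"match_before": before, "match_after": after,
            "old_ip_still_mapped": "10.0.0.5" in fw.ip_user_cache,
            "group_members_after": sorted(fw.group_cache[GROUP2])}


if __name__ == "__main__":
    print(run_scenario())
```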
kbiswas ‎07-25-2016 04:13 PM
2,329 Views
0 Replies
1 Like
URL category will only apply to traffic that is valid HTTP/HTTPS. In the case of non-HTTP traffic, the URL category is ignored as matching criteria by design. URL categorization will happen for SSL regardless of whether it is HTTP inside or not. It is not possible to tell what protocol is inside without SSL decryption, so the categorization is done either by IP or via the Common Name from the SSL certificate or the Server Name Indication (SNI).

owner: ppatel
ppatel ‎07-25-2016 06:44 AM
4,965 Views
1 Reply
Please follow these steps to allow a single Vimeo video (example: player.vimeo.com/video/71574621) for all users while blocking all other Vimeo videos:

1. Create a custom URL category under Objects > Custom Objects > URL Category: click Add to create a new URL category, then click Add again to add the URL below.
   player.vimeo.com/video/71574621

2. Next, go to Objects > Security Profiles > URL Filtering. Click on the URL filtering profile you want to use, and then inside the allow list of the URL filtering profile, add the following URLs:
   player.vimeo.com/video/71574621
   *.vimeo.com
   *.vimeocdn.com
   player.vimeo.com/log
   player.vimeo.com/crossdomain.xml
   av.vimeo.com/crossdomain.xml
   player.vimeo.com/play_redirect
   a.vimeocdn.com/p/2.1.18/js/player.js
   a.vimeocdn.com/p/2.1.18/css/player.css
   *.*.vimeocdn.com

3. Add this URL filtering profile to the security policy to restrict/allow this Vimeo video.

4. Commit to make these changes take effect.

Note: This allows all users to access this single Vimeo video while blocking the rest of Vimeo. A decryption policy may need to be enabled so that the Palo Alto Networks firewall can identify the Vimeo link properly.
rchougale ‎07-18-2016 02:08 PM
8,749 Views
4 Replies
Overview

This document describes a test to generate a "Generic Cross Site Scripting" event in the threat log.

Details

1. Create a policy that allows the web-browsing and SSL applications.
2. Apply the DEFAULT Vulnerability Protection security profile to the policy.
3. Go to any web page and look for an entry box that accepts typed input.
4. Enter the following text into the entry box: <script>alert(XSS Test)</script>
   For example, the following image shows the amazon.com website with the given text entered into the "Search" box.
5. In the example above, when Enter is pressed after entering the text, the browser was busy for a while before displaying a message that the connection was reset.
6. Go to Monitor > Threat on the PAN-OS Web GUI, and an alert appears in the threat log. The action shows that a TCP RESET was sent to the server.

The global counters can also be viewed to confirm that the firewall has sent TCP reset packets:

  > show counter global | match RST
  flow_action_close      4       0 drop      flow      pktproc   TCP sessions closed via injecting RST

See Also

For additional examples:
- XSS Filter Evasion Cheat Sheet - OWASP
- Threat Prevention Deployment Tech Note

owner: skrall
skrall ‎06-15-2016 06:47 AM
15,386 Views
1 Reply
1 Like
Symptoms

With inbound SSL decryption enabled for the server example.com, the system logs show:

  reverse proxy key example.com doesn't match certificate issued to example1.com

Diagnosis

The above error indicates that the server certificate, including its private key, which was imported into the device for enabling inbound SSL decryption, does not match the certificate presented by the server. In this case, the server presented a certificate with the name example1.com.

Solution

To verify this behavior:
1. Take a packet capture on the client or the firewall for the entire transaction: How to Run a Packet Capture
2. Find the packet which contains the SSL handshake message "Certificate" (coming from the server to the client).
3. Expand the packet, locate the certificate(s) and take note of the serialNumber of the server certificate. Alternatively, right-click on the certificate that you want, select Export Selected Packet Bytes and save it under a name.
4. Match the serial number and validity in this certificate with the serial number and validity of the certificate loaded into the firewall and used in the decryption policy.

NOTE: If you are hosting multiple servers on the same machine 1.2.3.4 (same IP), make sure that the SSL decryption policies are not configured with only the IP address as the match condition. For example:

SSL Decryption Policy 1
  Source: Any
  Destination: 1.2.3.4
  Service: service-https
  Action: Decrypt with certificate example.com

SSL Decryption Policy 2
  Source: Any
  Destination: 1.2.3.4
  Service: service-https
  Action: Decrypt with certificate example1.com

In this case, when traffic comes in for example1.com and the SSL decryption policy is looked up, it will always match the first policy, even though that policy is bound to the certificate with hostname example.com. The certificate is not a valid match condition in the firewall's policy lookup. Thereby when example1.com presents its certificate, it will not match the loaded certificate, which is for example.com.

Resolution

To avoid this situation, create custom URL categories for each URL and use them in the match conditions.

SSL Decryption Policy 1
  Source: Any
  Destination: 1.2.3.4
  Service: service-https
  URL Category: Category_Example (contains example.com)
  Action: Decrypt with certificate example.com

SSL Decryption Policy 2
  Source: Any
  Destination: 1.2.3.4
  Service: service-https
  URL Category: Category_Example1 (contains example1.com)
  Action: Decrypt with certificate example1.com
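The point that the certificate is an action parameter rather than a match field can be made concrete with a first-match model of the two rulebases above. The following is an added example, not code from the article or from PAN-OS; it assumes the custom URL category is evaluated against the server name from the TLS ClientHello SNI (consistent with the categorization note elsewhere on this page), and the client IP and category contents are constructed.

```python
"""First-match decryption policy lookup for two servers sharing one IP.

Added example, not from the original article or from PAN-OS. The rulebase is
an ordered list evaluated top-down on its match fields only; the certificate
each rule decrypts with is part of the action and is never consulted during
matching. Adding a custom URL category (assumed here to be evaluated from the
TLS ClientHello SNI) gives each rule a distinguishing match field. Hostnames
and the server IP come from the article; the client IP is constructed.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    sni: str            # server name carried in the ClientHello


@dataclass(frozen=True)
class DecryptRule:
    name: str
    destination: str    # IP literal or "any"
    service_port: int   # service-https -> 443
    certificate: str    # action parameter, never consulted during match
    url_category: Optional[str] = None


# Custom URL categories from the Resolution: category -> hostnames it contains.
URL_CATEGORIES = {
    "Category_Example": {"example.com"},
    "Category_Example1": {"example1.com"},
}


def category_matches(rule: DecryptRule, sni: str) -> bool:
    """A rule without a category matches any name; otherwise the SNI must be listed."""
    if rule.url_category is None:
        return True
    return sni in URL_CATEGORIES.get(rule.url_category, set())


def lookup(rules: list, flow: Flow) -> Optional[DecryptRule]:
    """Top-down, first-match evaluation on destination, service and category."""
    for rule in rules:
        if rule.destination not in ("any", flow.dst):
            continue
        if rule.service_port != flow.dport:
            continue
        if not category_matches(rule, flow.sni):
            continue
        return rule
    return None


def key_mismatch(rule: DecryptRule, server_cert_name: str) -> Optional[str]:
    """Return the article's system log line when the selected key is wrong."""
    if rule.certificate == server_cert_name:
        return None
    return (f"reverse proxy key {rule.certificate} doesn't match "
            f"certificate issued to {server_cert_name}")


# Rulebase from the NOTE: both rules match on IP and service only.
IP_ONLY_RULES = [
    DecryptRule("Policy 1", "1.2.3.4", 443, "example.com"),
    DecryptRule("Policy 2", "1.2.3.4", 443, "example1.com"),
]

# Rulebase from the Resolution: each rule also carries its URL category.
CATEGORY_RULES = [
    DecryptRule("Policy 1", "1.2.3.4", 443, "example.com", "Category_Example"),
    DecryptRule("Policy 2", "1.2.3.4", 443, "example1.com", "Category_Example1"),
]

# Constructed client; the server side is the article's shared IP 1.2.3.4.
FLOW_TO_EXAMPLE1 = Flow("203.0.113.7", "1.2.3.4", 443, "example1.com")


if __name__ == "__main__":
    for label, rules in (("IP-only rules", IP_ONLY_RULES),
                         ("rules with URL category", CATEGORY_RULES)):
        hit = lookup(rules, FLOW_TO_EXAMPLE1)
        print(f"{label}: matched {hit.name}; log: {key_mismatch(hit, 'example1.com')}")
```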
abjain ‎04-11-2016 06:34 PM
13,996 Views
1 Reply
Symptoms

Some SSL websites do not open even after the URL has been included in ssl-exclude-cert, despite following the instructions in How to Exclude a Site from SSL Decryption. The websites' failure to open also holds true for the implicitly excluded URLs provided by Palo Alto Networks in List of Applications Excluded from SSL Decryption.

Diagnosis

If a URL category is included in the decryption rules, when traffic for a website matching that URL category hits the device for the first time, even if that website is excluded from decryption using the SSL Exclude Certificate settings, the firewall will not skip decryption based on the SNI (Server Name Indication) included in the Client Hello packet. The firewall still does a forward proxy for the connection and sends its own list of supported cipher suites to the server.

If the server accepts the Client Hello proposed by the firewall and sends a Server Hello / Certificate, the firewall then inspects the server certificate for the Common Name and matches it against the configured SSL Exclude Certificate settings. If it matches, the server address and TCP port are added to the exclude cache for the particular rule they match. This exclude cache is then used for future connections matching the same parameters and causes the firewall to skip the proxy entirely.

If the server does not support the cipher suites sent (overwritten) by the firewall, the server might send an SSL error message or just send a TCP RST to the connection.

Solution

If the firewall is sending cipher suites that are unsupported by the server, even after including the certificate in the SSL Exclude Certificate settings, perform the following steps to resolve this issue:

1. Under Objects > URL Category, click Add to create a new custom URL category, e.g. ExcludeSSLdescryption, then add the URLs inside this category that you do not want decrypted.
2. Under Policies > Decryption, create a No-Decrypt rule above the SSL decryption rule that is being used for decrypting the rest of the traffic. Place the newly created URL category, ExcludeSSLdescryption, in the URL Category field. This way, the traffic for the URL category will be excluded from the decryption policy.
3. Commit this change for it to take effect.
abjain ‎04-11-2016 06:01 PM
9,237 Views
1 Reply
Issue

After allowing dependent applications in a different security policy, a commit on the Palo Alto Networks firewall displays an application dependency warning.

Resolution

1. Create new services at Objects > Services, as shown in the example, by identifying the ports used by the dependent app under Objects > Applications:
   Ports used by application Citrix
   Ports used by application Socks (dependent app)
2. Go to Policy > Security and select the desired policy. Click Service/URL Category.
3. Add the services created in the previous steps.

A sample configuration committed successfully with no warnings.

For more information on enabler-app and dependent-app, refer to the following document: How to Check if an Application Needs to have Explicitly Allowed Dependency Apps

owner: hyadavalli
hyadavalli ‎04-04-2016 03:23 PM
9,917 Views
0 Replies
2 Likes