Management Articles

Featured Article
Issue
The iOS native VPN client on iOS 6.1.3 on iPad gets disconnected from GlobalProtect after the screen locks. Previous iOS versions 5.1.1 to 6.1.2 do not appear to exhibit this issue.

Cause
The issue is caused by a change in iOS behavior. iOS 6.1.3 turns off the VPN and disconnects after a few seconds of screen lockout.

Note: The GlobalProtect client for iOS is not affected by this change. The GlobalProtect client does require a GlobalProtect Gateway license for the Palo Alto Networks device.

owner: jlunario
pagmitian 06-16-2013 08:09 PM
Issue
A number of site-to-site IPSec VPNs between a Palo Alto Networks firewall (HQ) and remote sites are experiencing slowness, low throughput and FTP transfer issues. The symptoms started to appear after the Palo Alto Networks firewall replaced several VPN devices at the HQ site.

Cause
The issues may be due to asymmetric routing of the VPN tunnels caused by the multiple ISPs. If the default route is configured to only one ISP, the other links are underutilized while the main line becomes overutilized. The problem would not have been present before deployment of the Palo Alto Networks firewall if each VPN tunnel was terminated on a different VPN device at HQ.

Resolution
Configure the VPN tunnels on the Palo Alto Networks firewall to route VPN traffic out the interface or ISP on which the VPN traffic is received. This avoids the asymmetric routing and balances bandwidth utilization across the multiple ISP links.

To further illustrate the solution, see the example below. Interfaces E1/1, E1/2 and E1/3 are all ISP-facing interfaces under the same virtual router, so with this setup only one ISP can be configured as the default route. Two VPN tunnels are sourced from E1/1 and E1/2. The static routing configuration below shows E1/3 chosen as the main default route, E1/1 as secondary and E1/2 as third. To make sure that VPN tunnel traffic does not exit via the main default route on E1/3, a static host route to each VPN peer was configured. To verify, go to Network > Virtual Router > Default (or the VR of choice) > More Runtime Stats. This ensures symmetric routing for the VPN tunnels and proper load sharing of ISP bandwidth.

owner: jlunario
pagmitian 03-02-2013 08:42 PM
Issue
While creating multiple IPSec tunnels, the following error appears on commit:

Tunnel interface tunnel.2 multiple binding with different IKE gateways. IPSec tunnel: Test_tunnel:test_proxy_id_1. IKE gateway: gateway_1.
Tunnel interface tunnel.2 multiple binding with different IKE gateways. IPSec tunnel: test_tunnel_2. IKE gateway: gateway_2.
Configuration is invalid

If the above error is encountered, it means the same tunnel interface, in this case tunnel.2, is bound to more than one IKE gateway. This configuration is currently not supported.

Resolution
Create a separate tunnel interface for each IPSec VPN.

owner: mbutt
mbutt 01-11-2013 10:09 AM
To modify the GlobalProtect portal login response page:

1. Go to the Device tab.
2. Select Response Page.
3. Export 'Global Protect Portal Login Page'.
4. Open the exported 'factory-default' response page. In this case, I'm using pspad as my editor.
5. Modify according to your needs.
6. Save the file in .html format.
7. Import the file saved in step 6.
8. Open GlobalProtect Portal and, under Portal Configuration, choose the new 'Custom Login Page'.
9. Commit the changes and test by pulling up the portal page as shown below.

owner: rkalugdan
gswcowboy 10-15-2012 02:40 PM
Overview
There is no command to disable a tunnel interface. It is a logical interface that is not tied to a physical interface. Tunnel monitoring can be configured instead: when the VPN is down, it effectively disables the tunnel interface so that routing protocols are influenced accordingly.

See Also
Sample IPSec Tunnel Configuration - Palo Alto Networks Firewall to Cisco ASA
Dead Peer Detection and Tunnel Monitoring
How to Verify if IPSec Tunnel Monitoring is Working

owner: ppatel
ppatel 10-01-2012 12:02 AM
Issue
When importing a subordinate CA certificate with a SHA-512 hash generated on a Windows 2008 R2 server, the import succeeds, but attempting to commit results in an error:

Error: Certificate 'unsupported' failed to load: parse tbs certificate not supported algorithm.

Resolution
Reissue the certificate using SHA-256, as SHA-512 is not supported.

owner: jnguyen
jnguyen 09-13-2012 11:35 AM
When packets destined for an IPSec tunnel include QoS information, the firewall does the following:

- The entire original packet, DiffServ bits included, is encrypted.
- The firewall respects the QoS priority specified in the original packet.
- The new encrypted IPSec packet does not include the QoS information in the new headers.

owner: dwhyte
npare 08-28-2012 02:23 PM
The encryption type will vary. Two methods can be used to view which encryption type was used:

1. Examine a packet capture.
2. Via the CLI, run the command show running tunnel flow context <#>.

Sample output:

> show running tunnel flow context 1
key type:               auto keyip
auth algorithm:         SHA1
enc  algorithm:         AES128

owner: dlorenzen
dlorenzen 08-03-2012 05:07 AM
Symptoms
When performing a commit, OSPF adjacencies go down and come back up shortly after.

Issue
When a policy is committed, the "routed" process is restarted, which causes the OSPF adjacencies to be taken down.

Workaround
There are two ways to work around this issue:

1. Exclude the Network and Device configuration when performing the commit.
2. Schedule the commit so that it is done during off-peak hours.

Note: Palo Alto Networks is currently working on a permanent fix for this issue, which will be included in a future release.

owner: bnelson
npare 07-11-2012 10:45 AM
Palo Alto Networks firewalls will only accept an FQDN peer ID when the tunnel mode is set to aggressive. If the tunnel is configured for main mode with an FQDN peer ID, the following error message is displayed:

IKE phase-1 negotiation failed. When pre-shared key is used, peer-ID must be type IP address. Received type FQDN.

owner: sraghunandan
sraghunandan 05-23-2012 07:40 PM
Details
The Palo Alto Networks firewall supports a single SSL VPN username accessing multiple concurrent sessions. The details of a user's connections, including the devices/clients for each, can be reviewed in the WebUI:

1. Navigate to Network > GlobalProtect > Gateways.
2. Click on the configured gateway's Remote Users link under the "Info" column, as shown below.

In the traffic and other logs, users are distinguished by the source IP address.

owner: lvidovic
panagent 04-23-2012 08:36 AM
Issue
A site-to-site VPN has been set up with a Palo Alto Networks firewall on one side and a Cisco ASA on the other. The VPN dropped momentarily, and since it came back online the ASA can reach the PA, but the PA cannot reach the ASA. How can it be determined which side is causing the problem?

Resolution
When an IPSec peer receives a packet for which it cannot find an SA, it sends an INVALID SPI error message to the VPN device that initiated the connection. In this instance the PA device received the INVALID SPI message, indicating that the PA device was the initiator. The logs from the responder (the ASA) will have more detail. The ASA sent the INVALID SPI message, so it may have received data from the PA device that did not match any SA it had. This could very well mean that the ASA timed out or brought down an SA for some reason. In any case, the ASA logs should be analyzed to find out why it sent the INVALID SPI messages.

owner: swhyte
panagent 04-11-2012 11:14 AM
Issue
Traffic from one side shows proper encaps and decaps, whereas traffic from the other side shows no decaps.

Cause
The tunnel terminates on an interface in a zone different from the zone where the ESP (Encapsulating Security Payload) packets arrive. Example: the tunnel terminates on an IP on Ethernet/2 in the DMZ zone, while ESP packets ingress on Ethernet/1 in the WAN zone. After the IKE negotiation completes, the Palo Alto Networks firewall creates a tunnel session so that ESP traffic can be properly encapsulated and decapsulated. Incoming traffic arrives on Ethernet/1 in the WAN zone and will not match the tunnel session, because the tunnel session expects ESP traffic to ingress in the DMZ zone.

Resolution
Move the IKE gateway to an interface in the same WAN zone (a loopback interface can be used). The incoming ESP traffic can then be properly matched and decapsulated.

owner: rkim
panagent 01-10-2012 09:44 AM
Details
The System Log shows the following error message:

IKE phase-1 negotiation is failed as responder, main mode. Failed SA: 10.1.1.1[500]-10.2.2.2[500] cookie:32718ea3e053bc01:99d432334b1acc03. Due to timeout.

- It is not possible to ping from the VPN gateway IP of the PAN to the VPN gateway IP of the firewall at the other end of the tunnel.
- It is possible to ping from the PAN to the VPN gateway IP of the other firewall if a source IP (the PAN VPN gateway IP) is not specified.
- The IPSec VPN is working correctly.
- The VPN configuration is correct on both firewalls.
- The security policy configuration is correct on both firewalls.

Resolution
Check the routing table of the devices between the firewalls. A route table entry may need to be added or removed to provide proper network connectivity.

owner: jdavis
panagent 01-03-2012 10:30 AM