Management Articles

Featured Article
Steps to activate Magnifier cloud service using an Evaluation Auth Code.
bfrentz ‎05-09-2018 10:18 AM
5,617 Views
0 Replies
When the WF-500 appliance is configured to submit reports to the cloud using either of the commands

> set deviceconfig setting wildfire cloud-intelligence submit-report yes
> set deviceconfig setting wildfire cloud-intelligence submit-sample yes

the WildFire portal will not show corresponding entries for the uploads. The submitted data is used only internally to contribute to WildFire statistics and threat intelligence.

On the WF-500, the "show wildfire local statistics day <1-31>" command can be used to verify the submissions:

> show wildfire local statistics day 7
----------------------------------------------------------
| General Stats                                          |
+--------------------------------------------------------+
Total Disk Usage: 66/1283(GB) (5%)
+---------------------------+----------+-----------------+
| Sample Queue                                           |
+---------------------------+----------+-----------------+
| SUBMITTED                 | ANALYZED | PENDING         |
| 236                       | 236      | 0               |
+-------------+-------------+----------+-----------------+
| Verdicts                                               |
+-------------+-------------+----------+-----------------+
| Malware     | Grayware    | Benign   | Error           |
| 2           | 0           | 234      | 0               |
+-------------+-------------+----------+-----------------+
| Session and Upload Count                               |
+---------------------------+----------------------------+
| Sessions                  | Uploads                    |
| 313                       | 3                          |
+---------------------------+----------------------------+

For a WF-500 running PAN-OS 7.1 or earlier, use the "show wildfire statistics" command to verify the submissions.
> show wildfire statistics
Last one hour statistics :
Total sessions submitted  :             456
Samples submitted         :             10
  analyzed                :             10
  pending                 :             0
  malicious               :             6
  benign                  :             4
  error                   :             0
  uploaded                :             1

See also: How to Interpret the "show wildfire statistics" Command Output on WF-500
phrdlicka ‎05-09-2018 10:17 AM
2,558 Views
0 Replies
1 Like
Requirement

This article discusses retrieving multiple "User Name" attributes for the same user while fetching group mappings from Active Directory.

Please refer to the article below, which discusses the behaviour when multiple group mapping profiles are used to fetch different "User Name" attributes for users belonging to the same user group: Inconsistent User Name with Multiple Group Mapping Profiles

As discussed in that article, the "User Name" attribute for a user may be overwritten by the group mapping profile that refreshes last. In various practical scenarios it might be required to fetch different "User Name" attributes for the same user, such as "userPrincipalName", "sAMaccount" or "E-mail", to be used for authentication and authorization. For example, users logging into their workstations might need to be authenticated/authorized with "sAMaccount", while the GlobalProtect user may require the "userPrincipalName" for the same user.

Solution

Retrieval of different "User Name" attributes for the same user can be achieved by placing the user in different groups and configuring each group mapping profile to use the "Include Groups" option. This option filters the groups each profile retrieves, so the "User Name" attribute learned by one profile is protected from being overwritten by the other. The following section describes this solution with an example, where the user "Dennis Lee" belongs to two groups, "marketing-group" and "support-group".

The "User Name" parameters for the user as configured in Active Directory are:

"userPrincipalName"  :  dennis.lee@lab333.local
"sAMaccount"         :  lab333\dlee

Two group mapping profiles are used, each with the "Include Groups" option:

1. Group Mapping Profile 1 : retrieves the "sAMaccount"
2. Group Mapping Profile 2 : retrieves the "userPrincipalName"

Both the "userPrincipalName" and the "sAMaccount" parameters are now successfully retrieved:

PA-VM-1> show user user-ids
User Name           Vsys    Groups
------------------------------------------------------------------
lab333\dlee         vsys1   cn=marketing-group,ou=user-groups,ou=departments,dc=lab333,dc=local
lab333\dennis.lee   vsys1   cn=support-group,ou=user-groups,ou=departments,dc=lab333,dc=local
Total: 3
* : Custom Group
syadav ‎05-09-2018 10:16 AM
2,520 Views
0 Replies
1 Like
This article discusses the issue where IPSEC VPN traffic fails with the error "Packet dropped, cannot handle IPv4 host bound ESP/AH packet".

Problem

The following section shows the packet-diag logs where the ESP packet is dropped by the firewall. Here the ESP packet is received from source 118.201.215.22 to the destination 103.80.209.5:

IP:  118.201.215.22->103.80.209.5, protocol 50
version 4, ihl 5, tos 0x00, len 120,
id 19317, frag_off 0x0000, ttl 43, checksum 48553
L4 binary dump: 16 bytes
00000000: d1 9e 2d d2 00 00 00 61  a7 8c a7 7f 18 d5 38 c0    ..-....a ......8.
Session setup: vsys 1
Session setup: ingress interface ae1 egress interface loopback.3 (zone 14)
Policy lookup, matched rule index 4,
Allocated new session 169972.
Packet dropped, cannot handle IPv4 host bound ESP/AH packet
Packet dropped, Session setup failed

The following counter can be seen in the output of the global counters:

> show counter global filter delta yes packet-filter yes | match drop
flow_host_slowpath_drop       1        0 drop      flow  tunnel ESP/AH host bound packet comes before tunnel finishes installation

Cause

The root cause of this issue is a configuration issue where the ingress interface of the ESP packet and the IPSEC VPN terminating interface are in different security zones.

Resolution

To resolve this issue, ensure that both interfaces are in the same security zone.

In the above example, the ae1 interface (ingress interface of the ESP packet) and the loopback.3 interface (IPSEC VPN terminating interface) should be in the same security zone.

To check this, go to WebGUI > Network > Interfaces and see which Security Zone is assigned to each interface.
syadav ‎05-09-2018 10:14 AM
5,981 Views
0 Replies
1 Like
Updated May 2018 kiwi

Issue

Active Directory servers configured for Agentless User-ID frequently disconnect from the firewall. The connection status for those servers, under the Server Monitoring section for User Mapping, keeps flapping between connected and not connected. The User-ID logs have the following error message for each configured AD server:

Error: pan_user_id_win_sess_query(pan_user_id_win.c:1241): session query for <server name> failed: [wmi/wmic.c:216:main()] ERROR: Retrieve result data.

As shown in the screenshot below, note the "not connected" status in Server Monitoring under Device > User Identification > User Mapping > Server Monitoring:

Cause

Agentless User-ID is configured to monitor user session information from the servers in the Server Monitoring list. Session query attempts from the firewall to those AD servers are failing due to permission issues: the domain account used to access the session information does not have privileges to read the user session information from the servers. The Server Operators group and the Domain Admins group include the session query read permissions.

As shown in the example below, go to Device > User Identification > User Mapping > Palo Alto Networks User-ID Agent Setup and click on the setting to find the User Name that is used to connect the Agentless User-ID to the AD server (172.30.30.15):

As shown in the example below, on the AD server (172.30.30.15) check the permissions for the user cr7:

Resolution

Option 1: Grant Server Operators or Domain Admins privileges to the service account used under WMI Authentication. The example below shows how to add the Server Operator permission to the user cr7:

After adding the Server Operator permission to the user cr7, the example below shows that the Agentless User-ID is now connected to the AD server:

Option 2: If it is not being used, disable the server session read option.

owner: knarra
knarra1 ‎04-27-2018 08:52 AM
38,717 Views
6 Replies
1 Like
Updated 23 April 2018   The latest Palo Alto Networks Visio stencils are attached to this article below.   The attachment is a .ZIP file that contains: Palo Alto Networks.vss   Please let us know if there are any issues with this attachment.
nrice ‎04-23-2018 01:34 AM
210,235 Views
38 Replies
3 Likes
How To Back Up Config Files Periodically From Palo Alto Networks Firewalls

Introduction

The configuration file of any firewall is extremely important since it holds all the customizations made by the user. In the event of a hardware failure, if the config files aren't backed up to an external location, the configuration will have to be built up from scratch. So it is good practice to back up and export the config files regularly, especially to external locations.

Panorama can do this automatically. But in case Panorama isn't managing the firewalls, this document can be very helpful to export and back up the config file to an external location for safe keeping.

Overview

Access the firewall using the XML API:
- Set up the firewall for API access by generating an API key.
- Save the API key and then add it to the HTTPS query in the next step.
Retrieve the running config file using an HTTPS GET:
- To run an HTTPS GET from the command prompt, use cURL for Windows. For Linux hosts, it might be built in.
- Then save the retrieved config to a file.
Automate the config export process:
- Add the commands from the above steps to a batch file (or a script for Linux hosts).
- Run the batch file on a server which is always on.
- Create a job in Windows Scheduler (or a cron job on a Linux server) to call that batch file periodically.

Access the firewall using the XML API

For accessing the firewall using the XML API, we need to generate the API key first. To generate it, request the following URL:

https://<firewall-ip>/api/?type=keygen&user=<username>&password=<password>

The response should be an XML document with the API key printed as below:

Save the API key somewhere safe. It is like a password.

Retrieve the running config file using an HTTPS GET

Since the Windows command line doesn't support HTTPS requests, we have to use cURL for Windows to do an HTTPS GET to fetch the running configuration.

Note: cURL for Windows can be downloaded from: https://curl.haxx.se/download.html (OR) http://winampplugins.co.uk/curl/

Download and extract cURL to a folder. If the curl command should be accessible universally, then add the extracted cURL folder to PATH under Environment Variables.

The site below explains in detail how to add a folder to PATH: https://java.com/en/download/help/path.xml

Now for the HTTPS request to retrieve the running config from the firewall.

The URL below should print the config file if run from a browser:

https://192.168.1.1/api/?type=export&category=configuration&key=<api_key>

To capture the config XML to a file, we have to retrieve the HTTPS URL using cURL. The command is as below (this should be run from the server):

> curl -kG "https://192.168.1.1/api/?type=export&category=configuration&key=<api_key>" > running-config.xml

The above command, when run from the command line, will create a file named running-config.xml in the folder from which the command was run.

Note: If cURL's extracted path isn't added to the PATH, then it should be run from the folder where cURL was extracted.

Automate the config export process

Now that we have the command to fetch the running config in XML format, we can create a batch file and then call that from Windows Scheduler. Scheduling it on a server which is always on would be a good idea.

Contents of the batch file:

cd\
cd curl\bin
curl -kG "https://192.168.1.1/api/?type=export&category=configuration&key=<api_key>" > c:\running-config.xml

To append the date to the config file name:

curl -kG "https://192.168.1.1/api/?type=export&category=configuration&key=<api_key>" > c:\running-config_%date%.xml

Note: This assumes that cURL has been extracted to the root of the C drive, and the config file will be saved to the C drive itself. Replace <api_key> with the key obtained in the previous step. Follow the instructions at the URL below to run the batch file periodically (for example every night at 1 A.M.).

http://www.computerhope.com/issues/ch000785.htm#windows-
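The same export, as an added Python example rather than the article's batch file: it builds the article's export URL (firewall 192.168.1.1 and <api_key> are placeholders from the article), verifies the firewall certificate instead of passing -k, and checks that the body really is a <config> export before writing the dated backup file.

```python
"""Added example (not from the article): the XML API config export done from
Python so the downloaded file can be validated before it is kept as a backup."""
import datetime
import os
import ssl
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET


def export_url(firewall, api_key):
    """The export URL from the article; the key travels in the query string,
    so keep this URL out of shell history and web-server logs."""
    query = urllib.parse.urlencode(
        {"type": "export", "category": "configuration", "key": api_key})
    return f"https://{firewall}/api/?{query}"


def parse_api_key(keygen_body):
    """Pull the key out of the type=keygen response (status="success")."""
    root = ET.fromstring(keygen_body)
    key = root.findtext("./result/key")
    if root.tag != "response" or root.get("status") != "success" or not key:
        raise RuntimeError("keygen did not return a key: " + keygen_body[:200])
    return key


def check_export(body):
    """Return (ok, detail). A real export has a <config> root element; an API
    error arrives as <response status="error">. Neither an error body nor a
    truncated download should ever be stored as a backup."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError as exc:
        return False, f"not XML: {exc}"
    if root.tag == "config":
        return True, "running config exported"
    if root.tag == "response":
        msg = root.findtext(".//msg") or root.findtext(".//line") or ""
        status, code = root.get("status"), root.get("code")
        return False, f"API error: status={status} code={code} {msg}".strip()
    return False, f"unexpected root element <{root.tag}>"


def backup_filename(prefix="running-config", date=None):
    """Date-stamped name, e.g. running-config_2018-04-20.xml. ISO dates sort
    correctly, unlike the locale-dependent %date% used in the batch file."""
    return f"{prefix}_{date or datetime.date.today().isoformat()}.xml"


def fetch_running_config(firewall, api_key, cafile=None, timeout=30):
    """Download the export. Unlike 'curl -k' this verifies the firewall's
    certificate; pass cafile for a private CA rather than disabling checks."""
    ctx = ssl.create_default_context(cafile=cafile)
    with urllib.request.urlopen(export_url(firewall, api_key),
                                context=ctx, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def backup(firewall, api_key, outdir=".", cafile=None):
    """Fetch, validate, then write; returns the path of the saved file."""
    body = fetch_running_config(firewall, api_key, cafile)
    ok, detail = check_export(body)
    if not ok:
        raise RuntimeError(detail)
    path = os.path.join(outdir, backup_filename())
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(body)
    return path


if __name__ == "__main__":
    # Placeholders: the real key comes from the keygen call in the article.
    print(backup("192.168.1.1", "<api_key>"))
```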
shganesh ‎04-20-2018 02:37 PM
47,892 Views
19 Replies
3 Likes
Problem

As a part of the management interface feature, the "Permitted IP Addresses" setting restricts access from unwanted hosts/subnets to the management interface.

This option can be found in the WebGUI > Device > Setup > Interfaces:

In PAN-OS 8.0, the management interface screen looks like this:

In PAN-OS 8.1, the management interface screen looks like this:

This feature not only strictly filters the source IP of hosts accessing the management interface, but also blocks legitimate ICMP error responses for attempts made from the management interface itself to a remote host (please refer to the list below).

The following attempts from the management interface do not work if the permit-ip configuration blocks the source IP of the "ICMP error".

Note: Most of the time, the source of the ICMP error is not the destination IP of your attempt.

- Traceroute: ICMP TTL Exceeded (Type 11) is used to detect the Layer 3 devices in the path. The source IP address of the error will be a Layer 3 device in the path.
- Path MTU discovery: ICMP Destination Unreachable/Fragmentation Needed (Type 3/Code 4) is used to deliver the error and the suggested MTU. The source IP of the ICMP error will be a Layer 3 device in the path.
- ICMP redirect: an ICMP Redirect message (Type 5) is sent by the Layer 3 device acting as default gateway when a better next-hop gateway exists in the same subnet as the management interface. The source IP of the message will be that default gateway.

Reason

This is as per design, to block traffic from the unwanted IP/subnet.

The only exception is the ICMP Echo Reply (Type 0/Code 0) for an Echo Request from the management interface. Hence ping from the management interface will not be affected by the permit-ip feature.

Solution

Add the source IP/subnet of the source of the ICMP error to the Permitted IP Addresses.

Note: In the scenario of Path MTU discovery for an SSL/SSH connection, the DF bit is commonly set on encrypted packets, so dropping "ICMP Destination Unreachable/Fragmentation Needed" by permit-ip can cause a severe connection problem.
sunright ‎04-17-2018 04:26 PM
5,759 Views
0 Replies
Scenario

Dynamic updates are set to download, or download and install, on a schedule. The firewall can reach the update server, and manual updates work normally. There is a threshold defined.

Example

We'll use a schedule for antivirus updates for this example. Here we happen to have configured the 'Threshold' to 48 hours. Note that underneath the Threshold value we're hinted: 'Content must be at least this many hours old for any action to be taken'.

We see that antivirus updates are actually released daily.

The following error is observed in the log file ms.log:

admin@pan> grep after-context 1 before-context 11 pattern "threshold=" mp-log ms.log
--2015-03-05 01:00:01--  https://updates.paloaltonetworks.com/Updates/UpdateService2.asmx/CheckForVirusUpdate
Resolving updates.paloaltonetworks.com... 199.167.52.13
Connecting to updates.paloaltonetworks.com|199.167.52.13|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 4432 (4.3K) [text/xml]
Saving to: `/tmp/.avinfo.xml.10073.tmp'

     0K                                                      100% 11.2M=0s

2015-03-05 01:00:02 (11.2 MB/s) - `/tmp/.avinfo.xml.10073.tmp' saved [4432/4432]

2015-03-05 01:00:02.886 -0500 Content time below threshold 2015/03/04  04:00:02 threshold=48 diff=18
2015-03-05 01:00:02.886 -0500 No new Antivirus updates available for download

Description of Behavior

The hours value under 'Threshold' is a setting that checks the 'maturity' of the *latest* available package. Note that it does not walk the list to find the "next one over" that is at least 48 hours old (so that you could skip updates). The way the example above is set up (48 hours) would therefore prevent *any* update from deploying.

The reason for this is that the antivirus release frequency is daily (every 24 hours); therefore the maturity (Threshold) would have to be set to anything less than 24 hours.

Recommendation

Observe the frequency of releases of your dynamic update, and set a schedule accordingly. If the value of the threshold is bigger than the release frequency, dynamic updates will never deploy.

Note: Change of Behavior

The behavior of the 'threshold' feature has changed since PAN-OS 8.0.5 with issue ID PAN-80465. With this fix, PAN-OS checks the last five content release versions, instead of just the newest version, and performs the action for the latest version that matches the threshold you specified. For example, if content update version 701 has been available for 24 hours and version 700 has been available for 72 hours, and you set the threshold to 48 hours for Applications and Threats content updates, PAN-OS performs the action for version 700. PAN-OS checks the last five content release versions for Antivirus updates as well.

owner: mivaldi
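The two threshold behaviours described above, as an added Python example (not from the article): the pre-8.0.5 check that only examines the newest release, and the 8.0.5 check that walks the last five releases. The release lists and the check time are constructed; the first reproduces the article's 701/700 example, the second the daily antivirus schedule.

```python
"""Added example (not from the article): the dynamic-update threshold check
as the article describes it, before and after PAN-80465, on constructed data."""
from datetime import datetime


def age_hours(released, now):
    """Hours a release has been available; both timestamps are ISO 8601 strings."""
    delta = datetime.fromisoformat(now) - datetime.fromisoformat(released)
    return delta.total_seconds() / 3600


def pick_pre_8_0_5(releases, threshold_hours, now):
    """Behaviour before PAN-OS 8.0.5: only the newest release is examined.
    If it is younger than the threshold nothing is installed, even when an
    older release that already satisfies the threshold exists."""
    version, released = max(releases, key=lambda r: datetime.fromisoformat(r[1]))
    return version if age_hours(released, now) >= threshold_hours else None


def pick_8_0_5(releases, threshold_hours, now, lookback=5):
    """Behaviour from PAN-OS 8.0.5 (PAN-80465): look at the last five releases,
    newest first, and act on the newest one that is at least threshold hours old."""
    newest_first = sorted(releases, key=lambda r: datetime.fromisoformat(r[1]),
                          reverse=True)[:lookback]
    for version, released in newest_first:
        if age_hours(released, now) >= threshold_hours:
            return version
    return None


# Constructed data. NOW is the moment the scheduled check runs.
NOW = "2018-04-13T00:00:00"
# The article's Applications and Threats example: 701 out for 24 h, 700 for 72 h.
APPS_THREATS = [("700", "2018-04-10T00:00:00"), ("701", "2018-04-12T00:00:00")]
# Daily antivirus releases at 04:00, as the article observes (versions invented).
DAILY_AV = [(str(2500 + i), f"2018-04-{8 + i:02d}T04:00:00") for i in range(5)]


if __name__ == "__main__":
    for name, releases in (("Apps/Threats", APPS_THREATS), ("Antivirus", DAILY_AV)):
        print(name, "threshold 48h:",
              "pre-8.0.5 ->", pick_pre_8_0_5(releases, 48, NOW),
              "| 8.0.5+ ->", pick_8_0_5(releases, 48, NOW))
```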
mivaldi ‎04-13-2018 01:02 AM
23,282 Views
9 Replies
2 Likes
Details

Verify that the logs are being written. Run the following commands from the CLI:

> show log traffic direction equal backward
> show log threat direction equal backward
> show log url direction equal backward
> show log system direction equal backward

If logs are being written to the Palo Alto Networks device, then the issue may be a display problem in the WebGUI.

Run the following command from the CLI:

> debug software restart process management-server

Note: restarting the management-server will reset your SSH connection.

owner: bryan
panagent ‎04-04-2018 01:06 AM
45,279 Views
3 Replies
Details

This document is designed to help verify whether the DNS Sinkhole function is working properly through a Palo Alto Networks firewall. The following two scenarios are covered:
- Client Using External DNS Server
- Client Using Internal DNS Server

DNS Sinkhole Configuration

For information on how to configure DNS Sinkhole, please see: How to Configure DNS Sinkhole

Also, we have a video tutorial on how to configure DNS Sinkhole: Video Tutorial: How to Configure DNS Sinkhole

Client Using External DNS Server

Note: The DNS Sinkhole IP must be in the path between the client and the firewall so you can see logs from it. For example, if the Palo Alto Networks firewall sits between an infected client and the data center but does not see the internet, and DNS Sinkhole is configured with an internet IP, then the firewall will never see the infected client trying to reach its command & control server.

When the DNS sinkhole feature is configured on the Palo Alto Networks firewall and the client system is using an external DNS server, the DNS query from the client will go through the Palo Alto Networks firewall to the external DNS server (client and DNS server are in different subnets). As expected, the user should be able to see threat logs with the client IP address as the source.

The user is trying to access a malicious website. The client system will send the DNS query to an external DNS server to get the IP address of the malicious website. The firewall will receive the DNS query directly from the client system. The firewall will hijack the DNS query and give a DNS sinkhole IP address to the client, and the threat logs will show the client IP address as the source.

Client TCP/IP Properties Configuration

Review the following config example:

Threat Logs

When using an external DNS server, threat logs show the client IP address "192.168.27.192" as the source that is trying to access a malicious website:

Client Output When Using External DNS Server

$ nslookup 79fe3m5f4nx8c1.pmr.cc
Server:        195.130.131.4
Address:    195.130.131.4#53

Non-authoritative answer:
Name:    79fe3m5f4nx8c1.pmr.cc
Address: 72.5.65.111

The output above shows a host machine 192.168.27.192 performing a DNS request for "79fe3m5f4nx8c1.pmr.cc" (a suspicious URL) and the response being 72.5.65.111. This shows that the DNS Sinkhole is working as desired.

Client Using Internal DNS Server

If a client system is using an internal DNS server (client and DNS server are in the same subnet), the DNS query from the client will go to the internal DNS server. The internal DNS server will forward this query to an external DNS server, and the threat logs will show the internal DNS server IP address as the source.

Currently, the Palo Alto Networks firewall cannot identify which end client is trying to access a malicious website from the threat logs alone, because all threat logs will have the internal DNS server IP address as the source. However, the firewall should be able to determine the end client IP address with the help of the traffic logs.

Below is an example where the user is trying to access a malicious website. The client system will send the DNS query to an internal DNS server to acquire the IP address of the malicious website. Here, the internal DNS server will forward the DNS query to an external DNS server. The firewall will receive the DNS query from the internal DNS server.

The firewall will hijack the DNS query and give the DNS sinkhole IP address to the internal DNS server. The internal DNS server will forward the response to the client system, and the user should be able to see threat logs with the internal DNS server IP address as the source. However, the Palo Alto Networks firewall should be able to see the client IP address in the traffic logs, because the client will try to access that website using the DNS sinkhole IP address, as shown in the following screenshot:

Client TCP/IP Properties Configuration

Threat Logs

In the threat logs, the firewall shows only the internal DNS server IP address "10.50.240.101" as the source, because the client system is using the internal DNS server IP. Here the firewall is not able to determine which end client is trying to access that website.

Traffic Logs

However, as soon as the client gets the IP address from the DNS server, it will generate traffic towards the sinkhole IP address (72.5.65.111). Therefore, the firewall will show the end client IP address "192.168.27.192" in the traffic logs, as shown below:

Client Output When Using Internal DNS Server

$ nslookup 4cdf1kuvlgl5zpb9.pmr.cc
Server:        192.168.27.189
Address:    192.168.27.189#53

Non-authoritative answer:
Name:    4cdf1kuvlgl5zpb9.pmr.cc
Address: 72.5.65.111

The output above shows a host machine 192.168.27.192 performing a DNS request for 4cdf1kuvlgl5zpb9.pmr.cc (a suspicious URL) with the response of 72.5.65.111. This verifies that the DNS Sinkhole is working as desired.

See Also

How to Deal with Conficker using DNS Sinkhole
Where to get suspicious DNS query for testing DNS Sinkhole

For video tutorials on DNS Sinkhole, please see:
Video Tutorial: How to Configure DNS Sinkhole
Video Tutorial: How to Verify DNS Sinkhole

owner: sbabu
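The threat-to-traffic correlation described above, as an added Python example (not from the article): when a sinkholed query is logged with the internal DNS server as source, the real client is the host that then connects to the sinkhole address within a short window. The log extracts are constructed and simplified (not the real PAN-OS CSV layout); the IPs and domains are the ones the article uses.

```python
"""Added example (not from the article): attribute DNS sinkhole hits to end
clients by joining threat logs with traffic logs to the sinkhole IP."""
import csv
import io
import re
from datetime import datetime, timedelta

# Constructed, simplified log exports with the article's addresses.
THREAT_LOG = """\
receive_time,src,dst,dport,threat,action
2018/04/03 12:20:01,10.50.240.101,195.130.131.4,53,Suspicious DNS Query (generic:4cdf1kuvlgl5zpb9.pmr.cc),sinkhole
2018/04/03 12:25:10,192.168.27.192,195.130.131.4,53,Suspicious DNS Query (generic:79fe3m5f4nx8c1.pmr.cc),sinkhole
2018/04/03 12:30:00,10.50.240.101,195.130.131.4,53,Suspicious DNS Query (generic:constructed-host.example),sinkhole
"""
TRAFFIC_LOG = """\
receive_time,src,dst,dport,app,action
2018/04/03 12:20:03,192.168.27.192,72.5.65.111,80,web-browsing,allow
2018/04/03 12:20:40,192.168.27.55,10.50.240.101,53,dns,allow
2018/04/03 12:25:11,192.168.27.192,72.5.65.111,443,ssl,allow
"""
SINKHOLE_IP = "72.5.65.111"          # sinkhole address from the article
INTERNAL_DNS = {"10.50.240.101"}     # internal DNS server from the article
_DOMAIN = re.compile(r"\(generic:([^)]+)\)")


def load(text):
    """Parse a CSV export and attach a datetime to each row."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["time"] = datetime.strptime(row["receive_time"], "%Y/%m/%d %H:%M:%S")
    return rows


def sinkhole_hits(traffic, sinkhole_ip=SINKHOLE_IP):
    """Every client that actually connected to the sinkhole address; this is
    the list worth investigating even before any threat log is consulted."""
    return sorted({r["src"] for r in traffic if r["dst"] == sinkhole_ip})


def attribute(threat, traffic, sinkhole_ip=SINKHOLE_IP,
              dns_servers=INTERNAL_DNS, window_seconds=60):
    """For each sinkholed query return (client, domain, evidence).
    Direct client queries are attributed from the threat log itself; queries
    relayed by an internal DNS server are attributed to whoever hit the
    sinkhole IP shortly afterwards, or left unresolved."""
    results = []
    for t in threat:
        if t["action"] != "sinkhole":
            continue
        m = _DOMAIN.search(t["threat"])
        domain = m.group(1) if m else t["threat"]
        if t["src"] not in dns_servers:
            results.append((t["src"], domain, "threat log"))
            continue
        low, high = t["time"], t["time"] + timedelta(seconds=window_seconds)
        clients = sorted({r["src"] for r in traffic
                          if r["dst"] == sinkhole_ip and low <= r["time"] <= high})
        if clients:
            results.extend((c, domain, "traffic log") for c in clients)
        else:
            results.append((None, domain, "unresolved"))
    return results


def report():
    return attribute(load(THREAT_LOG), load(TRAFFIC_LOG))


if __name__ == "__main__":
    print("clients that reached the sinkhole:", sinkhole_hits(load(TRAFFIC_LOG)))
    for client, domain, evidence in report():
        print(f"{client or '?':16} {domain:28} via {evidence}")
```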
sbabu ‎04-03-2018 12:26 PM
64,655 Views
8 Replies
Overview

Once the username is added to the Ignore User list, it is important to delete the user's IP mapping (if it already exists) from both the dataplane (DP) and the management plane (MP) after committing the changes. A common mistake is to delete the mapping from the DP but not from the MP, which pushes the mapping back to the DP and the user remains identified.

Details

Verify that the user is being ignored by tailing useridd.log (if using agentless). If using an agent, these logs will be seen in the Uadebug.log file in the User-ID Agent's directory:

> tail follow yes mp-log useridd.log
Oct 21 11:44:22 pan_user_id_ipuser_add(pan_user_id_ipuser.c:601): user domain\username is in ignore list
Oct 21 11:44:22 pan_user_id_ipuser_add(pan_user_id_ipuser.c:601): user domain\username is in ignore list

To turn on debug-level logging for User-ID, run the following commands:

> debug user-id on debug
> debug user-id set userid basic

Use the commands below to turn off the debug level and the User-ID basic logging after a specific duration:

> debug user-id on info
> debug user-id unset all

The following commands can be used to clear the mapping:

> clear user-cache-mp ip <IP-address>    (clear management plane user cache)
> clear user-cache ip <IP-address>       (clear dataplane user cache)

> show user ip-user-mapping ip <ip>
No matched record

See Also

Refer to the following articles to add or delete users on the Ignore User list when using the Agentless User-ID or the User-ID Agent:
How to Add/Delete Users from Ignore User List using Agentless User-ID
How to Ignore Users in User-ID Agent

owner: apasupulati
apasupulati ‎04-03-2018 05:17 AM
27,589 Views
0 Replies
1 Like
Support Portal User Roles

Columns: SU = Super User, StdU = Standard User, LU = Limited User, TR = Threat Researcher, AF = AutoFocus Trial role, GSU = Group Super User, GStdU = Group Standard User, GLU = Group Limited User, GTR = Group Threat Researcher. X = permitted, RO = read only.

Permission                              SU    StdU  LU    TR    AF    GSU   GStdU  GLU   GTR
Manage Company Account Information      X
Create New User                         X
Manage Members                          X     RO    RO
Manage Assets                           X     X     X     X     X
Manage Groups                           X
Case Management                         X*    X*
AutoFocus Portal (Subscription only)                      X     X
Licensing API                           X     RO

Group Level Access
Create New Group User                                                 X
Manage Group Members                                                  X     RO     RO
Manage Group Assets                                                   X     X      X     X
Case Management                                                       X*    X*
AutoFocus Portal (Subscription only)                                                     X
WildFire Portal                         X     X     X                 X     X      X
Threat Vault                            X     X     X                 X     X      X
Applipedia                              X     X     X                 X     X      X

* All users in the main account and groups with Case Management visibility will be able to view each other's cases. Cases are not segmented by group.
nrice ‎03-27-2018 12:17 PM
30,385 Views
2 Replies
1 Like
Question: What Happens When Licenses Expire on the Palo Alto Networks Firewall?

Answer: The following will occur when a license expires on the firewall.

Support - Online software updates will no longer be allowed.

Threat Prevention - Threat and Antivirus updates will no longer occur. The current database will continue to be utilized.

GlobalProtect Subscription - iOS and Android devices will no longer be able to establish a VPN.

WildFire - You fall back to the 'free' version of WildFire, meaning: WildFire supports only uploading of Portable Executable, or PE, files. The PE file type is a container that includes .exe, .dll, .scr, and other extensions that match the PE header magic number. Signatures aren't available through the licensed WildFire signature feed (every 5 minutes) but rather through licensed Threat Prevention updates.

URL Filtering

BrightCloud - BrightCloud database updates will no longer occur. You can see the overall URL filtering action when the URL Filtering license expires from the WebGUI: go to Objects > Security Profiles > URL Filtering, then click on a profile name to see the window shown. You will have two options, to either allow or block URL filtering traffic when the URL license expires. The action selected for Action On License Expiration will be applied to all web traffic handled by the rule that uses the security profile. If the action selected is block, then no web traffic will be allowed by this rule. Likewise, if the action is allow, then the traffic will be allowed.

URL Filtering profile showing Action On License Expiration (BrightCloud)

PAN-DB - The PAN-DB cloud will be blocked for lookups and updates. The current database will continue to be utilized for URL categorization. The current URL Filtering security profiles will be used to apply the selected action for each category. If a URL entry exists in the cache, a lookup will return whatever category is in the cache. If the entry has expired or does not exist, the device cannot query the cloud for the latest information, and an uncategorized URL will be allowed. URLs in custom categories will still be matched against the custom category. The URL Filtering security profile does not have an Action On License Expiration option for PAN-DB.

When You Get a New License

When a new license is obtained by the firewall (under Device > Licenses), it will immediately resume normal operations associated with that license.

Note: It is not necessary to perform a commit or reboot the firewall to start working again.

owner: jjosephs
nrice ‎03-27-2018 01:33 AM
48,421 Views
18 Replies
2 Likes
Overview

SSL decryption gives the Palo Alto Networks firewall the ability to see inside secure HTTP traffic that would otherwise be hidden. SSL decryption can be used to monitor for any signs that a company's valuable intellectual property might be exiting through the network. The Palo Alto Networks firewall is able to perform SSL decryption by opening up SSL traffic through an inspection process.

The following list provides valuable resources on understanding and configuring SSL Decryption. Each entry gives the title followed by a description; all entries are of type Document.

BASIC
- How to implement and test SSL decryption: Describes how to implement and test SSL decryption
- Limitations and recommendations while implementing SSL decryption: Limitations and recommendations while implementing SSL decryption
- How to view SSL decryption information from the CLI: How to view SSL decryption information from the CLI
- List of applications excluded from SSL decryption: List of applications that cannot be decrypted by the Palo Alto Networks device
- How to exclude a URL from SSL decryption: Details the CLI commands for adding URLs to the SSL exclude list
- SSL decryption certificates: How to manage SSL certificates for decrypting and inspecting SSL traffic
- How to temporarily disable SSL decryption: How to temporarily disable SSL decryption without modifying the decryption policy
- How to enable/reset the opt-out page for SSL decryption: How to enable the opt-out response page
- How to serve a URL response page over an HTTPS session without SSL decryption: How to configure a device to serve a URL response page over an HTTPS session without SSL decryption
- Difference between SSL forward-proxy and inbound inspection decryption mode: SSL forward-proxy and SSL inbound inspection modes
- How to create a report that includes only SSL decrypted traffic: Create a report that includes only SSL decrypted traffic
- How to view decrypted traffic: View decrypted traffic

INTERMEDIATE
- How to configure a decrypt mirror port on PAN-OS 6.0: Create a copy of decrypted traffic and send it to a mirror port

ADVANCED / TROUBLESHOOTING
- Troubleshooting SSL Decryption using Dynamic Address Groups: Automation example using the Palo Alto Networks firewall and Dynamic Address Groups (DAGs)
- How to identify root cause for SSL decryption failure issues: How to identify decryption failures due to an unsupported cipher suite
- SSL vulnerability non-detection behavior is seen when inbound SSL decryption policy is set: Detection of an SSL-relevant vulnerability by the security profile failed
- Troubleshooting slowness with traffic, management, or intermittent SSL decryption: Troubleshooting intermittent SSL decryption
- SSL decryption not working due to unsupported cipher suites: After configuration and import of the required certificates, inbound SSL decryption is not working
- Unable to post pictures on Facebook after enabling SSL decryption: After SSL decryption is enabled, the user cannot connect to Facebook using HTTPS
- After configuring SSL decryption Mozilla Firefox presents certificate error: SSL decryption on Mozilla Firefox showing a certificate error
- SSL decryption policy is decrypting traffic for no-decrypt rules: SSL decryption policy is decrypting traffic for no-decrypt rules
- SSL decryption rules not matching FQDN: SSL decryption rules not matching FQDN
- Google services do not work in Chrome with SSL decryption: Google not working in Chrome with SSL decryption
- Commit error received after configuring SSL decryption for certificate generation: Configuring SSL decryption - commit fails after a certificate generation error
- Inbound SSL decryption fails when SSL compression is enabled: Inbound SSL decryption fails
- SSL decryption stops working on Firefox after changing SSL decryption certificate: After changing the SSL decryption certificate, SSL decryption does not work for the Firefox browser
- SSL decryption opt-out timeout: Display the opt-out page more frequently
- Wrong certificate used when SSL decryption is enabled: Untrusted certificate presented when performing SSL decryption

Note: If you have a suggestion for an article, video or discussion not included in this list, please post a recommendation in the comments below and it will be added to the master list.
View full article
‎03-26-2018 02:53 AM
78,960 Views
0 Replies
5 Likes
Details

If a URL has been miscategorized, a change request can be submitted, as shown for the PAN-OS versions below.

From the device WebGUI, the URL Filtering log details include a link to request a categorization change. From there, fill out the form with the suggested new category, any applicable comments, and an email address for notifications.

The following Palo Alto Networks Support site can also be used to test the categorization of a URL, and to submit a change request if the URL is categorized incorrectly: http://urlfiltering.paloaltonetworks.com/

For customers with a large number of change requests, bulk submissions can be made through the Palo Alto Networks URL Filtering - Bulk Change Request page.

Note: Be sure to follow the instructions, as a strict file format must be followed for best results.
View full article
dyang ‎03-12-2018 11:56 PM
30,878 Views
5 Replies
Overview

The small form-factor pluggable (SFP) is a compact, hot-pluggable transceiver used for both telecommunication and data communications applications. The PA-2000 Series, PA-3000 Series, PA-4000 Series, PA-5000 Series, and PA-7000 Series firewalls accept SFP modules. This document describes how to view the currently installed SFP modules.

Details

From the CLI, run the following command:

> show system state filter sys.sX.pY.phy

where X is the slot and Y is the port; for example, X=1 and Y=21 for interface ethernet1/21.

Typical SFP module output:

> show system state filter sys.s1.p19.phy
sys.s1.p19.phy: { 'link-partner': { }, 'media': SFP-Plus-Fiber, 'sfp': { 'connector': LC, 'encoding': Reserved, 'identifier': SFP, 'transceiver': 10000B-SR, 'vendor-name': OEM , 'vendor-part-number': PAN-SFP-PLUS-SR , 'vendor-part-rev': B4 , }, 'type': Ethernet, }

> show system state filter sys.s1.p21.phy
sys.s1.p21.phy: { 'link-partner': { }, 'media': SFP-Plus-Fiber, 'sfp': { 'connector': LC, 'encoding': Reserved, 'identifier': SFP, 'transceiver': , 'vendor-name': FINISAR CORP.   , 'vendor-part-number': FTLX8574D3BCL   , 'vendor-part-rev': A   , }, 'type': Ethernet, }

Defective SFP module output

If the output looks similar to the sample below (vendor fields filled with placeholder characters and no usable transceiver information), the SFP module may be defective:

sys.s1.p21.phy: { 'link-partner': { }, 'media': SFP-Fiber, 'sfp': { 'connector': vendor specific, 'encoding': Reserved, 'identifier': SFP, 'transceiver': , 'vendor-name': yyyyyyyyyyyyyyyy, 'vendor-part-number': yyyyyyyyyyyyyyyy , 'vendor-part-rev': yyyy, }, 'type': Ethernet, }

Note: To confirm, unplug the SFP module from the original SFP port and plug it into another SFP port, then run the same "show system state filter" command as above for the new port. If the output is the same, the module is defective.

owner: gcapuno
View full article
gcapuno ‎03-02-2018 03:11 AM
56,819 Views
10 Replies
4 Likes
Summary: Starting with PAN-OS 8.0.8, a new URL filtering validation was added to the commit process to warn administrators about configurations containing nested wildcards (*) in URL filtering profiles, as these can impact the overall performance of the dataplane.

For more detail, please check the release note for Issue ID PAN-86882 in PAN-OS 8.0.8: PAN-OS 8.0.8 Addressed Issues

The validation is triggered in the cases listed below.

Case 1: A commit operation performed with the "Commit" button of the GUI, or the "commit force" or "commit" command of the CLI.

Note that the validation does not take place for auto-commits performed at system startup or by Dynamic Updates. For example, if a Dynamic Updates job installs new Applications and Threats content and the Palo Alto Networks firewall then performs an auto-commit to apply it, the validation does not take place.

Case 2: A revert operation performed with "Revert last saved configuration" or "Revert to running configuration" in the GUI.

Case 3: A load operation performed with "Load named configuration snapshot" or "Load configuration version" in the GUI, or the "load config" command.

Case 4: Entering a nested wildcard (*) in the Allow List / Block List field of the "Overrides" tab of a URL Filtering Profile.

Case 5: Entering a nested wildcard (*) in the Sites field of a "Custom URL Category".

When the validation takes place you will see a validation error message like the ones shown in screenshots 1, 2 and 3 below.

Operation Failed - URL filtering profile: Screenshot 1

You will see the message shown in Screenshot 1 when the validation takes place after you enter a nested wildcard (*) in the Allow List / Block List field of the "Overrides" tab of a URL Filtering Profile (Case 4) and then click "OK".

Commit Failed: Screenshot 2

You will see the message shown in Screenshot 2 when the validation takes place after a commit operation is started with the "Commit" button of the GUI (Case 1).

Operation Failed - Custom URL filtering profile: Screenshot 3

You will see the message shown in Screenshot 3 when the validation takes place after you enter a nested wildcard (*) in the "Sites" field of a "Custom URL Category" and then click "OK" (Case 5).

If you see these messages during daily operation after upgrading to PAN-OS 8.0.8, please review our guide and then refine the URL patterns that contain nested wildcards.
View full article
kkawachi ‎02-26-2018 07:12 AM
4,703 Views
0 Replies
3 Likes
Issue

When upgrading the PAN-OS on WF-500 hardware running PAN-OS 7.1.x or earlier directly to 8.0.5 or later, you may run into an issue that causes SSH to become inaccessible after the upgrade.

Workaround

The current workaround is to install PAN-OS 8.0.4 first, then upgrade to 8.0.5 or later. This upgrade path avoids the issue that causes the loss of SSH access.

Steps to take if SSH access is lost:

1. If after upgrading you lose SSH access, connect to the WF-500 via console cable.
2. Boot into maintenance mode by typing "maint" after interrupting the boot process.
3. Select the previous disk image used prior to the upgrade (7.1.x) and select reboot.

This should restore SSH access to the WF-500 and allow you to continue with the upgrade. Thank you for your patience and understanding as we investigate the cause of this issue.
View full article
ldemos ‎02-23-2018 09:40 AM
1,999 Views
0 Replies
1 Like
The Maximum Transmission Unit (MTU) is only enforced when packets leave the Palo Alto Networks firewall, where the MTU of the egress interface is applied.

When receiving frames, the MRU (Maximum Receive Unit) is applied instead, which is higher than the typical MTU (and higher still if jumbo frames are enabled).

The MRU for all interfaces can be viewed by executing the following command:

> show system state filter-pretty sw.dev.runtime.ifmon.port-states | match mru
View full article
kikumar ‎02-22-2018 08:47 AM
2,608 Views
0 Replies
Overview

Policies can be set to perform configured actions on session traffic at scheduled times and days.

Steps

1. On the WebGUI, go to Objects > Schedules and click Add. Choose daily, weekly or non-recurring. To select multiple days during the week, choose weekly, then the day of week, start time and end time, and click Add.

On the CLI:

> configure
# set schedule schedule-block-youtube recurring daily 09:00-18:00

2. On the WebGUI, go to Policies > Security, open the Security Policy Rule, and select the schedule under Actions > Schedule.

On the CLI:

> configure
# set rulebase security rules block-youtube from L3-Trust to L3-Untrust source any destination any application youtube schedule schedule-block-youtube service any log-end yes action deny

3. Continue adding each day until the list is complete.

4. Commit the change.

Note: Sessions that began before the scheduled start time are not affected by the policy unless session rematch is enabled (Device > Setup > Session) AND a manual commit is made. The commit MUST be run manually via "commit force" from the CLI, or by adding or modifying something in the policy so that the commit option becomes available in the WebGUI.

See Also: How to Create a Schedule that Spans Two Days

owner: panagent
View full article
nrice ‎02-22-2018 08:41 AM
21,447 Views
4 Replies
Overview

There are circumstances where routers need to advertise default routes to their peers. This document illustrates how to redistribute a default route to a peer with or without having the default route in the routing table of the firewall.

Details

Enabling "Allow Redistribute Default Route" together with a redistribution profile that includes the default route is mandatory for the default route to be advertised to peers. The procedure is the same for OSPF and BGP.

If the default route is not available in the routing table, you can add the default route (0.0.0.0/0) directly to the protocol's redistribution profile (Network > BGP > Redistribution profile for BGP, or Network > OSPF > Export rule for OSPF), enable the "Allow Redistribute Default Route" option, and distribute the route.

The purpose of the "Allow Redistribute Default Route" option is to control whether the default route should be propagated even when it is part of a redistribution profile that matches all routes, including the default.

Troubleshooting - CLI

To check whether the default route is propagated, use the following CLI commands.

OSPF:

> show routing protocol ospf dumplsdb
1                 1.1.1.1         0.0.0.0/0          type-5 (External)    0x80000001 0x0000CEFE    29
                  Options: [External]
                  Mask 0.0.0.0, type 2, tos 0 metric: 1, forward 0.0.0.0, tag 0.0.0.0

BGP:

> show routing protocol bgp rib-out | match 0.0.0.0/0
0.0.0.0/0           10.46.40.1       peer-110   0.0.0.0          advertised  no aggregation  65001
0.0.0.0/0           10.46.40.1       subint-2   0.0.0.0          advertised  no aggregation  65001
0.0.0.0/0           10.46.40.1       tunnelpeer 0.0.0.0          advertised  no aggregation  65001

Troubleshooting - WebGUI

For BGP, the same information can be checked in the WebGUI under Virtual Router > BGP > RIB Out. There is no equivalent WebGUI view for OSPF.

owner: mchandrase
View full article
kprakash ‎02-22-2018 03:17 AM
18,645 Views
5 Replies
Symptom

Checking Dynamic Updates under the Device tab and clicking the Check Now button displays the following error: "Failed to check content upgrade info due to generic communication error. Please check network connectivity and try again."

Cause

There can be several reasons for this message, and they are usually related to how the firewall reaches the internet.

Resolution

1. Verify the firewall has DNS servers configured so that it can resolve updates.paloaltonetworks.com. From the WebGUI, go to Device > Setup > Services: DNS servers.

2. Ensure the firewall has an appropriate default gateway, and that the interface speed and duplex are set to match the switch it is connected to (Management interface properties).

3. Make sure the firewall is able to resolve FQDNs:

admin@firewall> ping host www.example.com
PING www.example.com (93.184.216.34) 56(84) bytes of data.
64 bytes from 93.184.216.34: icmp_seq=1 ttl=52 time=107 ms
64 bytes from 93.184.216.34: icmp_seq=2 ttl=52 time=106 ms
64 bytes from 93.184.216.34: icmp_seq=3 ttl=52 time=106 ms
^C
--- www.example.com ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2002ms
rtt min/avg/max/mdev = 106.349/106.643/107.025/0.388 ms

4. Traceroute to updates.paloaltonetworks.com and verify the correct path is taken (the final host will not reply):

admin@firewall> traceroute host updates.paloaltonetworks.com
traceroute to 199.167.52.141 (199.167.52.141), 30 hops max, 40 byte packets
 1   10.192.16.1 (10.192.16.1)   0.522 ms   0.507 ms   0.497 ms
 2   1.111-11-1.adsl-static.isp.belgacom.be (1.11.111.1)   32.761 ms   32.753 ms   32.740 ms
 3   2.222-22-2.adsl-static.isp.belgacom.be (2.22.222.2)   81.856 ms * *
 4   * * *
 5   * * *
 6   * * *
 7   prs-bb4-link.telia.net (213.155.136.222)   82.884 ms * *
 8   ash-bb4-link.telia.net (62.115.122.159)   142.306 ms   147.212 ms *
 9   sjo-b21-link.telia.net (80.91.248.188)   226.073 ms   222.208 ms   214.858 ms
10   internap-ic-140172-sjo-b21.c.telia.net (213.248.81.134)   201.253 ms   198.637 ms   219.945 ms
11   66.151.144.15 (66.151.144.15)   225.185 ms   242.096 ms   178.880 ms
12   paloaltonetit-5.border3.sje011.pnap.net (66.151.155.74)   194.397 ms * paloaltonetit-5.border3.sje011.pnap.net (66.151.155.74)   206.609 ms
13   * * *
14   * * *
15   * * *
16   * * *

5. Verify Service Routes are set as expected; some services may need to be redirected over a dataplane interface if the management network is isolated (Use Default or Custom settings).

6. Make sure the firewall is allowed to make outbound connections through the security policy. Note that the rule used for this traffic has no URL filtering or file blocking profile attached.

7. If SSL decryption is used, "Verify Update Server Identity" may need to be disabled if updates.paloaltonetworks.com is not excluded from decryption (Verify Update Server Identity).
View full article
tgupta ‎02-20-2018 08:56 AM
40,836 Views
24 Replies
1 Like
To upgrade the User-ID agent:

1. Navigate to Services and stop the User-ID Agent service.
2. Navigate to Program Files > Palo Alto Networks > User-ID Agent.
3. Zip the User-ID Agent folder and back it up to a different location.
4. Log in to support.paloaltonetworks.com and download the latest User-ID Agent.
5. Perform the install.

Once the install is done, the latest agent should start running with all the configuration retrieved from the previous agent.

owner: mvenkatesan
View full article
mvenkatesan ‎02-12-2018 01:09 AM
16,520 Views
4 Replies
5 Likes
Issue: SSL inbound inspection policies worked correctly when configured on PAN-OS 7.1, but after upgrading to 8.0 the sessions fail and the logs show decrypt errors. This is seen when the server uses a certificate with an intermediate certificate in the chain.

Cause: Prior to PAN-OS 8.0, inbound inspection was completely passive. In 8.0, with ECC and DHE support, the firewall takes a more active role in the handshake.

Confirmation: A packet capture on the firewall will confirm whether the firewall is sending the full certificate chain or only the server certificate to the client. Check the Server Hello packet, which includes the certificates; if only the server certificate is sent, this may be the cause.

Fix: Re-import the certificate from your web server to the firewall, making sure you combine the server certificate with the intermediate CA certificate (but not the root CA).

Here are the steps to do so: https://live.paloaltonetworks.com/t5/Management-Articles/How-to-Install-a-Chained-Certificate-Signed-by-a-Public-CA/ta-p/55523

Additional information: https://live.paloaltonetworks.com/t5/General-Topics/Panos-8-inbound-ssl-inspection/m-p/183289
View full article
jarena ‎02-08-2018 05:18 AM
8,713 Views
0 Replies
How to test whether our URL Filtering service is properly enforcing an organization's policies for malicious and benign URLs. Things can get a bit tricky for gray-area categories, such as adult, as you generally don't want to visit an adult site at work, and you obviously don't want to actually visit a malicious URL either. We have test URLs for all categories that are 100% benign and have been categorized into their respective categories for testing purposes.
View full article
neg273 ‎02-08-2018 02:57 AM
20,132 Views
1 Reply
5 Likes
Connecting HA1 and HA2 - A/P

- Use the dedicated HA interfaces on the platforms.
- If the firewalls are in the same site/location, connect the HA1 and HA2 links back to back. This helps convergence.
- Always connect backup links for HA1 and HA2.
- The HA1 interface should be faster than HA2.
- HA heartbeat backup is recommended.

Configuring HA settings - Passive Link Settings

Set the passive link state to "Auto". The Auto setting brings the interfaces on the passive firewall to the UP physical state, although they will not pass any data traffic. This facilitates faster failover times.

HA timers

It is recommended to start with the "Recommended" HA timer setting. If needed, move to the "Aggressive" setting.

HA to act on network failures - Link and Path Monitoring

- Have both link and path monitoring enabled.
- Link Monitoring: monitor all important links for which a failover should happen when the link goes down.
- Path Monitoring: monitor more than one path (prefix); do not depend on a single path.

Networking - Best Practices

- Graceful Restart (GR) is enabled by default on BGP and OSPF. GR must also be enabled on the neighboring routers for it to work. GR maintains the forwarding tables during switchover instead of flushing them, which is a much faster mechanism than depending on the routing protocol to reconverge.
- If Aggregate Ethernet interfaces (port channels) with LACP are used, enable the LACP pre-negotiation feature to speed up convergence, together with the passive link state set to Auto. LACP pre-negotiation sends LACP messages out of the passive firewall's port channel and brings the AE link up beforehand, which helps with fast failover.
View full article
vbalasubra ‎02-08-2018 01:33 AM
4,695 Views
0 Replies
Palo Alto Networks automation starting with PAN-OS 8.0, and Dynamic Address Groups (DAG). This capability is important for building a self-defending Data Center without having to apply policies manually.
View full article
MarceloRey ‎02-06-2018 12:49 AM
3,257 Views
0 Replies
2 Likes
Symptoms

When Policy Based Forwarding (PBF) is configured with the "Enforce Symmetric Return" option enabled but without a Next Hop Address, forwarding may occasionally fail.

See also: How to Configure Symmetric Return

Diagnosis

When the issue occurs, you can see that the return MAC entries have reached their maximum when you run the show pbf return-mac all command.

user@firewall> show pbf return-mac all
current pbf configuation version:   1
total return nexthop addresses :    0
index   pbf id  ver  hw address          ip address                      return mac          egress port
--------------------------------------------------------------------------------
maximum of ipv4 return mac entries supported :     1000
total ipv4 return mac entries in table :           1000
total ipv4 return mac entries shown :              1000
status: s - static, c - complete, e - expiring, i - incomplete
pbf rule        id   ip address      hw address        port         status   ttl
--------------------------------------------------------------------------------

Note: The maximum number of entries that this table supports is limited by the firewall model and is not user configurable. To determine the limit for your model, use the CLI command show pbf return-mac all.

Solution

This issue only occurs if the 'Next Hop Address' is not set in a PBF rule that has symmetric return enabled. Therefore, configure a valid peer IP address in the Next Hop Address list to avoid running into the issue.

Add a Next Hop Address

Setting the Next Hop Address ensures that only the appropriate return MAC addresses are learned for Symmetric Return:

> show pbf return-mac all
maximum of ipv4 return mac entries supported : 16000
total ipv4 return mac entries in table : 12800
total ipv4 return mac entries shown : 12800
status: s - static, c - complete, e - expiring, i - incomplete
pbf rule     id   ip address   hw address          port          status   ttl
--------------------------------------------------------------------------------
symmectric   1    8.0.0.2      00:1b:17:05:f1:17   ethernet1/1   c        737
symmectric   1    8.0.0.3      00:1b:17:05:f1:17   ethernet1/1   c        742
symmectric   1    8.0.0.4      00:1b:17:05:f1:17   ethernet1/1   c        741
symmectric   1    8.0.0.5      00:1b:17:05:f1:17   ethernet1/1   c        743
symmectric   1    8.0.0.6      00:1b:17:05:f1:17   ethernet1/1   c        746
symmectric   1    8.0.0.7      00:1b:17:05:f1:17   ethernet1/1   c        743
symmectric   1    8.0.0.8      00:1b:17:05:f1:17   ethernet1/1   c        742
symmectric   1    8.0.0.9      00:1b:17:05:f1:17   ethernet1/1   c        741
symmectric   1    8.0.0.10     00:1b:17:05:f1:17   ethernet1/1   c        745
symmectric   1    8.0.0.11     00:1b:17:05:f1:17   ethernet1/1   c        746

Author: tsakurai
View full article
tsakurai ‎02-02-2018 12:19 AM
2,669 Views
0 Replies
After matching a custom application, the Palo Alto Networks firewall cannot create the PREDICT session via the ALG, which might result in 'file transfer failed on ftp data connection'. We have a solution.
View full article
tsakurai ‎02-01-2018 08:23 AM
5,895 Views
0 Replies