This Nominated Discussion Article is based on the post " What would this number be at the end of some signatures? " by @filipe.r.oliveira and answered by myself, JayGolf!
Guys, I saw that there is sometimes a different number in the same signature. What would that be? What is it for? Is there any documentation talking about it? If I block the subscription with a number and another one appears with another number, do I have to do this blocking too, or do these numbers not interfere with the subscription blocking and just put the name? Example:
1- DESCRIPTION AndroxGh0st Scanning Traffic Detection(86759)
2- DESCRIPTION AndroxGh0st Scanning Traffic Detection(86760)
If you can help me with these questions, please!
Thank you for your attention!
These numbers represent the version number of the signature. In this case, "DESCRIPTION AndroxGh0st Scanning Traffic Detection(86760)" is the later version of the signature. You don't need to manually block each version as the latest threat updates include the most recent signatures.
In today's digital world, where encryption is all around us, SSL decryption becomes a real superhero in the fight against hidden threats and bolstering network security. Luckily, Palo Alto Networks Next-Generation Firewall comes to the rescue with its powerful SSL decryption capabilities.
This Nominated Discussion Article is based on the post " Palo Alto BGP routes from Azure " by @S_Williams901 . Read on to see Cyber Elite @aleksandar.astardzhiev response!
Palo 5220 running at the edge, using a VPN tunnel to Azure Virtual WAN running eBGP. Palo iBGP peered to switches, switches peered eBGP to Azure Express Route. My issue is that the VPN route is always installed in the route table rather than the Express Route one, I assume because eBGP is AD 20 vs iBGP AD 200. I have tried local pref and weight on the Palo to try and force it to install the iBGP route coming from Express Route, with no luck. Anyone else have a similar issue?
During route lookup, administrative distance is always checked first, so no matter what MED, local pref or weight you set, eBGP will always be preferred. AD is used to select between routes learned from different routing protocols, while the BGP metrics are used when multiple routes from the same routing protocol are learned.
Obviously the quick and dirty fix is to increase (or decrease) the administrative distance for either iBGP or eBGP. However, you need to double check how this will affect any other routing in your environment, since this change is per virtual router and will affect all routes.
Have you considered the option to use eBGP between the firewall and the switches? You could assign a dedicated private AS number to the firewall, which is different from the AS of the switches. This way you could play with BGP metrics and tell the FW to use Express Route when available.
This Nominated Discussion Article is based on the post " Merging Two Palo Configs " by @john.mayer and responded to by Cyber Elites @TomYoung, @OtakarKlier, and Community Moderator @JayGolf. Read on to see the discussion and solution!
This Nominated Discussion Article is based on the post " Adding a firewall back into an AP cluster that has outdated network and device settings " by @AlanDeBoer and responded to by @Raido_Rattameister . Read on to see the solution!
I'm curious if anyone can provide an article or just some basic steps for adding a firewall back into an AP cluster that has "outdated" network and device settings.
Firewall-02 was moved to a new location and has a new IP scheme for the network and device settings.
Firewall-01 will be physically moved and needs to rejoin the cluster, but it does have outdated IP settings.
I'm assuming the first step is to power up 01 without any copper/fiber connected and console into 01 and update the device management IP first.
Step 1 - Take config backup from both firewalls (Device > Setup > Operations).
Step 2 - Make sure that the "Device Priority" of Firewall-02 is lower than that of Firewall-01, to make sure Firewall-02 stays the active firewall.
Step 3 - Cabling (at minimum HA1 cable).
Step 4 - Click "Sync to peer" in Firewall-02 (Dashboard > High Availability widget).
If you click "Sync to peer" on Firewall-01 you will push the old NIC scheme from Firewall-01 to Firewall-02 and your network will go down!
In addition, change the mgmt IP as you pointed out.
This Nominated Discussion Article is based on the post " Palo Alto integration with Azure Sentinel" by @ShailUpadhyay. Read on to see Cyber Elite @PavelK's recommendation!
We are currently working on setting up Azure Sentinel for our environment, and integration of PA firewalls with Sentinel is our topmost priority.
However we need to understand what will be the best approach for integration.
Should we integrate independent firewalls with Azure Sentinel, or Panorama with Azure Sentinel, or both the firewalls and Panorama with Azure Sentinel? Also, what factors drive this decision? Any leads will be helpful.
In our case, we have been using the following scenario for about 3 years:
Logs are sent from the firewalls to Panorama, then from Panorama to Logstash, then from Logstash to Sentinel. We never really ran into any issue. The only issue we came across once was that we started to see log loss between the firewalls and Panorama, which naturally resulted in missing logs in Sentinel. This was eventually resolved by adding additional log collectors to the log collector group.
Personally, I believe that having all firewalls send logs to Panorama and then letting Panorama send all logs to Sentinel has many benefits, for example ease of management or ease of troubleshooting, as you have only one place to look.
On the other hand, if you have many firewalls with a high log volume, then you might hit the ingestion rate limit of Panorama, where Panorama would be a bottleneck (this of course depends on the Panorama model and log collector design). In this case, having the firewalls send logs directly to Sentinel would be a better option.
Having both the firewalls and Panorama send logs to Sentinel would be the last choice, one that I would preferably avoid: you will end up with log duplication.
Experiencing an issue where a commit to Panorama succeeds, but the push to the device fails with status 'none' and the error message 'no detail'? Read on to see @Tom-Lee's findings. Thanks for sharing with the community!
We recently had this issue where, after upgrading firewalls to 10.1, Panorama gave an error on push to certain firewalls with the description "none", which wasn't very helpful. On further process of elimination we discovered the error occurred only on VM firewalls in AWS. Panorama wouldn't even try to push the device templates or give any meaningful error messages.
It was only when prompted that we checked the plugin versions. Panorama 10.1.8-h2 after the upgrade had vm_series-2.1.6, whereas the firewall image included vm_series-2.1.7!
A reminder to all on PAN-OS updates: check not just that your Panorama is on a higher or equal software version, but also the AV/Threat AND plug-in versions!
The reason the template push failed specifically to AWS is that we utilize the CloudWatch configuration in the template for AWS, whereas other VM-Series firewalls didn't have this configuration in the template. The error was not shown in Panorama, but basically the template was not compatible with the firewall, as Panorama did not have support for 2.1.7.
Other strange issues on upgrade from 9.1.x to 10.1.x :-
We also had issues when setting up User-ID redistribution agents; they would not connect to Panorama or some firewalls. When using the default secure comms certificate, the built-in PAN-OS certificate is used, and if this expires, again no messages are displayed to make this obvious. In our case the scheduled dynamic content update after the upgrade hadn't worked, and it required a manual check now, download and install of the latest content version to refresh the built-in certificate. This is not to be confused with other firewall certificates, as there is also the device certificate (used to communicate with Palo Alto Cloud) and the Cortex Data Lake specific certificate (used to communicate with the customer-specific instance), in addition to the user-based certs that can be installed for the management console or SSL decrypt / client auth.
Creating this article to help others searching for quick answers!
See also here https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000wkupCAA
This Nominated Discussion Article is based on the post "Aggregate interface per cli " by @Shadow and answered by @Metgatz . Read on to see the discussion and solution!
I am in search of how to create an aggregate interface per cli.
I am using eve-ng and the option to create the ae via the GUI is not available.
set network interface aggregate-ethernet ae1 layer2 lacp enable yes
set network interface ethernet ethernet1/3 aggregate-group ae1
set network interface ethernet ethernet1/4 aggregate-group ae1
set network interface aggregate-ethernet ae1 layer2 units ae1.100 tag 100
set address 192.168.1.1 ip-netmask 192.168.1.1/24
set network profiles interface-management-profile Trust https yes
set network profiles interface-management-profile Trust ssh yes
set network profiles interface-management-profile Trust snmp yes
set network profiles interface-management-profile Trust ping yes
set network interface vlan units vlan.100 ip 192.168.1.1
set network interface vlan units vlan.100 interface-management-profile Trust
set zone Trust-L3 network layer3 vlan.100
set network virtual-router default interface vlan.100
set network vlan vlan100 virtual-interface interface vlan.100
set network vlan vlan100 interface ae1.100
set import network interface [ ae1 ae1.100 vlan.100 ]
commit
This article is based on a discussion, " Precedence of Routing\NAT\Policy ". Read on to see Cyber Elite @TomYoung's response!
Hello, I am following this guide to set up ISP failover: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PLL8CAO
The problem is that my failover ISP (Starlink) does not provide me a static IP address.
How would you recommend accomplishing what I want to do when the failover ISP provides a DHCP address?
If you want the static ISP to be primary, and the DHCP ISP to be secondary, configure the static route for the static ISP just like the document. Then set the metric for the DHCP default route to be higher than the static route.
Only the default route to the static ISP will be active (A) in the route table (Show Runtime Stats). When there is a failure (cannot ping the Path Monitoring IP addresses), that default route will be removed. The DHCP ISP default route will then be used.
Very important! Do not use only one destination IP address under Path Monitoring! Use at least 2 with the Failure Condition set to "all." Then if one public IP goes down for maintenance, your Internet does not fail over.
This article is based on a discussion, " Precedence of Routing\NAT\Policy ". Read on to see Cyber Elite @TomYoung's response!
I want to know what the correct precedence is among Routing, NAT and Security Policy.
So if a packet hits the outside zone of the firewall, is the process below correct?
1. Whether the FW has a route for the destination 184.108.40.206 (If YES)
2. Whether there is any NAT policy (If YES) (Assume -> after NAT, 220.127.116.11 is translated to 18.104.22.168)
3. Then should the security policy allow the original destination IP (22.214.171.124) or the translated destination IP (126.96.36.199)?
Great question! A good general rule is "Pre-NAT IP, post-NAT everything else." For example, in this document -> NAT Configuration Examples the IP in the security policy is pre-NAT, while the destination zone is post-NAT. Scroll down to the bottom to see the NAT and security policy rules.
With regard to precedence, a good diagram is this one taken from the PCNSE study guide on Beacon.
Of the order you mentioned, the route lookup is done 1st (Forwarding Lookup). Then the NAT policy lookup is 2nd (DNAT check). However, NAT is not applied to the packets until the egress interface (Forward Traffic). The forwarding/NAT lookup is necessary to determine the destination zone. Then the security policy is checked last. That is why the IP address in the security policy is pre-NAT.
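The lookup order in the answer above, as an added example that is not part of the original thread and not Palo Alto Networks code: a small model of the packet path with a constructed route table, one destination-NAT rule and two security rules, one written with the pre-NAT destination IP (as the "Pre-NAT IP, post-NAT everything else" rule says) and one mistakenly written with the post-NAT IP. All addresses, zones and rule names are constructed for the example.

```python
import ipaddress

# Constructed sample configuration for this example (not from the thread).
# Addresses come from documentation ranges; zones and rule names are made up.
ROUTES = [                       # (destination prefix, zone of the egress interface)
    ("0.0.0.0/0", "untrust"),
    ("10.0.0.0/8", "trust"),
    ("192.168.100.0/24", "dmz"),
]
DNAT_RULES = [                    # (original destination, translated destination)
    ("203.0.113.10", "10.1.1.10"),
]
SECURITY_RULES = [                # evaluated top-down, first match wins
    # Written correctly: pre-NAT destination IP, post-NAT destination zone.
    {"name": "allow-web", "from": "untrust", "to": "trust",
     "dst": "203.0.113.10", "action": "allow"},
    # Written incorrectly: the post-NAT IP. At policy-lookup time the packet's
    # destination is still 203.0.113.10, so this rule can never match.
    {"name": "broken-post-nat-ip", "from": "untrust", "to": "trust",
     "dst": "10.1.1.10", "action": "allow"},
]


def route_lookup(dst_ip, routes=ROUTES):
    """Longest-prefix match; returns the zone of the chosen egress interface."""
    addr = ipaddress.ip_address(dst_ip)
    best = None
    for prefix, zone in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, zone)
    if best is None:
        raise LookupError(f"no route to {dst_ip}")
    return best[1]


def dnat_lookup(dst_ip, nat_rules=DNAT_RULES):
    """Return the translated destination, or None when no DNAT rule applies."""
    for original, translated in nat_rules:
        if original == dst_ip:
            return translated
    return None


def process_packet(src_zone, dst_ip, rules=SECURITY_RULES):
    """Trace the lookups in the order the thread describes and return the outcome."""
    # 1. Forwarding lookup on the packet as received (original destination).
    initial_zone = route_lookup(dst_ip)
    # 2. DNAT check: the translation is recorded, but not applied yet.
    translated = dnat_lookup(dst_ip)
    # 3. Forwarding lookup again on the post-NAT destination; this yields the
    #    destination zone that the security policy is matched against.
    dst_zone = route_lookup(translated) if translated else initial_zone
    # 4. Security policy lookup: pre-NAT destination IP, post-NAT destination zone.
    matched = next((r for r in rules
                    if r["from"] == src_zone and r["to"] == dst_zone
                    and r["dst"] == dst_ip), None)
    action = matched["action"] if matched else "deny"  # implicit interzone deny
    # 5. NAT is applied at egress, and only for sessions the policy allowed.
    egress_dst = (translated or dst_ip) if action == "allow" else None
    return {"initial_zone": initial_zone, "translated": translated,
            "dst_zone": dst_zone, "rule": matched["name"] if matched else None,
            "action": action, "egress_dst": egress_dst}
```

Running `process_packet("untrust", "203.0.113.10")` shows the first forwarding lookup landing in `untrust`, the second (post-NAT) lookup landing in `trust`, and `allow-web` matching on the original 203.0.113.10 with destination zone `trust`; with only the post-NAT-IP rule in place the session falls through to the implicit deny, which is the symptom of putting the translated address in the security rule.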
This article is based on a discussion, "IPSEC Tunnel to ASA". Read on to see the solution!
I am setting up an IPSec tunnel to an ASA. I am getting an error message about the PEERID type only allowing IP but receiving FQDN. Per the other KB article, I changed the PAN Exchange mode to Aggressive.
Now the PAN received an FQDN from the ASA side and listed the FQDN in the system logs.
My question: where in the ASA can you configure the PEER and LOCAL ID in the Phase 1 settings? I am not seeing that option, so I cannot figure out how the PAN is getting the FQDN.
Configure PA Firewall (Network > IKE Gateways > Configure IKE Gateway), as in the example below. Ensure that the Local and Peer Identification match with the Cisco Router.
Note: Use Aggressive Exchange Mode and Enable Passive Mode if the other end is a Dynamic IP. Choose a local and peer Identification for IKE phase 1 and match this to the Cisco Router Configuration.
With the Cisco router in VTI mode, configure IKE Gateway (see example below). Again, ensure that the Local and Peer Identification match with the Palo Alto Networks firewall.
With the Cisco router in equivalent Crypto Map mode, configure IKE Gateway (see example below).
This article is based on a discussion, "ECMP ". Read on to see @Raido_Rattameister's response!
Our question is "How can the firewall choose the route without configuring the ECMP?"
Appreciate your support as mentioned in this documentation:
" Without this feature, if there are multiple equal-cost routes to the same destination, the virtual router chooses one of those routes from the routing table and adds it to its forwarding table; it will not use any of the other routes unless there is an outage in the chosen route"
If you have multiple route entries to the same destination with the same metric you need ECMP to be enabled.
ECMP path choosing methods are:
- IP Modulo (default)—The virtual router load balances sessions using a hash of the source and destination IP addresses in the packet header to determine which ECMP route to use.
- IP Hash—There are two IP hash methods that determine which ECMP route to use: If you select IP Hash, by default the firewall uses a hash of the source and destination IP addresses. If you Use Source Address Only (available in PAN-OS 8.0.3 and later releases), the firewall ensures that all sessions belonging to the same source IP address always take the same path. If you also Use Source/Destination Ports, the firewall includes the ports in either hash calculation. You can also enter a Hash Seed value (an integer) to further randomize load balancing.
- Weighted Round Robin—You can use this algorithm to take into consideration different link capacities and speeds. When choosing this algorithm, the Interface dialog opens. Add and select an Interface to include in the weighted round robin group. For each interface, enter the Weight for that interface (range is 1 to 255; default is 100). The higher the weight for a specific equal-cost path, the more often that equal-cost path is selected for a new session. A higher speed link should be given a higher weight than a slower link so that more of the ECMP traffic goes over the faster link. You can then Add another interface and weight.
- Balanced Round Robin—Distributes incoming ECMP sessions equally across links.
Another option is to use Policy Based Forwarding.
PBF is checked first, and if traffic matches a PBF policy then the PBF route takes precedence and virtual router routes are not checked.
You can't configure multiple routes with the same metric if you don't enable ECMP.
So without ECMP, the metric is used to decide the route.
The smaller metric configured on a static route will take precedence.
The commit will fail if you have multiple routes to the same destination with the same metric without enabling ECMP.
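The four ECMP methods listed above, plus the non-ECMP case where only the metric decides, as an added example that is not from the thread and not Palo Alto Networks code. The hash used here is a truncated SHA-256 standing in for the firewall's undocumented hash (an assumption), and the round-robin classes implement the smooth weighted round-robin algorithm so that the weight ratio holds over any window of sessions. Interface names, weights and session tuples are constructed.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Path:
    interface: str
    weight: int = 100        # used by weighted round robin; PAN-OS range is 1-255


def _hash(parts, seed=0):
    """Stable hash over the selected header fields. The real firewall hash is
    not public; a truncated SHA-256 stands in for it here (assumption)."""
    h = hashlib.sha256(str(seed).encode())
    for part in parts:
        h.update(b"|" + str(part).encode())
    return int.from_bytes(h.digest()[:8], "big")


def ip_modulo(paths, session):
    """Default method: hash of source and destination IP, modulo the path count."""
    return paths[_hash((session["src"], session["dst"])) % len(paths)]


def ip_hash(paths, session, source_only=False, use_ports=False, seed=0):
    """IP Hash method. With source_only, every session from one source IP takes the
    same path (this example then ignores the ports to keep that guarantee, an
    assumption); use_ports adds the L4 ports; seed re-randomises the spread."""
    if source_only:
        parts = (session["src"],)
    elif use_ports:
        parts = (session["src"], session["dst"], session["sport"], session["dport"])
    else:
        parts = (session["src"], session["dst"])
    return paths[_hash(parts, seed) % len(paths)]


class WeightedRoundRobin:
    """Smooth weighted round robin: over time each path receives new sessions in
    proportion to its weight, so a faster link with a higher weight gets more."""

    def __init__(self, paths):
        for p in paths:
            if not 1 <= p.weight <= 255:
                raise ValueError(f"{p.interface}: weight must be between 1 and 255")
        self.paths = list(paths)
        self.credit = {p.interface: 0 for p in self.paths}
        self.total = sum(p.weight for p in self.paths)

    def next_path(self):
        for p in self.paths:
            self.credit[p.interface] += p.weight
        chosen = max(self.paths, key=lambda p: self.credit[p.interface])
        self.credit[chosen.interface] -= self.total
        return chosen


class BalancedRoundRobin(WeightedRoundRobin):
    """Equal share per path: new sessions simply cycle through the links."""

    def __init__(self, paths):
        super().__init__([Path(p.interface, 1) for p in paths])


def needs_ecmp(static_routes):
    """True when two routes to the same destination share a metric; without ECMP
    such a configuration does not commit."""
    metrics = [metric for _, metric in static_routes]
    return len(set(metrics)) != len(metrics)


def select_without_ecmp(static_routes):
    """Without ECMP only the metric decides: the lowest metric wins."""
    if needs_ecmp(static_routes):
        raise ValueError("multiple routes with the same metric require ECMP")
    return min(static_routes, key=lambda r: r[1])[0]
```

Two properties worth checking when you run it: with `source_only=True`, sessions from the same source to different destinations always land on the same path, and a weighted group with weights 200 and 100 sends exactly two thirds of new sessions over the heavier path in every window of three picks.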
This article is based on a discussion, Security Profiles - URL Filtering - Update Multiple Categories within all Profiles.
Read on to see how @PingMyServer was able to accomplish this from the CLI.
Hello all, I'm looking for some suggestions, or information on how I can quickly update all security profiles, with 3 select objects at once. In total, our Panorama has 129 profiles, so I would need to login to all 129 profiles, and update 3 categories in them to block.
By way of the gui, I think the only way would be able to edit 1 profile at a time, and search all 3 categories, and update them accordingly. Can anyone suggest any easier way to maybe resolve this?
Solution for Update Multiple Categories Within All Security Profiles With the CLI:
After doing further research, I found that through the CLI you can do this fairly easily using the following commands. You can pull your profile names from the command "set device-group GROUP1 profiles" and pressing Tab. It takes a little work, but with Excel you can get all the commands you need fairly quickly.
set device-group GROUP1 profiles url-filtering PROFILE_NAME block ransomware
set device-group GROUP1 profiles url-filtering PROFILE_NAME block encrypted-dns
set device-group GROUP1 profiles url-filtering PROFILE_NAME block real-time-detection
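The spreadsheet step from the answer above done in code, as an added example that is not part of the original post: it takes a pasted list of profile names, drops blanks and duplicates, and expands it against the three categories into one `set` command per profile and category, quoting any profile name that contains a space (PAN-OS set commands require double quotes around such names). The device group and categories are the ones from the thread; the profile names are constructed.

```python
DEVICE_GROUP = "GROUP1"          # from the thread's commands
CATEGORIES = ("ransomware", "encrypted-dns", "real-time-detection")

# Constructed sample list of profile names, as it might be pasted from the
# CLI tab-completion output or a spreadsheet column (not real profile names).
SAMPLE_PROFILE_LIST = """
# url-filtering profiles in GROUP1
URL-Corp-Standard
URL-Guest
Branch Office URL
URL-Guest
"""


def quote_name(name):
    """PAN-OS set commands require double quotes around names that contain spaces."""
    return f'"{name}"' if " " in name else name


def parse_profile_names(text):
    """One name per line; blank lines, '#' comments and duplicates are dropped."""
    seen, names = set(), []
    for line in text.splitlines():
        name = line.strip()
        if not name or name.startswith("#") or name in seen:
            continue
        seen.add(name)
        names.append(name)
    return names


def build_commands(device_group, profiles, categories, action="block"):
    """One 'set' command per profile and category, ready to paste into configure mode."""
    return [
        f"set device-group {device_group} profiles url-filtering "
        f"{quote_name(profile)} {action} {category}"
        for profile in profiles
        for category in categories
    ]


if __name__ == "__main__":
    names = parse_profile_names(SAMPLE_PROFILE_LIST)
    print("\n".join(build_commands(DEVICE_GROUP, names, CATEGORIES)))
```

The generated lines are pasted into configure mode on Panorama and followed by a commit, exactly as the hand-built commands were; review the output before pasting, since a stray name in the input list becomes a command against a profile you did not intend to touch.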
This article is based on a discussion, Prioritizing a BGP route over other BGP routes for IPSec tunnel traffic redirection, posted by @tamilvanan . Read on to see the guidance from our Cyber Elite @aleksandar.astardzhiev!
We have a physical firewall on-premise. We have three ISPs and a single virtual router with ECMP enabled (Balanced Round Robin).
Recently, we configured two pairs of IPsec tunnels (pair 1: tunnel 1 and tunnel 2; pair 2: tunnel 3 and tunnel 4) to communicate with the AWS peer (only one subnet on AWS, 10.x.x.x/24) using the BGP method for successful failover.
ISP 1 -->Tunnel 1, Tunnel 2
ISP 2-->Tunnel 3 and Tunnel 4
As we have already enabled the ECMP Balanced Round Robin method, the traffic is currently passing through tunnel 2 and tunnel 4.
Now, we need the traffic to pass through only tunnel 1 and the traffic should pass through other tunnels only if the tunnel 1 fails. All the tunnels are configured under BGP.
Thanks in advance!
My guess is that we have some metrics mechanism which will influence the tunnel through which the traffic will egress.
I don't understand what ECMP has to do with this question... I understand you use ECMP for Internet access (your default route), but on top of that we are talking about IPsec tunnels, so the routing to the AWS private range has nothing to do with ECMP (as long as you have any tunnel up 🙂). So I will abstract from this.
Now I understand that you are receiving the AWS prefix via BGP from all four tunnels. So all you have to do is create an import policy under BGP. As I said, with BGP you have lots of options to control what you receive, how you receive it and what you advertise; probably the most straightforward would be:
- Create one import policy for the BGP peer over tunnel 1
- Since you receive only one prefix, you can leave the "match" tab as it is (meaning match any route received from that peer)
- On the "action" tab put 100 as local preference (for example)
- Create one more import policy below the previous one for the BGP peers over tunnels 2, 3 and 4
- Leave the match tab as it is
- On the "action" tab put 200 for local preference
This way your firewall will receive the same prefix over all four tunnels, but it will prefer the route over tunnel 1. If this tunnel fails, the BGP peering will also fail and the FW will stop receiving the prefix from tunnel 1, so it will switch to the other tunnels.
Now, depending on what you actually want to accomplish, you may want to split the second import policy and have four different policies, one for each BGP peer, with a different local pref for each.
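Route selection as it applies to three of the threads on this page (the Azure eBGP-versus-iBGP question, the ISP failover with path monitoring, and the tunnel preference just described), as an added example that is not from any of the threads and not Palo Alto Networks code. It models the order the answers describe: path-monitor state withdraws an unusable static route, administrative distance is compared before any protocol attribute (PAN-OS defaults: static 10, eBGP 20, iBGP 200), and only among BGP routes does local preference decide, where in BGP the higher value is preferred, so the example gives the preferred tunnel the higher number. Prefixes, peer names and monitor targets are constructed.

```python
import ipaddress
from dataclasses import dataclass, field

# PAN-OS default administrative distances for the route sources used here.
DEFAULT_AD = {"connected": 0, "static": 10, "ebgp": 20, "ibgp": 200}


@dataclass
class Route:
    prefix: str
    next_hop: str                    # interface or peer label (constructed names)
    protocol: str                    # one of DEFAULT_AD's keys
    metric: int = 10
    local_pref: int = 100            # BGP attribute: higher is preferred
    monitors: dict = field(default_factory=dict)  # path-monitor target -> reachable?
    failure_condition: str = "any"   # "any" or "all"

    def usable(self):
        """Path monitoring withdraws a static route once its failure condition is met."""
        if not self.monitors:
            return True
        down = [not reachable for reachable in self.monitors.values()]
        if self.failure_condition == "all":
            return not all(down)     # withdrawn only when every target is unreachable
        return not any(down)         # withdrawn as soon as one target is unreachable


def _plen(route):
    return ipaddress.ip_network(route.prefix).prefixlen


def select_route(routes, dst, ad=DEFAULT_AD):
    """Pick the route that would be installed in the forwarding table for dst."""
    addr = ipaddress.ip_address(dst)
    cands = [r for r in routes
             if r.usable() and addr in ipaddress.ip_network(r.prefix)]
    if not cands:
        return None
    longest = max(map(_plen, cands))
    cands = [r for r in cands if _plen(r) == longest]           # longest prefix first
    # 1. Administrative distance is compared before any protocol attribute.
    best_ad = min(ad[r.protocol] for r in cands)
    cands = [r for r in cands if ad[r.protocol] == best_ad]
    # 2. Among BGP routes, the higher local preference wins.
    if all(r.protocol in ("ebgp", "ibgp") for r in cands):
        best_lp = max(r.local_pref for r in cands)
        cands = [r for r in cands if r.local_pref == best_lp]
    # 3. Lowest metric last; ties keep table order.
    return min(cands, key=lambda r: r.metric)


def azure_scenario():
    """eBGP over the VPN (AD 20) beats iBGP from the switches (AD 200) no matter
    how high the local preference on the iBGP route is set."""
    routes = [Route("10.50.0.0/16", "vpn-to-azure", "ebgp", local_pref=100),
              Route("10.50.0.0/16", "switch-expressroute", "ibgp", local_pref=500)]
    return select_route(routes, "10.50.1.1").next_hop


def tunnel_scenario(tunnel1_up=True):
    """Four BGP peers advertise the AWS prefix; the import policy gives tunnel 1
    the highest local preference, so it wins until its peering drops."""
    routes = [Route("10.20.0.0/24", "tunnel.1", "ebgp", local_pref=200)] if tunnel1_up else []
    routes += [Route("10.20.0.0/24", f"tunnel.{n}", "ebgp", local_pref=100) for n in (2, 3, 4)]
    return select_route(routes, "10.20.0.5").next_hop


def isp_failover_scenario(monitor_state, failure_condition="all"):
    """Static default route with two path-monitor targets, plus a DHCP default
    route at a higher metric that only takes over once the static one is withdrawn."""
    routes = [Route("0.0.0.0/0", "static-isp", "static", metric=10,
                    monitors=monitor_state, failure_condition=failure_condition),
              Route("0.0.0.0/0", "dhcp-isp", "static", metric=20)]
    return select_route(routes, "198.51.100.1").next_hop
```

The ISP scenario also shows why the failover answer insists on two monitored addresses with the failure condition set to "all": with one of the two targets unreachable the static route stays installed, whereas the same state under "any" would already have failed the Internet over to the DHCP link.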
This article is based on a discussion, How to Configure GRE over IPSEC?, posted by @ZhouYu. Read on to see the solution!
Some implementations require multicast traffic to be encapsulated before IPSec encrypts it. If this is a requirement for your environment and the GRE tunnel and IPSec tunnel share the same IP address, add GRE Encapsulation when you set up the IPSec tunnel.
PAN-OS TechDocs: https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/networking/gre-tunnels/gre-tunnel-overview.html
How do you configure GRE over IPSEC?
How to configure?
@v.vittih's Accepted Solution:
Hi all! Here is a working version of GRE over IPsec.
According to the official manual from Palo Alto Networks, there are 2 options for creating this bundle: the first is when the source and destination addresses are the same (as in my case), the second is when the source and destination addresses are different.
Let's start setting up:
Side A: PAN-OS 10.2
WAN: 10.10.2.50
LAN: 192.168.50.0/24
VTI IP: 10.200.200.1/30
Side B: Mikrotik RouterOS 7.6
WAN: 10.10.2.60
LAN: 192.168.10.0/24
GRE IP: 10.200.200.2/30
Let's start with Palo Alto:
- Create a tunnel interface (for example tunnel 1), add it to the default virtual router and assign the IP address 10.200.200.1/30 to it.
- Next, create the IKE Crypto and IPsec Crypto profiles with the settings that you need.
- Create the IKE Gateway (I use IKEv2 only mode), then specify Local IP Address 10.10.2.50/24 and Peer Address 10.10.2.60, specify the PSK, and specify Local Identification 10.10.2.50 and Peer Identification 10.10.2.60. Also do not forget to specify the IKE Crypto Profile on the Advanced Options tab.
Next, we proceed to configuring IPsec Tunnels:
- Select the previously created tunnel 1.
- Select the previously created IKE Gateway.
- Select Show Advanced Options and select Add GRE Encapsulation.
- Go to the Proxy IDs tab and add the IP addresses of our external interfaces: Local 10.10.2.50, Remote 10.10.2.60.
Don't forget to specify routes: Virtual Router -> Static Routes -> Add: Destination 192.168.10.0/24, Interface tunnel 1, Next Hop IP Address 10.200.200.2.
Moving on to Mikrotik: Interfaces -> GRE Tunnel
- Create a GRE tunnel: specify Local Address 10.10.2.60, specify Remote Address 10.10.2.50, OK.
- Next, add the IP address to the interface: IP -> Addresses, add 10.200.200.2/30, OK.
Moving on to creating IPsec: IP -> IPsec
- Creating a Profile: we specify the data we need.
- Creating Identities: specify the PSK, My ID Type Auto, Remote ID Type Auto.
- Creating Peers: specify Address 10.10.2.50 (IP address of party A), Local Address 10.10.2.60, specify the IKE profile, Exchange Mode IKE2.
- Creating a Proposal: we specify the data we need.
- Creating Policies: specify the Peer, select Tunnel, Src. Address 10.10.2.60, Dst. Address 10.10.2.50, Protocol 255 (all). On the Action tab, do not forget to specify the Proposal.
We specify the routes to the network we need (in my case it is 0.0.0.0/0 via 10.200.200.1 so that there is Internet access in the office via Palo Alto). Within the current example: 192.168.50.0/24 via 10.200.200.1. Profit.