Searching for the obvious can sometimes be hard. You simply might have overlooked something or you might have never needed it before. Things can become especially tricky when you have a security policy that's several hundreds of rules long.

This Nominated Discussion Article is based on the post "Given Tunnel Interface IP is wrong but still tunnel is up".

   

The Palo Alto NGFW is a really stable device but sometimes there is a need to restart a process as a workaround for a bug causing high CPU or Memory leakage. How can we automate this process? 

   

   

   

This article is based on a discussion, "How to implement BGP and eBGP on Palo ".  Read on to see @rkvsenthil's guidance on configuring BGP below.   Hi, I am migrating WatchGuard to Palo and there seems to be a lot more configuration options on the Palo.    WatchGuard configuration is below. What is the best way to configure this within Palo? Where is the option to set default-originate?   router bgp 64801 bgp router-id 169.254.3.3 timers bgp 4 12 neighbor 10.200.34.2 remote-as 64601 neighbor 10.200.34.3 remote-as 64601 neighbor 10.200.52.2 remote-as 64601 neighbor 10.200.52.3 remote-as 64601 neighbor 10.200.64.130 remote-as 64601 neighbor 10.200.64.131 remote-as 64601 neighbor 10.200.34.2 default-originate neighbor 10.200.34.3 default-originate neighbor 10.200.52.2 default-originate neighbor 10.200.52.3 default-originate neighbor 10.200.64.130 default-originate neighbor 10.200.64.131 default-originate neighbor 10.200.34.2 ebgp-multihop 4 neighbor 10.200.34.3 ebgp-multihop 4 neighbor 10.200.52.2 ebgp-multihop 4 neighbor 10.200.52.3 ebgp-multihop 4 neighbor 10.200.64.130 ebgp-multihop 4 neighbor 10.200.64.131 ebgp-multihop 4   BGP Config template:   For default-originate -- In GUI,, go to Network -- Virtual Router --  <VR name or default> --- BGP --- Redist Rule and  add a Redistribution rule for ip subnet 0.0.0.0/0 and enable "Allow Redistribute Default route" option ..   Also,, use the below config example as template. This should give you clues on how and where, you can change the timer settings and TTL value (ebgp-multihop), etc..   admin@PAFW1> configure set network virtual-router default protocol bgp enable yes set network virtual-router default protocol bgp routing-options graceful-restart enable yes set network virtual-router default protocol bgp peer-group stub_ebgp_peers type ebgp remove-private-as no set network virtual-router default protocol bgp peer-group stub_ebgp_peers type ebgp import-nexthop original set network virtual-router default protocol bgp peer-group stub_ebgp_peers type ebgp export-nexthop resolve set network virtual-router default protocol bgp peer-group stub_ebgp_peers peer upstream_R5 peer-address ip 10.0.18.2 set network virtual-router default protocol bgp peer-group stub_ebgp_peers peer upstream_R5 connection-options incoming-bgp-connection remote-port 0 set network virtual-router default protocol bgp peer-group stub_ebgp_peers peer upstream_R5 connection-options incoming-bgp-connection allow yes set network virtual-router default protocol bgp peer-group stub_ebgp_peers peer upstream_R5 connection-options outgoing-bgp-connection local-port 0 set network virtual-router default protocol bgp peer-group stub_ebgp_peers peer upstream_R5 connection-options outgoing-bgp-connection allow yes set network virtual-router default protocol bgp peer-group stub_ebgp_peers peer upstream_R5 connection-options multihop 0 set network virtual-router default protocol bgp peer-group stub_ebgp_peers peer upstream_R5 connection-options keep-alive-interval 30 set network virtual-router default protocol bgp peer-group stub_ebgp_peers peer upstream_R5 connection-options open-delay-time 0 set network virtual-router default protocol bgp peer-group stub_ebgp_peers peer upstream_R5 connection-options hold-time 90 set network virtual-router default protocol bgp peer-group stub_ebgp_peers peer upstream_R5 connection-options idle-hold-time 15 set network virtual-router default protocol bgp peer-group stub_ebgp_peers peer upstream_R5 connection-options min-route-adv-interval 30 set network virtual-router default protocol bgp peer-group stub_ebgp_peers peer upstream_R5 subsequent-address-family-identifier unicast yes set network virtual-router default protocol bgp peer-group stub_ebgp_peers peer upstream_R5 subsequent-address-family-identifier multicast no set network virtual-router default protocol bgp peer-group stub_ebgp_peers peer upstream_R5 local-address ip 10.0.18.1/30 set network virtual-router default protocol bgp peer-group stub_ebgp_peers peer upstream_R5 local-address interface ethernet1/1 set network virtual-router default protocol bgp peer-group stub_ebgp_peers peer upstream_R5 bfd profile Inherit-vr-global-setting set network virtual-router default protocol bgp peer-group stub_ebgp_peers peer upstream_R5 max-prefixes 5000 set network virtual-router default protocol bgp peer-group stub_ebgp_peers peer upstream_R5 enable yes set network virtual-router default protocol bgp peer-group stub_ebgp_peers peer upstream_R5 peer-as 64513 set network virtual-router default protocol bgp peer-group stub_ebgp_peers peer upstream_R5 enable-mp-bgp no set network virtual-router default protocol bgp peer-group stub_ebgp_peers peer upstream_R5 address-family-identifier ipv4 set network virtual-router default protocol bgp peer-group stub_ebgp_peers peer upstream_R5 enable-sender-side-loop-detection no set network virtual-router default protocol bgp peer-group stub_ebgp_peers peer upstream_R5 reflector-client non-client set network virtual-router default protocol bgp peer-group stub_ebgp_peers peer upstream_R5 peering-type unspecified set network virtual-router default protocol bgp peer-group stub_ebgp_peers peer inside_core_2 peer-address ip 100.100.100.1 set network virtual-router default protocol bgp peer-group stub_ebgp_peers peer inside_core_2 connection-options incoming-bgp-connection remote-port 0 set network virtual-router default protocol bgp peer-group stub_ebgp_peers peer inside_core_2 connection-options incoming-bgp-connection allow yes set network virtual-router default protocol bgp peer-group stub_ebgp_peers peer inside_core_2 connection-options outgoing-bgp-connection local-port 0 set network virtual-router default protocol bgp peer-group stub_ebgp_peers peer inside_core_2 connection-options outgoing-bgp-connection allow yes set network virtual-router default protocol bgp peer-group stub_ebgp_peers peer inside_core_2 connection-options multihop 4 set network virtual-router default protocol bgp peer-group stub_ebgp_peers peer inside_core_2 connection-options keep-alive-interval 30 set network virtual-router default protocol bgp peer-group stub_ebgp_peers peer inside_core_2 connection-options open-delay-time 0 set network virtual-router default protocol bgp peer-group stub_ebgp_peers peer inside_core_2 connection-options hold-time 90 set network virtual-router default protocol bgp peer-group stub_ebgp_peers peer inside_core_2 connection-options idle-hold-time 15 set network virtual-router default protocol bgp peer-group stub_ebgp_peers peer inside_core_2 connection-options min-route-adv-interval 30 set network virtual-router default protocol bgp peer-group stub_ebgp_peers peer inside_core_2 subsequent-address-family-identifier unicast yes set network virtual-router default protocol bgp peer-group stub_ebgp_peers peer inside_core_2 subsequent-address-family-identifier multicast no set network virtual-router default protocol bgp peer-group stub_ebgp_peers peer inside_core_2 local-address ip 192.168.102.2/30 set network virtual-router default protocol bgp peer-group stub_ebgp_peers peer inside_core_2 local-address interface ethernet1/2 set network virtual-router default protocol bgp peer-group stub_ebgp_peers peer inside_core_2 bfd profile Inherit-vr-global-setting set network virtual-router default protocol bgp peer-group stub_ebgp_peers peer inside_core_2 max-prefixes 5000 set network virtual-router default protocol bgp peer-group stub_ebgp_peers peer inside_core_2 enable yes set network virtual-router default protocol bgp peer-group stub_ebgp_peers peer inside_core_2 peer-as 64512 set network virtual-router default protocol bgp peer-group stub_ebgp_peers peer inside_core_2 enable-mp-bgp no set network virtual-router default protocol bgp peer-group stub_ebgp_peers peer inside_core_2 address-family-identifier ipv4 set network virtual-router default protocol bgp peer-group stub_ebgp_peers peer inside_core_2 enable-sender-side-loop-detection no set network virtual-router default protocol bgp peer-group stub_ebgp_peers peer inside_core_2 reflector-client non-client set network virtual-router default protocol bgp peer-group stub_ebgp_peers peer inside_core_2 peering-type bilateral set network virtual-router default protocol bgp peer-group stub_ebgp_peers aggregated-confed-as-path yes set network virtual-router default protocol bgp peer-group stub_ebgp_peers soft-reset-with-stored-info yes set network virtual-router default protocol bgp peer-group stub_ebgp_peers enable yes set network virtual-router default protocol bgp reject-default-route no set network virtual-router default protocol bgp allow-redist-default-route yes set network virtual-router default protocol bgp router-id 192.168.102.2 set network virtual-router default protocol bgp local-as 65535 set network virtual-router default protocol bgp redist-rules 0.0.0.0/0 address-family-identifier ipv4 set network virtual-router default protocol bgp redist-rules 0.0.0.0/0 enable yes set network virtual-router default protocol bgp redist-rules 0.0.0.0/0 set-origin incomplete set network virtual-router default protocol bgp policy export rules default-route-only action allow update as-path none set network virtual-router default protocol bgp policy export rules default-route-only action allow update origin incomplete set network virtual-router default protocol bgp policy export rules default-route-only action allow update community none set network virtual-router default protocol bgp policy export rules default-route-only action allow update extended-community none set network virtual-router default protocol bgp policy export rules default-route-only match address-prefix 0.0.0.0/0 exact no set network virtual-router default protocol bgp policy export rules default-route-only match route-table unicast set network virtual-router default protocol bgp policy export rules default-route-only used-by stub_ebgp_peers set network virtual-router default protocol bgp policy export rules default-route-only enable yes [edit] admin@PAFW1# commit Commit job 6 is in progress. Use Ctrl+C to return to command prompt ..........100% Configuration committed successfully [edit] admin@PAFW1# run show routing protocol bgp rib-out VIRTUAL ROUTER: default (id 1) ========== Prefix Nexthop Peer Originator Adv Status Aggr Status AS-Path 0.0.0.0/0 10.0.18.1 upstream_R5 0.0.0.0 advertised no aggregation 65535 192.168.100.0/30 10.0.18.1 upstream_R5 0.0.0.0 advertised no aggregation 65535,64512 192.168.101.0/30 10.0.18.1 upstream_R5 0.0.0.0 advertised no aggregation 65535,64512 0.0.0.0/0 192.168.102.2 inside_core_2 0.0.0.0 advertised no aggregation 65535 5.5.5.5/32 192.168.102.2 inside_core_2 0.0.0.0 advertised no aggregation 65535,64513 total routes shown: 5 [edit] admin@PAFW1# set network virtual-router default protocol bgp policy export rules default-route-only match address-prefix 0.0.0.0/0 exact yes [edit] admin@PAFW1# commit Commit job 6 is in progress. Use Ctrl+C to return to command prompt ..........100% Configuration committed successfully [edit] admin@PAFW1# run show routing protocol bgp rib-out VIRTUAL ROUTER: default (id 1) ========== Prefix Nexthop Peer Originator Adv Status Aggr Status AS-Path 0.0.0.0/0 10.0.18.1 upstream_R5 0.0.0.0 advertised no aggregation 65535 0.0.0.0/0 192.168.102.2 inside_core_2 0.0.0.0 advertised no aggregation 65535 total routes shown: 2       If you need the BGP learned best routes to be installed in the routing table, add this from CLI.   [edit] admin@PAFW1# set network virtual-router default protocol bgp install-route yes [edit] admin@PAFW1#commit [edit] admin@PAFW1# run show routing route type bgp    

   

This article is based on a discussion, Security Profiles - URL Filtering - Update Multiple Categories within all Profiles.      Read on to see how  @PingMyServer   was able to accomplish this from the CLI.   Hello all, I'm looking for some suggestions, or information on how I can quickly update all security profiles, with 3 select objects at once. In total, our Panorama has 129 profiles, so I would need to login to all 129 profiles, and update 3 categories in them to block.   By way of the gui, I think the only way would be able to edit 1 profile at a time, and search all 3 categories, and update them accordingly. Can anyone suggest any easier way to maybe resolve this? Solution for Update Multiple Categories Within All Security Profiles With the CLI:   After doing further research, I found through the CLI you can do this fairly easy. Using the following commands. You can pull your profile names from the command "set device-group GROUP1 profiles" and pressing tab. It takes a little work, but with excel you can get all the commands you need fairly quickly   set device-group GROUP1 profiles url-filtering PROFILE_NAME block ransomware set device-group GROUP1 profiles url-filtering PROFILE_NAME block encrypted-dns set device-group GROUP1 profiles url-filtering PROFILE_NAME block real-time-detection  

   

This article is based on a discussion, Prioritizing a BGP route over other BGP routes for IPSec tunnel traffic redirection, posted by  @tamilvanan . Read on to see the guidance from our Cyber Elite @aleksandar.astardzhiev!   Hi All,   We have a physical Firewall on-premise. We have Three ISP and a single virtual router with ECMP enabled(Balanced Round Robin) in it.   Recently, we had configured Two pairs of IPsec tunnels(Pair one -Tunnel 1 and Tunnel2// Pair 2 - tunnel 3 and tunnel 4) to communicate to AWS Peer(Only one Subnet on AWS 10.x.x.x/24) using the BGP Method for successful failover.   ISP 1 -->Tunnel 1, Tunnel 2 ISP 2-->Tunnel 3 and Tunnel 4   As we had already enabled the ECMP Balanced round robin method the traffic is currently passing through tunnel 2 and tunnel 4   Now, we need the traffic to pass through only tunnel 1 and the traffic should pass through other tunnels only if the tunnel 1 fails. All the tunnels are configured under BGP.   Thanks in advance!   My guess is do we have some metrics mechanism which will influence the Tunnel through which the traffic will be egressed.   BGP Routing Question IPSec Tunnel Creation BGP Peer Configuration      Solution:   I don't understand what ECMP have to do in this question... I understand you use ECMP for Internet access (your default route), but on top of that we are talking about IPsec tunnels, so the routing to AWS private range as nothing to do with the ECMP (as long as you have any tunnel up 🙂 ). So I will abstract from this.   Now I understand that you are receiving the AWS prefix via BGP from all four tunnels. So all you have to do is to create import policy under the BGP. As I said with BGP you have lots of options to controll what you receive, how you receive it and what you advertise, probably the straight forward would be: - Create one import policy for BGP peer over tunnel1 - Since you receive only one prefix, you can leave "match" tab as it is (meaning match any route received from that peer - On "action" tab put 100 as local preference (for example)   - Create one more import below the previous one for BGP peer over tunnel2, 3 and 4 - Leave match tab as it is - On "action" tab put 200 for local preference   This way your firewall will receive same prefix over all four tunnel, but it will prefer the route over tunnel1. If this tunnel fails, BGP peering will also fail and fw will stop receiving the prefix from tunnel1, so it will switch to the other tunnels.   Now depending what you actually try to accomplish you may want to split the second import policy and have four different policy for each bgp peer with different local pref for each.

   

  This article is based on a discussion,  Tracing external IPs back to internal IPs at a specific moment in time...,  posted by @Tom_Access .  Read on to see the solution and collaboration from  Cyber Elite @OtakarKlier & @Adrian_Jensen!   In the course of tracking down security vulnerabilities, I find myself trying to trace External IPs (from external security scan reports) back to Internal IPs at a specific moment in time (the timestamp from the scan report). Most of the time, it's very simple, as many internal IPs are NAT'd 1-to-1 to external IPs. Those tend to stay static. But there are also large groups of PAT'd addresses, such as whole ranges of internal IPs (like guest WiFi network DHCP pools) that go out a single external IP.   I'm really struggling with how to track these devices down. I can rarely even find a matching internal IP for that timestamp.   Is there a specific NAT/PAT log I can reference? Or a tool for this that I'm missing? I've been trying to use the traffic logs, but that's not always fruitful and it is tedious.   Any suggestions? I'm using a Palo Alto PA-5250 running PanOS 10.2.0.   Thanks in advance, Tom Solution:   First thing is to make sure you have logging at session end enabled on all of your security policies. Then you go into the Unified log and filter on source IP of the attacker. This should show all the traffic from that IP address. Then click on the paper/magnifying glass icon on the far left of the log.   This will bring up all the session details and will show you the NAT'd IP.      In addition the Monitor -> Logs -> Traffic viewer has many additional fields which can be selected/filtered upon by selecting the down arrow in the column name header and selecting additional fields. (Note: You can also reorder columns by dragging them to either side.)   Two additional columns that are not shown by default are "NAT Source IP" and "NAT Dest IP" (as well as NAT Source/Dest Port), which show the NAT'd IP results. You can filter you traffic on these fields as well. So, for instance, if you external security report complains about an exploit attempt from your public IP to an internet IP:   2022-07-08 12:35 - 1.2.3.4:53219 -> 5.6.7.8:443   You can find all the matching outbound traffic logs with a Traffic log filter like: ( natsrc eq 1.2.3.4 ) and ( natsport eq 53219 ) and ( addr.dst in 5.6.7.8 ) and (port.dst eq 443)   You can further add time filters to narrow down a window, though be aware that while log receive time appears to be a log database index, session start time is not. So queries using start time may take much longer/time out when searching (you can work around this by also using a wide receive time filter to pre-narrow the results subsequently filtered by the start time filter). ... and (receive_time geq '2022/07/08 12:30) and (receive_time leq '2022/07/08 12:50) and (start_time geq '2022/07/08 12:30)

This article is based on a discussion,  Issue that specific policy traffic logs fail to forward to syslog server and drop from firewall,  posted by  @JoHyeonJae.  Read on to see the discussion and guidance from  @PavelK!   Hello, PAN-OS : 9.1.6 Currently, my customer is facing Issues where logs generated (TO_DNS policy) from a specific policy of more than 10,000 LPS are dropped without being forwarded to the syslog server.   The Traffic Log of the firewall is verifiable, but the Forwarding Stats Syslog Drop Count is constantly increasing, debug log-receiver statistics have been confirmed, and less than 1,000 Total LPS appear in addition to this policy. There is no logs for that policy on the syslog server because it is dropped without being forwarded by the firewall. The Log Setting/Log Forwarding Profile in the policy settings is set normally, so it seems to be no problem with the settings. I will let you know, if you guys need additional info. The Device Log Forwarding Limit of PA-3260 is written in 24,000/LPS as shown in the document below, so I wonder why it is dropped.   Thanks,   Hello @JoHyeonJae   your customer might be hitting an issue PAN-185616 addressed in 9.1.14:     Kind Regards Pavel

   

This Nominated Discussion Article is based on the post " Change forward decrypt trust cert to a new one " by @djon  and answered by @emr_1. Read on to see the discussion and solution!   I have forward ssl decrypt running and I want to change the cert I use. Can only have one forward trust cert at a time. If I deselect forward trust box I get commit error because my ssl decrypt policies don't have a forward trust cert. I can't select forward trust on the new cert until the old cert has forward trust deselected. So now what do I do?    You don't need to "deselect and commit".   Just change the certificate and commit will work (at least worked on my lab / pan-os 10.1.6-h6)   Also make sure to have a private key for it. Following two screenshots show what happens if you did not import private key (you won't be able to select Forward Trust Cert option):     tags: certificates, SSL Forward Proxy, Management, Management & Administration, NGFW, certificate management