About Abdul_Razaq

Abdul_Razaq · ‎07-02-2019

Hi @karthikeyanB , You can configure 2 VPN tunnels with each of remote side ISP connecting IP as remote peer. Configure tunnel monitor on primary one then configure two routes to remote LAN through each of the VPN tunnel with lower metric on primary. Configure proper security policy for both the connections. So if primary VPN is down, as the tunnel monitor is configured, the route to remote LANwill be removed and new route with higher metric will be in action which will make the secondary tunnel UP.

Abdul_Razaq · ‎06-27-2019

@Tarczynski-SA , You need to configure tunnel monitor on main tunnel. Destination IP can be any pingable IP reachable through tunnel(IP at cisco side). Please note that the source of this monitor ping will be tunnel IP, make sure this communication is added in proxy ID ( 172.16.30.1 to destination) . Monitor profile should be 'fail-over'. Follow this document for tunnel monitor configuration, https://docs.paloaltonetworks.com/pan-os/8-0/pan-os-admin/vpns/set-up-site-to-site-vpn/set-up-tunnel-monitoring/define-a-tunnel-monitoring-profile.html#

Abdul_Razaq · ‎06-27-2019

@ROSSIGNOL Make sure you are putting only IP as portal ( dont include https://....).

Abdul_Razaq · ‎06-27-2019

@Tarczynski-SA , you can create a secondary tunnel and add route of remote LAN with higher metric through that tunnel. you need to have tunnel monitoring enabled in primary to remove the primary static route from the routing table, so once the primary tunnel is down, the route willl be trough secondary tunnel, and the tunnel will come up.

Abdul_Razaq · ‎05-06-2019

Hi @chuckles , For remote vpn for mac and windows without using HIP profile, you need not have a licence purchased. but if you want to connect mobile devices or need to use hip profiles, you need licence. For your info, https://docs.paloaltonetworks.com/globalprotect/8-0/globalprotect-admin/globalprotect-overview/about-globalprotect-licenses

Abdul_Razaq · ‎05-06-2019

Hi @chuckles , Hope the below KB helps, https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClcPCAS

Abdul_Razaq · ‎05-06-2019

Hi @mike406 , As @BPry mentioned, the way firewalls will identify the base URL is by examinig the servername field in client hello. if your communication is through ssl, the communication will be encrypted after ssl handshake, so the GET messages afterwards will be encrypted, you wont ba able to see it unless you have decryption configured.

Abdul_Razaq · ‎05-05-2019

Hi Community, Hope somebody can address my below query. I am able to see the Release date of App&threat version 8146-5421 as 2019-04-25 UTC in both threat vault and support portal( is it actually UTC time??, i am seeing 1-day gap here !), But my firewall have the details pf release date as 2019-04-26 07:24:00 GST (2019-04-26 in UTC aswell). I understand that PA didnt mention the release time along with date and there is timezone difference as well. But still, is there a gap between first release and making the content available for download ? in firewall In Threatvault

Abdul_Razaq · ‎05-01-2019

Hi @MickBall , Thanks for the information. I have tested different scenarios in my LAB and found the following, with plaintext ldap, failover is happening with configured timeout. With LDAPS (over port 636), failover is working fine - here PA will by default try with SSL With SSL/TLS over any other port, firewall is trying with TLS by default and wait for timeout then try with SSL - which may be the cause the higher timeout. In a nutshell, plantect and ssl connection is having the timeout configured, but if PA start with TLS, it causes higher timeout and GP auth fails. Not sure why TLS connectivity does wait for the default timeout.

Abdul_Razaq · ‎04-29-2019

Hi @MickBall Thanks for the response, i was following the below kb, which says about the failover. i was having the similar problem and timer values were default in mine also. i configured retry inteval high just to avoid retying to the same server frequently. https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClXnCA In my case i am able to failover successfully when i disable ssl in LDAP server profile ( using gp application or by test authentication command in cli), i am able to see that PA tries to authenticate the user with second server after configured bind interval. But the moment i enable 'ssl/tls required' option in LDAP server profile, the timeout is increased, and it tooks around 30s to failover to next ldap server and authentication succeed in cli. but definitly it will cause auth timeout for GP users. i am checking for a solution with enabling ssl/tls connectivity to ldap along with lesser failover time as normal plaintext connection. not even sure if it is a protocol limitation. regarding gp timeout, i have seen below PA document ------------- Portal Connection Timeout (sec) —The number of seconds (between 1 and 600) before a connection request to the portal times out due to no response from the portal. When your firewall is running Applications and Threats content versions earlier than 777-4484, the default is 30. Starting with content version 777-4484, the default is 5 ------------- i even doesnt check if it is configurable, i even dont prefer to change it.

Abdul_Razaq · ‎04-28-2019

Hi Community, I have 2 Domain controllers serving user information. I have configured these 2 under same LDAP server profile. I am using this profile in authentication profile for GP. I configured 4s each for search and bind timeout under LDAP server profile. I need the user should be authenticated with second server when first one is down(it is the default behavior) It works fine when the LDAP connection is via plain text(didn't check SSL/TLS box under LDAP server profile). But when SSL/TLS is enabled, it takes toomuch time for authentication timeout to first server, by that time GP authentication timeout, and users are not able to authenticate. I don't prefer increasing timeout for GP authentication. Please advice if there is a way to enable TLS/SSL along with smaller timeout , so that users will he authenticated with second server.

Abdul_Razaq · ‎04-23-2019

Thanks @reaper , The update was happened 3 weeks ago, but still the last week report showing as 7 day report from x Aug 2015 to y Aug 2015(example date but year is 2015, for which Palo Alto won't be having any data in logs, which may be reason for blank report). Not sure why there is a huge shift in report period even though the data plane and mp clocked are synched to actual time.

Abdul_Razaq · ‎04-22-2019

Hi Community, I have a weekly scheduled report for saas usage (pre defined in PA) to an email running on my PA-3060, it was working fine. i upgraded the box to 8.1.7 recently, now i am noticing that the report period my report is for one week in 2015, and there is no data in report. But when i run the report using run now, i have detals and the report period also correct. Have anybody faced this situation?. am i missing some configuration, or it is a bug. both dataplan and management plane clocks are synched and showing current time.

Abdul_Razaq · ‎04-03-2019

Hi @simsim , I feel there is a communication gap. hope you need to explain the requirment bit detail. If you are using different ip segment in both locations, you can have ipsec between two sites, and route the segments through tunnel in both firewall and have a proper security policy. As vlan is just local to local network, you have L3 connectivity between two locations(and as per commends, you are using diffrent ip segments in both locations), need not to bother about vlan much. But if you need a L2 extension like psuedowire ( L2VPN), i dont thing PA is having it now.

Abdul_Razaq · ‎03-31-2019

Hi @simsim , Are you refferring to L2 extention and will be using same network on both ends?( you are expecting a solution like psuedowire ?)

Abdul_Razaq · ‎03-26-2019

Hi @vsys_remo , I have couple of confusions here, could you please help. Which database firewall will check for these URLs in email ?. is it PAN-DB ?. if yes, hope i need PAN-DB licence to have link analysis work properly. So as you mentioned, when one url previously identified as malicious is available in another mail to differenr reciever, the mail will be blocked?.

Abdul_Razaq · ‎03-24-2019

@reaper , @BPry @OtakarKlier , guys pleas advice if you have any inputs

Abdul_Razaq · ‎03-24-2019

Hi Community, I am running PA local user-id agent in PAN os 8.1.3 i am facing an issue that my server monitoring is shows as 'not-connected', i am able to test the authentication and proper service account is configured. it was working fine for long time and hope ther was some windows patch in AD server recently. when i capture in AD server, i am able to see communocation between firewall and server, when firewall queries for tree, windows server is replying the LDAP tree as well. i am not sure how PA reads the security log and get IP-USER mapping, so not able to check the same. in PA user-id logs, i am able to see the following error, <var/log/pan/useridd.log> 2019-03-24 17:47:52.517 +0400 Error: pan_user_id_win_log_query(pan_user_id_win.c:1364): log query for EOHODC01 failed: NTSTATUS: NT code 0xc002001b - NT code 0xc002001b <var/log/pan/useridd.log> <var/log/pan/useridd.log> 2019-03-24 17:47:52.517 +0400 Error: pan_user_id_win_get_error_status(pan_user_id_win.c:1055): WMIC message from server EOHODC01: NTSTATUS: NT code 0xc002001b - NT code 0xc002001b Does anybody knows what is this error is ?.

Abdul_Razaq · ‎03-20-2019

web-browsing standard port is tcp/80, your traffic is to tcp/8080 . And your policy will be to allow web-browsing only on standard ports, so it wont match to policy. You need to allow web-browsing over tcp/8080 in security policy.

Abdul_Razaq · ‎03-19-2019

Hi @DPWorld , As you have moved from 6 to 8, there are changes to default actions in PA, Check whether you are hitting the below policy behaviour change, https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClFtCAK

Abdul_Razaq · ‎03-17-2019

Hi Community Not sure whether it is a bug or behaviuor of SIP(ALG enabled) or there is too much sessions between sip servers, I fond out that my NAT buffer usage for that particular rule was so high. eventhough i didnt have any active sip/rtp sessions, my NAT buffer was used much. feels like it caused some packet didnt get NATed. Post clearing stale NAT buffers, cleared all sip connection and after long time (may be the sip timeout in sip servers is high), things started working Anybody faced these kind of behaviour ?. reed to verify the root cause as the issue may return soon. @reaper @OtakarKlier your inputs are much appretiated.

Abdul_Razaq · ‎03-14-2019

Hi community, I have seen lot of Palo Alto documents and some blogs saying about ALG functionality issue in firewall. I am facing some issues randomly with ALG functionality in firewall, I have seen documents says to disable ALG in PA, but my sip server/client is not aware of NAT, and I don't have any STUN servers. Does any body faced this kind of problems in Palo Alto and how they fixed it, does it have a solution without application override and disabling ALG ?. I have proper security and NAT policy in place and the setup was working for a while

Abdul_Razaq · ‎03-06-2019

Thanks@reaper , I have seen below KB as well, https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClXoCAK So it looks like the cache is timed out but not removed.

Abdul_Razaq · ‎02-28-2019

Hi @DerarAbubaker , Are you trying to allow any subdomains?. (eg. www.xyz.com/abc) ?) For this granularity, you need to have decryption.

Abdul_Razaq · ‎02-28-2019

Hi @DerarAbubaker , do you have the same URLs configured in different custom URL catogaries, if so, please not that block have more preference than alert. Please check if below document helps, https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClsmCAC Please note that whatever url catogary you directly add to policy is a matching condition, it may not address your requirment

Abdul_Razaq · ‎02-27-2019

Hi @reaper , In my case, the licence is expired, so after the 1800 seconds, it cannot have a new request to cloud and get updates,so it will expire soon right?. for example, if i put test facebook.com, it gives me following output. facebook.com social-networking (Base db) expires in 0 seconds facebook.com cloud-unavailable (Cloud db) And i feel PA if not considering this cache, even if had a profile to block social networking catogary, it bypasses. So does that mean that 'expires in 0 seconds' indicates it expired already and it is stale, but it is not removed ? Thanks in advance

Abdul_Razaq · ‎02-27-2019

Hi @reaper Usually how long PA will use url category cache?. I hope even after cache timeout happens, it won't be removed from db. When I do test url, I am able to see category, but it shows cache expires in 0 seconds. Does it means cache is timed out, and PA won't be using this category information ?

Abdul_Razaq · ‎02-26-2019

Hi Community, What happens if URL and Threat licence expire in paloalto?. From PA kb ( https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CloiCAC ) , i am able to understand that the cache will be used until it expires, but what is the cache timeout duration for URl and threat ?. I am able to see the local db category information of particular URL, but in traffic log, it shows as licence-expired. Does this mean PA is no longer uses this catogary information and cache is already timed out?

Abdul_Razaq · ‎02-26-2019

Hi @SThatipelly , FYI https://live.paloaltonetworks.com/t5/Customer-Advisories/Action-required-if-you-have-enabled-SSL-decryption-forward-proxy/ta-p/236596

Abdul_Razaq · ‎02-26-2019

Hi @Jan_Linhart , PA is doing proxy for DH/ECDH key exchange now also. so if you have a PanOS version supports TLS 1.3, things should work i feel. Do you have a trustable source which says 'Pan OS wont support decryption for TLS 1.3' ?.

Date Registered	‎11-06-2018 12:48 AM
Date Last Visited	yesterday
Total Messages Posted	91
Total Likes Received	16

Online Status	Offline
Date Last Visited	yesterday

Strata

Prisma

Cortex

About Abdul_Razaq