About Abdul_Razaq

Hi Team,   I am facing an intermittent issue as follows. - I have a policy based on the username in domain\username format (Domain in NetBIOS name). I can see sometimes user traffic is not hitting this policy, but the traffic log shows with the correct username (domain\username - hope this eliminates the chance of domain normalization issue). -As the username in the traffic log is exactly matching, not sure why the traffic was not hitting the policy. -There is no configuration change, I can see the traffic occasionally miss hitting the policy. -I am running PanOs 9.1.5 in 3060 with windows based UserID agent.   Thanks!.   ... View more

Hi Team,   After installing cortex XDR, I can see C:\ProgramData\Cyvera\Prevention folder is getting filled up fast in one of the servers. There are a lot of activities on this server and Traps is catching some malicious activities often. This will definitely create logs, but i have below queries if anybody can help. is there any way to restrict the disk usage ?. Will the disk usage pile up if there is no cloud connectivity or wildfire access ?. Will it be deleted once the data is presented to Cortex? Is it recommended to have disk restriction by agent settings profile ?. I am having XDR 7.2 agent   Thanks in advance. ... View more

 Hi Community,   As per the document https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CleBCAS describes, The IP-User mapping in firewall should be updated with the user used to RDP once a successful RDP is done. But I cannot see this behaviour in my environment, the username mapped with my PC is still the username I used to log in the device. I can see the RDP credential validation audit logs in Domain controller security event logs ( So hopes it is getting logged). Anybody noticed this behaviour? any idea on if anything needs to be enabled in Domain controller for this to work?   Thanks in advance. ... View more

Hi Community,   I have a requirement to add multiple client certificate into Linux GP config. Usually, whe we put 'globalprotect import-certificate --location <cert_location>', the existing client cert will be overridden with the new one and it will be imported as pan_client_cert.pfx under  /opt/paloaltonetworks/globalprotect .. Is there a way to keep both instead of override, so that i can use different client certificates while connecting to different portals. In windows, as it is taking from windows personal store, it will be discrete and we wont face this issue.   Anybody have any idea to achieve this ?.. or can we combine different .p12 files to single .pfx ?,  I am looking for some options other than adding both CAs in certificate profile   Thanks in advance!   ... View more

Hi Community,   Can anybody suggest on the minimum privileges a service account for LDAP (Settings -> Multi ESM -> DMZ AD configuration under ESM server) should have for using AD objects in ESM policy. The ESM core is not part of the domain. Having server operator privilege works fine, but i need to make the service account with very minimal permissions, preferably a read-only.   Thanks in advance. ... View more

Hi Community,   I am facing a strange issue that i cannot see the malicious domains showed in SLR report (under DNS security section) in my firewall threat logs. i can see DNS queries trying to resolve some other domains. But the interesting thing is, once i try to create SLR using same dumb file but selecting another country while generating the SLR in portal, i can see another malicious domain access and this domain is available in threat logs. I am wondering why different info just by selecting different countries while generating. Other informations are same.   Also is malware family is something SLR auto populates by considering the malware family these domains mostly use ?. Because the malware family info cannot be seen in threat logs ... View more

Hi Community,   Does the wildfire test file generate a alert/incident which can be seen XRD console ? I have a XDR agent connected to cloud. The wildfire test sample in prevented and i can see it in events of XDR agent. I cannot see this in XDR console neither in incident nor alert table. Does this expected behaviour ?. Also i noticed that one of the prevention (not the test file but other .exe) is also not visible in portal. I hope each security events in agent should create at least one alert in console.   Thanks in advance. ... View more

Hi Community,   I can see my firewall is sending DNS requests ( request for A record) to resolve some of internal hostnames. I dont have GP/detect internal host configured I dont have FQDN objects with these hostnames I have exported and checked entire config, the firewall is not having this hostname in the configuration It is requesting for A record ( so 'resolve hostname' is not causing it. Dont have DNS proxy configured in firewall This are internal hostnames, not malicious, which rule out DNS queries because of HTTP/TLS evasion This looks like firewall is trying to resolve in real time. I understands that firewall will be using DNS for  reporting, management services (such as email, Kerberos, SNMP, syslog) as per document. But not sure because of which of this reason firewall is trying to resolve these internal hostnames. It would be helpful if anybody can answer this.   Thanks in advance !  ... View more