About ahandoo

Hi @Thomasevig    There is a lot of work associated with blocking/allowing URLs, not only for this but for a wide variety of scenarios. It can be tricky sometimes. My lab experience using the URL Filtering profiles allowed me to block Whatsapp upload of images & videos while allowing the messages to be sent. I am sharing it if it can help. Created a URL Category including  mmg.whatsapp.net/ *.cdn.whatsapp.net Created a URL filtering profile and set the above created URL category to block. Added the URL filtering profile to the rule which matches the Whatsapp traffic.     Note: In order to get the list of the URLs to block, I took a packet capture on the host which was running the Whatsapp application or the Whatsapp web.   Regards, Arnesh ... View more

Hi Thomas, SNI is the Server Name Identification field present in the Client Hello of SSL/TLS Handshake. It allows the client to indicate the hostname which it is trying to connect. For more information , you can refer to this link. You will have to take network trace or packet capture to know this information. We can find multiple videos on youtube on how to find the SNI from a packet capture. You can check this video. Regards, ... View more

Hi Thomas, On the firewall, the application description says, WhatsApp has integrated the TextSecure encryption protocol, which enforces certificate pinning to its most recent update. Due to this we can longer decrypt this application, and it will be added to the SSL exclude list. Policies enforcing "whatsapp-base" will continue to function normally, but policies using "whatsapp-file-transfer" can no longer be enforced.     Unfortunately firewall cannot see what is sent by the client in an encrypted packet (chat/upload, etc). Furthermore, the application does not like to get decrypted as it uses end-to-end encryption. This means that even if we do SSL inspection we won’t be able to see the content of a message.  Although you can block the URLs to which the traffic is traversing provided we have the SNI information, however from my personal experience, these URLs keeps changing from time to time.     Regards   ... View more

Hi @Netzer , @CKobelsky    Ideally, the device should update the ssh key in the known-hosts file after following the article. It is interesting to know that the CLI test work fine but the schedule for config export. As it does not work, then the TAC may access the known-hosts file to check if there are any issue or if this is any Bug. Have you tried reaching out to the TAC regarding this?   Regards, ... View more

Hi @Netzer    You can follow this Knowledgebase Article which can be of help.   Regards, Arnesh   ... View more

Hi @Damiano  May I know what is the Authentication which you are using like LDAP, SAML, Radius or any other method? Can you check how is the firewall creating the IP-to-User mapping while having the 'user/user group' set as 'Any'? ---->run the following command after user is connected 'show user ip-user-mapping all type GP' The way you have added the user is called as 'sAMAccountName'. However, the mapping can be also learned in different ways such as UPN format (udername@domain.com) or simply just the username. If the mapping is learned in a different format we can try checking the below document. https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000boHMCAY ... View more

Hi @AdamHP   To be double sure that the firewall is the one sending the RST and not any intermediate device, I would take a simultaneous packet capture on Firewall and Panorama. An alternate way would be to compare the TTL value (in the IP Header) of the RST with the SYN packet (if both are sent from the same host, TTL will be the same).   Regards ... View more

Hi @BipinK  The error ideally refers to that there is something wrong with the certificate which is received, for example, the FQDN/IP which GlobalProtect is connecting is not reflecting under the SAN/Common Name, expired certificate etc. Would mind taking a packet capture to check what certificate is offered in the SSL handshake? Has the different ISP test been tried from the same machine? Just for a sanity check, have you confirmed that there is no decryption taking place between the client and the GP Portal? ... View more

Hi @Ben-Price, I am not sure about any document provided to the ASCs surrounding this, however, ASCs normally go through the EDU-220 (Basic config related) and EDU-330 (Advance t-shoot; Intructor-led) training which would help them build their understanding for troubleshooting. EDU-330: The Palo Alto Networks Firewall 10.1: Troubleshooting https://www.youtube.com/watch?v=cQy-09bg2IA ... View more

Hi @Ben-Price  Most hardware firewalls consist of a management plane and one or multiple dataplanes. Smaller platforms and VM-Series firewalls only have a management plane that runs the dataplane processes. Some larger platforms have an additional control plane, and Panorama does not have a dataplane. The below article may be of help to illustrate which daemons are responsible for which processes and corresponding daemon logs can be looked at. https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PLUeCAO For smaller platform firewall and VM-series, daemon/process logs (both MP and DP) can be found in /var/log/pan directory. For larger platforms (having separate DP and MP) MP logs can be found in /var/log/pan directory and DP logs in /opt directory. ... View more