About kbe

Have you senn this topic discussing the same problem: https://live.paloaltonetworks.com/t5/general-topics/sectigo-ca-chain-decryption-issues/m-p/330802#M83832https://live.paloaltonetworks.com/t5/general-topics/sectigo-ca-chain-decryption-issues/m-p/330802#M83832   cu ... View more

Same problem here. Right now i only saw 1 site not working, but i guess more will follow. I also set up a new decrypt policy with a new decrypt profile allowing expired certs and put custom url list in place as a workaround.   ... View more

Thanks for the info. Seems my subsription went away. I was subsribed for status information but did not recieve them. Subscribed again and will monitor the updates further. The errors reduced to a minimum during today. Only 2 errors. Lets see if it falls back to normal behaviour. 😉   cu ... View more

@loveground Scott, would be cool if you open a case and let us now if there is something new.   TIA ... View more

Hi   checked URL Filter. Was not enabled on the rule for PA Updates. Turned it on now with action alert to get some URL logs. Not better now. Sometimes it works but still a lot errors.   The errors showed up in the last month. But only some. Now i had them every 5 mins. Since yesterday it´s a bit better and manual search also worked which did not before when i posted my request.   So it seems the problem is not on my or your site but on palo or their download storage (google cloudstorage?)  Thanks so far for all your replies. Lets see if it gets better soon.     ... View more

Seems to be fixed. The cert for eu.wildfire.paloaltonetworks.com is now the same like for wildfire.paloaltonetworks.com. Last night wildfire.paloaltonetworks.com was valid until 5/11/2020 I had to change the WF config to wildfire.paloaltonetworks.com last night because of warning email every minute was filling my mailbox. Have switched back to eu.wildfire.paloaltonetworks.com now and errors are gone.   cu     ... View more

Have you checked that the servers where it is working are using the security policy you created and the traffic is not using another way? You can filter the traffic log for a special policy so you only see the traffic that is allowed or denied by this rule. ... View more

In addition: when needing and adding non-default ports to an application, i would use a separate rule for this. If you e.g. allow webbrowsing and smtp in one single rule and choose application default on the services, each application will only be allowed on its own default ports. So webbrowsing would not be allowed on port 25. But if you in addition need port 9090 for webbrowsing and take one rule with application webbrowsing and application smtp and choose manually the services (so you would take tcp80, tcp8080, tcp9090, tcp25, tcp587), that would also allow smtp on port 80 or webbrowsing on 587.... ... View more

Strange rule you have there. Why are there so many services allowed? If you have not included the default services of webbrowsing and / or facebook (tcp80, tcp8080, tcp443...), it can not work. Best practise is to define applications to allow and choose "application default" in the service field. Otherwise all the applications are allowed on all ports you define under the service field. If you have applications that are not defined by PA you can create custom application and use a special rule for them. So your rule for webbrowsing and facebook should look like: from trust - to untrust - application webbrowsing, facebook - service application default - action allow (maybe define some groups or users to limit the rule). ... View more

Thats right. The warning is normal and can be ignored. There are many applications that also bring up this warning if you use a cleanup-rule as last rule. In your scenario it shpuld work as expected like Narong explained. You can use application default when working with application groups. Each application will then only work on its default port(s) that are defined in the application-default. But why are you using a blacklist? If you define apps that are allowed, all other apps should be denied by default. You do not need a special deny rule. Only allowed traffic should flow. ... View more

Could not have explained it better then Jared. Do never use "any" for service on incoming rules and try to use "app default" wherever possible to get tight control on your network traffic. And concerning one of your questions about a deny-all rule: The PA has an implicit rule that you can not see and that does not show up in log files. This rule is deny any nter-zone and allow-all intra-zone traffic. If you create a deny-all rule (also known as clean-up rule) you have to make sure that you allow required intra-zone traffic that is needed. I use a cleanup as last rule with any-any-any-deny. Others don´t. There is no best practise for that but alot people prefer to have a clear rule set with explicit conditions and no implicit rules. HTH ... View more

Are you allowing the desired apps with service any or with service application default? If you use application default (e.g. "from untrust" "to dmz" "app webbrowsing" "service application default" "action allow") you do not need another special deny rule. But if you use "app webbrowsing" "service any" your config should be reviewed. HTH ... View more