This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

About SCantwell_IM

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.
SCantwell_IM
‎04-06-2024
Cyber Elite
since ‎05-10-2019
Cyber Elite
User Activity
User Profile
Latest posts by SCantwell_IM
View All
User Badges
Community Statistics
Member Since ‎05-10-2019 01:48 PM
Date Last Visited ‎04-06-2024 04:34 PM
Posts 869
Total Likes Received 207

Re: split tunnel issue

by Cyber Elite in General Topics
‎07-01-2019 10:11 AM
‎07-01-2019 10:11 AM
When a commit is attempted, you will get messages about success, warnings, or failures. Right now, we do not know any of this information. Please attempt to push your configuration from the Panorama, but be logged into the FW that is not working. At lower right corner, open tasks, and watch as config from Panorama is being pushed to FW. Copy any error/warning messages. Let us know if you do not see these messages, which would mean that Panorama is not speaking to FW.   Thanks. ... View more

Re: FWs not sending logs to Panorama, logs show constant disconnect

by Cyber Elite in General Topics
‎06-28-2019 12:56 PM
‎06-28-2019 12:56 PM
Well now... support are humans as well, and do not think it is fair to say they are the worst. I can tell you that I personally had seen/occured worst support from other vendors as compared to PANW.   Anyways... can you confirm that you have seen/viewed this topic: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClFCCA0   It talks about when the FW and Panorama lose their sequence numbers.  This has personally happened to me, when I corrupted my virtual Panorama and just installed a new one.  The sequence numbers were not the same, and the FWs would not forward correctly.   Good luck and let me know... keep me the loop, as the Live website here has other commands for how to force the resynch, but do not know if this is your issue.  Take it troubleshooting step at a time.     ... View more

Re: Policy details

by Cyber Elite in General Topics
‎06-28-2019 12:49 PM
‎06-28-2019 12:49 PM
What happens if you did a show | match command   So going into configure mode on Panorama from CLI   show | match "Test" or similar   Maybe it would be show |match "address-group Test" or similar.   This should show you all "hits: on the word Test, and what the policy name is, and what DG you would find that Test group at.   Just some ideas to help you along. ... View more

Re: USER-ID and problems with runas /netonly in combination with MMC modules

by Cyber Elite in General Topics
‎06-28-2019 12:42 PM
‎06-28-2019 12:42 PM
Not an exact fix, but an idea that I have seen other customer use, is to reduce the time of the caching of IP info from the default 45 minutes, so something less, say 5 minutes.  There may be a potential that more IPs may be cached out, but it may be an idea/temp workaround (if even called that).     Unless there was scripting function that after you did the netas command you would also have it clear the IP mapping for your username, that is about the only thing (knee jerk reaction) that comes to mind to perhaps assist you.   Thanks.   ... View more

Re: How to test DNS Security Properly?

by Cyber Elite in Threat & Vulnerability Discussions
‎06-28-2019 12:35 PM
1 Kudo
‎06-28-2019 12:35 PM
1 Kudo
The steps provided were to show you that the DNS Sinkhole functionality was being actioned/"hit on". While I agree that these same sites are probably used in the Content Profile for URL Categorization, testing was done to provide confirmation that DNS sinkhole was working.   I enabled the Spyware profile to use the licensed DNS security feature. But, instead of using the default sinkhole.paloaltonetworks.com FQDN, I used a bogus 9.9.9.9 as my sinkhole.   Then I tested the 4 sites.   My traffic was blocked, not because of the URL.  In looking at the threat logs, I see the action of sinkhole against the IP of my device. For confirmation, I filtered on the Traffic log, and saw 4 hits on a destination IP of 9.9.9.9, which were not there, prior to my testing.   Therefore, the DNS Security feature, along with sinkholing to a different IP, shows/provides me confidence that the DNS security feature worked, before the URL filtering profile (which may well have those 4 sites listed), but Spyware profile is what was triggered.   Thank you.     ... View more

Re: Shadow Rule Warning

by Cyber Elite in General Topics
‎06-27-2019 10:08 AM
‎06-27-2019 10:08 AM
Rule shadowing is always because a more general rule is above more specific rule below it (as you are aware)   Not knowing how many Source Zones you have... my recommendation is list all of the them in the source zone field vs using ANY.   You could also do ANY source zone (but then put in the 3 internal unrouteable address 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16) Just need to modify the rule so it does not cause the shadowing. ... View more

Re: Any way to copy objects from one firewall pair to another?

by Cyber Elite in General Topics
‎06-27-2019 10:00 AM
‎06-27-2019 10:00 AM
Ah... I see what you are saying... Let me clarify.   You would not change the entry to match your FW domain Keep it just as /config/devices/entry[@name='localhost.localdomain']   using localhost.localdomain. (dont put in FW-A.abc)     ... View more

Re: Any way to copy objects from one firewall pair to another?

by Cyber Elite in General Topics
‎06-25-2019 10:54 AM
1 Kudo
‎06-25-2019 10:54 AM
1 Kudo
Excellent question!!!   Yes this can be done. I would like you read/understand this link:   https://docs.paloaltonetworks.com/pan-os/8-0/pan-os-cli-quick-start/use-the-cli/load-configurations/load-a-partial-configuration#   Essentially, from one FW that has the objects/groups, you will save that config off to a named config (say... partial.xml)   Next, import the partial.xml file onto the other FW, but do NOT commit; just get it onto the HDD   Next, from CLI the command is going to be load config partial from <filename> from-xpath <source-xpath> to-xpath <destination-xpath> mode [append|merge|replace] I am not aware of how to get ALL objects from a single config merged into a new config. This is but a very small snippet of what can be done with the xml file.   Address load config partial from test2.xml from-xpath /config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']/address to-xpath /config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']/address mode merge   Address Group load config partial from test2.xml from-xpath /config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']/address-group to-xpath /config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']/address-group mode merge   The above will move ONLY the address objects and then Address Group objects into the config. If you have service objects/groups, that is a similar pattern, but the path is located differently.   Enjoy!  And welcome to advance FW configuration/administration!   ... View more

Re: Captive portal not working

by Cyber Elite in General Topics
‎06-25-2019 05:47 AM
‎06-25-2019 05:47 AM
Seems like all step should be there.   Confirm that you have seen/used this doc: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClFlCAK   and depending on what PANOS software test authentication-policy-match from <value>|<any> to <value>|<any> source <ip/netmask> destination <ip/netmask> category <value> ... View more

Re: Suggestion on how to made dual IPSec VPN UP with Dual ISP failover by configuring Dual VR

by Cyber Elite in General Topics
‎06-24-2019 02:00 PM
1 Kudo
‎06-24-2019 02:00 PM
1 Kudo
Well. based on the picture you uploaded, you seem to be familiar with the proper document that discusses Dual VPN with failover.   https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClFiCAK I have set this up 2x with customers and used the above document as my bible.   Steve ... View more

Re: Fighting the cli ... sigh - how to import a cert via the cli

by Cyber Elite in General Topics
‎06-24-2019 01:56 PM
1 Kudo
‎06-24-2019 01:56 PM
1 Kudo
Ok, am going to ask the obvious and dumb question first.   Why not, temporarily, disable the need to use a Cert to manage the Panorama? You have CLI access, remove the line that references the cert.   for me, that line is set deviceconfig system ssl-tls-service-profile SecureGUI (SecureGui is my cert profile) delete that line.  commit. Now the Panorama would not be looking for a valid cert to manage on it.   Certainly will keep an eye on this message response, but should not be too difficult.   If I am misunderstanding the issue, please provide greater detail.  😛             ... View more

Re: PA 500 home use

by Cyber Elite in General Topics
‎06-24-2019 01:45 PM
‎06-24-2019 01:45 PM
Maybe a different recommendation is to download a VM version of a PANW FW, and use it like a "lab in a box", with VMWare Player. Gets you used to the gui, basic policies, etc.  BUT... still unlicensed, you will not get many sessions (like only 10 or so), but the point to become familar with the FW GUI.   Again, just a 2cent idea.  😛 ... View more

Re: Avoid Attack from outise in PA

by Cyber Elite in General Topics
‎06-24-2019 01:40 PM
‎06-24-2019 01:40 PM
Perhaps a suggestion to slow/limit may be to take a look at a document I created   https://live.paloaltonetworks.com/t5/General-Topics/Using-the-Log-Forwarding-Built-In-Actions-to-create-Dynamic/td-p/267612   It uses a Dynamic Address Group, along with a (somewhat simple auto-tagging from the Log Forwarding Profile) to tag "Bad Ppl", so that when this Address Group hits my DoS Policy, they are immediately dropped. Not a lot of fine tuning required.   Thanks Steve ... View more

Re: I have question with SSL decryption.

by Cyber Elite in General Topics
‎06-20-2019 02:30 PM
‎06-20-2019 02:30 PM
I think I may see/understand your situation.  Prior to 9.x software, the PANOS software did not include secured ports in its AppID.   Example When SSL:443 traffic is decrypted, the application becomes web-browsing:443 (port does not change)   because 443 is not app-default for web-browsing, then it is not longer a match. If policy was app-default then you would need to change web-browsing to allow 80, 8080, and 443, or change to service any.   maybe this is your issue?   ... View more

Re: Panorama Confusion

by Cyber Elite in General Topics
‎06-20-2019 02:21 PM
‎06-20-2019 02:21 PM
Hmmm, make sure  you have setup a log forwarding profile on the FWs to PUSH the logs to the Panorama.   I did not see that you had done this yet.     ... View more
Register or Sign-in
Contact Me
Online Status
Offline
Date Last Visited
‎04-06-2024 04:34 PM
Latest Tags
No tags yet
LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks