About S.Cantwell

I have the same issue, but I think it is to keep the admin aware of the function/security consideration.   In terms of how to turn it off... don't believe there is a button to click on. This could be a feature request (or even a bug... depending on your perspective) to have this message only show 1x, at attachment of mgmt profile and never again.     ... View more

Not a dumb question at all... let's review some info, and set expectations.   PC1 is in Zone1. PC2 is in Zone2   You did not mention at what layer (VWire, Layer2, or Layer3 interface) you are doing your routing (if any)   If all PCs are plugged into a switch (downstream from FW), then the switch will intercept the arps and the FW will not be an inspection point.   You can plug PC1 physically into a port assigned to Zone1 (and do the same for PC2, assigned to Zone2) and now, the firewall would inspect traffic between both PCs.   Ideally... PC1 in Zone1, should be a different subnet than PC2/PC3, so that the FW is the default gateway (at L3) to route and inspect/allow traffic to PC2 and deny traffic to PC3.   To summarize, the FW must see the traffic ingressing to the Zone1.  ... View more

Hello again., I wanted to hold my comments about this static routing, as I really do not understand why you needed to put in static routes. I am only presuming that your FW can fwd traffic out its public interface, and let the routing of the Internet get the traffic to the Outlook servers.   The other question that I had... is why ONLY the GP users. If you needed outlook to work with static routes, this also implies that your internal users could not have had their email working at all. Again, because it was not a security policy change, but a network/routing change.   Am I simplifying your configuration too much? ... View more

Have you confirmed that the emails is NOT being sent vs NOT being received. That is two different things.   The email profile does not have a user/password field, only an email.   I would recommend doing a tcpdump on the FW's mgmt interface to confirm that your email traffic is/isnt egressing the FW.   Thanks. ... View more

Hello there.   I would have presumed that your CN or Common Name is either IP or FQDN name (which both FW would synch between them) So in your template, your inside IP for both FWs is the same.. ( right??? ) and the FDQN name (if you used this for your CN) is the same on both FWs.   I guess, I am trying to determine if you used a wildcard cert on ALL firewalls?   So no, it should not be a problem to push the cert to both FWs.   Are there any other details that would create a difference (SNs are not included in differences).   Also, what is your methodology to get the cert onto all end user browsers (IE, Edge, Chrome, Firefox, Safari, Opera, etc) Please advise. ... View more

@a.jones    I have a differing perspective on how to configure this.   Encryption Domain terminology implies that you are using a policy based product (like CP?  :P) The PANW uses static route based solution.   The policy based technologies require a complimentary SA/DA pair configured on both sides.  This is a proxy ID The PANW does not use complimentary proxy IDs, so you will need to create them.   On the PANW, modify your IPSec tunnel, click on ProxyID and enter the local (from the PANW side) and the remote subnet. Now you will have a complimentary proxy ID for both sides to be exchanged.   You do NOT need to enable "NAT Traversal", unless your PANW firewall is NOT performing and a L3 switch (north of the PANW is) This is typically for virtual FWs that have private IPs vs public interface IP.   You should NOT need any NAT at all in NAT policies.   Your routing table should take your private IP, fwd it across the VPN to the remote side, without the need to NAT.   I have been teaching PANW edu classes and doing PS for 8 years, so I am available for a phone call if you want to chat offline about this.   Let me know. ... View more

Can you export the configuration on "bad" one, and import it onto "good" firewall.   use the Config Audit functionality to definitely compare side by side (vs eye balling it.. 😛  to see where the change it)   Just an idea besides prayer.  😛 ... View more

This is always one issue that strikes a chord with users.    The issue is really how the webpage is created and not much about how the FW is configured.   Read this below article.   https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClZJCA0     ... View more

@DavidHostetter    I am a little confused by this comment   This would be a whole lot easier and more powerful if PanOS could join the domain as a member workstation and directly integrate with AD.   This is how AD integration works on the PANW Firewall   You have your MS person create a service account with 3 permissions: Event Log Readers Distributed COM Users Server Operator Privileges.   You use this account to create a LDAP Server profile You go to UserID  ==> Group Mappings, and refer to the LDAP Server profile, and determine what LDAP Groups you want to create policies for.   You enabled UserID on the zone (trusted) You create security policies. based on LDAP user or group.   Am I misunderstanding? What I have understood by PANW (as a trainer and PS engineer) is that the service account you created is exactly used for joining the domain, but is not an end user service account... if that makes sense.           ... View more

Typically, the device that supports syslog messages sends the messages to the syslog server. So think about any network piece of hardware (switch/router, wireless access controller, etc) These devices would typically fwd to the IP of a syslog server.   In this case, your syslog server should be sending them to another syslog server (in this case, the IP of the FW mgmt)   What does a log message look like in QRadar, when the DC successfully fwds the messages to the syslog server? ... View more

Hello there.   We are fellow engineers like yourself, so if you can source an alternative, by all means. I do not think the rev is important as much as making sure the voltage/amps/etc are exact match.   Any other questions we can answer?   ... View more

@karthikeyanB    Definitely creating the CSR on the FW is the correct way to do it.   If the error is mismatched private/public keys, then... they will need to export the cert AND the private key, and import on the FW.   To be fair, I think the best thing to do,.. create the CSR on the FW and ask Comodo to sign it. As they have already paid for the cert, I do not see Comodo pushing back on this request... I have lost my certificate signing requests before and create a new one with out issue. Granted.. it would have to be identical name/CN to for it to be re-signed at no charge. ... View more

Looks good to me...IF the rule is a local rule on the FW.   If managed by Panorama, I think you will need to run a similar command on the Panorama as described below   (obviously  not fred as the device-group.. but you understand what I meant ;P)       ... View more

Hello there.   I have often used LDAP for much of my configurations, based on simplicity and need. As you mentioned, LDAP can do authentication, can be used for LDAP Group Mappings, etc.   As you also mentioned, you have individually confirmed that authentication profiles for each type, have been configured. Now, you would need to create an Authentication Sequence, which allows each auth profile to be queried/tested.   The other configuration you would want to implement is creating an service account with the following permissions: Event Log Reader (to determine/establish user to ip mappings) Server Operator (to maintain known ip mappings of those ppl using file/print share sessions) WMI Probing (if needed) to query unknown IPs that may be microsoft devices, but not picked up by the previous 2 techniques.   You can configure the FW (User ID --> Group Mappings) to limit those LDAP group you want policies to be for (such as FW admins) You can enabled UserID on the trusted zone, so that the FW knows who the users are. You can create policies, based on UserID name (or group mapping) to be used at matching conditions for your policies.   I would recommend the old "RTM" method of reading the admin guide on UserID.   All techniques that you want and described, can be accomplished. You just need to engineer the solution to do them.   What other questions can we answer for you? ... View more

@JermaineScott    Always glad to assist you.   To be more accurate in my comment about the Server Operator Privs, I agree it will not prevent UserID from working, however.... it is one of 3 techniques used by PANW, when working with LDAP. 1) Event Log Reader (to read the security logs)   2) Server Operator Privs (which is ONLY used by the FW to confirm an IP is maintaining its file/print share sessions. If your MS has issues with it, have them escalate it up to PANW, but in the meantime, it really is NOT a security concern, because your MS team controls the password.. It is not on the FW.   3) Probing... (which is not a bad thing....) using WMI.  I was surprised that your MS group provide you with an elevated privilege (normally reserved for Domain Admins...yet fumble on a more secure ServerOpPriv service. ) so that you can probe unknown IPs.   Other techniques that you should be investigating... Syslog profile from your wireless controllers, enabling GP (always ON with no internal gateway) so that users can authenticate to (and through) the FW.   Thanks.. and happy firewalling!!!  ... View more