About HULK

Hello Cos, Incomplete means that either the three way TCP handshake did NOT complete or the three way TCP handshake did complete but there was no data after the handshake to identify the application. In other words, that traffic you are seeing is not really an application. So to explain a little clearer, if a client sends a server a syn and the Palo Alto device creates a session for that syn, but the server never sends a SYN ACK in response back to the client, then that session would be seen as incomplete. NOTE: From the above screenshot, it looks like, while you are trying to reach IP 10.98.200.16, only 78byte of data is being received at PAN FW. Thanks ... View more

How is the response from GUI now...? Thanks ... View more

There are few similar feature request is already submitted. It's best you reach out to your SE or sales contact, If there are any features we currently don't have but you would like to see added they can create a feature request for you. Custom Report enhancement - More sort by options FR ID: 395 More granular time period for scheduled custom reports FR ID: 2429 Time Frame Based Reporting FR ID: 3292 Hope this helps. Thanks ... View more

Hello Diennea, mgmt-server process looks good to me. The log receiver process took more than 1 Gig memory from the management plane (MP) 20857 root      20   0 1139m 116m 1792 S    1 12.7  47:51.03 logrcvr You may apply below mentioned commands multiple times from the CLI ( with 2 second interval) and update here. > debug log-receiver statistics > show counter global filter delta yes | match log Thanks ... View more

Hello diennea, From the above mentioned output, it seems the firewall is always having a large queue for I/O to complete. %wa - percent of time CPU has been waiting for I/O to complete.  (Too high may be indicative of heavy swap usage particularly. Also noticed, the "log receiver" process is taking a large volume of memory from the MP (management-plane). You may apply CLI command > show system resource follow (press SHIFT + M), to get the output based on memory utilization. If you have enabled logging for every policy on this firewall, i would suggest you to enable on required policy and bypass non-urgent traffic i.e DNS, ping etc. Hope this help. Thanks ... View more

A good number of traffic is passing through the PAN firewall. So, from PAN point of view, seems to be working fine. Thanks ... View more

Hello Darren, Yes, you are correct. Pre-logon is a feature which will authenticate the user and connect the PC to global protect with pre-installed user certificate before he logs into his machine. Few related discussion threads for your reference: Pre-Logon Global Protect GlobalProtect Re: Pre-Logon Global Protect Hope this helps. Thanks ... View more

Hello Darrent, The GlobalProtect pre-logon connect method is a feature that enables GlobalProtect to authenticate the agent and establish the VPN tunnel to the GlobalProtect gateway using a pre-installed machine certificate before the user has logged in. Because the tunnel is already established, domain scripts can be executed when the user logs in instead of using cached credentials. With pre-logon, when an agent connects to the portal for the first time, the end user must authenticate (either via an authentication profile or a certificate profile configured to validate a client certificate containing a username). After authentication succeeds, the portal ushes the client configuration to the agent along with a cookie that will be used for portal authentication to receive a configuration refresh. Then, when a client system attempts to connect in pre-logon mode, it will use cookie to authenticate to the portal and receive its pre-logon client configuration. Then, it will connect to the gateway specified in the configuration and authenticate using its machine certificate (as specified in a certificate profile configured on the gateway) and establish the VPN tunnel. When the end user subsequently logs in to the machine, if single sign-on (SSO) is enabled in the user-logon client configuration, the username will immediately be reported to the gateway so that the tunnel can be renamed and user- and group-based policy can be enforced. FYI.. a reference DOC for more detail information: GlobalProtect Configuration Tech Note   --- page no 50 ... View more

Hello Srikanth, If you enable packet capture on the PAN firewall, please verify, if any packet received or transmitted through PAN. Also, you can check the real time session in the CLI by using 'show session all filter source IP_ADD_OF_THE_TESTING_PC destination IP_ADD_OF_THE_DESTINATION'. >  If there is a session exist for the same traffic,  then please apply  CLI command PAN> show session id XYZ   >>>>>>>> to get detailed information about that session, i.e NAT rule, security rule, ingress/egress interface etc. Hope  this helps. Thanks ... View more

Hello Greg, Could you please let me know, Is this PA-200 firewall installed with 4.1.x PAN OS version ( 4.1.0 or 4.1.1)....? Thanks ... View more

Here is a similar discussion thread: Re: reading ARP table  ( it's might be possible through API) Thanks ... View more

FYI.. This is not supported: Thanks ... View more

Hello kentjday, Just to let you know, the Virtual Wire NAT will only support IP address translation on an address which is not on the same subnet as the endpoint which is directly connected to our firewall. Thanks ... View more