About HULK

Welcome. ... View more

Hello Bino, Could you please try below mentioned steps ( assuming that, currently the tunnel is not passing any production traffic). >show vpn ipsec-sa tunnel <tunnel name> > show vpn ike-sa gateway > clear vpn ike-sa gateway XXXXX Delete IKEv1 IKE SA: Total 1 gateways found. > clear vpn ipsec-sa tunnel XXXXXX Delete IKEv1 IPSec SA: Total 1 tunnels found. > test vpn ike-sa gateway XXXXXX Initiate IKE SA: Total 1 gateways found. 1 ike sa found. > test vpn ipsec-sa tunnel XXXXXX Initiate IPSec SA: Total 1 tunnels found. 1 ipsec sa found. > show vpn flow >show vpn flow tunnel-id x  << where x=id number from above display Let us know the result. Thanks ... View more

You may get in touch with your PAN SE. He might give you some hints. Thanks ... View more

As per my understanding, you are correct.  If the wildfire is not having a signature of that packet, it will trigger "forward" action to the cloud. And then the signature would be modified in threat database/PAN-DB. For your reference: How is a New Registered Domain Classified by PAN-DB? For malware domains, PAN-DB will categorize a URL or IP as malware as long as WildFire has associated it with malicious activity. Regarding the CryptoLocker lists published by the FBI and InfraGard, Palo Alto Networks does subscribe to these lists and will create threat signatures around them, as well as feed the domains and IPs listed into PAN-DB. For those malware families that utilize DGAs, Palo Alto Networks will phase in DNS signatures as those domains go live (typically a few days before), and then disable them as they are taken down. Starting with the most recent InfraGard list, (CryptoLocker, GameOver ZeuS), Palo Alto Networks started adding all domains at once to PAN-DB, and keeps them categorized as malware until otherwise notified. Hope this helps. Thanks ... View more

Hello Infotech, Is there any specific reason,  you are using "lifesize – 4800 mb" in Phase 2. It will force the tunnel to re-negotiate the keys unnecessarily. It's not a mandatory parameter. Thanks ... View more

Could you please run > tail follow yes mp-log ikemgr.log---------- from CLI and at the same time, apply test VPN command from an another SSH window. Please share the o/p with us. Thanks ... View more

Could you please double check Phase-2 ( ipsec) proposals are same on both sides. Please select only one set of proposal on both side firewalls. Also check in ike-mgr log: admin@> tail follow yes mp-log ikemgr.log Thanks ... View more

If the PROXY ID did not match on both sides, Phase-1 will come UP but IPSec phase-2 will fail with an error "proxy ID mismatch". Thanks ... View more

For an example: Result of show vpn flow tunnel-id tunnel  Parkway_IPSec_Tunnel5:DR_Network         id:                     139         type:                   IPSec         gateway id:             5         local ip:               66.94.196.107         peer ip:                66.94.196.108         inner interface:        tunnel.5         outer interface:        ethernet1/3         state:                  inactive         session:                0         tunnel mtu:             1428         lifetime remain:        N/A         monitor:                off         monitor packets seen:   0         monitor packets reply:  0         en/decap context:       2716         local spi:              9C3025F2  >>>>>>>>>>>>>>>>>>>>>>>>>>> based on below mentioned Local/Remote subnet, this SPI keys will generate. If you do not enter any proxy ID's,it will take 0.0.0.0/0 as local and remote and SPI will mismatch with CISCO FW.         remote spi:             07B3DE31 >>>>>>>>>>>>>>>>>>>>>>>>>>         key type:               auto key         protocol:               ESP         auth algorithm:         NOT ESTABLISHED         enc  algorithm:         NOT ESTABLISHED         proxy-id local ip:      10.135.100.0/24  ******************************         proxy-id remote ip:     10.135.11.0/25 ******************************         proxy-id protocol:      0         proxy-id local port:    0         proxy-id remote port:   0 SPI is just like a KEY, to open and encrypt a packet. IF you check CISCO FW it should have the same SPI keys for this VPN tunnel. On CISCO FW: local spi: 07B3DE31   ( remote for PAN) remote spi: 9C3025F2  ( Local for PAN) Thanks ... View more

Yes, you need to configure the PROXY ID's on PAN firewall. Based on the proxy ID's, PAN firewall will create the SPI (keys). Thanks ... View more

An example: Hope it will help you to understand about proxy ID's. Thanks ... View more

Few related discussion on the forum, it might help you. Dhcp How To Configure DHCP Server in PAN-OS 4.1 How to Configure a DHCP Relay on Palo Alto Networks Firewall CLI Commands to troubleshoot DHCP How to Check the DHCP logs? You may share your network diagram here for better understanding. Thanks ... View more