About HULK

Hello Infotech, The ASA might be taking IKE version 2 by default. Could you please verify, if there is any option to disable it. The option would be available under Phase-1 configuration. Thanks ... View more

Hello Infotech, Please find below doc, which might help you. By the way, IKE V2 currently it is not supported. However, there is a feature request previously submitted.  (FR ID: 1683). I would request you to set IKEv1 on your CISCO ASA to successfully build the VPN tunnel with PAN. Sample IPSec Tunnel Configuration - Palo Alto Networks Firewall to Cisco ASA IPSEC with Cisco ASA Thanks ... View more

Hello COS, Are you facing this problem from a specific machine or from all machines ( with your credentials).? Are you able to login into the GP portal with same credentials..? You can enable debugging into the GP client to get some more information: Troubleshooting GlobalProtect, PAN-OS 4.1 Thanks ... View more

Hello Hartkently, If you add an exception for a Threat ID, the traffic will be bypassed through the PAN firewall and signature will not trigger. Thanks ... View more

Hello Hartkently. Yes you are correct, In case of spyware signature, the ID will be re-used by PAN firewall and you will not be able to change the default action. Thanks ... View more

Hello Edevansky, Could you please explain, how you did this on CISCO device. Accordingly, we can think about an approach here in PAN firewall to achieve the goal. Thanks ... View more

Hello Shank, Could you please identify the session ID for the same traffic and open it in CLI PAN> show session id XYZ   >>>>>>>> It will give you the detailed information. Thanks ... View more

Hello Sly_Cooper, You can take a packet capture on a test machine or PAN firewall from a host, where JAVA update is running. After taking the pcap file, you have to analyze the header to get the request information i.e "java version". Thanks ... View more

Hello Hartkently, Do you have the "threat-ID" for those you want to change the default action...? FYI: Thanks ... View more

Hello Shank, Is the session details showing all the parameters i.e security policy, ingress/egress interface etc correctly.....? ... View more

Hello Andiehuk, Could you please let us know the name of the application, you are trying to add here in your PAN firewall. The most common example is web browsing ( as a dependent application for facebook)  that transitions into "Facebook" and then this further transitions into "Facebook chat". If a user is blocked from web-browsing then they will never transition to a more specific aplication. Each time an application transitions to something more specific it is passed through the list of security rules again to see if it should be handled by a different security policy. Thanks ... View more

FYI for DOC Globalprotect portal uses web-browsing ? Globalprotect portal uses web-browsing ? 1) Are both ssl and web-browsing need to be allowed for GP portal to connect. In customer's case we needed to allow both SSL and WEB-BROWSING in order to display the GP portal page. PA-5050 PAN-OS : 5.0.4 Tested in lab and with Pan-OS 5.0.11 and found that we need both SSL and Web-browsing to allow GP portal page to get displayed. 2) The web-browsing application that is being identified when we access the GP portal page uses port 443 instead of 80. Customer needs to to know why ? c2s flow:                 source:      115.114.47.125 [untrust]                 dst:         86.36.50.9                 proto:       6                 sport:       15579          dport:      443                 state:       ACTIVE          type:       FLOW                 src user:    unknown                 dst user:    unknown         s2c flow:                 source:      86.36.50.9 [SSL-VPN]                 dst:         115.114.47.125                 proto:       6                 sport:       20077           dport:      15579                 state:       ACTIVE          type:       FLOW                 src user:    unknown                 dst user:    unknown                 qos node:    ethernet1/13, qos member N/A Qid -2         start time                    : Sun Apr 27 18:46:24 2014         timeout                       : 60 sec         time to live                  : 52 sec         total byte count(c2s)         : 7467         total byte count(s2c)         : 55677         layer7 packet count(c2s)      : 79         layer7 packet count(s2c)      : 45         vsys                          : vsys1         application                   : web-browsing         rule                          : test vpn         session to be logged at end   : True         session in session ager       : True         session synced from HA peer   : False         address/port translation      : source + destination         nat-rule                      : (vsys1)         layer7 processing             : completed         URL filtering enabled         : False         session via syn-cookies       : False         session terminated on host    : True         session traverses tunnel      : False         captive portal session        : False         ingress interface             : ethernet1/13         egress interface              : loopback.1         session QoS rule              : N/A (class 4)         session tracker stage l7proc  : proxy timer expired 3) When we access the GP portal page, the monitor logs shows DECRYPTED checked. There is no decryption policy enabled on firewall then why this session is shown as decrypted ? ANS: 1. Re: Globalprotect portal uses web-browsing ? 1. Yes, you need to allow both ssl and web-browsing for GP page to work. This assumes you have a default deny-all policy, which is not standard. If you don't have a deny-all policy, the GP page is on the same zone as the client requesting the page (usually) and is allowed implicitly. 2. Any connection that is decrypted will show the real application (see answer below). SSL is an application only when we cannot decrypt the session and determine what is happening under the SSL transport. 3. The reason it is decrypted is because the firewall itself is handling the SSL connection. There is nothing to decode because the firewall has the private & public key. Globalprotect portal uses web-browsing ? ... View more

Hello Blazarov, Captive Portal Behavior Captive portal will only be triggered by a session that matches the following criteria: 1) There is no user data for the source IP of the session 2) The session is HTTP traffic 3) The session matches a Captive Portal policy on the firewall Captive Portal Redirect Steps 1) Web traffic from unknown IP that matches Web Form CP Policy 2) Traffic Redirected to L3 Interface 3) Firewall request credentials - the same time firewall allocates cookie value (note that during first time allocation of cookie "Get Cookie and didn't find cookie" log message will appear on appweb3-l3svc.log if "debug l3svc on debug" in turned on) - Browser will save this cookie for example Firefox under Preferences > Privacy > Firefox will: Use custom settings for history > Show cookies > Site (Cookie Name: PHPSESSID) the PHPSESSID is the same value the PA Firewall use to check for session cookie if Captive Portal Session Cookie is enabled. - Once the user-ip-mapping on the PA firewall times out of cleared manually Steps 1 - 2 will be repeated. Because of cookie Step 3 - 4 wont be necessary. - In an event that the cookie is not present on the browser for some reason like corrupt cookie file the client won't be presented the Captive Portal Login Page because the firewall is still attempting to use the previous cookies. Manually removing the cookies on the browser might help. 4) Firewall authenticates user 5) User mapped and redirected to original address Link below might be helpful http://support.mozilla.org/en-US/kb/fix-login-issues-on-websites-require-passwords Please try "Remove corrupt cookies file" on your test workstation to check if this will help. Thanks ... View more

Hello Shank, Here is a good document to start initial troubleshooting: ? You can verify the session information on the PAN firewall CLI to understand where the packet is getting dropped. Are you trying to access the portal from inside network ( from firewall stand point) or from public internet...? How To Access External GP Portal/GW From Inside The Firewall Hope this helps. Thanks ... View more