About HULK

Hello Karlh, So far, there is no option to export the entire threat-vault from the PAN firewall. The database will be big enough, as It contains almost 40,000 threat.  I would recommend you to consult with your Palo Alto  SE for the same. He might help you with this. Thanks ... View more

Troubleshooting User-ID: Group and User-to-IP Mapping Thanks ... View more

Hello Sly_Cooper, You can create a regex to match specific java versions ( latest) to allow through the PAN firewall. For all other versions, other than the latest one, set the action as "block". So, all the request will be logged into the PAN firewall. Reference doc: Creating Custom Threat Signatures NOTE: The Java spec is written so that JAR files may look like ZIP files in PAN. Thanks ... View more

Hello, Few related discussion on the forum, might help you. : generic communication error Re: updates.paloaltonetworks.com connectivity Thanks ... View more

Hello Jared, I think any session based firewall will match the ICMP session based on ICMP Identifier, and the ICMP Sequence, to create the sessions. Hence, ideally there will be no default port for ICMP protocol, ultimately it will be "ANY". Thanks ... View more

Hello, It's looking like a routing issue for me. Let me know if i understand it correctly. NAT Policy: Source-zone=Public Zone, Destination-zone= Public zone Destination IP address: Public IP address NAT destination translation= Private address of the Server Security Policy: Source-zone=Public Zone, Destination-zone= Inside Zone ( LAN) Routing: a) Default gateway on PAN FW pointing towards Public zone ISP router. b) Server's Private IP address >>>pointing towards next hop to INSIDE FW Thanks ... View more

Hello Jclingan, As per my knowledge, you can add max 4 server address inside a single server-profile. After adding 4 server address, the "Add" button will be grade out. Thanks ... View more

Hello Dvlacic, Here is the KB doc which might help you to understand Proxy-ID concept for IPSec VPN tunnel. Why is a Proxy-ID Required for VPNs between PAN and Firewalls that Support Policy Based VPNs? For example: admin@40-PA-4020> show vpn flow name test-tunnel tunnel  test-tunnel         id:                     2         type:                   IPSec         gateway id:             1         local ip:               10.66.24.40         peer ip:                1.1.1.1         inner interface:        tunnel.101         outer interface:        ethernet1/3         state:                  init         session:                49166         tunnel mtu:             1448         lifetime remain:        N/A         monitor:                off         monitor packets seen:   0         monitor packets reply:  0         en/decap context:       5         local spi:              00000000         remote spi:             00000000         key type:               auto key         protocol:               ESP         auth algorithm:         NOT ESTABLISHED         enc  algorithm:         NOT ESTABLISHED         proxy-id local ip:      0.0.0.0/0     >>>>>>>>>>>>>>>>>>>>>>>>>>>> Source subnet, where from you are expecting to initiate traffic         proxy-id remote ip:     0.0.0.0/0 >>>>>>>>>>>>>>>>>>>>>>>>>>>> Destination private subnet         proxy-id protocol:      0  >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Protocol allowed through the tunnel         proxy-id local port:    0 >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Source port         proxy-id remote port:   0 >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Destination For each proxy-ID, the firewall will create different SPI value (different IPsec tunnel) between source and destination.  PAN and Juniper firewall's uses 0.0.0.0/0 as default proxy ID, but for CISCO devices, you have to define the proxy-ID ( access-list) in order to pass traffic through tunnel. Hope this helps. Thanks ... View more

A workaround through CLI: admin@DADA> set cli config-output-format set admin@DADA> configure Entering configuration mode [edit] admin@DADA# show admin@DADA# edit rulebase security [edit rulebase security] admin@DADA# For example: you want to change/add the Antivirus profile into the security rules ( whether url-filtering is already added) [edit rulebase security] admin@DADA# show | match url-filtering set rulebase security rules LAN-ISP profile-setting profiles url-filtering default set rulebase security rules test-1 profile-setting profiles url-filtering default [edit rulebase security] Copy the output in a notepad and replace the url-filtering profile with the configured antivirus profile and paste it into the CLI. set rulebase security rules LAN-ISP profile-setting profiles virus XYZ set rulebase security rules test-1 profile-setting profiles virus XYZ Thanks ... View more

Hello Dave, While you will initiate a connection for RSYNS application, the first few packets will choose the first available policy in the same direction, regardless of the application defined in the security-policy.  As soon as PAN firewall identifies the application signature of the packet ( App-ID), then it will switch into the appropriate security policy. If you enable logging  session for  "Log at session start" in the security policy, it will be able to see the same behavior in traffic logs. Hope this helps. Thanks ... View more

Hello Steven, My apologize, i am not familiar with ISR. I thought it would be similar to ASA. My boundary is limited to PAN and Juniper SRX . Thanks ... View more

Hello Parvez, Yes, it will work. Thanks ... View more

Hello Markk96, User-ID agent and Domain Controller communicates each other very frequently,  it would try to communicate every 1 second to the AD server to read logs. These two are having most chatty behavior. AD and a User - ID agent will send queries, sync their information, read security logs every few seconds, hence it is recommended to have the AD-server and Agent inside the same LAN. There will be not much traffic between PA-agent and PAN firewall. On a certain interval the PAN firewall will retrieve the most recent mapping from the UID agent. Thanks ... View more

Hello Dave, In Active/Active mode, Both devices in the cluster are active processing and passing traffic:    > Devices back each other, taking over primary ownership if either one fails    > Both devices load share the traffic    > w/o external load balancers, traffic is “shared” between devices based on routes on up/downstream devices, or  manipulating default gateways BUT REMEMBER > No increase in session capacity > Not designed to increase throughput I would recomend you to contact with your Palo Alto SE to get a proper documentation for the same. Thanks ... View more