About HULK

Hello Sir, If i understand your requirement correctly, are you looking for an option to bypass Decryption policy. If so, there is a facility to negate source and destination address as mentioned below. Thanks ... View more

VM-Series Deployment Guide VM-Series Deployment Guide 6.0 (English) Thanks ... View more

Hello Sir, You can run CLI command > show system environmentals --- to check the individual component of a PAN firewall. As per my knowledge, you look at the SYSTEM logs under Monitor >> Logs >>System, it will show you all health related information, events on the PAN firewall. There is an option to setup email alerts also : How to Setup Email Alerts Thanks ... View more

Hello Gururaj, It think that you have a custom definition and there appears to be an error in the custom pattern. You need at least 7 characters for a pattern match (8 to be on the safe side). Do you have a custom definition? If so, please check that and ensure that you have at least 7 characters for the match. Thanks ... View more

Hello Minow, Could you please confirm whether outgoing SYN packet and incoming SYN-ACK packet is being received by the same physical interface and zone.It's looking like a assymetric routing situation. For testing perpose you can enable "assmetric-path-bypass= YES" "TCP non-syn reject=NO". Thanks ... View more

Hello Sir, As per my knowledge, If you are using a RADIUS server and not the User-ID Agent, the list of users is not displayed, and you must enter user information manually. Thanks ... View more

Hello Panos, The purgescript.sh file was missing in the root under  /usr/bin directory and the management-client was showing an error for GP license .  Hence, retrieve the license file once again from paloalto-updates server and that resolved the issue. Thanks ... View more

Hello Simon, I don't think it will be possible, as PBF is just a RULE, nowhere reflect on the routing table. If that information is not available on the routing table, then how you will re-distribute..? We can wait for more answers here. Thanks ... View more

Hello Sir, Here is an example of IPSec VPN between PAN and CISCO, where Palo Alto FW is having a static IP address and other side is having a dynamic IP address. VPN Tunnel Down Between Palo Alto Networks Firewall Static IP Address and Cisco VTI on Dynamic IP Address You have to configure the IPSec tunnel in aggressive mode, and the dynamic-side (checkpoint) should be the initiator always. ( PAN should be enable for passive mode-responder). In aggressive mode, the peer will be identified by its hostname/email-address/common IP address etc. Example: Thanks ... View more

Hello COS, From the above mentioned logs, it's looking like IPSec phase-1 started as an initiator, but the second packet didn't receive by the PAN firewall. Out of total 6 messages for PHASE-1 ( main mode), the 2nd message should be received from the responder with" responder cookies". The PAN firewall will wait for a particular time for that  " message-2 with responder cookie", if not, then it will delete the Security-Association keys (SA). Hence there could be multiple reason behind this failure: 1. Could you please verify if both firewalls are having an untrust-to-untrust security policy to allow IKE. 2. Verify if the same packet has been received by the Juniper-FW also and tried sending Message-2. 3. Run below mentioned CLI command: >show vpn ipsec-sa tunnel <tunnel name> > show vpn ike-sa gateway > clear vpn ike-sa gateway XXXXX Delete IKEv1 IKE SA: Total 1 gateways found. > clear vpn ipsec-sa tunnel XXXXXX Delete IKEv1 IPSec SA: Total 1 tunnels found. > test vpn ike-sa gateway XXXXXX Initiate IKE SA: Total 1 gateways found. 1 ike sa found. > test vpn ipsec-sa tunnel XXXXXX Initiate IPSec SA: Total 1 tunnels found. 1 ipsec sa found. > show vpn flow >show vpn flow tunnel-id x  << where x=id number from above display Reference doc: IPSec Error: IKE Phase-1 Negotiation is Failed as Initiator, Main Mode. Due to Negotiation Timeout CLI Commands to Status, Clear, Restore, and Monitor an IPSEC VPN Tunnel Please let us know the result. Thanks ... View more

Yes Sir, the above mentioned CLI command has to be run from configuration mode. Thanks ... View more

Hello Sir, In order to install PAN OS 5.0.x, you need to update your "Application and Threat" database version to 320-XXX or greater. This is a prerequisite for PAN OS 5.0.x version. Please follow below mentioned steps to update Content version on PAN firewall. Go to Device >> Dynamic Updates: Click "check Now" on the left bottom corner of the GUI. Then Download and install the required content database. FYI: document for PAN OS upgrade How to Upgrade PAN-OS on a Palo Alto Networks Device Thanks ... View more

Hello, Default time out value for a TCP session through PAN firewall will be 3600 Seconds (1 hour). If you think the session is getting timed out after 30 minutes, please verify the same from CLI. > show session all filter source x.x.x.x destination y.y.y.y application ms-rdp   >>>>>> Identify the session ID from here. > show session id xyz  >>>>> verify the output start time                    : Thu Mar  6 15:27:55 2014         timeout                       : 3600 sec  >>>>>>>>>>> default time out value         time to live                  : 3548 sec >>>>>>> TTL since last packet received.         total byte count(c2s)         : 2194         total byte count(s2c)         : 0         layer7 packet count(c2s)      : 4         layer7 packet count(s2c)      : 0 Apply the above mentioned command multiple times and see if the TTL value is decreasing correctly, if there are no consecutive packet received/transmitted for the same session. As per the logic, once the TTL value become 0, then the session will be closed. Thanks ... View more

Hello, Could you please verify the SYSTEM logs (Monitor >> System logs) for the same. Also, verify the DNS for the Secondary firewall as the same as the Primary on the Device>Service. Thanks ... View more