About cchristiansen

To answer your question about how long; the answer is immediate.  Are you saving the change to the device group your firewall is in, to a template (in the case of 5.x), or just to Panorama?  Give us some steps you are following (and/or screenshots), and we can better determine where the problem is. -chadd. ... View more

Your best bet is to open a case with support.  They will require a techsupport file to examine.  If there are core files, that should give an indication as to what the problem is.  You can check for cores with: > show system files I would suspect that the HA events do correlate to the problems you are seeing. -chadd. ... View more

Also, if you want to search all the logs from the command line you have this option: admin@PA-200> show log data + action                      action + app                         app + category                    category + csv-output                  csv-output + direction                   direction + dport                       dport + dst                         dst + dstuser                     dstuser + end-time                    end-time + from                        from + query                       query + receive_time                receive_time + rule                        rule + sport                       sport + src                         src + srcuser                     srcuser + start-time                  start-time + suppress-threatid-mapping   suppress-threatid-mapping + to                          to   |                           Pipe through a command   <Enter>                     Finish input admin@PA-200> show log data ... View more

Are you refering to the GUI or command line?  In the GUI, you can click the "?" at the end of the search line and it will give you information about viewing logs.  Also in the GUI, you can click any of the clickable enties within a column and it will put that filter up in the search field for you.  It will always add the next filter as an "and", but if you want, you can change that "and" to "or" if that fits your intended query better.  As for the CLI, you can download the cli guide from the support.paloaltonetworks website for the version of PAN-OS you are running.  You can also just use the "?" on the CLI as well.  For example: admin@PA-200> show session all filter ? + application         Application name + count               count number of sessions only + destination         destination IP address + destination-port    Destination port + destination-user    Destination user + egress-interface    egress interface + from                From zone + hw-interface        hardware interface + ingress-interface   ingress interface + min-kb              minimum KB of byte count + nat                 If session is NAT + nat-rule            NAT rule name + pbf-rule            Policy-Based-Forwarding rule name + protocol            IP protocol value + qos-class           QoS class + qos-node-id         QoS node-id value + qos-rule            QoS rule name + rematch             rematch sessions + rule                Security rule name + source              source IP address + source-port         Source port + source-user         Source user + ssl-decrypt         session is decrypted + start-at            Show next 1K sessions + state               flow state + to                  To zone + type                flow type   |                   Pipe through a command   <Enter>             Finish input admin@PA-200> show session all filter Hope this helps answer your question.  If not, please be more specific and I will try and get you the information you need. -chadd. ... View more

Have you thought about using custom application signatures and then using those in your security policies, in conjunction with UserID?  Here is a document on Custom Apps: Creating Custom Application Signatures There are lots of other documents in the knowledgebase that can help you as well. Good luck! -chadd. ... View more

Please check to make sure that the address (FQDN or IP) configured in the GP client i.e vpn.mydomain.com or 1.2.3.4 is the same thing you have as the CN in your portal/gateway certificate, and the gateway setting in your portal configuration.  The others were correct to point out that you should look in the PANGPS logs.  If you are getting CN errors in that log, then you will know that what I have described is likely the issue.  I have seen this several times.  It is a common mistake because the portal->gateway configuration says "gateway address" so people type in the IP when their certificate CN is an FQDN and the gateway they are connecting to is an FQDN.  Anyway, hope this helps. -chadd. ... View more

You may also want to check the path of the FTP transfer that is not working, to make sure that the return path does not need a route between VRs.  If it does, you may need to add a route which says "Next VR", so the return traffic gets back.  Just a thought.  I like the suggestion from mbutt as well, that should point you in the right direction. -chadd. ... View more

You can use the RESTAPI.  Here is one method: The username and password for this firewall is 'admin'. First, get an API key: curl --insecure https://10.30.1.131/api/?type=keygen\&user='admin'\&password='admin' Which returns: <response status = 'success'><result><key>LUFRPT14MW5xOEo1R09KVlBZNnpnemh0VHRBOWl6TGM9bXcwM3JHUGVhRlNiY0dCR0srNERUQT09</key></result></response> Second, take the key and use it in the following query: curl --insecure https://10.30.1.131/api/?type=op\&key=LUFRPT14MW5xOEo1R09KVlBZNnpnemh0VHRBOWl6TGM9bXcwM3JHUGVhRlNiY0dCR0srNERUQT09\&cmd='<show><admins></admins></show>' | sed 's/<entry>/\'$'\n/g' | wc This will give you the number of admins currently logged in.  The sed command is just looking for the "<entry>" tag and replacing it with a new line so we can then pipe the output to 'wc' (counts lines). Currently there is no way to just get a count from the GUI or command line.  You can use the API from a web browser too, I just chose the use curl in this example so I could manipulate the output for a simple count. Hope this helps! -chadd. ... View more

Hello soporteseguridad, I have had quite a few questions on this topic recently and have tried lots of things.  Unfortunately none have been very helpful.  The problem with most spam is that it is valid email (not malware), just lots of it, and unsolicited.  Here are a few options that may or may not help. 1.) The answer given by HITSSEC was one that it thought would be a great idea, though I tried it, and had very weak results.  The problem was, that even when metering SMTP traffic down to something like 2pps, I was still able to pass out 80+ emails out of 100 in a couple of seconds..Not very helpful.  In addition, if your spamming from an SMTP(postfix) type server, the server will just keep trying to deliver the messages.  It will eventually succeed after your DoS rule timeout happens.  I tested this with a postfix server running on my Mac (and a handy spam script), behind my PA-200 with a DoS policy.  It didn't matter how much I decreased the allowed pps, the policy did not prevent spamming - just slowed it down some. 2.) Dynamic block lists.  This is an option available in 5.x and could be useful if you are trying to block email being sent to known relay servers, or from known IPs.  If you were so inclined, I imagine you could pull a list with a script (curl or wget) from a site that tracks spammers and make that file available on a webserver that your firewall has access to.  Then, add that path to your security rule as a dynamic block list.  This will of course not be helpful if the spam is being sent from dynamic (changing) IPs. See KB here: 3.) Dynamic address objects. Also in 5.x, you can have a dynamic address object in your security rule which can be updated via a script using the XML API on the firewall.  This could be an option if you had a method (external to the firewall) to detect and identify spammer IPs.  I have seen people use this feature to great success in conjunction with Splunk and the PaloAlto app for splunk (which contains a python script for updating dynamic address objects).  See KB here for info on dynamic address objects: Dynamic Address Objects Hope this helps, -chadd. ... View more

It is true that you are not able to simply initiate a packet capture with a security rule as the filter criteria.  However, you can do the following: admin@PA-200> show session all filter rule dns-test -------------------------------------------------------------------------------- ID      Application    State   Type Flag  Src[Sport]/Zone/Proto (translated IP[Port]) Vsys                                      Dst[Dport]/Zone (translated IP[Port]) -------------------------------------------------------------------------------- 13580   dns            ACTIVE  FLOW  NS   192.168.100.50[52160]/trust/17  (10.19.0.107[39841]) vsys1                                     10.0.0.246[53]/untrust  (10.0.0.246[53]) 12502   dns            ACTIVE  FLOW  NS   192.168.100.50[49422]/trust/17  (10.19.0.107[62992]) vsys1                                     10.0.0.246[53]/untrust  (10.0.0.246[53]) 13571   dns            ACTIVE  FLOW  NS   192.168.100.50[52502]/trust/17  (10.19.0.107[15692]) vsys1                                     10.0.0.246[53]/untrust  (10.0.0.246[53]) 13590   dns            ACTIVE  FLOW  NS   192.168.100.50[62261]/trust/17  (10.19.0.107[32684]) vsys1                                     10.0.0.246[53]/untrust  (10.0.0.246[53]) admin@PA-200> show session id 13580 Session           13580         c2s flow:                 source:      192.168.100.50 [trust]                 dst:         10.0.0.246                 proto:       17                 sport:       52160           dport:      53                 state:       INIT            type:       FLOW                 src user:    unknown                 dst user:    unknown         s2c flow:                 source:      10.0.0.246 [untrust]                 dst:         10.19.0.107                 proto:       17                 sport:       53              dport:      39841                 state:       INIT            type:       FLOW                 src user:    unknown                 dst user:    unknown         start time                    : Thu Jun 20 03:48:34 2013         timeout                       : 30 sec         total byte count(c2s)         : 95         total byte count(s2c)         : 152         layer7 packet count(c2s)      : 1         layer7 packet count(s2c)      : 1         vsys                          : vsys1         application                   : dns          rule                          : dns-test         session to be logged at end   : True         session in session ager       : False         session synced from HA peer   : False         address/port translation      : source + destination         nat-rule                      : NATOUT(vsys1)         layer7 processing             : enabled         URL filtering enabled         : True         URL category                  : any         session via syn-cookies       : False         session terminated on host    : False         session traverses tunnel      : False         captive portal session        : False         ingress interface             : ethernet1/2         egress interface              : ethernet1/1         session QoS rule              : N/A (class 4) admin@PA-200> "show session all filter rule" will give you the sessions that are currently matching your rule.  You can get the session data by doing "show session id <ID>". Capturing the actual data will require a packet capture, either on the firewall or another machine. -chadd. ... View more

Hello Joergk, I believe that Klaus may be correct.  This sounds very similar to a known issue.  You should open a case with support so that they can investigate. -chadd. ... View more

To answer your second question, the "Exempt Profiles" is where you can add an exception directly from that dialog.  Click on it and configure that profile with exemptions.  Hope this helps, -chadd. ... View more