About Raido_Rattameister

You have same IP/subnet configured in 2 places:   Details:In router default: address 192.168.1.1/24 on interface vlan has overlapping subnet with address 192.168.1.1/24 on interface vlan.10.(Module: routed) ... View more

Do you have decryption profile attached to the inbound ssl decryption policy? What algorithms you permit in decyption profile (Objects > Decryption > Decryption Profile / SSL Decryption > SSL Protocol Settings tab).   Add "Session ID" column into your traffic log view. Copy session that has issues from traffic log (it looks like "( sessionid eq '3473517' )") and paste it into decryption log. Do you see any errors or unsupported ssl protocols for the failed session?   ... View more

Take destination IP of failed session. Check URL logs to understand what site is being accessed. It is either strict decryption profile (allows only crypto parameters that client/server are not capable of), pinned certificate or missing CA in client.   If decryption logs say "Received fatal alert UnknownCA from client. CA Issuer URL:..." then either your clients don't trust Palo CA certificate or application inside client has pinned cert.   In case of pinned cert you either pass this traffic through firewall without decryption or block it. No third option. ... View more

If behavior of your site changes then Palo can re-classify the category. ... View more

Set up DNS Proxy on Palo. Add Palo DNS Proxy IP into Domain Controller Forwarder field in DNS setting (or DNAT outgoing port 53 traffic to DNS Proxy IP in Palo). This forces both domains to use Palo to resolve IPs and Palo will cache correct IP. ... View more

Try to initiate traffic from Arista side towards Palo. Then go into Palo System log (Monitor > Logs > System) and look for any errors. ... View more

Yes only firewall has droppdown. Panorama don't have it. You can just click on "Clone" button on LDAP profile pushed from Panorama and test droppdown. After test just delete cloned profile from firewall and adjust profile in Panorama as needed. ... View more

In firewall add new LDAP profile. Enter server into "Server List" Add Bind DN and password.   If "Base DN" droppdown populates then connection to LDAP server is successful. ... View more

You can download Linux agent from support portal. Last time I checked 6.0.7 and 6.2.1 were preferred versions. ... View more

Palo will not try to keep tunnels up if there is no interesting traffic. So if no lan to lan traffic and IPSec timeout expires then this tunnel is not re-established until lan to lan traffic returns. ... View more

Just apply URL filtering profile to your outgoing rule where categories you want to permit are set to "alert" and those you don't want to permit are set to "block". Then you see blocked URL categories matching your general outgoing rule. ... View more

As Palo is dropping packets matching drop/deny rule it can't perform deep packet inspection for this traffic so you can as well not apply security profiles to this policy - they won't be used anyway. ... View more

"Thanks, I will try that, but will it resolve the issue or just give me the correct logs ?" In initial post you mentioned that rule that permits traffic has URL category in it. Thing is that Palo can't identify URL category based on first packet. Assuming that traffic is pure HTTP then Palo can identify application based on 5th packet (in case of HTTPS URL is retrieved from SNI on the cert). SYN (client to server) SYN ACK (server to client) ACK (client to server) HTTP GET (client to server) WEBSITE DATA BACK TO THE CLIENT <<< this is where Palo identifies traffic as web-browsing. (server to client)   So initial 4 packets need to be permitted through by some rule and in your case you see it in logs because you have log at session start checked.   If you don't want initial TCP 3way handshake to match some random rule you can add before any outgoing rule this nonsense rule that in reality would never permit pings (because ping is ICMP protocol) but it would log all TCP 3way handshakes under single rule name so you can run reports against it etc as needed. Adjust it according to your needs as it is very broad permitting outgoing SYN sent on any port (you might want to limit it to 80 and 443).       "Wont enabling Log at session start cause more load to cpu for the explicit Deny rule." You already have log at session start checked. You need to uncheck it to see logs  correctly. I assume it based on session end reason being "n/a" for those logs.     ... View more

You are logging session beginning and end. First firewall needs to let through TCP 3way handshake. After that it identifies real application and if that application is not in the policy then Palo starts looking for following rules below.   Usually you want to enable logging at session beginning only during troubleshooting sessions.     ... View more