About Remo

Remo · ‎06-02-2017

What PAN-OS version do you use? Because I have done exactly this: same RADIUS server profile in different authentication profiles so on the RADIUS server we are able to identify to which user directory the request has to be forwarded. I have configured this on panorama running 8.0.2.

Remo · ‎06-02-2017

Search in your system logs: (description contains 'CRL') Try to connect with a computer which has a revoked certificate https://live.paloaltonetworks.com/t5/Management-Articles/View-Delete-CRL-and-OCSP-cache/ta-p/59286 less mp-log sslmgr.log

Remo · ‎06-01-2017

I would recommend using different credentials for your admin login. In this case it would be easy to distinguish between a normal and an admin user. The other possibility you have is using different authentication profiles with the same radius server profiles attached to it. Paloalto devices send the authentication profile name as an attribute in the radius request, which you could use in different radius authentication rules to itentify which login comes from GP and which one from an admin login.

Remo · ‎06-01-2017

@BPry In my case (also pair of 3020) I think it was when I tried to skip 6.0 or 6.1 ... not sure what it really was ... And normally I have preemtion disabled ... I only remember that the firewall booted up and both suddenly saw both clustermembers as non-functional ... Anyway but I probably don't try this again 😛

Remo · ‎06-01-2017

What is "a high number" meaning? On which hardware do you have these problems? And because of the link you provided is it correct that you run 7.1.x? Do you have an example of a decrypt-error-website and may be also analyzed this server for example on ssllabs.com or htbridge.com or manually with openssl/sslyze? But if you say a high number I assume at least some websites work, right? So it isn't a general decryption issue on your firewall.

Remo · ‎06-01-2017

Things to remember: Always follow the documentation when upgrading ... 😛 Never try things like upgrading one firewall two minor/major releases while the second one remains on the old release (for example upgrade one to 7.1 while the other one still runs 6.1). Even if you don't care about lost sessions or other synchronized data. When the updated fw booted up completely ond both fw's see each other, BOTH firewalls will enter non-funcional state ...

Remo · ‎06-01-2017

If you also clear the templates and device groups which the firewall was belonging to and also the locally stored (and maybe externally stored) configuration backups then the configuration is gone

Remo · ‎06-01-2017

I don't know 100% if this information is still valid but in the past I think only http url's were supported. I also searched in the documentation and so far I was not able to find something about an ldap url. If the url is included in your certificate then it will be enough if you simply click the checkboses for "Use OCSP" and "Use CRL". OCSP is always the preferred one. In the url's you only need the url for your intermediate CA, because this is the one which signs your client/user certificates. Ok, the inermediate can be revoked too but if you ever run into a problem with this one revoked then you need to manually change the cert on the firewall anyway. But if you simply import the root cert to your fw cert store, the fw will also get revocation information for that cert and likely mark your inermediate as invalid if it is revoked, but I did never test this.

Remo · ‎05-31-2017

Why do you think that there are dedicated images for every hardware platform? So - no, PAN-OS7.1.x is not supported on PA-5220 firewall which is also documented here: https://www.paloaltonetworks.com/documentation/platforms/pa-5200-series/pa-5200-series-hw-ref/pa-5200-series-firewall-overview

Remo · ‎05-31-2017

@TranceforLife You made my day 😄

Remo · ‎05-30-2017

Create a decryption profile with the following settings: After that you simply attach this profile to your decryption rule and your done. The firewall will only allow ciphers which it is able to decrypt and everything else will be dropped. (these are screenshots from PAN-OS 8. in PAN-OS 7.1 you HAVE TO SELECT RSA as Key Exchange Algorithm because DHE and ECDHE are not supported for inbound inspection)

Remo · ‎05-30-2017

Did you add your self signed root cert to the client configuration in global protect portal? https://www.paloaltonetworks.com/documentation/80/globalprotect/globalprotect-admin-guide/globalprotect-portals/define-the-globalprotect-agent-configurations#_43122

Remo · ‎05-30-2017

You could use a decryption profile which you have to attach to your decryption rule: https://www.paloaltonetworks.com/documentation/71/pan-os/web-interface-help/objects/objects-decryption-profile But in 7.1.x your very limited with the use of strong ciphers. Beginning with PAN-OS 8 PaloAlto also supports PFS for TLS Inbound inspection: https://www.paloaltonetworks.com/documentation/80/pan-os/newfeaturesguide/decryption-features/perfect-forward-secrecy-pfs-for-inbound-ssl-sessions#_92861

Remo · ‎05-29-2017

I also had a very similar issue where we had dropped packets when a rekey occured. Maybe you should give 7.1.9 (thats the version where the problem was gone in my case) or 7.1.10 a chance ...

Remo · ‎05-29-2017

Hi @ansharma Bad luck 😛 At least we now know, that we don't have to further troubleshoot the issue. So I assume 8.0.3 will be released in about 2 weeks, right? (Assuming the normal releases all 6 weeks) Do you have more technical details regarding this bug? Because so far I don't fully understand how this could be fixed from PAN, because so far it only looked like the ASA is using these host-IP's for phase 2. So if cisco is nothing doing wrong and uses 0.0.0.0/0 as local network, how can palo use the host-ip for the ipsec-sa, which it does not know at that point of the tunnel setup process? And it also looks like this problem is specifically showing up in IKEv2 tunnels to cisco ASA and no other vendors, what again makes no sense to me 😛 Anyway, thank you Anurag for the information. Regards, Remo

Member Since	‎03-20-2013 04:23 AM
Date Last Visited	‎05-27-2025 04:37 PM
Posts	2,247
Total Likes Received	804

Online Status	Offline
Date Last Visited	‎05-27-2025 04:37 PM

About Remo

Re: Certificate Expired Warning in Deploy but all certificates are good

Re: How to request a URL filtering change to High-Risk?

Re: Template vs Device Group

Re: sorting question

Re: Panorama Disk

Re: Cortex XDR on Citrix non-persistent multi-user server

Re: Bad support from plaoalto

Re: Activate Firewall with Expired License / Unknown Auth Code

Re: Wait time

Re: Cortex XDR on Citrix non-persistent multi-user server

Re: Active-Passive pair takes long to show the status when one is rebooted.

Re: sorting question

Re: Deal Registration End Customer Details not Include

Re: Enable Qos on sub-interface

Firewallcrash because of Application cloud Engine (ACE)

Re: Admin console unreachable/cant remote in or ping - PA support wont let you submit a ticket without a TSF file - which you get via admin console

Re: How to request a URL filtering change to High-Risk?

Re: Log Container Page Only - impact?

Re: Stop wsc files

Re: Customer Support Portal error

Nominated Discussion - Sorting Question

Nominated Discussion: URL Filtering in TLS v1.3

How to Add Log Forwarding Profiles in All Security Policies

Re: Differentiate GP portal login(not client login) vs MGMT login

Re: GlobalProtect OCSP URL location with Offline Root CA and Enterprise Subordinate CA

Re: Differentiate GP portal login(not client login) vs MGMT login

Re: Upgrade secondary PA

Re: session_end_reason eq decrypt-error

Re: Upgrade secondary PA

Re: Unregistration a firewall from panorama lost all config.

Re: GlobalProtect OCSP URL location with Offline Root CA and Enterprise Subordinate CA

Re: Unable to downgrade PA 5220 to 7.1.x series

Re: PA-200 | Auto Shutdown via UPS - USB

Re: Forcing TLS/SSL decryption to cipher suite PAN can decrypt?

Re: TLS/SSL profile for PORTAL + GATEWAY (GlobalProtect); must have valid cert for GATEWAY ?

Re: Forcing TLS/SSL decryption to cipher suite PAN can decrypt?

Re: Site 2 Site VPN

Re: IKEv2 Site to Site VPN to Cisco ASA5540

Seattle Beta - GlobalProtect (ELK)

Unlock your full community experience!

About Remo