About Remo

Remo · ‎07-03-2021

@ebryan So currently probably the firewall or at least the default-vr has internet access but not your management interface as this one is conected to your computer. The route table of the management plane is completely separated from other dataplane configurations (all the actual firewallinterfaces). In a default configuration the firewall tries to reach everything from the management interface which means the firewalls tries to download updates for example over your computer. I see now two possiblities You connect the firewalls managementinterface to eth1/2. This should enable internet access for the firewall but in your current configuration you then don't have a connection to the firewall. You configure serviceroutes on the firewall. Under Device > Setup > Services > Service Features > Service Route Configuration you can specify another interface than the managementport as source for specific services like dns, paloalto updates. When you change this the firewall should be able to reach the dns servers and download the updates In your situation I propose to use possibility 2 and change the sourceinterface for the services that require internet access. If you do this, then a firewallpolicy is required to allow that traffic but as you already have an any-any-allow rule this shouldn't be a problem.

Remo · ‎07-03-2021

Hi @Andy123B So you scan the smtp traffic by the firewall and on this traffic you also configured a wildfire profile right? If yes, then unfortunately there isn't really a (simple) solution otherwise than disabling the wildfire protection on that traffic at all. The not so simple solution is to create a custom app that matches for emails containing such an URL. This way you would be able to create a dedicated policy for this traffic where you do not configure a wildfire profile. (One of our customers had a similar problem when they did a phishing test. All employees received a phishing email to test if they know the danger of if they simply click the URL in the email. Unfortunately wildifre opened all the URLs so the first test result was totally useless)

Remo · ‎07-03-2021

All right, then lets begin with troubleshooting. Easiest way is to check the last changes since the last working commit. Is there maybe a change that looks "special"? For example a space character in the port attribute of a service object. Next you continue with checking the devsrv.log file directly after a failed commit.

Remo · ‎07-03-2021

Hi @yalonso Thank you for your reply. I tried this command shortly but unfortunately this gives way too much results. Mainly because it simply shows all results from both queries in one resulttable. My goal still somehow is to search for driverinstallations by spoolsv.exe that are triggered from a remote host.

Remo · ‎07-01-2021

Hi @kcross Thanks for sharing that link. This definately helps already. Even if there are already some queries shared by Paloalto, I am still interested if my initial query is possible with this combination.

Remo · ‎07-01-2021

Hi Community I need some help in creating an XQL query for a BIOC which detects exploitation attempts for CVE-2021-1675 (printnightmare). So far I have the following two queries: 1. A query that detects incoming connections on port 445 dataset = xdr_data | filter event_type = NETWORK and event_sub_type = NETWORK_STREAM_ACCEPT and (action_local_port = 139 or action_local_port = 445) | fields event_type, agent_hostname as Hostname, action_local_ip as Local_IP, action_remote_ip as Remote_IP, action_external_hostname as Remote_Host, action_local_port as Local_Port, actor_process_image_name as Process_Getting_Connection 2. a query to view driverinstallations done by the print spooler service dataset = xdr_data | filter causality_actor_process_image_path = "C:\Windows\System32\spoolsv.exe" and actor_process_image_path = "C:\Windows\System32\drvinst.exe" | fields agent_hostname as host_name, causality_actor_process_image_name as CGO_Name, causality_actor_process_image_path as CGO_Path, causality_actor_process_command_line as CGO_CMD, causality_actor_primary_username as Username, actor_process_image_path as child_path, actor_process_command_line as child_cmd, actor_process_os_pid as child_pid, actor_process_image_sha256 as child_sha256, actor_process_execution_time as start_date, event_id Now I'd like to combine them somehow in order so get an alert for incoming connections over SMB which result in a driverinstallation done by the print spooler service. Has anyone done something similar or is able to help me with this XQL query? Thanks in advance, Remo

Remo · ‎06-30-2021

Hi @istrydom This applies to the old VM licensing. With the new software NGFW credits it is possible to increase the max. zones, max concurrent session, and some more specs simply by adding more RAM. All this is documented in the link in my first post (this one: https://docs.paloaltonetworks.com/vm-series/10-0/vm-series-deployment/license-the-vm-series-firewall/software-ngfw.html ) There the following sentence is written: "The following table shows the firewall capacity for each memory profile. Unlike VM-series models, Software NGFW Credits from PAN-OS 10.0.4 onwards allow you to choose the memory profile that best fits your environment without consuming any additional credits." So my question still is how do other specs change when you add more RAM?

Remo · ‎06-29-2021

I think you should consider an update to 9.1.10. Maybe the situation gets also better for you and maybe the issue is already completely resolved in this version

Remo · ‎06-29-2021

As long as you immediately reboot the firewall after the OOM systemlog, then yes you will be able to reduce the downtime to almost 0. Otherwise there will still be a timeframe where users are not able to connect. Setting up a HA pair on the firewallside is quite easy to do. The walkthrough with a step by step manual you can find here: https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/high-availability/set-up-activepassive-ha/configure-activepassive-ha.html Depending on thw network setup you need to change some things there too. What PAN-OS version do you currently run on this firewall?

Remo · ‎06-29-2021

I had the issue in a HA pair (active-passive). Actually we have more than 10 other firewall HA pairs where we use global protect, but so far (luckily) the issue only happened on one of them ...

Remo · ‎06-29-2021

I also have seen this issue. Clients were not able to connect and they were presented with a message that a valid certificste is required. I also saw the out of memory logs. After that I installed PAN-OS 9.1.10 which has quite a few fixes for something that could result in this problem. So far the error did not happen again.

Remo · ‎06-29-2021

Did you try to add a newly created antispyware profile to that rule where you do not configure the dns security options at all?

Remo · ‎06-29-2021

So far I did not use it (in production) to restrict anything else than webtraffic (only in lab environments, but I can confirm it works generally and I also have logs in the url log from smtps, imaps and ftps connections.

Remo · ‎06-29-2021

@aleksandar.astardzhiev as long as the firewall sees an "url" which is also the case in pop3s/imaps (specially if SNI is used in the TLS handshake and if not the firewall sees the CN from the certificate which is also logged in url logs. So for TLS connections - almost no matter which protocol is used - url filtering can be used to restrict the access.

Remo · ‎06-29-2021

Maybe it is worth a try to delete the dns security license as it is expired anyway. Did you check the system logs to see if there are some logs which could lead to the reason of this issue?

Member Since	‎03-20-2013 04:23 AM
Date Last Visited	‎11-26-2025 01:29 PM
Posts	2,247
Total Likes Received	806

Online Status	Offline
Date Last Visited	‎11-26-2025 01:29 PM

About Remo

Re: Certificate Expired Warning in Deploy but all certificates are good

Re: How to request a URL filtering change to High-Risk?

Re: Template vs Device Group

Re: sorting question

Re: Panorama Disk

Re: Cortex XDR on Citrix non-persistent multi-user server

Re: Bad support from plaoalto

Re: Activate Firewall with Expired License / Unknown Auth Code

Re: Wait time

Re: Cortex XDR on Citrix non-persistent multi-user server

Re: Active-Passive pair takes long to show the status when one is rebooted.

Re: sorting question

Re: Deal Registration End Customer Details not Include

Re: Enable Qos on sub-interface

Firewallcrash because of Application cloud Engine (ACE)

Re: Admin console unreachable/cant remote in or ping - PA support wont let you submit a ticket without a TSF file - which you get via admin console

Re: How to request a URL filtering change to High-Risk?

Re: Log Container Page Only - impact?

Re: Stop wsc files

Re: Customer Support Portal error

Nominated Discussion - Sorting Question

Nominated Discussion: URL Filtering in TLS v1.3

How to Add Log Forwarding Profiles in All Security Policies

Re: NGFW routing internet traffic help

Re: Prevent WildFire scanning certain URLs

Re: Problem with panorama

Re: XQL Query for CVE-2021-1675 exploitation attempts (printnightmare)

Re: XQL Query for CVE-2021-1675 exploitation attempts (printnightmare)

XQL Query for CVE-2021-1675 exploitation attempts (printnightmare)

Re: FlexVM Licensing with Software NGFW Credits

Re: VPN client certificates rejected until firewall reboot

Re: VPN client certificates rejected until firewall reboot

Re: VPN client certificates rejected until firewall reboot

Re: VPN client certificates rejected until firewall reboot

Re: dns issue

Re: application any not actually "any"

Re: application any not actually "any"

Re: dns issue

Seattle Beta - GlobalProtect (ELK)

Unlock your full community experience!

About Remo