About Remo

Ok, now it is getting kind of strange. Mainly because it does not matter if the F5 is configured for offloading or passthrough... So, this is at least how I would continue here: Check the details of a tls handshake from your F5 and also from a connection directly to a server Compare these TLS handshakes Do a packet capture on the firewall towards your F5 and the server which is not locatdd behind the firewall Compare the TLS handshakes If there is still no obvious reason in the handshakes you need to dig deeper: start a packet capture with also logging enabled and enable the features proxy basic and flow basic. During connection tests for connecrions towards your F5 check the global counters multiple times. Maybe there is already something. If not then aggregate the captured logs and analyze them, at latest there hopefully is the reason why the connection towards your F5 isn't working. (Probably this could be analyzed on the F5 also, but there I have no idea how it works as I never used such a loadbalancer/WAF) ... View more

Hi @raji_toor  Now you need to start troubleshooting the connection. As you are using the same certificate already for globalprotect, this is not the reason for this issue. First check what ciphersuites and tls versions does the server offer for a tls connection. With a website like Qualys ssllabs - as you already know - you can check what the server does offer (for this test of course you need to disble decryption). Is the server behind the firewall a windows server? If yes, which version and do you have extended master secret enabled (is enabled by default)? ... View more

The pne log entry where facebook-chat is allowed looks special as you configured it to action deny. Unfortunately it looks like the app facebook-posting needs an update/improvement to cover evrything. I would recommend to open a support case. Until there will be an improvement, you could also create a custom signature to block these postings. ... View more

hi @simsim  I don't see an issue here. I sounds like everything works as it is configured. To "solve" the issue you need to configure the fortinet also to 20 mbps. ... View more

Hi @ZhenGuo  When you want to use xauth for iPhones, you cannot use SAML authentication. I think you are restricted to local, ldap and radius or certificates. Theoretically it could work with the same gateway as you could configure different authentications for different clients/OSes. But I am not sure if this really works on the same gateway. A dokument from the paloalto knowledgebase is old, but it still shows the requred steps for an xauth connection from iOS devices. I was not able to find it in the knowledgebase but on google search for: "GlobalProtect Configuration for IPsec Client on Apple iOS Devices" ... View more

How does your security policy to block this look like? Did you take the application dependencies into account when you created the block policy? ... View more

Hi @RichardChou  Do have configured SSL decryption, right? And what PAN-OS version do you have installed? ... View more

hi @aaltamirano  The installation of the certificate is required to avoid certificate warnings in the browsers. For visitors I know this could be complicated. But when you do require to decrypt also this traffic there is no way without this step. You could configure captive portal where you would write some information for the visitors about how to do this. Also with pfsense, cryptographically there is no way to implement TLS decryption "transparently" without this step (except when you have the power of CIA, NSA or some other intelligence agency - but also if they do this with an official CA certificate I would assume they will get caught pretty fast). For basic URL filtering you do not have to install the certificate on the clients as the firewall sees the domainname in cleartext in the TLS handshake when a client connects to a https website. ... View more

Hi @sokonta  Did you already read this knowledgebasearticle about clearing disk space on the root partition: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClaJCAS   About the /opt/panlogs you do not have to worry about. These are the actual logs (traffic, threat, url, ...) that the firewall writes to the disk. These logs will be automatically overwritten (actually this is also done on the root partition). By default the value there will not go above 95% but it depends how you allocated the diskspace for the different type of logs. Some more information about this paftition you can find here: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClgZCAS ... View more

Hi @raji_toor  For SSL inbound decryption the servercertificates including your wildcardcertificate is supported. Only for SSL forward proxy you have to use a self signed certificate. ... View more

Hi @raji_toor  What do you mean with not supported with digicert? What type (algorythms) of certificate do you have? ... View more

so first I would make sure if this connection really is possible and not blocked anwhere and second you may want to open a support case as PAN-OS 10 is still very new and this might also be a so far not known bug which needs to be fixed in a future release. ... View more

Actually this looks like this known issue: Did you try to restart panorama?   Source: https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-release-notes/pan-os-10-0-release-information/known-issues/known-issues-related-to-pan-os-10-0-releases.html ... View more