This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
Buy or Renew
Buy or Renew

About Remo

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Remo
‎11-26-2025
since ‎03-20-2013
L7 Applicator
User Activity
User Profile
Latest posts by Remo
View All
User Badges
Community Statistics
Member Since ‎03-20-2013 04:23 AM
Date Last Visited ‎11-26-2025 01:29 PM
Posts 2,247
Total Likes Received 813

Re: x-forwarded-for header in traffic log on AWS VM

by in General Topics
‎08-09-2020 06:23 AM
‎08-09-2020 06:23 AM
@yhlee1 Are you already using PAN-OS 10? Is my assumption correct that you only see something in the xff header column but not in the source user column in url logs? If yes then this behaviour is expected. If the IP in xff header would match a username in the local user-ip-mapping table, then the username would be shown in traffic log.   The question about PAN-OS 10 is because there a feature was added that would be helpful in your case: https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/policy/identify-users-connected-through-a-proxy-server/use-xff-values-for-ip-based-security-policy-and-logging.html#ida9a1d4bc-33e5-4ff5-9455-fe2800cb8ff0 (PAN-OS 10 was just released and might contain (critical) bugs. It is recommended to wait until a preferred release exist to use PAN-OS 10 in a production environment) ... View more

Re: x-forwarded-for header in traffic log on AWS VM

by in General Topics
‎08-09-2020 04:22 AM
‎08-09-2020 04:22 AM
Hi @yhlee1  Maybe another stupid question, but what type of traffic (protocol) is coming from that loadbalancer to your firewall where you expect the xff header? ... View more

Re: Email Link Analysis - does it look at all emails?

by in General Topics
‎08-09-2020 03:52 AM
‎08-09-2020 03:52 AM
@jdelio My question was more about if the firewall already does a local check for the urls? Or does it - in the case like in this topic - upload 500 times exactly the same URL to wildfire if there are 500 incoming emails with this one URL? ... View more

Re: Authorized pishing scenarios, issues with Pan DB Url filtering

by in General Topics
‎08-09-2020 03:47 AM
1 Kudo
‎08-09-2020 03:47 AM
1 Kudo
Hi @marcelocampos  Are you sure that it is pan-db service which is opening the urls? If yes, then there is another reason that triggers pan-db. It could be wildfire - if you configured wildfire analysis for incoming emails. If your mailgateway is located somewhere in the cloud (like office365) and you do not control it directly, then it could be also a security feature there that analyses the urls in emails. Could you share some more information about your email infrastructure? ... View more

Re: Empty EDL PA220 PANOS 10.0

by in General Topics
‎08-09-2020 03:21 AM
2 Kudos
‎08-09-2020 03:21 AM
2 Kudos
Hi @wjt82918  Ok, got it. The "logic" behind this is that an EDL is only queried if it is used somewhere in your configuration. Unless this isn't the case the EDL will show only 0.0.0.0/32 - but this output definately could be replaced by somethinh like "EDL not in use" or something like that... ... View more

Re: Empty EDL PA220 PANOS 10.0

by in General Topics
‎08-07-2020 11:07 AM
‎08-07-2020 11:07 AM
Hi @wjt82918  Try to remove everything except the actual IPs. An EDL should be a simple texfile (without any html tags) with nothing else that the entries that should be imported by the firewall. ... View more

Re: Email Link Analysis - does it look at all emails?

by in General Topics
‎08-07-2020 11:03 AM
‎08-07-2020 11:03 AM
Actually yes, the firewall is doing the analysis for every email. It does not really care about the url, it simply forwards it to wildfire - in batches of 200 URLs per upload or all 2 minutes - depending on which limit is hit first. About the list of trusted sites I am not sure, as theoretically there is nothing like trusted site. On every website there is the potential risk that it gets hacked and will be used to host malware or exploit kits. But at least I think, there is a timer that a website is not ddos'ed by wildfire and only scanned for example max. once per hour or day. About a local check if the urls are identical, @jdelio could you say something about this? But often the links in such mass-emails aren't identical, every link is different to track which recepient clicks on the url. ... View more

Re: My website is listed on url filtering tool

by in General Topics
‎08-05-2020 12:04 PM
‎08-05-2020 12:04 PM
Hi @jdelio  This is something that could be improved in general. When a domain is removed from dns or other signatures, the websites verdict could be changed too or at least verified. Like with the website here, then the category would already be something else than malware (probably). ... View more

Re: Problem URL-Filter onedrive urls

by in General Topics
‎08-04-2020 04:26 AM
‎08-04-2020 04:26 AM
@RalfBoehm actually you are partly wrong. You are right that normally URL filtering works for http and https traffic, but configuration of tls decryption is required to see the full URL. Without decryption the firewall only sees "onedrive.live.com" and this obviously will not match with the url you wrote in the first post in this topic. ... View more

Re: wildfire logs showing allow action for malicious url

by in General Topics
‎08-01-2020 12:03 PM
‎08-01-2020 12:03 PM
Hi @Deepak_K  In what traffic did you see these logs? If it was in smtp traffic then this is expected behaviour. In smtp paloalto sees and forwards email-links to wildfire, but cannot take actions based on urls. ... View more

Re: Global Protect Client won't reestablishment connection after update

by in General Topics
‎08-01-2020 12:00 PM
‎08-01-2020 12:00 PM
Hi @Marc.Luecke  Does this problem happen with the integrated upgrade mechanism or also when you deinstall GP and install the new version manually? Was the upgrade successfully done? Did you check the PanGPS logs if there is something useful? ... View more

Re: Audit Global protect server

by in General Topics
‎08-01-2020 03:01 AM
1 Kudo
‎08-01-2020 03:01 AM
1 Kudo
Hi @BigPalo  Forward secrecy actually is supported by paloalto. If you look at the details of the browser handshake list, you should see most of them use ciphersuites with forward secrecy. Only a few - which count as reference browser for Qualys SSLLabs - do not use forward secrecy ciphersuites. The point with the missing secure renegotiation is still true and unfortunately theres nothing you can do about that at the moment except wait until it is supportet (in PAN-OS 10 it is still not supported). An explanation of secure renegotiation you can find here: https://devcentral.f5.com/s/articles/ssl-legacy-renegotiation-vs-secure-renegotiation-explained-using-wireshark-34023 ... View more

Re: PAN-OS 8.1 Partial IPs Captive Portal redirect not working

by in General Topics
‎08-01-2020 02:48 AM
1 Kudo
‎08-01-2020 02:48 AM
1 Kudo
Hi @TysonLiu  What error page do these users see when they are redirected? What do you mean by "display how many authentication rate at Captive Portal per single IP"? Do you have multiple users from one single IP - maybe because of a source NAT? ... View more

Re: Panorama 9x - how to delete Child DG ObjectX if Parent ObjectX exists

by in General Topics
‎08-01-2020 02:24 AM
‎08-01-2020 02:24 AM
Hi @rolinger  "In the Child DG, you can revert the Child Object-X back to using the Parent level Object.  But when you do that, `Object-X` now shows the location as Parent-DB and you no longer have access to the Child-DG Object-X - it is removed from the view." --> the object actually isn't only removed from the view, this step removed the object from the child-DG. So in this case should be possible to to select the objects you want to revert and then revert them. If you need to revert hundrets/all child objects there is also the API with which you could write a small script that fetches all child objects and then delets/reverts them. Another way with the CLI - requires a list of the objects that need to be deleted which could be also optained by showing the config on CLI - is to prepare all delete commands in a texteditor and then paste them at once in CLI.   ... View more

Re: why firewall drop server hello message

by in General Topics
‎08-01-2020 01:25 AM
‎08-01-2020 01:25 AM
@bit_byte So when you did a packet capture, was the server hello in the drop stage of the capture? How does the session look like in the traffic log? Did you try a packet log debug via cli and checked the global counters when testing the connection? ... View more
Register or Sign-in
Contact Me
Online Status
Offline
Date Last Visited
‎11-26-2025 01:29 PM
LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2026 - Palo Alto Networks