About PavelK

Hello @cdcirexx   I had similar project in the past to make multiple VPN Gateways publicly available with seamless automatic failure detection / failover. I found the simplest and most cost effective solution leveraging Azure Traffic Manager: traffic-manager-overview. All you have to do is to set up health monitor where you configure your publicly available endpoints. You create CNAME of your domain mapped to traffic manager DNS record tied to your health monitor. If one of your endpoint is marked as unhealthy it will be automatically taken out. The failover speed will depend on TTL setting of DNS record and aggressiveness of health probing. This solution is readily available without need for custom scripts. You can also build the same solution by using AWS's Route 53.   Kind Regards Pavel ... View more

Hello @M.Allen   in addition to what Otakar mentioned here are KBs for Firewall sub-interface configuration:   How to Create Tagged Sub-Interfaces Unable to Add VLAN Tag to Layer-3 Interface   Kind Regards Pavel    ... View more

Hello @Mokhairy   unfortunately, as of now there is no official up to date setup guide / knowledge base for Radius setup with Windows Server 2022. Are you able to see your failing authentication session in Firewall logs: less mp-log authd.log? This would be starting point for troubleshooting.   Kind Regards Pavel   ... View more

Hello @bbashash81   thank you for reply.   From your post it looks like that your Keytab has been generated correctly, however just in case here is a manual: How To Generate Kerberos Keytab for SSO. Make sure that FQDN for captive portal is resolvable and pointing to Firewall's interface where Captive Portal is enabled.   Here is the tutorial for Captive Portal setup: How to Configure Captive Portal. In Step No.6 import Kerberos Keytab. Also make sure that certificate's SAN field is FQDN of Captive Portal.   Make sure that in authentication policy you configured browser challenge to trigger SSO (Step No.3): Configure Kerberos Single Sign-On. Make sure that you set redirect mode and redirect host matches certificate's SAN name: What are the client trust settings required to change the redirect URL for captive portal with Kerberos SSO?. Finally, you will have to enable decryption: Captive Portal Not Working with HTTPS Sessions. Could you test whether captive portal SSO works for test HTTP site?   Kind Regards Pavel ... View more

Hello @bbashash81   thanks for post!   To me this log message does not indicate an issue / authentication failure. Could you please elaborate where and for what purpose you are setting up Kerberos authentication? If the authentication is failing there should be more detailed log after the log message you shared. Just in case, here is Configure Kerberos Single Sign-On configuration guide.   Kind Regards Pavel ... View more

Hello @Mahendran.M   would it be possible to include screen shot of error you are getting? To troubleshoot it further, looking into logs would be good next step. Below KBs might help: Configured server monitoring using WinRM over HTTP with Kerberos User-ID Agent Generating DCOM and Kerberos System Errors   Kind Regards Pavel ... View more

Hello @M.Allen   thanks for post!   It does not look like that the issue is caused by not having PA-3410 in Device Group. Could you please confirm PAN-OS version running on PA-3410? I can see this issue addressed in PAN-OS 10.2.8 and 11.1.2:   PAN-223259 Fixed an issue where selective pushes failed with the error Failed to generate selective push configuration. Unable to retrieve last in-sync configuration for the device, either a push was never done or version is too old. Please try a full push.   Also, I have noticed in one post that one LIVEcommunity member reported this being resolved after restart management process in both HA Firewalls.   Kind Regards Pavel ... View more

Hello @N.Koirala   thanks for the post.   Similar question came up in this forum in the past. For configuration migration from 3rd party Firewalls to Palo Alto, there is a migration tool called Expedition: Expedition. In that link there is a video series guide for ASA migration. Although this is official migration tool, it might not be perfect with all configuration parts. Some users reported that some configuration parts had to be configured manually in PAN Firewall.   Kind Regards Pavel  ... View more

Hello @jmarcus101   starting from PAN-OS 10.1 uncommitted changes are persistent: Persistent Uncommitted Changes on PAN-OS. The uncommitted changes should be still there after you reboot Firewall.   Kind Regards Pavel  ... View more

Hello @austinsaint278   thanks for post!   I am going to break down your question into more details.   After logs are forwarded to Panorama's log collector, you will have to set log forwarding from log collector to SIEM. Here is documentation with instructions how to do it: Configure Log Forwarding from Panorama to External Destinations. After you complete the configuration do not forget to commit changes and push changes to log collectors. In the Syslog profile you can customize log format, however unless you have specific requirement you can leave it in default. Unless you configure filtering based on log severity or filter builder all logs regardless of log category will be forwarded to SIEM.   When it comes to specific events you mentioned in your post:   Malware/Spyware detections Command and Control (C2) communications CVE exploit attempts High/Critical severity IPS alerts DNS tunneling or other evasion behaviors   The above logs will be presented in Threat logs. You do not need additional configuration on Panorama side to allow logs forwarding to SIEM except of setting log forwarding profile described at the beginning of the post, however you have to make sure that you have security profile attached to every security policy with threat profile set to block/alert based on severity: Internet Gateway Best Practice Security Policy Also, to allow Firewall inspect traffic, you will have to enable decryption.   For below portion:   Blocked or suspicious URL category access attempts   you will have to enable action alert or deny URL filtering: URL Filtering Profiles to see logs, then you will have to enable URL log forwarding in Panorama. Here are all log fields: URL Filtering Log Fields. URL logs are not part of Threat logs.   For this portion:   DLP events or sensitive data exfiltration   For Data Leak Prevention logs, you will have to enable DLP logging in Firewalls and make sure that DLP logs are configured in Panorama for log forwarding. Here are DLP log fields: Data Filtering Log Fields.   For this portion:   Abnormal login behavior or access to uncommon ports   you will have to enable traffic log forwarding. It is tricky to give good answer to this point. As log as you have enabled log at session end: Session Log Best Practices you will have all traffic log, however you will have to categorize what uncommon ports mean in your organization and reflect it in security policies, then have a rule in SIEM to have detection for those events. Here are all traffic log fields: Traffic Log Fields.    For this portion:   GlobalProtect VPN anomalies (e.g., connection failures, logins from new or suspicious locations)   you will have to enable Global Protect logs: GlobalProtect Log Fields and ideally also HIP Match logs: HIP Match Log Fields. Firewall will not be able to recognize what suspicious location means in your business context and where your GP clients are usually connecting from. I have seen this function to be facilitated by Identity Protection solution or SIEM. By quick search it looks like Wazuh has anomaly detection feature, however I do not have any experience to judge whether it can fulfill your expectations.       Good luck with your setup and threat hunting!   Kind Regards Pavel ... View more

Hello @Y.Choi436432   thank you for reply.   I see what you mean. Yes, it is possible. I do not see any dependency / blocker. You can use SLS from SCM Pro subscription to start collecting logs, then once ready you can start to use SCM to manage Firewalls.   Kind Regards Pavel ... View more

Hello @Y.Choi436432   thanks for post.   If the customer's requirement is to only collect logs, then Strata Logging Service: Introduction to Strata Logging Service is better fit. With Strata Cloud Manager Pro, you get features for Firewall management + Strata Logging Service. See details here: Strata Cloud Manager Licenses. If logging is only requirement, then Strata Logging Service will be cheaper option.   Kind Regards Pavel  ... View more

Hello @vishalrsshah   thanks for post!   Personally, I have always opted for having HA managed locally in the past. If you decide to migrate HA configuration under Panorama, I can think of below caveats with overriding and Template variables (If you have a single Template for both Firewalls in HA pair):   Panorama managed HA cluster device facing High-availability configuration overridden when there is a HA configuration sync from the peer How to configure template Variables for High Availability Active/Passive How to use one Template stack for a high availability Firewall Pair on Panorama   Please keep in mind that local configuration will take precedence over Panorama pushed configuration until you manually override it locally or use force template values option.   When it comes to actual migration with configuration switch from local to Panorama configuration, I do not expect issue / outage during process.   Kind Regards Pavel ... View more