Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
08-06-2020
72Posts
43Likes
28Solutions
Aug 06, 2020Last Visited
User
Activity
User
Profile
Latest posts by apasupulati
| Subject | Views | Posted |
|---|---|---|
| 1370 | 01-02-2014 08:09 AM | |
| 1133 | 12-31-2013 07:48 AM | |
| 1133 | 12-31-2013 07:45 AM | |
| 937 | 11-12-2013 08:36 AM | |
| 864 | 11-07-2013 06:03 PM |
My Liked Posts
| Subject | Likes | Posted |
|---|---|---|
| 1 | 12-08-2012 06:41 PM | |
| 2 | 09-04-2013 04:06 PM | |
| 1 | 11-12-2013 08:36 AM | |
| 1 | 04-08-2013 09:33 PM | |
| 1 | 10-06-2013 07:43 PM |
Posts I Liked
| Subject | Likes | Author | Latest Post |
|---|---|---|---|
| 14 | |||
| 2 | |||
| 2 | |||
| 1 | |||
| 2 |
User Badges
Public Statistics
| Date Registered | 10-18-2011 01:44 PM |
| Date Last Visited | 08-06-2020 04:41 PM |
| Total Messages Posted | 87 |
| Total Likes Received | 43 |
09-10-2013
10:14 AM
1 Kudo
This is our current file name length limitation, please contact your sales representative for a FR to increase the length of the path. You can't download the samples at this time, but the Malware samples are retained by PAN and used for research purposes. Thanks, Aditi
... View more
09-10-2013
09:41 AM
1 Kudo
The maximum length of filename field in the WildFire Portal is 63 bytes which is too short to cover full path in some cases, hence the report shows a truncated name. Thanks, Aditi
... View more
09-05-2013
09:34 AM
1 Kudo
Hello, If you configure filters for the VOIP traffic and check the global counters, do you see any drop counters for Packets matching rtp/rtcp predicts of sip? To check for counters use this command with filters turned on: show counter global filter packet-filter yes delta yes I ran across a known issue on PANOS 4.1.5, where asterisk based VOIP packets matching rtp/rtcp predicts of sip are dropped due to waiting for predicts merging, causing audi issues. This was addressed in PANOS 5.0 release. Do you have any plans to upgrade ? Thanks, Aditi
... View more
09-05-2013
07:59 AM
Hello, You can do both, since these are externally accessible servers you can install them in a separate zone from your LAN and do static 1:1 NAT for public access to these servers. Then configure a policy to allow outside access to the webservers on DMZ (if needed restrict the services allowed for more security). Document suggested above is a good reference. When you mention each server has an internal sql database, do they have to access internal production database on your LAN? However, you should be able to configure security policies accordingly for the servers to talk between zones. Hope that helps! Thanks, Aditi
... View more
09-04-2013
04:06 PM
2 Kudos
Hello Joy, You should be able to factory reset the WF500 device as well. Did you try to interrupt the boot sequence to go to maint mode? Just curious about how you are sure that WF500 doesn't have maint mode, since we have tested it. Not sure if this will help but you can clear the system/config logs on disk by, > clear log <tab> config Configuration logs system System logs Thanks, Aditi
... View more
09-04-2013
08:14 AM
1 Kudo
Hello, Here's the datasheet for the migration tool: https://live.paloaltonetworks.com/docs/DOC-1945 Our FW migration community is where you can download the latest 2.0.1 MT from: https://live.paloaltonetworks.com/community/partnertools/fwmigrate Please contact your SE if you don't have access to the community. Thanks, Aditi
... View more
09-04-2013
07:54 AM
1 Kudo
Hello Mark, Goodmorning! These are the available options that are available for MAC users to provide their User-ID info to the firewall: 1) Captive Portal (https://live.paloaltonetworks.com/docs/DOC-1159) 2) Install a client that will do AD login 3) Make them connect via SSL VPN and surf through the VPN. 4) User ID API integration using Syslog ( https://live.paloaltonetworks.com/docs/DOC-1936 ) - You would take login events on your OpenDirectory server and syslog these events. Parse through the data and use the API to send this info to the User-ID Agent for ip-mappings. Additionally, user-id agent can also monitor Exchange server, so if the mac users are able to login to Outlook to create login events, we should be able to get the mapping that way as well. Hope that helps! Thanks, Aditi
... View more
07-28-2013
04:25 PM
2 Kudos
Hello, You have to re-install the latest content manually, after the reverting to a previous content release. 1.Downgrade the content to any previous version - upload & install the package manually. 2.Try a commit on the device. 3. Re-install the latest content version and test the commit. Aditi
... View more
07-09-2013
08:23 PM
Hello, Is PAN firewall retrieving the user-group information properly? >show user group name <group name> //this should list all the group members of the group >show user user-IDs match user <username> //shows the groups a user is a part of. If the firewall is able to identify the users in the group and see traffic logs for these users, it should match the query for the report. Thanks, Aditi
... View more
07-03-2013
12:48 AM
Please refer to the article below to see if user groups are being retrieved on the firewall, Thanks, Aditi
... View more
06-24-2013
07:29 PM
Yeah, here's the link to retreive the msi file: https:// <device-ip>/global-protect/getmsi.esp?version=32&platform=windows
... View more
06-24-2013
06:02 PM
Hello, If all you're trying to do is to save distinct rulebase configurations, first save the current configuration then make whatever rulebase changes required and save the new configuration. Load this new config to the device as/when needed. You can save the configuration under Device tab-->Setup-->Operations--->save config snapshot. Hope that helps, Aditi
... View more
06-11-2013
09:32 AM
1 Kudo
Make sure the mgmt interface has connectivity to internet. This indicates the device is unable to register/communicate with the WF cloud. You can try configuring a service route for Wildfire traffic to use a DP port and test as well. Thanks, Aditi
... View more
06-11-2013
09:17 AM
1 Kudo
For your destination NAT: Assuming 'Vendor-VPN' is the zone the tunnel terminates on, NAT rule should be: srczone: Vendor-VPN dstzone: Vendor-VPN dstaddr: NAT IP (172.1.1.1.); dst translation addr: Real IP (10.1.1.1) Security policy: srczone: Vendor-VPN dstzone: Trust dstaddr: NAT IP (172.1.1.1.) Looks like the bi-directional static NAT should have worked as well, not sure why it didn't. You can trace the NAT IP/nat rules/security rules matching the traffic from the traffic logs. Thanks, Aditi
... View more
06-11-2013
08:09 AM
1 Kudo
Do you have a file blocking profile with action 'forward' or 'forward-continue'? This will allow the device to forward files to the WF cloud if the hash was not seen by the cloud to analyze the files for malicious activity. Please read this article for more information on configuring and testing wildfire. Reference article: https://live.paloaltonetworks.com/docs/DOC-3252 Thanks, Aditi
... View more
06-11-2013
07:50 AM
1 Kudo
This is an expected error because the external gateway address needs to be a unicast address. So please remove the subnet mask and try again. Aditi
... View more
05-29-2013
10:39 AM
1 Kudo
Hi, It would help to look at the Uadebug log file in the User-id Directory for any errors. Also, there are some known issues with UIA version 4.1.6 regarding the ip-mappings being dropped on the firewall. Thanks, Aditi
... View more
05-28-2013
08:49 AM
Hello, Are both the PAN firewalls in the same Device group on the Panorama? If so, since you're looking for creating identical rules but with different IP/address objects, create separate security policies with respective address-objects/IP's and target them only to the specific device in question.(Target is the last tab while creating a Security policy). This way when pushing the config to the Device group, policies will be pushed based on the target specified to the selected device. You can also add the devices in different device groups, so that way you can create address-objects and policies specific to each group. In this case, as you said you define the object with a different IP depending upon the device group. Hope that helps! Aditi
... View more
05-25-2013
09:04 AM
Hello, Here's a good document with a network diagram which can help, Hope that helps! Thanks, Aditi
... View more
05-25-2013
08:56 AM
Hello, Have you tried Policy based forwarding Rule for this traffic? Configure it such as all tcp/32400 traffic sourcing from Untrust to forward on the media server's interface. Let me know if that helps. Thanks, Aditi
... View more
04-12-2013
03:16 PM
Hey Nathan, Is the remote side configured to send the traffic (destined to 172.168.1.x) through its tunnel interface as well? You said: Since it wasn't working with the zones defined, I changed the Source/Destination of the rules to the specific IP ranges of the zones in the security rules. Assuming you did have a static route for remote subnet pointing to the tunnel.1 interface (remote zone), the traffic must match the Wifi-to-Remote rule, unless the default outbound rule is above this specific rule ignoring it. You can also try taking pcaps on the remote side and verify if they are receiving our packets and responding back to us. Thanks, Aditi
... View more
04-10-2013
09:11 AM
1 Kudo
Hello, Have you referred to this document about inter-vsys communication, see: How to Set Up Shared Gateway and Inter VSYS Hope that helps, Aditi
... View more
04-08-2013
09:59 PM
Hello, Your second NAT rule is incorrect for this scenario (to only allow access from outside, you can remove 'L3_LAN' as the source zone here). You need a Destination NAT to allow users from outside to access the public camera, so no source translation necessary as well. You will need a rule like below: "public access to server" { from untrust-L3; source any; to untrust-L3; to-interface ; destination <public-ip>; service any/any/any; translate-to "dst: private-ip:port"; Here's a good document that explains about configuring NAT in different scenarios: Hope that helps! Aditi
... View more
04-08-2013
09:33 PM
1 Kudo
Hello, Yes, you can use Radius/Kerberos/LDAP authentication methods for IPsec VPN connections. Here's a document that can help you configure Ldap authentication for GP: Thanks, Aditi
... View more
04-05-2013
12:10 PM
Hey Jama, Did you have packet filters configured while you collected these counters? To deal with the non-SYN tcp drops, can you the run following command from CLI and see if that helps with the inter-VR communication: > set session tcp-reject-non-syn no Note: this command isn't persistent through a commit/reboot. The firewall by default rejects any non-SYN packets (SYN-ACK, ACK) that don't match an existing session, we can disable this feature for testing and see if that helps. The reason the packets don't match the existing session could be that the response took too long and the session expired OR that the packets return from a different zone/interface causing asymmetric routing. Let me know. Aditi
... View more
04-04-2013
06:30 PM
2 Kudos
Hey Jama, Application incomplete means that the TCP 3-way handshake was unsuccessful. So to explain a little clearer, if a client sends a server a syn and the paloalto device creates a session for that syn, but the server never sends a syn ack in response back to the client, then that session would be seen as incomplete. So you can configure packet captures on the device and look for the complete TCP handshake. Make sure client to server and server to client communication is good. Refer to this article to know how to configure filters and capture the traffic, Hope that helps. Aditi
... View more
04-03-2013
10:56 PM
Hello, Yes, we do have a VPN client called Global Protect. You can refer to the following article to know how it works, Thanks, Aditi
... View more
03-20-2013
10:48 PM
1 Kudo
Hello, Just another side note, you can use Radius authentication with VSAs if you want to avoid creating users on the firewall. The VSAs can pull the username and the admin role automatically. You can view this document for more details and to get help setting it up: Thanks, Aditi
... View more
03-20-2013
10:35 PM
Hello, This is something we've seen in a few environments before and a code fix is coming to address it. As of now the fix is planned to be released in version 5.0.4. The management server is responsible for the DNS lookups required for the ACC data. If there are too many lookups, the management server will be too busy doing the lookups and won't properly serve the GUI and SSH. Thanks, Aditi
... View more
01-24-2013
09:58 PM
You can check our Threat Vault for more information on the Threat ID from the Support Portal. Here's the description for the threat in our database: Pidgin is prone to a integer overflow vulnerability while parsing certain crafted MSN protocol messages.The vulnerability is due to the lack of proper checks on message header in the MSN protocol , leading to an exploitable overflow. An attacker could exploit the vulnerability by sending a crafted MSN response. A successful attack could lead to remote code execution with the privileges of the current logged-in user. Other References: http://secunia.com/advisories/30971/ As per the advisory, this should affect only Pidgin versions earlier to 2.4.3. Please verify and open a case with Support if this is a false positive.
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
08-06-2020
04:41 PM
|
Latest Tags
No tags yet
Latest Blogs
Latest Posts
Copyright 2007 - 2020 - Palo Alto Networks
