About CosminM

Hi,   Mine it's working all the time, but I forgot to update also the Custom URL on the post. I did it just now. You need to have on the Custom URL also: *.net.anydesk.com/   ... View more

Hi @MatwoksNetTeam  Even in the past, importing the Anydesk Root CA into the firewall did not mean that we were decrypting the traffic. Then we just mark that issuer as reliable. So, the risk of transferring malicious files is the same, that's why it's good to have security solutions on the end-points as well.   I just updated my older post (https://live.paloaltonetworks.com/t5/general-topics/anydesk-issue/td-p/198761/page/2) to match the new Apryl 2024 changes. ... View more

Hi @S.Support212931 , One of the steps it's to create a service for TCP destination port 6568. The source port it's dynamic and in your service should be empty. ... View more

Hello,   Since I wasn't able to capture the actual AnyNet Root CA 2, I just modify my decryption profile as follows:   All the rest remain as described on my comments (see on second page).   ... View more

Hello @ArtursOstapenko  Please see my comments from this post: https://live.paloaltonetworks.com/t5/general-topics/anydesk-issue/td-p/198761 (on second page - it's step 3 Custom URL list) ... View more

Hello, In the past it was working the workaround from this discussion: https://live.paloaltonetworks.com/t5/general-topics/anydesk-issue/m-p/516607#M107283 Now, when I can't have the AnyNet Root CA 2, I modified my Decryption Profile and unchecked "Block session with untrusted issuers" and I'm based only on URL's   Maybe this information will help you. ... View more

I just checked and has reappear the error messages after some time also on my PA. ... View more

Hi @cverniani , All the pictures from my reply are screen snip from my PA config. Can you be more specific about what screenshot are you referring?   ... View more

Hello,   For a period of time, the solution proposed by @dcaporetto worked also for me, but starting with one month ago I start having problems with Anydesk clients. After investigation, the following solution work for my PA:   Update on April 10th, 2024: Because I saw that there is interest in managing Anydesk traffic through the Palo Alto Networks firewall and the changes from April 2024, I decided to update this. In fact, at least one change in the decryption profile is necessary, that is, to stop verifying the issuer of the certificate because we have no way until we can obtain the new AnyDesk Root CA 2 certificate.   Update 2 on April 10th, 2024: (a big Thank You! for @S-Battermann, because we have now the new AnyDesk Root CA 2 certificate) Unzip the AnyDesk-Root-CA-2.zip attached file Import into firewall the AnyNet Root CA 2 certificate (AnyDesk ROOT CA 2.crt) and marked as Trusted Root CA.   Create a service object for TCP 80 and 6568 Create a custom URL list for:  anynet%20relay/ anynet%20relay:80/ anynet%20relay:6568/ anynet relay:6568/ anynet relay:80/ anynet relay/ *.net.anydesk.com/   Create a decryption profile with "Block sessions with expired certificates" and "Block sessions with untrusted issuers" checked on No Decryption tab Create a decryption policy with action of NO-DECRYPT using custom URL categories and services configured above as match criteria and action of NO-DECRYPT Note: If your service object includes only destination port 6568, then in your decryption policy you need to include also service-http, on service criteria. ... View more

Please let us know the TAC case resolution on this issue.   My workaround about this issue is based on https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000001Uc6CAE  First I checked if DNS security subscription on my firewall is valid. After I reset the local cache with command "clear dns-proxy dns-signature cache", the error message stop appearing in system logs and the local cache it's regenerated. ... View more

Hi,   It's confirmed that is indeed an issue and will be corrected in the future. As a work around, we can do the following steps: unzip the OVA file, i use 7zip for that open OVF file with a text editor, replace "<vssd:VirtualSystemType>vmx-19</vssd:VirtualSystemType>" with "<vssd:VirtualSystemType>vmx-13</vssd:VirtualSystemType>" and save the file login to the VMware ESXi hypervisor and deploy the Broker VM using OVF and VMDK files. ... View more

Hi @SilviuMihailDascalu,   I follow your suggestion and I opened a TAC case for my issue. ... View more

I'm facing the same issue with contextual help page not loading correctly in PAN-OS 10.1.5-h1. I have physical firewalls (PA-5200 series) and Panorama VM. On the physical FW I have the same behavior that you explain but on Panorama I can see the right frame. Contextual help on PA-series    Contextual help on Panorama  ... View more