About djr

djr · ‎01-14-2015

Can I assume this includes 2012 R2? Thanks

djr · ‎01-05-2015

Hi, The "first rule" was the rule based on the service process rather than the port based rules for SYSLOG and the User ID agent port Your last line is precisely why I went for the service-based option. I prefer to think of processes as trusted, so allowing the service is better in my mind than allowing all the ports it may need (and having to reverse engineer which ports it needs as Steven said). It also means if I add another User ID mechanism I don't have to go round my agents fiddling with firewall rules. I do think a KB article or preferably something in the documentation on the windows firewall config would be reasonable, if the software installation doesn't do that for you.

djr · ‎12-03-2014

Hi, I just found a bit of a weird problem with the User-ID on a 2008 server due to the windows firewall. I am using AD service polling and SYSLOG feeds for the User-ID but I couldn't get the syslog messages to be recognised. I could see them hitting the server via wireshark and when I turned of f the Windows Firewall they started working so it was clear where the problem was. When I configured the Windows Firewall I selected the user ID service and allowed all ports and protocols to it (inbound rule). This meant that the firewalls could connect to it and I confirmed that was working OK. The only way I could get the syslog messages through was to create another rule allowing UDP 514 through to any program/service. Looking up with netstat though, port UDP514 was owned by the UAService.exe process which was the same as port TCP 5007 so that seemed as if it ought to work with the initial rule. Can anyone shed any light on why that first rule didn't work and what the recommended windows firewall rules are? (I did a search and couldn't see any articles on this) Thanks

djr · ‎12-03-2014

Yes that's the command I usually use but I have to say I had not noticed the column headings! For me the max and idle values are always the same so I had learned to ignore the last one. Anyway that is great thank you for being so helpful,it has answered my question very thoroughly.

djr · ‎12-03-2014

That makes sense, but where are these two timeouts configured? On my firewall and agent config I can only see a "user timeout".

djr · ‎12-03-2014

Great that sounds like it does what I want. The only thing I didn't understand from your explanation was the "If any user mappings still exist on the firewall that require refresh," under what circumstances does the firewall ask for a refresh?

djr · ‎12-03-2014

I have been using the agentless user-id but it seems to be overloading my firewalls so I am moving to a separate agent. I am trying to decide whether I need one or two though and need to understand what happens when an agent restarts. When it loses the agent, does the firewall drop all its user mappings? When the agent comes back does it drip-feed new mappings or does it clear the existing mappings on the firewall from that source? In other words, if my server were to reboot, would the firewalls carry on and pick up where they left off (accepting I would miss that any events while the agent were down) or would I lose all my user mapopings either when it went down or when it came back? Most of my user mappings are from SYSLOG so are not re-generated. Once they are gone, that's it.

djr · ‎11-17-2014

By the way I tested this and it does not work! I set the path monitoring to ping the gateway of the management interface's network and failed my management interface. The device did not fail over but it did crash! So I logged a support ticket and the answer came back that it would have used any available path for the path monitoring. Unfortunately because it stayed active, my AD lookups stacked up and the useridd process crashed, the firewall wouldn't respond on the console and the only way out was to power it off. So if you set the box up using the DEFAULT, to use the management port for service routes and your management port goes down... It can't be made to fail over It can no longer resolve any users It can't update It can't be managed You can't get on via the console and it crashes key processes Why has no-one else realised that a failure of the management port is the achilles heel of the HA?

djr · ‎11-05-2014

Ah right, well my one is a lot simpler than yours, it just shows "use management interface for all" which for me is probably the best choice anyway. As you say it keeps the data plane free for the data. Thanks very much, this has been very helpful and I have emailed my SE with the request. Best regards

djr · ‎11-05-2014

How can you choose which interface to use anyway? I don't think I have set anything up to tell it which interface to use, it just does it.

djr · ‎11-05-2014

Thanks, I have done that. Just to be clear though, if the management port fails, the firewall will route the AD lookups and logs to panorama etc via the trust interface? It is L3 but I don't have any of the management services enabled and I don't presently have the trust address enabled on my panorama server as a valid source.

djr · ‎11-05-2014

Hi, I have an active/passive HA setup and have link state monitoring enabled on my data interfaces, but I notice I can't select the management port for this. To my thinking, if I lose the management port I would want the cluster to fail over because it would no longer be able to log to Panorama, or to look up user IDs. How would you recommend doing this? Is link path monitoring (using the management IP as the source) the only way?

djr · ‎10-31-2014

Brilliant, thank you. I was using the threat summary - not the detailed logs. Working perfectly now.

djr · ‎10-31-2014

I have created a really useful daily report of threats but it's full of stuff I am not too worried about so would like to filter it based on the severity. I have included the threat severity in the columns displayed but it won't let me use the severity in the filtering criteria. Is there a way round this? I can't even sort from High to low.

djr · ‎10-01-2014

OK thanks, if that is the definitive answer then I know not to waste time trying to do it. Thank you for the swift replies David

Member Since	‎11-18-2011 07:49 AM
Date Last Visited	‎03-29-2025 08:27 PM
Posts	111
Total Likes Received	13

Online Status	Offline
Date Last Visited	‎03-29-2025 08:27 PM

About djr

Re: 10.2.10-h9 Log Display Bug?

10.2.10-h9 Log Display Bug?

Re: PANCast™ Episode 28: A Few Things to Know About PAN-OS Versioning

Re: PANCast™ Episode 28: A Few Things to Know About PAN-OS Versioning

Threat 86751 - PotatoVPN Detection

Re: file getting blocked (false positive)

Re: file getting blocked (false positive)

Re: file getting blocked (false positive)

Re: file getting blocked (false positive)

Re: file getting blocked (false positive)

Re: HA Failover moniring Management port

Re: file getting blocked (false positive)

Re: file getting blocked (false positive)

Re: Server error : No ECDSA host key is known for netadmin2.intra.chu-rennes.fr . Host key verification failed.

Re: Monitoring of external ip configured for vpn in Palo Alto vm firewalls deployed in Azure

Re: Server error : No ECDSA host key is known for netadmin2.intra.chu-rennes.fr . Host key verification failed.

Re: file getting blocked (false positive)

Re: file getting blocked (false positive)

Re: Problem with routing of NATted reply packets over IPSEC tunnel

Re: Where does User Credential Detection search?

Re: When new version of User-ID agent will release to support on Active Directory 2012 version ?

Re: User-ID Agent Windows Firewall Settings

User-ID Agent Windows Firewall Settings

Re: What happens when a User-ID agent restarts?

Re: What happens when a User-ID agent restarts?

Re: What happens when a User-ID agent restarts?

What happens when a User-ID agent restarts?

Re: HA Failover moniring Management port

Re: HA Failover moniring Management port

Re: HA Failover moniring Management port

Re: HA Failover moniring Management port

HA Failover moniring Management port

Re: Can I sort or filter a threat report on Severity?

Can I sort or filter a threat report on Severity?

Re: Top Talker Report

Unlock your full community experience!

About djr