About SOC_CSG

SOC_CSG · ‎09-16-2014

I have a vpn configured (PA<->PA) to manage my FWs. The problem is that when I open a ssh to the FW ip LAN (10.105.0.7), session ssh runs successfully and I can connect to the FW. But if I open ssh to the management ip 10.98.200.16 ssh remains frozen. Looking at the log monitor, when i try the LAN ip i can see how the PA recognise the Application SSH, but trying with the management ip the FW is not recognising correctly and it shows INCOMPLETE. Looking also at session browser when I run ssh session to the LAN ip, FW is not applying a Qos policy but is i try with management IP the FW is applying a Qos rule when it shouldnt do it. Why this strange behavior between ssh in LAN ip and management IP. I attached all the tests.

SOC_CSG · ‎09-01-2014

Hello I have a PA-2050 with PanOS 5.0.8 and I get this message today "THREAT,vulnerability,1,2014/08/31 16:32:08,216.75.XX.XX,213.0.XX.XX,216.75.XX.XX,10.1.5.92,Access webprv,,,ssl,vsys1,Untrust,DMZ,ethernet1/3,ethernet1/1.938,ACUNTIA,2014/08/31 16:32:13,207017,1,41570,443,41570,443,0x400000,tcp,reset-server,"",OpenSSL TLS Malformed Heartbeat Request Found - Heartbleed(36397),any,medium,client-to-server,40719923,0x0,United States,Spain,0," I knew that PaloAlto is protected againts HeartBleed 36416 Palo Alto Networks Addresses Heartbleed Vulnerability (CVE-2014-0160) ‹ Palo Alto Networks BlogPalo Alto Networks Blog ---but against 36397? The PA seems to block the communicaction but i like to confirm there's no problem Best Regards Gonzalo

SOC_CSG · ‎08-14-2014

Apparently we arent feeling anything weird....just SNMP TRAPS abut the proble each 15minutes.

SOC_CSG · ‎08-14-2014

I have checked the MONITOR SYSTEM LOG with the core-file date (Aug 6 23:55 crashinfo) and i have found this log. useridd:exiting because missed too many heartbeats.......i think this was the origin of the error....what could i do????

SOC_CSG · ‎08-14-2014

No, its ACTIVE/PASSIVE. these are the core files but i dont know exactly when the problem started. admin@FW1(active)> show system files /opt/dpfs/var/cores/: total 4.0K drwxrwxrwx 2 root root 4.0K Aug 6 10:11 crashinfo /opt/dpfs/var/cores/crashinfo: total 0 /var/cores/: total 11M drwxrwxrwx 2 root root 4.0K Aug 6 23:55 crashinfo -rw-r--r-- 1 root root 11M Aug 7 00:00 useridd_6.0.3_0.tar.gz /var/cores/crashinfo: total 60K -rw-rw-rw- 1 root root 54K Aug 6 23:55 useridd_6.0.3_0.info

SOC_CSG · ‎08-14-2014

the alarm was reported by SNMP at 10:12:23. dc3 is not active but i dont think this is connected with the problem. This is the useridd.log 2014-08-14 10:11:38.531 +0200 Error: pan_user_id_win_sess_query(pan_user_id_win.c:1471): session query for dc3.cuatrocruces.com failed: [wmi/wmic.c:200:main() ] ERROR: Login to remote object. 2014-08-14 10:11:43.610 +0200 Error: pan_user_id_win_log_query(pan_user_id_win.c:1323): log query for dc3.cuatrocruces.com failed: [wmi/wmic.c:200:main()] ERR OR: Login to remote object. 2014-08-14 10:11:49.792 +0200 Error: pan_user_id_win_log_query(pan_user_id_win.c:1323): log query for dc3.cuatrocruces.com failed: [wmi/wmic.c:200:main()] ERR OR: Login to remote object. 2014-08-14 10:11:55.867 +0200 Error: pan_user_id_win_sess_query(pan_user_id_win.c:1471): session query for dc3.cuatrocruces.com failed: [wmi/wmic.c:200:main() ] ERROR: Login to remote object. 2014-08-14 10:12:00.956 +0200 Error: pan_user_id_win_log_query(pan_user_id_win.c:1323): log query for dc3.cuatrocruces.com failed: [wmi/wmic.c:200:main()] ERR OR: Login to remote object. 2014-08-14 10:12:06.825 +0200 Error: pan_user_id_win_log_query(pan_user_id_win.c:1323): log query for dc3.cuatrocruces.com failed: [wmi/wmic.c:200:main()] ERR OR: Login to remote object. 2014-08-14 10:12:16.311 +0200 Error: pan_user_id_win_sess_query(pan_user_id_win.c:1471): session query for dc3.cuatrocruces.com failed: [wmi/wmic.c:200:main() ] ERROR: Login to remote object. 2014-08-14 10:12:21.405 +0200 Error: pan_user_id_win_log_query(pan_user_id_win.c:1323): log query for dc3.cuatrocruces.com failed: [wmi/wmic.c:200:main()] ERR OR: Login to remote object. 2014-08-14 10:12:23.783 +0200 Error: pan_user_id_ha_pre_send(pan_user_id_ha.c:549): HA queue (0/50000) left 2014-08-14 10:12:27.400 +0200 Error: pan_user_id_win_log_query(pan_user_id_win.c:1323): log query for dc3.cuatrocruces.com failed: [wmi/wmic.c:200:main()] ERR OR: Login to remote object. 2014-08-14 10:12:33.392 +0200 Error: pan_user_id_win_sess_query(pan_user_id_win.c:1471): session query for dc3.cuatrocruces.com failed: [wmi/wmic.c:200:main() ] ERROR: Login to remote object. 2014-08-14 10:12:38.473 +0200 Error: pan_user_id_win_log_query(pan_user_id_win.c:1323): log query for dc3.cuatrocruces.com failed: [wmi/wmic.c:200:main()] tHANKS

SOC_CSG · ‎08-14-2014

what it happened with your issue???? its happening the same to me.....PAN USER ID HA QUEUE FULL

SOC_CSG · ‎08-14-2014

any new idea??

SOC_CSG · ‎08-11-2014

i dont see any strange thing.....i can see the useridd at then end, and the CPU is not very used..

SOC_CSG · ‎08-11-2014

Yes, we have group-mapping but nobody in ITSystems has changed anything in AD. how could i touch the buffer or something to fix it???

SOC_CSG · ‎08-10-2014

Hi, im receiving this snmp trap in my Palo Alto (PA-3020 PANOS 6.0.3). Checking the system logs i see each 15 mins this log message "HA-queue-full". Why is this happening?

SOC_CSG · ‎07-21-2014

i updated the PAN-DB and now they have the same version??????? how can i know if im using brighcloud db or PANDB???? which are the main diferent between these DB? any is better than another?

SOC_CSG · ‎07-21-2014

Hi, i have 2 palo alto 2050 in HA (active/passive). The active HA has intenet acces in order to take the palo lato updates but the passive PA doesnt have access to internet. The problem is that the active PA has a URL version updated but the passive has a version very old. what should i do??? there is any way to send this URL updates from Pa active to passive or i sould give internet access to the passive device??? thanks

SOC_CSG · ‎07-07-2014

Hello, I have a lot connections from my firewall to public IP addresses 65.52.98.231 port 443. Our SIEM correlated events and generating the following offense: Event Name: Excessive Firewall Accepts From Multiple Sources to a Single Destination Low Level Category: Firewall Permit Event Description: Excessive Firewall Accepts were detected from multiple hosts to a single destination. More than 100 events were detected from at least 100 unique source IP addresses in 5 minutes. This is common in large organization where the destination is a common web server like Google or a software update site, however connections to unknown hosts should be investigated. Paloalto event: <14>Jul 1 06:14:52 1,2014/07/01 06:14:52,0003C102046,TRAFFIC,end,0,2014/07/01 06:14:51,XX.XX.XX.XX,65.52.98.231,XXX.X.XX.XX,65.52.98.231,usuarisInet,oa\segXX,,ms-product-activation,vsys1,Trust,Untrust,ethernet1/2,ethernet1/3,ACUNTIA,2014/07/01 06:14:51,238570,1,49266,443,19777,443,0x400000,tcp,allow,59379,38092,21287,69,2014/07/01 06:14:13,9,computer-and-internet-info,0,328805147,0x0,10.0.0.0-10.255.255.255,United States,0,39,30� *Event 3772 events http://forums.mydigitallife.info/threads/41010-KMSEmulator-KMS-Client-and-Server-Emulation-Source/page180 Legal/illegal KMS activation. Any idea? Could someone confirm these are bad and OK, to block? ...and another more: IP addresses 134.170.184.137 port 80. https://www.virustotal.com/es/ip-address/134.170.184.137/information/ https://malwr.com/analysis/NTk4N2E3N2Q2NjUzNGI1OGIzYzE1Mzc0OWI1MWQ2ODc/ IP addresses 134.170.189.4 port 80. https://www.virustotal.com/es/ip-address/134.170.189.4/information/ https://malwr.com/analysis/ZTUxZmZlYzg3MmZkNDdmMDkyNWI2YmRlMzdmZjg0YmU/ IP addresses 64.4.11.25 port 80. https://www.virustotal.com/es/ip-address/64.4.11.25/information/ Malwr - Malware Analysis by Cuckoo Sandbox Regards and thanks, Diego C:smileyconfused:

SOC_CSG · ‎06-30-2014

Hi, I have to create a rule bidireccional between two of my servers. My question is, do i have to create two rules to allow the connection in both flows, or i could only create the rule TRUST TO DMZ and the way back would be permit too? Its a bit tricky 2 rule for one connection, no??? thanks

Member Since	‎05-21-2013 06:58 AM
Date Last Visited	‎11-13-2018 12:27 PM
Posts	216
Total Likes Received	12

Online Status	Offline
Date Last Visited	‎11-13-2018 12:27 PM

About SOC_CSG

Re: URL filtering Block List is not working properly

URL filtering Block List is not working properly

Re: Unable to delete Certificate

Re: Unable to delete Certificate

Unable to delete Certificate

Re: URL Filtering doesn't work with Google-base/quic/google-docs

Re: URL Filtering doesn't work with Google-base/quic/google-docs

Re: URL Filtering doesn't work with Google-base/quic/google-docs

URL Filtering doesn't work with Google-base/quic/google-docs

Prototype Attributes. Share_level and confidence: Meaning

Re: Unable to delete Certificate

Re: SNMP monitor parameters for Palo Alto

User-ID. Is WMI really needed?

Problems users with Windows 10 and User ID agent

Re: Problem connecting SSH

Re: URL filtering Block List is not working properly

Re: URL filtering Block List is not working properly

Re: URL Filtering doesn't work with Google-base/quic/google-docs

Re: Integration Palo Alto PAN-OS v7.1.X. using Custom Log Format and improve QRadar (LEEF)

Re: VPN flapping

Problem connecting SSH

OpenSSL TLS Malformed Heartbeat Request Found - Heartbleed(36397)

Re: HA queue full

Re: HA queue full

Re: HA queue full

Re: HA queue full

Re: HA queue is full

Re: HA queue full

Re: HA queue full

Re: HA queue full

HA queue full

Re: PA URL FILTERING UPDATES force to update the HA peer

PA URL FILTERING UPDATES force to update the HA peer

A lot of traffic on port 443 (https) to ip 65.52.98.231

Doubt about security rule

Unlock your full community experience!

About SOC_CSG