About kprakash

You can delete the license key for both PAN-DB and Brightcloud. Issue the below command, followed by the "tab" key to look at what keys are available, and then delete the PAN_DB_URL_FIltering and Brightcloud >delete license key Also remove any URL profiles that are part of the policies, after deleting the keys. BR, Karthik ... View more

Good Morning, You can apply Qos on the sub interface under the "Clear text Traffic" section as shown below. You still have to bind it to a physical interface, and I would use the Physical interface that is serving as a trunk for the vlan, that the vlan interface is associated with. Thanks and best regards, Karthik ... View more

Looks like we dont have user identifications enabled on the zones: Please refer to the below doc https://live.paloaltonetworks.com/docs/DOC-2951 :BR, Karthik RP ... View more

Also when it stops working, we better enable filters and packet capturing and look at the counters, the pcaps and the debug logging to understand the issue. I would recommend opening a ticket with us to investigate the reasons behind the drops. BR, Karthik ... View more

That definitely sheds some more information. So if its inbound traffic, we are doing a destination NAT to a server, arent we? can you give us the output of the following commands: >show running nat-rule-ippool show-freelist yes show cache yes rule <destination-nat-rule> BR, karthik RP ... View more

Can you restart the l3-service to see if it makes a difference? >debug software restart l3-service This service is responsible for the captive portal features. BR, Karthik RP ... View more

Is it a proprietary application that is being denied ( traffic for which we do not have signature for ) ? If that is the case, we can create a custom app for the traffic in question, and apply it under an app override policy and the security rule that it is to match. Are you facing this issue for any traffic, and how frequent is it?  We also want to check that the dataplane is not overwhelmed. You can issue the command >show running resource-monitor >show session info to verify that the data-plane is healthy. The first command gives the sanpshot of the dataplane for a specific duration. The second command gives the number of active sessions and the throughput. Alternatively you can also monitor the ACC to look at which app is eating up a lot of sessions and bytes. BR, Karthik ... View more

Good Morning, I am afraid if its an issue with the dataplane, but rather the way the traffic doesnt match the polices configured on the box. So does the traffic match the intended rule sometimes and matches the deny rule the other times? If not, you can determine what application the traffic is matching and write a specific rule for it. You can create an "any, any" permit rule and place it above your clean up rule, and then look for the traffic logs for those sessions. The traffic logs will specify the from and the to zones, the source and the destination IPs, the usernames, the matched application, etc. You can then use this information to create a more specific rule,and place it appropriately on the security rule list. Also when you mean reseting the dataplane, are you rebooting the device or just issuing a command to restart the dataplane? BR, Karthik ... View more

Good Morning, From what I understand, you wanna  create a security rule from Untrust to Trust, so that people from the internet can access a server that is behind the firewall on the trust zone. If the users from the internet initiate a new ssh session to the firewall, then the firewall receives a SYN packet from the untrust to the trust zone. We need not write a new policy for the SYN-ACK from the trust to untrust to go out, and the firewall will match any the server to client traffic on ssh to the same "untrust to trust" rule that you created. So it depends upon who is initiating the session. If someone is initiating a new ssh connection from the trust zone, we would then require a policy from "trust to untrust" allowing ssh. Bear in mind that when we have an inbound connection from the internet ( untrust to trust), the NAT rules are written slightly differently, and you may wanna refer to the destination NAT configuration as mentioned under page 15 of  the NAT tech note, https://live.paloaltonetworks.com/docs/DOC-1517 BR, Karthik ... View more

Good Morning, Is it that for the first time only that the wifi users will authenticate against the proxy squid, and once they are authenticated, will they talk on HTTP/ HTTPS with the other websites and bypass talking to the squid proxy? Or is the proxy squid server acting as a proxy server for any HTTP/ HTTPS requests that the mobile users attempt opening connections for? If its the latter, then all you need is a policy from LAN to DMZ for the HTTP traffic to reach the proxy, and then a rule from the DMZ to the INTERNET for the proxy to open the connection on behalf of the mobile user. If the proxy server has a private IP address, and is on the same subnet as that of the firewalls DMZ interface, then we need not NAT traffic from LAN to DMZ. But we definitely require a source NAT (dynamic and port translation ) from DMZ to INTERNET for the outbound HTTP requests from the proxy server to the outside servers. BR, Karthik RP ... View more

Good Morning, Warning level indicates a non-error event, in most cases no immediate action is required but it may be beneficial to monitor. The AHO is used for threat signature pattern matching, and the DFA is used in App-ID signatures and decoder token matches.  If signatures are changed, we will mark the FPGA as unavailable, load the new signatures into the FPGA, then unmark it. The aho_sw_fpga_unavailable and the dfa_sw_fpga_not_loaded counters are something that we shouldnt worry much about and they seen when signatures are updated,  and the PANFW marks the FPGAs as unavailable during the loading process. Once the new signatures have been loaded, the FPGA will be marked available again. The best way to check if the dataplanes are being overloaded are by looking at the below commands, >show running resource-monitor >show session info Where the first command gives a snapshot of the percentage of CPU being used per DP, during a particular time. The second command shows the total number of sessions active and throughput at that time. BR, Karthik RP ... View more

Hi HIthead, I am still wondering if the Phase-1 is getting established or not. Are the phase 1 and the phase 2 up? >show vpn ike-sa >show vpn ipsec-sa I have an apprehension that we are failing in the negotiation itself. BR, Karthik ... View more

Are you also permitting ike and ipsec traffic on the firewall 2? To rephrase my earlier question, may I know what local and remote peer IDs have been configured on each of the PA 200s? ... View more