About kprakash

The PANOS images are stored under /opt/pancfg  directory You can use the command >show system disk-space to look at how much space is left. admin@41-PA-4020(active)> show system disk-space Filesystem            Size  Used Avail Use% Mounted on /dev/sda2             3.8G  1.5G  2.1G  42% / /dev/sda5             7.6G  2.2G  5.0G  31% /opt/pancfg /dev/sda6             3.8G  2.6G  1.1G  71% /opt/panrepo tmpfs                 506M   67M  439M  14% /dev/shm /dev/sda8              51G  567M   48G   2% /opt/panlogs ... View more

In addition, when you are trying to match for sessions that are source translated, 1) The "show session all filter source <ip>", where  <ip>  is one of  the "Source Nated IP from the pool", will not show us any results. This is because the session is initiated from the original source, whose IP later gets translated to one of the IPs from the pool. This command is valid for pre-translated source IP addresses and not the post translated IP addresses. 2) On similar lines, the command "show session all filter destination <xlate-source>", wouldnt work for post translated source IP addresses, because from the PANFWs standpoint the destination is the real IP address and not the translated IP address. ( this command would however work for pre translated destination NAT IP address ) Hence for both the cases, you will never see any sessions, and this is an expected behavior. ... View more

Are we using "dynamic IP" or "dynamic IP and Port" ? From the description, it looks like we are using a pool, ie "Dynamic IP". The command "show running nat-rule-ippool" works only for "Dynamic IP and Port" Can you try out the command: debug dataplane nat sync-ippool rule<rulename> Here are some helpful links: https://live.paloaltonetworks.com/docs/DOC-3452 https://live.paloaltonetworks.com/docs/DOC-4891 BR, Karthik ... View more

Did we verify if the eth1/9 was configured with a zone and/or virtual router ? Your description seems contradicting: Here is whats happening: Remote user surfs the web, Traffic comes down the ipsec tunnel assigned a session ID by PA and logged. And is passed on to the core. and then passed back up to the firewall on interface1/9  ---------------------------------------------------------------------> how did you know if the traffic reached the eth1/9 interface? If we do not have traffic logs for the traffic, it means that the traffic never reached the firewall,                                                                                                                                                          or it would have been dropped because it did not have any zone/ v router assigned to it. Nothing Happens. We cannot see a log or a deny at all.-----------------------------------------------------------------------> usually the case, when the traffic did not reach the firewall at all ( else there would be a deny or an allow ) remote users cannot ping the 1/9 interface. ----------------------------------------------------------------------------------------> users might not have been able to ping the interface, if the eth1/9 interface did not have any interface management profile with ping configured under it ... View more

Please check these links: https://live.paloaltonetworks.com/docs/DOC-3904 https://live.paloaltonetworks.com/message/23749#23749 https://live.paloaltonetworks.com/message/10273#10273 https://live.paloaltonetworks.com/message/11919#11919 BR, Karthik RP ... View more

Hi Ignas, The PANFW does look for the hash of the files when using wildfire for file blocking functionality. The below docs explain the same: https://live.paloaltonetworks.com/docs/DOC-3300 https://live.paloaltonetworks.com/docs/DOC-5266 https://live.paloaltonetworks.com/message/13942#13942 ... View more

The global protect gatway settings would remain persistent on the windows client, until you disconnect and connect back to the gateway, or wait for the "config refresh interval" BR, Karthik RP ... View more

From BGPs standpoint, using local preference is the best way to influence outbound routing. However, it is impossible to configure local preference for all the routes on the internet. But if you have specific networks for which you want to use one ISP over the other, (for instance, networks for which latency is a business critical parameter ), you can use local preference to reach those networks via ISP A. Otherwise we don't load balance all outbound traffic, but we can configure policy based forwarding for specific source subnet/subnets to prefer one of the ISP over the other. Plus PBFs on PANFWs do not operate based on a load of a circuit, rather they work depending upon the matching source subnet/subnets and the destination address/addresses. ... View more

"Has any": check if any of the patches specified are missing "Has none" : exclude check for the specified missing patches. "Has all", checks if all the Patches are missing. the GP client has a library which can scan the machine for the current Windows patch status, and thats how it finds out which patches that are missing. And it relays this information to the gateways. Plus, if the HIP check is not hitting the correct policy, please verify if the entire certificate chain is included under Trusted Root CA section of portal config, when not using a self signed certificate. https://live.paloaltonetworks.com/docs/DOC-5492 Best regards, Karthik RP ... View more

As long as we are passing traffic through the correct zones, have the correct polices, we shouldnt have any issues with the traffic. Your new configuration looks valid. We will still see 2 sessions on the firewall, because there are 3 zones being involved here. Traffic ingressing into the IPSEC_Trust zone (tunnel.1), and egressing out via the Trust zone ( eth1/10) will have one session associated with it Traffic ingressing into the trust zone ( eth1/9 ) and egressing out via the untrust zone (eth Or you could configure a policy base forwarding rule with the below settings: source zone IPSEC_Trust source address: remote network destination address: 0.0.0.0/0 Forwarding: action:Forward Egress interface: untrust interface Next hop: Firewalls gateway And have a security policy from IPSEC_Trust to Untrust Be sure to have a static route route on the VR1 to have a route to the remote-network, pointing to VR2 ( ie remote-networks: nexthop VR2 ) BR, Karthik RP ... View more

Here a couple of useful links that explain why creating the URL filtering profile is preferred over adding the category on the rule itself https://live.paloaltonetworks.com/message/28646#28646 https://live.paloaltonetworks.com/message/23810#23810 https://live.paloaltonetworks.com/docs/DOC-3108 BR, Karthik RP ... View more

Can you create a URL filtering profile,  setting the action to "alert" for  "gambling", and applying the URL filtering profile to the rule, instead of matching the URL category of gambling on the rule itself. ... View more

This is not supported. BR, Karthik ... View more