About kprakash

Hello Gururaj, The "Patches" section, checks for the pathces that are missing. In other words, If we include "Security Update for Microsoft Windows (KB2778344)", under the Patches configuration, the gateway checks if this Patch is missing or not. The GP clients also reports about the patches, in the same manner, as shown below: So, you have configured it correctly. Page 34 of the global protect tech note discusses the same: https://live.paloaltonetworks.com/servlet/JiveServlet/previewBody/2020-102-19-14175/GlobalProtect-Configuration-Rev-I.pdf You can also add the Microsoft Windows Update Agent and Microsoft Windows Automatic Update, to the Patch management settings. Best regards, Karthik ... View more

I created a custom report for traffic logs BR, Karthik ... View more

On similar lines, You have to create a custom report on the cli, using the command: admin@41-PA-4020(active)# set reports Test type traffic + group-by       group-by + sortby         sortby > aggregate-by   aggregate-by > labels         labels > values         values   <Enter>        Finish input admin@41-PA-4020(active)# set reports Test type traffic Only after the above step will you be able to add "Test" under the pdf-summary-report, as shown below: admin@41-PA-4020(active)# set pdf-summary-report TestSum custom-widget   Test    custom-reports Test   <name>  <name> admin@41-PA-4020(active)# set pdf-summary-report TestSum custom-widget Test [edit] admin@41-PA-4020(active)# admin@41-PA-4020(active)# run show config diff @@ -1676,6 +1676,20 @@                }              }            } +          reports { +            Test { +              type { +                traffic; +              } +            } +          } +          pdf-summary-report { +            TestSum { +              custom-widget { +                Test; +              } +            } +          }          }        }      } ... View more

Good Morning, We get the drop down box, only after creating a custom report. So I first created a custom report Test on the GUI ( Moniotr-->Manage Custom report ). Then when I click on the Manage PDF summary tab and click on add, I get the 6th column. Bear in mind that only 18 widgets are supported at a time, and hence you will have to delete a couple of predefined items, before you can add the custom pdf report. Hope that helps! BR, Karthik ... View more

Just verify what the link types were configured on the cisco and the firewall. Its recommended that if using the Ethernet cables to connect to the cisco router, select the link type as "broadcast", and not "p2p" or "p2mp" Plus, its always recommended to use graceful restart when deploying OSPF in a cluster. The feature, “graceful-restart” for OSPF is currently not supported by the PAN-FW.  Since “graceful-restart” is not supported for OSPF, the routes will not be retained in the FIB once an OSPF neighbor goes down. Moreover, since the routes have been purged, traffic  reliant upon these routes will be incorrectly forward out the default route or dropped. ... View more

Hi The end users will be prompted for upgrade when a new version of agent is available. The “transparent” option will automatically download the newer version of agent when available without prompting the user for upgrade. For more information, refer to the page 12 of the Global Protect Tech note: https://live.paloaltonetworks.com/servlet/JiveServlet/previewBody/2020-102-19-14175/GlobalProtect-Configuration-Rev-I.pdf Best regards, Karthik RP ... View more

If by subdomains, do you mean how to restrict access for the admins to see logs on  the firewalls in a specific device groups? Refer the below document, that explains how to restrict manageable firewall access to admins https://live.paloaltonetworks.com/docs/DOC-3106 You can restrict access to a device groups or to individual firewalls themselves. The doc shows device groups. The below snapshot shows restricting the admin to firewalls. You can then select an admin role profile, and limit the access to only the logs as shown below: And use this admin role profile under the admin. Hope this helps. BR, Karthik ... View more

We cannot disable these messages, as they are notifications about OSPF state changes. If you are seeing these messages frequently, then it appears that the adjacency on eth1/xx is flapping, and can introduce instability in the OSPF domain. 1)  Verify if the Link itself is not flapping 2) Verify if there is no MTU mismatch on the interfaces ( If there is a mismatch in the interface MTU, the OSPF states wouldnt go beyond Exstart ) 3) Ensure that you have a policy to permit OSPF for the zone on which eth1/xx is configured on BR, Karthik ... View more

Since the traffic hits inbound first on the PANFW firwall, and we are destination NATing the packets  to the exchange server, configure a source NAT translation on the same NAT rule, and NAT ( IP and port) it to the IP address of the interface through which the exchange server is reachable on. This ensures that the traffic, when it leaves the firewall has the source IP as that of its interface, and destination interface as that of the exchange server. With this setting, the exchange server will respond to the IP address of the firewall, which is known internally in the network ( as a connected route, and for which the switch has a MAC table entry for ). Once this packet reaches the firewall, the firewall will perform the reverse Source and Destination NAT. Hope this helps. Best regards, Karthik  ... View more

It doesnt make sense that you can ping in one direction, and indeed it is taking the default routes somewhere. More likely to be a routing or a policy issue. ( Cannot rule out proxy id issue as well ) From the output, I see that the 192.168.1.0/24 is reachable on the tunnel interface, ie tunnel.5. I am assuming that this is on the Noway firewall. Do you have a similar route on the Finland firewall, pointing out to 192.168.120.0/24 on its tunnel interface. We would appreciate it, if you can attach the network diagram, about how the users are trying to connect from the global protect client to the users on 192.168.1.0/24 network. Plus, please attach the screenshots of the tunnel interfaces and the zones on which they are configured,  the policies, the >show routing route command from both the firewalls, Have you added mirrored image proxy ids on both the firewalls? Best regards, Karthik ... View more

If the team viewer traffic works fine, I am assuming that there is an issue with the policy. Can you verify if 1) The client obtained the routing information from the gateway. You can look that up, by going under the troubleshooting tab of the global protect client, or typing 'route print' on the windows cmd. 2) Verify if the tunnel 1 is configured with a zone and a virtual router, and if there is a policy in place to allow traffic from the zone of the tunnel.1 interface to the internal networks. 3) If the internal network (192.168.1.0/24) is not connected directly to the firewall, and are a couple of hops away from the firewall, ensure that the hops know the route to 192.168.120.0/24. Or else you can Source NAT  the traffic (from the tunnel zone to internal zone), to the IP address of the interface from where the internal networks are reachable on the firewall. 4) When you mention that the pings work from 192.168.1.4 to 192.168.120.12, do you see both the echo responses come back from the 192.168.120.12? 5) Ensure that you do not have a route to 192.168.120.0 being pointed out via another interface on the PANFW. 6) Traceroute from 192.168.120.12 and find out at which IP address the pings die Best regards, Karthik ... View more

Hi Knut, Are the clients connected to the global protect gateway, but cannot access networks behind the PANFW? If the clients are connected to the gateway, there are 3 things that I would check 1) Check the access route configuration on the gateway. The access routes that you configure on the gateways get pushed to the clients routing table. You can change the access route from using a split tunneling to allowing all the routes ( 0.0.0.0/0 as the access route) to troubleshoot if you can reach the internet or internal networks. Plus if you are connecting from an Iphone/Ipad split tunneling doesn't work, because of a limitation of the apple devices 2)  ensure that the  IP address assigned to you does not overlap with the other IP addresses on your network adapters on your PC, where you are connecting from.. 3) Verify the DNS settings being pushed from the gateway to the client. BR, Karthik ... View more

Did you experience a latency in the traffic, when you saw the counters drop to this value? Can you elaborate more about that you meant by "delayed to connect Web-Server", Can you try configuring the DSRI option on the firewall as mentioned in the below links, to see if it makes a difference. https://live.paloaltonetworks.com/message/21078#21078 https://live.paloaltonetworks.com/docs/DOC-3821 Threat Prevention performance will not be impacted by the number of Threat Prevention profiles or the number of signatures that are enabled thanks to the single pass parallel processing architecture (SP3) unique to the Palo Alto Networks firewall. Any session content is inspected in parallel by the Antivirus, Anti-Spyware and Vulnerability Protection features. One notable configuration setting that will have a positive impact on performance is DSRI or Disable Server Response Inspection. With DSRI turned on, server response traffic is not inspected, which will increase the throughput capacity. Obviously, enabling this feature is only recommended for trusted servers. Best regards, Karthik ... View more

Glad that it works! If I have been able to answer your queries, you can mark my answer as a correct answer for the benefit of other people, asking the same question in future BR, Karthik ... View more