About mbutt

Like suggested by sraghunandan you should definitely try app override.Below is what happens when you do app override Issue The Palo Alto Networks device is classifying traffic as "Unknown-TCP" or "Unknown-UDP". A custom application override is created and applied to a rule to re-categorize the traffic. The traffic is now properly identified but there is no URL filtering applied to the traffic falling under that rule. Resolution This is normal behavior.  A rule with a custom application override does not pass through any of the URL, threat or anti-virus scanning engines.  The scanning engine will be used with an app-override if you use an existing built-in application such as web-browsing. See also How to Create an Application Override The above information can be accessed on the following link as well. https://live.paloaltonetworks.com/docs/DOC-1343 Let us know if this helps. Thanks ... View more

The following doc explains How to Configure the PAN for use with Steel-belted RADIUS https://live.paloaltonetworks.com/docs/DOC-1831 Hope this helps. ... View more

Hi Vertical, Like panos said you might want to talk to ISP. From the logs it seems like the pppoe connection is not being setup and everything is being dropped. Once the password and user name is confirmed than we will be able to move forward. Also in the mean time if you think you can not verify password with ISP then seutp a connection on laptop and see if the existing password and connection works. If it works then there might be something wrong with the firewall and you might need to open a support case. But make sure you validate the user name and password by setting up it on a laptop. Hope this helps narrow down the issue. Thanks Numan ... View more

Hi Jbo, In the ldap profile under domain it is suppose to be netbios domain name and not FQDN. If you specify a wrong netbios domain name then the mapping will be incorrect and policies will not work correctly either. The reason is it appends the netbios domain name  you specify when it mapping the users. Hope that helps. Thanks Numan ... View more

Please verify on the tunnel you have created you have proxy id setup for the subnet traffic that needs to go through the tunnel. However if you have both sides as palo alto then you do not need to set proxy id. Here is a doc which explains why proxy ids are needed. https://live.paloaltonetworks.com/docs/DOC-3073 Also if you still see the issue after verifying this you can use the following steps to troubleshoot 1. Need to setup the filters for the traffic we are interested in. To do this, execute the following steps: Navigate to Monitor--Packet Capture Click 'Manage Filters' Set Filter ID 1 to be the source IP and destination IP of traffic you feel is affected ( leave all other fields blank ) Set Filter ID 2 to be the exact inverse of what you did in step 3 (destination IP in source field, Source IP in destination field) 2. Setup up the captures Create and name the file stage for a packet capture on all the stages (receive, transmit, firewall and drop) 3. Enable filters and captures debug dataplane packet-diag set filter on debug dataplane packet-diag set capture on 4. open 2 CLI windows on 1 run the following command to look at the counter ( make sure it run this command once before running the traffic) show counter global filter packet-filter yes delta yes on the 2nd window run the following command to look at he sessions show session all filter source <ip address> destination <ip address> After your test has been done stop all the captures and filters and see if global counter show you anything why it is dropping the traffic or if you have getting pcap with drop stage. This will help you narrow down the issue. Let us know if this helps you resolve the issue. Thanks Numan ... View more

The following doc explains how to do this https://live.paloaltonetworks.com/docs/DOC-3699 Let us know if this helps. Thanks Numan ... View more

HI Vertical, I am not sure what software version are you on but i know of an issue not where PA did not support relay session id and that was enhanced in 5.0.3. While doing the setup you can also tail the pppoed process to see what messages you are seeing tail follow yes mp-log pppoed.log Here is the bug which you can also verify in the release notes of 5.0.3 42147—PPPoE sessions were failing on the firewall when a PPPoE relay device was used between the firewall and the PPPoE sever. Issue due to a problem where the firewall was not parsing relay session IDs that begin with Null. As of this release (5.0.3), PAN-OS will now work with PPPoE relay. Hope this helps in narrowing down the issue. Thank you Numan ... View more

If i recall correctly once you activate the new version the users will be prompted to either upgrade to the newer version or not but i am not sure. Also for the new users they will have to go to the https://ssl-vpn-ip-address to download the client. Let us know if this helps. Thanks Numan ... View more

just to clarify you are able to browse the traffic however you are not able to ping 8.8.8.8. From the logs it seems you are able to do web-browsing and google analytic. The traffic is being seen in both directions. However when you are pinging you are not seeing the traffic. Try ping from CLI using source as external ip to make sure you have connection upstream. The command would be ping source (188.110.47.216 or the ip you are getting on the public interface) host 8.8.8.8 If this is successful then atleast you have connection from public interface to upstream. Then try to use the internal interface using the same command. If that fails you can trouble shoot it doing the following 1. Need to setup the filters for the traffic we are interested in. To do this, execute the following steps: Navigate to Monitor--Packet Capture Click 'Manage Filters' Set Filter ID 1 to be the source IP and destination IP of traffic you feel is affected ( leave all other fields blank ) Set Filter ID 2 to be the exact inverse of what you did in step 3 (destination IP in source field, Source IP in destination field) 2. Setup up the captures Create and name the file stage for a packet capture on all the stages (receive, transmit, firewall and drop) 3. Enable filters and captures  debug dataplane packet-diag set filter on debug dataplane packet-diag set capture on 4. open 2 CLI windows on 1 run the following command to look at the counter ( make sure it run this command once before running the traffic) show counter global filter packet-filter yes delta yes on the 2nd window run the following command to look at he sessions show session all filter source <ip address> destination <ip address> After your test has been done stop all the captures and filters and see if global counter show you anything why it is dropping the traffic or if you have getting pcap with drop stage. This will help you narrow down the issue. Let us know if this helps you resolve the issue. Thanks Numan ... View more

i just tried it with IE as well and it is opening the window for me. Also once you are in debug mode as bdeschut suggested try clearing the preferences as well. Let us know if this helps. Thanks ... View more

Hi Val, Two things you might want to look at. If they are using VLAN's then make sure that you have tag allowed in the vwire Below is the description of tag allowed in vwire and a snapshot of where to configure it Network--->virtual wire---. configured virtual wire Tags Allowed Enter the tag number (0 to 4094) or range of tag numbers (tag1-tag2) for the traffic allowed on the virtual wire. A tag value of zero indicates untagged traffic (the default). Multiple tags or ranges must be separated by commas. Traffic that has an excluded tag value is dropped. Note that tag values are not changed on incoming or outgoing packets. When utilizing virtual wire subinterfaces, the Tag Allowed list will cause all traffic with the listed tags to be classified to the parent virtual wire. Virtual wire subinterfaces must utilize tags that do not exist in the parent's Tag Allowed list. Secondly it would be good to have them in separate zone e.g VW-inside,VW-outside. So the logs can be seen in the traffic logs. Network--> Zones Now apply them to the interfaces you have the Vwires configured on If all the above is done then make sure the security policy is allowed in both direction and no security profile is configured on it. Once all the above has been verified and you have the traffic flowing then you can tighten up the policies and enable other features. Also another thing you can consider is clearing the arp on the router or upstream side. If it is a modem or a connection provided i have seen where the arp does not clear out and the traffic does not flow properly on the upstream device. So if it is a small office modem or cable router then you might want to restart that as well to make sure arp is cleared on both Checkpoint and router and PA as well. Let us know if this helps in convincing him. Thanks Numan ... View more

Do you have jumbo frames enabled. There was an issue which was seen on release 4.1.3 which got fixed in 4.1.7. Bug 40409: Palo Alto Networks firewall not able to setup an OSPF link when using P2P to a Cisco router with jumbo-frames enabled, but broadcast mode does work. Issue with to P2P mode only, which has been fixed. Another issue was seen in release 4.1.7 which has been fixed in 4.1.13 and 5.0.4 Bug 45687:  When HA fails over from the active device to the passive device, it took more than a couple of minutes to re-establish the OSPF adjacency when the OSPF database was large. This occurred in rare situations and was due to the new active device sending redundant Database Description (DD) packets. If the neighbor OSPF router cannot handle the duplicate OSPF DD packets, the OSPF database exchange can be aborted multiple times. This issue has been resolved with this release such that the redundant DD packets are not sent. I am not sure if you are running into any of the above issue. Thanks ... View more