About mbutt

mbutt · ‎08-12-2013

Even though it will require human intervention and going through the Release notes, one possible work around i can think of is to set a THRESHOLD on application and Threat update schedule. If you want the content to update automatically but giving you enough time to go through the release notes. So if for some reason you did not get a chance to go through the Release notes the content will still get updated. since we know that the content update happen weekly you can delay it with threshold. Antivirus: Daily Applications and Threats: Weekly (Wednesday) URL Filtering: Daily Below is the doc which epxlains the same information as above for update Schedule. https://live.paloaltonetworks.com/docs/DOC-2902 Hope this helps in some degree to provide you enough time to research on the new updates. Thank you Numan

mbutt · ‎08-12-2013

Please look at the following doc. It seems related to OWA and decryption. https://live.paloaltonetworks.com/docs/DOC-1223#comment-1093 Hope this helps. Thanks

mbutt · ‎08-10-2013

After an upgrade or reboot of the firewall. Firewall does an auto-commit on it. what i have seen is usually you are able to login with the local accounts into GUI and CLI. However till the auto-commit is not finished you will not have the traffic passing through the firewall as the data plane ports are not up. So if you have local account you can try to login with it, if firewall allows and check on the auto-commit and see when it finishes by using following command. show job all. Hope this gives a little inside to the behavior. Thanks Numan

mbutt · ‎08-10-2013

If you have an ip address in the NAT rule that is not configured on the PA firewall then you need to configure a fake route for it work. Below is the document that explains on how to do that Destination NAT for a Network not Connected to the Firewall Moreover if you are trying to do a U-turn NAT following doc explains with examples on to do that page 22. https://live.paloaltonetworks.com/docs/DOC-1517 Moreover the above document give good understanding of NAT on the PA firewalls. Please let us know if this helps. Thanks Numan

mbutt · ‎08-10-2013

Here is also a brief description why that particular rule is catching incomplete or insufficient traffic. 1. Firewall allows few packets initially through to identify the traffic as an application and that traffic can be leaked matching any rule or most open rule. 2. Once the traffic is leaked we try to identify it as application. 3. Also incomplete or insufficient data is not an application. 4. Since the traffic passed through firewall was either one directional or not sufficient packets were passed through it, firewall could not make determination to match it to a specific rule. 5. Since that determination was not made it showed the traffic matching to rule on which it initially leaked the packet through to make the determination of the application. 6. Moreover unknown-udp or unknown-tcp is shown for the traffic for which we do not have the signature to identify it as an application. But if that determination is never made then applcation shows up as incomplete or insufficient data. Below is the doc which is intended to provide an overview of how to identify unknown applications on your network and what to do once they have been identified. https://live.paloaltonetworks.com/docs/DOC-2007 Here is a doc which explains different definitions of application when they are not determined https://live.paloaltonetworks.com/docs/DOC-1549 Hope this clarifies the situation furthermore and explains the behavior. Thanks Numan

mbutt · ‎08-10-2013

Following feature request has been filed on this FR ID: 1284.Multiple Countries in a Single Object You can request your local SE so he can also add you to this list. Hope this helps. Thanks Numan

mbutt · ‎08-10-2013

If you are not having split brain issue anymore and still running into issues with traffic. Try creating an app override for that traffic and see if that helps. Here is how to create an app override. https://live.paloaltonetworks.com/docs/DOC-1071 Hope this helps. Thanks

mbutt · ‎08-10-2013

For dataplane ports create a management profile by going to Network ---->interface management---> select the services you want and allow permitted ip addresses. Now apply to the interface you are interested on by going to network ---->interfaces To permit certain ip address on management interface you can go to Device--> setup -> management->management interface settings. select the services you want and allow permitted ip addresses. Hope this helps. Thanks

mbutt · ‎08-09-2013

If it was working at one point and then it stopped working and you are using user id agent which is installed somewhere. I would recommend you make sure that the mapping is showing up in the user id agent before restarting anything. If the mapping is showing on the user id agent and there is not Access control List created on it. After that has been verified make sure you do not have a service route for user id agent created on the firewall device---> setup---> service Then make sure on the firewall if your managment traffic is passing through your dataplane ports. If it is, then verify that you are not blocking the traffic. Also make sure that your user id agent are connected to the firewall. One more important thing to check is, in ldap profile where it has domain box. verify it is netbios domain name and not dns. Hope this helps. Thanks

mbutt · ‎08-07-2013

I am not sure what OS version you are on and what browser you are using to access it. There was a bug which has been fixed in 5.0.5 and 5.1.1. Bug 49171: Access to the firewall’s web interface was not available from Internet Explorer 7. The issue has been resolved with this release. Hope this helps. Thank you Numan

mbutt · ‎08-06-2013

If you are on 4.1.x OS version then you will have user id agent installed on the DC. Then you can look at the following docs to create an ignore user list https://live.paloaltonetworks.com/docs/DOC-1987 https://live.paloaltonetworks.com/docs/DOC-1116 If you are on 5.0.x and are using agentless user id agent then as Vince pointed you can use those docs as reference https://live.paloaltonetworks.com/docs/DOC-4278#comment-3404 https://live.paloaltonetworks.com/message/22261#22261 Hope this helps. Thanks

mbutt · ‎08-05-2013

If you configured internal gateway on the GP client. It will automatically detect you on the internal LAN. and on the GP client it will show up as internal instead of connected. This way it will not create a tunnel for the client. Some useful docs for Global Protect configuration https://live.paloaltonetworks.com/docs/DOC-2904 https://live.paloaltonetworks.com/docs/DOC-2020 https://live.paloaltonetworks.com/docs/DOC-3930 Hope this helps. Thanks

mbutt · ‎08-05-2013

It is a bug 32363 which has been previously reported. However the bug will be fixed in next Major release. So it is not in 5.0.x. Hope this helps. Thanks

mbutt · ‎08-05-2013

If you are experiencing issues due to split brain, i think you should troubleshoot the split brain issue and see if you still have the VPN issue. Here is a good doc for it https://live.paloaltonetworks.com/docs/DOC-1094#comment-1321 https://live.paloaltonetworks.com/docs/DOC-1997 The following doc explains HA Failover optimization https://live.paloaltonetworks.com/docs/DOC-5008 Hope this helps Thanks

mbutt · ‎08-05-2013

I am not sure if you are looking for the following or not https://live.paloaltonetworks.com/docs/DOC-1662 https://live.paloaltonetworks.com/docs/DOC-1348 https://live.paloaltonetworks.com/docs/DOC-1580 Hope this helps Thanks

Member Since	‎03-19-2012 02:28 PM
Date Last Visited	‎03-21-2025 02:22 PM
Posts	365
Total Likes Received	206

Online Status	Offline
Date Last Visited	‎03-21-2025 02:22 PM

About mbutt

Re: CLI part 2

Re: How to Configure Dual VPNs with Dual ISPs from a Active Active Cluster to a Remote Site

Re: Avoid scanning threat vulnerabilities

Re: HA Group 1: Dataplane is down: packet descriptor leak detected on slot 1 dp0

Re: CLI part 2

Re: How to setup a redundant IP?

Re: Problem with NAT rules

Re: UIA - Not domain user Identification Problem

Re: how to work decryption policy?

Re: Network Monitor does not show specific data.

Re: Difference between apps and contents

Re: Custom App-ID iMessage

Re: Panorama Generating Blank Reports

Re: commands to debug traffic between two host using Palo alto firewall

Re: SNMP monitor parameters for Palo Alto

Steps to Apply Microsoft Patch to Addressed Meltdown and Spectre Vulnerability on Traps Agents

Re: What happens when a previously unknown App-ID gets added to PA through dynamic updates? How are others handling this situation?

Re: There is a question about a SSL decryption for OWA(outlook Web Access).

Re: Cannot log in after 5.0.5 upgrade

Re: Virtual IP

Re: Skype-probe rule catching other traffic

Re: Is it possible to group countries?

Re: Weird problem with SSL VPN traffic

Re: How can I only allow specific source address to insert XML-API request

Re: User-ID stopped populating mappings - OS 4.0.12

Re: What does PAnel Undefined not registered mean

Re: Two client account on one PC

Re: How to disable Global Protect inside Firewall

Re: Admin authentication using RADIUS without local accounts

Re: Weird problem with SSL VPN traffic

Re: User ID Mapping Directly to Firewalls

Unlock your full community experience!

About mbutt