This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
Buy or Renew
Buy or Renew

About gwesson

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
gwesson
‎10-10-2019
since ‎03-27-2012
L7 Applicator
User Activity
User Profile
Latest posts by gwesson
View All
User Badges
Community Statistics
Member Since ‎03-27-2012 04:23 PM
Date Last Visited ‎10-10-2019 02:19 PM
Posts 731
Total Likes Received 296

Re: Password changed for user admin

by in General Topics
‎07-03-2018 10:57 AM
2 Kudos
‎07-03-2018 10:57 AM
2 Kudos
Device tab (or Panorama tab if using it) > Config Audit   At the bottom, compare the most recent config version before and after that log entry. If the password was changed, you should see an entry like:     If the phash value is the same, the password didn't actually change. If the password did change, then you'll need to take a closer look at the logs under Monitor > Configuration. The user who changed the password may have been logged in for quite a while or even via serial console. If you've got a console server connected to the device, check its logs as well to see who may have logged in. ... View more

Re: Management CPU Utilization is 100%

by in General Topics
‎06-28-2018 01:03 PM
1 Kudo
‎06-28-2018 01:03 PM
1 Kudo
I think there was probably a typo from support, it's most likely "genindex.sh" which runs every 15 minutes to create summary reports. There's quite a bit you can do to reduce some of those. Here's a good article on some steps that can help: https://live.paloaltonetworks.com/t5/Featured-Articles/Tips-amp-Tricks-Reducing-Management-Plane-Load/ta-p/64681   The last part talks specifically about the reports, but the whole article is pretty helpful. ... View more

Re: how interpret MAC in pcap

by in General Topics
‎06-28-2018 12:46 PM
1 Kudo
‎06-28-2018 12:46 PM
1 Kudo
You are correct in your assertions: When a packet arrives on an L3 interface, that packet's destination MAC should be the firewall's ingress interface. When a packet arrives on an L2 interface, it will have the destination MAC of the next L3 hop.   Some odd MAC addresses in captures can be caused by technologies like VRRP/HSRP or other tech that uses a virtual MAC address.   If you can provide additional detail specifics like the actual MAC prefix, as well as the specifics about the NAT problem you're seeing it would also help. ... View more

Re: Configuring OCSP

by in General Topics
‎06-06-2018 10:11 AM
‎06-06-2018 10:11 AM
If your OCSP responder IP  is your management IP address, then you need to configure that for HTTP OCSP:     If you're using a service route (a dataplane interface) instead, you'll need to enable HTTP OCSP as an interface profile instead, and assign that profile to the appropriate interface:   ... View more

Re: X-forwarded-for not showing results

by in General Topics
‎06-05-2018 01:37 PM
1 Kudo
‎06-05-2018 01:37 PM
1 Kudo
Starting with PAN-OS 8.0, you can use the XFF header for URL Filtering logs as well as for general use with security policies by mapping the XFF IP with a user name. You will need User-ID configured for that mapping to work:   https://www.paloaltonetworks.com/documentation/80/pan-os/pan-os/policy/identify-users-connected-through-a-proxy-server/use-xff-values-for-policies-and-logging-source-users   @BPry pointed out that these are external clients rather than users managed by the firewall. I missed that these are external addresses. There wouldn't be a way to map the external addresses to user names in that scenario. ... View more

Re: Connecting to Management GUI remotely on a different port.

by in General Topics
‎05-07-2018 11:45 AM
4 Kudos
‎05-07-2018 11:45 AM
4 Kudos
First, I have to mention that it is probably a bad idea to put firewall management on a public interface. I highly recommend against doing that.   If you must, please restrict it to the IPs you're using and ideally lock it down to multi-factor auth. edit: Here's the official best practices for management of the devices: https://www.paloaltonetworks.com/documentation/80/pan-os/pan-os/getting-started/best-practices-for-securing-administrative-access   That said, if you do want to put GlobalProtect (GP) as the same interface as a dataplane port for which you have enabled management, the firewall will automatically shift the management listener to port 4443 while keeping GP on 443. It's not something that can be customized so you'll need to make do with those ports, but will allow you to access the management service and still provide GP functionality. ... View more

Re: Best way to save new config, so they can be loaded and committed later?

by in General Topics
‎04-23-2018 04:13 PM
‎04-23-2018 04:13 PM
In addition to the export, another option would be to save it as a Named Configuration Snapshot then hit the Revert to running configuration link. That saves it as a name that can be referenced later but doesn't touch the running/current configuration.   ... View more

Re: Global Protect include a specific URL?

by in General Topics
‎04-20-2018 03:21 PM
‎04-20-2018 03:21 PM
If you can get a list of the IPs used by Okta, you can set that up in PAN-OS 7.1.15 with your split tunnel mechanism. Minemeld may have something for that as well.   If that is not practical or even not possible at all, tunnel splitting by app is new in 8.1 and cannot be set in 8.0 and older.  ... View more

Re: How-to delete a policy-based forwarding rule from CLI

by in General Topics
‎04-20-2018 03:07 PM
1 Kudo
‎04-20-2018 03:07 PM
1 Kudo
If the rule in question is not pushed by Panorama, you can delete it locally without issue: > configure # delete rulebase security rules RuleNameHere # commit     If the rule was pushed by Panorama, it can be deleted on Panorama via CLI as well. The syntax gets more complex because you need to specify the device group and specify the rule type (pre-rule or post-rule). > configure # delete device-group DGNameHere pre-rulebase security rules RuleNameHere # commit   I am fairly sure there is a way to delete Panorama-pushed rules on the firewall (if the Panorama admin allows that), but can't find it offhand.   ... View more

Re: GlobalProtect User Report with Login and Log-out time

by in General Topics
‎04-18-2018 12:00 PM
‎04-18-2018 12:00 PM
You can get the info from CLI, I don't think there is a built-in or custom report option that gives you that detail.    Run: show global-protect-gateway previous-user You'll get an output like (some details obfuscated): Tunnel Name : GP-Gateway Domain-User Name : \gwesson Computer : Greg's Phone Client : Apple iOS 11.2.6 VPN Type : Device Level VPN Mobile ID : f106...1b63 Client OS : iOS Private IP : 172.20.30.47 Private IPv6 : :: Public IP (connected) : 192.0.2.1 Public IPv6 : :: ESP : exist SSL : none Login Time : Mar.04 14:52:44 Logout/Expiration : *Mar.04 14:53:05 Reason : client logout Domain-User Name : \gwesson Computer : Greg's Computer Client : Apple Mac OS X 10.13.3 VPN Type : Device Level VPN Mobile ID : Client OS : Mac Private IP : 172.20.30.48 Private IPv6 : :: Public IP (connected) : 192.0.2.2 Public IPv6 : :: ESP : removed SSL : exist Login Time : Apr.11 17:51:36 Logout/Expiration : *Apr.11 20:52:32 Reason : user session expired You should be able to get the same data via XML API, or even something like an Expect script. You can also replace "previous-user" with "current-user" to see the users that have not logged out. ... View more

Re: commit status warning on rules that are working the way I want them too

by in General Topics
‎04-02-2018 11:53 AM
1 Kudo
‎04-02-2018 11:53 AM
1 Kudo
Sometimes App-ID can determine that the app is google-play without using the application dependencies, so you're able to see the app. An example is one where the client is sending the Client Hello with "play.google.com" in the server_name extension, so it's easy to tell.   But other times the user would have already been logged into google, and the check is against "accounts.google.com". Unless you're doing SSL decryption, you can't see the actual encrypted request to the play store. If you can't see that it's google play and you haven't allowed SSL anywhere in your security policy, there will be situations where a user is denied going to google play but other times it works fine.   The commit warning could probably be "application 'google-play' requires 'google-base' to be allowed for reliable detection of 'google-play'", but that may just be too wordy and may even generate more questions about what specific scenarios will cause it to be matched versus not. It's much simpler to state the dependency as a requirement, even if there are conditions that will sometimes allow for detection.  ... View more

Re: Destination NAT not working

by in General Topics
‎03-29-2018 04:07 PM
‎03-29-2018 04:07 PM
> Question: If I am accepting SSL VPN clients on the same external interface/IP, does that cause issues for port forwarding?   Only if it's on the same port. If your SSL VPN is using 443, it won't have any affect on any other ports (like 5001 or 22).    If you're trying to forward 443 though, something will break. The packet comes to the firewall only as a SYN on port 443, so the firewall won't know if it's destined for its own interface for GlobalProtect or if it should forward it to the server. It'll pick one, but I'm not sure which offhand. ... View more

Re: Destination NAT not working

by in General Topics
‎03-29-2018 11:32 AM
‎03-29-2018 11:32 AM
Your config looks good, and it tripped me up a bit because my Synology NAS is also on 192.168.1.25.    Make sure that your NAS has a route that takes it through the firewall. It can't just go through on any interface, it has to match the interface that sent the NAT external traffic to your NAS.   You can also try doing source NAT on your inbound NAT rule for the NAS as well. Set the source NAT to be the IP of the firewall's Internal-L3 interface. ... View more

Re: GlobalProtect and general Internet access?

by in General Topics
‎03-28-2018 02:47 PM
1 Kudo
‎03-28-2018 02:47 PM
1 Kudo
Though split tunnel has been there since the beginning, prior to 8.0 you couldn't exclude a network. You had to do it all with inclusion, which was tedious if you wanted to allow a /8 but only exclude a few subnets within it.    With 8.1 and GP 4.1 out now as well, that can go even further by specifying apps that you want to split: https://www.paloaltonetworks.com/documentation/41/globalprotect/globalprotect-app-new-features/new-features-released-in-gp-agent-4_1/split-tunnel-for-public-applications   The "New Features" guides show only changes from the previous major release, but I can see the confusion because it doesn't make it obvious which part of the screenshot is the new feature and which is the existing. Once you get familiar with all the features, the incremental changes are easier to handle 🙂 ... View more

Re: test security-policy-match application ping -> Server error : argument protocol is required

by in General Topics
‎03-21-2018 10:35 AM
1 Kudo
‎03-21-2018 10:35 AM
1 Kudo
You need to specify the protocol for ICMP, which is 1. That works well for me: > test security-policy-match application ping from Trust to Internet source 192.168.1.1 destination 192.168.2.1 protocol 1 "Default Outbound; index: 5" {         from Trust;         source any;         source-region none;         to Internet;         destination any;         destination-region none;         user any;         category any;         application/service  any/any/any/any;         action allow;         icmp-unreachable: no         terminal yes; } The full list of protocols assigned by IANA is here, in case you want to test others (TCP is 6, UDP is 17 for example): https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml   ... View more
Register or Sign-in
Contact Me
Online Status
Offline
Date Last Visited
‎10-10-2019 02:19 PM
Latest Tags
No tags yet
LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2025 - Palo Alto Networks