About gwesson

You might be able to create a custom signature for browser user-agent headers. It's no guarantee, but might be enough. The IE string is "Windows NT 5.1", and in other browsers it will probably list "XP". You'll probably want to make it case sensitive and search for strings online to help get a better picture. Hope this helps, Greg Wesson ... View more

Sorry about that, my firewall is running 6.0.1 and I assumed it would be the same on a 5.0 box as well. It looks like the 'pool' output was added to the 6.0 version, so that's a new feature. There is no feature in 5.0 that would give you a summary from what I could find. Your best bet would be to turn on logging in your SSH program, turn off CLI paging (set cli pager off), then do a grep -c or something similar to count the number of lines you got that match your /21 (cat output.txt | grep -c 172.16.). Once you're ready to upgrade to 6.0, you can use the other command I gave before. Cheers, Greg ... View more

Hello, > show dhcp server lease all | match pool This will output the leases, but only match lines with "pool" in the name. A sample output is: > show dhcp server lease all | match pool Allocated IPs: 0, Total number of IPs in pool: 26. 0.0000% used Allocated IPs: 7, Total number of IPs in pool: 21. 33.3333% used Hope this helps, Greg ... View more

You may have too many log entries to export. Check the max rows you have configured, if it's set to default of 65535 and your CSV file has that many entries, you're probably hitting that limitation. You can bump up the max export, but it's not really designed to be a full log export, more of a way to provide some useful data to crunch through: http://screencast.com/t/vKbOpNoFkSW3 Hope this helps, Greg ... View more

@Lahcen when you get a certificate from a public CA like Go Daddy or Symmantec, they won't generate it with the "CA" flag checked, which means you won't be able to use it for SSL decryption. You have to either use a CA generated on the firewall, or one from an in-house CA. The challenge you are talking about is a common one, and there are a couple solutions. Some admins choose to not decrypt BYOD or guest content, but also not allow those devices full access to all resources to help mitigate any threats that may be missed by not doing decryption. Setting up separate wireless SSIDs can help with that. You may have a guest wifi that doesn't do decryption and only allows access to the Internet. Then you'd have a corporate wifi that does decryption, possibly with a splash page that has a link to your internal CA root certificate that can be downloaded with instructions on how to install it to various devices. There's no one solution that makes it seamless. The highly authenticated nature of SSL makes this challenge present, but also guarantees that a man-in-the-middle attack isn't going to be something easy to do. Hope this helps, Greg ... View more

I log in to a PA-200 using the FQDN almost daily from a remote location and have not seen this issue. I am using a public CA (godaddy) for that certificate, and it was the same cert used when I was running 5.0.10. A couple things you might try: 1. Check the authd.log file to see if there is anything relating to the login there: > less mp-log authd.log {hit Shift+G to go to the bottom of the log, navigation is the same as linux 'less' or VIM} 2. Turn on authd debug and check the above log again after attempting a login > debug authd on debug {disable it afterwards with 'debug authd on info'} 3. If the auth is successful as I suspect, you may be experiencing an issue with the PHP that the GUI web server is using. There's an article on getting a PHP debug log from the GUI, though it may be difficult if you can't get in to begin with. Still, may be worth a shot: How to Run a PAN-OS Web UI Debug Hope this helps! Greg ... View more

You wouldn't want to put it in both an allow list and an alert custom category. Instead, remove them from the allow list and make them only exist in the custom URL category for which you have set them to alert. That way when it goes through the #2 on your list, it won't see facebook.com, and will then got to #3 hitting the Alert action on that custom category. Hope this helps, Greg ... View more

The reason that "incomplete" is not selectable is because the firewall doesn't know ahead of time what the app is. All applications technically start as incomplete and are changed into some valid application once enough packets come in. Only when that session has failed to establish does the log get written and the app is listed as incomplete. Thus, there is no way to trigger on that. The cart is before the horse, so to speak. If you were to be able to trigger on 'incomplete', everything would trigger. You can enable brute force attempt blocking via vulnerability profiles. There is a DOS protection policy you can put in place, and a zone protection policy to cover a whole zone. Hope this helps, Greg ... View more

You could always report it without creating a case if you want to just supply basic info to the application team: http://researchcenter.paloaltonetworks.com/submit-an-application/ That link allows you to submit an app along with your company and email so the content team can get in touch if they need more info. If you have a packet capture, even better. If not, the content team may still be able to redefine that traffic. Hope this helps, Greg ... View more

I'd say that is a bug. The red underline is just your browser highlighting the words it doesn't recognize (oddly, Ruel is a word but only with caps, it's the surname of people and the name of a couple towns). If the entire field has a single red underline you can hover over it to get more information as Karthik mentioned. I tested this out on my firewall running 5.0.10 and I also don't get a pop-up warning that it's wrong. I don't recall any setting or feature update, so I'd encourage you to open a support ticket if you have a contract so this can be provided to the developers. Hope this helps, Greg ... View more

In the example you have, the host is the Server, so it'll be a "server-high" with an action of Alert. If it was a server attacking a client, or a client-targeted vulnerability, it would be a "client-high" which does have an action of block. Effectively, the host field is equivalent to the target. Hope this helps, Greg ... View more

If you have openssl installed (or you install it), you can check the cert by running: openssl s_client -connect www.example.com:443 Just change the site to your portal address. It'll pull down the certificate and show you the common name. Hope this helps, Greg ... View more

While I don't know exactly why this is happening, there have been a great deal of fixes to various User-ID issues between 5.0.2 and 5.0.9. Some of the changes were indeed regarding ip-to-user mappings not displaying in logs, so it might be worth upgrading to 5.0.9 to see if the issue is resolved before going with a support ticket. That said, you can also turn on debugging in the user ID process and tail the log. When the mapping starts to show up blank, turn off debugging and parse through the log to see what may be happening. Turn on the debug: > debug user-id on debug Turn off the debug: > debug user-id on info Parse through the log (uses standard linux "less" navigation): > less mp-log useridd.log That may help explain what is going on when the mapping stops to display. Hope this helps, Greg ... View more

Every packet, including those that match an existing session, gets a route look-up. My recommendation is to ensure that there is a correct route for each IP in question: > test routing fib-lookup virtual-router <VR_NAME> ip <IP_ADDRESS> Do this for both directions, and ensure that the destination interface matches the correct zone. If not, you'll want to either add a static route, update whatever dynamic routing you use, or modify your interface zone configuration to ensure the destination on the return path is pointing to the correct zone. Hope this helps, Greg ... View more