About gwesson

I recommend adding several ranges to satisfy these conditions. The IP ranges are attempted in a top-down order, so for the IP pool you might set: 10.125.15.0/24 172.20.120.0/24 192.168.200.0/24 Explore more options, and you should find a solution that works for the majority of your clients. Each range is added to the firewall's routing table so there is nothing you need to add to the Virtual Router to get it to work correctly. Give that a shot, and you should be in good shape. Hope this helps! Greg Wesson ... View more

You can connect a linux client (using vpnc) to GlobalProtect as long as you've enabled tunnel mode and allow x-auth. For Android, if you have purchased the portal license you can use the native Android GlobalProtect client (I use it myself on my Galaxy S3). Even if you don't have the license you can use the native VPN function on Android and iOS, as long as you have it set up with x-auth as above. If you do have the paid license, you can find the app in the Play Store: https://play.google.com/store/apps/details?id=com.paloaltonetworks.globalprotect iOS version is here: https://itunes.apple.com/us/app/globalprotect/id592489989?mt=8 Here's a doc talking about how to enable x-auth and get vpnc to connect: using vpnc with Palo Alto 4.1 IPSEC/Xauth Hope this helps! Greg edit: had the wrong link to the discussion before - sorry about that! ... View more

Session IDs are reused according to the device session capability. To check, you can use the CLI command "show session info". Here is an example from a PA-200: Number of sessions supported:                    65532 Number of active sessions:                       1560 If you are looking at logs long enough after they were created, the session ID will have been reused. You can take a look at your average active session usage at peak times to get an idea of the maximum time you should expect the sessions to remain valid for future review. A PA-5060 used only in a lab may have weeks or months before the session IDs wrap, but that same firewall used in a full production environment close to capacity may see only a few hours before those IDs are reused. Hope this helps, Greg ... View more

If you could convert that config output into CLI commands or add the XML back in, it would import. If the output is just the XML data without the XML tags, it will not import as the tags are needed to delimit the fields. You may want to check out the devcenter forum, where there are a number of community-supported scripts you could potentially use. Hope this helps, Greg Wesson ... View more

In your GP gateway configuration, are you specifying the CN in the cert (it appears to be "vpn.celadontrucking.com") or the IP address (198.199.129.150)? They should match for the connection to work. So if the cert has the fqdn, the gateway address you list should also be the fqdn. The other common issue with chained certs is that the full chain (minus the root) should be imported when adding the cert to your firewall. Check out this doc: https://live.paloaltonetworks.com/docs/DOC-4289 Hopefully one of the two will work for you. Greg ... View more

The "previous segment lost" indicates a packet was lost in the transmission. The "out-of-order" was likely that lost packet being resent. The "dup ack 170" is saying that the ACK in frame 170 was sent twice to tell the server about the lost frame. As Karthik mentioned, this is part of the normal TCP flow in the event of any packet loss. Enabling Wildfire should not introduce any latency as the files are sent out-of-band with the client. If you have a lot of files going up to the cloud in addition to your normal browsing, there could be a load issue causing packet loss. Knowing where you took the capture and what two endpoints are involved in the packet loss might help too (client-to-firewall, firewall-to-server, firewall-to-wildfire, etc.). Hope this helps, Greg ... View more

You may want to try checking the category on the firewall itself: > check url www.example.com The session output shows that the firewall isn't able to resolve the URL category. The site(s) you added to the custom URL category may not be the full list of domains. If you were to add paloaltonetworks.com to a custom URL category, there are other categories referenced by that page. Things like CDNs (akamai, etc.), site analytic cookies, and similar content may not be displayed if you are only allowing the custom category you created. Hope this helps, Greg ... View more

The firewall acts as the client when talking to the web server. It pulls the cert info from the server cert, then uses the CN and validity period to generate a new private/public key pair on the fly. It is that newly generated cert that is sent to the client in a separate session. This temporary cert is discarded after a cache period, and a new one is created again should another user go to that site. The firewall has the data fully decrypted on-box, but with the two separate SSL connections (separate session keys, etc.) the encryption is maintained client- and server-side. -Greg ... View more

Hi Mariusz, It's best to start a new thread if you have your own question. That'll make things more easily searchable in the forum for future users. To answer your question, the certificate is created on the fly when doing SSL decryption. That private key is not exportable, and is discarded after a cache period. You will not be able to decode the traffic later in Wireshark (or any other tool) because of that. Hope this helps, Greg ... View more

When you log at session start as you are doing, you'll see the application as shown at the start of the session rather than after the application has received enough packets to be correctly identified. In the two you linked, the first (as 'ssl') is showing 4 packets - syn; syn,ack; ack; client hello. That is enough packets to identify it initially as SSL, so we install the session and write the log. The next entry is 7 packets, and is enough to determine the full application based on the custom app you defined. In general, a log at session start is good for troubleshooting. It tends to lead to a lot of unnecessary logging other times so I generally only recommend logging at session end so you can see completed information. Hope this helps, Greg ... View more

Hi Steven, If the firewalls are configured to use an L3 interface to go out for updates (Device > Setup > Services tab > Service Route Configuration), the default setting for the passive L3 interfaces is to be down. This setting allows them to become active during a failure of the primary and ARP for the shared IP. The management interface is still up even when a device is in the passive state, so if the service route is configured to use that interface and you can configure a route on the connected devices to allow Internet access from that interface you should be able to eliminate those messages. You could also disable antivirus checking on the passive unit ensuring that the active syncs it, but that would stop updates if a failure happened. Hope this helps, Greg ... View more

When your packet filter is set up as mbutt recommended, run: show counter global filter packet-filter yes delta yes This will tell you why the packets are being dropped. Anything with a 'drop' message is an indication of what is happening. Just make sure to run that command once before the test starts to clear the counter stats. From the screenshot, it shows a length of 0 on that packet, so I assume it is a SYN on that port. As long as the firewall is able to read the initial setup packets, and there's a rule allowing FTP, it will create a 'predict' session matching the chosen PASV port and allow that traffic. What do you see from the global counter output? -Greg ... View more

The gmail server is an interesting animal when it comes to SSL. If you go to "https://gmail.com" it fails to decrypt, but if you go to "https://mail.google.com". I haven't found a solid answer to that in my testing, and I can only speculate that it has to do with the multiple handshakes, redirects, and certs used. Try hitting the full (final) URL for google services to see if it will decrypt properly. -Greg ... View more

That is correct. You must have a non-pattern string of 7 characters before the interpreted characters. The exceptions are patterns that are not wildcards or can be interpreted as greedy/lazy. An example of a pattern that is ok is: [Pp]aloalto This, though it uses an interpreted string to specify upper or lower case, it is not a broad greedy/lazy repetition or wildcard. You can also do: .*aloalto.* Though it starts with .* (0 to infinity characters), you still have a 7-character string as the match. You can NOT use: Pal.*alto That has a wildcard in the center of it, and even though there are 7 characters there is not a 7-character string in the match. That's why using "ab.cdefgh.ij.us" fails. It is only 2 characters before an interpreted character. Using "ab\.cdefgh\.ij\.us" works fine because the periods are escaped and are not interpreted. I am surprised that the 3rd pattern does not work as long as it is properly escaped. If you have an example (even obfuscated) of that, I'd like to see it. Hope this helps, Greg ... View more

The "resolve hostname" checkbox does a reverse DNS lookup to the firewall's configured DNS server(s). You could add the RDNS entry on the DNS server in question and it should resolve the addresses in question. You can also create Address Objects, which will resolve as well as long as it is configured as a /32. Hope this helps, Greg ... View more