About gwesson

Regular expressions can not be used without a basic 7-byte string first. The period is a wildcard character in a regex, so it is seeing only 2 characters then a regex value. For your first example, you could use: ab\.cdefgh\.ij\.us (technically you only need the first 7 bytes, or ab\.cdef to satisfy the requirement, but it will be a much broader match) That should allow it to work similarly to your first two working domains. Hope this helps, Greg ... View more

The general recommendation is to not use a clean-up rule at all. The firewall allows all same-zone traffic by default, and denies all intra-zone traffic. Unless you have a specific requirement to log this traffic, a generic "deny all" policy is not needed. If you do have that requirement, my recommendation is to make specific policies that exclude same-zone traffic. For example, if you have 3 zones (trust, untrust, dmz) you would make 3 policies: Src: Trust; Dst: untrust or dmz; Deny Src: DMZ; dst: untrust or trust; Deny Src: Untrust; dst: trust or dmz; Deny This gives you the logging, but prevents the issue you are running into by allowing same-zone traffic. When the firewall makes an outbound connection on a public L3 interface, the source and destination are the same zone and thus your cleanup rule denies it. Hope this helps, Greg ... View more

The firewall seems to be having trouble with the issuers as you have shown. The large list of CAs should indicate that it is working fine, and I have not seen this issue before. A couple questions that may help: 1. What OS version is your firewall running? 2. Is the content up to date? The most current as of this posting is 375-1810. You can confirm it by looking under the dashboard, or Device > Dynamic Updates. 3. Is there any other SSL interception/proxy device being implemented? Another firewall or a proxy may cause this. Hope this helps, Greg Wesson ... View more

The Palo Alto database migrates in both directions (from Brightcloud and back to Brightcloud). The mappings are not exactly the same, and the categories can change so a static list would not be very valuable. The Palo Alto URL database is available in many languages, has geographic redundancy, and has built-in mechanisms for finding the fastest responder. If a node is ever down, the firewall would find the next available node without any administrator interaction.  Hope this helps, Greg ... View more

The checkbox allows that specific firewall to be the agent for other firewalls. It gives you a central user-ID agent that several firewalls can use without having to deploy software agents or set up the agentless configuration on every firewall. Hope this helps, Greg ... View more

The M-100 (and Panorama in general) will not populate users or groups when creating rules until a rule has been created with that user/group at least once. The reason for this is because of the huge amount of load it would take if you had several hundred firewalls, each with different domains configured with a single Panorama (imagine how long it would take to query each firewall, which would query each domain, and return the full group and user list). If you create the policy local to the firewall, the group will indeed prepopulate because the scope is limited to that one firewall's set of user and group data. Once you create a policy which has a user- or group-name on Panorama, that user/group will be available for future rules. Note that there is no integrity check, so a mistake will be allowed through and simply fail to match. I recommend copying the user data from an LDAP browser so you don't have to worry about the syntax. Hope this helps, Greg Wesson ... View more

That is something I wouldn't expect. If you only added the NFS partition and no other changes, unless that NFS is highly latent where we are spending cycles waiting on read/write operations, I would expect the CPU to be the same as before. You may want to get a support case opened to double check. Greg Wesson ... View more

The pan_summary_gen process will spike the CPU at regular intervals while it creates the summary reports for the ACC. This is expected, and will not cause any interruption in function. The spikes should be fairly brief. You can run a top-like command to monitor it for a while if you like: > show system resources follow Hitting 'q' will get you out of that command. Hope this helps, Greg Wesson ... View more

A couple things to try: 1. Test using PuTTY or another similar SSH tool to hit your server, making sure you can connect with it (eliminating issues with windows firewall, etc.). 2. Check with another SSH server in your environment using the same command to see if the firewall has any issues connecting via SSH. 3. See if you can export your config to that server via the SCP export command: > scp export configuration from running-config.xml to Panorama@10.20.161.238:c:/test/ Replace the path with something valid for your environment. The firewall will challenge you for the password if it is able to connect. Hope this helps! Greg Wesson ... View more

If it is internal space (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) it will not be seen as the United States. The location is seen as "Reserved", as seen by the command given by egearhart. If the destination address is an IPv6 address, it may not yet be supported. When you look at the traffic logs for that traffic, how many packets are seen in the c2s and s2c flows? You can also check the session id (CLI command: show session id 123456) that is present in the logs to see what application it is identified as and which rule it is hitting. Hope this helps, Greg Wesson ... View more

I ran into a similar issue with the IPSec GP function on a Windows 8 tablet with 4G-LTE. The issue was caused by the client sending a large MSS (something like 4000 bytes). When an HTTP 200 response was sent by the server, it was larger than 1500 bytes. The server-side was correctly transmitted on multiple frames, but when the PA transmitted it, it would transmit as a single, IP-fragmented packet. The PA must do that as the client is indicating its wishes for the frame to be sent as a single chunk. Since the MTU of the firewall (and next hop) is 1500, the packet must be fragmented. The client-side sent the 4000-byte MSS and should have been ok with the IP fragmentation, but those fragments were never making it back to the client. The solution was never really ironed out, but the correct solution is to either lower the MSS on the inbound SYN (could be from the tablet or from the carrier, I'm not sure) or to convince the carrier to transmit the fragmented IP traffic back to the client. You can see if this is the same issue by taking a packet capture on the firewall and checking the transmit stage. If you see fragmented IP frames leaving toward the client but never getting an ACK, it's probably the same issue. Hope this helps, Greg Wesson ... View more

I wouldn't expect using OCSP would have any effect on decryption. I think that it might be worth creating a case with support as long as your firewall is under a support contract. The client doesn't get the original certificate, so it wouldn't be possible for them to check to see if it is revoked or not. When you open your support ticket, please point to this discussion for additional background. -Greg ... View more

OCSP is pretty uncommon to be used for SSL decryption. I most commonly see it used for the firewall login itself (using a trusted or in-house CA), captive portal, and global protect. The reason you get untrusted warnings on all certificates with SSL decryption is because the firewall is creating a new certificate on the fly for the host you are visiting. For example, if your client visits https://live.paloaltonetworks.com, instead of the certificate being issued by GoDaddy as ours is, it is issued by your firewall. The firewall copies the Common Name and dates from the official GoDaddy cert on that site, but has to issue a new one for the client. Unless the client trusts that firewall CA certificate, every site will be untrusted. This is the nature of SSL Decryption (technically it is a man-in-the-middle). ... View more

The OCSP extension will simply not be built in the client-side certificate by default. If you choose to use an OCSP responder on the self-signed certificate, the client will use that OCSP responder. It won't fail, because the OCSP responder will not find a revoked serial number (it won't find any serial number, but that's not the purpose of OCSP). Hope this helps! Greg Wesson ... View more