About gwesson

From your log output, it looks like the communication is probably plaintext (port 389 is rarely used for TLS). If that's true, you could take a packet capture of the communication between the firewall and DC. https://www.paloaltonetworks.com/documentation/80/pan-os/pan-os/monitoring/take-packet-captures/take-a-packet-capture-on-the-management-interface   Check the LDAP response for "maxPwdAge" to see what the value is. It looks like the initial LDAP bind is failing, so you should be able to catch it there.   Interestingly, Microsoft's Max-Pwd-Age site doesn't say how it should be represented on a 2016 server. I'm sure it exists, so you may want to check it out on the DC itself if the capture doesn't reveal any results. ... View more

Just to be sure, you're saying:  server(1.1.1.50) <---> [e1/3]PAN[e1/1] <---> Router And you want the PAN to respond to ARP requests for 1.1.1.50 that originate from the router?   If that's correct, there are two ways I can think of offhand: 1. Proxy ARP will do this if you do destination-NAT on 1.1.1.50 to some other internal address. There's a good doc on that here: https://www.paloaltonetworks.com/documentation/81/pan-os/pan-os/networking/nat/nat-policy-rules/proxy-arp-for-nat-address-pools   2. Use virtual wire (vwire) interfaces instead of layer 3. A virtual wire doesn't terminate layer 2 or 3, so the ARP request will directly hit the server, and the response will come from the port that eth1/1 is connected to. Docs on that here: https://www.paloaltonetworks.com/documentation/71/pan-os/pan-os/networking/virtual-wire-deployments https://www.paloaltonetworks.com/documentation/81/pan-os/pan-os/networking/configure-interfaces/virtual-wire-interfaces/configure-virtual-wires ... View more

In addition to vsys_remo's suggestion, having Panorama in HA would probably be best, but that does require a second Panorama.   If you think the switch may take longer than the firewalls can cache the logs and don't have Panorama in HA, your 2nd Panorama IP address on your firewalls should be unused, you could maintain near-constant connectivity by populating that with the new Panorama IP address:   ... View more

Please include your PAN-OS version and platform if possible when posting questions, it can really help in diagnosing issues.   Some platforms (such as PA-5000 and the older PA-7000 NPCs) don't have enough memory on the DP to effectively cache SSL sessions compared to how many decryption sessions they support. The setting you see leverages the MP memory to store the SSL session cache instead, giving the system the ability to effectively keep up with the demand of the platform. It's enabled by default, and can be modified by:   > configure # set deviceconfig setting ssl-decrypt use-mp-sess-cache <yes|no> # commit I wouldn't recommend touching it though, since it is working as designed. Removing it could cause your DP CPU to increase since it has less cache space for resuming previously-negotiated decrypted SSL (TLS) sessions. You can see the cache activity with:   > show system setting ssl-decrypt session-cache   ... View more

What value do you have for "Allow User to Upgrade GlobalProtect App" under Network > GlobalProtect > Portals > {portal-name} > Agent tab > {config-name} > App tab?   Set it to "Allow with Prompt" or "Allow Transparently" to upgrade it after a user prompt or silently. Choose "Internal" if you want it to upgrade the app only when the user is internal to the network rather than external.   If it's set to "Disallow" or "Allow Manually" it won't update when it connects. ... View more

Troubleshooting GP logs can be a challenge, as the logs are rather verbose. There's a really good knowledge base article that should help with some of the more common issues admins and users tend to run into:   https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClkBCAS   Beyond that, if you want to spend some time on learning the logs I'd recommend starting with a very simple portal/gateway setup with local auth. Check the logs of a successful connection to see what's normal. Then, start adding features for more complexity until you get to the point where your test setup mirrors your true GP setup.  ... View more

You can check to see the admins who have a commit lock via the UI or CLI:   > show commit-locks Commit locks are designed to prevent any other logged in admins (even other superusers) from doing a commit until the lock is released. If you're a superuser, and you see commit locks from the CLI command above, you can clear them with:    > request commit-lock remove For the GUI version, check this document: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CltACAS ... View more

The system needs 7 bytes that are not regular expression fields. The [a-zA-Z0-9] text is an expression, so it is not valid. You would need something like:   blahbla[a-zA-Z0-9][a-zA-Z0-9]...     From the custom objects (data patterns) page, even though you're creating an app the same requirements apply: https://www.paloaltonetworks.com/documentation/71/pan-os/web-interface-help/objects/objects-custom-objects-data-patterns:   Syntax for Data Patterns   When adding a new pattern (regular expression), the following general requirements apply:   The pattern must have string of at least 7 bytes to match. It can contain more than 7 bytes, but not fewer. The string match may or may not be case-sensitive, depending on which decoder is being used. When case-sensitivity is required, you would need to define patterns for all of the possible strings in order to match all variations of a term. For example, if you wanted to match any documents designated as confidential, you would need to create a pattern for “confidential”, “Confidential”, and “CONFIDENTIAL”. ... View more

None of the update servers will respond to ping. I couldn't find anything in any of the documents you've referenced that say it would, so it may just be a misinterpretation.   As long as your DNS resolves correctly it should reach the server. So if you ping it from the firewall's CLI you won't get a reply but you will see the address resolve:     > ping host updates.paloaltonetworks.com PING updates.inap.gslb.paloaltonetworks.com (199.167.52.141) 56(84) bytes of data. ^C --- updates.inap.gslb.paloaltonetworks.com ping statistics --- 3 packets transmitted, 0 received, 100% packet loss, time 2014ms This shows DNS is resolving, which is what you're looking for.      If you do a "request system software check" or "request content upgrade check" from the CLI but you don't get a response, make sure that your management interface traffic is going through a NAT device if it doesn't hit the firewall's dataplane interfaces. If it does hit the dataplane, make sure you've got a rule that will NAT and allow the traffic. ... View more

> It is my understanding if the Palo Alto has an established connection in its session table, a spoofed TCP reset -  4 Tuple with a sequence > number within the TCP window, and window size equal to or smaller then sessions used,  will make it through the Palo Alto and reset the > connection.  Can you confirm this is correct.     Yes, you are correct. There is no mitigation for that, regardless of the challenge-ack setting I described earlier. Sorry about the confusion.     > The Challange ack change setting seems like it would allow a reset crafted to make it through the firewall when there is NOT an > established  connection in the session table, assuming that 4 Tuple and sequence number/window is in line with the ACK it just saw.    This is also correct. You stated it much more plainly (and correctly) than I had 🙂 ... View more

"Problem is - we can't make it work...."   If you can supply any more details than that, it would be very helpful.   What isn't working? Can you not assign the certificate to the decryption rule? Did you import the private key when you imported your wildcard? Does everything appear correctly but the traffic just isn't decrypted? What PAN-OS version are you using?   Some more details will help people trying to assist. The answers to the questions above can help narrow down where to help you troubleshoot. ... View more