About emr_1

I have two different customers who hits same issue. One user is using PAN-OS 8.1.3 and UIA 8.1.3-10, another is using PAN-OS 8.0.12 and UIA 8.1.3.-10.   The issue is that UIA detects user info as three types of formats like... 1) domain\user (this is same as previous version) 2) domain.local\user 3) user@domain.local   When PA received these info, "show user ip-user-mapping all" shows following two types as below 1) domain\user 2) domain.local\user   admin@hostname(active)> show user ip-user-mapping all IP Vsys From User IdleTimeout(s) MaxTimeout(s) --------------- ------ ------- -------------------------------- -------------- ------------- 10.241.73.100 vsys1 UIA domain\user1 Never Never 10.212.136.101 vsys1 UIA domain.local\user1 Never Never 10.224.57.100 vsys1 UIA domain\user1 Never Never 10.128.145.9 vsys1 UIA domain\user2 Never Never 10.128.144.35 vsys1 UIA domain.local\user3 Never Never   The issue is that when PA recognize user format as "domain.local\user" format, the user does not hit to policy which was configured by user group that was pulled from AD. The reason is that user group and member was recognized ONLY by "domain\user' format.   admin@hostname(active)> show user group name "cn=domain users,cn=users,dc=domain,dc=local short name: domain\domain users source type: ldap source: groupmapping [1 ] domain\01 [2 ] domain\21 [3 ] domain\22 [4 ] domain\23 [5 ] domain\24 [6 ] domain\26 [7 ] domain\27 [8 ] domain\29 [9 ] domain\88 [10 ] domain\98 [11 ] domain\administrator [12 ] domain\agroadmin [13 ] domain\agrotest [14 ] domain\alc [15 ] domain\amano1 [16 ] domain\amano2 ..so on   I believe on PAN-OS 8.0 and earlier, "domain\userA" and "domain.local\userA" is NOT same guy, thus it does not hit group members.   Is there any body who hits same issue?     Note: I know PAN-OS 8.1 starts supporting multiple formats, though it makes me confusing and hitting this issue.   Regards, Emr ... View more

Hello Palo Alto,   I was using following link to check critical issues. https://live.paloaltonetworks.com/t5/Integration-Articles/Critical-Issues-Addressed-in-PAN-OS-Releases/ta-p/52882   I can't access to it anymore. How can I collect the latest critical issue information? Do I have to open a ticket every time I want to know?   Regards, Emr ... View more

I have a lots of customers who uses HA pair with 1.1.1.1/30 and 1.1.1.2/30 for HA1 port. This HA1 port connected directly. And reason for selecting these IPs are because nobody was using it in the past.   Today, I read this article: https://blog.cloudflare.com/announcing-1111/ https://www.theverge.com/2018/4/1/17185732/cloudflare-dns-service-1-1-1-1   According to this thread, it sounds okay to keep using 1.1.1.1 for HA1, though I'm curious... do they need to change IPs?   In addition, with my quick test in my lab, I can access to 1.1.1.1 DNS server even HA1 is using 1.1.1.1, thus I believe 1.1.1.1 for HA1 is okay.   Regards. Emr ... View more

Hi All,   In Zone Protection Profile, a unit of rate changed from packets/sec to connections/sec when I upgrade into PAN-OS 8.0. It sounds defferent thing, though is this only changes on GUI and nothing changes on this feature, I mean way of counts is same as before? If no, how to calcurate accurate value for 'connections'? Let's say if I configure '10000 packets/sec' on PANOS7.1, then what value should be for 'connections/sec' on PANOS 8.0?       ... View more

Hello all,   I know this question is outside of the PAN device matter.  But my customer asked me how to specify the program on his computer for removing malicious program. Let me tell you exmaple:   When I see threat log, it shows Src 192.168.1.1:12345  Dst 100.100.100.100:80   We can understand that we need to investigate 192.168.1.1 device. On this device, we don't know how to specify which program used source port 12345 in the past. If this program keeps generating traffic, then we can use ' netstat -abn' or something similar. How about if session already ends, how to find it?   Does anyone have idea? Any useful windows command or tools?   Regards, Emr ... View more