About Zewwy

  Is this even possible, or am I crazy ... View more

Hey all,   I want to start off saying I love Palo Alto's, they are AMAZING!   With that out of the way, I wanted to say I recently got a Device RMA'd and the process went amazingly smooth, and I actually was able to completed a HA peer PA-500 in less time then it took my provider to get my a digital key for some software! This was the guide I followed: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClHFCA0 Everything seemed to go very well... however I have recently been receiving Split-Brain; HA1 Group down alerts, they don't seem to be affecting production flow thank goodness, but is alarming non-the-less.   12/11 08:18:43 vpn informational keymgr-ha-full-sync-done KEYMGR sync all IPSec SA to HA peer exit. 12/11 08:18:43 ras informational rasmgr-ha-full-sync-done RASMGR daemon sync all user info to HA peer exit. 12/11 08:18:42 ha informational session-synch HA Group 1: Starting session synchronization with peer 12/11 08:18:42 routing informational routed-fib-sync-peer-backup FIB HA sync started when peer device becomes passive. 12/11 08:18:42 ras informational rasmgr-ha-full-sync-start RASMGR daemon sync all user info to HA peer started. 12/11 08:18:42 vpn informational keymgr-ha-full-sync-start KEYMGR sync all IPSec SA to HA peer started. 12/11 08:18:42 satd informational satd-ha-full-sync-start SATD daemon sync all gateway infos to HA peer started. 12/11 08:18:39 ha informational session-synch HA Group 1: Completed session synchronization with peer 12/11 08:18:31 ha informational session-synch HA Group 1: Starting session synchronization with peer 12/11 08:18:29 ha informational peer-version-match HA Group 1: Threat Content version now matches 12/11 08:18:29 ha informational peer-version-match HA Group 1: Global Protect Client Software version now matches 12/11 08:18:29 ha informational peer-version-match HA Group 1: Application Content version now matches 12/11 08:18:29 ha informational peer-version-match HA Group 1: Anti-Virus version now matches 12/11 08:18:29 ha high peer-version-match HA Group 1: Threat Content version does not match 12/11 08:18:29 ha high peer-version-match HA Group 1: Application Content version does not match   12/11 08:18:28 ha high peer-version-match HA Group 1: Global Protect Client Software version does not match 12/11 08:18:28 ha high peer-version-match HA Group 1: Anti-Virus version does not match 12/11 08:18:28 ha critical peer-split-brain HA Group 1: Staying in Active state after split-brain recovery (split-brain duration: 1s) 12/11 08:18:28 ha informational connect-change HA Group 1: HA1 connection up 12/11 08:18:28 ha informational ha2-link-change HA2 peer link up 12/11 08:18:28 ha informational ha1-link-change HA1 peer link up 12/11 08:18:28 ha informational connect-change HA Group 1: Control link running on HA1 connection 12/11 08:18:27 ras informational rasmgr-ha-full-sync-abort RASMGR daemon sync all user info to HA peer no longer needed. 12/11 08:18:27 vpn informational keymgr-ha-full-sync-abort KEYMGR sync all IPSec SA to HA peer no longer needed. 12/11 0:18:24 satd informational satd-ha-full-sync-abort SATD daemon sync all gateway infos to HA peer no longer needed. 12/11 08:18:23 ha critical connect-change HA Group 1: All HA1 connections down 12/11 08:18:23 ha critical connect-change HA Group 1: HA1 connection down   I did a bit of research on it, and it said it does it when one PA see a firewall that the other doesn't? But both are setup exactly the same, thoguhts? ... View more

Hey there, I've really been enjoying the Palo Alto ability to update itself with threats prevention signatures almost instantly (depending on ones setup) I've been checking the ACC more latly and have notice the following: I'll make some notes here: 1) This is only appearing to user who are using the Global Protect to VPN into the corporate network. 2) the Victim host is our SharePoint FE 3) We currently have an issue where constant Event ID 1 are populated on the SharePoint FE due to a miss configured Performance Point Service which (AFAIK) as been removed from every aspect of our SharePoint (we currently don't use scorecard, etc) 4) I don't know if these two issue are related in some way. So my question is as follows is there any way I can get more details on each hit of this threat event? It'd be nice to click on the session and it displayed each session and time the event occurred/got triggered. Since these events are being done by legit users while remoteing in I'm not majorly concerned since I'm sure it has something to with the complex inner SharePoint permission structure (Even posting on TechNet, no one was able to tell me how to query any web parts that might be using performance point to track that event..) But even for future threat sessions it be nice to see when they occurred to help track who was doing what when.. etc... please and thanks! ... View more

Hey there, I have 2 PA-500's currently on: Software Version 6.0.2 GlobalProtect Agent 1.2.3 Application version 461-2402 (10/14/14) Threat Version 461-2402 (10/14/14) Antivirus Version 1391-1863 (10/13/14) URL Filtering version 4392 Software Version 6.0.2 GlobalProtect Agent 1.2.3 Application version 461-2402 (10/14/14) Threat Version 461-2402 (10/14/14) Antivirus Version 1391-1863 (10/13/14) URL Filtering version 4392 App Version Mismatch Threat Version Mismatch From what I can tell they are on the same version ( I know my GP version is outdated...) My question is how come its stating mismatch when they are matched? From this it states to add the passive MAC to the internal/trust interface of the active PA.. Which I don't understand when the ARPing for the Management subnet is handled by a different device in our network design.. (No firewall, just direct routing between the "internal" subnet of the PA and the "management" subnet) They can ping each other just fine via their separate mgmt IP's, so I don't see what this would accomplish.. Ideas? Thoughts? Suggestions? ... View more