About Zewwy

Hey all,   I want to start off saying I love Palo Alto's, they are AMAZING!   With that out of the way, I wanted to say I recently got a Device RMA'd and the process went amazingly smooth, and I actually was able to completed a HA peer PA-500 in less time then it took my provider to get my a digital key for some software! This was the guide I followed: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClHFCA0 Everything seemed to go very well... however I have recently been receiving Split-Brain; HA1 Group down alerts, they don't seem to be affecting production flow thank goodness, but is alarming non-the-less.   12/11 08:18:43 vpn informational keymgr-ha-full-sync-done KEYMGR sync all IPSec SA to HA peer exit. 12/11 08:18:43 ras informational rasmgr-ha-full-sync-done RASMGR daemon sync all user info to HA peer exit. 12/11 08:18:42 ha informational session-synch HA Group 1: Starting session synchronization with peer 12/11 08:18:42 routing informational routed-fib-sync-peer-backup FIB HA sync started when peer device becomes passive. 12/11 08:18:42 ras informational rasmgr-ha-full-sync-start RASMGR daemon sync all user info to HA peer started. 12/11 08:18:42 vpn informational keymgr-ha-full-sync-start KEYMGR sync all IPSec SA to HA peer started. 12/11 08:18:42 satd informational satd-ha-full-sync-start SATD daemon sync all gateway infos to HA peer started. 12/11 08:18:39 ha informational session-synch HA Group 1: Completed session synchronization with peer 12/11 08:18:31 ha informational session-synch HA Group 1: Starting session synchronization with peer 12/11 08:18:29 ha informational peer-version-match HA Group 1: Threat Content version now matches 12/11 08:18:29 ha informational peer-version-match HA Group 1: Global Protect Client Software version now matches 12/11 08:18:29 ha informational peer-version-match HA Group 1: Application Content version now matches 12/11 08:18:29 ha informational peer-version-match HA Group 1: Anti-Virus version now matches 12/11 08:18:29 ha high peer-version-match HA Group 1: Threat Content version does not match 12/11 08:18:29 ha high peer-version-match HA Group 1: Application Content version does not match   12/11 08:18:28 ha high peer-version-match HA Group 1: Global Protect Client Software version does not match 12/11 08:18:28 ha high peer-version-match HA Group 1: Anti-Virus version does not match 12/11 08:18:28 ha critical peer-split-brain HA Group 1: Staying in Active state after split-brain recovery (split-brain duration: 1s) 12/11 08:18:28 ha informational connect-change HA Group 1: HA1 connection up 12/11 08:18:28 ha informational ha2-link-change HA2 peer link up 12/11 08:18:28 ha informational ha1-link-change HA1 peer link up 12/11 08:18:28 ha informational connect-change HA Group 1: Control link running on HA1 connection 12/11 08:18:27 ras informational rasmgr-ha-full-sync-abort RASMGR daemon sync all user info to HA peer no longer needed. 12/11 08:18:27 vpn informational keymgr-ha-full-sync-abort KEYMGR sync all IPSec SA to HA peer no longer needed. 12/11 0:18:24 satd informational satd-ha-full-sync-abort SATD daemon sync all gateway infos to HA peer no longer needed. 12/11 08:18:23 ha critical connect-change HA Group 1: All HA1 connections down 12/11 08:18:23 ha critical connect-change HA Group 1: HA1 connection down   I did a bit of research on it, and it said it does it when one PA see a firewall that the other doesn't? But both are setup exactly the same, thoguhts? ... View more

Hey there, I've really been enjoying the Palo Alto ability to update itself with threats prevention signatures almost instantly (depending on ones setup) I've been checking the ACC more latly and have notice the following: I'll make some notes here: 1) This is only appearing to user who are using the Global Protect to VPN into the corporate network. 2) the Victim host is our SharePoint FE 3) We currently have an issue where constant Event ID 1 are populated on the SharePoint FE due to a miss configured Performance Point Service which (AFAIK) as been removed from every aspect of our SharePoint (we currently don't use scorecard, etc) 4) I don't know if these two issue are related in some way. So my question is as follows is there any way I can get more details on each hit of this threat event? It'd be nice to click on the session and it displayed each session and time the event occurred/got triggered. Since these events are being done by legit users while remoteing in I'm not majorly concerned since I'm sure it has something to with the complex inner SharePoint permission structure (Even posting on TechNet, no one was able to tell me how to query any web parts that might be using performance point to track that event..) But even for future threat sessions it be nice to see when they occurred to help track who was doing what when.. etc... please and thanks! ... View more

Hey there, I have 2 PA-500's currently on: Software Version 6.0.2 GlobalProtect Agent 1.2.3 Application version 461-2402 (10/14/14) Threat Version 461-2402 (10/14/14) Antivirus Version 1391-1863 (10/13/14) URL Filtering version 4392 Software Version 6.0.2 GlobalProtect Agent 1.2.3 Application version 461-2402 (10/14/14) Threat Version 461-2402 (10/14/14) Antivirus Version 1391-1863 (10/13/14) URL Filtering version 4392 App Version Mismatch Threat Version Mismatch From what I can tell they are on the same version ( I know my GP version is outdated...) My question is how come its stating mismatch when they are matched? From this it states to add the passive MAC to the internal/trust interface of the active PA.. Which I don't understand when the ARPing for the Management subnet is handled by a different device in our network design.. (No firewall, just direct routing between the "internal" subnet of the PA and the "management" subnet) They can ping each other just fine via their separate mgmt IP's, so I don't see what this would accomplish.. Ideas? Thoughts? Suggestions? ... View more

Hey All, Heres the Hardware and Software details: Model PA-500 Serial ############## Software Version 6.0.2 GlobalProtect Agent 1.2.3 Application version 452-2343 (08/26/14) Threat Version 452-2343 (08/26/14) Antivirus Version 1361-1833 (09/01/14) URL Filtering version 4360 Time Tue Sep 2 13:26:07 2014 Uptime 52 days, 20:49:06 User Systems: Windows 7 Enterprise 64-bit Windows 8.1 64-Bit All running GP version 1.2.3-6 One of my colleagues logged in on Friday night without fail. AFAIK no one attempted to log in either Saturday or Sunday (August 30, 31) I went to log on on Monday Night and my client on my Windows 8.1 machine complained about the Client Cert Error, but the scary part was it still connected my service?!?!?! I was able to remote work! Now IT users are set to connect manually while all other user connected automatically, whenever inside the company it will appear as services connected "Internal Network", and normal "Services Connected" when remoting from outside. Normally when I had this issue it was due to the USER_VPN_Cert not being installed into a users Personal store, either that or the PA Root CA isn't in Trusted CA's store. But nothing changed from when it did work... literally nothing! I attempted to do a bit of digging myself in the logs to maybe see if there was something obvious that might have changed... from the PAN-GPA log I could only see the following differences from a working session to the now not working sessions... (T7040) 07/25/14 08:51:25:779 Info (2448): IPADDR=DirectWANPORTALIP,PORT=443,URL=/ssl-vpn/prelogin.esp,POST=1,POSTDATA="tmp=tmp&clientVer=4100",PROXY_AUTO=1,PROXY_CFGURL=NULL,PROXY=NULL,PROXY_BYPASS=NULL,PROXY_USER=NULL,PROXY_PASS=****,VERIFY_CERT=0,ADDITIONAL_CHECK=0 That was from a working sessions and the non working session has ADDITIONAL_CHECK=1, I'm not sure if this might be the cause? Followed by (both working and none working sessions) List below is directly form non working session, as can be seen by date stamp: (T4272) 09/02/14 08:28:35:294 Info (1785): PanWinhttpCallback(dwInternetStatus=WINHTTP_CALLBACK_STATUS_HANDLE_CREATED, this=000000000269AD10) (T4272) 09/02/14 08:28:35:294 Info (1785): PanWinhttpCallback(dwInternetStatus=WINHTTP_CALLBACK_STATUS_HANDLE_CREATED, this=000000000269AD10) (T4272) 09/02/14 08:28:35:294 Info (2568): winhttpObj->SendRequest, first try (T4272) 09/02/14 08:28:35:294 Info (1041): winhttpObj, SendRequest, bIngoreClientCert=0 (T4272) 09/02/14 08:28:35:294 Info (1785): PanWinhttpCallback(dwInternetStatus=WINHTTP_CALLBACK_STATUS_RESOLVING_NAME, this=000000000269AD10) (T4272) 09/02/14 08:28:35:294 Info (1785): PanWinhttpCallback(dwInternetStatus=WINHTTP_CALLBACK_STATUS_NAME_RESOLVED, this=000000000269AD10) (T4272) 09/02/14 08:28:35:294 Info (1785): PanWinhttpCallback(dwInternetStatus=WINHTTP_CALLBACK_STATUS_CONNECTING_TO_SERVER, this=000000000269AD10) (T2864) 09/02/14 08:28:35:294 Info (1785): PanWinhttpCallback(dwInternetStatus=WINHTTP_CALLBACK_STATUS_CONNECTED_TO_SERVER, this=000000000269AD10) (T2864) 09/02/14 08:28:35:294 Info (1785): PanWinhttpCallback(dwInternetStatus=WINHTTP_CALLBACK_STATUS_RESOLVING_NAME, this=000000000269AD10) (T2864) 09/02/14 08:28:35:294 Info (1785): PanWinhttpCallback(dwInternetStatus=WINHTTP_CALLBACK_STATUS_NAME_RESOLVED, this=000000000269AD10) (T2864) 09/02/14 08:28:35:294 Info (1785): PanWinhttpCallback(dwInternetStatus=WINHTTP_CALLBACK_STATUS_CONNECTING_TO_SERVER, this=000000000269AD10) (T2864) 09/02/14 08:28:35:294 Info (1785): PanWinhttpCallback(dwInternetStatus=WINHTTP_CALLBACK_STATUS_CONNECTED_TO_SERVER, this=000000000269AD10) (T2864) 09/02/14 08:28:35:294 Info (1785): PanWinhttpCallback(dwInternetStatus=WINHTTP_CALLBACK_STATUS_REQUEST_ERROR, this=000000000269AD10) (T4272) 09/02/14 08:28:35:309 Info (1081): winhttpObj, get WINHTTP_CALLBACK_STATUS_REQUEST_ERROR (T4272) 09/02/14 08:28:35:309 Error(1103): error = ERROR_WINHTTP_CLIENT_AUTH_CERT_NEEDED (T4272) 09/02/14 08:28:35:309 Info (1129): winhttpObj, set client cert name VPN_USER_Cert issued by Root Ca (T4272) 09/02/14 08:28:35:309 Info (1133): winhttpObj, reuse cert 0000000000B2B630 (T4272) 09/02/14 08:28:35:309 Info (1785): PanWinhttpCallback(dwInternetStatus=WINHTTP_CALLBACK_STATUS_RESOLVING_NAME, this=000000000269AD10) (T4272) 09/02/14 08:28:35:309 Info (1785): PanWinhttpCallback(dwInternetStatus=WINHTTP_CALLBACK_STATUS_NAME_RESOLVED, this=000000000269AD10) (T4272) 09/02/14 08:28:35:309 Info (1785): PanWinhttpCallback(dwInternetStatus=WINHTTP_CALLBACK_STATUS_CONNECTING_TO_SERVER, this=000000000269AD10) (T2864) 09/02/14 08:28:35:309 Info (1785): PanWinhttpCallback(dwInternetStatus=WINHTTP_CALLBACK_STATUS_CONNECTED_TO_SERVER, this=000000000269AD10) (T2864) 09/02/14 08:28:35:341 Info (1785): PanWinhttpCallback(dwInternetStatus=WINHTTP_CALLBACK_STATUS_SENDING_REQUEST, this=000000000269AD10) (T2864) 09/02/14 08:28:35:341 Info (1785): PanWinhttpCallback(dwInternetStatus=WINHTTP_CALLBACK_STATUS_REQUEST_SENT, this=000000000269AD10) (T2116) 09/02/14 08:28:35:356 Info (1785): PanWinhttpCallback(dwInternetStatus=WINHTTP_CALLBACK_STATUS_SENDING_REQUEST, this=000000000269AD10) (T2116) 09/02/14 08:28:35:356 Info (1785): PanWinhttpCallback(dwInternetStatus=WINHTTP_CALLBACK_STATUS_REQUEST_SENT, this=000000000269AD10) (T2116) 09/02/14 08:28:35:356 Info (1785): PanWinhttpCallback(dwInternetStatus=WINHTTP_CALLBACK_STATUS_SENDREQUEST_COMPLETE, this=000000000269AD10) (T4272) 09/02/14 08:28:35:372 Info (1092): winhttpObj, get WINHTTP_CALLBACK_STATUS_SENDREQUEST_COMPLETE (T4272) 09/02/14 08:28:35:372 Info (1171): winhttpObj, since a cert used and https success, we cache this cert(VPN_USER_Cert issued by Root Ca) for now! This however is new and I did not see this event in previous logs (T4272) 09/02/14 08:28:35:372 Info ( 710): Server 64.4.72.90 cert verification result is 0x1010040 on another machine I was testing it replied with result of 0x40 instead of 0x1010040. Any thoughts on what cause this to happen? There were literally no changes made from Friday night, to Monday night as everyone (including IT) was enjoying the long weekend! ... View more