About upelister

Hello, - İs tunnel up? (P1 and P2) -what kind of vpn messages in logs? -CP is Policy based routing type but Palo Alto is Route Based (Without PBR); PA Side; --Palo Alto NAT ip pool range should be in Palo Alto VPN Config>Proxy id as local. --CP NAT ip pool range should be in Palo Alto VPN Config>Proxy id as remote. --CP NAT ip pool range should be in Palo Alto Virtual router>Static Routes, for destination interface related tunnel interface next hop should be CP if ip.   info: ---you do not need to assign ip address to tunnel interfaces every time. --- For my enviroment, i am using NAT in many vpn tunnels because adding an ip address to CP encryption domain sometimes fails tunnel.               (couses Proxy-id mismatch error)   İ mean stright foward s2s tunnel config but both firewall need to know only NAT ip addresses instead of actual ip addresses. Bu setting up with CP another challlange wish you luck.   İf tunnel is working 100% than go to policy tab; Create Security Rule.  Create destination NAT rule.   İf you are new i suggest start with basics and get familiar with log messages. I hope this helps and have a nice day.             ... View more

Hello,   Maybe attackers identifed a vulnerability on your services in past and trying to access your servers. To be on the safe side checking servers, applications against any kind of vulnerability specially this one should be fine. I recommend; If applications are not required to acces from open world, limiting allowed traffic for specific Geo Locations greatly reduce attack surface and attack possibilites. Applying zone protection profiles can reduce scanning risks. Using, Vulnerability Protection, Spyware and Anti-Virus profile in strict state for the rules. Within great care all vulnerability protection signatures can be enabled. Also auto tagging feature can be used to block all or block for a period of time. attacker ip addreses. Vulnerability Protection> Vulnerability protection profile> Vulnerability Protection Rule> Action> Block-ip as source and how much time (Max is 1hr) this will block source ip address for one hour in hardware level With using DAG feature you can block attacker for a long time. I rec ... View more

Hello,   I think For the syn-scan (with no Threat prevention profile) or telnet you can discover open ports, in traffic logs it should be appear as "incomplete". In session logs also it should be on "discard" state.    **Against scanning zone-protection profiles has good prevetion options.     ... View more

Hello,   Checking server security logs can be helpful. To investigate further enabling extended packet capture on ip profile may be helpful. *Sometimes also i am seeing this event on logs and considering it as false positive. ... View more

Hello,   I exprienced same problems so i decided to use minemeld from docker.  🙂 https://hub.docker.com/r/paloaltonetworks/minemeld   ... View more

Hello,   Global Protect Client application does not provide password change feature for a user itself.  *For ease of operation, other type of supported authentication methods can be useful. (i.e: user certifiacate [Shared or disrubuted from a a internal CA], SSO etc...)  ... View more

Hello,   - IF computers are already joined to the domain, cookie authentication can be used with "pre-log on (allways on)" feature without using client certificate. - This config must be used alongside other authentication mechanisms like "LDAP". In order to client receives the cookie. With this config A cookie will be generated by firewall and sent to client profile folder under "%LocalAppdata%/Palo Alto Networks\GlobalProtect\" with <somenumerbers>.dat file. -So within the cookie lifetime client can be connect to gateway as pre-log on state and the can change their password.    I used this articale; https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000boODCAY   Have a nice day. ... View more

Hello,   Chrome sometimes using tricky quick protocol so in firewall appliaction as seen "quick" in firewall logs. Do you have any chance to try this.   For Security Rule; From a Test host to internet block "quick" so chrome cannot change its behaviour. For Decryption Rule; From a test host to internet decrypt all traffic. *I am using TCP and UDP 443 on decryption policies.   Then analyze log maybe this method can give a clue about why msi file not blocked by firewall.   *before testing be sure, there are no active connection exist from test host to internet, monitor tab>session browser if there is any kill them all.   Have a nice day. ... View more

Hello,   Maybe, decryption broker option can be helpful. https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/decryption/decryption-broker  ... View more

Hello,   If there is an clean up rule before default rules, which allows intrazone traffic. There shoud be a specific rule above cleanup rule in oreder to allow ping, icmp and trace route. You can try this allowing gp-zone to gp-zone; source as any and destination as any, service as application default and application any (to monitor what happens).   Also check the windows firewall if windows firewall is on, host machines not reply ping request.  ... View more

Hello,   I noticed i forgot to mention, every change in regedit requires reboot. Second option you can try,  Uninstall current installation Remove all Program Files and Appdata Folders to related Palo Alto Networks. Remove all Regedit entries HKLM and HKCU related to Palo Alto networks. Reboot Stop the wmi service. in windows service pane ( you can call it via starting a commad promt as admin rights than type services.msc) Try installation Reboot. Use recommended version I thing 5.1.3    Good Luck.     ... View more

Hello,   You can try; Uninstall all Global Protect installation if there is exist. Remove all Remainings under; AppData C:\Program Files Under Regedit HKLU Programs Palo Alto Networks HKLM Programs Palo Alto Networks Also Search Regedit because there are entrys for Global Protect Driver and network card entries in the registry. I mean remove all reaming value about Global Protect from Regedit I created a powershell script I hope it works.You can edit and add desired search location to Bold typed are. I hope this can be helpful to you, have a nice day.    $RE = 'GlobalProtect' $Key = 'HKLM:\SOFTWARE\' Get-ChildItem $Key -Rec -EA SilentlyContinue | ForEach-Object {    $CurrentKey = (Get-ItemProperty -Path $_.PsPath)    If ($CurrentKey -match $RE){      $CurrentKey|Remove-Item -Force    } }   ... View more

Hello, İ cannot run syslog miner, dasboard says it is on, after sending syslog to 13514 nothing happens. anyone knows how to run syslog miner? *l forwarded port 13514 to container.   Thank you. ... View more

Hello,   When using APP-ID default port is recomended also you can set service port to force allowed application to use specific port. My suggestion Create a application based rule with identical action before your old rule and monitor them what is hitting.  After your rule table is clean you can create and enfor application filter and groups to block unwanted application which your company requires. ... View more

Hello, You can try this, in custom category filter *.googlevideo.com should be added. You can capture youtube main URL's with using chrome developer option just pressing F12 on keyboard and seleck network tab and reload page.   For testing I put *.youtube.com and *.googlevideo.com on custom category and it worked for me. ... View more