About fjwcash

@ansharma wrote:   Then, to verify your regex/filter expression use the following commands:   admin@anuragFW>  test user-id user-id-syslog-parse regex-identifier event-regex <value> username-regex <value> address-regex <value> log-string <value> admin@anuragFW>  test user-id user-id-syslog-parse field-identifier event-string <value> username-prefix <value> username-delimiter <value> address-prefix <value> address-delimiter <value> log-string <value   If you are having trouble figuring out which regex is not being read correctly, feed the log-string values different sections of syslog messages. That's just something you gotta play around and figure out. Some special characters need to be escaped while some will not be allowed. Thank you!  Those "test user-id" commands were exactly what I've been searching for.  Trying to get a custom syslog filter working has been a pain, especially since the online regex tools say they work, but there's no logs on the PA200 to check if it's working or not.   You saved me a lot of desk-head interactions today.  😄   ... View more

I wasn't expecting it to be updated in 7.1.x.  🙂  But good to hear it's been changed in 8+.   I believe the plan is to keep running 7.1.x through the rest of this school year.  There are plans underway for replacing our PA200s and PA500s with PA220s this summer, so we'll be going with 8.1 (possibly 9.0) at that time.   Thanks for the confirmation. ... View more

are you talking about "overriding" that address object in the lower device groups, or actually creating another object?   ... View more

Just to confirm, we're running Panorama in an ESXi VM without issues. ... View more

Hi,   solution for error "failed to handle tdb_update_block"   Some customers running PAN-OS versions 7.0.x and earlier have experienced commit failures with a “TDB_BLOCK_UPDATE” error message after installing content 706 and 707. This issue only affects customers running PAN-OS 7.0.x and earlier and can be addressed by following the steps in the guide linked above. Customers who have not installed content version 706 or 707 are advised to skip directly to installing the latest version of Content Apps & Threats (version 708 or later).     follow this link for further solution   https://live.paloaltonetworks.com/t5/Customer-Resources/Guide-for-Resolving-TDB-UPDATE-BLOCK-Issues-Related-to-Content/ta-p/160631     ... View more

Aha!  It seems we run into these issues a lot, where we're running the version prior to the fix.  🙂   We have plans to upgrade to 7.1.19 soon, so it looks like that will fix things for us.   Thanks for the pointer! ... View more

Many thanks Everyone. ... View more

hi @katerinap   You could also move your servers into their own zone (like a dmz), this way you'd only need 1 NAT rule for everything internal and 1 for everything external   ie trust to untrust        any to publicIP    nosourceNAT destinationNAT  untrust to untrust  any to publicIP    nosourceNAT destinationNAT   Uturn NAT is only required when client and server are in the same broadcast domain causing reply packets from the server to not be sent back to the firewall but directly to the client instead. This is resolved by adding sourceNAT for the internal IP of the firewall so return packets are sent to the firewall   ie  trust to untrust        any to publicIP    sourceNATfwIP  destinationNAT    another solution is to populate internal DNS servers with an internal IP for the servers FQDN so there's no longer a need for NAT ... View more

Hello All - I practically tried to change the Source Interface for Netflow traffic as LAN interface, with the expectation to see the Netflow traffic originating from the Firewall will appear in the Traffic Logs.    It is not appearing in the log  under Monitor Section. In relation to this i have two questions?   1) If i want the Firewall to send a Netflow Traffic or Syslog of firewall Interface (WAN & LAN) , should i configure a Rule to allow the Firewall to send traffic to Netflow Collector? In this case, the Source Interface for Netflow is LAN interface and Syslog is Management Interface   2) To get the Logs of the above Traffic (to ensure the Firewall is generating Syslog/ Netflow), should i configure a Allow Rule with Log Option enabled?   thanks in advance/RB ... View more

Preemption controls what happens when higher priority device returns from down/non-functional state to functional, nothing else. If it's on, higher priority device becomes active when it returns from down/non-functional state If it's off, higher priority device becomes passive  when it returns from down/non-functional state   Decide how you want your cluster to behave, then control it with preemption. ... View more

An easy way to figure out how a Security Policy works is to remember:   All of the items in a column are OR'd together. All of the columns are AND'd together.   So, ( application1 OR application2 ) AND ( service1 OR service2 ) must match to allow the traffic through.   In your specific case, you'd want to create two separate policies:   1. to allow web-browsing application on service 8080/tcp and 8081/tcp   2. to allow ssh application on service application-default   You could create a single policy with ssh and web-browsing applications, and 22/tcp, 8080/tcp, 8081/tcp, if you're okay with the possibility of SSH traffic being allowed on ports 8080/8081, and web browsing being allowed on port 22.  This is where adding in the source / destination IPs can be used to lock the rule down further. ... View more