About michelealbrigo

The firewall was (and still is) directly connected to its L3 peers, which I manage as well. I've tried the MTU fix, but it did not help. Reducing the amount of exchanged information (splitting areas and using NSSAs) helped a bit, making the issue less frequent, but it still occurred from time to time. Upgrade to 9.1.8 resulted in the first two consecutive forced failovers without any issue at all. ... View more

On my setup, this problem was (probably) caused by PAN-154899 bug. Upgrading from 9.1.6 to 9.1.8 finally made the issue disappear. ... View more

Sorry if I bring up such an old topic, but I am encountering a similar problem. I have two PA5220 (HA active/standby pair) and 4 Cisco C3850 switch pairs (4x2-way VSSs). PanOS = 9.0.9-h1, Cisco IOS 16.9.4. The entire setup is dual-stack IPv4/IPv6 and I am using OSPF for IPv4 and OSPFv3 for IPv6, due to PA limitation on dual-stack OSPFv3. I am attaching a diagram with a sample configuration. The core switches host a total of 9 VRFs, each with its own uplink, and all uplinks are transported on the same Po/Ae trunks. Each VRF pair (core A, core B) has its own Area (normal), with the firewall is the designated router (DR). VRF OSPF processes have their priority set to 0, so they won't take part in the election. My failover process is not the "standard" one (i.e. make device inactive), I'd rather lower the standby fw priority and let it preempt the active. Now, if I force a failover, CoreA does everything right. Core B encounters this very same error: Neighbor Down: Too many retransmissions and Neighbor Down: Ignore timer expired. I can fix it by disabling/re-enabling CoreB's interface vlans, one at a time, as if they had some kind of "bottleneck" problems (we are talking about 2x10Gbit links, 282 IPv4 routes). OSPF traffic is allowed intra-zone (OSPF Area = firewall Zone = 1 firewall interface vlan + 2 core interface vlan = a bunch of networks on the cores) I removed the mtu-ignore command on Cisco side (but I might add it back), and all OSPF routers have graceful restart enabled. I have two questions: 1) is there a way I can avoid these errors? am I doing something wrong? 2) could LLDP being enabled on both the firewall(s) and the switches interfere in all of this, by enabling a "higher level" negotiation between core and firewall, and disabling a "virtual mac address" failover mechanism which would avoid me the entire neighborship calculation? ... View more

As @OtakarKlier told you, the problem is outside Kibana, which is "just" a GUI over something else. Kibana gets its data from another place, usually ElasticSearch, which is "just" an indexed storage. Something else will put data into ES, and a common tool to do that is Logstash, which is where you configure all parsing operations. For PANFW logs you'd generally use a CSV parser, rather than a Grok one, since the logs have a fixed structure and the CSV parser is much faster than the Grok one (more flexible). My configuration is quite complicated, but I think I've started from this tutorial: https://anderikistan.com/2016/03/26/elk-palo-alto-networks/   I doubt your Kibana gets its data from anything else than Elasticsearch, while your Elasticsearch might get its input from something different than Logstash: try to explore a CSV-style parser for your log processor of choice. Also, if possible, I recommend creating the proper mappings in your ES firewall indexes (i.e. an integer gets stored as an integer, an IP as an IP, and so on). ... View more

By definition, unless you decrypt outbound traffic, no firewall would be able to tell DNS over HTTPs traffic from the rest, especially if DoH is implemented over a large cloud infrastructure that you can't block with IP lists (think about Cloudflare and Google, which might host the service on their "base image" and mix up services at their will). I think the only currently viable solution is browser makers honoring some "kill switch" mechanism (e.g. Mozilla's canary domain: https://support.mozilla.org/en-US/kb/canary-domain-use-application-dnsnet and network administrators implementing it, where appropriate (I'm thinking about networks where you have a split-DNS situation, and external clients are pointed to a different IP than internal ones... ...lots of reasons to do this, and not all of them can be worked around). Anyway, not really a firewall problem/solution, here, unless we start fiddling with PAN's DNS proxy. ... View more

@s_quasar I've tried to look at those two questions, but I have no experience with Decryption + SNI or with Kiwi Syslog, I'm sorry. ... View more

Not really, I'm sorry. It's something I plan to do, but it's low on my priority list at the moment. ... View more

My firewalls exhibit the same behaviour (PanOS 8.1.10), the list is valid, but the GUI shows no addresses in it. Maybe it's a bug? ... View more

Maybe you can try working on the AD side, e.g. restricting visibility of the B domain for the User-ID AD user? I can't go into details, I do not know AD well enough to tell you if this is even possible, but I'd expect it to be able to do it... ... View more

No. A rule with a statically defined list of IPs is not an "external dynamic list". Your configuration is pointing to an external source of addresses, it is reading it, but it's not using it. You can either remove the list from Objects > External Dynamic lists or use it in a policy (if appropriate, of course). ... View more

In Objects > External Dynamic Lists you defined an EDL (e.g. you read a list of malicious addresses from some feed), but none of your policies is referencing it. An EDL would probably end up in the Destination Address part of some policy. Nothing bad, anyway, your firewall is basically just reading an external list of addresses but it's not using that information anywhere. ... View more