About Brandon_Wertz

@SyafiqBharudin -- you're running an EOL PAN-OS version. Upgrade to a supported OS, and confirm if you're issue still exists:   ... View more

From all of the posts here I haven't seen anything where the traffic deny was identified.  The "allow" action was for the Layer 3/4, but somewhere in L5-7 the firewall took a block action and it WILL be logged.  Check the data filtering, URL, threat, decryption...et al logs, somewhere one of these logs will show the reason for your ultimate deny action.     Like mentioned before it's possible/probable that it would be a decryption issue.  Also previously mentioned was a decryption profile.  You can look there.  What settings do you have enabled there?  Does the server have an encryption certificate using unsupported parameters?   https://docs.paloaltonetworks.com/compatibility-matrix/reference/supported-cipher-suites/cipher-suites-supported-in-pan-os-10-2/cipher-suites-supported-in-pan-os-10-2-decryption ... View more

@KarthikaSubbiah wrote: We submitted the request to Palo Alto to have the URL category and risk changed and that was recategorized to 'low-risk' now. My question is will Palo Alto might identify the site as malicious again based on our activity in the future and change the category? There are 2 components to URL categorization, which you've mentioned (Category & Risk.)   I wouldn't worry as much about "risk" as the category your site falls under.  An organization can't really survive on blocking "high" risk sites alone as an attribute.  There are legitime sites that also have a high risk association.  It's my understanding that the risk definition is coming from some sort of observable activity from the website itself.  So if your site is being defined as medium or high risk it might indicate your website might be compromised or being exploited in someway from a threat actor. ... View more

@${userLoginName} wrote: Hi Community, we are thinking about enabling Jumbo frames globally on PA-5430 firewall that is connected to Nexus and Catalyst. - Nexus for high performance & storage with MTU 9216. - Catalyst for all the standard stuff with MTU 1500. Are there any limitations, drawbacks, concerns by enabling Jumbo frames instead of using standard MTU 1500 (and maybe have 10% bandwidth reduction by not using Jumbo frames) ? Any experiences are welcome. Thanks a lot. Best regards, Henry I wouldn't only enable jumbo frames if they're absolutely necessary.  I'm not sure about the 5400 series, I'd ask your SE, but on the 5200 series enabling jumbo frames severely limits the firewalls buffer space.   You mentioned Nexus and Catalyst Cisco switches.  How do endpoints connected off these network segments communicate though the firewall?  If "datacenter" traffic stays on the Nexus side (application & database communication) & just general policy / routing through the firewall into the catalyst environment then I wouldn't enable jumbo frames on the firewall (without talking to your SE.)   If high volume data like servers accessing storage mounts, or interconnected components of an application communicate through the firewall then it would probably be necessary jumbo frames. ... View more

@sayyidi wrote: I am facing the same issue. How to solve this ? You're facing the same issue?  The image in the OP doesn't show a .tgz file being uploaded to the newly created case.  Are up uploading a .tgz file to the case?  If the technology area is around a firewall it's my understanding that a TSF (.tgz file) is needed to be uploaded to the case.  Are you doing that and still getting an error? ... View more

@459768405 wrote: Dear all         We need to replace our old ldap server config to a new ldap server on PA firewall and panorama, I want to know if I add a new ldap server config on PA firewall and panorama, how can I test the healthy of the new ldap server? I try to use telnet command to connect the new ldap server's 636 or 389 port, but I found there is no telnet command on PA firewall and panorama...         On PA firewall maybe I can use the "group include list" function in "user identification", but it doesn't work on panorama, need you give me a favor~   Best wishes Cat  I don't have access to the PAN or FW UI right now, but is there a "test connection" button in the GUI?  I don't know of an easy way to test, but in the system logs the firewall's ability to connect/contact a LDAP server shows up.  So if a server goes offline there will be a log for that.  Also I don't believe Panorama will "connect" to the servers in your LDAP profile, that only happens from the firewalls themselves.  So if you're already executed the group include list command from the FW and it's working, that should be enough to tell you it is.  Especially if you're not seeing any system log error messages. ... View more

@PaloNetworkMonkey wrote: Hi, I want to move all interface from a 1gb port (1/2) to a 10gb port (1/8) what is the quickest way to do this. Is there a bulk move or clone interface option within the GUI? Model PA-5220 Software Version 10.1.14-h10   Not using Panorama. Have just tested but unable to configure the new 10gb interface as it uses the same IP details as the 1gb.. which will not be moved until OOHs migration window..   Thanks @PaloNetworkMonkey  I would do it exactly as @TomYoung  described.  Export your config via XML.  Adjust the interface settings moving them away from 1/2 and applying them to 1/8.  Just make sure you capture all configuration points.  Then import the config.  It should be an almost seamless transition and should be less than a 10 second (random time I can think of in a worse case situation) outage while things come up on the new interface.   You can have the new interface all cabled up ahead of time.  This definitely should be done in a maintenance window though and you should be ready to troubleshoot if something doesn't go as planned. ... View more

You previously mentioned you don't have GUI access and only have CLI access to this firewall.  There are a lot of components and configuration items that need to be deployed for this to work.  You'd be better off having a lab with GUI access, recreating all of these components in the lab (GUI) validating that it works then taking that config and applying to your production via the CLI. ... View more

@Kfialkowski  --    How are you expecting your client to get a DHCP address from the firewall?    From your config I only see Layer 3 components, but what you're asking is for the firewall to participate in Layer 2 functionality.  You're going to need to create a L2 VLAN that hosts will be on to get the DHCP address.  Then the network your PC is on will be to be apart of the same L2 domain that the firewall is trying to provide an IP address for:       ... View more

@pyrainath wrote: Hi, We are using PA820 i have a isp connection of 700mps up/down.and i have an internal server that can access from public and the domain is pointed to the public ip.the internal server is in my dmz zone and isp is in untust only untrust interface is configured with Qos.and dmz interface has no Qos configured. when i check the speedtest i see it shows 500mbps up/down.but when a client try to upload or donload a file from the server from public they only get 40-45 mbps max . and it will increased when multiple client try to upload and i tested upto 200mbps uplaod to the server. why i cant go more than 40-45 mbps per connection .   i try uploading a file from private network and it get 500 mbps upload speed so i think its not my server then i thought its my firewall or Qos that throttling the bandwidth so i disable Qos in untrust but no luck. i even try to configure the public ip in server to bypass the firewall but the result is same ,so i thought it is the isp and i tried with another isp and the result is same,So i kind of stuck here. please help me if u have some suggestion on this matter       I've got a 5250 in my DC with 10Gb Internet circuits (symmetrical.)  On my best day I would only get 200Mbps from a VPN client at home with 1Gb symmetrical Internet and WiFi running 802.11ax with 80MHz channels.   The 800 series (820 or 850) really isn't a "datacenter" series firewall.  It's more SOHO.  You're saying from the Internet connecting to a server in your DMZ, downloading a file remotely you're only getting 50Mbps (~6MBps?)  Your download speed probably has more to do with your server (OS) and client setup than the firewall.  You also mentioned QoS being setup on the firewall, that really will have no bearing as that's only going to be a local thing.  QoS settings on the FW will really have no bearing on the larger Internet your and client.   These performance specs are "best case scenario" given specific test criteria.  The don't really equate to end user performance.  For the hardware I would say your download speeds you're seeing are not worth your time trying to improve:     ... View more

@M.Kluibenschdl wrote: Hi Brandon,   yes pre-logon is working with a machine cert and yes we wan't that the if the user logs on, the prelogon tunnel should stay established until the user manually starts the vpn tunnel. Unfortunately that's not the way it works.  Pre-logon = Pre-logon.  If a user has logged in that tunnel, by definition, needs to go away.   If I understand what you're saying, is that it's a UI / user experience issue.  For whatever the reason is, the GP client is "annoying" / "gets in the way" and you only want the users to see the GP client when they directly want to interact with it?  Am I understanding the issue correctly?   If I'm right in my assumption then unfortunately I don't have a solve for you.  I've not messed around enough with the GP client to find the UI nuance to make it behave the way you want.  My only idea would be to convert the user-logon method to be always on (with SSO), this would make the client not appear as it connects immediately and pulls credentials from the OS directly not requiring user interaction. ... View more

@M.Kluibenschdl wrote: Hi !   we use the pre-login feature with client cert logon - this work quite good. after logon we would like to connect on demand with saml login. we made two configs, one for prelogon and one for the user, both with prelogon: At the moment if you login to the client the GP client starts direct with the SAML login - is it possible to stopp this behavier?   We want the prelogon tunnel to remain active in the background until the user manually establishes a user vpn session. We also tried "Pre-logon then On-demand" but with the same behavior:     THX for your feedback! To clarify, have pre-logon configured and that is successfully creating a VPN tunnel without a user logging in (This has to be using machine cert for auth)?  You also have user-logon currently configured for client certificate auth which is also working without issue?   You want to switch the user-logon authentication method from client certificate to SAML auth?  Your issue is when the users are logging in the SAML auth for the user is happening right away?  You want the pre-logon tunnel to stay on and the user to manually select/enable the VPN tunnel at their discretion?   If I have these facts correct then what you're wanting to achieve isn't possible.  The pre-logon tunnel will get torn down the second a user logs in. (regardless of if they've connected the VPN or not) ... View more

@CPATT wrote: Hello,   I'm trying to figure out any reasons that the decryption exclusion would not be working. As the traffic is being denied:   What could I be doing wrong in my config to have this exception not work?    I don't think this has anything to do with decryption.  We'd need to see the larger pop-out window of the log, but the "Deny" action is probably because of a threat profile action or maybe matching a deny action from a URL profile.   --edit-- If this was because of a decryption issue you'd see a "decrypt-error" log message.  You can also look at the decryption logs for this particular traffic to see if it is being decrypted (why it is.)  You can also add the "Decrypted" column to the traffic log and if = yes, then the traffic is being decrypted.)  The log field is something like (has proxy="yes") ... View more