About Brandon_Wertz

@filman1979 wrote: What command can I use to display the global protect version on a palo alto firewall. The command "show system info" will give you what you're looking for (These will be intermixed with a bunch of other info) :   global-protect-client-package-version: XXXX global-protect-datafile-version: XXXX global-protect-datafile-release-date: XXXX global-protect-clientless-vpn-version: XXXX global-protect-clientless-vpn-release-date: XXXX ... View more

@MikeSangray2019 wrote: We have an existing GP setup and it's working, but the IP Pool is set to a range of IPs 192.168.10.10-192.168.10.100 instead of a subnet 192.168.10.0/24.   I want to either expand the range or change it to a subnet.   I tested this by expanding the range to 192.168.10.5-192.168.10.150, but clients that got an address in the newly expanded range e.g. 192.168.10.125 were having trouble with network traffic like connecting to internal DNS.   I looked at traffic logs, etc., but nothing stood out as the issue.   Are there other places in the config I need to change the range or commands I need to run?   Policies already allow by zone. Routing is already configured to use the /24 subnet. I did see traffic being allowed, but maybe replies weren't being routed correctly back to the expanded range?   Maybe a routing table issue? Sounds like it could be a routing issue.  What type of routing are you doing, static or dynamic?  After you changed your GP IP pool did you update your routing for the previous IP pool to include the new network space?  You would potentially need to update the route in multiple areas on the firewall or even outside the FW if you're using static routing. ... View more

This thread is a bit old, but I've found that using the support portal "Manage Your Case" is a good way to get movement on the case.     As with anyone the TAC resource you get will have their own experiences and greater abilities in certain technology areas.  The more information you provide at the start of the case the better.  I always upload a TSF, detailed explanation of my issue, what I've done to troubleshoot and any screenshots additional traffic log files which help the engineer get to where I think the issue might be.  TAC is manned by people too and giving them attitude will probably only hinder your interaction with them. ... View more

@ChandrashekharD wrote: Hello Friends,   We have a customer who is not able to connect Global Protect VPN from IPAD device with error "could not verify the server certificate of the gateway" I revived the configuration and selected connection method as on-demand in the app setting of GP Portal and did commit. After commit, we were getting error "the network connection is unreachable or the portal is unresponsive". Then again I revived configuration in IPAD device and found that root certificate is not imported in that device. Then we tried to import the certificate in the IPAD device, we were not getting install option, we tried by both formats like PSCK12 & PEM but no luck, also we were not getting option to enable this. I suspect, We are encountering this certificate error is due to the root certificate not being present in IPAD device.   According to customer, he tried to installed the GP app from the Apple AppStore, which is officially released by Palo Alto. There is no mention in the guidelines on GP gateways or the AppStore about needing to install an additional root certificate on the device. If this is necessary, the option should be integrated into the GP app itself.   We also refereed the document to install the root certificate in IPAD device but I could not find the options mentioned in the documentation, as it references iOS 12, while the customer currently using iOS 16.7, and those options are no longer available.   My concern, do we really need to install additional root certificate in IPAD device to access internal resources while connecting to GP VPN, if this is necessary then why we are not able to import and enable root certificate in IPAD device. If it is necessary to install additional root certificate in IPAD device then please suggest me how to import and enable root certificate in IPAD device   Regards, Chandrashekhar   Try following this KB:  https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000boSUCAY  ... View more

@BPry wrote: Keep in mind that a lot of people are replacing PA-3200 series hardware with the PA-1400 series. This makes sense as PAN didn't previously have an intermediate platform between the PA-800 and the PA-3200 series, but the replacement for the PA-3200 is the PA-3400. The PA-1400 series replaces the PA-800 and it doubles the storage available from its intended predecessor, the same way that the other newer platforms do.    Your VAR/Partner likely did you a disservice by not mentioning the downgrade in storage that you'd be getting going with a smaller platform, but there's also a little bit of self-reflection that needs to go into that as well. The storage space available on each device isn't hidden information and would have been known if the question was asked prior to purchase. Since it wasn't asked, external log storage is the only real viable solution that you have going forward.  Assuming that you have even an old desktop laying around somewhere, you could use something like Graylog to build a completely open-source solution for keeping logs longer. It would just cost you some time to get setup and configured.  This hits the target.  Our Palo account team told us the 3200 replacement was the 3400, so that's what we went to.  The 1ks are no where near the 32/3400s.  I've heard a few stories where the 1ks are really under performing customer expectations because of the hardware limitations.  The 1k is probably a great box, but it needs to fit the deployment requirements. ... View more

@MRamadanAHafiez wrote: have you or they managed to solve it? how ? is it possible to replacethe HDD with more storage one ? Your only solve is a larger 1k appliance or move to the 3400, or use some type of external log storage (Panorama, CDL, SEIM.)  There's not a solve with the appliance model you have. ... View more

@Jameslee20 wrote: ISP <--> Cisco Router <--> palo alto firewall outside -- > cisco router than to Palo Alto Firewall When firewall see invalid port or our Public ip address it forwards ARP flood asking the router  where this ip address or this address with port  Palo Alto has default out to the Cisco Router and when we did packet capture 69% of was ARP flooding asking where is this  There are CLI arp commands that would be really useful to troubleshoot in this situation.  There's still a lack of IP infrastructure in your network so I'm not certain but I'll make some assumptions up.   Your border router owns 192.168.20.0/24 and it's the .1...We'll call this VLAN 20.     Your FW has an interface in VLAN 20?  This is either a single physical interface 1/14.20 or in an ae1.20.  The FW has an IP in .20.  The IP address here, is it a /32 or something different?  If there's no mask described then /32 is implicit.  If it is something other than a /32 and the FW doesn't own that network this is likely your problem.   When you say the FW is garping out looking for a host this is usually because the FW isn't on the same L2.  So I'd check the masks between the 2 networks and make sure something isn't off.  After this is confirmed get into the CLI and look at the ARP table of the firewall the FW should see the MAC of the neighbor it's looking for here, or there's a routing problem. ... View more

@Jameslee20 wrote: Cisco router is getting flooding from Palo Alto firewall Source NAT is basic getting scan from outside random countries We deal with users in other countries and blocking by countries will not work. the ranges from outside to our public ip address It looks like a scanning because it's rang of our public ip address what can we do to stop it or protection     it looks like this but i'm using private as example but they are scanning our two /24 pubic ip address 192.168.20.1 port 192.168.20.3 port 192.168.20.5 port 192.168.20.16 port Etc... I want to clarify what you're saying is actually going on: "Cisco router is getting flooding from Palo Alto firewall"   ...    "It looks like a scanning because it's rang of our public ip address"   What is your boundary architecture?  ISP <--> Border Router <--> Palo FW  ??  Is this how your edge is deployed?   If I described your boundary correct does your border router "own" your public IP space?  When you say that the Palo is "flooding" your Cisco router, are you meaning that the downstream Palo is "arping" out for IPs that the border router owns?  If all of what I described is true, then my suspicion is that the L3 interface object on your PA firewall is set as wrong mask.  If the IP object is a /24 for instance, but the /24 is actually owned by the upstream router then the Palo will actually ARP out for all IPs in the /24.  In this instance the IP object on the L3 interface of the Palo needs to just be a /32.  Converting the IP object to a /32 will stop the upstream Cisco Border router from seeing the Palo flood it. Hopefully this is getting at what you're seeing.  If not please clarify. ... View more

@SoloSigma wrote: On my Ubuntu Server I receive syslogs, that may look like this:   <14>Sep 23 20:01:11 PA-440 1,2024/09/23 20:01:11,021201133296,TRAFFIC,end,2561,2024/09/23 20:01:11,10.10.10.103,20.190.177.21,192.168.10.20,22.120.127.11,rule1,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,LFP LimaCharlie FW,2024/09/23 20:01:11,121977,1,60637,443,39335,443,0x40041c,tcp,allow,23588,6260,17328,30,2024/09/23 20:00:56,1,any,,7408146363088945002,0x0,10.0.0.0-10.255.255.255,France,,13,17,tcp-fin,0,0,0,0,,PA-440,from-policy,,,0,,0,,N/A,0,0,0,0,a6854971-45bb-499a-86fd-30008807b6e1,0,0,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,2024-09-23T20:01:11.522+02:00,,,encrypted-tunnel,networking,browser-based,4,"used-by-malware,able-to-transfer-file,has-known-vulnerability,tunnel-other-application,pervasive-use",,ssl,no,no,0 I understand that there are different log types that can be sent, including Config System Threat Traffic URL Data WildFire Tunnel Authentication User-ID HIP Match Globalprotect Iptag Decryption   Are there any documentation that shows me how the different log types are constructed? I need it in order to create a Regex that will convert syslog into JSON format.   Maybe this is what you're looking for?  The LEEF fields? https://docs.paloaltonetworks.com/strata-logging-service/log-reference/network-logs/network-traffic-log/network-traffic-leef-fields   ... View more

@SRNetwork wrote: Name a version of PAN-OS that does not have a vulnerability. Ya that would be great Is there something you're looking for specifically?  I would say it's generally impossible for ANY vendor for their product to NOT have a vulnerability.  It's pretty much how the industry works. ... View more

@rbrainar wrote: Hi,    We would like to deploy captive portal instead of using userid. We would also configure it so that the user does not have to login or get a login page. However, the browser-challenge seems to fail and then the user gets redirected to the default web form.    Is it even possible to configure captive portal to authenticate the user without displaying the captive portal login page at all? You want browser challenge         And mode transparent in the portal settings:   ... View more

@Alpalo wrote: Hi @PavelK  Hi @PavelK Yes, I have enabled auto mode, but the problem persists, we only have HA1 enabled, I don't know if the problem is related to it. HA1 is connected to the aruba pair switch with LACP . any other idea? Thank you very much Twice now I only see mention of HA1 being used/turned on.  Do you not have a config for HA2?  Is there no HA2 connectivity (of some sort) between FW1/2?     HA1 links carry management sync/config sync.  HA2 links carry TCP session sync.  If you do not have HA2 connections between your active/passive firewalls the TCP state of existing sessions will NOT be known to your passive firewall and when a failover occurs all that session data will be lost and will need to be restarted for ALL traffic.  If this is how things are then I could potentially see a 40 second delay in your HA failovers.   I'm not sure what your routing situation is but relevant IP/routing information/state wouldn't be known your to your passive firewall and would have to be learned.  Then once the network state is known to the firewall then all client TCP sessions could get re-established. ... View more

Awesome, glad to help. ... View more

@MRamadanAHafiez wrote: Hello Team,                  Firstly, thank you all for your cooperation. I have an issue that is I have my internet connection fully utilized most of the time. is there a way or work arround to find out which host IP is utilizing the bandwidth, knowing that I am not running the SD-Wan. software version 11.1.2-h3 TIA, The only way to see who/what is using a link's bandwidth is through netflow or looking at the actual interface.  Even looking at ACC or creating a report on top bytes sent/received does NOT necessarily give you a point in time X host consumed Y amount of bandwidth on your circuit.  The closest is to have QoS enabled on your firewall and looking at the statistics that way.  Like this:     From this view you can look deeper into source clients / applications being used at a given moment.    The problem with looking at cumulative bytes sent/received is that it's cumulative over a defined period of time.  So if the the total bytes sent/received was 10GB the rate, or Gbps/Mbps, of that transfer will need to be a manual calculation by you.  You will need to look at the session data and will have to divide the amount of traffic by the seconds of the session then do the link speed conversion as well. OR you will need to have some other source monitoring and calculating what traffic was consuming a link. ... View more