About Brandon_Wertz

@sushant1601 wrote: Hello,   I am part of an MSSP, and we ingest data from multiple clients. Some clients forward logs from Panorama, while others use Strata Logging Service. I would like to understand how we can differentiate logs based on their source—whether they were forwarded from Panorama or Strata. Is there a specific identifier or static keyword in the logs that indicates they originated from Panorama?     Last year also I tried to look into it but no response. https://live.paloaltonetworks.com/t5/prisma-access-discussions/understanding-prisma-access-syslog-header-amp-messages/td-p/584750   Any help would be appreciated. Thank you.   Strata Logging Service Panorama  Add this column to your log search while in Panorama:   "Strata Logging Service" = "Cortex Data Lake"     ... View more

Great free music suggestions ... View more

Hi @Kevin-Ng , happy new year! hope you are doing well. Any chance you got the root cause of this issue? I have a client using GP version 6.3.x and upgraded the firewall from 10.x to 11.1 then having the same issue. ... View more

Hello, Since its Teams, check your outbound policies to make sure that all traffic is allowed to O365. I use External Dynamic Lists in my policies to make this more dynamic for me. Just make sure to choose the correct lists. https://saasedl.paloaltonetworks.com/feeds/   Regards, ... View more

@shahar.dorfman, Can you describe a bit more on what you're actually looking to do and why you're interested in reading them from the log files directly? That's a bit of an odd request; there's multiple ways to read the logs programmatically, send automated alerts when someone logs into the system, and so on without ever reading authd.log directly. ... View more

waiting  4 hours   integration with Cradle point   ... View more

As @BPry says, PaloAlto scans seen websites for URL categorization. On my own website, I had never seen this in my logs until I went to it from behind a PA and my site has subsequently been surveyed frequently. This is normally a few pulls of base pages, similar to any other web spider (about 20 per week). I have never seen path traversal attempt, variable injection, or other common signs of malicious activity. A typical scan looks like this:   147.185.132.25 - - [11/Dec/2024:03:29:52 -0700] "GET / HTTP/1.1" 200 42 "-" "Expanse, a Palo Alto Networks company, searches across the global IPv4 space multiple times per day to identify customers' presences on the Internet. If you would like to be excluded from our scans, please send IP addresses/domains to: scaninfo@paloaltonetworks.com"   The scans come from: 35.203.210.0/23 - GoogleCloud 147.185.132.0/23 - PaloAltoNetworks 162.216.149.0/24 - GoogleCloud 162.216.150.0/24 - GoogleCloud 198.235.24.0/24 - PaloAltoNetworks 205.210.31.0/24 - PaloAltoNetworks ... View more

Well...I just went ahead and changed it through the CLI, was worried it wouldn't work but it did.  Thanks for the heads up. ... View more

@Sanjay_Jadhav wrote: Hi, how do export day wise internet bandwidth logs    There's not really a way to do that.  You'd need to use an external NMS to really capture this data. ... View more

@L.Lange737770 wrote: Grand idea!  (I should have thought of that...) PA support was not very helpful, as the end of the day we realized that two out of our 3 admins had their IP's addresses changed via DHCP(and the one who still had access was out sick....), and because our access is tied to IP, the firewall wouldn't allow us access - we couldn't even connect via the console port for some reason.     Live and learn... Yeah, that's one of the BPA checks that we don't really follow, and this is a perfect example as why to not follow it. ... View more

@JayGolf wrote: Hi @james_0007 ,   There might be some legal implications to decrypting Casino traffic... I would consider blocking all casino/gambling related traffic.   Agreed you shouldn't intentionally be decrypting things like HIPAA / Legal / Financial, unless you've got an air tight consent to monitoring in place. ... View more

The same. I downgraded to prefered release, and today again to new prefered release and its started working. ... View more

Im usngi PA5220, with 10.2.9-h1, as the last activity we do the restart log-receiver on the firewall as per TAC said. still dont know what cause this, but so far the uid agent mapping and users on log traffic is correct.   we still monitoring until now, because we found out that the traffic  log from GUI and CLI is different for showing the source users. ... View more

Hi @PaloAltorrr ,   Are you asking if PANW has a recommendation for the intrazone-default rule?  Not that I know.  The NGFW will drop packets if it is not listening on the TCP/UDP port.  It will not allow pings if not enabled in the interface management profile.   Like some others, I desire a little more protection.  I create a universal drop rule from the outside.  It is VERY important to make sure you have allow rules for L2L VPNs, GlobalProtect, BGP, etc. before doing this.   Here is a thread where an engineer recommends changing the intrazone-default rule to deny, and he makes some valid points.  https://live.paloaltonetworks.com/t5/next-generation-firewall/should-i-override-the-intrazone-default-to-deny/td-p/581801   Thanks,   Tom ... View more

If you are running into this error even on the new versions of GP, most likely your GP service is hanging/stuck due to another VPN being on or a broken service connection from leaving it in sleep mode instead of powering down the day before. You can simply restart device or attempt to close and restart the PanGPS service running in task manager under GlobalProtect service or the Services tab.    ... View more