About Brandon_Wertz

@rbrainar wrote: Hi,    We would like to deploy captive portal instead of using userid. We would also configure it so that the user does not have to login or get a login page. However, the browser-challenge seems to fail and then the user gets redirected to the default web form.    Is it even possible to configure captive portal to authenticate the user without displaying the captive portal login page at all? You want browser challenge         And mode transparent in the portal settings:   ... View more

@Alpalo wrote: Hi @PavelK  Hi @PavelK Yes, I have enabled auto mode, but the problem persists, we only have HA1 enabled, I don't know if the problem is related to it. HA1 is connected to the aruba pair switch with LACP . any other idea? Thank you very much Twice now I only see mention of HA1 being used/turned on.  Do you not have a config for HA2?  Is there no HA2 connectivity (of some sort) between FW1/2?     HA1 links carry management sync/config sync.  HA2 links carry TCP session sync.  If you do not have HA2 connections between your active/passive firewalls the TCP state of existing sessions will NOT be known to your passive firewall and when a failover occurs all that session data will be lost and will need to be restarted for ALL traffic.  If this is how things are then I could potentially see a 40 second delay in your HA failovers.   I'm not sure what your routing situation is but relevant IP/routing information/state wouldn't be known your to your passive firewall and would have to be learned.  Then once the network state is known to the firewall then all client TCP sessions could get re-established. ... View more

Thank you so much @reaper and @Brandon_Wertz , was really helpful your resplies. ... View more

Thanks everyone. beside the radius server, we have another NPS server with NPS Extension for Azure MFA. I have tried to setup the GP timeout to 90 secs, Radius server to 60 secs, still no luck.  Palo TAC doesn't help much either. We are deploying Prisma now which should be resolve the issue.   ... View more

Awesome, glad to help. ... View more

@freadmin wrote: I have everything configured correctly so that I can receive a dynamic IP from the internet provider. The Palo Alto assigns IPs through an access point. Zones are set up correctly.   However, the internet is often slow and sometimes painfully slow? We are waiting for more than 10-20 seconds for web pages to load at times. There is no issue without the Palo Alto, so it must be something about how it is set-up.   The only thing that we could come up with is that the licenses are not yet assigned to the firewall or this #PA-410 is buggy.   Any thoughts?   I can provide more context if need be.  Thoughts?  I wouldn't run any firewall in a production environment that didn't have active/entitled licenses.  Not sure if this is or isn't a problem, but it doesn't seem like a good practice.  Is it all traffic that is slow or only some traffic?  I know that on versions <10.2.6 and you're doing SSL inspection HTTPs traffic could be abysmally slow.  (known bug) As with mentioned by @BPry  maybe there's an MTU mismatch or some other L1/L2 problem like duplex or CRCs?   Also what does the CPU stats says on the FW when traffic is slow?  Could you be pushing more traffic through than the box is rated to handle?  Are you running the current preferred code version?  What code are you running? ... View more

@Bunty36 wrote: Hi I have Lenovo laptop which support 5ghz router. I disabled wifi 6 but it not work.   Do you find any workaround for same? Yeah...I'm saying there's a known issue with some Intel wNICs that Lenovo laptops use.  Try connecting to the SSID over the 2.4Ghz spectrum.  Do NOT use the 5Ghz SSID/spectrum.  It's possible this isn't a GP client version problem but in-fact a known issue with Intel wNICs connecting to 5Ghz.       ... View more

@parste wrote: Hello, for a longer time I've been trying to submit an application to Applipedia via the form at https://www.paloaltonetworks.com/blog/submit-an-application/ - unfortunately no response after months of waiting. Is there please any other way how to contact somebody who could provide assistance in this matter? Thank you very much for any response!   It's been my experience that these types of websites are "black boxes."   If you're a Palo Alto customer open a support ticket and attach a PCAP with the session data of the traffic that can be used to create the "application" that you're saying needs to be created.   In either way, creating a "new" application will take months to year(s.)  I wouldn't expect to hear anything from your submission on that public website for the entire time (as bad as that sounds.)  You're better off creating a support case to get the new app-id created. ... View more

Thank you so much for the link. ... View more

@Yenn_Alfredo wrote: hi, Do you know where I could locate a procedure where I can see how to set it up.   Kind regards Not really it's kinda our job as the firewall admin to know how to do these things.  That said a lot of what is needed would be here:  https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-admin/high-availability/set-up-activepassive-ha/configure-activepassive-ha but setting and specific will take decisions and information from you. ... View more

@Marie_Jenner wrote: 1. Examine your browser The majority of contemporary web browsers include information about the encryption employed over an SSL/TLS connection: Chrome by Google: In the address bar, click the padlock icon. Depending on the version of Chrome you are using, choose "Certificate" or "Connection is secure". To view details about the encryption protocol and cipher suite, click "Details". Firefox Mozilla: In the address bar, click the padlock icon. To get more details, click the arrow or "Connection secure". Click "More Information" to see the details of the encryption under "Security". Microsoft Edge: In the address bar, click the padlock icon. Select "Certificate (Valid)" or an analogous choice. Examine the information in the certificate window's "Details" tab. Safari: Click on the padlock icon in the address bar. Select "Show Certificate" to view details about the SSL/TLS connection. Check the "Details" tab to find encryption information.     2. Make Use of Internet Resources A website's encryption can be examined using a number of online tools: Visit SSL Labs' SSL Test, type in your domain, then click "Run" to begin the test. It offers a thorough report on the SSL/TLS settings, covering cipher suites and encryption algorithms. Why Is There No Padlock? To verify a website's SSL/TLS settings, including the encryption details, go to Why No Padlock? 3. Use Command Line Tools to Verify Additionally, you can examine SSL/TLS connections using command-line tools: OpenSSL: OpenSSL allows you to inspect the encryption details by connecting to a server. 4. Examine the certificate You can use a variety of tools to examine the certificate itself in order to see the encryption specifics of a specific certificate. This involves using programs like certutil on Linux or the previously listed methods to examine the certificate's data. You may find out which cipher suites and encryption protocols are being used on your SSL/TLS certificate by utilizing these techniques.     While useful information what you shared doesn't really help the OP, and doesn't help a firewall administrator understand what keys are being used by systems the firewall sees. ... View more

@itassetbenilde, I'd recommend setting the URL category, especially something that you created yourself, to at least 'alert' so that it's logged. If you're setting 'allow' you won't see logs when traffic properly matches the custom category.   How are you trying to allow the custom category in your security rulebase? When it comes to bypassing URL categorization, I highly recommend having a dedicated security entry that triggers off of the custom category and has the applicable individual profiles allocated. IE: If I have a "Allow-Blocked-Domains" category as an example, I'll have a security entry that triggers off of the category before my more general traffic rules. Then assign profiles as you see fit; I generally recommend having a url-filtering profile assigned to this entry that simply has all categories set to alert for this rule. This process has proven to be very effective in allowing access and not having to worry about other competing profiles as long as your custom category is matching properly. ... View more

@Molly_Rice, The way that you would do this through the API (and the way that the GUI actually performs this) is simply not outputting the full return. Something a bit like this: session_table = requests.get('https://<firewall>/api/?type=op&cmd=<validate><full></full></validate>',headers=headers, verify=False) session_dict = xmltodict.parse(session_table.content) returned_session_list = [] session_list = session_dict['response']['result']['entry'] for session in session_list: if session['application'] == 'ssl': logging.debug("Drop Session") else: returned_session_list.append(session) ## Do something with returned_session_list ## ... View more

@AtulK wrote: There is a How-to documentation created by Palo Alto Networks: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClS6CAK    I hope this helps! While this thread is very old, I think your response doesn't address the actual point of the question.       To me this question is asking how to integrate the "known users" from Clearpass authentications to PAN-OS via API calls.  Your KB article is about using Clearpass as an authentication source to log into the firewall itself.   The API integration between the 2 products are described here: https://www.arubanetworks.com/assets/pso/TechNote_ArubaAndPaloAltoNetworksIntegration.pdf   This documentation is old though and needs to be refreshed.  The documentation both from Palo and Aruba is lacking and the way Aruba Clearpass makes API calls it's entirely possible to overrun the stated support API call limit in PAN-OS which is only 5 API calls a second.  If configured incorrectly from Aruba Clearpass, Clearpass may trigger 20+ API calls a second which will crater Panorama / Strata appliances.  Requiring Clearpass the API integration to be turned off on CP in order to recover PAN/Strata. ... View more