This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
Buy or Renew
Buy or Renew

About aleksandar.astardzhiev

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
aleksandar.astardzhiev
‎12-22-2025
Cyber Elite
since ‎08-01-2017
Cyber Elite
User Activity
User Profile
Latest posts by aleksandar.astardzhiev
View All
My Liked Posts
View All
User Badges
Community Statistics
Member Since ‎08-01-2017 11:18 PM
Date Last Visited ‎12-22-2025 12:06 AM
Posts 1,077
Total Likes Received 448

Re: is it possible to have crowd-strike flacon installed on a paloalto VM

by Cyber Elite in General Topics
‎07-06-2023 12:03 AM
1 Kudo
‎07-06-2023 12:03 AM
1 Kudo
Hi @padmaguragari , No, you cannot.   Similar question were asked before - https://live.paloaltonetworks.com/t5/panorama-configuration/security-monitoring-software/m-p/546477#M502   You need to look at PanOS VM as virtual appliance which means you cannot install any third-party software to it. Yes it is UNIX-like/Linux based OS, but it is hardened and limited shell access.       ... View more

Re: Cortex XDR Firewall configuration query.

by Cyber Elite in General Topics
‎07-05-2023 06:20 AM
1 Kudo
‎07-05-2023 06:20 AM
1 Kudo
Hi @Vinothkumar_SBA ,   There is no change for the retention after license migration from "per TB" to "per GB". As explained here - https://live.paloaltonetworks.com/t5/general-topics/cortex-xdr-firewall-configuration-query/td-p/547833  "per GB/TB" license are ingestion only, meaning they don't effect retention periond.   Which means you should have (by default) 30days of hot retention for ingested data and 180 days of hot retention for alerts and incidents (created by XDR). If you need extend that you need to order license add-ons, details for which you can see in the link above. ... View more

Re: Need confirmation from Palo alto on DNS Trojan ShadowPad Detected

by Cyber Elite in Advanced Threat Prevention Discussions
‎07-05-2023 06:12 AM
‎07-05-2023 06:12 AM
Hi @Purushotham , If you have support account you can access https://threatvault.paloaltonetworks.com/ where you can search available PAN signatures/protections. If you search for "ShadowPad" - https://threatvault.paloaltonetworks.com/?query=ShadowPad&type= only AV signatures are available.   Can you provide more details on the alert your customer have received? - What device has triggered this alert? - What this alert is detecting? What traffic has triggered this alert?   2. TLS Version 1.1 Protocol Deprecated - Need to Enable support for TLS 1.2 and/or 1.3, and disable support for TLS 1.1. It is not very clear what you are trying to do, but I would assume you want to restrict TLS 1.1 traffic over PAN firewall. If that is a case you need to define SSL decryption profile - https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/decryption/decryption-concepts/ssl-protocol-settings-decryption-profile As you can see you can only do this only for decrypted traffic. 1. Create SSL decryption profile 2. Configure SSL protocol settings to match your requirements - min=TLS 1.2 and max=max (this will tell the FW to use the latest which it could support at the moment is 1.3, if in the future OS is updated to support higher it will automatically apply that) 3. Create SSL decryption rule matching the traffic for which you want to enforce TLS1.2/1.3 and set action to decrypt, selecting the profile you created earlier     3.IP Forwarding Enabled - Need to disable IP forwarding. This questions is not clear at all. It looks like finding from vulnerability scan or PenTest from endpoint. In order to assist you we will need little bit more clarification and background info. ... View more

Re: Interfaces lost IPv4 IP

by Cyber Elite in Panorama Discussions
‎07-05-2023 04:05 AM
‎07-05-2023 04:05 AM
Hi @mb_equate , Based on your explanation my first guess is that IPs were probably configured locally on the firewall while the template were empty. During device-group commit and push, someone has clicked on "Force template values" which tells the firewall to accept what is configured in the template.   I would start by comparing commit revisions - locally on the firewall and Panorama, mainly the revision before and after the device-group commit. This will show the changes that were applied with this commit and I would expect to see the removal of the IPs.   "...Technically this is not a valid configuration as routes rely on next hops in the interface subnets..." This is not entierly try. I cannot test at the moment, but I am alsmost certain that you can configure static route with next-hop IP and interface, without assigning IP to that interface. You defintely will see commit warning - like those you have pasted above, but those are warning and not errors.     Little background - Device-Groups and Templates have different logic for resolving conflicting config. With device-group (just for contrast) you cannot create two rules (locally and pushed by panorama) with exact same name, you can override address object locally, but not a rule. This is on purpose to ensure the order of rule pushed by Panorama   Template on other hand allow without issues to push different values for exact same config that is being set locally. If you have device or network config that is being pushed by panorama and configured locally on the FW, FW will always prefer the local config. The tricky part is that pushing from Panorama wouldn't indicate in any way if the settings from the Template are indeed used or there is local config. The only way to apply Panorama config is to either "force template values" when pushing from Panorama, or clicking on "revert" for each setting locally on the firewall (which will require local commit).   PanOS 11.0.1 is fairly new any who know what weird bug you may face, but before chaising bugs I would suggest to eliminate obvious reasons by comparing config revisions around the time of the incident. ... View more

Re: Firmware download

by Cyber Elite in General Topics
‎07-05-2023 03:44 AM
1 Kudo
‎07-05-2023 03:44 AM
1 Kudo
Hi @aaouane80 , If you can ping updates.paloaltonetworks.com this means that you have DNS working and network connectivity - the most common issues causing such error.   By the way the correct command to update Firmware/Software list of availalbe versions is > request system software check # After that you can see the list > request system software info   The ping is confirming network connectivity, but fetching updates could still be blocked if you have any firewall on the path. Is there any firewalls on the path between FW and internet? Any restrictions or SSL decryption applied for this traffic?   Note also that your firewall needs to have correct time set in order to correctly validate update server certificate. ... View more

Re: Cortex XDR Firewall configuration query.

by Cyber Elite in General Topics
‎07-05-2023 12:36 AM
2 Kudos
‎07-05-2023 12:36 AM
2 Kudos
Hi @Vinothkumar_SBA ,   The short answer is - Yes, you can ingest Check Point logs to XDR with XDR Pro per TB license.   Palo Alto are making some changes to Cortex XDR licenses and "per TB" will be replaced with "per GB". The difference is that per TB was measuring the ingested data for a month, while the new license "per GB" will measure daily.   What this means is that you previously purchased license for the amount of TB you expect to ingest montly, from now on you will purchase license for the amount of GB you expect to ingest daily.   "per TB" should be automatically migrated to "per GB", but it will continue to serve exact same purpose. It looks like in some of the XDR documentation they have already replace the TB with GB.     This information should have already be provide to you over the email you are using for Palo Alto Customer Support Portal. If not you may want to reach to your sale engineer or account manager for more details. ... View more

Re: Unable to install GlobalProtect

by Cyber Elite in GlobalProtect Discussions
‎07-05-2023 12:01 AM
1 Kudo
‎07-05-2023 12:01 AM
1 Kudo
Hi @nadiasb , Can you provide little more information: - What Windows version are you using? - What GlobalProtect version are you trying to install? - How did you get the installation file? Did your IT support sent to you, or you download it from somewhere? - Have you tried to download the installation file from VPN portal? If you open your company vpn address (that you use to connect with GlobalProtect) with normal web browser (specify https:// because there is no automatica redirection from http to https), you probably will be prompted to enter your credentials, after that you should see links to download GlobalProtect installation file. (Note that your IT support may have disable this access) ... View more

Re: Global Protect SSL Fallback Time explanation

by Cyber Elite in GlobalProtect Discussions
‎07-04-2023 01:56 AM
‎07-04-2023 01:56 AM
Hi @DrewNumberTwo , https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-web-interface-help/globalprotect/network-globalprotect-portals/globalprotect-portals-agent-configuration-tab/globalprotect-portals-agent-app-tab   Basically your expectation is correct - it defines for how long client will run on SSL without attempts to try IPsec again.     ... View more

Re: Logging In PAN OS

by Cyber Elite in General Topics
‎07-04-2023 01:45 AM
1 Kudo
‎07-04-2023 01:45 AM
1 Kudo
Hi @Sanjay_Ramaiah ,   Q: In general, the PA Firewalls are manged by Panorama will log directly to Panorama or do we need any configuration to be made to push the logs to Panorama? A: No, FW that is managed by Panorama will not forward logs to Panorama. You need to explicetly tell firewall to forward/push logs to Panorama. PAN FWs split logs into to main categories: - traffic and security logs (from traffic passing through FW): To push logs to Panorama you need to create Log Forwarding Profile and apply this profile to each rule (preferably all) - system and user-id logs: similar to traffic logs it need forwarding profile, but this one is configured under Device -> Log Settings The following link provide detailed steps to forward all logs - https://docs.paloaltonetworks.com/panorama/9-1/panorama-admin/manage-log-collection/configure-log-forwarding-to-panorama   Q:What is the best way to configure logging for the firewalls managed via Panorama? A: If you noticed from above answer, when you create new security rule you need config it to send logs to Panorama. It is easy to forget to set log forwarding when creating new rule. But there is a little neat trick - if you use "default" for log forwarding profile name firewall/panorama will automatically add the profile when creating new rule - but this is valid only for creating rule over GUI. Based on this my recommendation is: - Create your log forwarding profile named default. - Create the log forwarding profile object in the highest device group level - let say Shared. This way it will be inherited by all of your managed firewalls   For system and user-id logs as mentioned above are configured under Device -> Log Setting and defining log forwarding profile for each log subtype. Because these settings are under Device tab, they are can be managed by Template. - Create new Template - Configure log forwarding to Panorama for each system logs - Add this template to each template-stack of your managed firewalls.   Q: For the firewalls in cluster as well the firewalls which are standalone? A: Logging is exactly the same no matter if the firewall is in HA or standalone.   Q: Based on what i read we can configure multiple syslog servers. But if i want to see logs in Monitoring section for troubleshooting what is the best way to save the logs? Because without logs being displayed on monitoring section we will not be able to anything except troubleshooting via CLI. A: It is important to understand that firewall is forwarding logs to Panorama. Which means you don' have to choose if you want to log locally or remotely. Firewall will always log locally and then forward those logs remotely (to Panorama or remote syslog server), based on your log forwarding settings.So even if you enable logging to Panorama, logs are still available locally on the firewall. But depending on your log rate and firewall storage capacity retantion could be significantly shorter than Panorama     ... View more

Re: Tcp Scan on VPN Global Protect

by Cyber Elite in GlobalProtect Discussions
‎07-04-2023 01:02 AM
‎07-04-2023 01:02 AM
Hi @Hendrik9 , Yes, that is correct. I just noticed that your "Activate" rate is set to 0. To be honest I am still not completely sure what is the difference between Activate and Maximum, but if I understand the docs correctly "Activate" will tell when to start the protection. So in your case FW will perform SYN-Cookie for every new connection, no matter the rate.   I would still recommend to change to RED, the docs mentioned another good reason https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-admin/zone-protection-and-dos-protection/zone-defense/zone-protection-profiles/flood-protection When SYN Cookies is activated, the firewall does not honor the TCP options that the server sends because it does not know these values at the time that it proxies the SYN/ACK. Therefore, values such as the TCP server’s window size and MSS values cannot be negotiated during the TCP handshake and the firewall will use its own default values. In the scenario where the MSS of the path to the server is smaller than the firewall’s default MSS value, the packet will need to be fragmented.   But if you still want to use SYN-Cookie you may try to set activate level little higher than the Alert level and see if your port scan will show open ports.   The link above gives suggestion how to select correct rate for flood protection. Pay attention at the note on the bottom of the page. You didn't mentioned what device you are using, but check if it is using multiple dataplane to calculate your rates properly. ... View more

Re: Tcp Scan on VPN Global Protect

by Cyber Elite in GlobalProtect Discussions
‎07-03-2023 11:24 PM
‎07-03-2023 11:24 PM
Hi @Hendrik9 ,   The screenshot confirms that PAN FW is applying SYN-Cookie protection against TCP flood attack. The behaviour you observe is expected when SYN cookie is used (compared to RED - random early drop). The following link is better than me explaining exactly why - https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClgRCAS&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail   Since this is for GlobalProtect zone - where you have some layer of protection by authenticating the users first, the probabilty to have TCP flood from that zone is lower (in my personal opinion, attacker will use your VPN to silently infiltrate your organization,not using it for DoS) it should be safe to change from SYN cookie to RED for this particular zone.   ... View more

Re: Viewing Connected Users in Captive Portal using GUI

by Cyber Elite in Next-Generation Firewall Discussions
‎06-28-2023 06:52 AM
1 Kudo
‎06-28-2023 06:52 AM
1 Kudo
Hi @PA_compte , I cannot think of any way to see such information. And if I think about it I don't believe such information is actually available...   First lets clarify that when we talk about Captive Portal, there is no such think as "connected simultaneously users". Captive portal will authenticate users and create ip-to-user mapping. But because there no way for the firewall to know when logout, or disconnect or change IPs, the create ip-to-user mapping have expiration timer. Once the timer expires mapping is removed and the source IP is no longer associated with any user. This will trigger new user authentication (redirection to captive portal).   When user is connect to GlobalProtect in contrast, firewall is capable to monitor when connection from GP is established and when it is disconnected, using this information FW can report with confidence which are currently connected users.     ... View more

Re: Global Protect with Duo MFA

by Cyber Elite in GlobalProtect Discussions
‎06-28-2023 06:44 AM
1 Kudo
‎06-28-2023 06:44 AM
1 Kudo
Hi @Satyak , I would say the following seems the cause: 2023-06-12 13:32:30.407 -0700 debug: pan_auth_response_process(pan_auth_state_engine.c:4810): Auth FAILED for user "rajeev" thru <"DUO-Authentication-Profile", "vsys1">: remote server 192.168.10.198 of server profile "DUO-Service-Profile" is down, or in retry interval, or request timed out (elapsed time 26 secs, max allowed 25 secs) It looks like your firewall doesn't have access to the RADIUS proxy, or the proxy is not configured properly and it doesn't reply. By default PAN FW will use mgmt interface to reach radius server (if you haven't configure service route for it) - Confirm network connectivity between FW and radius proxy - Use packet capture to confirm server receive traffic from FW. Is it replying? ... View more

Re: I am looking for my PCNSA certificate in image

by Cyber Elite in General Topics
‎06-25-2023 11:10 PM
‎06-25-2023 11:10 PM
Hi @ChAkAL , Have you tried to follow the steps from this guide - https://live.paloaltonetworks.com/t5/certification-discussions/how-to-download-a-certificate-of-completion-for-an-exam-taken/td-p/252388   ... View more

Re: Tcp Scan on VPN Global Protect

by Cyber Elite in GlobalProtect Discussions
‎06-25-2023 09:55 AM
‎06-25-2023 09:55 AM
Hi @Hendrik9 , No. What you have highligthed will drop TCP connection if the SYN-ACK (the respond from destionation to the SYN) is split to two separate packets - SYN and ACK.   What I am refering to is under Flood Protection tab (the first from your screenshot). Can you please share screenshot for this?     ... View more
Register or Sign-in
Contact Me
Online Status
Offline
Date Last Visited
‎12-22-2025 12:06 AM
LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2026 - Palo Alto Networks