About aleksandar.astardzhiev

Hi @chens , I have recently research similar use case, but unfortunately it doesn't seems possible with Palo Alto FW. As you can see in the official documentation SSH Proxy (paloaltonetworks.com)   SSH Proxy will mainly try to identify if SSH is being used for tunneling other traffic. If it detects tunneled traffic it will block it, but if simple SSH or SFTP or SCP it will allow it.   The link above explicitly mentioned that FW will not perform any content inspection for tunneled traffic (port forwarding or X11), but it does not mention if it will perform content inspection for allowed SSH/SFTP/SCP. However my assumption is that it doesn't, based on the fact that: - There is no application signature for SCP or SFTP - FTP application does not have secure ports (like HTTPS), which means FTP protocol decoder is not used for inspecting SFTP traffic and therefor impossible for the firewall to make sense - Othere people have asked the same question long time ago and get our results - https://live.paloaltonetworks.com/t5/general-topics/data-filter-with-ssh-proxy-decryption/td-p/9589 ... View more

Hi @rmeddane , With Palo Alto firewalls it is something similar, but bit more complex, because you have "NAT evaluation" and "Applying NAT" which are two separate actions.   As you can see NAT evalution, or NAT policy lookup is performed little after packet hits the firewall. FW will perform route lookup to identify egress zone (based on zone associated with egress interface from routing table). This egress zone will be used for NAT and security policy lookup.   After traffic is allowed by the firewall (match rule after security policy lookup), NAT will be applied using the NAT rule identified earlier.   The following discussion started by @TomYoung is probably explaining better - https://live.paloaltonetworks.com/t5/general-articles/nominated-discussion-precedence-of-routing-nat-policy/ta-p/526558   I would recommend to look at this link explaining traffic flow sequence over PAN FW. https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClVHCA0 ... View more

Hi @Ridwaan , This means you are not appling SSL decryption for this traffic. In that case it is expected to work only with plain-text HTTP.   Hey @ErinWest , It looks like you also don't decrypt this traffic. Without SSL decryption firewall is not capable of inspecting the full URL path, because thi is part of the HTTP headers that are exchanges after SSL encryption is negotiated.   When traffic is SSL encrypted firewall will have visibility up to the SSL/TLS negotiation where the SNI (server name indicator) is indicating which hostname the client is trying to reach. ... View more

Hi @ortmannteam , Based on my experience even if this is CDN for Microsoft update, I would expect to see a hostname/domain and not URL request to specific IP address.   I don't see such behaviour, but according to other vendor it seems this is something new   I would recommend to submit the whole URL you detect to PAN   for recategorization https://urlfiltering.paloaltonetworks.com/query/ - check the verdict and then select Request Change   ... View more

Hi @Sanjay_Ramaiah , You need to edit your GP Portal config and enable manual selection for the required external gateways From webGUI go to Network -> GP Portal -> <your-portal> -> Agent Tab -> edit <agent-config> -> External Gateways -> edit gateway -> At the bottom of the screen there is checkbox for manual selection   ... View more

Hi @RobertTryba , There are couple points so lets tackle them one by one: - "Gateway changes are not replicating from Panorama to physical firewalls" - this is most probably because GP Gateway config from Panorama is override locally on the firewall. When FW detect local config and config pushed with Panorama template it will always prefer the local config, until admin accept the Panorama config. You should be able to confirm this by checking on the FW GUI if there is green gear, if there is yello gear over the green gear this means there is local config overriding Panorama template. Two options: - Select (not edit, but just select) the gp gateway object, you should see button "revert" at the bottom of the screen. Something similar to this picture (I am don't have access to FW at the moment, so cannot provide actual picture) After that you need to commit locally on the FW.   - Second option - review eithire (or at least the major config) from Panorama template and make sure all setting in the template are correct. Then push template config from Panorama to FW, but enable the settings "Force template values"   What do the different colors on gear icon indicate when a templ... - Knowledge Base - Palo Alto Networks     - "Matching client config not found" - it is little difficult for me to follow this one, without looking at your config or group membership output, but it sound like you have a problem with user attribute mapping. Also with the group mapping. When you are configuring group mapping, you define what user attribute firewall will gather over LDAP. If you are authenticating with UPN to GP, but your group mapping using primary user attribute SAM (sAMAccountName), FW will not be able to match the username with group mapping. Now as you can see from group mapping, FW should be able to match different username formats (if I may call them this way), by mapping all attributes to a user. Please check this discussion where I have share couple of commands and links how to troubleshoot user attribute mapping - https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000CpgcCAC&lang=en_US%E2%80%A9   - "which account I want to use to authenticate, but I do not get MFA request from new tenant to authenticate my login" - Just to clarify, you are refering to Azure MFA, right? Not Palo Alto supported 3rd party MFA - https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/authentication/configure-multi-factor-authentication#id1eeb304d-b2f4-46a3-a3b8-3d84c69fb214 ?   If you are configuring GP with SAML authentication only, which will open Microsoft login page, which then should challange you for MFA, this is completely contronlled by your AzureAD. There is an setting that you can tell Azure to not ask you for MFA is you try to login from the same device for the next N hours/days. If you want AzureAD to ask for MFA every time user attempt to authenticate you need to look at AzureAD settings. ... View more

Hi @RobertTryba , Unfortunately option 1 will not work. The main purpose of having multiple entries on "GP/Gateways/name/Authentication/Client Authentication" is to apply differnt authentication based on OS. However if client match any of those profiles and fail to authenticate it will not try the rest.   Unfortunately you cannot use Authentication Sequence as well, because you are using SAML In that case option 2 seems as reasonable solution to me. ... View more

Hi @janelle.provine , How do you collect user-id? User-ID agent on remote server reading Domain Controller logs? Or reading DC logs directlly from firewall? Or with GlobalProtect agent installed on the machine? Or any other method?   My first bet is that the users are getting lazy and don't bother switching accounts and second shift continue working with first shift account.     ... View more

Hi @newcollegedurham ,   I am guessing you have also "default" source hide-NAT rule at the bottom, which will translate all internal networks to internet, is that correct? If yes, I am not sure if using the same public IP for static NAT and for dynamic ip and port (DIPP) will not cause commit error. I could be wrong, but I am trying to imagine how FW will handle the port mapping for each session.   Creating static source NAT with bi-directional will NAT will create destination NAT rule matching any destination port. I would suggest you to consider to create the inbound NAT rule manually instead of using the bi-directional feature. - First benefit it will be visible in the GUI, so it will be easier to be spot - Second benefit is that you can specify port or port range, which leaves you options to use the other available ports for future needs. This could be little tricky as you want to NAT telephone system, which will require some large port ranges. ... View more

Hi @AkashThangavel , Please note that I don't have any experience with Prisma Access, but I can make an educated guess:" - I would assume Prisma Access "Tunnel Monitoring" to work exactly the same way as self-hosted/managed Palo Alto firewall. When tunnel monitor is enabled, firewall will generate ping probe packets to the destination IP, and if there is no reply firewall will consider this tunnel as down, even if the IPsec SA (phase1 and phase2) are actually still up. One of the use case of such monitor is to "disable" any static or policy based routes associated with that tunnel and failover the traffic to redundant path. Another benefit is that the constant ping will keep the tunnel up even if there is no actual traffic, which is equivalent to "aways-up" for the VPN tunnel. - While the email alert will only indicate that the tunnel is down and most importantly to trigger such alert, IPsec SAs needs to be down (no phase1 or phase2).   You  are correct that both can triggers an alert event indicating issues with the tunnel, but tunnel monitor take a step further by verifying of the layer3 path over that tunnel is indeed working and provide a way to dynamically switch to redundant path (if you have such in your setup).     ... View more

Hi @ccortijo , Regarding the DMZ server - although connection to the server seems to be working, in my humble there is room for improvement: - It seems your DMZ server security is now using "application-default" as matching service. Unfortunately this will cause issues in your particular case. App-default means FW, will allow connection only if the applicaiton it is detecting correspond to the tcp port that is being used. From the logs it we can see that FW is identifying traffic as "ssl", that is becaue you are using HTTPS, without performing ssl decryption on the firewall. "ssl" application default port is 443, but you are using 8080. For that reason traffic is not matching your DMZ server rule, but it seems to be falling back to the "intrazone-default" rule, which by default is blockin any any. But apperantly you have change it to allow any any.   My recommendation - set port to tcp/8080 with application "any" for your DMZ security rule. Obeserve the logs for one or two days and see what applications are detected over this rule. Then you can switch from "any" app to specify only apps that you see in the logs. Keep tcp/8080 for the service.   - Regarding the GP - From traffic logs for port 7000 you can see that firewall is trying to send the traffic to dest zone DMZ. Which means correct NAT rule is not being applied. This is confirmed by the lack of increasing hit counter on the NAT rule. For me the GP NAT rule seems correct and it should work, my only guess is that you have typo for service object "port-7000", can you edit the object and confirm it is using tcp and dst port 7000? Can you share service object config? ... View more

Hi @Felixcao ,   The command will return only information in real-time (no historical data). Which means you need to setup the capture and reproduce the issue by generating traffic that is matching your filters.   The lack of any counters means that there is no session that is currently passing over the firewall that is matching your filter. It looks like you are running active-active, so either the traffic is not matching your filter, or you are capturing on the wrong firewall, or just there is no traffic ... View more