This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
Buy or Renew
Buy or Renew

About aleksandar.astardzhiev

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
aleksandar.astardzhiev
‎12-22-2025
Cyber Elite
since ‎08-01-2017
Cyber Elite
User Activity
User Profile
Latest posts by aleksandar.astardzhiev
View All
My Liked Posts
View All
User Badges
Community Statistics
Member Since ‎08-01-2017 11:18 PM
Date Last Visited ‎12-22-2025 12:06 AM
Posts 1,077
Total Likes Received 448

Re: Not able to ping ISP B interface -10.2.9-h1

by Cyber Elite in Next-Generation Firewall Discussions
‎08-21-2024 07:48 AM
1 Kudo
‎08-21-2024 07:48 AM
1 Kudo
Hi @UtkarshKumar , As I mentioned in the KB and also in my post, this feature is enabled only when ECMP is enabled. From your original post it looks like you have two default routes with different metric. Even if ECMP is enabled for the virtual-router (VR), only one of the routes will be installed in the FIB if they have different metrics. If you have ECMP enabled and configure both routes with the same metric, than this feature will allow you to receive reply from the same interface from which the request is received. ... View more

Re: How to Block MUs that have a back level version of the Global Protect client - in this case 6.2.2

by Cyber Elite in GlobalProtect Discussions
‎08-21-2024 07:43 AM
‎08-21-2024 07:43 AM
Hi @Michaeleddinger , Apologies but your question is not clear. Can you provide some clarification? What is "MUs"? And what do you mean by "back level version"? ... View more

Re: intermediate certificates

by Cyber Elite in Custom Signatures
‎08-21-2024 07:41 AM
1 Kudo
‎08-21-2024 07:41 AM
1 Kudo
Hi @smledv , As described here - Repair Incomplete Certificate Chains (paloaltonetworks.com) the RFC standard requires the server to send the full chain of trust. Unfortunately it is very common to not follow the RFC, which prevent the firewall to verify the root CA.   So in one perfect world we should expect server administrators to fix their servers instead of importing intermediate certificates to the network devices/firewalls.   I know the reality is far for that...Unfortunately I am not aware of any automated solution that could solve this. If you are not afraid to get your hands dirty with scripting, you may be able to achieve something with the steps described in the above link and some XML API calls to the firewall.   The problem I am having with such automated approach is the lack of review from the administrator. I would personally prefer person to review the blocked page and verify if the intermediate certificate needs to be imported, or user is trying to access something that is potentially dangerous. ... View more

Re: Custom vulnerability object trigger

by Cyber Elite in GlobalProtect Discussions
‎08-21-2024 05:07 AM
‎08-21-2024 05:07 AM
Hi @M.Bathgate , As mentioned here - http-req-host-header Context (paloaltonetworks.com) you may need to specify start and end anchors  To initiate an exact match search, you must add a <space> before the pattern and ‘\r\n’ after the pattern on PAN-OS 9.1 and earlier. Starting with PAN-OS 10.0 you can use the following anchor characters: ^ and $ to specify a string start and end.  Also are you applying SSL decryption for this traffic? As you try to check the HTTP host header the firewall will need to decrypt the traffic first.   If not, you may need to use ssl-req-chello-sni (paloaltonetworks.com) for context ... View more

Re: Never able to connect to (A/P) peer

by Cyber Elite in VM-Series in the Private Cloud
‎08-21-2024 03:24 AM
‎08-21-2024 03:24 AM
Hi @MeCJay12 , If I remember correctly you can user Mgmg interface as HA1-backup, but you need to use dedicated interface for HA1. Also it may sound stupid, but have you verified the HA1 peer addresses in both firewall configs? HA1 is Layer-3 and requires you to specific the HA1 peer IP. Is it possible that after redeployment the VMs got different IP addresses from the DHCP and HA configuration is no longer valid? ... View more

Re: Intermittent UserID - Syslog Parser -

by Cyber Elite in General Topics
‎08-21-2024 02:12 AM
‎08-21-2024 02:12 AM
Hi @NSutfin , Note that traffic logs are generated at the end of the session. Although the logs are generated few seconds apart, the actuall session for each log may have started minutes apart.   Try the following: - Check the session start timestamp for two logs one with user-id and one without - Check the user-ID logs to see the timestamp when the user-to-ip mapping was created - Verify the mapping timeout has not expired for the two session start timestamps   ... View more

Re: Not able to ping ISP B interface -10.2.9-h1

by Cyber Elite in Next-Generation Firewall Discussions
‎08-21-2024 01:19 AM
1 Kudo
‎08-21-2024 01:19 AM
1 Kudo
Hi @UtkarshKumar , This is expected behaviour. Although this is considered "local" traffic (targeting the firewall itself, not passing through). Firewall will still perform policy and route lookup when generating reply for traffic to Data Plane interface.   Why this is happening: As described in Getting Started: Packet Capture - Knowledge Base - Palo Alto Networks and Building Blocks for a Custom Packet Capture (paloaltonetworks.com) the four stages for the packet captures are: drop - When packet processing encounters an error and the packet is dropped. receive - When the packet is received on the dataplane processor. transmit - When the packet is transmitted on the dataplane processor firewall - When the packet has a session match or a first packet with a session is successfully create These stages can roughtly map as follow to the flow sequence - Packet Flow Sequence in PAN-OS - Knowledge Base - Palo Alto Networks receive = ingress stage firewall = firewall session lookup + session setup + AppID + Content inspection trasmit = forward/eggress stage As you can see during firewall stage, firewall perform route lookup to identify the destination/egress interface. Since the default route for ISP-A is with better metric, only that route is installed in the FIB (forwarding table). And since the FIB lookup return only ISP-A default route, the reply packet is forwarded through the interface connected to ISP-A   Suggested Solutions: The simplest solution would be to create static host route for the source IP via ISP-B. This way reply will take the host route (since it is better match then the default route). The disadvantage of this approach is that ping to ISP-A from the same source IP will now fail, because replies will always go via ISP-B More scalable solutions would require a bit more configuration. Note: I haven't tested, this but I am almost certain that it will work that way Enable ECMP and create two default routes via ISP-A and -B using same metric. This way both default routes will be installed in the FIB Enable "Symmetric Return" for the ECMP. This will ensure firewall will reply with the same interface, which has received the original packet Enabling ECMP however will cause your outbound traffic to be load-balanced between the two ISP, which you don't want. To avoid this you will need PBF (policy based routes) with path monitor, which will make sure that outbound traffic is forwarded via ISP-A and when path monitor is  down, traffic will be failovered to ISP-B   ... View more

Re: Radius Auth VIA management?

by Cyber Elite in GlobalProtect Discussions
‎08-09-2024 08:42 AM
‎08-09-2024 08:42 AM
Hi @tcsmithh , In the service routes config you can specify source interface per service, or per destinantion. If you define source interface for RADIUS service, this will force the firewall to use the same interface for every RADIUS server you define. Specifying source interface per destination allow you to have different RADIUS servers reachable from different interfaces/VRs ... View more

Re: Authentication Issue with Authentic ID and GlobalProtect Integration

by Cyber Elite in GlobalProtect Discussions
‎08-09-2024 08:39 AM
‎08-09-2024 08:39 AM
Hi @hamza_d , Remember that under the hood GlobalProtect is performing two authentication - first authenticate and connect to GP Portal then authenticate annd connect to GP Gateway. By default GP client will try to reuse the credentials you use for portal to authenticate you to the gateway. With SAML this is not possible. Try search through the form there should be multiple similar questions, explaining that workaround would be to set GP Portal to create authentication cookie, valid for 1mins and set GP Gateway to accept authentication cookie. This way when user is connecting with GP client, he will be authenticated with SAML against the portal. Portal will give the client cookie, which it will use to authenticate to GP Gateway.   You should still keep the SAML authentication on the portal, in case GP client skip portal connection (when using the last known good cached config) ... View more

Re: Migrating Configuration from Panorama/PA-3220 (PAN-OS 9.1.6) to New Panorama/PA-1410 (PAN-OS 11.1.2-h3)

by Cyber Elite in Panorama Discussions
‎08-09-2024 06:59 AM
2 Kudos
‎08-09-2024 06:59 AM
2 Kudos
Hi @Tutchapon ,   You may want to explore the Expedition tool - https://live.paloaltonetworks.com/t5/expedition/ct-p/migration_tool I have used used long long ago for migration from other FW vendors to Palo Alto, but it should also be able to assist you with migrating from one hardware to another. Please note the following EoL announcment - https://live.paloaltonetworks.com/t5/expedition-articles/important-update-end-of-life-announcement-for-palo-alto-networks/ta-p/589642   Does your PA-3220 config is entireply pushed from Panorama, or there is some local config? My suggestion would be: 1. Export complete Panorama configuration (with device config) 2. Create new Panorama running the same OS version and import the backup. (Disconnect the PA-3220, so the new Panorama does not try to communicate with it. Although communication is always initiated from FW to Panorama) 3. Upgrade the new Panorama to the target version following upgrade path to ensure config is migrated properly 4. Attach the new 1410 to the new Panorama and assign the existing Device Group and Templates for old PA-3220. You probably will need to adjust the network interfaces, before pushing the config to the device. ... View more

Re: Global Protect Split tunnel dns resoleving problems in MacOS configured with Private Relay

by Cyber Elite in GlobalProtect Discussions
‎08-09-2024 06:52 AM
1 Kudo
‎08-09-2024 06:52 AM
1 Kudo
Hi @DorMarcovitch ,   Thank you for sharing this.   Note that you can also prevent the use of private relay on network level by blocking the DNS resolution for these two FQDNs mask.icloud.com mask-h2.icloud.com As described by Apple documentation - https://developer.apple.com/icloud/prepare-your-network-for-icloud-private-relay/ ... View more

Re: Error 500 when attempting to login

by Cyber Elite in General Topics
‎08-09-2024 06:40 AM
1 Kudo
‎08-09-2024 06:40 AM
1 Kudo
Hi @crodriguez , It seems you  are using SAML authentication and GP embedded browser.In this case the GP window is simply a browser that is trying to visualize the Identity Provider (IdP) page.   Have you tried to open the VPN portal address with web browser? What  is the result? Are you getting authentication prompt? ... View more

Re: Verify EDL is working after applying a Certificate Profile to the list

by Cyber Elite in General Topics
‎08-09-2024 06:37 AM
1 Kudo
‎08-09-2024 06:37 AM
1 Kudo
Hi @1treelanedrv , I believe EDL is refresh at the end of each Commit. So when you appl the certificate profile and commit that change. You can go to the CLI or the Tasks window and review if there is any failed EDL refresh task ... View more

Re: Setting up VPN for MAC access

by Cyber Elite in GlobalProtect Discussions
‎08-09-2024 06:22 AM
‎08-09-2024 06:22 AM
Hi @mbritt , Can you please clarify: - Are you using Clientless VPN or connecting with GlobalProtect client? - What do you mean by "use a Mac to go to the portal"? Are you opening the VPN address with web browser, or trying to connect with GP client? - If you go to GP portal -> Authentication tab are using "any" for OS or have specific authentication rules for each OS?   ... View more

Re: Global Counters if packet is dropped by QOS

by Cyber Elite in Next-Generation Firewall Discussions
‎08-09-2024 05:40 AM
‎08-09-2024 05:40 AM
Hi @zGomez ,   Sorry, I don't have answer to your question, but in the mean time - have you try to setup packet capture for this traffic capturing on "drop" stage, in addition to "receive" and "transmist" stages. This should at least confirm your suspicious that firewall is dropping the traffic. If drop capture file contain packets you can start looking at counters for actual reason. ... View more
Register or Sign-in
Contact Me
Online Status
Offline
Date Last Visited
‎12-22-2025 12:06 AM
LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2026 - Palo Alto Networks