This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
Buy or Renew
Buy or Renew

About aleksandar.astardzhiev

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
aleksandar.astardzhiev
‎12-22-2025
Cyber Elite
since ‎08-01-2017
Cyber Elite
User Activity
User Profile
Latest posts by aleksandar.astardzhiev
View All
My Liked Posts
View All
User Badges
Community Statistics
Member Since ‎08-01-2017 11:18 PM
Date Last Visited ‎12-22-2025 12:06 AM
Posts 1,077
Total Likes Received 448

Re: How I detect vpn extension in browser ( Chrome, Firefox, Brave )?

by Cyber Elite in Cortex XDR Discussions
‎01-03-2024 01:59 AM
‎01-03-2024 01:59 AM
Hi @Prashanta ,   In my humble opinion there is no way to detect browser extensions using the XQL. Generally speaking XQL gives you a way to search/query the event logs. XDR is doing really great job by collecting information which process is generating the network traffic. But this means that those logs will only show that "FireFox is trying to access surfshark.com" (for example), it will not tell if the user is trying to open the page or there is browser extension that is trying to make the connection.   Long time ago I tried to achieve something similar - List/Detect browser extensions on endpoint from CortexXDR What I did is I tried to create custom python script that I imported in XDR. The script was basically searching for the directory where the three most common browsers keep their extensions and read the manifest file and print out the name and the extension ID. My idea was as next step to check the ID agains a list of known malicius IDs like https://github.com/mallorybowes/chrome-mal-ids, but I never complete this.   I am not sure if my approach was the best, but in my understanding it is the only one since the Operating System does not make difference if FireFox is trying to connect to VPN because there is extension installed or just user accessing a web page.   ... View more

Re: suspended firewall in HA pair became active after reboot ( preempt not configured on either active or backup firewall )

by Cyber Elite in Next-Generation Firewall Discussions
‎12-22-2023 07:28 AM
‎12-22-2023 07:28 AM
Hi @marianneogorman , Have you checked the system logs on both member around the time of the failover? Monitor -> Logs -> System   ... View more

Re: How to decode palo alto netflow app-id from hex value

by Cyber Elite in Next-Generation Firewall Discussions
‎12-21-2023 05:51 AM
‎12-21-2023 05:51 AM
Hi @ssovee , As mentioned here https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/monitoring/netflow-monitoring/configure-netflow-exports PAN firewall will refresh NetFlow template based on the time interval you specified in the NetFlow server profile.   From your screenshare it looks like PAN firewall is already configured to send PAN-OS specific fields, which include App-ID. However wireshark is unable to recognize this field, and suspect the reason for that is your capture didn't capture NetFlow Template packet sent from the firewall. You can see example here, how WireShark is able to identify all fields when template is being captured - https://helpdesk.kaseya.com/hc/en-gb/articles/115003522631-How-to-view-NetFlow-in-WireShark   ... View more

Re: URL filtering database updates problem

by Cyber Elite in Next-Generation Firewall Discussions
‎12-21-2023 03:38 AM
‎12-21-2023 03:38 AM
Hi @adminglu ,   10.2 and 11.0 are fairly new versions any you maybe hitting some known or unknown bug. It will be better to submit a ticket to TAC to have a look. ... View more

Re: GWLB deployment challenge

by Cyber Elite in VM-Series in the Public Cloud
‎12-21-2023 03:35 AM
1 Kudo
‎12-21-2023 03:35 AM
1 Kudo
Hi @Doyenadmin ,   Q: Also If i will be configuring same IPsec on both the PA series and if traffic is intended only for Site A the GWLB will forward it to both PA and it will result in packet drop ? A: I believe that is correct. GWLB will send traffic to PAN FWs in round robin, so it may send traffic for tunnelA to PA02, which will effectively droppe it (or route it in clear following default route to IGW).   Better option would be to build tunnels to A and B from PA01 and PA02 (PA01 will have two tunnels, one to A and one to B, same will be for PA02). You will need to apply source NAT when traffic is sent over the tunnel to remote site can route traffic back to the correct firewall and keep session on the same memer.   If you really want to achieve what you want. In my humble opinion the only way would be to use additional interface on each firewall. 1. Create additional interface on each firewall 2. Create specific route in the routing table for each TGW attachment, for tunnelA subnet, pointing to PA01 new network interface (ENI) 3. Create specifc route in the routing table for each TGW attachment, for tunnelB subnet, pointing to PA02 new network interface (ENI) 4. Create routing table for the new ENIs with default poining to TGW (for the return traffic)   Note that you will need EC2 type that support at least 4 nics - https://docs.paloaltonetworks.com/vm-series/9-1/vm-series-performance-capacity/vm-series-performance-capacity/vm-series-on-aws-models-and-instances (one mgmt, one GWLB, one IGW and one for the tunnel traffic. ... View more

Re: In URL Filtering logs, URLs are not showing the subdomains. Showing upto ( .com/ )

by Cyber Elite in Prisma Access Cloud Management Discussions
‎12-21-2023 03:08 AM
1 Kudo
‎12-21-2023 03:08 AM
1 Kudo
Hi @ram.balaji , The most plausible reason is that no SSL decryption is applied on the firewall generating these logs. Without TLS/SSL decryption, PAN firewall is inspecting the SNI (server name indicator), from the SSL negotiation. This is sent by the client to the sever to indicate which host the client is trying to reach so the server can know which SSL certificate to provide (if the server host multiple sites).   Because traffic is encrypted and no decryption is applied FW cannot see the full URL from the HTTP headers and will use the SNI for web filtering categorization.     ... View more

Re: Understanding palo alto license - VM count and vCPU

by Cyber Elite in VM-Series in the Public Cloud
‎12-21-2023 02:53 AM
‎12-21-2023 02:53 AM
Hi @N-Open ,   I am guessing you have purchased Software NGFW Credits, which is the current licensing model for virtual PAN firewalls. Those are great, because they gives you the flexability to modify your virtual firewall any time.   In nutshell you by credits, then you create deployment profiles which define how you spend these credits, including how many vCPUs and firewalls and what subscription licenses you want to apply on those firewalls. At any point you can modify the deployment profile and redeploy your firewalls increasing or decreasing the number of vCPUs or just adding or removing  subscription licenses.   Software NGFW Credits Estimator - Palo Alto Networks is great tool that allows you to calculate how many credits you need for specific deployment.   Q: It says 6 VMs with 8 vCPU. Is it 8 vCPU for each VM? A: We can only guess, but I understand it the same way. Probably the easiest way to confirm is to play with the Estimator tool and compare how many credits have you received and how many the estimator tells you will need for 6 FW with 8vCPUs.   Q: Can we have 12 VMs with 4 vCPU each? Please advice. A: That is what is great about Software NGFW credits is that you can choose what ever you want combination, as long as you have enoguh credits. ... View more

Re: How to validate user/endpoint is fetching which profile from GP Portal Agent configuration.

by Cyber Elite in GlobalProtect Discussions
‎12-20-2023 08:48 AM
‎12-20-2023 08:48 AM
Hi @dramchandani , By default Group Mapping refresh AD user groups every 60mins. Which means if you make any changes in the AD groups, firewall will receive this information after one hour (really depending when was the last refresh).   You can change this update interval https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-admin/user-id/map-users-to-groups Step 2, substep 5   In our environment we have changed that interval to 10mins. But if you are impatient you can manually trigger group mapping update and not wait until the next interval > debug user-id refresh group-mapping all # Check when is the next update interval > show user group mapping state all # List members in AD group to validate if user is present > show user group name "<group-dn>"   Q:-2) If refresh connection is not right option to fetch new configur? what is the alternative way? A: Refresh config from GP client GUI is the best way to fetch new config. But make sure firewall has AD groups updated   ... View more

Re: HIP Checks failing GP failing GP users called in ACL's when source device is Apple

by Cyber Elite in GlobalProtect Discussions
‎12-20-2023 07:46 AM
‎12-20-2023 07:46 AM
Hi @dromanelli    "I can even set a line for those users and not have any HIP check enabled on said line, and it will still block them on the catchall. I've set it to "any" and "none," but neither work. "   Above statement indicates that the problem is not with the HIP, but with user-id matching.   In order traffic to be allowed over the firewall it has to match all the critiria applied on that rule. This means that once the users connect to GP, they needs to match one of the usernames AND the HIP profile. If you remove the HIP profile from the rule, this means traffic is not match the username in your rule.   Palo Alto user identification works  by creating ip-to-user mapping, basically mapping a source IP to username. When packet hit the firewall it will get the username from that mapping and will perform policy lookup to search for rule matching source network AND source username AND HIP profile.   - What authentication are you using for your GP? Local (creating users locally on the firewall)? or Remote (LDAP, RADIUS, SAML etc)? - If you are using remote authentication, are you using group mapping? Group Mapping (paloaltonetworks.com) - How did you define the username in the rule? Manually type them or select them from the dropdown?     I am almost certain that your problem is in the user identification and not in the HIP, but you can easily confirm this by looking at the HIP logs. Go to Monitor -> HIP Match. There you can filter by username or IP address and see what HIP object and HIP profiles that user has matched. Try to connecting with MacOS and check the HIP logs ... View more

Re: Palo Alto 5220 Upgrade

by Cyber Elite in General Topics
‎12-20-2023 07:20 AM
‎12-20-2023 07:20 AM
Hi @Robert_DeUmberto , Are you able to login with SSH and local credentials?   You may be hitting the RAID rebuild situation - https://live.paloaltonetworks.com/t5/next-generation-firewall/pa-5250-raid-integrity-check/td-p/509758   We faced the same issue when upgrading from 9.1 to 10.1. The upgrade from 10.0 to 10.1 took reaaaaly long time. Looking at the above discussion it seems other users have experience the same RAID rebuild when upgrading 10.1 to 10.2   As @JayGolf mentioned it should take arround 10mins (my previous experience shows 5200 series needs some time to get data plane engines running), however the RAID repair it what actually causing the delay. ... View more

Re: Cortex XDR Pro Per GB License

by Cyber Elite in Cortex XDR Discussions
‎12-20-2023 06:55 AM
‎12-20-2023 06:55 AM
Hi @RichardChou , If I understand correctly you need centralized place to store your firewalls logs and use search queries to over those logs, without using Cortex XDR.   The "Logging Service" (which before was called Cortex Data Lake) is probably what you look for - https://www.paloaltonetworks.com/resources/datasheets/logging-service   There you can use the Explore tool to query search in your log https://docs.paloaltonetworks.com/cortex/cortex-data-lake/cortex-data-lake-getting-started/retrieve-log-records   ... View more

Re: SSH\SFTP Proxy

by Cyber Elite in Next-Generation Firewall Discussions
‎12-20-2023 06:45 AM
‎12-20-2023 06:45 AM
Hi @chens , I have recently research similar use case, but unfortunately it doesn't seems possible with Palo Alto FW. As you can see in the official documentation SSH Proxy (paloaltonetworks.com)   SSH Proxy will mainly try to identify if SSH is being used for tunneling other traffic. If it detects tunneled traffic it will block it, but if simple SSH or SFTP or SCP it will allow it.   The link above explicitly mentioned that FW will not perform any content inspection for tunneled traffic (port forwarding or X11), but it does not mention if it will perform content inspection for allowed SSH/SFTP/SCP. However my assumption is that it doesn't, based on the fact that: - There is no application signature for SCP or SFTP - FTP application does not have secure ports (like HTTPS), which means FTP protocol decoder is not used for inspecting SFTP traffic and therefor impossible for the firewall to make sense - Othere people have asked the same question long time ago and get our results - https://live.paloaltonetworks.com/t5/general-topics/data-filter-with-ssh-proxy-decryption/td-p/9589 ... View more

Re: Routing and NAT Order precedence

by Cyber Elite in Next-Generation Firewall Discussions
‎12-20-2023 06:04 AM
‎12-20-2023 06:04 AM
Hi @rmeddane , With Palo Alto firewalls it is something similar, but bit more complex, because you have "NAT evaluation" and "Applying NAT" which are two separate actions.   As you can see NAT evalution, or NAT policy lookup is performed little after packet hits the firewall. FW will perform route lookup to identify egress zone (based on zone associated with egress interface from routing table). This egress zone will be used for NAT and security policy lookup.   After traffic is allowed by the firewall (match rule after security policy lookup), NAT will be applied using the NAT rule identified earlier.   The following discussion started by @TomYoung is probably explaining better - https://live.paloaltonetworks.com/t5/general-articles/nominated-discussion-precedence-of-routing-nat-policy/ta-p/526558   I would recommend to look at this link explaining traffic flow sequence over PAN FW. https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClVHCA0 ... View more

Re: New Advanced URL Filtering Category: Scanning Activity

by Cyber Elite in Community Blogs
‎12-19-2023 12:27 PM
‎12-19-2023 12:27 PM
Hi @Ridwaan , This means you are not appling SSL decryption for this traffic. In that case it is expected to work only with plain-text HTTP.   Hey @ErinWest , It looks like you also don't decrypt this traffic. Without SSL decryption firewall is not capable of inspecting the full URL path, because thi is part of the HTTP headers that are exchanges after SSL encryption is negotiated.   When traffic is SSL encrypted firewall will have visibility up to the SSL/TLS negotiation where the SNI (server name indicator) is indicating which hostname the client is trying to reach. ... View more

Re: HSBI and HA

by Cyber Elite in General Topics
‎12-08-2023 05:00 AM
1 Kudo
‎12-08-2023 05:00 AM
1 Kudo
Hi @Ramakrishnan, Please check the following documentations - https://docs.paloaltonetworks.com/hardware/pa-1400-hardware-reference/pa-1400-series-overview/front-panel-1400-series  https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/high-availability/ha-concepts/ha-links-and-backup-links/ha-ports-on-the-pa-7000-series-firewall HSCI is high speed interface, which main purpose is to be used for HA2. As @reaper  already mentined HA2 is data link, it is used to sync session information between the two HA members. (and also forward traffic in case you use active/active). So if you have the physical capability to connect both member directly (no routers, no switches, no other intermediate devices), it is always recommend to  use the HSCI for HA2.   If you cannot connect both peer directly, you can reserve one of the data plane interfaces for HA and then configure HA2 to use that dataplane interface. By default no dataplane interface is being reserved for HA, that is why when you try to edit HA your dropdown offers only HSCI. Regarding the IP addresses: - As you can see from above links HSCI is layer1 interface, so must use "ethernet" for HA2 transport, which used PAN custom/properiotry ethernet frames which doesn't use IP address. So even if you set some addresses they will be ignored if transport is set to ethernet Transport —Choose one of the following transport options: Ethernet —Use when the firewalls are connected back-to-back or through a switch (Ethertype 0x7261). IP —Use when Layer 3 transport is required (IP protocol number 99). UDP —Use to take advantage of the fact that the checksum is calculated on the entire packet rather than just the header, as in the IP option (UDP port 29281). The benefit of using UDP mode is the presence of the UDP checksum to verify the integrity of a session sync message.   For HA1 you must use IP addresses and you must have different addresses for each member. If you connect them directly you have to specify the same subnet. If they are not connected directly you should configure a gateway which will route between the two networks. ... View more
Register or Sign-in
Contact Me
Online Status
Offline
Date Last Visited
‎12-22-2025 12:06 AM
LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2026 - Palo Alto Networks