About aleksandar.astardzhiev

Hi @KurdTech ,   Is this firewall managed by Panorama or it is locally managed? ... View more

Hi @Ben-Price , Without looking at your  config, I would take a whild guess and assume that in BGP Redist. Rules you have put the network instead of using redistribution profile. Am I correct?   - If you put prefix in bgp redist rules, FW will create "dummy" route for this network and redistribute to BGP that network. Because this network is not associated with any interface, not it is static route with path monitor, this route will always be active and redistributed to BGP. The main purpose for this function is to redistribute range that you don't have in your routing table - for example additional NAT range that is used for NAT rules.   - If you want FW to stop redistributing prefix once the route is inactive you need to use redistribution profile. Redis profile will match the routes that are already in your routing table and add it to the BGP process.   You should be able to confirm the use "dummy route" by checking your routingtable. You should have route with flag "~"   ... View more

Hi @pink-panther    I would disagree with @OtakarKlier. If pre-shared key is wrong phase1 will not be completed. If phase1 is established, this means the pre-shared key (alongwith the rest of phase1 settings) is the same on both ends.   And would agree with @MP18 - most common reason for failing phase2 is local and remote proxy id (encryption domains). But similar to phase1 it could also fail due to Authentication, Encryption or DH settings ... View more

Hi @pal7mentor ,   In addition to what @LukeBullimore  says you should be able to enable block page for encrypted traffic even without SSL decryption Details in the following link - How to Serve a URL Response Page Over an HTTPS Session Without ... - Knowledge Base - Palo Alto Networks ... View more

Hi @RobertShawver , Two points to remember when troubleshooting panorama connectivity: - Aways the FW is the initiator of the connection. Which means FW is always the source of the traffic and panorama is just waiting for someone to call it - Panorama is tracking firewalls by serial numbers, not by management IP. Which means panorama will accept any connection request as long as the FW serial number is added to panorama.   So by default Panorama will accept/establish TCP connection with any source IP, but can reject the connection if the provided FW S/N is not in the list of managed devices. You can control this by configuring "Permitted IPs" under the panorama management interface. That way Panorama will respond only IP from the allow list.   If everying is setup properly if FW is connected to Panorama, but its mgmt ip is change. The new IP will be detect and changed automatically. So it looks more like the new mgmt ip is not reaching the Panorama: - Try to ping panorama from fw using mgmt interface - Check if you have configured permitted ip panorama interface - Last resort make a packet capture on panorama and FW interface and confirm that you have bi-directional traffic ... View more

Hey @Remo , I know FW will use the cert CN as URL if traffic is encrypted, but I got the impression this is only valid for web-based traffic.   ... View more

Hi @GMTPaul , - Regarding your question about URL Category. You forget that URL is not FQDN... URL Category will work only if it web based traffic, that is why it is called URL. - Back to your main problem... I am also confused and I believe there is something that you are missing.... Have you download latest dynamic updates? ... View more

Hi @Metgatz ,   Few points to remember when working with QoS on PAN FW. - QoS is applied in egress interface. Which means if you apply QoS profile on WAN interface you will shape only upload. If you want to shape the download traffic (most likely) you need to apply QoS profile on the LAN interface (the egress interface towards the clients). Usually you should apply the same QoS profile on both interfaces. - QoS profile is defining bandwidth reservations for each class. Traffic classification (say which traffic what class to be assigned) is configured with QoS policy (under the policy tab in GUI). The rule is matching the direction in which traffic is initiated, but the class is applied for the entire session - which return traffic will have the same class. - Class 4 is default class, meaning that if there is traffic passing over interface on which QoS is enabled, but it is not classified, FW will consider it as class4 (something like native vlan). - Single QoS profile can have up to eight classes. Different networks with same class are sharing the allocated bandwidth. If you need to allocated more than eight separated queues you can but with not very easy.... --- Under QoS interface > Clear Text Traffic tab you can configure "mathing rules" and apply different QoS profile for different traffic. Total number of rules depens on your device. Remember one "rule" apply different profile, while single profile have eight classes. --- The problem is that these "matching rules" only allows you to match traffic based on source and destination interface and source subnet. So basically for each source interface/sub-interface you can different profile with eight classes. --- The bigger problem is with the source subnet. If you apply NAT on this FW, the source in this "matching rule" must be the IP after the NAT. If all networks are comming from same source interface, you can apply different source hide NAT and separate them this way. But. if you remember, to shape the download you need QoS profile on inside interface, but there since this is return traffic you cannot apply different profiles based on source subnet.   ... View more

Hi @hanuman ,   And what will be the purpose to have two DH groups on both peers? Even you can configure more than one peers should agree on most secure one. ... View more

Hi @mshamsan , You probably confusing Inbound SSL decryption and Forward SSL decryption. - With Inbound SSL decryption you are decrypting the traffic from public Internet to your public web server. In this case it is prefferable to have certificated that is signed by public trusted CA - With Forward SSL decryption you are decrypting the traffic from your internal users to public Internet. In this case during the decryption FW is intercepting user traffic and "replace" the original server certificate with cert generated by the FW. This cert will be signed by the CA cert installed on the FW - either self signed or your private CA imported on the FW.   Imaging for a second that publicly trusted CA gives your their root/intermediate CA... Which means you will be able to create any server certificate you want and everyone on earth will trust you...Nothing will stop you to create certificate for "facebook.com", build your own web server with that certificate and start pretending you are Mark Zuckerberg   In summary - there is no way to have Forward SSL decryption (decrypt internal users to internet) without instally certificate on the user machine. If you have internal PKI it will be a lot easier for you, but if you don't you must to it manually or with some kind of scripting.     ... View more

Hi @S.Cantwell ,   That is intersting suggestion, but in my humble opition (by default) ping will never take the fast path. Looking at the logs it seems that any request creates new log entry, therefor create new session. Which means after FW receives the ping reply it will close the session and next request will create new session which will take again slow path.   I was thinking if it could be related something with the fact that 5200 seriese and above have multiple Data Processors (DPs). Another direction I was starting to think - "bytes sent", does this means that FW didn't forward this packet - it receive it, create session and log, but drops it before reaching the egress interface. But this means that we will see packet lost in the ping (I am not able to confirm this at the moment)     ... View more

Hi @BigPalo , Have you checked this article - LIVEcommunity - Microsoft's June 2021 patches may break the User-ID Agent's connection to Domain Controller(s) - LIVEcommunity - 413331 (paloaltonetworks.com) i     ... View more

Hi @Chana88 ,   Version of what? IPsec is not single protocol, but suite of different protocols working together. So there is no such think as IPsec version 2 or 3, to my knowledge.   Can you provide the exact question defined by the auditor? In addition the answer to this question will really depend on your configuration, as FW can support almost any type of configuration.   ... View more