About aleksandar.astardzhiev

Hi @Carracido,   The passive member disabled it routing engine. That way the firewall is not able to initiate or response to any packet send to its dataplane interfaces. Think for the tunnel monitor the same way as the HA path-monitor. - Both (tunnel monitor and path-monitor) as simple icmp ping packets generated by the FW waiting for response - When the member is in passive mode it is not able to generate those ping packets so both monitors are inactive ... View more

Hi @batd2,   All of our Panoramas are virtual. All of them are running on 8.1 and none of them support the command you have: user@panorama> show interface management Show management interface information user@panorama> show interface ethernet1/1 ethernet1/1 is not one of <management> Invalid syntax.   It seems that the physical devices are supporting these commands, but the virtual don't. Which is weird... ... View more

Hi @goran.katava,   Are you sure that you are using the GlobalProtect in SSL mode and not in IPsec mode?   In the past I had issues with IPsec based RA VPN (on another firewall vendor) for users connecting from China and the solution was to switch from IPsec to SSL for the RA VPN. This was few years ago and I am surprise to hear that the SSL based VPN is having issues.      ... View more

Hi @Sethupathi,   1. The "reject default route" from your screenshot is doing the opposite to what you want. This option will force the firewall to reject default route received by any BGP peer. To answer how it will affect your setup depends entirely of that how your firewall is receiving the default route (does it receive it via BGP or by other way static, ospf, etc). To answer will it solve your issue - definitely no. This option is to reject receiving default and you are trying to block advertisement (to specific peer)   2. The proper way to select/filter what you advertise to BGP peers is the Export rules. It is impotent to notice the following - from this document (which is not exactly what you need, but doesn't matter) There is an implicit deny rule that is triggered once any rules are created in the export or import tabs (the same is true for OSPF export). Add an allow rule to make sure you are importing other prefixes. The Import tab should now appear like the following:   ... View more

Hi @AlecWeiner ,   - What versions are the FWs? Are they running the same version? - Does both FWs are using same protocols PAP, CHAP?   I am not sure if it the same, but while ago we hit something similar - we wanted to configure RADIUS between PAN 7.1 and SafeNet (for token authentication). We hit a problem that when user entered username and password the SafeNet server was sending "Challenge" as response, which prompted the user to enter second password, even that there is no second pass. It turns out that by default the PAN 7.1 was using PAP and SafeNet was using CHAP. After forcing the FW to use CHAP everything was working fine.   In addition I would suggest you to run packet capture during the authentication attempt to capture the RADIUS traffic, I bet you will see that the server is sending the strange response (which will tell the FW to provide you with the "change password" page) ... View more

Hi @Joshim,   One of the best think I love with Palo Alto is the "find command".   If you know what you want to execute, but not sure what is the full correct command you can always run find: > find command keyword <value> CLI keyword > find command keyword vpn <shortened> show vpn gateway name <value> show vpn gateway match <value> show vpn tunnel name <value> show vpn tunnel match <value> show vpn ike-sa gateway <value> show vpn ike-sa match <value> show vpn ike-sa detail gateway <value> show vpn ike-hashurl show vpn ipsec-sa tunnel <value> show vpn ipsec-sa match <value> show vpn ipsec-sa summary show vpn flow name <value> show vpn flow tunnel-id <1-65535> <shortened>   You can use the find command in user and configure mode. If you run it in configure mode it will show you the set commands that contain your keyword ... View more

Hi @alal    Looking at the KB you post it seems the OS check comes to regex match in the HTTP header user-agent string. As a start I would suggest you to check the regex expression and see if its match what it is expected or it needs to be improved. It will be useful if you can past it here.   Googling around you should be able to find how different OS versions are described in the user-agent string. My first results says: For windows 10 it is Windows NT 10.0 for windows 8 it is 6.2, windows 8.1 it is 6.3 and windows 7 it is 6.1. https://stackoverflow.com/questions/40218173/user-agent-for-windows-7-vs-8-vs-10 So the regex expression should look like: User-Agent:.+Windows NT 6\.1   This is also very useful site - http://www.useragentstring.com/     ... View more

Hi @Mick_Ball,   Actually he (@ChrisGapske) need to have users typing domain along their username. As you pointed out Authentication Sequence will try to authenticate a user from top to bottom. This could be a problem if you have exact same usernames in multiple domains.   Starting from 8.1 (or even 8.0 not sure exactly) authentication sequence have option to use the typed domain to determine which profile to use from the list and jump straight to it, instead of going top to bottom.   Use domain to determine authentication profile Select this option (selected by default) if you want the firewall to match the domain name that a user enters during login with the User Domain or Kerberos Realm of an authentication profile associated with the sequence and then use that profile to authenticate the user. The user input that the firewall uses for matching can be the text preceding the username (with a backslash separator) or the text following the username (with a @ separator). If the firewall does not find a match, it tries the authentication profiles in the sequence in top-to-bottom order.  https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-web-interface-help/device/device-authentication-sequence.html     ... View more

This doesn't make sense...If the problem is in the fragmented IKE packets, you shouldn't be able to build the tunnel at all. All of the renegotiation will contain packets bigger than 1500bytes and will be dropped.   VPNs going down after particular time usually happen if there is lifetime mismatch between the peers. Check the lifetime on both ends of the tunnel for phase1 and phase2. Check also if they both use the same metric - seconds, or bytes, or both.   Also insist for deeper investigation from Oracle. The answer they have provide looks more like dust in the eyes, than plausible case.   ... View more

Hi @jhwarren ,   You need to provide more information, with this poor explanation of the problem it is shooting in the dark. - Do you use full tunnel or split-tunnel VPN? - How is you security policy look like? Do you allow specific ports or using AppID? - How is you GP gateway configured - are you route the traffic base on route, domain or application? - Have you understand how whiteboard is working? Do you know what port, protocol is used? From which direction the traffic is initiated - is it possible that you need rule allowing traffic from inside to GP VPN?   You need to understand that GlobalProtect is just building logical connection from the user PC to the firewall, after that is down to basic network principles - do you have route, do you have fw rule allowing traffic, do you have reply routed back.   ... View more

Hi @fatboy1607,   Hold on for a second... Even tho BGP is very complex it still a dynamic routing protocol like any other. Which means that it should dynamically learn routes from other peers and advertise routes that are known.   By default, in normal situation the FW should learn/import the route (10.10.10.0/24) by PeerA and auto-magically advertise/export this route to all other BGP peers. Now I said by default and in normal situation, because there are many reasons preventing FW to advertise this route to other peers. Like any other dynamic routing protocol BGP also have some loop prevention logics built-in to the protocol itself (any device no matter if it is PA FW or a router will obey them) FW will not advertise the route to the same peer that it came FW will not advertise the route to AS if that AS number is already in the AS path for the route Which means in normal situation - that you learn route 1.1.1.1 from PeerA (with AS11), FW will automatically advertise this route to PeerB (with AS12) if AS12 is not already in the AS path for this route   You can control what you learn and what you advertise by BGP with import and export rules Import rule is controlling what FW will accept from the peers Export rule is controlling what FW will advertise to the peers Which means by default no import/export rules are configured, FW will accept anything that is send by the peers and will advertise anything (that is not filtered by the loop prevention mechanisms) to all peers. If you have configured at least one export rule, FW will advertise only the routes matching that rule and nothing else.   So back to your question: - If you ask "will it be advertised" - most probably yes if the "requirements" discussed above are met - If you ask "why it is not advertised" - I strongly recommend to first identify what is the reason to not advertise the route to other peers   Probably will repeat myself, but - the route should be advertised, but if it is not try to identify the reason. I strongly recommend - do not use redistribution rules! As @Shawverr, correctly quoted, main purpose of redistribution rule is completely different. Its purpose is to advertise route to BGP peers that FW didn't receive by BGP. For example routes that are statically configured - by default FW will not adv. static routes, or directly connected networks, or routes from other dynamic protocols (OSPF, RIP). Or if you want to advertise routes that are not in your routing table at all (for example your ISP is giving you second public range that you use for NAT, it is not configured on any of your interfaces, but still this traffic should be routed to the FW).   Up to this point we were talking only for one BGP instance. And like any other network device PA FW can only have one BGP instance per routing table - if you configure multiple VRs you can have different BGP instances (different AS). To be honest I am not sure if you can advertise routes between different VRs. I could guess you cannot, at least without static routes   ... View more

Hi @pkathiria,   lets take a step back - if  understand correctly your assumption that firewall is not syncing with AD is based on rule not matching for new user that is added to the allow user group, correct?   Have you tried all the commands that @Mick_Ball provide you? It is very important that username from user-to-ip mapping is identical to the username from the group mapping - including the domain. ... View more

@pkathiria, 2sec is too intrusive, but most important it shouldn't even be a valid configuration. The minimum possible value is 60 sec: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cm0JCAS ... View more

Hi@S.Cantwell and what will be the benefit of option 2?   @mcroninI would personally go for option 1: - The other two options bring unnecessary complexity. One public IP for site-to-site and RA VPN is simple and easy to support - If you enable GP VPN on the same interface that you use for site-to-site or on a separate, you still need to expose it and open the required ports. If it reachable from internet any scanner will detect it and will try to exploit. ... View more