About aleksandar.astardzhiev

It is worth mentioning what cluster are you running! Because the smallest boxes are using so called HA-lite, which doesn't support IPsec SA sync.   https://docs.paloaltonetworks.com/pan-os/8-0/pan-os-web-interface-help/device/device-high-availability/ha-lite ... View more

Thank you for the prompt feedback @reaper!   My concern is that we have approved plan to upgrade the VM capacity only - which shouldn't require reboot. While CPU upgrade requires VM shutdown.   So I am wondering if we can leave the CPU upgrade for another day and leave the firewall running with VM-500 and 6 CPUs - will the firewall still function properly?   We will definately upgrade to 8 CPU, because we need to assign additional CPUs to the dataplane (as the current 2 are overloaded). But cpu upgrade would probably be in different day, if possible. ... View more

When you are connecting to Global Protect you actually face two authentications: one authentication for the portal and one for the gateway. By default PAN firewall will try to use the same credentials provided for the portal again for the gateway. If you are using LDAP authentication for both (portal and gateway) the user will be asked for credetials only once, and he will get the impretion that only one authentication is happening.   Howeve if youare using OTP tokens the default behaviour wouldn't work. The reason for that is - once the user put his OTP when prompted by the portal to authenticate, the firewall will cache the OTP and will try to sent it again to the Radius server (RSA server) when prompted to authenticate to the gateway, howeve since this token has been already used the RSA will reply to the firewall with Access Reject message, which will force the firewall to prompt the user to enter credentials to authenticate to the gateway.   That is why during user login in the RSA logs you probably will see: - one successful login message (when user has authenticated with OTP to the portal) - one failed login message (when firewall is using the same OTP to authenticate gainst the gateway) - one successful login message (when user generate new OTP and authenticat to the gateway)   As other already suggested the solution will be to enable Authentication Override cookies. This will generate and install a auth. cookie on the user PC once he authenticate to the portal, when prompted to authenticate to the gateway the PC will use the cookie instead of prompting the user for credentials again.   My suggestion: - For the portal, enable only "generate cookie for authentication override". Do not enable "accept cookies", that way users will always be prompted to authenticate when connecting to the portal - For the gateway, enable only "accept cookie" and set cookie lifetime to the minumim (one minute) ... View more

Yes you can.   There are actually two ways to accomplish this: Using redistribtion profile Configure redistribution profile which should matach your IP pool: Network -> Virtual-Router -> edit your VR -> Redistribution profile Select source type connec and destination your IP pool prefix Set redistribure (the radio button on the top right) to Redist Tell the BGP to use this profile: Network -> Virtual-Route -> edit your VR -> BGP -> Redist Rules Add new rule and under "name" select your redistribution profile from the drop-down menue If you are using BGP EXPORT rules, make sure that your GP IP pool is added to the allow export rule Without redistribution profile Add the GP IP Pool straight to the BGP Redist Rules, without creating redistribution profile Add new rule and under "Name" put your GP IP pool range (do not select anything from drop-down, just type your prefix) Again make sure your BGP EXPORT rules are allowing the GP IP pool   Using redistribution profile gives you an option to advertise any prefix that is already in your routing table - static, directly connected, or dynamically learned from different routing protocol.   Howeve you can advertise any prefix even if it is not in your routing table. If you create BGP redistribution rule, without redistribution profile (just typing the prefix), the firewall will first create "dummy" or internal route for this network and then advertise it over BGP. The disatvantage of this approach is that the intrernal route will always be in the routing table and firewall will alway adv. via BGP, while if you are using redistribution profile matching some static routes it will stop adv. the route if the static is removed from the routing table (interface down or etc.)     I would suggest you to use the redistribution profile, that way the firewall will not require to create the additional internal route. If you create the redist. rule without profile you will have two routes for the GP IP pool (one as connected to the tunnel interface and one as internal "~") ... View more

Great artical! Very useful.         One small note - on step 6 I believe you got the wrong screenshot. I guess you wanted to should the warning for the no valid URL filtering during commit? ... View more

I also would suggest to enable "Use Hypervisor Assigned MAC Addresses" under Device -> Setup -> Management -> General Settings ... View more

What PanOS version are you running? There was a bug in 7.1 (if I remember correctly), that active member is sending latest url db version to standby but i was failing to receive it and the log message was generated. ... View more

By default PAN FW is not accepting traffic destine to any of its data plane interfaces. To be able to ping firewall interfaces, you need you configure "Interface management profile" - Network -> Network profiles -> interface mgmt -> create new profile allowing ping -> Assign it to the interface you desire ( network -> interfaces -> select int -> advance tab -> management profile)     ... View more

@j.anderson wrote: flushdns, release ip, connect to the internet via PA220 .  When I get in, I have about 2 minutes before I get kicked out.   During that time, I can tracert to both 8.8.8.8 and google.com, etc.  I can ping the interface, the dns servers and the wan gw.           If you can reach google DNS (8.8.8.8) and you suspect faulty ISP DNS. Why don't you try to put 8.8.8.8 as DNS for the PC behind the firewall?   For DNS you will always see the session ending reason - Aged out. that is because DNS is UDP and as such there is no way firewall knows when connection is ended or not. If it is TCP connection you have FIN or RST flags to mark the ending of a connection, firewall can see that and note in the logs that connection has ended normaly (with FIN) or is being reset by the client or server. UDP on other hand doesn't provide such functionality, so FW cannot tell if there are no other packets after the DNS reply. Thay is why FW is waiting for the DNS timeout timer to expire to remove the connection from the connection table. A healthy DNS connection will still be closed as aged-out, even if the reply was received right after the request.   For that reason the UDP timeout timer is relevantly slow number, if it is higher you can end up with lots of old connection filling the firewall table.   In my huble opinion there are quite a lot other scenarios that I don't see how increasing the UDP timeout can solve your issue. If you increase it to 120sec and you see improvment, that is not problem of the firewall, but you have HUUGE delay and even if you solve the dns you will have unusable slow connection.   At this point is quite clear for me that your ISP has some issues...If you are able to traceroute and ping 8.8.8.8 while you don't have internet connection, this clearly shows that you indeed have internet connectivity, but either the DNS you are using is having issues, or there is huge delay of the traffic. ... View more

If your only purpose is to have different policy for the two user groups I would suggest you to use different approach insteead of playing with loopbacks, NATs, ports and etc.   How do you authenticate users: Is it LDAP, local, RADIUS?   The simple solution with local users would be: 1 Create users locally and add them in local user-groups 2 Create Auth profile and select type local, add the two user-groups to allow list 3 Configure global-protect portal as usual 4 configure global-protect gateway and under client setting configure two profiles, matching the loca user-groups. The tricky part here is that you need to use different pools for the two groups. But you can have the split-tunnel settings different for each group (ex. group A should access only to 10.0.0.0/24 while group B only to 172.16.0.0/24) 5 configure two security rules filtering on source user-group and put each group in separate rule.   You can choose to skip fourth step and configure one client setting profile for both groups, that way all users will receive same routes through the tunnel, but the policy will decide if the traffic should be indeed allowed or rejected.   AD authentiation over LDAP is pretty much similar, but you need additional steps to create group-mapping profile so the firewall can get the AD user group membership.   ... View more

Hi @MikeC,   In most of the time I am doing the upgrade during the provisioning/deployment phase and the firewalls are almost empty from configuration point of view. So I have never bother upgrading to the latest maintenance release before duing the feature or major version upgrade.   That is why I am 100% sure that you are not required to upgrade to 8.0.13 first.   I believe the only reason Palo Alto recommending upgrade to the latest maintenace release before during major is only enure that you don't hit any of the known bug fixed in the latest maintenance release.     ... View more

I believe I hit a bug recently on 4.1.6. The initail config was "Save Username Only" and the client was saving the username, removing the domain that client has entered along with the username. We put "save user credentials" to none, cleared the credentials cache on the host, but still client was remembering the username without domain. So we put 4.0.8 as active version and downgrade the users ... View more

Hi @ce1028,   I would say everyinthing in your post is correct: - If you run 8.0.9 you can upgrade straight to the latest maintenance release - 8.0.13 - If you want to upgrade to 8.1.4 from 8.0.x you need to follow supprot instructions (only download 8.1.0 and download and isntall 8.1.4) - In your case the feature release is 8.1.0, that is why you need first to download this image before installing latest 8.1.4   Each maintenace release image (the last number) contains only the changes since the previous maintenace release. When you want to upgrade between major version - 8.0.x to 8.1.x you need first to download the base image for the target version. Of cource you can always donwload and install 8.1.0 first and then download and upgrade to 8.1.4, but PAN FW is doing this for you and make your life easer requiring only on reboot.   I am provisioning virtual PAN FWs in hybrid cloud and the template I am using is 8.0.5. So I am have done so many upgrades that I can't count. Yes they are almost on non-productions firewall, but I can assure you that the upgrade is exactly as support team has told you. I will add only one more think: - Download and install the latest App and Threat package (or at least make sure you are running the four digit versions) - Download only PanOS 8.1.0. No need to install it, just download it. That way you will have the base OS for the new major version - Download the latest maintenance release. - During maintenance window install and reboot the firewall   Installing the latest patch for 8.0.x is recommended from the documentations, but it is not actualy required ... View more