About bspilde

Great Post @kiwi!   Adding to this, I have some remediation options, contingencies, or questions to consider when doing DSRI (Disable Server Response Inspection): Is the traffic secured by other methods without needing to decode the server response? Require Cortex XDR or other endpoint product scanning the file being copied. Do this by creating a HIP check on the VPN device and require a match on XDR being enabled and updated in a HIP Profile.  Then create a firewall policy configured with an application match policy for ms-ds-smb, ms-smb-v2, and if supported on your OS, ms-smb-v3. Include in this policy a requirement for the HIP profile created in the previous step. Now, consider this... if you use DSRI, consider the potential impact this might havee on vulnerability protection, not just file blocking and malware protection. Are you doing file blocking? You may not be able to use DSRI if your company mandates DLP or other file blocking policies. This may be obvious but just to reiterate, copying a file from the server to a workstation would not be inspected/scanned with DSRI. This is one reason @Kiwi mentioned it should only be used for trusted servers. What is a trusted server? Is a NAS trusted? If the communication is with a NAS, there may be no endpoint protection on the NAS itself. Thus, leaving you to defend your environment either with the inspection of the firewall or the endpoint transferring the files. My definition of a trusted server is one that is on a supported OS, regularly patched, vulnerability scanned, status monitored, and running endpoint protection EDR or preferably an XDR solution such as Cortex XDR. Do you get that with your NAS? Are you allowing SMBv3 prior to PAN-OS 8.1? If so, you are essentially allowing the SMBv3 protocol to bypass the decoder on your firewall.   Note on SMB as mentioned by @kiwi :  SMB Improvements with WildFire Support Firewall SMB support now includes SMBv3 (3.0, 3.0.2, and 3.1.1) and has additional threat detection and file identification capabilities, performance, and reliability across all versions of SMB. These improvements provide an additional layer of security for networks, such as data center deployments, network segments, and internal networks by allowing files transmitted using SMB to be forwarded to WildFire for analysis. Because of the way that SMBv3 multi-channel works in splitting up files, customers should disable the use of multi-channel file transfer for maximum protection and inspection of files. As a result, Palo Alto Networks recommends disabling SMB multi-channel through the Windows PowerShell. For more information on this task, please refer to: technet.microsoft.com/en-us/library/dn610980(v=ws.11).aspx ... View more

If I remember correctly, the last time I saw it work was when the feature was introduced in beta. I haven't ever seen it successfully prompting in the client with production releases. Working with the support team never amounted to any fixes. ... View more

Oh, and I forgot to mention, my SE is escalating this up the chain so we can get engineering to realize the importance of making this operate how all of using the this thread are expecting it to function. I'll post updates as progress occurs. ... View more

Alex,   I would say get the license for the HIP check capability but that isn't working right for me right now either. 🙂    I will say, I see much better support from Palo Alto than I do from any other vendor I have worked with. If there is a bug to identify or open, Palo is much more willing than say, Cisco to do so. It might take a bit for a bug fix but it will be a correct fix without adding more bugs. Generally speaking, I don't run into work stoppage bugs with Palo like I do with other vendors either. There is always some sort of a workaround or its just an administrative bug.   I am a Palo Alto Networks Ambassador member and have had some influence in direct conversations with the VP of support in the past. I've unfortunately instigated an emergency meeting of all the VP's in the company that lead to significant improvements to quality of code released and the support provided to customers. They implemented numerous changes and are still working on some of those suggested improvements even, such as customer ticket level changes from high to critical, more specialized support teams vs having to know everything, escalation process improvement, web support improvement, and so on. Yes, there are frustrations at times and yes my SE is always wondering what I came up with now when he sees my caller-ID, but the channels are there and your SE should always be your best friend so treat them well. 🙂 ... View more

I take that back... it shouldn't need the EXE if the domains are listed but I removed the EXE path to outlook.exe and now my client is no longer Split-tunneling Outlook traffic. Seems none of the split-tunneling features work as expected except for the IP/subnet based split tunnel settings. ... View more

@RLJFRY  Yes I do have a ticket open with Palo. According to the document you referenced, they are doing domain based AND EXE based. However, that example they provided wouldn't need the EXE excluded so having it "work" using a %userprofile% in the path is a false sense of accomplishment. It would have been the domain that made it work.   @recross  Also in my meeting with him today, what he explained is that when you do an application/EXE based split tunnel, it only lets you reach out to the first destination that EXE requested. So for example outlook.exe requests access to outlook.office365.com but the IP it really connects to for data is a CNAME for something like mdw-efz.ms-acdc.office.com then you will not see outlook.exe doing a split tunnel. You in this case have to do it based upon domain and include both *.office.com and *.office365.com. Outlook only successfully split tunneled for me when both domains were bypassed and I didn't even use the EXE because it doesn't do any good. Therefore, I've never done a %variable% based path because these EXE's in those paths have to communicate with more than one destination anyway and wouldn't know if it worked or not because it wouldn't work 100% anyway.   Here's another good reference for split tunnel: https://live.paloaltonetworks.com/t5/General-Articles/GlobalProtect-Optimizing-Office-365-Traffic/ta-p/319669 ... View more

@yannogrodowicz    You said "The %variable% method definitely works if you have a GlobalProtect license, but you need to make sure your GP client version and your PAN OS version support it. (https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-new-features/globalprotect-features/split-tunnel...)".   However, I don't see anywhere in the document that %variable% is supported. In addition to that, I have tested it and it doesn't work. Palo Support also says that will not work.   As mentioned in another reply to this, Palo Support has stated engineering is working on a solution to MSTeams.exe. I have been given no idea when this might be implemented but it is allegedly on the roadmap. ... View more

I checked on 9.2 beta and I didn't see that anything has changed for address support.   Also, I am being told engineering is working on a solution to the MSTeams.exe path being different.   Couple thoughts to throw out for some feedback on feature enhancements: What I'd really like to see is that there is no path dependency such as done with PulseSecure, and even the option to require a specific MD5 hash of the file/version.  Best scenario would also be that Split Tunneling be subjected to HIP requirements. Unpatched or disabled host firewall disables split-tunnel. ... View more

I don't believe I'm seeing anything there. With my testing anyway it showed correctly disappearing traffic while in a Teams meeting. I have not double checked later on yet.   I have created a list for Zoom and that works well also.   I'm struggling with anything EXE based but it might be due to the multiple possible folders Outlook might be installed into based on 32bit vs. 64bit O365 vs stand alone install. I did successfully split MS AppStore as a test and that worked flawlessly all the time.   Palo needs to support %userprofile% and %appdata% in the config! ... View more

Exclude by using the  "Access Route" Exclude list.   Use 13.107.64.0/18 and 52.112.0.0/14 as the excluded networks. There may be more but that's what I tested with and it works. The latest releases of supported PAN-OS do not appear to work with %userprofile% variables as an option in the path. ... View more

From what I recall, once you go lab you can never go back. You can however convert from production to lab. It is quite possible I have that completely backwards but I do know one of the directions is a one time switch. ... View more

I haven't tried recently but I'm guessing it is still a no. Maybe I'll give it a try in 9.1 beta and GP beta I'm running in the lab now. ... View more

Shoot! Ok, good to know. If you have successful steps please post. ... View more

To get the proper syntax of the configuration including all the carriage returns etc. do the following to get the configuration output in set format. Then you can take just that section of the config to paste into Notepad++ or SublimeText so that you get the correct line requirements such as right after the BEGIN CERTIFICATE ---  line.   admin@M100-01(primary-active)> set cli config-output-format set admin@M100-01(primary-active)> set cli scripting-mode on admin@M100-01(primary-active)> configure Entering configuration mode [edit]                                                                                                                                                                   admin@M100-01(primary-active)# show   The private key is a single line but the public key is fixed width. ... View more

Scripting mode is recommended when doing multiple lines of commands via CLI. I’m not sure if it is a cure for your issue though.   As for the cert requirement. Is it just that the certificate is no longer trusted and your browser won’t allow a connection? The cert is still there just expired right?   You can generate a new Panorama web-server certificate with the command:                 run request certificate generate for-use-by panorama-server    More detail on what you are trying would be helpful.   Also agree that just enabling HTTP management would be a quick way in. Deleting the SSL service profile probably won’t even commit since it would be referenced by the configured features to be using it.   ***  Another option would be to SCP export the configuration to another device and replace the existing certificate in the XML configuration file and reimport. ... View more