About bspilde

Good tip Steve, probably the easiest option.     If pasting over CLI still though you might need "set cli scripting-mode on". ... View more

@Sethupathi  While IP addresses on the tunnel interfaces isn't a requirement, in your case it would be recommended. Then you can enable tunnel monitoring as they cover in https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClFiCAK shared by SteveCantwell. This along with Dead Peer Detection are good ways to keep the tunnel up and operational.    Another method is to use an IP address on the far end VPN device in a /32 or /30 etc that can be in a route specific to that tunnel. Either use a dynamic routing protocol for the constant neighbor traffic or a static route and a monitoring device that would send an ICMP to the far end of that VPN tunnel device keeping "interresting" traffic going over the tunnel. ... View more

Technically, you could create a custom vulnerability that would match "normal" DNS traffic, set it to Alert for the action and set packet capturing to on. Unless you have plenty of resource overhead available to use on your PA I'm guessing this could be a bad idea for that much packet capturing just the same. It would fill up threat log quota or Extended Threat Pcaps quotea much more rapidly. In the logging then you would get a request source and destination just having to open the PCAP to get the domain record that was requested.   It would be great if there were just a DNS lookup log with the requestor IP included. Perhaps on your DNS server this is done and you can limit DNS lookups to just your DNS server(s) so everyone would need to be pointed there. ... View more

I think it would have but purchasing FortiConverter was not approved. I ended up going line for line manually with the Fortinet admin from the acquired company. Turned out much of the config wasn’t required anyway so it was a good audit as well. ... View more

Those URL's/categories are being decrypted? ... View more

It was sent via email from noreply@paloaltonetworks.com on October 22nd. I’m not sure exactly what enrolled me in the message list. On the support page check preferences under your profile for all communication preferences by type. Hope that helps! ... View more

This message was sent to Palo Alto Networks customers:   Dear valued Palo Alto Networks customer,   Please take the action recommended below if you have enabled SSL decryption forward proxy. This is required for users to access Gmail and other websites and applications using web browsers that implement strict TLS 1.3 compliance. We have been informed that Google Chrome is planning to implement strict TLS 1.3 compliance in their upcoming version 72. The stable build of Google Chrome version 72 may be available in January 2019, and if your users use a pre-stable build of Google Chrome, they will experience the issue outlined below earlier.   Applies to All supported PAN-OS releases   Action Required If you run PAN-OS 8.1: Upgrade to PAN-OS 8.1.4 (available now)   If you run a prior version of PAN-OS, plan to upgrade to one of the following releases: PAN-OS 8.0.14 (targeted to be available on Nov 15, 2018*) PAN-OS 7.1.21 (targeted to be available on Nov 1, 2018*)   Impact Without upgrading to one of the above maintenance releases, users may no longer be able access Gmail and other websites and applications that utilize TLS 1.3 when SSL forward proxy decryption is in use. As a result, your users will receive the following web browser error: ‘ERR_TLS13_DOWNGRADE_DETECTED’.   By upgrading PAN-OS to one of the above maintenance releases, your users will be able to continue to access Gmail and other TLS 1.3 enabled websites and applications when using browsers that exhibit this behavior.   ... View more

No, never have! TAC engineer lab'd it up but not the same scenario that I am using. HTTP/HTTPS works fine but noting that prompts the GP client. Sure seems like something is broken in the GP client. I was going to see if I had the 4.0.0 beta client that I know worked when I participated in the beta trials of that feature.   I have implemented a full workaround with the HTTP auth method in the meantime so the priority of this has dropped considerably.   What is bad about this is that the whole reason I went this route is RADIUS with MFA for the VPN authentication doesn't work. Then followed that with a workaround of non-HTTP(s) MFA not working and having to go with a third option. That is quite unacceptable. No home runs here on this project. ... View more

This process, mostly SonicReader, didn't seem to work correctly for me.   Something I am trying instead is this: Download and Install FortiNet's FortiConverter (Original price at CDW was $3,068.99 for 1yr, on sale for $926.01) Convert SonicWall config to FortiNet Use Expedition to import and convert FortiNet config to Palo Alto Networks. If this is successful I'll update with more notes.     ... View more

Found an article on how to migrate SonicWall by using CSV.   https://live.paloaltonetworks.com/t5/Expedition-Discussions/Expedition-SonicWall-Support/m-p/233791#M602 ... View more

@alestevezWhat firewalls are supported by Expedition now? I don't see this documented anywhere.   ... View more

In my most recent case, the user finally contacted the ISP.   Their VPN client was dropping every hour. ISP had them reboot their cable modem/router combo and it has been fine ever since. ... View more