About jambulo

jambulo · ‎10-15-2012

...What are the advantages of using Virtual Systems, other than being able to divide Management and Reporting of "Virtual" firewalls. In my case, I have a DMZ, Wireless, Trust and Untrust networks connected to a PA 5020. Should I split up the DMZ and Wireless networks into their own Virtual Systems? Something like this... eth1/1 - Untrust(internet). No Zone. Shared Gateway to Internet. eth1/2 - Trust(Internal Network). No Zone. Shared Gateway to Inside. eth1/3 - DMZ Zone. DMZ Virtual System. eth1/4 - Wireless Zone. Wireless Virtual System.

jambulo · ‎10-03-2012

Is there any way to manually sync the LDAP Group Mapping/User Identification in Palo Alto? We have the sync interval set to 4 hours, but there are times where would would like to sync manually.

jambulo · ‎09-27-2012

Should I expect any issues if I rename a VSYS? I assume it should rename all VSYS names in the config where applicable?

jambulo · ‎09-19-2012

We have iPad 3's with IPSec VPN working with the Palo Alto 5020. We upgraded one iPad from iOS 5 to iOS 6 and now the VPN is not working. I know iOS 6 just officially came out this morning, but anyone else have this problem? Here's what I'm getting from a tail of the ikemgr.log... 2012-09-19 17:22:39 [INTERNAL_ERR]: decrypt output length does not match (976 != 984) 2012-09-19 17:22:39 [PROTO_ERR]: decryption 7 failed. 2012-09-19 17:22:43 [INTERNAL_ERR]: decrypt output length does not match (1248 != 1252) 2012-09-19 17:22:43 [PROTO_ERR]: decryption 7 failed. 2012-09-19 17:22:43 [INTERNAL_ERR]: decrypt output length does not match (976 != 984) 2012-09-19 17:22:43 [PROTO_ERR]: decryption 7 failed.

jambulo · ‎07-13-2012

That did not work...anything else?

jambulo · ‎07-13-2012

I'm not sure what happened, but the System and Configuration logs are not showing up under Monitor>Logs. Do I need to (re)enable it somewhere?

jambulo · ‎05-24-2012

We are testing Certificate Based Auth + User Based Auth for iOS VPN. Is it best practice to export a unique Identity(Client) Certificate for each user/device? Or is it common to use the same Identity Certificate for everyone? Security wise, it would be better to use unique certificates, but managing them may be hassle. We are also looking into Mobile Iron if that'll help ease things.

jambulo · ‎02-09-2012

To simplify my question...Is there a way to create Threat Exceptions for a specific source and/or destination IP? Currently, the only way to create an Exception is to completely ignore the threat. No matter what source or destination. Now, I am able to create a rule in the Security Policy called "Ignore ID 12345". The rule has this settings, traffic from source 192.168.1.10 going to destination ANY, using Application "web-browsing", and using a Vulnerability Profile that has an Exception for Threat ID 12345. This rule will not log any Threats with ID 12345 if it's coming from 192.168.1.10 going on ANY, using "web-browsing". The problem, ANY OTHER traffic coming from 192.168.1.10 going to ANY, using "web-browsing" will show up in the Traffic Log as using rule "Ignore ID 12345", even if it has nothing to do with the Threat ID 12345.

jambulo · ‎02-09-2012

I created this thread over a year ago... https://live.paloaltonetworks.com/message/3636#3636 ...is there still no more intuitive way to be more granular when it comes to creating threat exceptions? I'm still having the same problem I report at the bottom of that thread. For example... I need to create a rule to ignore Threat ID 12345. If I use these rule settings... Rule Name = Exception-12345 Source = Internal Address Space Destination = Any Application = web-browsing Service = service-http Profile = Vulnerability profile with exception for Threat ID 12345 ...then it would successfully ignore threat 12345, but ANYTHING else that meets these rule requirements(even if it has nothing to do with Threat ID 12345)will be logged as this rule(Exception-12345) in the traffic log.

jambulo · ‎02-02-2012

So I finally got Global Protect to work on 4.1.2. Following the "Configuring GlobalProtect" guide won't get you anywhere. Apparently using the Palo Alto as a CA server does not work So the steps in the guide where it tells you to create a CA cert, and then the 2 other certs, do not apply. I had a Palo Alto Support Engineer take a look at our setup. What he did to make it work... 1) Generate a plain Cert in Palo Alto(Not signed and not a Certificate Authority) 2) Global Protect > Portals > Your Portal > Portal Configuration > Set "Client Certificate" and "Client Certificate Profile" to "None". Set "Server Certificate" to the Cert you made in step 1. 3) Move to Client Configuration tab > Delete any Root CA's that are set. 4) Global Protect > Gateways > Your Gateway > General > Set "Server Certificate" to the Cert you created in step 1. Set "Client Certificate Profile to "None".

jambulo · ‎02-01-2012

I too am getting this same error. I followed the document "GlobalProtect Configuration for 4.1" as much as I could. My Portal/Gateway does not have a FQDN, just an IP address. Edit: Importing the Global Protect Gateway Cert allows my browser to reach the portal. BUT, I can not log in, and I get a message on the portal saying "Invalid client certificate".

jambulo · ‎01-30-2012

We have had WildFire turned on for almost a week. In the Data Filtering logs, it has "forwarded" numerous "PE" files and only 1 "PE" file was logged as "wildfire-upload-success". That 1 file happened to be coming through the interfaces that are set to Virtual Wire. All of the other files that say "Forward" are coming through "Tap" mode. 1) Can Palo Alto send files to WildFire if it's seeing the file traverse the network via Tap mode? 2) What exactly is the difference between the actions "Forward" and "wildfire-upload-success"?

jambulo · ‎11-08-2011

The upgrade procedure for 4.1.0 says I must be running 4.0.0 or later. Does it matter which version of 4.0.0 I install? Which route is prefered... a) 3.1.7 > 4.0.1 > 4.1.0 b) 3.1.7 > 4.0.7 > 4.1.0 Thanks

jambulo · ‎10-12-2011

I will plan on upgrading. Is there a reason you did not suggest upgrading to 4.0.5?

jambulo · ‎10-12-2011

I'm on 3.1.7, but I think I found my answer... (Link removed, Issue fixed in 3.1.9) ...clearing the cache fixed it.

Member Since	‎11-08-2010 11:51 AM
Date Last Visited	‎11-03-2025 07:16 AM
Posts	114
Total Likes Received	25

Online Status	Offline
Date Last Visited	‎11-03-2025 07:16 AM

About jambulo

GlobalProtect VPN not working on T-Mobile Home Internet

Re: Captive portal authentication over TLS

What expression to use to block/permit an entire website?

GlobalProtect Internal Gateway and On-Demand

SSL Decryption and www.apple.com

Re: Traffic logs not shown the recent logs for particular source IP

Re: Global protect and Outlook 2016

Re: Measure CPS practically

Re: Wildfire False positivs ... more than usual

Re: Global Protect 5.0.2 - working deployments/configurations, open issues and everything else

What is the Agent User Override Key used for in GlobalProtect

Re: URL logs without URL Filtering license

Re: GlobalProtect with MFA/Dual Authentication

Re: How to find source of high open sessions and/or throughput

Re: Using PA-200 for home internet router?

Advantages of Virtual Systems...

Any way to Manually Sync LDAP Group Mapping?

Renaming a VSYS

iOS 6 and IPSec VPN

Re: System and Configuration logs are missing

System and Configuration logs are missing

iOS VPN and Identity Certificates

Re: Still no way to set SPECIFIC threat exceptions???

Still no way to set SPECIFIC threat exceptions???

Re: Certificate Error in Global Protect Portal

Re: Certificate Error in Global Protect Portal

Does WildFire work in "Tap" mode?

3.1.7 to 4.1.0

Re: playboy.com and dropbox.com categorized as "unknown"

Re: playboy.com and dropbox.com categorized as "unknown"

Unlock your full community experience!

About jambulo