About reaper

Any update? ... View more

Hello @N.Nicolaides, everything looks right based on the procedures you itemized in your previous notes. I don't really believe using Azure AD for Prisma should cause this behavior as well. Do you want to try Palo Alto TAC support team so they can have a deeper look on your settings to see if they could narrow down the root cause of the issue? Looking for more info on my side as well in the meantime if I could see you may pay attention to.  ... View more

it is not available anymore 404 - Palo Alto Networks ... View more

isn't there an option 'use different account' at the first login screen? alternatively you could try logging on untill you reach a failure and you should get that option there   ... View more

to troubleshoot phase1 it's ideal if you have access to the logs of the receiving end, as the initiator will have very minimal logging available if you can't access the remote side, see if they are able to initiate a connection so you can see which part in the negotiation fails most likely it's a problem with the ID or the available cipher pairs between the two peers ... View more

makes perfect sense 🙂 90% convinced 😉 ... View more

@PC-TomS, If you have the ability to feed the IPs in as an EDL this is easy enough with a custom report and the API. Something like this for the custom report: <entry name="Failed_GP_Login"> <type> <globalprotect> <sortby>repeatcnt</sortby> <aggregate-by> <member>public_ip</member> <member>srcuser</member> </aggregate-by> <values> <member>repeatcnt</member> </values> </globalprotect> </type> <period>last-15-minutes</period> <topn>5000</topn> <topm>50</topm> <caption>Failed_GP_Login</caption> <query>( error eq 'Authentication failed: Invalid username or password' )</query> </entry>   Then you can run the job via the API: api?type=report&async=yes&reporttype=custom&reportname=Failed_GP_Login # Runs the report and returns the job ID. If you convert the reponse to a dictionary the job would be at ['response']['result']['job']. Allow enough time for the job to run (60 seconds should be sufficient, varies by environment and platform).# api?type=op&cmd=<show><report><id>' + str(job_id) + '</id></report></show>' # Collect the report so that you can actually analyze it. Again you'll want to convert the response to a dictionary. I've included a better Python example here # report_dict = xmltodict.parse(request_report.content) # Convert the response # OrdDict = report_dict['response']['result']['report']['entry'] root = OrdDict for element in root: recorded_session = [(element['public_ip']),(element['srcuser']),(element['repeatcnt'])] public_ip = recorded_session[0] src_user = recorded_session[1] repeat_count = recorded_session[2]   This is just a starting point, but what I've chosen to care about in particular is the three fields listed. I utilize a REDIS database to increment the failed login count for both the IP and the user. What this allows is to set a threshold for the number of failed logins we determine is acceptable before we block them; you could alternatively simply utilize a similar account to block any source which failed to login to GlobalProtect if you don't want to provide any sort of leeway. Then you can just have the script update your EDL to block any of the sources that you don't care to have accessing resources and send any alerting that you would care to send to indicate that the address/user has been blocked. ... View more

Thanks for the help. Let me explain you further so that you can help me more.    1. My base machine on which virtual box is installed has the IP of 192.168.1.8 and the default gateway for internet it 192.168.1.1.  2. I have set both palo alto management IP and server IP in the same subnet as the base machine.  3. I just need to disable internet on the server as a lab exercise.    I have followed steps on a Udemy course in which the setup is more complicated with internal network and internet network that too on EVE-NG which I don't have as I couldn't install EVE-NG lab properly so I gave up. I only have 16 GB RAM on my computer which is a hinderence to creating a complex lab.    How to create a trust and untrust network if I have everything in the same subnet. how can I create a rule based on it?    I have already tried the static route and everything but the rule is not working and I am able to ping every IP from my server. Hope you'll be able to provide better solution this time.    ... View more

are you running clientless userID on these firewalls? for this amount of users I'd consider using the userID agent and run it on the DCs directly (or set up a RODC and run it from there)   I know this answer sucks as it doesn't address your issue directly, but what you describe sounds like the 3k does more/more intense reads that cause your AD to overheat. you could try playing with the read frequency, but seeing the number of users this could cause userid to not pick up on all user logins, which is also not great ... View more

Thanks for the answer but unfortunately no, it directly gives the error "Portal unreachable". ... View more

you can install a different content version, not uninstall it as the firewall needs it to function properly ... View more