About TomYoung

TomYoung · ‎04-15-2025

Hi @BigPalo , "Does anyone know if this is possible?" Yes, I do it in my company. "How can match users received from SAML with LDAP mapping?" Obviously, you must have the same usernames in your LDAP directory. In order for group mapping to work, the username in the "show user ip-user-mapping all" command must match exactly with the username in the "show user group name "<group_name_from_show_user_group_list>" command. Changing the User Domain under Device > User Identification > Group Mapping Settings caused the GP SAML usernames to change from user@domain.com to domain\user so that the LDAP groups would work. All other fields remained the default (except the Update Interval). Thanks, Tom

TomYoung · ‎04-07-2025

Hi @IMTechSupport , I sent an email to psirt@paloaltonetworks.com and I got the following response: PAN-OS runs a custom build of OpenSSH, so the version number does not necessarily correspond with applicable OpenSSH CVEs. This OpenSSH build receives regular security updates. You may find some information about the reported CVEs in our informational advisories. You can try the query feature of the security advisories site: https://security.paloaltonetworks.com/?q=<CVE> (replace <CVE> with the id of the CVE you are looking for, for eg: https://security.paloaltonetworks.com/?q=CVE-2024-1234). If there are any CVEs you are concerned about that is not mentioned in the advisories, please let us know - so that we can investigate further. That was very helpful! So, I took the list of OpenSSH 8.0p1 CVEs (in my 1st thread) and search for each one in the tool provided above. Here are the results: OpenSSH 8.0p1 Advisory Severity CVEs CWEs PANW Advisory Impact Multiple vulnerabilities in OpenSSH Medium CVE-2023-6004 CWE-78 CVE-2023-48795 CWE-326 https://security.paloaltonetworks.com/CVE-2023-48795 Fixed in multiple versions CVE-2023-51384, CVE-2023-51385 https://security.paloaltonetworks.com/PAN-SA-2024-0001 Not affected Remote code execution in OpenSSH ssh-agent Medium CVE-2023-38408 CWE-426 https://security.paloaltonetworks.com/PAN-SA-2024-0001 Not affected Multiple vulnerabilities in OpenSSH Low N/A CWE-119, CWE-415 Amazon Linux AMI update for openssh, Privilege escalation in OpenSSH Low CVE-2021-41617 CWE-269 https://security.paloaltonetworks.com/CVE-2021-41617 Not affected MitM attack in OpenSSH client Medium CVE-2020-14145 CWE-327 https://security.paloaltonetworks.com/PAN-SA-2024-0004 Fixed in 10.2.3 and above Security restrictions bypass in OpenSSH Low N/A CWE-399 Privilege escalation in OpenSSH Low CVE-2019-16905 CWE-190 https://security.paloaltonetworks.com/PAN-SA-2024-0001 Not affected So, everything is fixed in the current OpenSSH version of PAN-OS, except we have no information about 1 CVE and 3 CWEs. If you must have confirmation about the undocumented vulnerabilities, you can email the PANW PSIRT team about those specifically. Thanks, Tom

TomYoung · ‎04-07-2025

That is a great point, @CosminM ! I wonder if ... you wanted to save time (and an outage of a few minutes is acceptable), you upgrade directly (skipping a version or two), and once you start the upgrade process on the 2nd NGFW, You could then "Make local device functional" and it would become active? I guess currently there is no HA support for the Skip Software Version Upgrade feature. Thanks, Tom

TomYoung · ‎04-07-2025

Hi @A.Otsu , As you mentioned, with the Skip Software Version Upgrade feature of 11.0, you can upgrade directly from 11.0 to 11.2. This Upgrade Path is for 11.1 and later. Thanks, Tom

TomYoung · ‎04-04-2025

Hi @jstrubberg , Here is a detailed discussion of the issue -> https://live.paloaltonetworks.com/t5/globalprotect-discussions/use-auto-tagging-to-block-failed-global-protect-login-attempts/td-p/588632. Here is another post that uses automation to update an EDL -> https://live.paloaltonetworks.com/t5/general-topics/automatically-blocking-ip-s-after-a-certain-number-of-global/td-p/565062. Thanks, Tom

TomYoung · ‎04-03-2025

Hi @jortiztrb , That doesn't make sense. You may be running into a bug. I have configured BGP Conditional Advertisement on Cisco. If you configure it good enough to advertise the route, then it should automatically withdraw it. Here is a good blog on the topic. https://blog.davidvassallo.me/2013/04/04/palo-alto-networks-implementing-conditional-advertising-in-bgp/ He says "And turning it [ the monitored route ] back on reverses it, advertising only to GM, our primary peer." When the conditional prefix is not withdrawn, what does the "show routing protocol bgp policy cond-adv" show? He says you "may need to disable the primary ISP bgp peer, commit, and re-enable the bgp peer." That's a pain. Thanks, Tom

TomYoung · ‎04-03-2025

Hi @Y.Choi436432 , I have done many packet captures on the NGFW, and I have captured plenty of TCP SYN, ACK, and SYN/ACK packets. For starters, I always specify the ingress interfaces. You would list your internal Ethernet interface and the VPN tunnel interface. I also add the drop stage. You want to know if the NGFW is dropping packets. You can use a CLI command to determine the reason for the drops. For example, you may have a Zone Protection Profile that drops SYN packets with data. https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CloNCAS https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClTJCA0&lang=en_US Good luck! Tom

TomYoung · ‎04-03-2025

Hi @jortiztrb , Could you provide more details? You have conditional advertisement working. Are you saying that when the Non-Exist prefix comes back, the NGFW does not automatically stop advertising the conditional prefix? Thanks, Tom

TomYoung · ‎04-03-2025

Hi @IMTechSupport , I recently had a VAPT (internal) like you, and ran across the same issue. There appears to be quite a few vulnerabilities with the current version of OpenSSH in PAN-OS. https://www.cybersecurity-help.cz/vdb/openssh/openssh/8.0p1/ I would like PANW to update the URL you provided to add PAN-OS 11.1 and 11.2. This thread was also useful https://live.paloaltonetworks.com/t5/next-generation-firewall/openssh-verification-and-upgrade/td-p/578427 because it provides (1) and easy test and (2) the PANW PSIRT email to which you can ask them about the vulnerabilities. Thanks, Tom

TomYoung · ‎03-31-2025

Hi @Demong , The PA-500 is EoL. https://www.paloaltonetworks.com/services/support/end-of-life-announcements/hardware-end-of-life-dates I am surprised you were able to download anything. To upgrade from PAN-OS 6.0.2 to 8.1.0, you would have to upgrade to 7.x 1st. With regard to SSL VPN, here are the instructions. https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClFbCAK No license is required for Windows and Mac devices to connect. https://docs.paloaltonetworks.com/globalprotect/10-1/globalprotect-admin/globalprotect-overview/about-globalprotect-licenses PAN-OS 6.0 supports GlobalProtect. You can configure it without having to upgrade. I am sure the GUI will be different from the doc since the PAN-OS is so old. Thanks, Tom

TomYoung · ‎03-31-2025

Hi @1treelanedrv , Correct. Your System and Traffic logs both confirm no response from the other side. Thanks, Tom

TomYoung · ‎03-31-2025

Hi @GregorJus , Does the command "show user ip-user-mapping all" show users? Does the command "show user group list" show groups? If so, pick a group and run the "show user group name "<group_name>" command. Do the usernames match the previous command exactly? The browser (step 9 in the CIE URL I provided) is not needed if you are using GP for user/IP mapping. Why can't you use the users in the security policy? They will not automatically show up in the drop down list. You have to start typing the name and they will show up. Thanks, Tom

TomYoung · ‎03-30-2025

Hi @GregorJus , Yes, it is possible. All you need to do is enable User-ID on the GP zone in order to turn it on. GP maps the username to IP address. You have to use LDAP or Cloud Identity Engine (CIE) to map users to groups. In order for group mapping to work, the username in the "show user ip-user-mapping all" command must match exactly with the username in the "show user group name "<group_name_from_show_user_group_list>" command. https://docs.paloaltonetworks.com/pan-os/11-1/pan-os-admin/user-id/map-users-to-groups https://docs.paloaltonetworks.com/cloud-identity/cloud-identity-engine-getting-started/authenticate-users-with-the-cloud-identity-engine/configure-the-cloud-identity-engine-as-a-mapping-source-on-the-firewall https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClpCCAS https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClVcCAK&lang=en_US Thanks, Tom

TomYoung · ‎03-28-2025

Hi @1treelanedrv , If you don't see anything under Monitor > Logs > System, the next step is to check if you see the packets under Monitor > Logs > Traffic. You should see 2-way traffic or drops. In order to see drops, you may need to Override the interzone-default rule and configure logging. Thanks, Tom

TomYoung · ‎03-26-2025

Hi @JonButterfield , The specific error you are getting is "Invalid Body" which means the URL is correct, but the JSON is not formatted correctly, e.g. bad syntax or parameter. I like to test the URL, header, and body separately from code in order to verify I have the syntax and parameters correct before coding. A good tool for this testing is Postman. https://www.postman.com/ It is free and has Windows, Mac, and Linux clients. You could print the JSON body to the CLI to verify the syntax. I don't know PowerShell hash tables very well. Is the [pscustomobject] supposed to be [ordered]? At 1st glance, the syntax appears to be correct. https://docs.paloaltonetworks.com/pan-os/11-1/pan-os-panorama-api/get-started-with-the-pan-os-rest-api/work-with-address-objects-rest-api Thanks, Tom

Member Since	‎11-15-2017 11:37 PM
Date Last Visited	‎12-18-2025 07:22 AM
Posts	1,548
Total Likes Received	602

Online Status	Offline
Date Last Visited	‎12-18-2025 07:22 AM

Unlock your full community experience!

About TomYoung