About pulukas

When we had this issue, we duplicated the pools creating one on both nodes so that the nat would work.  If I remember correctly you cannot use bind both in A/A.  So you essential double the number of pools and rules created in this scenario. ... View more

Can you setup a packet capture to verify which interface the logs are egressing?   the possible issues:   Logs are sourcing from the mgmt port instead of the desired port (configuration issue with service routing) Traffic is blocked by a security policy (leaving the correct port but not permitted - check the policy logs for your destination ip address in syslog) VPN not permitting the traffic (the vpn policy does not permit traffic sourced from the interface (run your ping test sourcing from the desired interface:  ping host 192.168.1.1 source 1.1.1.1   ... View more

You seem to have all the concepts correct.  Yes, Active/Active is suppose to allow this asymmetrical traffic.     I don't have access to one now, but my recollection in A/A is that nat pools get tied to a node when you create them.  Thus you might be needing to create those nat pools and matching rules on the second node.  I seem to remember I needed this duplication for the nat to correctly in these scenarios. ... View more

The Palo Alto profiles have two offerings out of the box, default and strict.  From these you can also create custom profiles with actions that you prefer.  These are the top level that apply then to all signatures.  You assign this profile to a rule for actions to actually occur.   Objects --- Security Profiles   Inside a custom profile you an also override the action select by Palo Alto as the default action for more granular control.   The basic concept of these two profile is that default will virtually NEVER have a false positive blocking of traffic.   While strict enables a strong security posture to keep even suspected threats out,   When you chose default then you need to review and analyze reports on the alerts.  And then investigate the potential issues.   When you chose strict you may get a higher volume of help desk calls, some from the false positives.  But also expect people who had actual threats blocked to call and request them be let through.   So from a workflow and business perspective each organization can choose which model to use and understand where resources will be needed.  Those with a low tolerance for false positive and help desk calls start default.  After you investigate a number of reports you can start changing the custom default action on threats you are very comfortable outright blocking for that network in your custom profile.   Those with the higher security posture work the opposite way.  Based on help desk calls you change blocking actions to alert in your custom profile by signature.   Either method can work for you as long as you commit to the correct workflow. ... View more

Using reset and icmp unreachable is primarily aimed at traffic you expect you normal end user community to generate.  This gives a user a cleaner experience of the connection failure.  Their application gets an immediate response and stops the communication attempt.  And the application has an opportunity to give a failure message then to the user. Drop on the other hand is a silent activity where we basically ignore the traffic and the attempting application has no idea why the failure occurs.  This is the preferred response when the invalid traffic is expected from malicious sources, scanners, penetrators or other "bad actors".  An affirmative quick response lets them know a firewall is in the path and also shortens the time of their recon activities. Both options apply only when we are preventing a connection, so in either case there is no session created. ... View more

The feature request system at Palo Alto is managed by your Sales engineer.  They have access to an internal database of all the requests made.  And customers can request items be added to the database and vote for existing requests. Each request gets a number i.e. FR123. Your sales engineer can record you vote for this feature, each company customer gets one vote.  They can give you the FR number and you can post it here to request other users also vote for the feature. For you testing of the email issue, I usually turn off NTP and then manually set the time to just before 2:00 AM to trigger the test. ... View more

There is a pretty full Best Practices documentation here. User-ID Best Practices - PAN-OS But they don't go on record as preferring either agent or agentless as the method in AD.  Personally, I would use the installed agent whenever practical and agentless as the fallback.  This distributes the work load on the process.  But I recognize there there is not much practical difference between the two which is probably why Palo Alto does not have a recommendation either way. ... View more

Based on this information I believe the issue is on the other device.  Since you vpn shows decap of zero, this means no packets are coming out of the tunnel from the remote side. If the PA were dropping or blocking by policy or inspection, you would see decap increment but nothing on the local host packet capture. What do the IPSEC stats for the tunnel show on the remote node? ... View more

If wildfire marked this as malicious future downloads should already be blocked by the rules.  If that is the action you have on the file block profile. Once the verdict is in future transfers are blocked only the first transfer and any that occur while the file is being first analyzed are permitted if you set the file blocking to block. If this is not working you should open a ticket to have support determine if there is a bug. ... View more

If you setup the pair as A/A then you really don't need to do anything else.  Whatever happens on the ASA a valid path will exist.  The disadvantage here is that your HA3 link will need to be sized to accommodate double your max traffic.  Sessions will be owned by the primary node and when failover occurs the traffic will start coming in and out the secondary path.  But session inspection will happen on the primary so the traffic goes over the the primary inspected and returned to the secondary for egress.  You will need to be sure you won't max out the link. If you use A/P then link and path monitoring should be able to detect the lost of your primary path and trigger the failover. ... View more