About TommieVanHove

Hello. so in regards to the palo advisory of upgrading and rolling out device certificates we are running into an issue which I'm not sure what the impact is. we have a number of panorama managed firewall clusters. however these firewalls don't use their mgmt/oob interface for connections to palo alto services or dns. as a result after following the OTP procedure for a palo alto managed firewall the active node of the cluster gets a valid certificate without issue. the passive node remains at none. we ca make the passive node active briefly so that it can retrieve a certificate whilst active however this certificate expires after 90 days, will try to renew after 75 days by default. if the node is passive this will fail. It's unclear to me what the impac tof this is. will a (passive) firewall with an expired device certificate still be able to renew as soon as it becomes active without issue? will a firewall with an expired certificate run into any issues being connected to log collectors or panorama? I doubt we are the only people with a setup where either dns or palo alto update services are not sent out using the dedicated mgmt interface or where the dedicated mgmt interface is not allowed to go to the internet.   can anyone clarify here what the impact is and ithere is what workarounds there can be?   ... View more

So I guess I'm just curious what the overall opinion of multiple people is regarding decryption and how well they take into account local laws, etc. I get decrypting traffic can be a major step up in security and basically unlocks a lot of potential in a shiny expensive new firewall. however there's always of course some debate. so baseline: I live in a region where we can decrypt traffic( but the user has to have a disclaimer somewhere that his traffic can/will be decrypted) apart from certain types of traffic we can't decrypt: financial (due to personal bankaccount and what not) government (due to private info like an equivalent of social security number, passport id, etc) health and medicine (due to personal medical records, info, etc.) fairly straightforward. however upon inspecting all possible palo alto web categories there are 2 which may be somewhat of a gray area: stock advice and tools  (stock advice not so much, however tools I understand as apps to buy/trade stocks, etc I checked one site I use myself for stock trades. however that one is classified as financial. I'm however not confident that the url category for every stock trading tool would be classified as financial.) cryptocurrency (same as the tools. it's basically a subcategory of financial for me... I checked with the sites like coinbase, bittrex, etc.. that's cryptocurrency)   finding this above then got me thinking. do any of you manage/configure a firewall in a region with similar policies. and if so what do you do? Do you opt to decrypt a bit too much rather then take the safe route and decrypt less? regarding legal what do you think your responsibility is? eg: inform end-customer/company there are limitations but let their legal decide (apart from blatant illegal request like yes decrypt financial as well for us) or do somewhat intense research yourself? have any of you ever gotten in trouble or been addressed regarding a decryption policy you set up, or gave the instruction to set up? what's your opinion on this?         ... View more

I'm not sure if this documentation exists somewhere but I can't seem to find it. we have a customer with palo alto 5200 series firewall. due to covid-19 (as is the case with so many companies they are currently production stress testing the firewall with extra load due to teleworking, etc) the firewall handles it fine. however the ha1 and ha2 interface are seeing high traffic. and the customer is worried that might be an issue if a failover has to happen. now here's the problem: customer is using 1gb interfaces for both ha1 and ha2 link. and states  that 1gb for ha1 and 1gb for ha2 should be enough. I would like to counter that as most interfaces on the 5200 series support 10gb speeds( of course for the customer it's a bit of a costly solution if he has to provide 10gb sfp's, 10gb switches, etc in between) let alone the default hsci and aux can go even above that 10gb unfortunately I don't find any official documentation/datasheets/recommendations from palo alto stating what speeds they recommend for ha1/ha2 links if you are not using the default configured ones. does anyone know if this is available somewhere? if not my answer will have to be that seeing as the default ha link is set up for 10gb and up it's reasonable to assume that was done for a reason and not just for bragging rights " look at our 10gb ha sync". however I get the feeling our customer will only accept that explanation if I can prove it by means of a document/support case which I would like to avoid. ... View more

Hello.  We are having a minor issues on one of our customer firewalls performing decryption.  it seems certain sites. that have a certificate issued by sectigo.  chain root: Sectigo intermediate: Sectigo RSA Domain Validation Secure Server CA site certificate.   I believe the root cause of this is the fact that this CA used to be called Comodo( for which there are default trusted certificates in the palo) has been renamed to Sectigo. and I believe new certificates are issued under the new name.  This got me wondering: how does palo alto determine the Trusted CA list, how often is it updated and how is this new list pushed to the palo alto( as there is no way to force an update I assume it is only updated when upgrading ot a later hotfix or version?) I'm testing if this is indeed the root cause however I suspect it is.  users having the issue with the site receive a page stating:  issuer: Sectigo RSA Domain Validation Secure Server CA status: untrusted reason: <blanc>   and as a best practice we have the option to block untrusted certificates of course.    ... View more

Hi.  I was just wondering what most of you people do regarding preempt option for A/P clusters.  (and perhaps also some pointers regarding the different timers you can set, etc )   Main reasonis that the discussion to use preempt or not to use preempt comes up once and a while with customers and with coworkers.  so what are some of you guys' findings on the feature.  so far I have: preempt is great if you have a not fully symetrical setup( eg the internet line has lesser bandwidth on location b, or not all servers are redundantly setup, etc)   a con that get mentions ( but not yet heard anyone having issues with) is the possibility of flapping due to ongoing issues at the main site as you have no control over the failback action. it's automatic   A pro argument for not using preempt I hear a lot is that people/it admins want to control everything and want to know when they fail back( preferably do it manually) and don't want the firewall to do this automatically. but I'm nor sure if in these times of automation, scripting, etc that is actually a valid point.  (I'm also fairly certain a lot of these admins if they manage more then 20 firewalls in panorama like this there will probably be a few running on the secondary node because they haven't noticed yet.)     As you may have guessed I'm currently all for enabling preempt on our firewalls.  main reason being: our setup is largely symetrical. however a few exceptional cases in our DC aren't duplicated in our secondary dc.  I also know we don't have the human resources to check the firewalls each time and log cases/resolve firewalls that failed over to our secondary dc.  however it never hurts to also get other's opinion/experiences.    so who's pro/con and why basically?   ... View more