About PiankaMariusz

Hi There, I arrived here to seek for answer to a problem that I could not find an answer to anywhere. In fact, I still didn't find it but having access to lab, and some thought got me the desired result.   So what is it. If you have setup a Security Web Policy based on LDAP Groups, and you authenticate using Kerberos/LDAP AD , PAN will identify you as domain\user.name You have some influence over how domain\ will look, but overall PAN will identify the user and will know groups you are a memeber of. Now, you want to introduce AzureAD SAML authentication. You found the article and followed it to the letter: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g0000008U48CAE You were able to authenticate, and get connected so what's the problem?   The problem is that your user name is no longer domain\user.name but now it is user.name@emailaddress.com , it is the account you have used to authenticate against Azure AD. The user no longer matches any groups and the desired access for this user or group of users no longer works.   I found that the Attributes in the article  do not contain group attribute.     Under AzureAD Portal for Single-Sign on I've added the attribute then for Security Groups   Its under "Add a Group Claim" Source Attribute: GroupID Customize the name of the group claim: Group   All these is case sensitive(apparently)   Once you have the extra attribute, export the XML and Import to Palo. Import it as Authentication Profile and add Group attribute you created:   When I log in using SAML now, I have different view: The User: shows the email address I used to authenticate. The Primary User name is domain\user.name   Firewall can "match" the SAML account I used to the local AD.   Now, interesting part to some is the fact that I do not use Active Sync. My Local domain is entirely different to Azure AD. They are seperate. I do have email attribute populated in my AD as the account I use with Azure though. Hope this helps someone.   Cheers Mariusz                         ... View more

I just started this problem between two PA PA-220 and VM-100 No network changes done,  31st of May ESP_TFC_PADDING_NOT_SUPPORTED in System Log , first event and suddenly customer starts to report the issues with dropping tunnels..     ... View more

I truly believe there are a lot of PAN 9.0.x instances that provide sense of security but their URL filtering is actually somehow broken. My personal experience based on two firewalls that exhibit the same characteristics tells me there is something that has gone wrong with the license.   Although the command sh ow url-cloud status shows VALID,    PAN-DB URL Filtering License :                           valid                                     Current cloud server :             serverlist.urlcloud.paloaltonetworks.com Cloud connection :                 connected                                 Cloud mode :                       public                                   URL database version - device :     20200403.20289                           URL database version - cloud :     20200403.20289   ( last update time 2020/04/03 20:12:17 ) URL database status :               good                                     URL protocol version - device :     pan/2.0.0                                 URL protocol version - cloud :     pan/2.0.0                                 Protocol compatibility status :     compatible             and show system info shows things such as:    url-db: paloaltonetworks wildfire-version: 442082-444992 wildfire-release-date: 2020/04/03 20:10:57 IST url-filtering-version: 20200403.20289 global-protect-datafile-version: unknown global-protect-datafile-release-date: unknown global-protect-clientless-vpn-version: 0 global-protect-clientless-vpn-release-date: logdb-version: 9.0.10 vm_series: vm_series-1.0.9 platform-family: vm vpn-disable-mode: off multi-vsys: off operational-mode: normal       when you try to test the URL against local database you get:  test url-info-host "247fxtradeoption.com" 247fxtradeoption.com: Doesn't exist in the URL DB   and then,    When you try to play with database e.g revert you get:   > request url-filtering revert   Server error : Not licensed     I log this to support.  However, I encourage everybody who is on version 9.0.5 or 9.0.6 to check if their PAN behaves as it should when it comes to URLs...    ... View more

There have been further findings... When I conduct    test url-info-cloud "247fxtradeoption.com"   BM: 247fxtradeoption.com,9,5,stock-advice-and-tools,low-risk 247fxtradeoption.com/4ee3f0492290c6f29384ec280a7bd715?usq=bwfyay5hbwvybhluy2tay2fzywnjb3vudgfudhmuawu=,9,6,malware so it appears that they categorised exact URL as Malware but not the main domain.   yet, each time you click on the link in the phishing email it seems to generate unique BASE64 like looking string ! Each time I look at the firewall logs, it shows only 247fxtradeoption.com/ that is it. Yet, the browser shows the long string that is different each time you click on it (very smart by the way)     Lastly, According to https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PNx4CAG Additional Information The below commands do not work on OS 9.0.x but will work on prior OS versions: request url-filtering download paloaltonetworks region <region_name> > request url-filtering download status vendor paloaltonetworks ... View more

So I go request url-filtering upgrade and the only option after that is brightcloud. It doesn't list paloaltonetworks as an option    as far as the URL , no steady traffic. it was a phishing link that once clicked once at approx 13.00 and then I clicked on it later myself at 17 to see if it took affect.   The link continues to work, and firewall is not blocking known malicious link and I can't trigger pan-db download in any way that I can on pan os 8.1 or 7.1   two firewalls in version 9.0.x are affected only.    ... View more

Hi Guys, I am struggling with the destination NAT here. I have a challenge where I want the IPv6 initiated host (any - internet) to be NATTED so that it can reach Private IP address port 443. https://docs.paloaltonetworks.com/pan-os/7-1/pan-os-admin/networking/nat64/configure-nat64/ipv6-initiated-communication.html#iddb41c324-5690-4ca3-b54a-6ec24ed3f57d Article clearly says, IPv6 initiated traffic. [...] Configure the destination IPv6 address as either the Well-Known Prefix or the NSP that the DNS64 server uses. (You do not configure the full IPv6 destination address in the rule.)[...]   I mean, what ?   I already have IPv6 on external interface on the firewall that can be reached from IPv6 network I merely want not traffic that arrives at that interface on specific port to be NATTED behind some ipv4 address I can create and be forwarded to local IP address on the LAN, that seems to be impossible to do. his is extracted from the destination IPv6 address"  How does the IPv4 of LAN suppose to be extracted from the destination IPv6 address where IPv6 address is of something entirely different( here its Palo Alto external internet facing firewall)    " ... View more

Hi There, I'm having the same issue but not on self signed certificate and on linux ( Fedora 29)  Global Protect is configured with the certificate signed by the Authorized CA. The Chain is: DigiCert Global Root CA DigiCert SHA2 Secure Server CA Server certificate.   It works perfect on Windows.   On Linux, Fedora. I get the error  Error: Gateway exgw: The server certificate is invalid. Please contact your IT administrator.   I checked if certificate is trusted    xxx\Downloads]$ trust list | grep Digi label: DigiCert Global Root CA label: DigiCert SHA2 Secure Server CA The first two are the exactly the ones that are trusted. I am puzzled. Did anybody have issues with Global Protect on linux ?  ... View more