About PiankaMariusz

I truly believe there are a lot of PAN 9.0.x instances that provide sense of security but their URL filtering is actually somehow broken. My personal experience based on two firewalls that exhibit the same characteristics tells me there is something that has gone wrong with the license.   Although the command sh ow url-cloud status shows VALID,    PAN-DB URL Filtering License :                           valid                                     Current cloud server :             serverlist.urlcloud.paloaltonetworks.com Cloud connection :                 connected                                 Cloud mode :                       public                                   URL database version - device :     20200403.20289                           URL database version - cloud :     20200403.20289   ( last update time 2020/04/03 20:12:17 ) URL database status :               good                                     URL protocol version - device :     pan/2.0.0                                 URL protocol version - cloud :     pan/2.0.0                                 Protocol compatibility status :     compatible             and show system info shows things such as:    url-db: paloaltonetworks wildfire-version: 442082-444992 wildfire-release-date: 2020/04/03 20:10:57 IST url-filtering-version: 20200403.20289 global-protect-datafile-version: unknown global-protect-datafile-release-date: unknown global-protect-clientless-vpn-version: 0 global-protect-clientless-vpn-release-date: logdb-version: 9.0.10 vm_series: vm_series-1.0.9 platform-family: vm vpn-disable-mode: off multi-vsys: off operational-mode: normal       when you try to test the URL against local database you get:  test url-info-host "247fxtradeoption.com" 247fxtradeoption.com: Doesn't exist in the URL DB   and then,    When you try to play with database e.g revert you get:   > request url-filtering revert   Server error : Not licensed     I log this to support.  However, I encourage everybody who is on version 9.0.5 or 9.0.6 to check if their PAN behaves as it should when it comes to URLs...    ... View more

There have been further findings... When I conduct    test url-info-cloud "247fxtradeoption.com"   BM: 247fxtradeoption.com,9,5,stock-advice-and-tools,low-risk 247fxtradeoption.com/4ee3f0492290c6f29384ec280a7bd715?usq=bwfyay5hbwvybhluy2tay2fzywnjb3vudgfudhmuawu=,9,6,malware so it appears that they categorised exact URL as Malware but not the main domain.   yet, each time you click on the link in the phishing email it seems to generate unique BASE64 like looking string ! Each time I look at the firewall logs, it shows only 247fxtradeoption.com/ that is it. Yet, the browser shows the long string that is different each time you click on it (very smart by the way)     Lastly, According to https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PNx4CAG Additional Information The below commands do not work on OS 9.0.x but will work on prior OS versions: request url-filtering download paloaltonetworks region <region_name> > request url-filtering download status vendor paloaltonetworks ... View more

So I go request url-filtering upgrade and the only option after that is brightcloud. It doesn't list paloaltonetworks as an option    as far as the URL , no steady traffic. it was a phishing link that once clicked once at approx 13.00 and then I clicked on it later myself at 17 to see if it took affect.   The link continues to work, and firewall is not blocking known malicious link and I can't trigger pan-db download in any way that I can on pan os 8.1 or 7.1   two firewalls in version 9.0.x are affected only.    ... View more

Hi Guys, I am struggling with the destination NAT here. I have a challenge where I want the IPv6 initiated host (any - internet) to be NATTED so that it can reach Private IP address port 443. https://docs.paloaltonetworks.com/pan-os/7-1/pan-os-admin/networking/nat64/configure-nat64/ipv6-initiated-communication.html#iddb41c324-5690-4ca3-b54a-6ec24ed3f57d Article clearly says, IPv6 initiated traffic. [...] Configure the destination IPv6 address as either the Well-Known Prefix or the NSP that the DNS64 server uses. (You do not configure the full IPv6 destination address in the rule.)[...]   I mean, what ?   I already have IPv6 on external interface on the firewall that can be reached from IPv6 network I merely want not traffic that arrives at that interface on specific port to be NATTED behind some ipv4 address I can create and be forwarded to local IP address on the LAN, that seems to be impossible to do. his is extracted from the destination IPv6 address"  How does the IPv4 of LAN suppose to be extracted from the destination IPv6 address where IPv6 address is of something entirely different( here its Palo Alto external internet facing firewall)    " ... View more

Hi There, I'm having the same issue but not on self signed certificate and on linux ( Fedora 29)  Global Protect is configured with the certificate signed by the Authorized CA. The Chain is: DigiCert Global Root CA DigiCert SHA2 Secure Server CA Server certificate.   It works perfect on Windows.   On Linux, Fedora. I get the error  Error: Gateway exgw: The server certificate is invalid. Please contact your IT administrator.   I checked if certificate is trusted    xxx\Downloads]$ trust list | grep Digi label: DigiCert Global Root CA label: DigiCert SHA2 Secure Server CA The first two are the exactly the ones that are trusted. I am puzzled. Did anybody have issues with Global Protect on linux ?  ... View more