About Abdul_Razaq

Abdul_Razaq

Hi @NetworkSupport1Link Looks like the issue is not addressed yet. What if you disable thee curve 25519 ? is it working ?. You can add 25519 as last in the sequence. https://docs.microsoft.com/en-us/powershell/module/tls/disable-tlsecccurve?view=win10-ps

Abdul_Razaq

Hi Community, Is there any update on feature request #4603 - limit number of concurrent sessions per user for GP. Is it available now or it can be achieved by the scripts only still. Thanks in advance.

Abdul_Razaq

Hi @Sample.Wu Did you find any solution for this. Thanks in advance

Abdul_Razaq · ‎02-19-2020

Hi @raji_toor , As of my understanding, the image downloaded directly into the panorama and 'upload manually/SCP copied' will go to different partitions. You can try to clear root partition by clearing old logs if you don't want it. and try using direct download or manual upload or SCP copy. As these are going to different partitions, any of the methods might help you.

Abdul_Razaq · ‎02-19-2020

Hi @raji_toor , As @BPry mensioned, you need to keep only the current image and the base image in the box. rest you can delete and free up for making room for the image file(and its base) you are going to upgrade.

Abdul_Razaq · ‎02-19-2020

Hi @Logesh , The error look like you have configured peer identification in palo alto IKE gateway configuration to IP address of peer. but the peer is sending a FQDN. You can check the peer identification config in the remote and local device to make sure those are matching.

Abdul_Razaq · ‎02-19-2020

Hi @aimsnss , is the issue resolved ?. mostly your DNS traffic policy might not be configured for logging, that could be the reason you don't have a traffic log entry. Also, make sure the GP client IP is configured to access your internal DNS(as well as the network reachbilty) as you are using internal resolver IP in the GP configuration.

Abdul_Razaq · ‎02-19-2020

Hi Community, I have an aggregate interface from PA to cisco having 2 physical interfaces, I don't have LLDP or LACP enabled in the aggregate interface (LLDP is not enabled globally as well as in interface level). But I can see that the aggregate interface is up and passing traffic. the strange thing happens is that when I add more than 2 subinterfaces in the aggregate link, the third and later links are not passing traffic. It would be great if someone can explain this behavior. Is it normal or I am missing something?. Thanks in advance.

Abdul_Razaq · ‎01-08-2020

hi @whiskerp , Can you check the RP address for the 5th flow and check whether you have a route in the firewall into the RP pointing to a PIM neighbor.

Abdul_Razaq · ‎11-21-2019

Hi Team, I have a multicast setup. I am able to see that the PIM neighbourship is completed and igmp membership also fine. I can see my traffic in multicast fib with the correct incoming and outgoing interfaces. but the multicast packet is not reaching receiver, I can see a lot of packet drop in counter with detail "packet dropped no route for ip multicast". Any idea what will be the reason for this. Thanks in advance.

Abdul_Razaq · ‎10-21-2019

Hi Team, I have figured out the changes needed to be done in the server having core and console installed. Need to update the new password in the Log On tab on "Endpoint Security Manager" service Need to update account credentials in ESMAppPool under IIS manager -> Application pools. these configuration steps helped me to get the TRAPS in action after service account password change.

Abdul_Razaq · ‎10-21-2019

Hi @BatD , I am seeing these traffic only for third party clients, I am seeing traffic initiated from PA with source udp/4500 to client public IPs (it is blocked by policy ). As it is port 4500, I can make sure that it is because of third party client as GP uses 4501 in tunnel mode. I am wondering what is inside that packets, what PA is trying to send, is it the tunnel initiation? ( even though the policy is denying it, the IPSec connection is fine in responder mode).

Abdul_Razaq · ‎10-20-2019

Hi Team, I am seeing some traffic initiated from GP interface to outside using source port udp/4500 to public IPs of clients( GP uses 4501 and I have xauth configured). Are these traffics are because of GP xauth configuration.. anybody has noticed it before ?. I dont have any Ipsec tunnels configured from this interface. thanks in advance.

Abdul_Razaq · ‎10-20-2019

Hi Team, We have a traps ESM setup running successfully. console and core are installed in one server, But the DB is in another server. We are using windows authentication for login into DB ( ESM is configured with this domain user to login with DB while installing). now we need to change the password for this user. What are the changes I need to do in TRAPS for reflecting the password-change? thanks in advance.

Abdul_Razaq · ‎09-21-2019

Hi @SteveCantwell , @hman , Thanks for the information. I have requested TAC support for the same. Waiting for their verdict.

Abdul_Razaq · ‎09-18-2019

Hi Community. I have configured PA to fetch EDL of type IP addresses from EDL link "https://panwdbl.appspot.com/lists/ettor.txt" for blocking tor. I am able to see that the list is getting populated. But occasionally I am getting below warning while committing other configurations, EDL <name> used in policy has no valid entries I am running PanOS 9.0.3-h3 I am using the same EDL in another firewall (PanOS 8.1.9 ) as well with policy to deny traffic to these IPs. I am able to see traffic hitting this policy have action allow, when I checked the destination IP, it is not there in the list ( Not sure as this is a dynamic list and the IP might have before, but the action should not be allowed). the policy have log at end configured. Can somebody explain the above behaviour. Thanks in advance.

Abdul_Razaq · ‎08-27-2019

Hi Community, Does disabling HA using the master switch ( Device -> High availability -> general -> setup ->enable HA checkbox) will cause the interfaces to go down and up ?. I understand that the interface mac has to be changed from virtual to physical one, does it cause a flap. I have faced an issue that disabling caused aggregate interface to go down, I didn't notice other interfaces (maybe flap is fast enough not to be noticed). Thanks in advance !.

Abdul_Razaq · ‎08-08-2019

Hi Community, I have recently noticed that the email subject field in wildfire submission log is shortened, ie, I am not able to see the full subject name. Is there any specific limit for number of characters in that field ?. Thanks in advance.

Abdul_Razaq · ‎07-22-2019

Hi @feelgood , Hope you have configured the NAT and security rule properly. refer below doc for help. https://docs.paloaltonetworks.com/pan-os/8-0/pan-os-admin/networking/nat/nat-configuration-examples/destination-nat-exampleone-to-one-mapping

Abdul_Razaq · ‎07-21-2019

Hi Team, @reaper , @BPry Recently I have come across a scenario that palo alto was dropping TCP SYN packets which have ECN and CWR bits set. upon checking the global counter, i have seen that the drop reason was 'process owner message err, no predict'. anybody have seen this?. PA doesn't support SYN packets with ECN and CWR set ?.. Once I disable this enhancement in windows using the command 'netsh int tcp set global ecncapability=disabled', the session is getting established and the thinks are working fine.

Abdul_Razaq · ‎07-02-2019

Hi @simsim , I was just giving an analogy ( please dont consider Byte or bit difference or interframe gap). i was just conveying that if your actual data is packed to smaller packet size, you need to have overhead for all, all togather matching to link speed. so actual data transferred will be lower. But if you have bigger packet size, the number of packet will be less, you need header for all (header size will be the same regardless of data size). so you can transfer more data at a given time. Usually packet per second will be almost same for one platform for any packet size, which gives more data transfer for bigger packets.

Abdul_Razaq · ‎07-02-2019

Hi @simsim , To make it simple, smaller packet size means the whole chunk of data into smaller packets, and need to add l2/l3 headers for each. example for transferring 900Mb of actual data we need to transfer 100 Mb of headers. considering the link speed, 1 Gbps, per second only 900Mb is transfered ( less throughput) If the packet size is high, we need only less number of l2/l3 headers, may be 980 Mb data need 20Mb header, which gives higher actual throughput. You can check MTU of patch using ICMP packet with df bit set. Usually voice packets will be smaller.

Abdul_Razaq · ‎07-02-2019

Hi @karthikeyanB , You can configure 2 VPN tunnels with each of remote side ISP connecting IP as remote peer. Configure tunnel monitor on primary one then configure two routes to remote LAN through each of the VPN tunnel with lower metric on primary. Configure proper security policy for both the connections. So if primary VPN is down, as the tunnel monitor is configured, the route to remote LANwill be removed and new route with higher metric will be in action which will make the secondary tunnel UP.

Abdul_Razaq · ‎06-27-2019

@Tarczynski-SA , You need to configure tunnel monitor on main tunnel. Destination IP can be any pingable IP reachable through tunnel(IP at cisco side). Please note that the source of this monitor ping will be tunnel IP, make sure this communication is added in proxy ID ( 172.16.30.1 to destination) . Monitor profile should be 'fail-over'. Follow this document for tunnel monitor configuration, https://docs.paloaltonetworks.com/pan-os/8-0/pan-os-admin/vpns/set-up-site-to-site-vpn/set-up-tunnel-monitoring/define-a-tunnel-monitoring-profile.html#

Abdul_Razaq · ‎06-27-2019

@ROSSIGNOL Make sure you are putting only IP as portal ( dont include https://....).

Abdul_Razaq · ‎06-27-2019

@Tarczynski-SA , you can create a secondary tunnel and add route of remote LAN with higher metric through that tunnel. you need to have tunnel monitoring enabled in primary to remove the primary static route from the routing table, so once the primary tunnel is down, the route willl be trough secondary tunnel, and the tunnel will come up.

Abdul_Razaq · ‎05-06-2019

Hi @chuckles , For remote vpn for mac and windows without using HIP profile, you need not have a licence purchased. but if you want to connect mobile devices or need to use hip profiles, you need licence. For your info, https://docs.paloaltonetworks.com/globalprotect/8-0/globalprotect-admin/globalprotect-overview/about-globalprotect-licenses

Abdul_Razaq · ‎05-06-2019

Hi @chuckles , Hope the below KB helps, https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClcPCAS

Abdul_Razaq · ‎05-06-2019

Hi @mike406 , As @BPry mentioned, the way firewalls will identify the base URL is by examinig the servername field in client hello. if your communication is through ssl, the communication will be encrypted after ssl handshake, so the GET messages afterwards will be encrypted, you wont ba able to see it unless you have decryption configured.

Abdul_Razaq · ‎05-05-2019

Hi Community, Hope somebody can address my below query. I am able to see the Release date of App&threat version 8146-5421 as 2019-04-25 UTC in both threat vault and support portal( is it actually UTC time??, i am seeing 1-day gap here !), But my firewall have the details pf release date as 2019-04-26 07:24:00 GST (2019-04-26 in UTC aswell). I understand that PA didnt mention the release time along with date and there is timezone difference as well. But still, is there a gap between first release and making the content available for download ? in firewall In Threatvault

Date Registered	‎11-06-2018 12:48 AM
Date Last Visited	yesterday
Total Messages Posted	83
Total Likes Received	16

Online Status	Offline
Date Last Visited	yesterday

Strata

Prisma

Cortex

About Abdul_Razaq