About Abdul_Razaq

 Hi Community,   As per the document https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CleBCAS describes, The IP-User mapping in firewall should be updated with the user used to RDP once a successful RDP is done. But I cannot see this behaviour in my environment, the username mapped with my PC is still the username I used to log in the device. I can see the RDP credential validation audit logs in Domain controller security event logs ( So hopes it is getting logged). Anybody noticed this behaviour? any idea on if anything needs to be enabled in Domain controller for this to work?   Thanks in advance. ... View more

Hi Community,   I have a requirement to add multiple client certificate into Linux GP config. Usually, whe we put 'globalprotect import-certificate --location <cert_location>', the existing client cert will be overridden with the new one and it will be imported as pan_client_cert.pfx under  /opt/paloaltonetworks/globalprotect .. Is there a way to keep both instead of override, so that i can use different client certificates while connecting to different portals. In windows, as it is taking from windows personal store, it will be discrete and we wont face this issue.   Anybody have any idea to achieve this ?.. or can we combine different .p12 files to single .pfx ?,  I am looking for some options other than adding both CAs in certificate profile   Thanks in advance!   ... View more

Hi Community,   Can anybody suggest on the minimum privileges a service account for LDAP (Settings -> Multi ESM -> DMZ AD configuration under ESM server) should have for using AD objects in ESM policy. The ESM core is not part of the domain. Having server operator privilege works fine, but i need to make the service account with very minimal permissions, preferably a read-only.   Thanks in advance. ... View more

Hi Community,   I am facing a strange issue that i cannot see the malicious domains showed in SLR report (under DNS security section) in my firewall threat logs. i can see DNS queries trying to resolve some other domains. But the interesting thing is, once i try to create SLR using same dumb file but selecting another country while generating the SLR in portal, i can see another malicious domain access and this domain is available in threat logs. I am wondering why different info just by selecting different countries while generating. Other informations are same.   Also is malware family is something SLR auto populates by considering the malware family these domains mostly use ?. Because the malware family info cannot be seen in threat logs ... View more

Hi Community,   Does the wildfire test file generate a alert/incident which can be seen XRD console ? I have a XDR agent connected to cloud. The wildfire test sample in prevented and i can see it in events of XDR agent. I cannot see this in XDR console neither in incident nor alert table. Does this expected behaviour ?. Also i noticed that one of the prevention (not the test file but other .exe) is also not visible in portal. I hope each security events in agent should create at least one alert in console.   Thanks in advance. ... View more

Hi Community,   I can see my firewall is sending DNS requests ( request for A record) to resolve some of internal hostnames. I dont have GP/detect internal host configured I dont have FQDN objects with these hostnames I have exported and checked entire config, the firewall is not having this hostname in the configuration It is requesting for A record ( so 'resolve hostname' is not causing it. Dont have DNS proxy configured in firewall This are internal hostnames, not malicious, which rule out DNS queries because of HTTP/TLS evasion This looks like firewall is trying to resolve in real time. I understands that firewall will be using DNS for  reporting, management services (such as email, Kerberos, SNMP, syslog) as per document. But not sure because of which of this reason firewall is trying to resolve these internal hostnames. It would be helpful if anybody can answer this.   Thanks in advance !  ... View more

Hi Community,   I have a requirement to have client authentication in globalprotect portal/gateway to have with LDAP first then another profile wich is SAML based. the requirement is to authenticate with SAML profile if LDAP auth fails. But as SAML profile cannot be added in authentication sequence, i cannot take advantage of authentication sequence. multiple entries in client authentication under portal -> authentication doesn't seems to be working as it is not trying for the next one as first entry fails. Their document says it is kind of security policy, so that the order should be more specific to general ( which apparently says the OS type is differentiator and it will not try next entry once a OS match happens). But the same document also says "If you need multiple configurations for one OS, you can further distinguish the configurations by your choice of authentication profile", which is very much confusing.   If anybody have any workaround or solution for achieving this, it will be helpful   Thanks in advance!   ... View more

Hi Community,   Can anybody help here. Is there any way we can make a report per endpoint group in TRAPS TMS implementation. Currently i cannot see any filters while creating a report. For example, if i have endpoint group A,B. Then is there a way i can generate different report for group A and B ?   Thanks in advance. ... View more

Hi Community,   I have an aggregate interface from PA to cisco having 2 physical interfaces, I don't have LLDP or LACP enabled in the aggregate interface (LLDP is not enabled globally as well as in interface level). But I can see that the aggregate interface is up and passing traffic. the strange thing happens is that when I add more than 2 subinterfaces in the aggregate link, the third and later links are not passing traffic. It would be great if someone can explain this behavior. Is it normal or I am missing something?.   Thanks in advance. ... View more