About Abdul_Razaq

Hi Community   I am seeing a strange behavior with DNS traffic. I tried to resolve some FQDns which work fine (those are public fqdns). But when I do the packet capture, I can see the same packets in transmit and drop stage. By comparing the tcp port and dns transaction id, i can see those packets sent only once by end machine and the same in both transmit and drop stage. Even i can see the DNS server is responding with the IP address and from end machine, the fqdn is resolved. I am trying to figure out why the packet in drop stage as it causes confition. Also this is not happening always, this is very random.   I even tried floe capture, in flow capture I cannot see the drop, in fact there is a gap in flow capture at the time of transmitting and drop time(which means i cannot see this transmit and drop in the flow capture). ... View more

One of my setup with client certificate authentication in gateway was working fine. For some reason, it gives me 'Required client certificate not found. Please contact your IT administrator' error. The certificate is available in the client machine certificate store and PanGPS.log shows it is able to identify the same. But After which it fails and displays the error. -------------------PanGPS.log-------------- (T1784)Debug( 859): 04/20/21 14:04:39:531 Opened machine store (T1784)Debug( 872): 04/20/21 14:04:39:531 Skipped cert Policy Manager STS issued by Policy Manager STS sha1 hash is d9 7b 5c d6 a7 18 ac 55 31 63 38 8a 9a e3 9b 4f 33 1a 71 2f (T1784)Debug( 872): 04/20/21 14:04:39:531 Skipped cert Policy Manager issued by Policy Manager sha1 hash is 74 b3 29 db fd d2 57 3a e6 37 ed a8 d8 fc 90 ca 77 c0 c1 00 (T1784)Debug( 872): 04/20/21 14:04:39:531 Skipped cert *.pom.local issued by *.pom.local sha1 hash is 56 87 23 33 cd 2d 17 0a 00 57 8b 56 13 76 fd 0d c6 3e 13 55 (T1784)Debug( 868): 04/20/21 14:04:39:531 Found the cert GPA_Windows_Client issued by POM_Client_VPN sha1 hash is 51 84 70 a8 99 3d e9 9b 0f f8 28 ec 6d ac 5b 79 ea b1 de 46 in machine store (T1784)Debug( 874): 04/20/21 14:04:39:531 Finished searching machine store. (T1784)Debug(1016): 04/20/21 14:04:39:531 PrepareRequest, m_pMachineCertCtx is 000001E3BA0921F0... (T1784)Debug(1024): 04/20/21 14:04:39:532 WinHttpOpenRequest... (T1784)Debug( 442): 04/20/21 14:04:39:532 CPanHTTPSession::PostRequest: WinHttpSendRequest... (T1784)Debug( 453): 04/20/21 14:04:39:743 bResults=1, g_dwStatus = 00000000 (T1784)Debug( 675): 04/20/21 14:04:39:748 Server <portal fqdn> cert chain has been created. (T1784)Debug( 689): 04/20/21 14:04:39:748 Server <portal fqdn> cert verification passed (T1784)Debug( 721): 04/20/21 14:04:39:748 Check server certificate revocation returns TRUE (T1784)Debug( 475): 04/20/21 14:04:39:748 CPanHTTPSession::PostRequest: WinHttpReceiveREsponse... (T1784)Debug( 487): 04/20/21 14:04:39:748 CPanHTTPSession::PostRequest: WinHttpQueryHeaders... (T1784)Debug( 369): 04/20/21 14:04:39:748 Content-length: 529 (T1784)Info (1220): 04/20/21 14:04:39:748 download data success (T1784)Debug( 530): 04/20/21 14:04:39:748 CPanHTTPSession::SendRequest: WinHttpQueryHeaders... (T1784)Debug(3590): 04/20/21 14:04:39:748 Login to gateway (null) <--portal fqdn--> without ipv6 (T1784)Debug(10948): 04/20/21 14:04:39:748 StopCaptivePortalDetection() captive portal detection is in progress (T5056)Debug(5039): 04/20/21 14:04:39:748 CaptivePortalDetectionThread: IsDetectingCaptivePortal=0, PreLoginIsDone=1 (T5056)Debug(5016): 04/20/21 14:04:39:748 CaptivePortalDetectionThread: wait (-1 ms) for captive portal detection event. (T1784)Debug(3620): 04/20/21 14:04:39:748 Pre-login response is <?xml version="1.0" encoding="UTF-8" ?> <prelogin-response> <status>Error</status> <ccusername></ccusername> <autosubmit></autosubmit> <msg>Valid client certificate is required</msg> <newmsg>Required client certificate not found. Please contact your IT administrator.</newmsg> <license>yes</license> <authentication-message>Enter login credentials</authentication-message> <username-label>Username</username-label> <password-label>Password</password-label> <panos-version>1</panos-version><region>AE</region> </prelogin-response> ---------------PanGPS.log-------------- I even tried generating new certificate from same CA and imported in client machine/user store, it didnt work. Root CA is already there in the trusted CA store. Anybody encountered the same?, any solution. ... View more

Hi Community,   I am trying to figure out how the GP Ipsec connection behaves, if the IPsec fails to connect at the time of initial GP connection and the GP falls back to SSL, will GP retry IPsec after any specific interval? is this configurable ?. Also is there any way I can move the Ipsec connection from UDP/4501 to any other ports?   Thanks in advance. ... View more

Hi Community,   I am trying to parse the threat log from Palo alto. I can see the 'number-of-severity' in the custom Syslog log format. I am looking for an official document to map these numbers to the severity level. I can see the below, 4- indicate high level, 3 - indicate medium. Anybody has any official documents on this.   Thanks in advance!. ... View more

Hi Community,   We have one golden image and non-persistent VDIs are spawning from it. we installed traps in the golden image with VDI enabled=1.  I can see the golden image install type is coming as a golden image, but the VDI generated from this has install type standard instead of VDI. I can see the vdi=0 as well in the VDI machine trapsd.log. Looks like Cortex is not identifying the VDI as persistent. anyway to resolve ?.  Any way to check if the system is actually persistent ?. user logged out and logged in, which gives him a new VDI hostname (hope this looks like indicating it is non-persistent )   Thanks in advance!.   ... View more