About a.jones

Hi All,   Looked at my nodes today and it looks like https://panwdbl.appspot.com is down or decommissioned. Tried going to this URL and I get a 404 error? Has this page moved and I missed a notification, down for good or just an outage? Obviously impacts some of the DBLs I have.   Regards Adrian ... View more

Hi All,   I have just migrated an active/passive pair of 5220's to Panorama. After completing this following https://docs.paloaltonetworks.com/panorama/8-1/panorama-admin/manage-firewalls/transition-a-firewall-to-panorama-management/migrate-a-firewall-ha-pair-to-panorama-management.html#id177DF10905Z I go to perform step 4 and I get an error which I can't seem to resolve. Can someone help?   Here is the error: devices -> localhost.localdomain -> template-stack -> mll.pa.fw0.eastnet_stack -> config -> devices -> localhost.localdomain -> deviceconfig -> system -> route -> service -> crl-status -> source is missing 'address' devices -> localhost.localdomain -> template-stack -> mll.pa.fw0.eastnet_stack -> config -> devices -> localhost.localdomain -> deviceconfig -> system -> route -> service -> crl-status -> source is invalid   Its stopping me in the final stages of deployment. Regards   Adrian ... View more

Hi All,   I am testing a build for Global Protect PreLogon which I have working to a degree.   When I log in for the first time I successfully connect to GP using machine cert. When I log out, it switches to the prelogon state.   When I reboot or boot the laptop, Global Protect is disconnected. Is there a way I can make GP connect as soon as the wireless interface comes up so it is in the prelogon state? All else looks good apart from that.   Using PA software 8.1.11 and GP 5.0.5   Regards   Adrian ... View more

Hi All,   I am migrating Palo Altos to a new Palo Alto. I have a question raised by the end customer. They user User-ID agents currently on their servers. Can they use the same Agents on the new Palo Alto - off the top of my head I am not sure?   Given that the new install is a later version of PAN-OS, on a VSYS, new IP ranges internally (and although non-impacting) externally etc, can we point to their current User-ID Agents or do they need to create new agents?   Regards   Adrian ... View more

Hi All,   I need to import some SSL certificates for a Global Protect instance. Customer has already supplied me with their wildcard certificates which I have imported but I cannot select them when creating an SSL/TLS Service Profile. Can I set up this way or should I generate the CSR from the firewall and get the certificates created for me?   Regards   Adrian ... View more

Hi All,   Is it possible to use a Multi-VSYS Palo Alto to have the active-primary on one Palo Alto and a second VSYS Active-Primary on the second Palo Alto in Active-Active HA mode. I've done this on Cisco Active-Active firewalls but I need to do this on a Palo Alto pair.   Regards Adrian   ... View more

Hi All,   Just a sanity check question to ensure my config and thinking okay.   We are having issues with VMWare Airwatch traffic to a cloud server for a customer that migrated across to our network. They don't seem to be able to connect to the server for deployments. Traceroute to the server blackholes within VMWare environment. Test from other sources we can connect to the server.   My rule allows traffic from the client network out to the server IP on the required port using application airwatch, service as application default. This is patted out to the firewall interface with all other traffic. Logs show rule is being hit but application incomplete indicating the TCP handshake is not completing thereby matching the traceroute issue - no server connection.   If I look at the session browser I get this: show session id 2700153 Session 2700153 c2s flow: source: 10.119.77.16 [Public_99_Inside] dst: 169.50.196.24 proto: 6 sport: 42319 dport: 443 state: INIT type: FLOW src user: unknown dst user: unknown s2c flow: source: 169.50.196.24 [Public_118_Outside] dst: 185.111.131.198 proto: 6 sport: 443 dport: 49058 state: INIT type: FLOW src user: unknown dst user: unknown Slot : 1 DP : 0 index(local): : 2700153 start time : Tue Jun 25 15:43:12 2019 timeout : 5 sec total byte count(c2s) : 78 total byte count(s2c) : 0 layer7 packet count(c2s) : 1 layer7 packet count(s2c) : 0 vsys : vsys6 application : incomplete rule : MKC Wifi-2 service timeout override(index) : False session to be logged at end : True session in session ager : False session updated by HA peer : False address/port translation : source nat-rule : Internet Nat-1(vsys6) layer7 processing : enabled URL filtering enabled : False session via syn-cookies : False session terminated on host : False session traverses tunnel : False captive portal session : False ingress interface : ae2.1530 egress interface : ae1.1521 session QoS rule : N/A (class 4) tracker stage firewall : Aged out end-reason : aged-out   Does the fact that there is an s2c flow indicate there is traffic coming back from the server or just effectively timeout traffic? It remains in State INIT and type FLOW - for me it's just due to it aging out and nothing to do with server connection.   Is there anything else that can be considered that I may have missed? I tried a 1-1 NAT and get the same results. In all cases we can only traceroute so far into VMWare to the server indicating they are blackholing our traffic for some reason. If I traceroute from my desktop, different network I can get to the server.   Thoughts or advice?   TIA   Adrian ... View more