About COlson

COlson · ‎06-22-2022

Hello, Turns out there's a key part of using HIP matching that should probably be mentioned first instead of buried deeper in articles; you need to have User-ID enabled on the zone. Once that was enabled it worked fine.

COlson · ‎06-08-2022

Hello, I am testing out using HIP match for certain traffic but I am running into an issue where traffic continues to be blocked. I can see the HIP information in the log and firewalls has GP Gateway license. Originally tried to use HIP for just Anti-Malware 'Is Installed' and has 'Real Time Protection' and the traffic never passed even though in the HIP log I can see both of these being good. So then I just tried to use host information and host contains "Microsoft" (I am using a Windows 10 machine to test) and again traffic fails despite the HIP log showing the machine is Windows 10. If I remove the HIP profile from the security policy, the traffic passes without issue. I have now tested with different categories in the HIP object, testing different client machines to see if something was unusual but it doesn't matter, if the HIP Profile is in use, traffic is blocked. Is anyone familiar with what might cause the HIP information to match but traffic still not pass as expected? Thank you.

COlson · ‎04-23-2022

Hi, I could set it to IKEv2 only but the same problem arises; as soon as the the two firewalls are on different versions of PAN-OS, IKEv2 fails. I would have thought that would be the use case for IKEv2 preferred but it doesn’t seem it.

COlson · ‎04-13-2022

Hello, I’ve recently ran into an issue where I’m using IKEv2 preferred and the two firewalls are using different versions of PAN-OS. It will fail with “invalid sig.”. If both firewalls are the same PAN-OS version (this has been happening on 9.1.11-9.1-13h3… I don’t have any other versions to test), it works fine. But since I can’t update all firewalls at the same time, there are periods of time where they are different versions and that results in the tunnel dropping. Additionally, as I’m using IKEv2 preferred, I assumed that when IKEv2 failed, it would use IKEv1 but that doesn’t seem to be the case. Are both of these expected behaviors? There must be something I am missing. Thanks.

COlson · ‎01-07-2022

Hello, I am trying to troubleshoot an error in a traffic log regarding cert decryption. I have found an article from PA on it: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000boONCAY but I am unable to reproduce the steps to help in troubleshooting. The fourth bullet says 'Dataplane Debug shows the following..." and I would like to see a log just they show in the example but I'm not sure where that is. The log features it references I'm familiar with for packet capture but packet capture doesn't look the example they provided. Can someone point me in the right direction of how I can reproduce that screen? Thanks.

Member Since	‎05-10-2019 02:15 PM
Date Last Visited	‎03-02-2023 10:42 PM
Posts	25
Total Likes Received	2

Online Status	Offline
Date Last Visited	‎03-02-2023 10:42 PM

About COlson

Re: GlobalProtect HIP issues

GlobalProtect HIP issues

Re: Site to Site VPN failing when IKEv2 and different PANOS

Site to Site VPN failing when IKEv2 and different PANOS

Debug Dataplane Help

Re: Service Route Help

Debug Dataplane Help

Re: Content Update Issue

Re: GlobalProtect HIP issues

GlobalProtect HIP issues

Re: Site to Site VPN failing when IKEv2 and different PANOS

Site to Site VPN failing when IKEv2 and different PANOS

Debug Dataplane Help