About Jatin.Singh

Panorama shows that all devices have "No device group assigned" in the Managed Devices, Summary screen, but the devices look fine in the Device groups screen. This is also resulting in being unable to commit changes to the firewalls.   This issue happened earlier on today, and went away with a reboot of Panorama, but appears to have come back.   What can be this issue?   Version -  9.1.0 ... View more

We are rolling out GP with SSO with Pre-login using certificates as of last week. The GP agents are connecting at pre-auth and subsequently doing SSO once the user signs in with cached credentials.    After the weekend, we are having multiple users reporting they cannot login.    We are seeing lots of events 'globalprotectportal-auth-fail' with description 'GlobalProtect portal user authentication failed. Login from: 124.189.178.11, Source region: AU,  User name: andrew.gee, Client OS version: Microsoft Windows 10 Enterprise , 64-bit, Reason: Cookie expired, Auth type: cookie.' We have cookie authentication override enabled on both gateway and the portal using the same CA Root, what can be the reason for this error and users not able to login ? ... View more

We are currently attempting to update our globalprotect client on our Palo Alto firewall, a PA-500. The version we are attempting to download is 5.0.8.   Currently when attempting to download we get the following error       Which hasn't given us much indication of what the issue is, and how to rectify it. We have checked the logs in an attempt to find additional information, which has given us the following information   administrator@PA-500> tail follow yes mp-log ms.log 2020-03-19 16:43:01.287 +1100 client dagger reported op command was SUCCESSFUL 2020-03-19 16:43:04.840 +1100 No upload information available sh: -o/tmp/pan/downloadprogress.10006: No such file or directory grep: /tmp/pan/downloadprogress.10006: No such file or directory NO_MATCHES 2020-03-19 16:43:06.623 +1100 Error:  pan_jobmgr_downloader_thread(pan_job_mgr.c:1110): DOWNLOAD job failed NO_MATCHES   We have also tried the following. - Restarting the Management Plane, with no change - Attempted to download PAN-OS 7.1.25 (currently running PAN-OS 7.1.5) which seems to fail with the same message - Changed the Service Route for PA updates to e1/5, with no change. - Tried a tcpdump from the management plane when clicking 'Download' but could not spot the traffic (1x port 443 tcpfump filter, 1x all traffic - pcaps attached)   There doesn't appear to be any dropped sessions in the pcap so we currently don't think it's our upstream firewall. ... View more

Hi Guys, I am just wondering if the following scenario is possible  Load balancing between the two client  VPN Gateways so half the clients connect to one VPN server at site A, and the other half connect to Site B.Palo alto firewalls on both sides. ... View more

We’ve recently upgraded our PAN from 8.0.4 to the latest version (8.1.13) successfully.   Now the issue is that we’ve been getting an email stating that “registering Wildfire Public Cloud has been successfully” every 20 minutes.   Is there a way to make this particular email to stop?   Subject:  INV-FW1 - SYSTEM ALERT : medium : Successfully registered to Public Cloud wildfire.paloaltonetworks.com domain: 1 receive_time: 2020/02/28 16:57:28 serial: 012001004743 seqno: 3597815 actionflags: 0x0 type: SYSTEM subtype: wildfire config_ver: 0 time_generated: 2020/02/28 16:57:28 dg_hier_level_1: 0 dg_hier_level_2: 0 dg_hier_level_3: 0 dg_hier_level_4: 0 vsys_name: device_name: INV-FW1 vsys_id: 0 vsys: eventid: wildfire-conn-success object: fmt: 0 id: 0 module: general severity: medium opaque: Successfully registered to Public Cloud wildfire.paloaltonetworks.com   Also I tested the wildfire connection and it is successful.     djthirl@INV-FW1> test wildfire registration This test may take a few minutes to finish. Do you want to continue? (y or n)   Test wildfire Public Cloud           Testing cloud server wildfire.paloaltonetworks.com ...         wildfire registration:         successful         download server list:          successful         select the best server:        panos.wildfire.paloaltonetworks.com ... View more

We are using PANOS 9.1 and latest DNS security. Any thoughts on these errors from proxy log? 172.16.1.1 and 172.16.1.3 are Microsoft AD DNS servers.Can these be effecting performance of traffic?   2020-02-17 08:30:23.583 +1100 Error:  pan_dnsproxy_recv_server_udp_cb(pan_dnsproxy_udp.c:222): [udp]: fd 48 from 172.16.1.1 to 0.0.0.0 process server failed! 2020-02-17 08:30:24.490 +1100 Error:  pan_dnsproxy_process_server_pkt(pan_dnsproxy_pkt.c:1491): [DNS Proxy/21572/12452/-]:[Drop Rcvd Server Pkt]: invalid UDP socket! 2020-02-17 08:30:24.490 +1100 Error:  pan_dnsproxy_recv_server_udp_cb(pan_dnsproxy_udp.c:222): [udp]: fd 56 from 172.16.1.1 to 0.0.0.0 process server failed! ... View more

We have utilised Marketplace in Azure to setup 2 x PAs with the intention of turning on HA. We can not locate configuration information for an Active/Active setup in an Azure environment (seemingly we can locate only Active/Passive setup information).   Can someone guide me through active/active setup in azure  ... View more

  Today whilst we were investigating the process of upgrading the disk size for our Panorama Legacy Mode VM we have accidentally re-configured the disk size from 81gb (as per the template import original size) to 150gb. This was of course different to the process as outlined by Palo Alto documentation. Within VMWARE VCSA we are unable to change the disk size back down to 81gb as we are advised that a disk size cannot be reduced below it's current size.   I would like to know that if we restart the Panorama OS or it is shut down will it cause any issues with Panorama OS working properly? My thoughts are there should be no issues as essentially Panorama OS will not know about the increase of disk space as it can't extend a partition table. I am just not sure how much it checks the disk during the boot stages and if it detects a change to the disk if that will cause a boot issue...   Can you please advise if this is a problem, as we are thinking of upgrading Panorama which is currently in Legacy mode to Panorama mode which of course requires a shutdown to begin the change. ... View more

We have one panorama virtual appliance [hostname: Panorama]  running as mgmt server & local log collector  -- Pan01 – [ collector-group : ac3 ]   2.        There are other two virtual appliance pan02 & pan03 [dedicated log collectors ] will be added to the same [ collector group :ac3 ]   Stage-1 After above 3 in the same log collector group, we’d like to enable log redundancy, as we assume this will make fw log sync between all 3 log collector members  --- if this is wrong understanding, please advise the correct way?   Stage-2 Once the log synced between all members,   we’d like to convert the Pan01 to mgmt server Only, Not collecting downstream managed fw log any more While the other two Pan02 & Pan03 will still collecting log from managed fw and be managed by Pan01 ---- during this sync and convert process, will there be any moment we will be losing any fw log forwarding from managed devices ?  -- please confirm Also, please confirm if this sync & convert approcach is doable or not? ... View more

We have a problem with the GP client and DNS. when the primary DNS server configured on the GP gateway is down, the GP client is unable to resolve FQDNs (over the split tunnel).  Once I reversed the and made the secondary (active) DNS server the primary, the GP was able to resolve internal names.   The only global timer that I can see for DNS is under Device/Setup/Services and that is for FWDN Refresh.  I currently have the two DNS servers configured by IP addresses.   The FQDN Refresh Time is set to the default of 1800 seconds.  The PA is running v8.1.9.  We only noticed this during tests as we are progressively upgrading the Domain Controllers and DNS servers.    I see in the on-line documentation that for VMs, we can set as low as 60 seconds (1 minute).  It sounds like a shorted FQDN refresh would help this issue.  Would lowering this value significantly impact overall performance?  What should we do here to fix the issue     ... View more

We seem to have a lot of SIP traffic that is reporting a Session End Reason of "resources-unavailable".  This traffic is hitting rules that don't even match.  Please refer to attached screen capture. What could be the reason?   Thanks for your assistance, ... View more

I m currently unable to authenticate through Global Protect. I’ve looked at the config which looks correct and I can’t see anything obvious in the logs. Are you able to assist? I’ve paste the logs below.       2019-09-16 14:03:19.305 +1000 debug: _get_auth_prof_detail(pan_auth_util.c:1068): non-admin user thru Global Protect "sagierhartla@wyongccs.nsw.edu.au" ; auth  profile "GP-VPN-AUTH" ; vsys "vsys1" 2019-09-16 14:03:19.305 +1000 debug: _get_authseq_profile(pan_auth_util.c:860): Auth profile/vsys (GP-VPN-AUTH/vsys1) is NOT auth sequence 2019-09-16 14:03:19.305 +1000 debug: _retrieve_svr_ids(pan_auth_service.c:645): could not find auth server id vector for GP-VPN-AUTH-vsys1-mfa 2019-09-16 14:03:19.305 +1000 debug: add_info_from_auth_profile_to_request(pan_auth_util.c:1024): MFA is not configured for the auth profile. No mfa server ids for the user "" (prof/vsys: GP-VPN-AUTH/vsys1) 2019-09-16 14:03:19.305 +1000 debug: add_info_from_auth_profile_to_request(pan_auth_util.c:1035): MFA configured, but bypassed for GP user ''. (prof/vsys: GP-VPN-AUTH/vsys1) 2019-09-16 14:03:19.305 +1000 debug: _authenticate_initial(pan_auth_state_engine.c:2560): Keep original username, i.e., whatever end-user typed, "sagierhartla@wyongccs.nsw.edu.au" in request->username 2019-09-16 14:03:19.305 +1000 debug: pan_auth_cache_user_is_allowed(pan_auth_cache_allowlist_n_grp.c:579): This is a single vsys platform, group check for allow list is performed on "vsys1" 2019-09-16 14:03:19.306 +1000 debug: _authenticate_by_localdb_or_remote_server(pan_auth_state_engine.c:1817): Authenticating user "sagierhartla@wyongccs.nsw.edu.au" with <profile: "GP-VPN-AUTH", vsys: "vsys1"> 2019-09-16 14:03:19.306 +1000 debug: _retrieve_svr_ids(pan_auth_service.c:648): find auth server id vector for GP-VPN-AUTH-vsys1 2019-09-16 14:03:19.306 +1000 debug: _retrieve_svr_ids(pan_auth_service.c:655): but auth server id vector is empty for GP-VPN-AUTH-vsys1 2019-09-16 14:03:19.306 +1000 Error:  _begin_auth(pan_auth_state_engine.c:1915): sending request for user "sagierhartla@wyongccs.nsw.edu.au": no remote server in auth profile "GP-VPN-AUTH" is available (could be FQDN resolution failure) 2019-09-16 14:03:19.306 +1000 failed authentication for user 'sagierhartla@wyongccs.nsw.edu.au'.   auth profile 'GP-VPN-AUTH', vsys 'vsys1', From: 220.233.83.161. 2019-09-16 14:03:19.306 +1000 debug: _log_auth_respone(pan_auth_server.c:268): Sent PAN_AUTH_FAILURE auth response for user 'sagierhartla@wyongccs.nsw.edu.au' (exp_in_days=-1 (-1 never; 0 within a day))(authd_id: 6730648317623110501) 2019-09-16 14:03:35.492 +1000 debug: pan_auth_cache_get_authprof_info(pan_auth_cache_authprof_n_authseqprof.c:176): prof "GP-VPN-AUTH", vsys "vsys1" (method: LDAP (active directory)) has sso hash table id: 0 (0 means no or invalid keytab) 2019-09-16 14:03:35.492 +1000 debug: pan_authd_handle_is_kerberized_req(pan_authd_kerberos_sso.c:1050): return is_kerberized = false for <profile: "GP-VPN-AUTH", vsys: "vsys1", remotehost "", krb_sso_hostname "vpn.wyongccs.nsw.edu.au"> 2019-09-16 14:03:35.560 +1000 debug: authd_sysd_profile_domain_callback(pan_auth_sysd.c:997): profiledomain triggered via sysd 2019-09-16 14:03:35.560 +1000 debug: authd_sysd_profile_domain_callback(pan_auth_sysd.c:1017): get domain for vsys1/GP-VPN-AUTH 2019-09-16 14:03:35.560 +1000 debug: pan_auth_cache_get_authprof_info(pan_auth_cache_authprof_n_authseqprof.c:176): prof "GP-VPN-AUTH", vsys "vsys1" (method: LDAP (active directory)) has sso hash table id: 0 (0 means no or invalid keytab) 2019-09-16 14:03:35.560 +1000 debug: _get_profile_domain(pan_auth_sysd.c:980): auth prof "GP-VPN-AUTH" on vsys "vsys1" has domain: "wyongccs" 2019-09-16 14:03:35.564 +1000 debug: pan_auth_request_process(pan_auth_state_engine.c:3344): Receive request: msg type PAN_AUTH_REQ_REMOTE_INIT_AUTH, conv id 99962, body length 2384 2019-09-16 14:03:35.564 +1000 debug: _authenticate_initial(pan_auth_state_engine.c:2371): Trying to authenticate (init auth): <profile: "GP-VPN-AUTH", vsys: "vsys1", policy: "", username "sagierhartla"> ; timeout setting: 25 secs ; authd id: 6730648317623110504 2019-09-16 14:03:35.564 +1000 debug: _get_auth_prof_detail(pan_auth_util.c:1068): non-admin user thru Global Protect "sagierhartla" ; auth  profile "GP-VPN-AUTH" ; vsys "vsys1" 2019-09-16 14:03:35.564 +1000 debug: _get_authseq_profile(pan_auth_util.c:860): Auth profile/vsys (GP-VPN-AUTH/vsys1) is NOT auth sequence 2019-09-16 14:03:35.564 +1000 debug: _retrieve_svr_ids(pan_auth_service.c:645): could not find auth server id vector for GP-VPN-AUTH-vsys1-mfa 2019-09-16 14:03:35.564 +1000 debug: add_info_from_auth_profile_to_request(pan_auth_util.c:1024): MFA is not configured for the auth profile. No mfa server ids for the user "" (prof/vsys: GP-VPN-AUTH/vsys1) 2019-09-16 14:03:35.564 +1000 debug: add_info_from_auth_profile_to_request(pan_auth_util.c:1035): MFA configured, but bypassed for GP user ''. (prof/vsys: GP-VPN-AUTH/vsys1) 2019-09-16 14:03:35.564 +1000 debug: _authenticate_initial(pan_auth_state_engine.c:2560): Keep original username, i.e., whatever end-user typed, "sagierhartla" in request->username 2019-09-16 14:03:35.564 +1000 debug: pan_auth_cache_user_is_allowed(pan_auth_cache_allowlist_n_grp.c:579): This is a single vsys platform, group check for allow list is performed on "vsys1" 2019-09-16 14:03:35.565 +1000 debug: _authenticate_by_localdb_or_remote_server(pan_auth_state_engine.c:1817): Authenticating user "sagierhartla" with <profile: "GP-VPN-AUTH", vsys: "vsys1"> 2019-09-16 14:03:35.565 +1000 debug: _retrieve_svr_ids(pan_auth_service.c:648): find auth server id vector for GP-VPN-AUTH-vsys1 2019-09-16 14:03:35.565 +1000 debug: _retrieve_svr_ids(pan_auth_service.c:655): but auth server id vector is empty for GP-VPN-AUTH-vsys1 2019-09-16 14:03:35.565 +1000 Error:  _begin_auth(pan_auth_state_engine.c:1915): sending request for user "sagierhartla": no remote server in auth profile "GP-VPN-AUTH" is available (could be FQDN resolution failure) 2019-09-16 14:03:35.565 +1000 failed authentication for user 'sagierhartla'.   auth profile 'GP-VPN-AUTH', vsys 'vsys1', From: 220.233.83.161. 2019-09-16 14:03:35.565 +1000 debug: _log_auth_respone(pan_auth_server.c:268): Sent PAN_AUTH_FAILURE auth response for user 'sagierhartla' (exp_in_days=-1 (-1 never; 0 within a day))(authd_id: 6730648317623110504) 2019-09-16 14:03:39.165 +1000 debug: authd_sysd_profile_domain_callback(pan_auth_sysd.c:997): profiledomain triggered via sysd 2019-09-16 14:03:39.166 +1000 debug: authd_sysd_profile_domain_callback(pan_auth_sysd.c:1017): get domain for vsys1/GP-VPN-AUTH 2019-09-16 14:03:39.166 +1000 debug: pan_auth_cache_get_authprof_info(pan_auth_cache_authprof_n_authseqprof.c:176): prof "GP-VPN-AUTH", vsys "vsys1" (method: LDAP (active directory)) has sso hash table id: 0 (0 means no or invalid keytab) 2019-09-16 14:03:39.166 +1000 debug: _get_profile_domain(pan_auth_sysd.c:980): auth prof "GP-VPN-AUTH" on vsys "vsys1" has domain: "wyongccs" 2019-09-16 14:03:39.169 +1000 debug: pan_auth_request_process(pan_auth_state_engine.c:3344): Receive request: msg type PAN_AUTH_REQ_REMOTE_INIT_AUTH, conv id 99964, body length 2384 2019-09-16 14:03:39.169 +1000 debug: _authenticate_initial(pan_auth_state_engine.c:2371): Trying to authenticate (init auth): <profile: "GP-VPN-AUTH", vsys: "vsys1", policy: "", username "spadmin"> ; timeout setting: 25 secs ; authd id: 6730648317623110506   ... View more

I'm noticing several failed login attempts to our firewall for my domain admin account username.  This does not actually exist on our firewall as a user, and as such is being rejected.   I only log into our firewall using HTTPS access, i occasional use SSH, but have not for any of the events shown in the screenshot provided.   The logins seem to occur just after 9AM, 12PM and 4PM each day.  Is it possible that this is a false positive event on the Palo Alto, or that my windows desktop is somehow compromised?   how do we check that? ... View more

I have an issue with a Panorama VM indicating high memory usage. Using the following resources:  top - 10:59:58 up 82 days, 1:07, 1 user, load average: 4.22, 3.89, 3.87 Tasks: 156 total, 1 running, 152 sleeping, 0 stopped, 3 zombie Cpu(s): 39.2%us, 1.8%sy, 0.0%ni, 58.0%id, 0.9%wa, 0.0%hi, 0.1%si, 0.0%st Mem: 16447708k total, 16354760k used, 92948k free, 13208k buffers Swap: 2097084k total, 2091588k used, 5496k free, 8151152k cached This has only recently occurred, hasn't always been the case in terms of memory usage.    What info shall we pass on to Palo TAC team or what can be cause of this? ... View more

I got an issue to update a cert on PA pair. The issue is very similar to what it describes under https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CldECAS I import the new cert to both PA FW units and change config to use the new cert. However it comes with config out-of-sync issue and somehow the new cert on passive unit is removed after committing config. any fix for the issue? ... View more