About Jatin.Singh

Our client has recently purchased the Cortex Data Lake license and we are trying to set this up for them. The firewalls are on version 10.0.7 and have valid certificates but under "Device -> Licenses", we do not see a license for Cortex Data Lake  despite trying to retrieve from license server etc.   My question is does it suppose to appear under the Device -> Licenses section?   We followed the following article to activate the  product   https://docs.paloaltonetworks.com/cortex/cortex-data-lake/cortex-data-lake-getting-started/activate-cortex-data-lake-toc/activate-cortex-data-lake-easy#id184II0S0GH3   ... View more

  Followed this KB   https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClS6CAK     The authentication shows successful on the inbound to Clearpass and meets all the policies required for successful login.     However the Palo sits at the login then eventually fails after about 5-10 seconds and indicates incorrect login credentials.     Palo System logs indicate Authentication failure   failed authentication for user 'test.user'. auth profile 'PALO-CLEARPASS', vsys 'shared', server profile ' PALO-Clearpass ', server address '10.x.x.x', auth protocol 'PAP', From: 10.x.x.x.     Auth d logs shows   2021-09-03 17:55:44.886 +1000 debug: pan_authd_radius_create_req_payload(pan_authd_radius.c:230): username: test.user 2021-09-03 17:55:44.886 +1000 debug: pan_make_radius_request_buf(pan_authd_radius_prot.c:390): RADIUS request type: PAP 2021-09-03 17:55:49.886 +1000 debug: auth_svr_timeout_sent_request(pan_auth_svr.c:272): timeout: authd id=6842217317271730159, username=test.user, protocol req id=123, retries=3 (max allowed retries #: 3), elapsed sec=13 (max allowed secs: 180) 2021-09-03 17:55:49.886 +1000 debug: pan_auth_response_process(pan_auth_state_engine.c:4290): auth status: auth timed out 2021-09-03 17:55:49.886 +1000 debug: pan_auth_response_process(pan_auth_state_engine.c:4529): Auth FAILED for user "test.user" thru <"PALO-CLEARPASS", "shared">: remote server 10.x.x.x.x of server profile "PALO-Clearpas s" is down, or in retry interval, or request timed out (elapsed time 13 secs, max allowed 180 secs) 2021-09-03 17:55:49.886 +1000 debug: pan_auth_response_process(pan_auth_state_engine.c:4571): Authentication failed: <profile: "PALO-CLEARPASS", vsys: "shared", username "test.user"> 2021-09-03 17:55:49.886 +1000 Error:  pan_set_admin_user_stat(pan_auth_admin_login_stat.c:260): Admin user "test.user" home dir "/opt/pancfg/home/test.user" has NOT created yet 2021-09-03 17:55:49.886 +1000 Error:  pan_auth_send_auth_resp(pan_auth_server.c:646): pan_set_admin_user_stat("test.user", False) 2021-09-03 17:55:49.887 +1000 failed authentication for user 'test.user'.   auth profile 'PALO-CLEARPASS', vsys 'shared', server profile 'PALO-Clearpass', server address '10.x.x.x.', auth protocol 'PAP', From: 10.x.x.x.x       What could be causing this issue?   Also another question is  When using RADIUS authentication for management(GUI/SSH) of firewall  do you add the administrator  test.user manually in administrators of GUI and specify the authentication profile for RADIUS on a per-user basis??? - GUI > Device > Administrators > adding the user there?? ... View more

We have implemented split tunneling in GP configuration for operating systems including Windows, iOS, and ChromeOS. It is working on all devices except Chromebooks. Doing further research, we are not very clear whether split tunneling is supported on Chrome or not. On Chromebooks we are using the "GlobalProtect for Android" app. Because there does not seem to be a "Chrome-specific" version after GP 4.1. Refer to the "Google Chrome (Installation instructions for 4.1, 5.0, 5.1, and 5.2.)" section in this link (https://docs.paloaltonetworks.com/compatibility-matrix/globalprotect/where-can-i-install-the-globalprotect-app.html#id7a3c3401-b233-43b0-8d78-dfceab88798f)   And according to  Palo Alto's GP features list (https://docs.paloaltonetworks.com/compatibility-matrix/globalprotect/what-features-does-globalprotect-support), "Split Tunnel to Exclude by Access Route" is supported on Chrome with GP 4.0.0 but not supported on Android. So which one should we refer to? Could anyone please clarify whether this feature is supported or not on Chrome OS with GP 5.2.7?   OS: 9.1.3 GP version: 5.2.7 Client OS version: Chrome R89-13729.56.0   Also we are using IPV4 routes and we can verify exclude routes is not working, because when we do a traceroute from chromebook it goes to firewall     ... View more

TMPFS partition /dev/shm on the VM series PAN.   Typically this is cleared on reboot but after upgrading to 10.0.6 its failed to clear the space on system reboot.   We have looked at the other drives on the PAN are there seems to be no capacity issues other then the tmpfs /dev/shm location at 97%.   Can you please confirm whether this is expected on later versions 10.0.x +? ... View more

Recently we added a 2TB log disk to this virtual Panorama running 8.1.19 on  VMWare ESXi 6.5     Once adding, the log redistribution process on the local log collector started as has been progressing very slowly. Over the course of 15 hours this job progressed to 7%   >show log-collector all ......   Redistribution status:    pending --- 7%       How long should this job take to complete?   Will this impact on daily operations in any way?   We followed this https://docs.paloaltonetworks.com/panorama/8-1/panorama-admin/set-up-panorama/set-up-the-panorama-virtual-appliance/expand-log-storage-capacity-on-the-panorama-virtual-appliance/add-a-virtual-disk-to-panorama-on-an-esxi-server.html (which has no mention of log redistribution or the expected time)     ... View more

  We are using OpenSSH v8.2 cannot connect to SSH hosts with SSH Proxy enabled (SSH Decryption).   Testing showing that this is due to the Palo Alto attempting to use RSA with SHA1 which has been removed by OpenSSH in v8.2.     Is there a way we can configure the Palo Alto to disable RSA/SHA1 for SSH?   ... View more