About Jafar_Hussain

Jafar_Hussain · ‎11-29-2021

@TomYoung I am facing the same issue. i have tried with the different firewalls with the same version some firewalls show the error and some do not.

Jafar_Hussain · ‎11-04-2021

Hello, I am facing an issue to get the alerts for my syslog server ( description contains 'Syslog connection broken to server[\'AF_INET.127.0.0.1:2625.\']' ) every two hours I am getting alerts. i checked the sys-ng.log and took the packet capture but I can see the same error. Below is the configuration:- sys log Server IP- 192.1681.1 protocol - UDP port - 514. Format - BSD service route is by default by management server. In the Syslog server, I am getting log properly only issue is I am getting alerts:-

Jafar_Hussain · ‎10-31-2021

@Astardzhiev We import wild card certificate *.abc.com.jk. one more test I did, I generate a self-sign certificate and attached in SSL /TLS profile then the same SSL/TLS profile configure for the Management Interface. Then i found the login page was secure but i don't want to use the self-sign certificate. i want to use a 3rd party certificate but not able to find the cause of this issue. Regards, Jafar Hussain

Jafar_Hussain · ‎10-28-2021

Hello, I want to make a secure connection for the firewall GUI access. therefore I perform the below task:- I imported the wildcard certificate in the firewall and the same certificate attached in SSL/TLS profile ( This is 3rd party certificate get by DigiCert). Then the SSL/TLS profile is configured for management settings. for troubleshooting purposes, i imported the certificate into the client machine as well. I did the above configuration and access to the firewall with a different browser like - IE, chrome, edge, firefox but all browser is showing the connection is not secure. I have two doubts:- 1- My wild certificate name is abc.com.jk which resolves my internal DNS 10.10.10.10 and my management IP address is 192.168.1.1 - Anything wrong with this or it is correct? 2 - I noticed that the certificate that I received from DigiCert its not a CA below is the image for reference- The Certificate should be the CA to make a secure connection? can anyone have suggestions on this?

Jafar_Hussain · ‎10-26-2021

We have noticed some vulnerability logs in our PA for the Telerik application in our environment. the threat vault id is 59014 but according to the link. https://threatvault.paloaltonetworks.com/?query=59014). https://www.telerik.com/support/kb/aspnet-ajax/details/allows-javascriptserializer-deserialization To fix this vulnerability we need to upgrade the Telerik version 2020.1.114 but my current version is more than this 2020.3.915 it means this is non-vulnerable. The issue is that I am getting vulnerability logs continuously. however, this is already fixed according to the PA KB. can anyone guide me, what is the solution for this? please note that I don't want to enable the exception for this thread id 59014.

Jafar_Hussain · ‎10-26-2021

@BPry The device was faulty. we replace the device.

Jafar_Hussain · ‎10-13-2021

@BPry I have configured AE1 group with interface ethernet 1/17 and ethernet 1/18 once I took the output for the active and passive that time I found the key for the partner I am not able to see on the passive firewall. below is the output:- Active firewall output:- *************************************************** AE group: ae1 Members: Bndl Rx state Mux state Sel state ethernet1/17 yes Current Tx_Rx Selected ethernet1/18 yes Current Tx_Rx Selected Status: Enabled Mode: Active Rate: Slow Max-port: 8 Fast-failover: Disabled Pre-negotiation: Enabled Local: System Priority: 32768 System MAC: x:x:x:x Key: 16 Partner: System Priority: 32768 System MAC: x:x:x:x Key: 11 Port State -------------------------------------------------------------------------------- Interface Port Number Priority Mode Rate Key State -------------------------------------------------------------------------------- ethernet1/17 80 32768 Active Slow 16 0x3D Partner 306 32768 Active Slow 11 0x3D ethernet1/18 81 32768 Active Slow 16 0x3D Partner 562 32768 Active Slow 11 0x3D Port Counters -------------------------------------------------------------------------------- Interface LACPDUs Marker Marker Response Error Sent Recv Sent Recv Sent Recv Unknown Illegal -------------------------------------------------------------------------------- ethernet1/17 111857 120904 0 0 0 0 0 0 ethernet1/18 111855 120931 0 0 0 0 0 0 ************************************************************************************* LACP output of the passive firewall"- *********************************************************** AE group: ae1 Members: Bndl Rx state Mux state Sel state ethernet1/17 no Defaulted Detached Unselected(Peer not detected) ethernet1/18 no Defaulted Detached Unselected(Peer not detected) Status: Enabled Mode: Active Rate: Slow Max-port: 8 Fast-failover: Disabled Pre-negotiation: Enabled Local: System Priority: 32768 System MAC: x:x:x:x Key: 16 Partner: System Priority: 0 System MAC: 00:00:00:00:00:00 Key: 0 Port State -------------------------------------------------------------------------------- Interface Port Number Priority Mode Rate Key State -------------------------------------------------------------------------------- ethernet1/17 80 32768 Active Slow 16 0x45 Partner 0 0 Passive Slow 0 0x00 ethernet1/18 81 32768 Active Slow 16 0x45 Partner 0 0 Passive Slow 0 0x00 Port Counters -------------------------------------------------------------------------------- Interface LACPDUs Marker Marker Response Error Sent Recv Sent Recv Sent Recv Unknown Illegal -------------------------------------------------------------------------------- ethernet1/17 111943 0 0 0 0 0 0 0 ethernet1/18 111874 0 0 0 0 0 0 0 ************************************************************************************************* On the passive firewall output for the AE1 :- I noticed that the prenegotiation is enabled but I didn't get the partner MAC address even I didn't get the partner key for the ethernet 1/17 and ethernet 1/18. One more point I highlight in the port counter LACPDU's the packets is sending but didn't receive any output. I would like to know, is this expected or do I need to check something on this.

Jafar_Hussain · ‎10-11-2021

I have the firewall 3220 model in the 9.1.11 version in HA mode. I can see all the aggregate interface in passive firewall is showing down. i want to know is this expected behaviour or not because I checked the below KB for some mode it is expected behaviour. Aggregate Interface Down on Passive Device - Knowledge Base - Palo Alto Networks moreover, my concern is at the last time the failover happen the passive device was not accessible as well as the traffic has stopped.

Jafar_Hussain · ‎09-13-2021

@BPryI have checked, according to the below documents the best practice is we should set the action drop for the evasion signature 14978. https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/threat-prevention/best-practices-for-securing-your-network-from-layer-4-and-layer-7-evasions.html moreover, if i set the action drop so the service is stopped and drop all the traffic for my server, that I have attached the antispyware profile. i have configured below antispyware profile:- so now, i want to allow the traffic but an alert should not come. what i need to do. - Do i need to allow the traffic instead of alert in the exception? - If alerts are coming so i can ignore? - or to work properly do i need to configure the DNS proxy. i believe if i configure the DNS proxy and if i will put in the antispyware rule and exception all the things is drop. it will work or not?

Jafar_Hussain · ‎09-13-2021

Dear Team, I have configured the web service behind PA. and attached the security profile . i can see in the thread logs the thread is generating "Suspicious TLS Evasion Found(14978)". i have gone through the below KB but didn't understand https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000HBwCCAW&lang=en_US%E2%80%A9 moreover, I can see the thread signature is showing in excpetion so I have enabled this and put the action is alert. the severity is informational. do i need to take any action on this? the severity is informational

Jafar_Hussain · ‎08-11-2021

@Astardzhiev THank you so much for your detailed explaination.

Jafar_Hussain · ‎08-10-2021

Dear Team, I have one scenario while connecting GP with LDAP user will get the IP address then the user is trying to connect internal server the traffic will go through the cisco FTD. the issue is that once traffic will pass Paloalto then we checked in he Cisco FTD the user and IP address we are getting only management IP address and service account of Paloalto :- I am giving one example for better understanding:- Example:- - UserA, UserB and UserC is the AD users. - Service account name is palo@servicecccount - Management IP of the firewall - 192.168.1.10 When USer A will connect the GLobal protect it will get the 10.0.0.1 IP address. When USer B will connect the GLobal protect it will get the 10.0.0.2 IP address. When USer C will connect the GLobal protect it will get the 10.0.0.3 IP address. Traffic flow:- GP USER > PA FIrewall > CISCO FTD > internal server(172.16.1.1) Then all the users try to access 172.16.1.1 on the CISCO FTD the IP address should show 10.0.0.1 ,10.0.0.2,10.0.0.3 with the name UserA, UserB, UserC) instead od this The Paloalto forward the detail 192.168.1.10(Managment IP) with user palo@serviceaccount . for all the AD users. ****************************************************************** Scenario 1: GP connect with local user ---> PA (IP Based) ---> Cisco (IP based) = worked Scenario 2: GP connect with LDAP user ---> PA (Ldap user based) ---> Cisco (Ldap user based -As per logs, Managment IP of PA and AD service account recieve as source) = Not worked Is this default behaviour or do i need to take any further action to resolve this.???

Jafar_Hussain · ‎08-09-2021

@vsys_remo i need to block specific information that are showing while opening a page example if any user access that page the information should not be showed that i marked in hide in the screenshot. IS this possible in palolto configaration.

Jafar_Hussain · ‎08-09-2021

I would like to know, i have hosted one website. once any one open a website the webpage will open. on that page i am getting all the information related to my environment. like domain dns name and dns admin name are disclosed. is there any way to block this. below is the example:-

Jafar_Hussain · ‎08-08-2021

Dear Team, I want to HTTP to HTTPS redirect. example:- If the user is trying to open wesite - http://abc.com it should be redirected to https://abc.com is this possible in paloalto? Regards, Jafar Hussain

Member Since	‎10-15-2019 11:13 AM
Date Last Visited	‎12-05-2021 01:27 AM
Posts	221
Total Likes Received	10

Online Status	Offline
Date Last Visited	‎12-05-2021 01:27 AM

About Jafar_Hussain

Re: XML output command of ARP managment in 9.1.11

syslog server logs

Re: Secure connection for firewall web GUI

Secure connection for firewall web GUI

Issue with the vulnerability logs.

Re: XML output command of ARP managment in 9.1.11

syslog server logs

Re: Suspicious TLS Evasion Found(14978)

Re: Psiphon application

Re: Firewall slowness

Re: upgrade OS

Re: XML output command of ARP managment in 9.1.11

syslog server logs

Re: Secure connection for firewall web GUI

Secure connection for firewall web GUI

Issue with the vulnerability logs.

Re: Passive device aggregate interface down

Re: Passive device aggregate interface down

Passive device aggregate interface down

Re: Suspicious TLS Evasion Found(14978)

Suspicious TLS Evasion Found(14978)

Re: PA VPN Authentication Via Ldap

PA VPN Authentication Via Ldap

Re: block web page content

block web page content

http to https redirect

Network Security

Cloud Security

Security Operations

About Jafar_Hussain