About Rene_Boehme

Hi,   which PANOS version are you running? Some logs might be helpful as well.   Thanks.         ... View more

Hi,   first of all I wont recommend touching the master key and only if necessary. When prompted to enter the new key, - how do you handle to the "current key" field? - what do you enter to the rest of the fields?   I guess you can not go without either "reminder" or "auto key renewal". Has the master key changed before or is it default?     ... View more

Hi,   can you please post a screenshot of your setting under Device > Log Settings?  Can you check this article below to see if general mail function is working?   https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClUiCAK     ... View more

Hey, this is quiet tricky. There is a lot of stuff unknown but as you can nail it down to the OS I dont see any reason to troubleshoot GP. What you can try is to upgrade GP client to a newer version or play around with client IPSec/SSL connection setup. (see if opposite setting of yours is working better)  ... View more

Good luck. Let us know if anything is missing. ... View more

Hi,   you can go with this filter so see respective logs.   Monitor > Logs > Traffic > ( zone.src eq SRC_ZONE) and ( zone.dst eq DST_ZONE )   You can export the output shown into an CSV file.     Based on this output normally a good approach, in my opinion, is:   - setup an application group with apps you want to allow (good apps) - setup an application group with apps you do not want to allow (bad apps), - set up a policy with "application" = application group good apps, set it do allow, enable logging at session end - set up a policy with "application" = application group bad apps, set it to deny or drop (whatever suits your setup), enable logging at session end - set up a policy with "application" = any, set it to allow, enable logging at session end   Continually monitor this rules and fine tune your policy. In Policies > Name column > hover over policy name > triangle icon > log viewer. Later on it might become more difficult because with a single "allow rule" you will be forced to decide for a service (any/select/app default). In case of you need different ports other than "app-default" you need to add a specific policy.   Hope that helps. ... View more

Hi,   can you please clarify on the exact issue?   @Mohammed_Yasin wrote: The issue is that when I connected to a server through Global Protect, I can't connect to another server. I have to disconnect from Global Protect and then connect to the desired server. So basically he can connect to one server at a time.   If you are able to connect to a server through GP and can only access server 2 without GP it sounds like a "split-tunnel" issue. But as you pointed out with a different version of the OS there is no issue. Where is the junction here?     ... View more

Hi,   my first intention was PSU2 is hot standby but I was not sure. But it seems like it is this way.   admin.boehme@5250(passive)> show system environmentals power-supply ----Power Supplies---- Slot Description Alarm Inserted S1 Power Supply #1 (left) False True S1 Power Supply #2 (right) False True admin.boehme@5250(passive)> show system environmentals power ----Power---- Slot Description Alarm Volts Min V Max V S1 Power Rail: NB - Switch 1.0V Core False 0.98 0.90 1.10 S1 Power Rail: NB - Switch 1.0V Serdes False 0.97 0.90 1.10 S1 Power Rail: NB - 2.5V Power Rail False 2.43 2.25 2.75 S1 Power Rail: NB - 3.3V Power Rail False 3.23 2.97 3.63 S1 Power Rail: CE - DP0 0.90V Core False 0.90 0.81 0.99 S1 Power Rail: CE - 0.95V Power Rail False 0.95 0.85 1.04 S1 Power Rail: CE - 0.95V CE40 FPGA False 0.98 0.85 1.04 S1 Power Rail: CE - 1.0V Power Rail False 0.99 0.90 1.10 S1 Power Rail: CE - 1.2V Power Rail False 1.20 1.08 1.32 S1 Power Rail: CE - 1.35V Power Rail False 1.37 1.22 1.49 S1 Power Rail: NB - 0.9V Power Rail False 0.88 0.81 0.99 S1 Power Rail: CE - 1.5V Power Rail False 1.50 1.35 1.65 S1 Power Rail: CE - 1.8V Power Rail False 1.80 1.62 1.98 S1 Power Rail: CE - 2.5V Power Rail False 2.49 2.25 2.75 S1 Power Rail: CE - 3.3V Power Rail False 3.32 2.97 3.63 S1 Power Rail: MP - 1.8V VCCIN False 1.80 1.62 1.98 S1 Power Rail: MP - 1V05 False 1.05 0.94 1.16 S1 Power Rail: MP - 1V2_VDDQ False 1.20 1.08 1.32 S1 Power Rail: MP - 0V6_VTT False 0.61 0.54 0.66 S1 Power Rail: MP - 1V2_MAC False 1.20 1.08 1.32 S1 Power Rail: MP - 1V3_VCCKRHV False 1.31 1.17 1.43 S1 Power Rail: NB - 0.95V TCAM False 0.92 0.85 1.04 S1 Power Rail: MP - 1V5_PCH False 1.49 1.35 1.65 S1 Power Rail: MP - 1V7_SUS False 1.70 1.53 1.87 S1 Power Rail: MP - 2V5_DDR4 False 2.49 2.25 2.75 S1 Power Rail: MP - 3V3_PCH False 3.30 2.97 3.63 S1 Power Rail: MP - 3V3 False 3.30 2.97 3.63 S1 Power Rail: MP - 5V0 False 5.00 4.50 5.50 S1 Power Rail: NB - 0.95V NP False 0.93 0.85 1.04 S1 Power Rail: NB - 1.028V VCS False 1.00 0.90 1.10 S1 Power Rail: NB - 1.2V Power Rail False 1.17 1.08 1.32 S1 Power Rail: NB - 1.2V NP False 1.17 1.08 1.32 S1 Power Rail: NB - 1.5V Power Rail False 1.46 1.35 1.65 S1 Power Rail: NB - 1.8V Power Rail False 1.75 1.62 1.98 admin.boehme@5250(passive)>   It seems like power is only drained from PSU1.     ... View more

Good job. ... View more

Because its protocol 6 instead of 5.   https://de.wikipedia.org/wiki/Protokoll_(IP) ... View more

Hi,   ok now I got you. So you are correct URL filtering is working with http/https only. Futhermore it is kind of uncommon to have URL filtering active in inwards direction. So I saw the request for port 389 which is basically LDAP, dont know for 4172. However please make yourself familiar with the conecpt of an "application firewall" - we do not open ports anymore. But in term of customers request you are right, this is not going to work. ... View more

Hey,   could you please clarify what you are trying to achieve here? The application and the service are independend of each other. You can easily create a rule allowing SSL and Web-Browsing on port 389 and 4172. ... View more

Hi,   so basically I had the same issue with a customer once. They've blocked a lot of stuff include the "Google - I am no robot - capture" which was required to enter the website. So we allowed it, analyzed the webpage (in Chrome presss F12), found the respective URL and allowed it trough. Strange enough even allowing *.google.* was not working out. However you can try to go on with your category blocking and starting whitlisting those advertisements. Unfortunately I am unaware of best practice here. I good way to start is within the URL filtering log. Setup filters like (url contains 'bing') and (action eq block) so see whats blocked and allow it if suitable. For testing you can clone the respective rule and add a UserID to it so the setup can be tested on live environment without interrupting. (if no UserID in place nail the source ip down to something)   Hope that helps. ... View more

Hi, can you please set up the command this way:    test security-policy-match from untrust source 1.1.1.206 to Zone Internal destination 2.2.2.226 destination-port 22 protocol 6   - if i remember correctly zones names with blanks in it wont work on CLI - with protocol Palo does not mean the application. Check this: https://en.wikipedia.org/wiki/List_of_IP_protocol_numbers   For the security policies it looks like they have been manipulated. Could you please copy the exact output, for related policies, of this command?   > show running security-policy       ... View more

Hi, I just did check that on my end. When I initiated a content update. (HA setup in my case)   > request content upgrade download latest sync-to-peer yes Download job enqueued with jobid 1459 Enqueued Dequeued ID PositionInQ Type Status Result Completed ------------------------------------------------------------------------------------------------------------------------------------------ 2020/09/19 14:25:36 14:25:36 1459 Downld FIN OK 14:25:38   First I checked the licences:   > request license info > request license fetch   If this shows correctly but still doenst work you can disable and reenable the licence:   > request license deactivate key features Threat_Prevention_xx_xx_xx_xxxxxx.key > request license fetch   Also check if you find something here.   > less mp-log upgradelog_err_content   And check the backend again (palo alto support server) if the licence show up correctly. Another workaround could be to download the licence.key and manual upload it to the firewall. This process could be tricky sometimes.   Hope that helps.     ... View more