About rkim

rkim · ‎08-24-2015

Just to add to this thread, yes you should be able to achieve 30Gbps max firewall performance by simply adding an NPC even if you do not use the ports on that NPC. However, there is a change that you may need to make on the system level. By default the session distribution policy is set for ingress-slot. That means that sessions will only be handled by the NPC that has connected ports. In order to load balance between all NPCs you would have to change the session distribution policy to either session-load, random or round-robin. The differences between each setting are documented here. https://www.paloaltonetworks.com/content/dam/paloaltonetworks-com/en_US/assets/pdf/technical-documentation/hardware-guides/pa-7000-series/PA-7000-Series_Hardware_Guide.pdf Note that if in HA, the session distribution policy needs to configured the same on both HA peers separately as this is not sync'd with configurations.

rkim · ‎08-01-2014

It sounds like you are hitting phase 2 lifetime and tunnel drops due to lack of traffic across the tunnel. PANOS defaults to 1 hour for ipsec-sa 2 lifetime. Have you checked with Cisco to see what is their ipsec SA lifetime? Based on your last comment, seems that tunnel is functioning as expected. You may want to also check with Cisco to see if they have a way to keep their tunnels always up.

rkim · ‎04-01-2014

Have you seen this doc yet? User-ID Best Practices - PAN-OS 5.0, 6.0 This outlines several options for mapping users to IPs. In particular, if you have AD environment I would consider reading security logs method over WMI if you want to avoid the inherent chattiness of probing. There are other options as well such as using MS Exchange or if running 6.0.x, using syslog for ip-user mappings. -Richard

rkim · ‎03-09-2014

You don't mention anything about what PAN-OS version you are running or your management resource utilization. I would suggest following below article for some commands to view overall system utilization. Troubleshooting Slowness with Traffic, Management, or Intermittent SSL Decryption If you still have issue, I would recommend contact TAC to see if there is anything perhaps consuming inordinately large amount of resources or not. -Richard

rkim · ‎03-09-2014

2014-03-07 12:40:36 [PROTO_NOTIFY]: ====> PHASE-1 NEGOTIATION STARTED AS INITIATOR, MAIN MODE <==== ====> Initiated SA: 126.57.38.50[500]-85.111.55.10[500] cookie:2fa8ed99f184af97:0000000000000000 <==== This could be for following reasons: 1. PAN device is sending out UDP 500 packet to start phase 1. But it is not received on SSG side. 2. SSG received PAN UDP 500 packet, but is not sending out 2nd message with responder cookie. 3. SSG received PAN UDP 500 packet and sent 2nd message with responder cookie. But it is not reaching PAN device. 4. SSG sent 2nd message and PAN device received it. But did not recognize it for some reason. Best thing to do in this case is to narrow down which side is having a problem. I would suggest running packet captures on both PAN side as well as SSG side filtering for UDP 500 packets. What you are looking for is to see if PAN is sending IKE packet and on SSG side make sure IKE is received. If PAN side shows IKE is sent but SSG side never sees the packet, then you have an issue on your provider side possibly blocking UDP port 500. Just remember for any VPN troubleshooting you always want to look at both sides of the tunnel. So let us know what SSG is seeing as well. -Richard

rkim · ‎03-09-2014

Just to add to discussion, CP works by sending a 302 redirect when HTTP GET is received. HTTPS encrypts the GET message. Hence no redirect is triggered. This is why you need SSL decryption if you want to CP HTTPS traffic. -Richard

rkim · ‎03-03-2014

These messages are seen now due to new enhancements in 6.0 related to Syslog over TCP or SSL. However, the message is incorrectly being sent once every hour. That will be addressed in upcoming 6.0.1 (reference addressed issue id 60816 once 6.0.1 becomes available). -Richard

rkim · ‎01-02-2014

To verify if traffic is transmitted or received by the PA device, you can set up packet captures. If you are not familiar with how to do that, you can follow below link. https://live.paloaltonetworks.com/docs/DOC-2542 Basically the idea is to set up transmit stage captures to see if packet was transmitted from DP and receive stage captures to see if you received a response from destination host. -Richard

rkim · ‎10-31-2013

Predict sessions are created due to ALG function in a particular application decoder. When a packet arrives which matches the predict session, it will be converted to a regular Flow session. Predict sessions do not generate a traffic log. But the resulting Flow session will. Hope that helps. -Richard

rkim · ‎10-31-2013

Currently there is no OID for tracking GP users via SNMP. However, I would advise to contact your PANW Sales Rep to inquire about roadmap for such a feature. -Richard

rkim · ‎10-31-2013

Did a quick test on PA-3020 and PA-200 and the test nat-policy-match command worked fine for me. I used PAN-OS 5.0.6 and 5.0.8. What PAN-OS version are you running? Perhaps you can try adding more parameters in your test command such as from zone, etc. See if that makes a difference. -Richard

rkim · ‎10-11-2013

Multiple gateways to single portal requires a GP Portal license on your portal firewall. Otherwise you cannot configure your second gateway on the 1st firewall. Do you have the license properly installed for GP Portal? Easiest way to check would be on GUI goto Device tab > Licenses. -Richard

rkim · ‎08-20-2013

Could you confirm that you are currently running PAN-OS 4.1.2 ? If so then there were some NAT pool leak issues resolved between that release and latest 4.1.x release which is 4.1.14. If indeed on 4.1.2 then I would recommend scheduling an upgrade to 4.1.14 and see if you still have issues. If you continue to have NAT pool issues with 4.1.14, then I would recommend to open a support case to have TAC investigate. -Richard

rkim · ‎08-20-2013

I am not familiar with CP port reuse option, but am curious if it basically disables TCP window or sequence checking. On PANW firewalls you can disable TCP window checking to work around port reuse situations. One major issue with hosts that re-use source ports for connections is that second session would use new Seq/Ack values which would likely fall outside of our normal TCP window checks. On other vendor platforms, this may also be referred to as TCP sequence checking. I normally recommend to correct the behavior to not re-use source ports at the source since this is inherently insecure behavior. But if that is not possible, then disabling the TCP window checking functionality in PAN-OS may be the best alternative. There are two ways to disable the TCP window checking. 1. Globally with configuration: # set deviceconfig setting tcp asymmetric-path bypass # commit 2. Per zone within Zone Protection Profile > Packet-Based Attack Prevention. Set Asymmetric Path to "bypass". Then apply to the zone in which client originates the session followed by commit. The risk in disabling TCP Window checking is that you can potentially open up the firewall to man-in-the-middle attacks. This is why I recommend to correct the problem at the source. -Richard

rkim · ‎07-29-2013

I believe that the feature that Juniper ScreenOS/SRX uses to support binding multiple VPNs to single tunnel interface is called next-hop tunnel binding (NHTB). This is not part of the RFC standard for IPsec and should be considered proprietary for Juniper. For the most part this allows to save on the number of tunnel interfaces that would need to be configured and is meant for hub-and-spoke configurations. The configuration though is not that simple in that despite sharing single tunnel interface as you still need to populate the NHTB table with either static NHTB entries or via routing protocol such as OSPF p2mp. For PAN-OS there are two options to do similar scenario. 1. With 5.0 you can deploy large-scale VPN with Global Protect Satellite configuration. This is closest to Juniper NHTB. It is actually similar in that you can use a single tunnel interface and then can either specify routes to advertise to GP gateway or use OSPF to learn routes from all spoke sites. But also can do much more in that the configs on each satellite site is rather easy since you point each satellite site to the GP portal to automatically get all configs about each GP gateway to connect to. 2. Configure separate tunnel interface for each spoke site. There should not be an issue with limit on number of tunnel interfaces that can be configured (actually the limit is higher than the max number if SAs that can be configured). Then you can add each of the interfaces into OSPF p2p to learn each spoke site routes. For reference, here is a good doc on the Large-Scale VPN feature in 5.0. https://live.paloaltonetworks.com/docs/DOC-4139 Hope this helps. -Richard

rkim · ‎05-02-2013

Is the OpenVPN traffic matching some other rule? If so then what application is it showing as? You may need to open a support case with TAC if the application is not recognized correctly. -Richard

rkim · ‎05-02-2013

Auth failures could imply fragmented encrypted traffic with some missing fragments. PCAPs should help determine if this is the case. Also ensure that you do not have any zone protection profiles which block frags. -Richard

rkim · ‎03-25-2013

You didn't mention what your alert and activate thresholds are set to. One thing you can do is to try lowering these values to lowest possible to ensure that the rule is having the desired affect. If they are then you can increase the values to a more real-world number. But as you mentioned that you are testing, this should help to isolate if things are working as expected. Also to help verify you can look at global counters to ensure the zone protection is working. This is done via CLI with following command. > show counter global filter delta yes | match dos Hope this helps. -Richard

rkim · ‎03-25-2013

Are you seeing the missing ip-netmask error when pushing just to 4.1.x devices? Or are you seeing also for PAN-OS 5.0 devices? Also were you able to get commits to work in the past with your current OS versions or did this break after you upgraded or performed some other action? If some action was done prior to seeing these errors, then what was the action?

rkim · ‎11-14-2012

Regarding app dependencies in rulebase, you can upgrade from 4.1.8 to 5.0.0 fine as any explicit allow rules that you already have for app dependencies will continue to work as it did before. So there should be no modifications needed there. Regarding proxy-id limits increased, this has been increased from max of 10 to 250 for all platforms except for PA-200. PA-200 will support up to 25 proxy-ids. Regarding Google safe image support, please contact your Palo Alto Networks sales rep for information about upcoming new features. -Richard

rkim · ‎11-14-2012

We are currently evaluating 4.1.9 release as more devices upgrade to that release. We expect to be in a better position to recommend 4.1.9 within the next couple of weeks if things continue to be positive with that release. Hence per Numan's response, our current recommendation is 4.1.8-h3. -Richard

rkim · ‎10-30-2012

We do not feel that using client-server collusion by starting the connection as a permitted application and switching to another is genuine or valid test. The scheme devised in the test assumes both the client and server are already under the control of the attacker. We don't know of any real-world clients or servers that can talk HTTP initially and then switch to SSH. Our app-ID has coverage for many evasive real-world tunneling applications and we continue to add coverage for more as we discover them. In this instance, we are working to enhance checks in our HTTP decoder to identify this scheme and set the session to be unknown-tcp. We are targeting to make the fix available in the next 1-2 content updates.

rkim · ‎10-17-2012

I am not aware of any such plans. You should consult with your Sales Engineer for roadmap type of questions. However, what you are requesting should be easy to do by running a cron job on a server and scripting the "show config running" output to a filename. There should be many such examples on the Internet. -Richard

rkim · ‎06-22-2012

At present time there are no Linux IPSec clients that we support. I would recommend checking with your Sales contact to get roadmap information for upcoming support.

rkim · ‎06-22-2012

So long as configs are in HA sync, commits should be possible on either active or passive device. With exception for box specific configs (HA settings, mgmt IP, etc), It should not matter which device you commit from.

rkim · ‎04-28-2012

How many groups do you have? If you have a very large number of groups (several hundred or more) then you could hit limits to number of groups that can be used in policy. If that is the case, then it is always recommended to filter groups to only those that you require in policies. -Richard

rkim · ‎03-28-2012

PAN devices cannot have rules based on MAC addresses per se. Session flow key includes following in sextuple: Source IP Source port Destination IP Destination port Protocol Zone Having said that, if in L3 mode then there would be no way to have security rules act based on MAC address. If in L2 mode then it will depend on L2 forwarding based on MAC address. In general if you need do to any sort of filtering of MAC addresses then this really needs to be done on L2 devices. That means the switch and not PA which looks at L3 and up. -Richard

rkim · ‎03-21-2012

You are basically describing a u-turn NAT scenario. Have a look at below article as it could help to understand how this scenario works. https://live.paloaltonetworks.com/docs/DOC-1678 You may also find below Tech Note useful as well. https://support.paloaltonetworks.com/index.php?option=com_pan&task=dl_tech_doc&filename=Understanding-NAT.pdf -Richard

rkim · ‎02-28-2012

What OS did you upgrade from? Was it already running 4.1.x or was it 4.0 or earlier?

rkim · ‎02-28-2012

Could be number of things such as routing issue, packet loss on PA or upstream devices, etc. I am doubtful that the code upgrade had anything to do with the issue, appears to be coincidence. I would recommend opening a support case and running combination of traffic log analysis, packet-capture, dataplane flow debug and possibly upstream device debugging. -Richard

Date Registered	‎06-03-2011 10:52 AM
Date Last Visited	yesterday
Total Messages Posted	314
Total Likes Received	47

Online Status	Offline
Date Last Visited	yesterday

Strata

Prisma

Cortex

About rkim