About AnalysisMan

AnalysisMan · ‎02-03-2020

There are two pieces in this question. I believe that you are asking related to 2) because you manually shut down the tunnel. 1) Tunnel monitor (reducing the tunnel failover time) Reduce the Monitor profile 'Interval' and 'Threshold' on the Network -> Network Profiles -> Monitor. 2) OSPF timing (reducing the convergence time) Reduce the Hello Interval (sec) - by changing the 'Hello Interval' (default: 10 seconds) on the Network -> Virtual Routers -> OSPF. Hope this helps,

AnalysisMan · ‎02-03-2020

The log shows that it's failing while validating the signature of SAML. You may try this out: 1) Uncheck 'Validate Identity Provider Certificate,' and 'Sign SAML Message to IDP' on the Device -> Server Profiles -> SAML Identity Provider. 2) Set to 'None' in 'Certificate for Signing Requests' and 'Certificate Profile' on the Device -> Authentication Profile -> authentication profile you configured for Azure SAML. Hope this helps,

AnalysisMan · ‎02-03-2020

It's hard to pinpoint the issue without details, but the article says as below. "This incorrect flow was dropped by the firewall, which caused the end hosts to not receive the IP address because the DHCP Offer never reached the DHCP relay device." 1) I recommend you to check the network reachability. 2) Check the firewall rules. 3) You may use the following CLI commands if the packets are dropping, or do a packet capture on the firewall. > show counter global filter severity drop > show counter global filter delta yes severity drop Hope this helps,

AnalysisMan · ‎02-03-2020

There is a feature called 'Data Filtering.' It's a PAN-OS feature, so it's not really tied to the hardware model. https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/threat-prevention/set-up-data-filtering.html#id664a76a7-883b-442d-a73f-bba8e6a63366 Hops this helps,

AnalysisMan · ‎01-28-2020

In your case, Packet Buffer Protection (PBP) should work, and it will protect your OSPF connections. I had many cases under high CPU spikes, and Zone Protection & DoS Protection didn't really help in my cases (probably, in your case as well.) My engineering generates aggressive traffic sometimes, and it easily spikes up high CPU on the firewall. It's impossible to control or rate limit it because they use this protocol today, but later they may use other protocols or applications. Even if your case is a bug, you can only delay the situation by upgrading the PAN-OS. The high CPU event could be happening later by other protocols or applications. I'm happy with the PBP solution since I applied it. Because it protects the firewall and never reaches 100% CPU usage. Here is the link for PBP. https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/zone-protection-and-dos-protection/zone-defense/packet-buffer-protection

AnalysisMan · ‎01-27-2020

There is another way to block the email applications. You can block the application with 'gmail-base', 'yahoo-mail-base.'

AnalysisMan · ‎01-27-2020

You may block webmail domains like mail.yahoo.com, mail.google.com. Or If you have the URL Filtering license, you can block entire web-based emails with a category called 'web-based-email.'

AnalysisMan · ‎01-27-2020

You may block the Yahoo email server's domains. Incoming Mail (POP) Server: pop.mail.yahoo.com Outgoing Mail (SMTP) Server: smtp.mail.yahoo.com However, it works only for direct access from the internal client to the servers. Many users use web browsers to access their emails (webmail). Plus, there is another issue that the users may access the Yahoo emails through other email providers. (e.g., I access my Yahoo emails via Gmail - there is a feature called 'Import mail' or 'Check mail from other accounts.') That means you have to block other service providers such as Google.

AnalysisMan · ‎01-27-2020

I came across this weird source name on the traffic logs while checking a GlobalProtect issue. Has anyone seen this case? Other users' logs are displayed with corporate\domain correctly.

AnalysisMan · ‎06-06-2019

FYI - Here is a workaround for someone who wants to bring up the HA1 Backup before upgrading the PAN-OS. Step 1. Change the Port type from ha1-b to management on Active firewall and Commit (Device -> High Availability -> General > Control link (HA1 Backup) Step 2. Revert back to the previous configuration with the Port type: ha1-b, along with the IP address and Commit. This workaround should bring up the HA1 Backup. Hope this helps!

AnalysisMan · ‎06-06-2019

Thanks for your reply! Do you have the bug/issue ID? Or is this non-public one?

AnalysisMan · ‎06-06-2019

Any updates on this case? I've got the same issue on PA-3220 with PAN-OS 8.1.8. I see the symptom precisely like you that ' receive packets dropped' increased on Active firewall. I'm going to open a case with TAC.

AnalysisMan · ‎06-06-2019

Same issue on PA-3220 with PAN-OS 8.1.8.

AnalysisMan · ‎10-12-2018

You should be able to download the WildFire DB on the Customer Support Portal -> Updates -> Dynamic Updates. And then you import the package on the firewall: Device -> Dynamic Updates. Hope this helps!

AnalysisMan · ‎10-11-2018

FYI - PAN-OS 8.1.4 is released today and available, but I don't see any addressed issues with ARP. https://www.paloaltonetworks.com/documentation/81/pan-os/pan-os-release-notes/pan-os-8-1-addressed-issues/pan-os-8-1-4-addressed-issues

AnalysisMan · ‎10-11-2018

Use the globalprotect show --error command to view errors reported by the app. user@linuxhost:~$ globalprotect show --error And make sure if your system is reachable to the VPN portal and gateways by running 'ping gp.yourcompanydomain.com' (ICMP could be blocked), or 'telnet gp.yourcompanydomain.com 443'. Also, UDP/4501 is used for IPSec tunnel connections between the GlobalProtect agents and Gateways.

AnalysisMan · ‎10-11-2018

The VPN portal should be an external IP address or FQDN since the users are located outside, and they use external DNS servers like 8.8.8.8, and TCP/443 is used for communication between GlobalProtect agents and Portals, or GlobalProtect agents and Gateways. Also, UDP/4501 is used for IPSec tunnel connections between the GlobalProtect agents and Gateways.

AnalysisMan · ‎10-11-2018

Try this: uncheck 'Verify Update Server Identity' on the Device -> Setup -> Services tab, commit and check if it works.

AnalysisMan · ‎10-11-2018

The TAC didn't recommend PAN-OS 8.1.2 and 8.1.3. Your issue might be related to the following defect. I will go with 8.1.1 this weekend. Hope this helps! # Here is the defect PAN-101604. Please verify if it is applicable in your scenario OR not. [8.1.2 PA-3220] Firewall sends ARP broadcast request with wrong Sender/Target IPs , with "pan_plfm_fe_cp_arp_delete(src/fe/cp/pan_platform_fe_cp.c:1544): Cannot find such an entry" 1) FW sends ARP request broadcast for its own interface, with neighbor's IP as sender's IP address, triggered by neighbor's OSPF update message. 2) "show arp all" shows entries for FW's own interfaces. These entries are marked as "incomplete." Workarounds: Disable OSPF if possible OR downgrade to 8.1.1.

AnalysisMan · ‎10-11-2018

It looks like here: https://live.paloaltonetworks.com/t5/Customer-Advisories/tkb-p/SupportAnnouncements

AnalysisMan · ‎10-11-2018

I've got an update from the TAC as below. # The reason for the Microsoft issues is that an Office365 host was incorrectly categorized as 'Phishing' in an earlier PAN-DB update. This has since been flipped back to the correct category of 'computer-and-internet-info' in a subsequent update. The issue is still being analyzed as we speak. We would be posting an update to the Customer Advisory board once we have more details surrounding the incident and an RCA is determined.

AnalysisMan · ‎10-11-2018

There was a massive outage on Microsoft sites. It has been resolved now, but I was wondering if this something related to Palo Alto Dynamic updates. https://www.reddit.com/r/sysadmin/comments/9nc9oj/microsoft_authentication_issues_with_akamai_ips/ We just got nailed this morning with issues caused by Palo Alto Firewalls adding an Akamai IP/IP-range to it's blocked IP definitions in it's regular definition updates sometime in the past 12 hours. This caused a blank page for redirection to o365 authentication prior to ADFS for owa/onedrive/sharepoint/etc so users couldn't connect to these services. Just a heads up for anyone else that might be bumping into this, I hear of a number of other local orgs bumping up against this so I'm guessing it's reasonably widespread.

AnalysisMan · ‎09-26-2018

I submitted RMAs twice and got a good firewall. I couldn't believe that three firewalls were bad. That was a once - in - a - lifetime experience!

AnalysisMan · ‎09-07-2018

You won't be able to see the deny logs for the implicitly denied rule, unless you set to log it with a specific rule. You may try two options. 1) Add two Services Objects with TCP/20 and 21, and allow it on the Security Policies. 2) Do a packet capture while you are testing an FTP connection.

AnalysisMan · ‎09-07-2018

There is an option with "Allow with prompt", which shows the prompt for the upgrade. However, please keep in mind that many people do not click on the upgrade prompt. We were using this option a long time ago, and many people never upgraded their GP client. When a bug hit on GlobalProtect by Dynamic Updates, it impacted on the GP client users with lower versions. And they couldn't connect to the VPN. Therefore, I've changed the option to "Transparent" for mandatory update. Hope this helps!

AnalysisMan · ‎09-06-2018

I've got two new PA-3220s in HA (active/passive). Active firewall's HSCI port does not light up green LED, whereas passive light up green. I used an SFP+ and MM cable (tried Twinax as well). I have a replaced firewall for active firewall, but it still doesn't up. However, all HA state looks fine on the Dashboard/High Availability. Is this something expected behavior? Active firewall - no HSCI LED Passive firewall - HSCI ok

AnalysisMan · ‎12-06-2017

I'm working on the 8.0.6 upgrade as well. Last Friday, I upgraded 3 set of PA-500s in HA from 7.1.x to 8.0.6, and it seems okay, no complaints yet. However, there are always bugs in there, and it triggers in different situations. So the final decision is yours.

AnalysisMan · ‎12-01-2017

Here is my suggession for corrupted GP client. # Uninstall corrupted GP client 1. Uninstall the GP client on 'Add or remove programs' * Make sure if the following folder is deleted (hidden folder): C:\Users\username\AppData\Local\Palo Alto Networks 2. Run ‘regedit’. Edit -> Find: put ‘globalprotect’ and ‘palo alto networks’ (remove the single quotation when you put the keywords) Delete ALL the items you found with the two keywords. Be patient, and delete all the items… * Don’t use the RegCleaner tools. 3. REBOOT the system (don’t omit this step) 4. Download and install the lastest GP client from the GlobalProtect Portal. Hope this helps! - ER

AnalysisMan · ‎11-29-2017

Thanks for your comments. I am in the Panorama context, and I know that it cannot be modified on the device/firewall level if the templates pushed from Panorama.

AnalysisMan · ‎11-29-2017

There are only two super users: 'admin' and my account. My account is kind of a backup account, and I don't use it primarily.

Date Registered	‎03-11-2013 08:22 PM
Date Last Visited	2 weeks ago
Total Messages Posted	36
Total Likes Received	10

Online Status	Offline
Date Last Visited	2 weeks ago

Enterprise

Prisma

Cortex

About AnalysisMan