About cchristiansen

Nice blog Bushra.  You're a great CAP manager and a pleasure to work with.   -chadd ... View more

I am not sure what your goal is, so there may be a much better way to accomplish what your are trying to accomplish..  That being said, here is a link to the admin guide for 5.0: https://live.paloaltonetworks.com/servlet/JiveServlet/previewBody/4118-102-7-19329/PA-5.0_Administrators_Guide.pdf On pages 235 and 236 the "regex" rules are described.  This is not full blown regex as you are likely used to.  It is a very cut down version. Here are some "regex(s)" that I have come up with as an example.  The rules state that your data pattern "regex" must be at least 7bytes long.  This is constrained to the string you are searching for and not anything between brackets (so no tricking the system with logic (and, or, etc.).  In these examples I am keying on HTML form post data - so, uploading a file via a web form.  As you can see, the "string" here is "form-data": Any IP: .*(form\-data).*((([0-9])|([0-9][0-9])|([1][0-9][0-9])|([2][0-5][0-5]))\.(([0-9])|([0-9][0-9])|([1][0-9][0-9])|([2][0-5][0-5]))\.(([0-9])|([0-9][0-9])|([1][0-9][0-9])|([2][0-5][0-5]))\.(([0-9])|([0-9][0-9])|([1][0-9][0-9])|([2][0-5][0-5]))).* RFC 1918 (10/8) IP: .*(form\-data).*(([10])\.(([0-9])|([0-9][0-9])|([1][0-9][0-9])|([2][0-5][0-5]))\.(([0-9])|([0-9][0-9])|([1][0-9][0-9])|([2][0-5][0-5]))\.(([0-9])|([0-9][0-9])|([1][0-9][0-9])|([2][0-5][0-5]))).* RFC 1918 (172.16/12) IP: .*(form\-data).*(([172])\.((1[6-9])|(2[0-9])|(3[0-1]))\.(([0-9])|([0-9][0-9])|([1][0-9][0-9])|([2][0-5][0-5]))\.(([0-9])|([0-9][0-9])|([1][0-9][0-9])|([2][0-5][0-5]))).* RFC 1918 (192.168/16) IP: .*(form\-data).*(([192])\.([168])\.(([0-9])|([0-9][0-9])|([1][0-9][0-9])|([2][0-5][0-5]))\.(([0-9])|([0-9][0-9])|([1][0-9][0-9])|([2][0-5][0-5]))).* NOTE: For looking in email, you might use the string "subject" as a key word.  The "regex" would then look like this: Any IP: .*(subject).*((([0-9])|([0-9][0-9])|([1][0-9][0-9])|([2][0-5][0-5]))\.(([0-9])|([0-9][0-9])|([1][0-9][0-9])|([2][0-5][0-5]))\.(([0-9])|([0-9][0-9])|([1][0-9][0-9])|([2][0-5][0-5]))\.(([0-9])|([0-9][0-9])|([1][0-9][0-9])|([2][0-5][0-5]))).* !!!WARNING!!!: This will slow down your commit times, and if you use all of these at the same time, your commit may fail.  This is because there is a limited memory space for compiling custom signatures.  The more complex the signature, the more memory the compile takes.  I tested these on a PA-200 and the commits failed for the most part.  I was able to get the smaller ones to commit and work, but again, this is not recommended. I hope this helps. -chadd. ... View more

Hello Daniel. You can use client certificates in both situations.  You do not need to push your root CA to the clients though.  What you can do is upload the CA public key to the firewall, and use that in a "Certificate Profile".  Then, you will just issue (sign) cerficates for your clients from the Microsoft server, and push them to your clients via a GPO. You can also have one client (machine) certifcation for all your clients and configure that as the "client certificate" on your portal and then give that same certificate to all your clients (GPO maybe).  Then that certificate will be checked against the one configured on the firewall to make sure they are the same cert. There is a third way as well, which would allow you to upload the public key (CA) to your firewall, and have that pushed out to all your clients, so that it is in their trusted root store.  That way, they don't get the nag message about a bad cert.  This is not needed though. Hope this helps. -chadd. ... View more

This configuration is actually a Palo Alto Networks recommended deployment.  If you are using 802.3ad for link aggregation, you should have no issues.  I would suggest you open a case with support so that the issue can be tracked and hopefully resolved. -chadd. ... View more

Here are a few things you can check at the command line. First check to make sure the group in question is recognized by the firewall: admin@PA-200> show user group list cn=vpn-users,ou=groups,dc=panlab,dc=local Total: 1 admin@PA-200> Next, make sure the user you are trying to authenticate with is in that group: admin@PA-200> show user group name "cn=vpn-users,ou=groups,dc=panlab,dc=local" source type: service source:      panlab-389LDAP [1     ] panlab.local\chadd admin@PA-200> As you can see in the output of the last command, domain\user is what the firewall is looking for.  The important parts of the configuration for groups to work correctly are as follows: Device->LDAP->your-ldap-profile: If your LDAP server requires the domain\user login method, you can configure the domain in your profile.  If not, then leave that field blank (try it both ways). Device->User Identification->Group Mapping Settings->Server Profile->your-group-mapping-profile: In 4.1 and later the firewall does the group mapping, so this is where you configure that.  Make sure that these settings match your LDAP install. Device->User Identification->Group Mapping Settings->Group Include List: This is an LDAP filter.  This is used to restrict the LDAP search to these groups.  It is different than the allow list in your authentication profile - this is a filter, not an ACL.  That being said, if you filter out the group you are trying to authenticating to, it obviously won't work. Some things you need to be aware of: There is a delay between the time you add/remove a user to/from a group and when the authentication works.  You can speed up the process by using the following commands: admin@PA-200> debug user-id reset group-mapping   all                        all        panlab-389LDAP   panlab-389LDAP   <value>          group mapping to reset This command is helpful if you want to get the groups to clear from the firewall and have them rediscovered. admin@PA-200> debug user-id refresh group-mapping all admin@PA-200> This command can be run to cause the firewall to pull the new mappings since last time the process ran (delta). If none of the above helps you resolve the issue, it would be great to do a packet capture between your PA and your LDAP server.  Open the pcap in a program like WireShark and filter for ldap (type ldap in the filter and hit enter).  Look for the ldap requests and ldap responses.  Make sure that when you attempt to authenticate, the firewall sends an ldap request to the LDAP server.  If it does not, make sure that your Device->Setup->Services->Service Route Configuration is set up correctly.  If it does send a request, make sure it is correct, and that you get a valid response.  In version 5.x or greater of PAN-OS, you can use tcpdump at the command line to capture this traffic - although, it is best if you scp export the pcap off the box and inspect it with a program like WireShark. All that being said, please open a case with support if you continue to have trouble. Good luck. -chadd. ... View more

Like the last respondent, I would need to know what the intent is here to provide a truely educated response.  I would say this though - if you just need a captive portal, why not use the on buit into the Palo Alto?  If you are trying to use something like Cisco ISE for the captive portal, then the real solution involves WCCP on an intermediate switch, which will intercept the http request, forward it to the proxy server, then after authentication, the switch will redirect the user to the firewall for outbound internet.  Please let us know what technolgies you are trying to leverage, and what the end goal is, and we can make better recommendations.  Good luck. -chadd. ... View more

The answer is, there are no hard and fast numbers.  In A/P, you can adjust the HA timers to deal with delay between the two sites (to a certain extent).   Less than 20ms should be a good rule of thumb.  Latency on all HA links should be the about the same and should be less than the return time of traffic to avoid having the return packet dropped on the peer unit because the session does not exist yet.  You can always contact your SE for these kinds of design questions.  I hope this helps. -chadd. ... View more

Q. When I am configuring IPsec Tunnels and have to identify local and remote  ProxyID, what IP network I should add? pre nat or post nat  network ? A. If you are going Palo Alto to Palo Alto, ProxyIDs are not required - but, I suspect that is not the case do to the nature of your question, so the answer is post NAT.  It will be what the other side expects to see as the source address of the traffic. Q. I have to configure a static rule for vpn traffic. What destination network should be in that way? is it pre nat or post nat network ? if I am adding pre nat network I faced problems that there are other static routes which is used in my local network (because some remote sites subnets are similar like my site subnets). A.  Again, this will be the post NAT address.  The traffic coming from one side to the other will have a source address of what ever you source NAT it to. NOTE:  Make sure that your ProxyIDs match on both sides of the tunnel.  If it is a Cisco ASA for example, the crypto map (ACL) will need to match the proxy IDs configured on your Palo Alto - only in reverse (local on your side is remote on the other and vise versa). Hope this helps, -chadd. ... View more

To answer your question about how long; the answer is immediate.  Are you saving the change to the device group your firewall is in, to a template (in the case of 5.x), or just to Panorama?  Give us some steps you are following (and/or screenshots), and we can better determine where the problem is. -chadd. ... View more

Your best bet is to open a case with support.  They will require a techsupport file to examine.  If there are core files, that should give an indication as to what the problem is.  You can check for cores with: > show system files I would suspect that the HA events do correlate to the problems you are seeing. -chadd. ... View more

Also, if you want to search all the logs from the command line you have this option: admin@PA-200> show log data + action                      action + app                         app + category                    category + csv-output                  csv-output + direction                   direction + dport                       dport + dst                         dst + dstuser                     dstuser + end-time                    end-time + from                        from + query                       query + receive_time                receive_time + rule                        rule + sport                       sport + src                         src + srcuser                     srcuser + start-time                  start-time + suppress-threatid-mapping   suppress-threatid-mapping + to                          to   |                           Pipe through a command   <Enter>                     Finish input admin@PA-200> show log data ... View more

Are you refering to the GUI or command line?  In the GUI, you can click the "?" at the end of the search line and it will give you information about viewing logs.  Also in the GUI, you can click any of the clickable enties within a column and it will put that filter up in the search field for you.  It will always add the next filter as an "and", but if you want, you can change that "and" to "or" if that fits your intended query better.  As for the CLI, you can download the cli guide from the support.paloaltonetworks website for the version of PAN-OS you are running.  You can also just use the "?" on the CLI as well.  For example: admin@PA-200> show session all filter ? + application         Application name + count               count number of sessions only + destination         destination IP address + destination-port    Destination port + destination-user    Destination user + egress-interface    egress interface + from                From zone + hw-interface        hardware interface + ingress-interface   ingress interface + min-kb              minimum KB of byte count + nat                 If session is NAT + nat-rule            NAT rule name + pbf-rule            Policy-Based-Forwarding rule name + protocol            IP protocol value + qos-class           QoS class + qos-node-id         QoS node-id value + qos-rule            QoS rule name + rematch             rematch sessions + rule                Security rule name + source              source IP address + source-port         Source port + source-user         Source user + ssl-decrypt         session is decrypted + start-at            Show next 1K sessions + state               flow state + to                  To zone + type                flow type   |                   Pipe through a command   <Enter>             Finish input admin@PA-200> show session all filter Hope this helps answer your question.  If not, please be more specific and I will try and get you the information you need. -chadd. ... View more

Have you thought about using custom application signatures and then using those in your security policies, in conjunction with UserID?  Here is a document on Custom Apps: Creating Custom Application Signatures There are lots of other documents in the knowledgebase that can help you as well. Good luck! -chadd. ... View more

You can use the RESTAPI.  Here is one method: The username and password for this firewall is 'admin'. First, get an API key: curl --insecure https://10.30.1.131/api/?type=keygen\&user='admin'\&password='admin ' Which returns: <response status = 'success'><result><key>LUFRPT14MW5xOEo1R09KVlBZNnpnemh0VHRBOWl6TGM9bXcwM3JHUGVhRlNiY0dCR0srNERUQT09</key></result></response> Second, take the key and use it in the following query: curl --insecure https://10.30.1.131/api/?type=op\&key=LUFRPT14MW5xOEo1R09KVlBZNnpnemh0VHRBOWl6TGM9bXcwM3JHUGVhRlNiY0dCR0srNERUQT09\&cmd= '<show><admins></admins></show>' | sed 's/<entry>/\'$'\n/g' | wc This will give you the number of admins currently logged in.  The sed command is just looking for the "<entry>" tag and replacing it with a new line so we can then pipe the output to 'wc' (counts lines). Currently there is no way to just get a count from the GUI or command line.  You can use the API from a web browser too, I just chose the use curl in this example so I could manipulate the output for a simple count. Hope this helps! -chadd. ... View more

Hello soporteseguridad, I have had quite a few questions on this topic recently and have tried lots of things.  Unfortunately none have been very helpful.  The problem with most spam is that it is valid email (not malware), just lots of it, and unsolicited.  Here are a few options that may or may not help. 1.) The answer given by HITSSEC was one that it thought would be a great idea, though I tried it, and had very weak results.  The problem was, that even when metering SMTP traffic down to something like 2pps, I was still able to pass out 80+ emails out of 100 in a couple of seconds..Not very helpful.  In addition, if your spamming from an SMTP(postfix) type server, the server will just keep trying to deliver the messages.  It will eventually succeed after your DoS rule timeout happens.  I tested this with a postfix server running on my Mac (and a handy spam script), behind my PA-200 with a DoS policy.  It didn't matter how much I decreased the allowed pps, the policy did not prevent spamming - just slowed it down some. 2.) Dynamic block lists.  This is an option available in 5.x and could be useful if you are trying to block email being sent to known relay servers, or from known IPs.  If you were so inclined, I imagine you could pull a list with a script (curl or wget) from a site that tracks spammers and make that file available on a webserver that your firewall has access to.  Then, add that path to your security rule as a dynamic block list.  This will of course not be helpful if the spam is being sent from dynamic (changing) IPs. See KB here: 3.) Dynamic address objects. Also in 5.x, you can have a dynamic address object in your security rule which can be updated via a script using the XML API on the firewall.  This could be an option if you had a method (external to the firewall) to detect and identify spammer IPs.  I have seen people use this feature to great success in conjunction with Splunk and the PaloAlto app for splunk (which contains a python script for updating dynamic address objects).  See KB here for info on dynamic address objects: Dynamic Address Objects Hope this helps, -chadd. ... View more

It is true that you are not able to simply initiate a packet capture with a security rule as the filter criteria.  However, you can do the following: admin@PA-200> show session all filter rule dns-test -------------------------------------------------------------------------------- ID      Application    State   Type Flag  Src[Sport]/Zone/Proto (translated IP[Port]) Vsys                                      Dst[Dport]/Zone (translated IP[Port]) -------------------------------------------------------------------------------- 13580   dns            ACTIVE  FLOW  NS   192.168.100.50[52160]/trust/17  (10.19.0.107[39841]) vsys1                                     10.0.0.246[53]/untrust  (10.0.0.246[53]) 12502   dns            ACTIVE  FLOW  NS   192.168.100.50[49422]/trust/17  (10.19.0.107[62992]) vsys1                                     10.0.0.246[53]/untrust  (10.0.0.246[53]) 13571   dns            ACTIVE  FLOW  NS   192.168.100.50[52502]/trust/17  (10.19.0.107[15692]) vsys1                                     10.0.0.246[53]/untrust  (10.0.0.246[53]) 13590   dns            ACTIVE  FLOW  NS   192.168.100.50[62261]/trust/17  (10.19.0.107[32684]) vsys1                                     10.0.0.246[53]/untrust  (10.0.0.246[53]) admin@PA-200> show session id 13580 Session           13580         c2s flow:                 source:      192.168.100.50 [trust]                 dst:         10.0.0.246                 proto:       17                 sport:       52160           dport:      53                 state:       INIT            type:       FLOW                 src user:    unknown                 dst user:    unknown         s2c flow:                 source:      10.0.0.246 [untrust]                 dst:         10.19.0.107                 proto:       17                 sport:       53              dport:      39841                 state:       INIT            type:       FLOW                 src user:    unknown                 dst user:    unknown         start time                    : Thu Jun 20 03:48:34 2013         timeout                       : 30 sec         total byte count(c2s)         : 95         total byte count(s2c)         : 152         layer7 packet count(c2s)      : 1         layer7 packet count(s2c)      : 1         vsys                          : vsys1         application                   : dns          rule                          : dns-test         session to be logged at end   : True         session in session ager       : False         session synced from HA peer   : False         address/port translation      : source + destination         nat-rule                      : NATOUT(vsys1)         layer7 processing             : enabled         URL filtering enabled         : True         URL category                  : any         session via syn-cookies       : False         session terminated on host    : False         session traverses tunnel      : False         captive portal session        : False         ingress interface             : ethernet1/2         egress interface              : ethernet1/1         session QoS rule              : N/A (class 4) admin@PA-200> "show session all filter rule" will give you the sessions that are currently matching your rule.  You can get the session data by doing "show session id <ID>". Capturing the actual data will require a packet capture, either on the firewall or another machine. -chadd. ... View more

To answer your second question, the "Exempt Profiles" is where you can add an exception directly from that dialog.  Click on it and configure that profile with exemptions.  Hope this helps, -chadd. ... View more