About kalyanram.piratla

kalyanram.piratla · ‎03-22-2017

Greetings On PAN-OS 7.1.8 configuring EDL is giving some unexpected results - I have an application based security policie set for my PA management IP addresses to fetch the updates i.e. "paloalto-updates, widlfire, pan-db-cloud, ssl and web-browsing" with service set to application default. No profile actions set to block. After populating the EDL with the lists from http://panwdbl.appspot.com, I went on to one of the added lists and tried "Test Source URL" and the return message was "URL access error". As a test, - Set the service route configuration to use my external interface - "URL access error" - Then created an open policy for the management IP addresses with "any" "any" and the test source URL works returning "source URL is accessbile". Looking at the logs, I noticed the session to start on web-browsing and then move to "google-app-engine" when contacting 216.58.198.244 (panwdbl.appspot.com/lists). So deleted my wide open policy and amended the application based policy by adding "google-app-engine", set my service route back to use the management interface. Commit the configuration and it works. Google-app-engine's default ports are TCP 443 and 80 Looking in to the logs, it uses "google-app-engine" to speak to the website - is this expected behaviour? I find this to be abnormal unless I have missed a very basic point somewhere. Any ideas / thoughts will be helpful. Thanks KP

kalyanram.piratla · ‎08-26-2016

Thanks for your input - I did look at this option, but trying to understand how this can be achieved at a larger scale as there will be plenty of users external to the network who can have access to loads of templates stored on the shared drive.

kalyanram.piratla · ‎08-26-2016

You have potentially hit a bug on version 607 of Apps & Threats. I have noticed this as well and reverting to 606 has left the firewalls in a stable state. Case logged with TAC and is being investigated.

kalyanram.piratla · ‎08-24-2016

Hi Guys Wondering if anyone has any ideas on; There are external clients / users attempting to open word documents that use word templates stored on the corporate network drive. When the user is offsite and not connected to Global Protect or VPN and the user attempts to open the document, Word will attempt to open the template on the network drive and continue to do so for several minutes before giving up and eventually opening the file. For example when I open a word document that contains an embedded template, it will try and download the template from \\abc.com\applications\common\office templates\ABC templates which will cause a DNS lookup of abc.com which returns a public address on my network and therefore hits the PA. Is there any way / guidance on how we can get the firewall to reject the requests to connect to the template and therefore cause word to open the file immediately? I have tried putting in rules to reject / drop / reset when an external client tries to connect via SMB to the IPs that \\abc.com resolves to but this does not appear to work. Any thoughts on this will be greatly appreciated. Thanks in advance. KP

kalyanram.piratla · ‎08-24-2016

Out of interest, what version of Apps and Threat database are you running? Did the passive firewall go in to suspended / non-functional state after the dynamic updates database was updated?

kalyanram.piratla · ‎05-20-2016

Greetings I am not sure if anyone has come across this alert SYSTEM ALERT : critical : fail to integrate the update of registered ip addresses since 61 seconds on a regular basis? If yes, can someone please shed some light on what is causing this issue? When this alert was seen for the first time, I went on to restart the user-id agent as the alert was coming in from the User-ID which did not fix the problem. Raised this as a case and it was noted as a bug and subsequently restarting the User-ID process resolved the issue after upgrading to PAN-OS 6.1.10. It was down to out-of-sync condition between the device server and the User-ID process. Unfortunately, these alerts are back again on 6.1.10 and restarting the user-id process stops the alerts but are back again when the PA's failover. Restarting the user-id process again after the failover stops the alerts. Not sure why this is the case, so wondered if anyone has to share some valuable knowledge on this. Many Thanks

kalyanram.piratla · ‎03-07-2016

Greetings, During NAT, can the PA act as a proxy using link local IP addressing (IPv4). I know we cannot with IPv6. Cheers

kalyanram.piratla · ‎03-02-2015

Hi Guys, Just finding for options and thoughts to be honest... We have a service called Cloudware which is almost like terminal servers. What we are seeing is that users using a browser from these servers are not identified on the PAN as it is not covered by AD authentication. I am aware that it is not possible to run the TS client on Cloudware and we are looking in to ways to see how the (user's) IP is recorded within cloudware... My question is - assuming we have the data from / on the cloudware servers, is there a way this can be pushed in to the Palo Alto may be using API or any other method? Any ideas will be greatly appreciated... Cheers KP

kalyanram.piratla · ‎04-15-2014

Torm, have you managed to sort this out by any chance? The reason being - I am seeing the same behaviour on the VM platform as well. Kind Regards,

kalyanram.piratla · ‎10-08-2013

I will not permitted to do this on the live units specially when the configurations do synchronize. Secondly, I do not have spare PA-5050s to play with or for a matter of fact no spare PAs to play with...

kalyanram.piratla · ‎10-07-2013

Hey Guys... I have done the manual configuration checks and could not find anything related to response page -> sslvpn-custom-login page. The configuration between the active and passive perfectly idetical as well.

kalyanram.piratla · ‎10-07-2013

Greetings, I am kind of stuck on a problem for which I am unable to find a resolution ... When I commit on my secondary device after adding a network setting, it fails with an error message "response page -> sslvpn-custom-login-page" unexpected here. Nowhere did I add the response page on either the active or the passive device. When the commit fails, I get an email alert with the reason stating "opaque: Commit job failed for user xxxx - schema verification failed". I do not have this issue on the active device. The active PAN commits well and the configuration does sync across, but when I do a change very specific for the passive it fails with the above messages. I am having this problem ever since I have upgraded to version 5.0.7. Tried looking wherever possible and nowhere do I find a trace of the custom response page. Any thoughts guys??? Many Thanks Kalyan

kalyanram.piratla · ‎05-09-2013

Tried all means possible. I am now raising it with TAC.

kalyanram.piratla · ‎05-08-2013

Mikand - I was under the impression that Vuln profiles with specific actions set does log the events under Threat Monitor. None of the profiles have allow as an action, so I would ideally expect to see everything being logged in. But that is not the case. For some reason I cannot see any traffic or threat logs for Sophos updates. But upon disabling the rule, the updates work but still nothing in the traffic or threat logs Cheers

kalyanram.piratla · ‎05-08-2013

Yes, I do have it as Log at session end.

kalyanram.piratla · ‎05-08-2013

Not really helpful Jamie. If there is more overhead in creating the PDF then, can you please explain why is it a sweet and simple process for the same report on a different PA-500 running version 4.1.11? These reports that are being generated on the fly are on purpose as they are requested every now and then. I can't go back to the Management and say, we will hand it over to you tomorrow, specially when PAN allows us to generate reports on the fly. And it is not just about PDF, it is the same with CSV and XML! Cheers Kalyan

kalyanram.piratla · ‎05-07-2013

Greetings, Was wondering if any one else has faced this problem. I have Sophos antivirus and when I create a rule with the vulnerability protection set to Strict, it blocks my connection to sophos server for updates. Once I relax the VP rule, it looks fine. Interestingly, I cannot see anything in the traffic/threat logs as well. Has anyone faced such a situation and if yes, how was it managed? Cheers Kalyan

kalyanram.piratla · ‎05-07-2013

Greetings All, I am presently running PanOS 5.0.4 on a PA-500 HA. When I try generating a custom report for "URL Log" for a period of 7 days for Top 50 grouped by Top 50 groups with the URL consisting of porn and category not equal to web-advertisements, it takes ages to generate the report i.e. approx. an hour and then when I try to export in either PDF or CSV format, the browser just hangs. I have tried all the browsers available. I had this issue initially with PanOS 5.0.0. Under the impression that the OS was relatively new, I kept upgrading till 5.0.4 but with no luck. I then restarted the Log Receiver, then the management server for no fun. Any one else has such problems? Any ideas or thoughts? Many Thanks Kind Regards, Kalyan

kalyanram.piratla · ‎03-19-2013

My PA-3020 is now on 5.0.3 and I am noticing that it varying between 45-75% with the device not plugged in-line.

kalyanram.piratla · ‎03-08-2013

This is leading more towards a bug in 5.0.2 related to ACC. This is the latest update I have so far!

kalyanram.piratla · ‎03-07-2013

The reboot then seems to have fixed the issue for me for the time being.

kalyanram.piratla · ‎03-07-2013

True 5.0.2 has kind of been buggy; specially with the CPU issues. But again, 5.0.1 has its own equal share in having issues. I am eagerly waiting for 5.0.3 to be released! Nevertheless, as Rkalugdan states, I will open up a case with PAN support in a bit for further forensics.

kalyanram.piratla · ‎03-07-2013

Hey Hi, I know there can be many more reasons. But a quick insight what else can I look into will be very helpful. Apart from this, are there any known issues with version 5.0.2. regarding rebooting? Regards, Kalyan

kalyanram.piratla · ‎03-07-2013

Greetings, Any idea if PAN OS 5.0.2 has a bug that could reboot the firewall on its own? This has happened yesterday, when the PA-500 self rebooted (obviously lost access to everything for a good 25 mins). First thing I did was: 1. Looked at the system logs for that specific period and there was nothing evident of why the firewall rebooted. I could only see a good gap of 15 mins with no logs; after which logging was regarding the interfaces coming up etc. 2. From the cli I used less mp-log ms.log - to find some interesting stuff (snapshot attached). At 10:36 am when the firewall went down to 10:45 am; nothing has been logged apart from the special character. I could not find any relevant information from any other logs. 3. I then generated the tech support file to figure out if the crashinfo had any information, but nothing was to be found. Any ideas? Any other ways I can find why the firewall has rebooted on its own? Many Thanks Kalyan

kalyanram.piratla · ‎03-01-2013

Hey Sean, It has indeed been a very long time and provided I get a chance to get hold of you. You guys are virtually hard to get off Coming back to this issue, it might be very much a case of a disconnect between the domains. I upgraded to 5.0.2 (risking the high data plane spike bug) but it seems that it has fixed the captive portal issue. Not sure if it was the upgrade or the device required a reboot. And I was very much inclined towards thinking the command must be for the higher spec boxes; but never mind. Regards, Kalyan

kalyanram.piratla · ‎02-27-2013

And yes, completely forgot to ask: 1. Is it a bug on v5.0.1? Could not find any relevant information in the release notes nor on the critical issues document. 2. Will upgrading it to v5.0.2 fix the problem? But I am a bit skeptical on upgrading to 5.0.2 as the bug regarding management plane hitting 100% is not I want. Regards,

kalyanram.piratla · ‎02-27-2013

Greetings, For a quick background; using PA-500 running version 5.0.1 with the User-ID agent installed for domain users as a stand alone agent on the Domain Controller and captive portal setup for AD users using wireless devices. I have Captive Portal configured with NTLM redirect setup. It was all working good with users authenticating and users being identified as abc/user_name. For the past 2 weeks, I am seeing a problem with users being identified by Captive Portal, thereby hitting the explicit deny. 1. When I do a >show user ip-user-mapping ip x.x.x.x, the user name on the Palo Alto comes up as abc.local/user_name instead of abc/user_name after authenticating using Captive Portal and is not associated to any group. 2. When I clear the user cache and re-login via Captive Portal, the user-ip to mapping is correct i.e abc/user_name, but in around 10mins, it changes to abc.local/user_name, thereby hitting the explicit deny. 3. Another strange observation is, the wireless device upon connecting to SSID and browsing through to the internet, I get blocked straight away with no Captive Portal page popping up, but after 10mins when I retry to browse to the internet (without disconnecting from the SSID), bingo I have the Captive Portal page. I authenticate and the mapping works perfectly fine and remains constant. Any thoughts on what and why this behaviour? After searching the knowledge base, I read an article "Sessions Showing Wrong Username when using Captive Portal" documented on the 19th of July 2012. It stated that "When doing NTLM authentication via Captive Portal, not every session is correctly authenticated and there seems to be irregular User/IP mappings in the logs. And this behaviour was when the main dataplane process (dp0) goes our of sync with the other dataplanes. The workaround suggested was to force all traffic to be processed by the dp0 dataplane by issuing the command via CLI; # set session processing-cpu dp0. For my surprise, I could not find this command on the CLI in either config or normal mode on either version 4.1.x or version 5.x.x. Can someone please let me know if this command is available and in which mode do I apply it? If this command is not available or changed etc etc.., can I please ask someone from PAN to update the document. It will be very much appreciated Many Thanks Kind Regards, Kalyan

kalyanram.piratla · ‎02-22-2013

Hello Everyone, Is it possible to monitor mirrored IPv6 traffic in TAP mode? I have a PA-500 and it has been enabled for IPv6 firewalling. Apart from checking this option, is there anything else that has to be done to monitor IPv6 traffic? If it is possible, will I being seeing the IPv6 traffic under Source and Destination columns? Many Thanks, Kalyan

kalyanram.piratla · ‎02-12-2013

Nope. The guest networks was taken as an example. I am trying to have this sorted for students who are handed over iPads to connect to the student SSID. So ideally they would be using their domain accounts.

kalyanram.piratla · ‎02-12-2013

Not exactly. I dont want to open up any browser or access any webpage to be captive portal'd. What I meant to say was: I take my iPad, find a SSID Guest and connect to it. Upon clicking on Guest, I would like to see the captive portal screen. Either I have completely misunderstood your opinion or my thoughts are way to fancy Cheers Kalyan

Date Registered	‎07-14-2011 07:01 AM
Date Last Visited	‎12-21-2017 11:01 AM
Total Messages Posted	175
Total Likes Received	10

Online Status	Offline
Date Last Visited	‎12-21-2017 11:01 AM

Strata

Prisma

Cortex

About kalyanram.piratla