About vsys_remo

Hi @Yasar2020  It really depends on the internetactivity. In my case we had situations where our 5050s were exhausted with 250mbps of internet traffic. The sessioncount I think was somewhere arount 18'000 concurrent sessions with about 12'000 decrypted sessions (it's already a while ago since I replaced them, so I am not 100% sure if I remember correctly). But with more and more websites offering decryption with stronger algorithms, the 5050 will probably have even faster not enough computing capacity for tls decryption. Without decryption the 5050s are probably still fast enough, but you cannot go higher than PAN-OS 8.1 which is also a point you should keep in mind when using these as internet firewall. ... View more

Hi @Yasar2020  Prior to propose a migration procedure, are you going to use the 5050 for ssl decryption and if yes, how many users internettraffic should be protected by this firewall and what internet bandwidth do you have? ... View more

In this case please open the website again but this time with developer tools opened in the browser and then go to the network tab. There you should see if some requests are failing. For further help here I kindly ask you to provide some more screenshots (network tab of the developer tools, security policy, logs on the firewall). ... View more

@Joshan_Lakhani Do youbuse url filtering? If yes, do you have blocked categories configured and did you also check the url log for blocked urls? Did you try with a policy that allows any? ... View more

Ok, so for example when a client asks for www.google.com you want only one IP as response? If I understood now correctly, then no, this is not possible. ... View more

Hi @Joshan_Lakhani  I see two possibilities to do this: Configure the DNS proxy feature to only correctly resolve this one dns entry you need (the client/server then needs to have this dns proxy IP configured as DNS server) Create a custom application signature where you specify the DNS entry that you want to allow ... View more

@Joshan_Lakhani So when you are behind the paloalto, you only have problems with twitter or with internetaccess in general? ... View more

@Joshan_Lakhani Some more information would be nice in order to help here ... Is internetaccess in general working? How does the security policy look like? Do you have dropped connections in the log? Is TLS decryption enabled and working properly? ... View more

Hi @raji_toor  You now reached a point where it is at least possible, that something on the firewall ist not compatible with the F5. So at this point I would recommend to open a support case and then continue with the following troubleshooting (these logs will also be required in the support case).  Obbiously you need to change the IPs and maybe also the port, depending on your configuration clear counter global debug dataplane packet-diag clear all debug dataplane packet-diag clear log log debug dataplane packet-diag set filter match source 1.1.1.1 destination 2.2.2.2 destination-port 443 protocol 6 debug dataplane packet-diag set log feature proxy basic debug dataplane packet-diag set log feature flow basic debug dataplane packet-diag set log on debug dataplane packet-diag set capture on Then you connect to the VIP with decryption enabled and right after that enter the following command. In the output, maybe you already see a specific counter which could lead to the reason of the problem show counter global filter packet-filter yes Try to connect a second time and then stop the logging and capture debug dataplane packet-diag set log off debug dataplane packet-diag set capture off Then aggregate the logs. The output of the command will show you the filename that you need to analyze debug dataplane packet-diag aggregate-logs Prior to analyze the logfile start now with generating a techsupportfile (for the supportcase) Maybe for analysis you want to copy the logile away from the firewall to open it in a texteditor but of course you can also view it in cli. About here I don't know what to do exactly, I would scroll through the logs to find something that maybe shows the reason why the TLS handshake fails after the client hello.   ... View more

Hi @Marc.Luecke  What OS version do you have and what TSA version do you use? At the time when this happens, did you check the allocated ports for this user? Did he maybe reach the 200 ports? How many users are connected to that server? Did you verify if the connection on this port really is from that user that tries to download something he should not be allowed? ... View more

Hi @raji_toor  Yes, I think you are right with this conclusion. But besides that I would recommend anyway to configure some stronger ciphersuites on the servers, you could give it a try with enabling 3DES in the decryption profile via CLI. I did not test it with an actual inbound decryption, but I was able to enable 3DES with TLS1.2 in CLI. On the WebUI then it does not even show 3DES enabled but in the configuration it is there. ... View more

Hi @NOC-VL  Did you try this way? Stop the PanGPS Service Change the reg key for the portal Start the PanGPS Service again ... View more

Hi @PKCCommsTeam  For this you do not need an internal gateway. You wrote that you have configured always-on mode: pre-logon or user-logon? What globalprotect version do you use? ... View more

Hi @Carracido  The objects you want to use in the template, are these objects really in "shared" context or part of a specific devicegroup? ... View more

What I meant was that you should add "vsys1+" in the GUI. At least in my case it was working in CLI and WebUI. ... View more

Hi @kams19  Thanks for bringing this to my attention. With this I tried again. So if you manually add "vsys1+" in front of the URL category name, the test works and no longer shows an error. I also tested on a firewall with a single vsys - so there is only vsys1. ... View more

@kams19 it looks like this is a bug. Only the paloalto url categories work and every custom url category leads to this error. I tested with PAN-OS 10. ... View more

@jdelio wrote: So, all links are sent to the cloud at this time, duplicate or not.   Hmn ... what if now all these attributes are the same? Either if the same email really was sent 500 times or if the same email was sent to 500 recipients in bcc. In this case the firewall would only show the actual recipient in the to field of the email but nothing about bcc. But I assume even then there it will be forwarded to wildfire 500 times. ... View more

Thanks @jdelio This makes sense, as the URL is only one of the different attributes contained in wildfire report. ... View more

Hi @kams19  With that rule theoreticaĺly every IP will match. Because of that you also configured the custom URL category. So when a host tries to connect to google.com, the tcp handshake will succed, but in the TLS handshake, the firewaĺl will see the hostname and from that point on the connection will no longer match your windows update rule and it will be dropped (except if you have some more rules that could match for that connection). In the policy match test, if you choose also the URL category, then the result will show what you actually expected. ... View more

Hi @simsim  In this case the single host will have a max. bandwidth of 10mbps and the others should get 20mbps. But it also depends if there is a priorization set on the traffic. If everything has the same priority and then th single host already consumes 10mbps, then for another host with is not limited specially, it will also get 10mbps so that you have in total the 20mbps. ... View more

Hi @simsim  What exactly do you mean with "policy for the device is set to 10mbps"? But for such situations @kiwi already wrote it perfectly: " If the devices are inline then the device with the most restricted speed will be the maximum speed for that pipe." ... View more

Ok, now it is getting kind of strange. Mainly because it does not matter if the F5 is configured for offloading or passthrough... So, this is at least how I would continue here: Check the details of a tls handshake from your F5 and also from a connection directly to a server Compare these TLS handshakes Do a packet capture on the firewall towards your F5 and the server which is not locatdd behind the firewall Compare the TLS handshakes If there is still no obvious reason in the handshakes you need to dig deeper: start a packet capture with also logging enabled and enable the features proxy basic and flow basic. During connection tests for connecrions towards your F5 check the global counters multiple times. Maybe there is already something. If not then aggregate the captured logs and analyze them, at latest there hopefully is the reason why the connection towards your F5 isn't working. (Probably this could be analyzed on the F5 also, but there I have no idea how it works as I never used such a loadbalancer/WAF) ... View more

Hi @raji_toor  Now you need to start troubleshooting the connection. As you are using the same certificate already for globalprotect, this is not the reason for this issue. First check what ciphersuites and tls versions does the server offer for a tls connection. With a website like Qualys ssllabs - as you already know - you can check what the server does offer (for this test of course you need to disble decryption). Is the server behind the firewall a windows server? If yes, which version and do you have extended master secret enabled (is enabled by default)? ... View more

The pne log entry where facebook-chat is allowed looks special as you configured it to action deny. Unfortunately it looks like the app facebook-posting needs an update/improvement to cover evrything. I would recommend to open a support case. Until there will be an improvement, you could also create a custom signature to block these postings. ... View more