Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- LIVEcommunity
- ›
- About as-mg
About as-mg
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Monday
47Posts
10Likes
4Solutions
Jan 18, 2021Last Visited
User
Activity
User
Profile
Latest posts by as-mg
| Subject | Views | Posted |
|---|---|---|
| 347 | 10-29-2020 02:15 AM | |
| 4813 | 06-05-2020 01:36 AM | |
| 1262 | 01-14-2019 11:33 PM | |
| 1335 | 01-14-2019 06:07 AM | |
| 8720 | 11-13-2018 05:32 AM |
My Liked Posts
| Subject | Likes | Posted |
|---|---|---|
| 1 | 01-14-2019 11:33 PM | |
| 1 | 11-12-2018 11:57 PM | |
| 2 | 10-27-2016 12:40 AM | |
| 1 | 07-03-2013 02:13 AM | |
| 2 | 07-03-2013 03:13 AM |
Posts I Liked
| Subject | Likes | Author | Latest Post |
|---|---|---|---|
| 1 | |||
| 2 | |||
| 2 | |||
| 2 | |||
| 1 |
User Badges
Public Statistics
| Date Registered | 06-26-2013 12:35 AM |
| Date Last Visited | Monday |
| Total Messages Posted | 47 |
| Total Likes Received | 10 |
10-29-2020
02:15 AM
We're seeing a similar issue on PANOS 9.0.11 - traffic to Google.com searched first hits an IP address, which is being blocked due to the IP being classified as Unknown. After about 10-20 seconds of waiting, the user is redirected to Google, and no error message is shown to the end user. In the URL Filtering log in the firewall web UI the category and category list for the IP address is search-engines and search-engines,low-risk. A URL test from the CLI lists the IP as unknown. The traffic is identified as google-base. This started happening after upgrading from PANOS 8.1 to 9.0, and I have a theory that this is related to HTTP/2 inspection, which wasn't supported at 8.1. A similar issue, PAN-137387, should've been resolved in 9.0.9: "Fixed an issue where URL filtering used the IP address instead of the hostname, which led to incorrect URL categorization." Have anyone experienced the same on 9.0, and were you able to resolve it?
... View more
06-05-2020
01:36 AM
I've created support cases with this issue in the past, for different versions of PANOS and different hardware, and each time I've gotten the same response that goes like "SMB creates a lot of packets, which will slow down traffic when we need to inspect it" . As mentioned in my previous post, app override is not an option for us, and we've tried disabling DSRI for all the rules which are using SMB without any large benefits. We're seeing around 15-20MB/s on gigabit links onthe current TAC recommended 8.1 release. If anyone has found any way to resolve this issue, please share.
... View more
- Tags:
- m su
01-14-2019
11:33 PM
1 Kudo
@OtakarKlier wrote: Hello, I also saw this last week. I just checked again and it seems to be working. I would say give it a try and if it still is not working, open a case so they can work on it. Regards, Yup, it seems to have been resolved now. Time to go submit a couple dozen sites.
... View more
- Tags:
- p
01-14-2019
06:07 AM
For about the last week https://urlfiltering.paloaltonetworks.com/ has been broken in way that makes it impossible to submit reclassification requests. I have several sites that I'd like to reclassify, but I have been unable to do so. When will this be resolved? One of the issues is that a JavaScript is being loaded over plain http, so at least that one should be easy to fix.
... View more
11-13-2018
05:32 AM
I just set up our PA-200 lab unit to do a basic test between two Windows 7 workstations, and noticed the same on PANOS 7.1. Have anyone managed to speed up SMB transfers on PANOS, or do we just have to deal with this? I'm getting anywhere between 4 to 8MB/s on the firewalls, and close to 100MB/s when doing the application override. Could anyone share some benchmarks for their own production environments?
... View more
11-13-2018
12:04 AM
We're currently having some issues with ms-ds-smb (both v2 and v3) traffic on our PA-3020's (active/passive pair), where we are seeing a 97% speed decrease measured against direct traffic. In order to determine the source of the issue, I have tried to disable server response inspection and all the security profiles, but I'm still getting speeds around 3-4MB/s. If I create an application override rule for tcp/445 I'm suddenly seeing around 100MB/s. I don't really expect 100MB/s with threat protection enabled, but 3-4MB/s makes it seem like we're hitting a bug, and the firewall is far from overworked in terms of sessions and dataplane CPU usage. Have anyone else had issues with SMB on PANOS 8.1? This has been for the last couple of versions, and we're currrently running 8.1.4.
... View more
11-12-2018
11:57 PM
1 Kudo
As @ShaiW mentioned, if this is a HA setup, take a look at both firewalls. The times we've had issues with this in our environment, the solution has been to go in and delete the failing content on the passive firewall, and manually download and install it so both firewalls are in version sync. After this automatic installation started working again.
... View more
07-02-2018
02:19 PM
Hi, We've just started to try out Traps 5.0 for a small number of agents, migrating from our on-premise 4.2.0 installation. Since we are based in Europe, we've chosen EU as our datacenter location, and company.traps.paloaltonetworks.com resolves to IP addresses hosted on AWS in Germany. However, the agents all connect to ch-company.traps.paloaltonetworks.com, which is hosted on AWS in the USA. Is this an oversight, or is there hardly any data transfered to the ch-prefixed fqdn? If all the traffic is passing trough American servers this means its suddenly under US jurisdiction. I'm by no means an expert on the law behind this, so I'm open for any discussion.
... View more
05-16-2017
03:55 AM
Hi, We are seeing an influx of phishing mails trying to send users to sites hosted with free web hosting services. On of the things we've done to combat phishing is blocking access to unknown domains, but every subdomain of a free web hosting provider is currently being classified as "Web Hosting", causing users to be allowed access to them. In order to combat this even further, would it be possible to split free and paid web hosting into two different URL categories?
... View more
05-16-2017
03:47 AM
This issue seems to have been a single incident, I have tried upgrading several other computers to 1703 without any issues.
... View more
04-26-2017
11:11 PM
We're currently running 3.1.6, I have also opened a support case with Palo Alto regarding this issue. In the past we've seen issues with the localized names of ethernet adapters causing issues for GlobalProtect, and this could be related as it fails to do netsh on the interface. I'll give an update as soon as I've heard back from Palo Alto. (T6972) 04/26/17 09:24:40:925 Debug(3308): cmd = cmd /C netsh interface ip set address 5 static 192.168.0.190 255.255.255.255> "C:\Program Files\Palo Alto Networks\GlobalProtect\tmp.txt"
(T6972) 04/26/17 09:24:41:072 Debug( 118):
(T6972) 04/26/17 09:24:41:072 Debug(3321): cmd = cmd /C netsh interface ip set dns 5 static 192.168.0.1 validate=no > "C:\Program Files\Palo Alto Networks\GlobalProtect\tmp.txt"
(T6972) 04/26/17 09:24:41:110 Debug( 118):
(T6972) 04/26/17 09:24:41:110 Debug(1715): number of route is 2
(T6972) 04/26/17 09:24:41:110 Error(1747): SetIpForwardEntry(0.0.0.0) failed (The system cannot find the file specified.)
(T6972) 04/26/17 09:24:41:125 Error(1747): SetIpForwardEntry(192.168.0.1) failed (The system cannot find the file specified.)
... View more
04-26-2017
01:36 AM
Hi, I recently had a collegue who installed Windows 10 1703, also called the Creators Update. After the update GlobalProtect appears to be able to connect to the gatway, but it fails to retrieve an IP address and DNS servers from the firewall. Have anyone else had this issue, and have anyone been able to find a solution? I will try to have him do a reinstall of the GlobalProtect client and see if that resolves the issue.
... View more
10-27-2016
12:40 AM
2 Kudos
I finally managed to disable 3DES, but it was not as straight forward as disabling 3DES on the decryption profile for inbound SSL. To make this work, I set min. protocol version of the decryption profile to TLS 1.2, and then I had to do the same for the SSL/TLS Service Profile for each of the certificates used for inbound SSL inspection. Now the firewall will only use TLS 1.2 and 3DES is disabled across the board.
... View more
10-25-2016
05:08 AM
Hi, Yes, the GUI is showing it as disabled, yet the firewall will still offer 3DES to clients, so this is not just a cosmetic issue.
... View more
10-25-2016
04:20 AM
Hi Ben, This did not resolve the issue, but it should be disabled. The firewall still provides TLS_RSA_WITH_3DES_EDE_CBC_SHA for clients. Here's the output from show of ssl-protocol-settings for the decryption profile: (active)# show
ssl-protocol-settings {
keyxchg-algo-dhe yes;
keyxchg-algo-ecdhe yes;
min-version tls1-1;
keyxchg-algo-rsa yes;
enc-algo-3des no;
enc-algo-rc4 no;
enc-algo-aes-128-cbc yes;
enc-algo-aes-256-cbc yes;
enc-algo-aes-128-gcm yes;
enc-algo-aes-256-gcm yes;
auth-algo-sha1 yes;
auth-algo-sha256 yes;
auth-algo-sha384 yes;
}
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
Monday
|
Latest Blogs
Latest Posts
Copyright 2007 - 2021 - Palo Alto Networks
