About as-mg

as-mg · ‎01-14-2019

@OtakarKlier wrote: Hello, I also saw this last week. I just checked again and it seems to be working. I would say give it a try and if it still is not working, open a case so they can work on it. Regards, Yup, it seems to have been resolved now. Time to go submit a couple dozen sites.

as-mg · ‎01-14-2019

For about the last week https://urlfiltering.paloaltonetworks.com/ has been broken in way that makes it impossible to submit reclassification requests. I have several sites that I'd like to reclassify, but I have been unable to do so. When will this be resolved? One of the issues is that a JavaScript is being loaded over plain http, so at least that one should be easy to fix.

as-mg · ‎11-13-2018

I just set up our PA-200 lab unit to do a basic test between two Windows 7 workstations, and noticed the same on PANOS 7.1. Have anyone managed to speed up SMB transfers on PANOS, or do we just have to deal with this? I'm getting anywhere between 4 to 8MB/s on the firewalls, and close to 100MB/s when doing the application override. Could anyone share some benchmarks for their own production environments?

as-mg · ‎11-13-2018

We're currently having some issues with ms-ds-smb (both v2 and v3) traffic on our PA-3020's (active/passive pair), where we are seeing a 97% speed decrease measured against direct traffic. In order to determine the source of the issue, I have tried to disable server response inspection and all the security profiles, but I'm still getting speeds around 3-4MB/s. If I create an application override rule for tcp/445 I'm suddenly seeing around 100MB/s. I don't really expect 100MB/s with threat protection enabled, but 3-4MB/s makes it seem like we're hitting a bug, and the firewall is far from overworked in terms of sessions and dataplane CPU usage. Have anyone else had issues with SMB on PANOS 8.1? This has been for the last couple of versions, and we're currrently running 8.1.4.

as-mg · ‎11-12-2018

As @ShaiW mentioned, if this is a HA setup, take a look at both firewalls. The times we've had issues with this in our environment, the solution has been to go in and delete the failing content on the passive firewall, and manually download and install it so both firewalls are in version sync. After this automatic installation started working again.

as-mg · ‎07-02-2018

Hi, We've just started to try out Traps 5.0 for a small number of agents, migrating from our on-premise 4.2.0 installation. Since we are based in Europe, we've chosen EU as our datacenter location, and company.traps.paloaltonetworks.com resolves to IP addresses hosted on AWS in Germany. However, the agents all connect to ch-company.traps.paloaltonetworks.com, which is hosted on AWS in the USA. Is this an oversight, or is there hardly any data transfered to the ch-prefixed fqdn? If all the traffic is passing trough American servers this means its suddenly under US jurisdiction. I'm by no means an expert on the law behind this, so I'm open for any discussion.

as-mg · ‎05-16-2017

Hi, We are seeing an influx of phishing mails trying to send users to sites hosted with free web hosting services. On of the things we've done to combat phishing is blocking access to unknown domains, but every subdomain of a free web hosting provider is currently being classified as "Web Hosting", causing users to be allowed access to them. In order to combat this even further, would it be possible to split free and paid web hosting into two different URL categories?

as-mg · ‎05-16-2017

This issue seems to have been a single incident, I have tried upgrading several other computers to 1703 without any issues.

as-mg · ‎04-26-2017

We're currently running 3.1.6, I have also opened a support case with Palo Alto regarding this issue. In the past we've seen issues with the localized names of ethernet adapters causing issues for GlobalProtect, and this could be related as it fails to do netsh on the interface. I'll give an update as soon as I've heard back from Palo Alto. (T6972) 04/26/17 09:24:40:925 Debug(3308): cmd = cmd /C netsh interface ip set address 5 static 192.168.0.190 255.255.255.255> "C:\Program Files\Palo Alto Networks\GlobalProtect\tmp.txt" (T6972) 04/26/17 09:24:41:072 Debug( 118): (T6972) 04/26/17 09:24:41:072 Debug(3321): cmd = cmd /C netsh interface ip set dns 5 static 192.168.0.1 validate=no > "C:\Program Files\Palo Alto Networks\GlobalProtect\tmp.txt" (T6972) 04/26/17 09:24:41:110 Debug( 118): (T6972) 04/26/17 09:24:41:110 Debug(1715): number of route is 2 (T6972) 04/26/17 09:24:41:110 Error(1747): SetIpForwardEntry(0.0.0.0) failed (The system cannot find the file specified.) (T6972) 04/26/17 09:24:41:125 Error(1747): SetIpForwardEntry(192.168.0.1) failed (The system cannot find the file specified.)

as-mg · ‎04-26-2017

Hi, I recently had a collegue who installed Windows 10 1703, also called the Creators Update. After the update GlobalProtect appears to be able to connect to the gatway, but it fails to retrieve an IP address and DNS servers from the firewall. Have anyone else had this issue, and have anyone been able to find a solution? I will try to have him do a reinstall of the GlobalProtect client and see if that resolves the issue.

as-mg · ‎10-27-2016

I finally managed to disable 3DES, but it was not as straight forward as disabling 3DES on the decryption profile for inbound SSL. To make this work, I set min. protocol version of the decryption profile to TLS 1.2, and then I had to do the same for the SSL/TLS Service Profile for each of the certificates used for inbound SSL inspection. Now the firewall will only use TLS 1.2 and 3DES is disabled across the board.

as-mg · ‎10-25-2016

Hi, Yes, the GUI is showing it as disabled, yet the firewall will still offer 3DES to clients, so this is not just a cosmetic issue.

as-mg · ‎10-25-2016

Hi Ben, This did not resolve the issue, but it should be disabled. The firewall still provides TLS_RSA_WITH_3DES_EDE_CBC_SHA for clients. Here's the output from show of ssl-protocol-settings for the decryption profile: (active)# show ssl-protocol-settings { keyxchg-algo-dhe yes; keyxchg-algo-ecdhe yes; min-version tls1-1; keyxchg-algo-rsa yes; enc-algo-3des no; enc-algo-rc4 no; enc-algo-aes-128-cbc yes; enc-algo-aes-256-cbc yes; enc-algo-aes-128-gcm yes; enc-algo-aes-256-gcm yes; auth-algo-sha1 yes; auth-algo-sha256 yes; auth-algo-sha384 yes; }

as-mg · ‎10-25-2016

We are currently being required to disable 3DES in order to pass PCI compliance (due to the Sweet32 exploit). We have a decryption profile for all incoming traffic hitting our firewall and services behind it, where I have tried disabling 3DES. However, the firewall will still accept 3DES after doing a commit. When opening the decryption profile again. 3DES will be shown as enabled again. As you can see in the picture, 3DES seems to be disabled in the decryption profile list, but when opening the specified decryption profile it shows up as enabled. Does anyone know how to properly disable 3DES on PANOS 7.1.x?

as-mg · ‎10-25-2016

Hi, We were having the exact same issue, when our users changed from default VPN to a 2 factor authenticated one, the DNS servers would change. The change of the DNS server will cause Windows to invalidate all cached DNS entries, and it will not try to resolve them again until the invalidated cache entry has been purged. Our solution was to use the same DNS server for all VPN gateways.

as-mg · ‎06-23-2016

This was my prime suspect as well. You mention that you are currently running a script at VPN logon, is there any way to automate this in GlobalProtect?

as-mg · ‎06-22-2016

Log files. IP's: 10.20.30.1 - Local gateway 192.168.50.1 - DNS gateway 150.150.150.150 - IP address of GlobalProtect portal (T5632) 06/22/16 10:06:29:098 Debug(1119): save old dns: Wi-Fi--dhcp=1,10.20.30.1, flags=0x000001c5, use dynamic dns = 1 (T5632) 06/22/16 10:06:29:098 Debug( 785): SaveStringToPreviousSetting, str0=Wi-Fi, nStr=1 (T5632) 06/22/16 10:06:29:098 Debug( 787): str0=dhcp=1,10.20.30.1 (T5632) 06/22/16 10:06:29:098 Debug( 865): re-read previousDNSInfo return 0, dwSize=49 (T5632) 06/22/16 10:06:29:098 Debug( 867): write success nRetry=0, flush it now (T3528) 06/22/16 10:06:29:098 Info (1940): Setting debug level to 5 (T5632) 06/22/16 10:06:29:098 Debug( 875): flush key, ret = 00000000 (T5632) 06/22/16 10:06:29:098 Debug(1137): run cmd: cmd /C netsh interface ip set dns "Wi-Fi" static 192.168.50.1 validate=no > "C:\Program Files\Palo Alto Networks\GlobalProtect\tmp.txt" (T5632) 06/22/16 10:06:29:161 Debug( 95): (T5632) 06/22/16 10:06:29:161 Debug(1143): run cmd to verify previous command: cmd /C netsh interface ip show dns "Wi-Fi" > "C:\Program Files\Palo Alto Networks\GlobalProtect\tmp.txt" (T5632) 06/22/16 10:06:29:223 Debug( 95): (T5632) 06/22/16 10:06:29:223 Debug( 95): Configuration for interface "Wi-Fi" (T5632) 06/22/16 10:06:29:223 Debug( 95): Statically Configured DNS Servers: 192.168.50.1 (T5632) 06/22/16 10:06:29:223 Debug( 95): Register with which suffix: Primary only (T5632) 06/22/16 10:06:29:223 Debug( 95): (T5632) 06/22/16 10:06:29:223 Debug(1150): verify success! ------------------------------------------- (T5632) 06/22/16 10:07:01:950 Info (1680): Disconnect() called (T5632) 06/22/16 10:07:01:950 Debug( 437): vpn disconnect (T5632) 06/22/16 10:07:01:950 Debug( 438): Delete m_vpn in CControlManager::DisconnectVPN() (T6720) 06/22/16 10:07:01:950 Info ( 375): PktProcess: VPN disconnect event, get out of ProcMonitor (T6724) 06/22/16 10:07:01:950 Info ( 535): ProDrv: VPN disconnect event, get out of ProcDrv (T6724) 06/22/16 10:07:01:950 Info ( 552): ProcDrv thread dies (T6720) 06/22/16 10:07:01:950 Info ( 509): ProcDrv quit (T6720) 06/22/16 10:07:01:950 Info ( 495): ProcMonitor thread dies (T5632) 06/22/16 10:07:01:950 Debug( 221): do_disconnect is called in VPN stop (T5632) 06/22/16 10:07:01:950 Debug( 218): Disconnect udp socket (T5632) 06/22/16 10:07:04:763 Debug( 322): unset network (T5632) 06/22/16 10:07:04:763 Debug(2067): UnsetRoutes(): RestoreDefaultRoutes. (T5632) 06/22/16 10:07:04:763 Debug(2073): Unset 2 routes (T5632) 06/22/16 10:07:04:763 Debug(2092): UnsetRoutes: DeleteIpForwardEntry[0] (0.0.0.0) (T5632) 06/22/16 10:07:04:763 Debug(2092): UnsetRoutes: DeleteIpForwardEntry[1] (192.168.50.1) (T5632) 06/22/16 10:07:04:763 Debug(2110): UnsetRoutes: DeleteIpForwardEntry(150.150.150.150) (T5632) 06/22/16 10:07:04:763 Info (3054): RemoveGatewayInRouteTable(vnicIdx=17) (T5632) 06/22/16 10:07:04:763 Debug( 629): FlushDNS, string 0 is --GPDNS--:192.168.50.1 (T5632) 06/22/16 10:07:04:763 Debug( 629): FlushDNS, string 1 is Wi-Fi:dhcp=1,10.20.30.1 (T5632) 06/22/16 10:07:04:763 Debug( 629): FlushDNS, string 2 is dnsSuffix:domain.com (T5632) 06/22/16 10:07:04:763 Debug( 644): pGPDNS is --GPDNS--:192.168.50.1 (T5632) 06/22/16 10:07:04:810 Debug( 95): (T5632) 06/22/16 10:07:04:810 Debug( 95): Configuration for interface "Wi-Fi" (T5632) 06/22/16 10:07:04:810 Debug( 95): DNS servers configured through DHCP: 192.168.10.10 (T5632) 06/22/16 10:07:04:810 Debug( 95): 192.168.10.15 (T5632) 06/22/16 10:07:04:810 Debug( 95): Register with which suffix: Primary only (T5632) 06/22/16 10:07:04:810 Debug( 95): (T5632) 06/22/16 10:07:04:810 Debug( 533): FlushDNS, GPDNS information set but the current connection does not has it, return now (T5632) 06/22/16 10:07:04:810 Debug( 594): ret=0 (T3528) 06/22/16 10:07:04:810 Info (1940): Setting debug level to 5 (T5632) 06/22/16 10:07:04:810 Debug( 771): RestoreDNSSetting, return is -1 (T5632) 06/22/16 10:07:04:810 Debug(3895): DLSA, savedMetric1Routes not present, do not need to restore (T5632) 06/22/16 10:07:04:810 Debug(3383): DLSA, RestoreProxySetting now (T5632) 06/22/16 10:07:04:810 Debug(3400): ProxyDisabledByMe is false or not present, leave RestoreProxySetting now (T5632) 06/22/16 10:07:04:825 Debug( 620): PreviousDNSInfo not exit, do not need to restore, ret=00000002 (T5632) 06/22/16 10:07:04:825 Debug( 486): remove dns setting failed with ret = 00000002 (T5632) 06/22/16 10:07:04:825 Debug(1842): UnsetDNSSuffixSearchOrder returns 0 (T5632) 06/22/16 10:07:04:841 Debug(1847): UnsetDNSServerSearchOrder returns 0 (T5632) 06/22/16 10:07:04:872 Debug(1849): UnsetWINSServer returns 68 (T5632) 06/22/16 10:07:04:872 Debug( 224): unsetnetwork is called in vpn stop (T5632) 06/22/16 10:07:04:872 Debug( 322): unset network

as-mg · ‎06-22-2016

These versions matches the one in our scenario, so this sounds like a bug. Hopefully someone from PAN will notice and either post a workaround or resolve the issue in an upcoming version of either GP or PANOS.

as-mg · ‎06-22-2016

Hi, I'm having a single client, running Windows 10 Pro, that we're having issues with. When the user connects to their network at home, they are unable to connect to VPN, and it seems like the issues is caused by GlobalProtect setting the WiFi adapter's DNS-address to that of the VPN proxy DNS. I have tried against mobile hotspots, and the same issue is present here as well - I change the WiFi to use DNS obtained by DHCP, and it changes to VPN DNS as soon as it's connected once. Have anyone else encountered issues like this recently?

as-mg · ‎04-25-2016

I'm currently having an issue with users having to do "ipconfig /flushdns" in order to gain access to certain network resources when connecting to VPN. There is a registry entry called "flush-dns" located under HKEY_CURRENT_USER\Software\Palo Alto Networks\GlobalProtect\Settings which I thought I could use in order to have the client perform a DNS flush each time it changes gateway. This is described in this guide: https://www.paloaltonetworks.com/documentation/62/globalprotect/globalprotect-admin-guide/set-up-the-globalprotect-infrastructure/customizable-agent-settings.html When set to "yes" it automaticly reverts to "no" when the client is connected. Is the proper registry name flushdns or flush-dns? Is this supposed to still work with GlobalProtect 3.x?

as-mg · ‎04-15-2016

I do belive I have found how to resolve this issue in our case. The autentication profile for RADIUS used a username modifier, which used to be %USERINPUT%@%USERDOMAIN%, and which was working just fine in GlobalProtect 2.3.4. For GlobalProtect 3.0.1 %USERDOMAIN%\%USERINPUT% and using the NetBIOS name of our domain in the user domain field seems to be the correct modifier in our case.

as-mg · ‎04-15-2016

The temporary workaround is to have the users enter their username and password in the GlobalProtect agent, which seems to make everything work as it used to.

as-mg · ‎04-15-2016

Hi, After doing an upgrade from GlobalProtect 2.3.4 to 3.0.1 we're having issues with users not being able to do two factor authentication in combination with SSO. The software we're running is SecurEnvoy, which has been working fine up to the client update. Firewalls are running PAN-OS 7.0.5-h2. SecurEnvoy responds as it should, and sends the code to the user's phone, but from there the client times out and reverts to the automatic gateway. Have anyone else encountered issues with the latest GlobalProtect? Are the new GlobalProtect client dependant on PAN-OS 7.1? Agent log: (T6200) 04/15/16 10:23:18:305 Info (2468): PanWinhttpCallback(dwInternetStatus=WINHTTP_CALLBACK_STATUS_RECEIVING_RESPONSE, this=0000000002340100) (T6200) 04/15/16 10:23:18:305 Info (2468): PanWinhttpCallback(dwInternetStatus=WINHTTP_CALLBACK_STATUS_REQUEST_ERROR, this=0000000002340100) (T6200) 04/15/16 10:23:18:305 Debug(2549): WINHTTP_CALLBACK_STATUS_REQUEST_ERROR, error=12152, result=1, dwCertificateError=0 (T6200) 04/15/16 10:23:18:414 Info (1573): get WINHTTP_CALLBACK_STATUS_REQUEST_ERROR while waitting for header, error=12152, ERROR_WINHTTP_INVALID_SERVER_RESPONSE! (T6200) 04/15/16 10:23:18:414 Error(3595): winhttpObj, error! ipaddress REMOVED bRetryWithoutCert is 0, bClientCertNeeded=0 (T6200) 04/15/16 10:23:18:414 Info (2468): PanWinhttpCallback(dwInternetStatus=WINHTTP_CALLBACK_STATUS_HANDLE_CLOSING, this=0000000002340100) (T6200) 04/15/16 10:23:18:414 Debug(2567): handle 0057c060 closed (T6200) 04/15/16 10:23:18:414 Debug(2571): REUSE, request closed (T6200) 04/15/16 10:23:18:414 Info ( 561): wait for closing callback success! (T1396) 04/15/16 10:23:18:414 Debug( 516): Command = <request><type>https_request</type><result>NULL</result></request> (T1396) 04/15/16 10:23:18:414 Debug( 62): OnReceive error=0 (T1396) 04/15/16 10:23:18:414 Debug( 62): OnReceive error=0 (T1396) 04/15/16 10:23:18:414 Debug( 950): status message received from the service: Service log: (T12176) 04/15/16 10:22:54:792 Debug( 319): PanGpHipMp.exe exit for checking misssing patches. (T12176) 04/15/16 10:22:54:792 Debug( 387): CheckHipMissingPatchInOtherProcess(): exits. (T12176) 04/15/16 10:22:54:792 Debug( 467): Hip missing patch checking duration is 34 (T10600) 04/15/16 10:22:58:134 Debug(2401): receive pan_msg_ping, 3 (T10600) 04/15/16 10:23:08:191 Debug(2401): receive pan_msg_ping, 3 (T10600) 04/15/16 10:23:18:258 Debug(2401): receive pan_msg_ping, 3 (T10600) 04/15/16 10:23:18:414 Debug(2559): HTTP_RPC, len=0, result is (NULL)... (T10600) 04/15/16 10:23:18:414 Error(2785): pszXmlConfig is NULL. 4278 (T10600) 04/15/16 10:23:18:414 Debug(2857): pszXmlConfig is NULL, m_bInvalidUserCredential is false. (T10600) 04/15/16 10:23:18:414 Error(1650): Failed to retrieve info for gateway REMOVED (T10600) 04/15/16 10:23:18:414 Debug(1803): close WinHttp close handle. (T10600) 04/15/16 10:23:18:414 Debug(1657): tunnel to REMOVED is not created. (T10600) 04/15/16 10:23:18:414 Debug(3721): Set state to Disconnected

as-mg · ‎10-13-2015

I asked a Palo Alto representative about this a few months back, and support for TLS_ECDHE_RSA and TLS_DHE_RSA was planned to be implemented sometime in the first half of 2016. Could be coming in PANOS 8?

as-mg · ‎05-14-2014

This was the suggestion given us by support as well. However, they also did say that this change will be lost each time we reboot a firewall, which I would concider less handy and make this a not-so-much as permanent fix. What we're going to do from now on is also have a computer connected to the failing device via the console, and keep it logging in case the issue occurs again. It's been under a month since it last happened (PANOS 5.0.11) and the issue still persists on PANOS 6.0.2. If you have any further suggestions, I would love to hear from you.

as-mg · ‎05-14-2014

This issue occured again (third time) on our 3020 HA cluster today, running 6.0.2. Awaiting response from support.

as-mg · ‎04-30-2014

Jumbo frames are not active for our HA links. Forgot to mention that this is a 3020 cluster. After contacting support their best suggestion was to update to 5.0.12 or 6.0.2. I have upgraded both to 5.0.12 tonight, but I have a feeling that the bug fixed in 6.0.2 better describes our situation, so I will upgrade the firewalls to 6.0.2 tomorrow. Fixed in 5.0.12/6.0.1: When High Availability Active/Passive peers lost communication on HA1 and HA2 links, a race condition caused the dataplane to restart. Fixed in 6.0.2: Fixed an issue with PA-3000 Series devices where traffic could stop passing through the firewall or the dataplane could restart due to an internal path monitoring failure.

as-mg · ‎04-30-2014

Hi, I've had this happen several times as well, last one today. We also have a HA cluster, and the primary (and active) firewall suddenly stops routing traffic, and the secondary (passive) does not try to take over, and acts like everything is OK. Had to reboot the primary firewall for the secondary to become active, and I would like to avoid this happening again. I've sent tech dumps to our support contact, so hopefully I'll get a better answer than "I'm sure this won't happen again" this time. Running 5.0.11, by the way.

as-mg · ‎04-28-2014

Has anyone upgraded a HA cluster to 6.0.2? I've installed the upgrade on the passive node, and now I'm seeing "non-functional (Peer version not compatible)" on this firewall. I've set "session tcp-reject-non-syn no" on both firewalls as suggested by the release notes, and I'm ready to suspend the active firewall, but I would like to know if this will cause traffic to stop when trying to fail over to this node.

as-mg · ‎04-28-2014

Installed 6.0.2 on our lab box, and the group now shows up when doing "show user group-mapping state Group-name", but lowercase ø is still shown as Ã,. I do not recall how this looked on 5.0.9, but this could just be a cosmetic issue. Will have to do some further tests to see if the issue has been resolved or not. Would like to hear from others who have upgraded to 6.0.2 as well. EDIT: This fix has also been added to the new 5 release; 5.0.12.

Date Registered	‎06-26-2013 12:35 AM
Date Last Visited	4 weeks ago
Total Messages Posted	45
Total Likes Received	10

Online Status	Offline
Date Last Visited	4 weeks ago

Strata

Prisma

Cortex

About as-mg