LIVEcommunity - About as-mg

as-mg · ‎10-29-2020

We're seeing a similar issue on PANOS 9.0.11 - traffic to Google.com searched first hits an IP address, which is being blocked due to the IP being classified as Unknown. After about 10-20 seconds of waiting, the user is redirected to Google, and no error message is shown to the end user. In the URL Filtering log in the firewall web UI the category and category list for the IP address is search-engines and search-engines,low-risk. A URL test from the CLI lists the IP as unknown. The traffic is identified as google-base. This started happening after upgrading from PANOS 8.1 to 9.0, and I have a theory that this is related to HTTP/2 inspection, which wasn't supported at 8.1. A similar issue, PAN-137387, should've been resolved in 9.0.9: "Fixed an issue where URL filtering used the IP address instead of the hostname, which led to incorrect URL categorization." Have anyone experienced the same on 9.0, and were you able to resolve it?

as-mg · ‎06-05-2020

I've created support cases with this issue in the past, for different versions of PANOS and different hardware, and each time I've gotten the same response that goes like "SMB creates a lot of packets, which will slow down traffic when we need to inspect it" . As mentioned in my previous post, app override is not an option for us, and we've tried disabling DSRI for all the rules which are using SMB without any large benefits. We're seeing around 15-20MB/s on gigabit links onthe current TAC recommended 8.1 release. If anyone has found any way to resolve this issue, please share.

as-mg · ‎01-14-2019

@OtakarKlier wrote: Hello, I also saw this last week. I just checked again and it seems to be working. I would say give it a try and if it still is not working, open a case so they can work on it. Regards, Yup, it seems to have been resolved now. Time to go submit a couple dozen sites.

as-mg · ‎01-14-2019

For about the last week https://urlfiltering.paloaltonetworks.com/ has been broken in way that makes it impossible to submit reclassification requests. I have several sites that I'd like to reclassify, but I have been unable to do so. When will this be resolved? One of the issues is that a JavaScript is being loaded over plain http, so at least that one should be easy to fix.

as-mg · ‎11-13-2018

I just set up our PA-200 lab unit to do a basic test between two Windows 7 workstations, and noticed the same on PANOS 7.1. Have anyone managed to speed up SMB transfers on PANOS, or do we just have to deal with this? I'm getting anywhere between 4 to 8MB/s on the firewalls, and close to 100MB/s when doing the application override. Could anyone share some benchmarks for their own production environments?

as-mg · ‎11-13-2018

We're currently having some issues with ms-ds-smb (both v2 and v3) traffic on our PA-3020's (active/passive pair), where we are seeing a 97% speed decrease measured against direct traffic. In order to determine the source of the issue, I have tried to disable server response inspection and all the security profiles, but I'm still getting speeds around 3-4MB/s. If I create an application override rule for tcp/445 I'm suddenly seeing around 100MB/s. I don't really expect 100MB/s with threat protection enabled, but 3-4MB/s makes it seem like we're hitting a bug, and the firewall is far from overworked in terms of sessions and dataplane CPU usage. Have anyone else had issues with SMB on PANOS 8.1? This has been for the last couple of versions, and we're currrently running 8.1.4.

as-mg · ‎11-12-2018

As @ShaiW mentioned, if this is a HA setup, take a look at both firewalls. The times we've had issues with this in our environment, the solution has been to go in and delete the failing content on the passive firewall, and manually download and install it so both firewalls are in version sync. After this automatic installation started working again.

as-mg · ‎07-02-2018

Hi, We've just started to try out Traps 5.0 for a small number of agents, migrating from our on-premise 4.2.0 installation. Since we are based in Europe, we've chosen EU as our datacenter location, and company.traps.paloaltonetworks.com resolves to IP addresses hosted on AWS in Germany. However, the agents all connect to ch-company.traps.paloaltonetworks.com, which is hosted on AWS in the USA. Is this an oversight, or is there hardly any data transfered to the ch-prefixed fqdn? If all the traffic is passing trough American servers this means its suddenly under US jurisdiction. I'm by no means an expert on the law behind this, so I'm open for any discussion.

as-mg · ‎05-16-2017

Hi, We are seeing an influx of phishing mails trying to send users to sites hosted with free web hosting services. On of the things we've done to combat phishing is blocking access to unknown domains, but every subdomain of a free web hosting provider is currently being classified as "Web Hosting", causing users to be allowed access to them. In order to combat this even further, would it be possible to split free and paid web hosting into two different URL categories?

as-mg · ‎05-16-2017

This issue seems to have been a single incident, I have tried upgrading several other computers to 1703 without any issues.

as-mg · ‎04-26-2017

We're currently running 3.1.6, I have also opened a support case with Palo Alto regarding this issue. In the past we've seen issues with the localized names of ethernet adapters causing issues for GlobalProtect, and this could be related as it fails to do netsh on the interface. I'll give an update as soon as I've heard back from Palo Alto. (T6972) 04/26/17 09:24:40:925 Debug(3308): cmd = cmd /C netsh interface ip set address 5 static 192.168.0.190 255.255.255.255> "C:\Program Files\Palo Alto Networks\GlobalProtect\tmp.txt" (T6972) 04/26/17 09:24:41:072 Debug( 118): (T6972) 04/26/17 09:24:41:072 Debug(3321): cmd = cmd /C netsh interface ip set dns 5 static 192.168.0.1 validate=no > "C:\Program Files\Palo Alto Networks\GlobalProtect\tmp.txt" (T6972) 04/26/17 09:24:41:110 Debug( 118): (T6972) 04/26/17 09:24:41:110 Debug(1715): number of route is 2 (T6972) 04/26/17 09:24:41:110 Error(1747): SetIpForwardEntry(0.0.0.0) failed (The system cannot find the file specified.) (T6972) 04/26/17 09:24:41:125 Error(1747): SetIpForwardEntry(192.168.0.1) failed (The system cannot find the file specified.)

as-mg · ‎04-26-2017

Hi, I recently had a collegue who installed Windows 10 1703, also called the Creators Update. After the update GlobalProtect appears to be able to connect to the gatway, but it fails to retrieve an IP address and DNS servers from the firewall. Have anyone else had this issue, and have anyone been able to find a solution? I will try to have him do a reinstall of the GlobalProtect client and see if that resolves the issue.

as-mg · ‎10-27-2016

I finally managed to disable 3DES, but it was not as straight forward as disabling 3DES on the decryption profile for inbound SSL. To make this work, I set min. protocol version of the decryption profile to TLS 1.2, and then I had to do the same for the SSL/TLS Service Profile for each of the certificates used for inbound SSL inspection. Now the firewall will only use TLS 1.2 and 3DES is disabled across the board.

as-mg · ‎10-25-2016

Hi, Yes, the GUI is showing it as disabled, yet the firewall will still offer 3DES to clients, so this is not just a cosmetic issue.

as-mg · ‎10-25-2016

Hi Ben, This did not resolve the issue, but it should be disabled. The firewall still provides TLS_RSA_WITH_3DES_EDE_CBC_SHA for clients. Here's the output from show of ssl-protocol-settings for the decryption profile: (active)# show ssl-protocol-settings { keyxchg-algo-dhe yes; keyxchg-algo-ecdhe yes; min-version tls1-1; keyxchg-algo-rsa yes; enc-algo-3des no; enc-algo-rc4 no; enc-algo-aes-128-cbc yes; enc-algo-aes-256-cbc yes; enc-algo-aes-128-gcm yes; enc-algo-aes-256-gcm yes; auth-algo-sha1 yes; auth-algo-sha256 yes; auth-algo-sha384 yes; }

Member Since	‎06-26-2013 12:35 AM
Date Last Visited	Tuesday
Posts	47
Total Likes Received	11

Online Status	Offline
Date Last Visited	Tuesday

Re: google searched blocked

Re: 97% speed decrease on SMB traffic (PANOS 8.1)

Re: URL Filter Test A Site page is broken

URL Filter Test A Site page is broken

Re: 97% speed decrease on SMB traffic (PANOS 8.1)

Re: 97% speed decrease on SMB traffic (PANOS 8.1)

Re: URL Filter Test A Site page is broken

Re: Wildfire Update failure

Re: How to properly disable 3DES encryption algorithm?

External dashboard based on PANOS API

Re: Wildfire Update failure

Re: Seperate URL categories for free and paid web hosting?

Re: Can't remove vsys specific SSL TLS Service Profile

Re: GlobalProtect 3.0.2 setting VPN DNS on WiFi adapter

Re: GlobalProtect 3.0.2 setting VPN DNS on WiFi adapter

Re: google searched blocked

Re: 97% speed decrease on SMB traffic (PANOS 8.1)

Re: URL Filter Test A Site page is broken

URL Filter Test A Site page is broken

Re: 97% speed decrease on SMB traffic (PANOS 8.1)

97% speed decrease on SMB traffic (PANOS 8.1)

Re: Wildfire Update failure

EU hosted Traps 5.0 management, clients check in to the US

Seperate URL categories for free and paid web hosting?

Re: Issues with GlobalProtect on Windows 10 1703

Re: Issues with GlobalProtect on Windows 10 1703

Issues with GlobalProtect on Windows 10 1703

Re: How to properly disable 3DES encryption algorithm?

Re: How to properly disable 3DES encryption algorithm?

Re: How to properly disable 3DES encryption algorithm?

Network Security

Cloud Security

Security Operations