About Purushotham

Our customer encounter intermittent connectivity issue with IPSec IKEv1 during phase 2 rekey of IPSec Child-SA. We open case with the IPSec peer device vendor, they mention that PAN is not sending message to R2011 (IPSec peer) for deleting the SA when the SA negotiation fails.   Summary of issue: On IPsec PA-850 peer device log, it shows IKE phase-2 negotiation is failed as responder, Due to negotiation timeout for that child-SA] On IPsec 4G router side SA rekey log it shows child-SA is successful established/rekey During that 1 hour Proxy-ID traffic for that Child-SA is down. Traffic resume on next successful Child-SA rekey, SA lifetime 1 hour. From debug log (as below) negotiation timeout on PA-850 trigger by intermittent packet transmission loss on Telco 4G mobile network.  Highlight event log of “the sent the delete key message to the peer and started the negotiation as a responder.   1.re key at 5.00.07 of Child SA as responder for Proxy ID 2. Failed as negotiation as responder and didn’t send p2 delete message to peer.   2.Next re key at 5.39.12 of Child SA as responder for Proxy ID 2. Observe no existing SA (previous negotiation fail at 5.00.07am), so didn’t send p2 delete message to peer after successful rekey.   So, please advise on this behavior of the PA as a responder.       ... View more

1. Customer has encountered the new threat alert named DNS Trojan ShadowPad Detected in their network but the traffic is passing through Palo alto firewall and it is allowed and no threat alerts are triggered in Palo Alto Firewall.   2. TLS Version 1.1 Protocol Deprecated - Need to Enable support for TLS 1.2 and/or 1.3, and disable support for TLS 1.1. 3.IP Forwarding Enabled - Need to disable IP forwarding.   Please suggest on this. ... View more

1. Need to get the confirmation on the reason for the sudden reboot of the PA-820 device which is in High-Availability state. 2. Only the Primary Unit has faced sudden Reboot but Secondary did not, Checked for the power adapter of the Primary unit but it was fine. 3. Timestamp of the sudden reboot on a primary PA-820 (HA-Active) unit is on 9/5/2023 at around 11:36AM and for the mentioned timestamp there is alert in the system logs with the below Error Messages, please refer below.  >  DHCP lease end alert   >  -registered-Ip-max-platform-limit-exceeded alert    4. But couldn't find any proof or related articles from the Palo Alto to confirm the Root-Cause is caused due to this errors. 5.Checked this article but no use. https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PM3ZCAW 6. Can anyone please assist me on this. 7. Please update if any further clarifications required.     ... View more

Device details: Model - PA 3020 Software version - PAN OS – 8.1.3   Problem Description: Please be informed that we are frequently encounter DHCP lease full (100%), and it cause interruption for our users at region side. Customer side have two vlan for DHCP lease which are vlan.960 (IP pool of XX.XX.XXX.X to XX.XX.XXX.XXX)  and vlan.959(XX.XX.XXX.X  to XX.XX.XXX.XXX) on the same management interface. We already done 1 st   level troubleshooting to release the lease but after few days, DHCP lease is full again (100%) for vlan.959. Is there any way other than releasing the DHCP lease frequently or by increasing subnet range of VLAN.     ... View more

In Preliminary checks we found that all data ports of Backend Firewalls were down we established Console access to BE Firewall, we found that Firewalls were running in the maintenance mode We managed to reboot BE Firewalls and bring them up at about 7.20pm on 15th March, all services were recovered as well. After BE Firewalls were up and checking system logs, we found that BE Firewalls were rebooted due to “dnsproxy process” was crashed causing Firewalls rebooted. This is consider PAN-OS bug and could be resolved by configuring DNS server parameter for Firewalls (can be actual or dummy DNS server even it is not using) So we need some clarifications on some of our queries below.   We see problem was raised in June 2022 about this known bug. If it is so why this was not configured properly in our set up or was not brought up during deploymnet? Did we do bug scrub of the current release? Why it was not highlighted in bug scrub? What is the permanent fix and when it will be available or is it available on which PAN OS? Is the current WA good enough to have stabilized the Firewalls   ... View more

Issue:    PNHB has performed penetration tests (PENTEST) for all our firewalls. For Palo Alto PA-820, attached herewith  vulnerabilities  list for your team to help us to  rectify. 2. Can you please clarify me on this reports generated is only the BPA suggestions for fine tuning, or they have a possibility of getting compromised. Reference information attached.     Please note you are posting a public message where community members and experts can provide assistance. Sharing private information such as serial numbers or company information is not recommended. ... View more

Prerequisites Currently,  user has two admin accounts. Default local admin account(Superuser) New local admin account synchronized with Cisco Duo(Superuser) End user has to consider how to treat “Default local admin account”. As a result of consideration, the following items are the options to deal with it: Option1: To make “Default local admin account” synchronized with some authenticator like Duo or enhance the login security of this account in some way. Option2: To delete “Default local admin account”   ■Verification (Done) Option1:Paloalto claims that a local superuser account is not assigned to any form of external authentication service other than just password authentication on the firewall. This is to ensure that users can still access the firewall, in the event where the network or the authentication server goes down, and this will be the only local account to access the firewall. ⇒It means that it is impossible to make “Default local admin account” synchronized with multi-factor authenticator.   Option2:He tried to delete “Default local admin account” but it could not be carried out with the message “At least, one local Superuser needs to be defined in Administrators”.   ■What is the checking point in this issue to Paloalto？ Regarding Option 1, Please confirm more to Paloalto if there are other ways to enhance authentication and security for this option 1.   ... View more