About andreip

Tested w. UID Agent 7.0.2, PANOS 7.0.2 VM-100:   In the configuration file UserIDAgentConfig.xml, for each auth source (server), there is a default-domain variable, which does not have a value by default. I tested by filling in the desired domain name to be prepended and sending via XML API usernames with and without domains and checking on firewall:   UserIDAgentConfig.xml:   <server-settings> <server-entry name="xxx" type="active-directory" address="xxx" port="" syslog-profile="" default-domain="xxx"/> </server-settings>   In the following snippets, 10.1.1.1 is the firewall, 10.1.1.201 is the domain controller with UID Agent installed   XML file sent via curl:   <uid-message> <version>1.0</version> <type>update</type> <payload> <login> <entry name="uid" ip="10.1.1.121" timeout="20"/> </login> <login> <entry name="uid2" ip="10.1.1.122" timeout="20"/> </login> <login> <entry name="beta\uid3" ip="10.1.1.123" timeout="20"/> </login> <login> <entry name="gamma\uid4" ip="10.1.1.124" timeout="20"/> </login> </payload> </uid-message>   File was sent via:   curl -vk --form file=@uid.xml https://10.1.1.201:5006   UID Agent displays username exactly how it was sent, without interpreting the separator (@ and \ tried):       and the firewall is updated:   admin@pavm-7> show user ip-user-mapping all IP Vsys From User IdleTimeout(s) MaxTimeout(s) --------------- ------ ------- -------------------------------- -------------- ------------- 10.1.1.124 vsys1 UIA gamma\uid4 222 222 10.1.1.201 vsys1 UIA alpha\panwagent 901 901 10.1.1.121 vsys1 UIA uid 397 397 10.1.1.125 vsys1 UIA uid5@delta 1127 1127   So the default-domain variable in UID Agent configuration file doesn't seem to append or overwrite a domain name to users without domain, to get something usable for user-group mapping.   Certificate used in CP is just a method to validate an identity - since it's not correlated natively to an auth server/sequence, I doubt you can extract fields from cert (e. g. UPN) to check user-group mapping.   If you are not trying to control internet access, but access to internal resources, Kerberos challenge introduced in PANOS 7.0 (works with browser-challenge method) might help. ... View more

Please add a link to the documentation for community edition (https://www.paloaltonetworks.com/documentation/autofocus/autofocus/autofocus.html), the link displayed in various PPTs (https://live.paloaltonetworks.com/docs/DOC-9261) is no longer reachable ... View more

Hello! Assuming that there was no bidir (source static nat) or U-Turn entanglement, which was the source IP you used for ping (I presume you used 192.168.0.1, the firewall's interface in DMZ and not and not the management interface having a service route to DMZ destination) ? Have you tried to ping with LAN firewall's interface source IP in the faulty setup ? If you used DMZ interface source IP, due to the double forwarding lookup and the incoming and outgoing interface being the same, the firewall might just answered to itself that server (192.168.0.2) can be reached using DMZ interface as next-hop - a debug dataplane packet-diag set log feature flow basic and arp for non-ip packet-filter would have explained the forwarding decision (I couldn't replicate the symptom using a 7.0 VM). Hope that helps, andreip ... View more

Hi Satish, Based on your previous discussions, I assume you already checked the DPD & tunnel monitoring on PANW side. Cluster on CKPT side ? To understand which side is persisting on using the expired P1 I would do it the hard way, disabling SecureXL & clearing P1 and running VPND under debug for a while (export TDERROR_ALL_ALL=5 && export VPND_DEBUG=1 && cpstop -fwflag -proc && cpstart) or plain vpn debug trunc & analysis in IKEView on CKPT side & correlating info with debug ike global on debug & tail follow yes mp-log ikemgr.log on PANW side. Best regards, andreip ... View more

PANW MIBs provides a good indication on the upcoming products - in PAN-PRODUCTS-MIB for PAN-OS 7.0 there is a PA-7080 chassis: panPA-7080 object, OID:  .1.3.6.1.4.1.25461.2.3.34 ... View more

From CKPT's sk42315: "Based on the IKE debug, see that after the Main Mode key negotiation, the 3rd party VPN device deletes the phase2 SPI, and similarly after the phase2 key negotiation, it deletes the SPI. This is due to a difference in how Check Point and some 3rd party peers handle phase2 keys after a phase1 renegotiation. Check Point also deletes all phase2 keys for a specific phase1 SA after a phase1 renegotiation. Others continue to use the same phase2 keys until their normal expiry time. This causes something like a race condition where the tunnel will drop for about 10-15 minutes until the 2 peers can get SAs back in sync and the tunnel completes the negotiations. Solution This problem was fixed. The fix is included in: Check Point R77.10 Check Point recommends to always upgrade to the most recent version (upgrade Security Gateway). For lower / other versions, modify the settings on the Check Point Security Gateway to be consistent with the 3rd party settings. Proceed as follows: On the Check Point Security Gateway, run: ckp_regedit -a SOFTWARE/CheckPoint/VPN1 DontDelIpsecSPI_OnP1Del -n 1 Run cpstop Run cpstart Run the command cat HKLM_registry.data | grep DontDel from $CPDIR/registry and verify the output." ... View more

Hello, You might need a correlation logic, especially that you mentioned malicious behaviour on different layers (network, application), being able to investigate an extended time interval. Usually this correlation logic is implemented in a distinct product, SIEM like, with huge processing demand for running queries on logs and flows to get a security meaning from disparate events - the firewall's goal is mainly to prevent atomic attempts and the time-related features are compound signatures operating at application level, with session & transaction visibility, zone protection profiles and DoS protection profiles. There are rudiments of correlation logic in PANOS - Botnet report and the correlation objects recently introduced in 7.0, which are looking for indicators of compromise, but maybe it will be easier to rely on a SIEM product to correlate network and threat events during an extended timespan (how many network scans are passing under detection because they occur at large intervals - seconds) and to trigger blocking via scripting (dynamic groups or dynamic block lists used in firewall policies) - implementing the duration of temporary blocking might be a challenge too. Sorry for not providing an opinion with more practical value. ... View more

Hello! You should buy a spare pre-imaged HDD, PAN-PA-5000-SSD-120-IMG - there is no option to get a software image to be written to 3rd party SSDs. Please check https://paloaltonetworks.com/content/dam/paloaltonetworks-com/en_US/assets/pdf/technical-documentation/hardware-guides/pa-5000-series/SSD-Upgrade-Options-PA-5000_Series.pdf , Replacing a Failed SSD in a System with Only 1 SSD on page 8. ... View more