Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Live
- ›
- About inzamam.shahid
About inzamam.shahid
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
10-18-2016
05:40 AM
Hi, Thanks for the info. I am not sure why it is only this website, but I think I have found out where the issue may lie. I think it may be a routing issue in the network, which needs to be corrected. I will let you know if that resolves the issue.
... View more
10-14-2016
09:07 AM
Sorry for the delay in my reply. I do not think this is ISP issue. As there are two firewalls for two sites and the other site with the same ISP is working. I have uploaded the following snips: tx_capture - is the transmit packet capture fw_capture - is the firewall packet capture rc_capture - is the recieve packet capture
... View more
10-10-2016
04:58 AM
Greetings, I hoping you guys can help me with getting to a website called "https://www.labeebyacademy.co.uk/". When a user tries to go to this website it does not load. When going through my other firewall of the other site it works fine. I have tried several things on the firewall, but this still fails to load. The website resolves to 46.37.179.197. I have PCAPs on this from the firewall. I have tried several things from the firewall: -Tried creating an allow all policy for one IP -Checked the correct NAT policy is being applied -dropped the MTU size on the external interface to various values, but this made no difference -disabled the decryption rules Now I have come to the stage of doing the pcaps from the firewall. I do suspect this to be an MTU issue. I am not sure if reducing the MTU on the external interface was correct. I have uploaded the PCAPS here hope you guys can advise further. Many Thanks,
... View more
10-04-2016
03:05 AM
Greetings All, I know that we tend to recommend PAN-DB over BrightCloud, but in this instance I have a client who prefers to use BrightCloud. Can someone please confirm how to migrate over correctly. This use to be available in the following link, but now I do not have access to it for some reason: https://live.paloaltonetworks.com/docs/DOC-5554
... View more
09-23-2016
06:41 AM
1 Kudo
I think I resolved this now finally. There is no natting happening over the VPN. Natting is happening after the traffic has gone down the VPN and then going out the external interface of the FW. To resolve this I had to do numerous packet captures and have dropped the VPN at either side to 1200 MTU and set service to any on the FW that is directly connected to the Aruba controller.
... View more
09-22-2016
03:16 AM
Hello, I have done some PCAPS on this and can see that the three-way handshake does complete. After the three way handshake the connection is being reset from the destination, the three way handshake happens again completes and the dest then resets the connection again. I am trying to get a capture from one of the working sites so I can compare how the packets are being handled, but do you know why trying to send traffic down a VPN tunnel why would the dest reset the connection?
... View more
09-20-2016
07:02 AM
1 Kudo
PAN TAC have advised that this is a bug in the code and is due to be fixed in version 7.1.6 🙂
... View more
09-20-2016
06:33 AM
This is what I am failing to understand on why it is hitting that deny rule. That deny rule is number 800 in the rule set. The commvault rules are 600 in the rule set. In the screenshot, that I provided "commVault Media Agent to Ping" & "New Backup Networks" are basically any any rules just set to specfic IP's. They let any application over any service go through. I have checked the correct zones and IP's are in the rule. When I do a a security policy match from the CLI, the rule matches rule called "NEW BACKUP NETWORKS-app" so I do not understand why unknown-tcp is being hit.
... View more
09-20-2016
04:12 AM
Please see traffic log and the rules that have been created for this. Please let me know if you guys believe this is correct and if the support route still needs to be followed.
... View more
09-19-2016
01:58 PM
Hi Guys, I hope you guys can help with classifying unknown traffic. I have read many forums for this topic none of which answer my specific question. I understand that should create a custom app if your application bespoke and it is unlikely that an APP-ID would be created. However, I am expereincing an issue with an application called "commvault" the firewall already recognises this app, but my rule does not work as the traffic is being identified as "unknown-tcp" I do not understand if the firewall already reconises this app why is this being recognised as unknown. Can you also share with me the correct procedure of getting the traffic classified as "commvault" application? I already have PCAPS from the firewall, but do not know where this should be raised. Many Thanks,
... View more
09-19-2016
01:46 PM
Thanks for the reply again. We have tested with IPsec enabled and the performance improved significantly. This, however, does not solve the problem as if the client cannot establish an IPsec connection, it will still use SSL as a fall back method and then the client will still experience the issues reported. I have now raised this upto TAC as I see no reason why SSL-VPN should de-grade performance, have not come across anything on the live community that supports this and have not found an PAN guide that supports this either. I will let you guys know when the issue has been sorted.
... View more
09-16-2016
06:17 AM
I have been doing some more testing on this and I do not think QoS may not be the solution. I haven't had to apply any QoS to other global protect deployments. I tested with another SSL VPN solution "SoftEther VPN" which is no longer in development, but is fine to use in a test. I thought this would be a good test of QoS, as surely this SSL VPN would suffer the same issues. I did smiliar test with the Softether VPN so moving big files from my laptop, downloading and streaming video. Here is the results from my tests: No VPN: Download 62 Mbps Upload 18.5 Mbps SoftEther: Download 59.6 Mbps Upload 15.9 Mbps Global Protect: Download: 35 Mbps Upload 16 Mbps As you can see, the upload seems fairly good, as it always has, but the download is quite significant. Around 3.8% overhead on the SoftEther connection, which I'd expect as normal overhead for a VPN. However, the Global protect shows around 43.5% losses / overhead, which seems high. Any file transfer, downloads and video streaming with SoftEther VPN remians steady with no drops, and no large difference between ethernet speed and PANGP adapter and it is not having any retransmission problem either. With this info do yout think we still need to implement QoS on the firewall? I have come across the following info with regards to speeds of SSL VPN: https://live.paloaltonetworks.com/t5/Learning-Articles/Why-is-GlobalProtect-Slower-on-SSL-VPN-Compared-to-IPsec-VPN/ta-p/61920 Would like to know your thoughts on this inlight of the above info.
... View more
09-08-2016
08:47 AM
Thanks for the reply. I have dropped the MTU sizess at both ends of the tunnel to no ovail. I have tried 1350, 1300 & 1200. The same values were set at both ends of the tunnel each time. I looked into the TCP MSS feature and it looks like it needs to be applied to the physical interface and not the tunnel. Just to clarify are you suggesting that we set an MTU size like 1300 on the tunnels and then set TCP MSS to 1500 to the external interface with the GP config.
... View more
09-08-2016
02:16 AM
Thank you for the reply. Can you explain the setting for setting gurantees for the VPN connection is there any guide that explains how to set this up exactly? I am also considering the QoS setup, but just want to know which one would work better.
... View more
09-08-2016
02:06 AM
Greetings, I wish to run an issue that one my sites is experiencing with a site to site VPN. The issue that is experienced is that some applications mainly mail application will show up in the logs as incomplete. I will aim to give you the full picture of this so you can understand the setup and hopefully advise of a solution. (Working Site)SITA A – Aruba controller that has a site to site VPN connection to a PALO. Between the PALO and the Aruba controller there is a MPLS network for this site. The applications are identified correctly and everything is working fine. This site uses a 10.10.x range for clients. The traffic is NATTED correctly and no asymmetric routing is detected. (Not working site)SITE B – Aruba controller is physically connected to a PALO, which has a site to site VPN connection to another PALO through an MPLS network. The application here get identified as incomplete when they hit the first palo which is directly connected to the Aruba controller. This site uses a 10.11.x range for clients, the traffic is NATTED correctly and no asymmetric routing is detected. It just some applications get identified as incomplete. I have dropped the MTU size between the tunnels and this has made no difference. I have compared the traffic range of 10.10 and 10.11 and both are the same, but 10.11 shows the traffic as being incomplete. I have created an any any rule for a test user and still it does not work for them. I have tried to use application over ride, but application does not work correctly. Just want to know if you guys have similar problems and hopefully can advise me going forwards. I can draw up a quick network diagram if required. Many Thanks,
... View more
09-08-2016
01:25 AM
Greetings, I am not sure if someone else has come across this issue before with global protect and just wanted to run by some of you guys. The issue that I am having with GP is that it randomly disconnects. The VPN connection perform fines when under relatively light load with no issues or disconnects. The issue arises when you begin to push the limits of the connection speed. This issue has been going on for a while and I am no wiser on how to solve this. When it first started my broadband connection was 6mb down and 1mb up that was a normal connection without the VPN. When connected on the GP the connection would show 3mb down and 1mb up. In this scenario, checking mails, general web browsing were fine, but doing something like adding a video to a skype call would cause the connection to drop, as it was too near the upper bandwidth for it to handle. I then changed my broadband provider to rule that out of the equation. I went to a fibre connection, which a speed test showed 60 and 70mb down/18mb up. The same problem is still there, but because I have raised the threshold of the what stresses the connection, I can now skype video etc without issue. However, if I were to download a large file from the web, or copy large files from a file server, the problem still remains. One of two things will happen. Either A) the connection will slow significantly. During this period, you can see that the outbound traffic on the local adapter is often 2-3 times higher than the traffic on the PanGP virtual adapter, due to the sheer volume of retransmits occurring. Or B) the connection will perform well for a minute or two, and then suddenly cut out. Sometimes it is a combination of the two, with reduced speed due to retransmits, followed by a cut out. Most of the time this does not affect me too much, because I do not move large files about. However, a couple of days ago I had to download a 2GB update, this led to disconnects every 60 – 120 seconds and made my machine unusable during the download time. I am not the only user who is experiencing this issue – I have spoken to other VPN users on different broadband providers having the same issue. The system log of PALO shows a connection released message. The logs on the GP client shows: Window session changed with state 4 user is switching off. user disconnected with state = 4 The version of GP we are using is 3.1.0, but experienced this issue on multiple other versions. Not sure what to do from here so if anyone can share some valuable knowledge/experience on this. Many Thanks,
... View more
08-16-2016
01:06 PM
We have configured a log card interface on one of our 7050 devices for submission to wildfire. This is not working. Our testing shows we cannot ping the default gateway conifgured on the interface. If we ping from the router, then no response is recived, but the packet count on the log card interface increases according for both recicieved and transmitted packets. Any ideas would be greatly appreciated.
... View more
08-15-2016
02:10 AM
Hi Guys, Just thought I should give you an update with regards to this issue, so I logged this with TAC and after the troubleshooting it has been concluded as a bug. I believe this bug is specific to us as we had three firewalls acting as User-ID agents for themselves and other firewalls. As we were not using this feature anymore we disbaled this and it bought the management CPU down. This is being tracked in bug 100988. If you would like anymore info please let me know.
... View more
07-22-2016
09:00 AM
Hello People, My client has receently upgraded to 7.1.3 and now the management plane is constantly running 100% on all firewalls. This is the following message displayed and filling up the userid.log 2016-07-22 16:43:38.660 +0100 Error: pan_user_id_agent_msgs_queue_msg(pan_user_id_agent_msgs.c:58): failed to insert msg into sending msg list We have restarted the user-id process, but that has not made a difference. Here is the output of show system resource follow: Khipu@VH-PA-3020> show system resources follow top - 16:57:59 up 4 days, 19:27, 1 user, load average: 0.59, 0.34, 0.39 Tasks: 109 total, 1 running, 108 sleeping, 0 stopped, 0 zombie Cpu0 : 71.3%us, 23.0%sy, 0.0%ni, 2.0%id, 0.0%wa, 0.0%hi, 3.7%si, 0.0%st Cpu1 : 58.8%us, 24.9%sy, 1.3%ni, 2.3%id, 0.0%wa, 0.0%hi, 12.6%si, 0.0%st Mem: 3850716k total, 3535912k used, 314804k free, 39776k buffers Swap: 2008084k total, 706888k used, 1301196k free, 1192424k cached PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND 13691 root 20 0 1990m 1.8g 117m S 171.6 48.4 29:16.95 useridd 3980 root 20 0 784m 46m 2756 S 14.6 1.2 682:57.29 logrcvr 10158 root 20 0 699m 55m 5428 S 1.3 1.5 14:23.74 mgmtsrvr 2338 root 30 10 18360 4864 2440 S 0.7 0.1 4:43.39 python 2278 root 0 -20 52896 9.8m 2788 S 0.3 0.3 8:25.44 masterd_apps 2296 root 15 -5 21664 3016 1660 S 0.3 0.1 18:26.08 sysd 3970 nobody 20 0 139m 3120 2260 S 0.3 0.1 36:37.83 appweb3 3979 root 20 0 69472 2432 2184 S 0.3 0.1 9:50.96 ikemgr 26387 Khipu 20 0 2532 1116 836 R 0.3 0.0 0:00.05 top 1 root 20 0 2084 600 572 S 0.0 0.0 0:02.87 init 2 root 20 0 0 0 0 S 0.0 0.0 0:00.00 kthreadd 3 root RT 0 0 0 0 S 0.0 0.0 0:01.36 migration/0 4 root 20 0 0 0 0 S 0.0 0.0 0:05.94 ksoftirqd/0 5 root RT 0 0 0 0 S 0.0 0.0 0:01.26 migration/1 6 root 20 0 0 0 0 S 0.0 0.0 0:07.95 ksoftirqd/1 7 root 20 0 0 0 0 S 0.0 0.0 0:15.46 events/0 8 root 20 0 0 0 0 S 0.0 0.0 1:00.75 events/1 9 root 20 0 0 0 0 S 0.0 0.0 0:00.01 khelper Khipu@VH-PA-3020> show system resources follow top - 16:58:58 up 4 days, 19:28, 1 user, load average: 0.58, 0.36, 0.39 Tasks: 110 total, 1 running, 109 sleeping, 0 stopped, 0 zombie Cpu0 : 71.1%us, 20.9%sy, 0.0%ni, 3.3%id, 0.0%wa, 0.0%hi, 4.7%si, 0.0%st Cpu1 : 56.1%us, 25.6%sy, 0.3%ni, 3.0%id, 0.0%wa, 0.0%hi, 15.0%si, 0.0%st Mem: 3850716k total, 3462776k used, 387940k free, 39976k buffers Swap: 2008084k total, 706840k used, 1301244k free, 1056956k cached PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND 13691 root 20 0 2063m 1.8g 117m S 171.2 50.0 30:58.85 useridd 3980 root 20 0 784m 47m 2756 S 14.6 1.2 683:06.00 logrcvr 10158 root 20 0 699m 55m 5428 S 1.3 1.5 14:24.19 mgmtsrvr 2296 root 15 -5 21664 3016 1660 S 0.7 0.1 18:26.21 sysd 2338 root 30 10 18360 4864 2440 S 0.7 0.1 4:43.46 python 26577 root 20 0 2164 720 592 S 0.7 0.0 0:00.02 ping 2278 root 0 -20 52896 9.8m 2788 S 0.3 0.3 8:25.52 masterd_apps 3960 root 20 0 760m 4316 2180 S 0.3 0.1 15:40.80 mongod 3970 nobody 20 0 139m 3120 2260 S 0.3 0.1 36:38.15 appweb3 3979 root 20 0 69472 2432 2184 S 0.3 0.1 9:51.05 ikemgr 3984 root 20 0 71716 1872 1544 S 0.3 0.0 2:18.80 l2ctrld 3993 root 17 -3 144m 4484 3200 S 0.3 0.1 1:58.73 routed 11443 root 20 0 13740 2592 1884 S 0.3 0.1 8:00.72 packet_path_pin 1 root 20 0 2084 600 572 S 0.0 0.0 0:02.87 init 2 root 20 0 0 0 0 S 0.0 0.0 0:00.00 kthreadd 3 root RT 0 0 0 0 S 0.0 0.0 0:01.36 migration/0 4 root 20 0 0 0 0 S 0.0 0.0 0:05.94 ksoftirqd/0 5 root RT 0 0 0 0 S 0.0 0.0 0:01.26 migration/1 6 root 20 0 0 0 0 S 0.0 0.0 0:07.95 ksoftirqd/1 Khipu@VH-PA-3020> show system resources follow top - 16:59:12 up 4 days, 19:29, 1 user, load average: 0.45, 0.34, 0.38 Tasks: 110 total, 1 running, 109 sleeping, 0 stopped, 0 zombie Cpu(s): 52.1%us, 15.8%sy, 0.1%ni, 25.4%id, 0.4%wa, 0.0%hi, 6.2%si, 0.0%st Mem: 3850716k total, 3530968k used, 319748k free, 40032k buffers Swap: 2008084k total, 706804k used, 1301280k free, 1106224k cached PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND 13691 root 20 0 2072m 1.9g 117m S 165.5 50.5 31:23.48 useridd 3980 root 20 0 784m 47m 2756 S 13.3 1.3 683:08.13 logrcvr 8804 root 20 0 43960 8552 2288 S 1.9 0.2 9:01.24 snmpd 1 root 20 0 2084 600 572 S 0.0 0.0 0:02.87 init 2 root 20 0 0 0 0 S 0.0 0.0 0:00.00 kthreadd 3 root RT 0 0 0 0 S 0.0 0.0 0:01.36 migration/0 4 root 20 0 0 0 0 S 0.0 0.0 0:05.94 ksoftirqd/0 5 root RT 0 0 0 0 S 0.0 0.0 0:01.26 migration/1 6 root 20 0 0 0 0 S 0.0 0.0 0:07.95 ksoftirqd/1 7 root 20 0 0 0 0 S 0.0 0.0 0:15.47 events/0 8 root 20 0 0 0 0 S 0.0 0.0 1:00.76 events/1 9 root 20 0 0 0 0 S 0.0 0.0 0:00.01 khelper 14 root 20 0 0 0 0 S 0.0 0.0 0:00.00 async/mgr If you could let me know how to reduce the CPU that would be great. Thanks,
... View more
03-21-2016
02:06 PM
Still does not work quite right yet as the few little niggles are still experienced.
The persistent option is not being used, but old “KIX32" scripts, AD user home drive and AD group policy preferences to see if there is more consistent results using one method over another. The worst problem still expereinced is the "welcome" screen (after logon but before desktop) waiting for ages (this has been longer than 20 mins). Currently assuming a timeout value may be showing me these results not sure where though ?
I can generally say that the drive mapping is working better since the change. Although sometimes it could be as bad as it was.
This has been tested with Windows 7 Pro OS. The version of GP is 2.3.4 of the global protect client.
The USER-ID-AGENT Security log Monitor Frequency (sec). is currently 1. The firewall is running version 7.0.5.
The long wait does not happen everytime sometimes everything works, sometimes it could take 20 mins plus to get to the desktop and whether fast or slow to the desktop the drive mapping are still very intermitten.
We have tried waiting longer than 2 min before logging into the machine, but this is still as intermitten as when I login in as soon as I am able to.
We have changed the policy to allow everything from one IP address range to another, no rule restrictions on USER/HIPS etc, but even having this is causing the same intermitten issues. Whilst, I was testing when the rule was allowing everything I saw the "ANY" rule be skipped and a lower down rule be hit, which does not look right. As there be's no reason to skip the "ANY" rule.
Any futher ideas to get this working would be greatly appreciated?
... View more
03-18-2016
09:39 AM
Testing this initially the results were looking good, but we have seen instances where things are not quite right. Basically, we have seen that once passed the login screen, at the welcome screen it could take 10 mins plus to get past it. Any ideas on how to improve this ?
The above issue was experienced after following the following link:
https://live.paloaltonetworks.com/t5/API-Articles/ Using-Pre-Logon-the-secure-way/ta-p/56819
Just to make it clear on how the above issues mentioned in this post was experienced.
... View more
03-17-2016
07:07 AM
Just to clarify on this, if a site is identifying user-to-IP mappings for the whole site then would having a User ID for GP clients start affecting other users? So basically, if we only included the VPN IP poorl ranges would this start affecting other users whose mapping is needed on the firewall?
... View more
03-17-2016
02:54 AM
Thank you both for replying.
This is for one of our customers so I'm not sure how the drives are being mapped. This was handed down to me.
Could you clarify the persistent parameter how is this configured and is there any documentation about this? Is this configured on the firewall ? The USER-ID agent or on the client PC. Sorry for asking these basic questions. I haven't come across this feature before so need the exact details.
... View more
03-16-2016
02:21 PM
Hi Community,
I just needed to run a niggling issue with some of you as we are experienicing with our global protect.
We have global protect to do pre-logon connection to the global protect gateway. Once the user is authenticated we except drives to be mapped. However, we are experiencing an intermitten random issue where sometimes all the drives are mapped fine, sometimes only some of them are mapped. We would like to improve the experience for global protect users.
When the users are connecting during the logon process it is hard to identify the parts of the logs which are relevant only to the drive mapping. The mappings are to integrated DFS servers.
Looking through the logs, once the user has logged in, there does still appear t o be a number of connections with no user against them, I believe these connections to be left over from the pre-logon connection before the user logged in (I may just be misreading the logs)
On the user-id agent would you recommending enabling the client probing would this actually help? Is there any other suggestions on what we can do to improve this experience.
Is delaying the way the drives are mapped should we delay the drive mapping process? Would this help and how can this be achieved?
Just putting this out there so we can get some ideas on this. Your help would be greatly appreciated. Please let me know if you need any further info.
Thanks
... View more
03-02-2016
02:32 AM
1 Kudo
I saw that today glad it got created it makes things much simpler!
... View more
01-22-2016
03:17 AM
Hi,
Has anyone used VYPR VPN. We are seeing users use this quiet a lot and they are bypassing the firewall to get onto whatever they want.
We have submitted to PAN to create an application for this as one does not currently exist, but we need to block this in the mean time. I know we can create a custom application for this, but I am not experienced enough to put in the details for this so it only affects that application.
Is creating a custom application the best way to block this or would anyone recommend another way ?
... View more
Labels:
11-17-2015
01:16 PM
I see lots of posts of how to install and use the migration tool, but can someone please provide steps on how to install it properly.
... View more
06-29-2018
29Posts
3Likes
0Solutions
Jun 29, 2018Last Visited
User
Activity
User
Profile
Latest posts by inzamam.shahid
| Subject | Views | Posted |
|---|---|---|
| 543 | 10-18-2016 05:40 AM | |
| 594 | 10-14-2016 09:07 AM | |
| 616 | 10-10-2016 04:58 AM | |
| 408 | 10-04-2016 03:05 AM | |
| 502 | 09-23-2016 06:41 AM |
My Liked Posts
| Subject | Likes | Posted |
|---|---|---|
| 1 | 09-23-2016 06:41 AM | |
| 1 | 09-20-2016 07:02 AM | |
| 1 | 03-02-2016 02:32 AM |
Posts I Liked
| Subject | Likes | Author | Latest Post |
|---|---|---|---|
| 4 |
User Badges
Public Statistics
| Date Registered | 07-30-2015 06:36 AM |
| Date Last Visited | 06-29-2018 08:24 AM |
| Total Messages Posted | 29 |
| Total Likes Received | 3 |
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
06-29-2018
08:24 AM
|
Latest Tags
No tags yet
Latest Blogs
Latest Posts
Copyright 2007 - 2020 - Palo Alto Networks
