About BLH

Hello Oasen,   I'm currently running PAN-OS 7.1.2 on a PA-200 and recently added Two-factor Authentication for administrator account logins using the Duo Security 2FA system.  Here's a link to the web site that describes how to set up 2FA with the GlobalProtect VPN.  https://duo.com/docs/paloalto   If you follow all of the steps from the beginning through "Add an Authentication Profile", you will just need to add the new DuoRADIUS Authenication Profile to the administrator accounts that you would like to have authenticated via Two-factor Authentication.   It works GREAT!   Kind regards, Jeff  ... View more

It will work on PAN-OS 7.0.4. You dont have to go in configure mode.   admin@fw63> set authentication radius-auth-type chap   Hope this helps!   Merry Christmas 🙂 ... View more

Hi, you can also search online for some nice videos from the  routehub i managed to see some good torrent files....sorry but it is a good practice to support the instructors because they have taken there precious time time to build that content. ... View more

Haven't tried applying it to such a scenario before, but you can use regex in address groups (and I guess could use that to block FQDN's ?) https://live.paloaltonetworks.com/t5/Management-Articles/RegEx-Pattern-for-FQDN-Address-Object/ta-p/60257   Edit: Missed the part about decryption. Anyway, above, for what it's worth. ... View more

We went through the same pain with two PA-2050 in a A/P cluster. At first commit times were around 3 minutes. After 3 years we waited 15+ minutes for a single commit.   I suggest to reboot some services on a weekly or even daily basis, it helps a little (really just a little!):   debug software restart device-server debug software restart management-server debug software restart web-server   That should free-up some memory for some time and commit times improve. However, I strongly suggest to upgrade to PA-3000 series. We now have two PA-3050 and commits just take ~30 seconds.  ... View more

Phonefactor works well - before Microsoft bought it. I don't know what state it is in now. But it was really nice...everyone has a phone now.... ... View more

Kirk, In your screenshot of the traffic log, the traffic you did see is hitting two different security policies - "P-SEC-allowedIP" and "Any-Out". Those are being logged. To check whether or not logging is turned on for a particular security policy, click the name of it to open its settings. In the Actions tab, you will see two check boxes, Log at Session Start and Log at Session End. I would make sure that one of those boxes is checked for any other policies that may be affecting traffic from your phone. If you're not sure which one(s) that might be, check them all. Per the documentation for 7.0, Start should be checked and End is unchecked by default. Once you're sure everything is being logged, you can filter for your phone's IP address again as the Source in the traffic log, and anything from your phone traversing the firewall to the internet should be shown. I would also do an OR and look for your phone's IP as the destination address as well, in case your requests are going out but the replies are not being allowed back in. ( addr.src in 172.20.6.111 ) OR (addr.dst in 172.20.6.111 ) Add the Action column to your traffic log view, too, and put it right next to Rule. That way you should be able to see what rules your tests are matching, and what the rule did with the traffic (allow, drop, reset, etc.) The Session End Reason field will also tell, e.g. policy-deny. Keep in mind, too, that security rules are evaluated in order from top to bottom, the first match wins. It is possible a rule higher in the list is taking precedence and blocking your traffic, despite your very permissive IS dept rule applied to that group. If you really need to dig in, there's always packet capture. Finally - don't forget to back up your current configuration before you start changing things, and don't forget to do a Commit to make changes take effect before testing. Dan ... View more

:Loving it so far, haven't tested all the new features but I do like the LLDP addition and forcing all traffic down the GP VPN. But I have had a few kinks with it, nothing serious though. ... View more

Thanks! at least I know I'm not going crazy .  Should I dare report this as a bug LOL. Thanks again for sharing. ... View more

this is resolved when you register the firewall. Unregistered firewalls do not provide logging. ... View more

The version 6 study guide has been posted. https://paloaltonetworks.csod.com/LMS/catalog/Welcome.aspx?tab_page_id=-67&tab_id=-1 Palo Alto Networks Certified Network Security Engineer (PCNSE) FAQ ... View more

Bump.. Anyone? ... View more

Thanks for update.Learned the behaviour on workstation with panos6 ... View more