About drewdown

drewdown · ‎02-04-2020

Thanks that worked. How do I get a FEED BASE URL configured for this? The goal there is to reference the list of github IPs via an EDL.

drewdown · ‎02-04-2020

Did you manually add that or import it? If manually can you copy/paste the syntax used to create it? I tried to create a new miner using those same settings but it won't let me save it and I am not sure why. IE the OK box has a red circle with a line through it so I am doing something wrong.

drewdown · ‎02-03-2020

Thanks man, will configure and let you know how it goes.

drewdown · ‎01-29-2020

Still fighting this issue. I tried your self signed cert as well from github and now I get a different error message when attempting to authenticate to minemeld using that cert profile: description contains 'EDL server certificate authentication failed....Reason: SSL peer certificate or SSH remote key was not OK' Update: So I changed the URL to include the server name instead of the IP address of minemeld and that seems to have fixed it. I can see the IPs and URLs now and all is well again. So: https://minemeld.mydomain.com/feeds/o365-any-any-ipv4-feed vs https://10.10.10.1/feeds/o365-any-any-ipv4-feed First one works, second does not after generating the self signed cert on minemeld itself.

drewdown · ‎01-28-2020

More digging shows this in the logs although not sure if its relevant because I still can't get the list to populate: description contains 'EDL server certificate authentication failed. The associated external dynamic list has been removed, which might impact your policy. EDL Name: o365-IPv4-01, EDL Source URL: https://youriphere/feeds/o365-any-any-ipv4-feed, CN: please use a real certificate, Reason: unable to get local issuer certificate ( description contains 'EDL(o365-IPv4-01) No changes to authentication status, still failing. ' ) The cert I used was the godaddy one from the mine meld install walk through that you wrote @lmori : https://live.paloaltonetworks.com/t5/MineMeld-Articles/Connecting-PAN-OS-to-MineMeld-using-External-Dynamic-Lists/ta-p/190414

drewdown · ‎01-28-2020

As you can see the list is empty on the device but if I go to that URL it shows all the O365 IPs. I am also referencing it on a security policy but it still won't populate. I am using Panorama to do this if that matters, youandme@fw3060-678876(active)> request system external-list show type ip name o365-IPv4 o365-IPv4 o365-IPv4-01 o365-IPv4-01 o365-IPv6 o365-IPv6 <name> <name> admin@fw1-3060-qts(active)> request system external-list show type ip name o365-IPv4-01 Server error : external dynamic list file either empty or not found https://youriphere/feeds/o365-any-any-ipv4-feed 101.28.252.0-101.28.252.255 103.9.8.0-103.9.11.255 112.25.33.0-112.25.33.255 115.231.150.0-115.231.150.255 123.150.49.0-123.150.49.255 123.235.32.0-123.235.32.255 125.65.247.0-125.65.247.255 139.217.17.219-139.217.17.219 139.217.19.156-139.217.19.156 139.217.21.3-139.217.21.3 139.217.25.244-139.217.25.244 139.219.145.0-139.219.145.31 139.219.146.0-139.219.146.255 139.219.156.0-139.219.159.255 139.219.16.0-139.219.16.31 139.219.17.0-139.219.17.255 139.219.24.0-139.219.27.255 168.63.252.62-168.63.252.62 171.107.84.0-171.107.84.255 171.111.154.0-171.111.154.255 ..............

drewdown · ‎01-28-2020

I want to feed o365 IPv4/URLs into external dynamic lists and reference them in policies using those EDLs as source and or destination objects. I configure the cert profile as well and I when browse to the URL in question I get a list of IPs but for whatever reason it doesn't look like PAN is creating the list correctly. IE its blank. I guess I would want to use the o365-worldwide-any-miner ?

drewdown · ‎01-28-2020

Weird because now that I am looking at this seems my external lists referencing mine meld are blank. So something is amiss. Either I have an older version of feed/nodes or something else entirely. I had set this up awhile ago and just assumed it was running. Some of URL references were simply https://youriphere/feeds/office365_IPv4s , was that used at one time? I went ahead and re-imported the configuration from the how-to and I can see it populating data. But my external mine meld dynamic IP lists are still blank. I tested source URL and it comes back successful but still seem to missing something. Basically I want to allow all O365 IPs on a specific policy via source IP using mind meld. Is this the way I would do that? Specific policy referencing mine meld external dynamic IP list as the source or destination?

drewdown · ‎01-28-2020

Here you go: VERSION: 0.9.52 O365-40.92.0.0-15

drewdown · ‎01-28-2020

Seeing an issue using minemeld and O365 IPs and not having the same IPs that Microsoft is advertising that need to be allowed. Is there any easy way to confirm what is there and and what isn't via minemeld? I've been using for awhile but only now did I notice that some of the CIDRs aren't coming across via minemeld.

drewdown · ‎01-21-2020

Can you share the syntax you used to do this? Thanks

drewdown · ‎01-21-2020

Little confused on how I actually do this. I want a list generated on minemeld from the following page: https://api.github.com/meta How do I go about making it so that list is referenced via a policy to allow github APP to that list of IPs? I am already using minemeld for o365 but that was canned and this isn't. Appreciate any help anyone can provide. Thanks

drewdown · ‎01-21-2020

With dest as any is there a downside to it? Meaning if it is set to ANY is it going to match and allow before it sees github or an IP related to github? No interest in manually entering all of those and I want to lock this down. I do use minemeld for o356 URLs but its been awhile since I did anything with it. Got a link to how I can configure it to pull github IPs? Edit I changed the dest to ANY and its still denying SSH to 'lb-140-82-114-3.iad.github.com' eventhough I have that policy to allow *.github.com. Honestly now that I look at it I don't know whats going on because before I made any changes it appears it was allowed sometimes and not others to same URL/IP over ssh. Anything before 7:11 was locked down to destination, the 7:11 attempt was just using the URL category with destination as ANY. Also it seems I went over this before and URL Category ONLY works http/SSL traffic and not SSH so I have to either allow github to ANY, configure all those IPs or use minemeld. For all the cool features PAN has somethings leave a lot to be desired.

drewdown · ‎01-21-2020

Hi..I want to be able to allow a specific set of apps to *.github.com. To do this would I simply specify a custom URL with *.github.com and destination of ANY? That would then only allow those apps to *.github.com? I ask just because I am wary of having the destination as ANY and not clear on which takes precedence. Currently I have it locked down to destination IPs and FQDN of github.com but that doesn't always work because IPs change and some of the valid traffic gets denied.

drewdown · ‎11-25-2019

Yeah pretty much. I think this thread has run its course, thanks everyone for the insight.

drewdown · ‎11-25-2019

Again I get all that and I don't expect it to be perfect but when I want to allow CURL and to do-so I need to allow google-base that can be confusing to me and I am sure others. Granted PA does make it easy to see what its doing and allow the appropriate app-id.

drewdown · ‎11-19-2019

I get the whole concept and I am using app-ids on the permit statement and denying everything else across this environment so its not that. What I didn't get is that if I did that and didn't allow whatever traffic pattern was being matched it would be dropped. I assumed, albeit incorrectly, that if I allowed 80/443 and curl uses 80/443 and there is no 'curl' app-id it would be allowed.

drewdown · ‎11-18-2019

I wish I could remember what our PA rep told me about actual application-id adoption rate, but it was something paltry at best across the board. Either way I know how to configure them and I think you missed the point of my argument. Which was why is curl being classified as google-base? I was also simply asking how to allow 80/443 and NOT classify the traffic at the same time. Whether I do that or not is really up to me.

drewdown · ‎11-18-2019

Yeah that is pretty much it. I understand it now but I guess I was just assuming if I allowed 80/443 via 'web-browsing' then it would allow all 80/443 and not try and match the traffic to a specific application-id. Having only recently gone to 8.1 and this being a new deployment using the same thought process as the previous ones it was odd to me that it broke a fair amount of connectivity based on not allowing whatever APP the PAN was classifying it as. For instance users were trying to curl www.google.com and the PAN was classifying that as 'google-base' but I would never equate curl to google-base (no curl app-id) so I would have never allowed it. Its only when I looked at the logs I saw what it was doing and once I allowed google-base the curl commands worked. Anyways if I wanted to allow outbound 80/443 and not match any application how would I do that?

drewdown · ‎11-18-2019

I use both but running into an issue with Lab specific traffic where I will allow a list of applications with service set to ANY but the PAN classifies some 443 traffic as (for example) 'windows push notification' or 'soap' but I am not allowing either of those APPs so it drops it. I am allowing web-browsing and windows push/soap both use tcp/443 so it seems to be classifying 443 traffic as any application that may or may not use tcp/443. How do I get around having to allow every application that may or may not use 80/443 or any other ports for that matter? I tried setting it to application-default but it still seems to be happening. Not doing any SSL decryption. What is odd is this seems to be a new problem for me since going to 8.1 from 8.0 for the longest time. Not sure I have run into this before and presently managed roughly 10 HA pairs of PANs across our environment.

drewdown · ‎09-24-2019

@MichaelShelton I changed the zone names on the FW to all lowercase and committed it but when I did that the tunnel between that FW and our on-prem FW went down. I had to bounce the tunnel to get it passing traffic again....odd but whatever. As far as the logging goes I am not logging anything to Panorama on the FW. Those 'Test-Alerts' are configured on the Panorama and pushed to my other managed PANs. On the FW I am trying to import logging is only set to 'Log at Session End' and Forwarding set to 'none' on every policy. Are you are saying to disable the log settings on the 2 shared POST security policies on the PANORAMA? This stuff is so cryptic, sometimes I love PAN and other times I want to beat it like a red headed stepchild.

drewdown · ‎09-24-2019

We have a handful of standalone PAs that we want to import into Panorama. However in our first interation it failed with the following errors and I am not sure why. The entire process isn't made clear to me either via PA (like a lot of their stuff but I digress) so I was wondering if anyone has done this and can help point me in the right direction? Commit/validation fails on the following items on the firewall after import/export back to it from the Panorama: Validation Error: log-settings -> profiles -> Forward to Panorama and Email -> match-list -> test-Alerts -> send-email 'Test Alerts' is not a valid reference log-settings -> profiles -> Forward to Panorama and Email -> match-list -> test-Alerts -> send-email is invalid log-settings -> profiles -> Forward to Panorama and Email -> match-list is invalid log-settings -> profiles is invalid log-settings is invalid shared is invalid rulebase -> security -> rules -> outbound-block-all -> from 'trust' is not an allowed keyword rulebase -> security -> rules -> outbound-block-all -> from 'trust' is not a valid reference rulebase -> security -> rules -> outbound-block-all -> from is invalid rulebase -> security -> rules -> outbound-block-all -> to 'untrust' is not an allowed keyword rulebase -> security -> rules -> outbound-block-all -> to 'untrust' is not a valid reference rulebase -> security -> rules -> outbound-block-all -> to is invalid rulebase -> security -> rules -> untrust-block-all -> from 'untrust' is not an allowed keyword rulebase -> security -> rules -> untrust-block-all -> from 'untrust' is not a valid reference rulebase -> security -> rules -> untrust-block-all -> from is invalid rulebase -> security -> rules is invalid rulebase -> security is invalid rulebase is invalid vsys is invalid devices is invalid In VSYS vsys1 from zone trust of type unknown and to zone untrust of type unknown are incompatible in security rule outbound-block-all Configuration is invalid 2 errors when trying to do this, both of which appear to be originating from the PAN > FW. The first one is a log setting on the 'outbound-block-all' rule on the PAN. That specific log settings doesn't exist on the FW. Again same rule that is already on the PAN in 'Post Rules,' its shared between all of our existing DGs on the PAN. The only difference between the zones on the FW and the PAN is the first letter is capitalized which I assume is why it chokes? I changed the zone names to match on the FW but not sure what to do about the log/email settings? Also not sure why its complaining about 'shared' as well.

drewdown · ‎07-10-2019

Welp PA support managed to figure this out. The issue was when we RMA'd the m-100 and imported the configuration the serial number for the log-collector changed and therefore it stopped showing the logs eventhough the FWs were sending them. What is odd is the 'log-collector' is the PANORAMA itself and we had to re-import the configuration to get back to square 1. It took PA 3 weeks to figure this out and I caution anyone who has a Panorama to tread lightly if and when it dies and you have to RMA it.

drewdown · ‎07-08-2019

I saw that article along with every other PAN tech document regarding this and none of it fixed our issue. Going on 2 weeks with no resolution from PAN support and having it escalated. I know they are human but we aren't paying a grip for these as well as support to not get resolutions to our problems. We are going on a month of issues with our M-100 and still aren't where we were prior to having these issues. I don't anyone that would be ok with this, would you?

drewdown · ‎06-27-2019

Woes with RMA M-100 continue. Sometime yesterday logs stopped showing up on our m-100 and no idea why. It was working after we restored the configuration but stopped yesterday. I can push policies to the FWs and as far as they can tell they are forwarding logs to Panorama but I simply don't see them there. I cannot manage the firewalls from the PAN itself but they show as 'connected.' It seems to be a registration or handshake issue between the panorama and all my firewalls. We have a case open with support and of course they got no idea why its happening. I swear PA support is the absolute worst and although they make a good product it completely blows when it doesn't work because its almost impossible to find out on your own or with their support why its not working right. Has anyone seen this problem before? If so what was the fix?

drewdown · ‎06-20-2019

Which is what I had prior but that didn't get migrated. I eventually downloaded AV/Apps and threats and installed the latest version on the PANORAMA. Once I did that the 'Predefined IP lists' showed up and I could referrence them in the shared policies. Whats odd is that I logged back in Panorama today and neither of the antivirus or apps that I installed yesterday are showing as 'installed.'

drewdown · ‎06-19-2019

I had to RMA our m-100 and when I did that I lost the external dynamic lists on the PANORAMA itself. They are still locally on the managed FWs but I cannot referrence them on the Panorama. Of course that broke all outbound traffic because the top rule to block all traffic to those lists wasn't matching anything on the destination side (thanks PAN support). I disabled those rules and it fixed the problem but know I need to know how to either referrence those lists or get them configured and or imported into Panorama. I had this working prior but I don't remember how. Edit: My specific problem is from the new m-100 when I try to add a 'Predifined IP List' the drop-down in the 'Source' is blank. Whereas on the previous m-100 it shows the 2 IP and domain lists.

drewdown · ‎06-19-2019

Whatever you do make very sure that all of your objects and policies move. I just went through RMA'ing an M-100 and PAN support was anything but convicing walking me through the migration. The biggest break was the external dynamic IP lists not migrating or not showing up on the new Panorama so the rules referrencing them just referrenced ANY and it broke all outbound traffic. Why or how those lists are missing is beyond me.

drewdown · ‎06-13-2019

I see that but still can't seem to find a way to move the existing logs from current PAN to the new one? Or I just start fresh and lose all that historical data? All of our logs are local the existing M-100. Do I have to move the logs off and then phsyically move the RAID disks from the failing one to the new one?

drewdown · ‎06-13-2019

We had to RMA our m-100 Panorama and now I want to replace the failing one with the new one but for the life of me can't seem to figure out the steps to do that. The link from this page: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClNMCA0 is broken and support has been less than helpful. Has anyone done this before and if so how did you do it? I would want whatever logs moved over as well as the config and licenses and I would think there is a walkthrough somewhere but have yet to find it.

Date Registered	‎08-20-2015 10:23 AM
Date Last Visited	‎02-06-2020 10:59 AM
Total Messages Posted	98
Total Likes Received	11

Online Status	Offline
Date Last Visited	‎02-06-2020 10:59 AM

Strata

Prisma

Cortex

About drewdown