Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Get Started
- News & Events
- Collaboration
- Education Services
- Technologies
- Next-Generation Firewall
- GlobalProtect
- Threat Prevention Services
- Endpoint Protection
- SSL Decryption
- App-ID
- Content-ID
- User-ID
- 5G
- IoT Security
- Cloud Identity Engine
Network Security
- Prisma Access
- Prisma Cloud
- Prisma SD-WAN
- CN-Series
- VM-Series:
- Alibaba
- AWS
- GCP
- Azure
Cloud Security
- Cortex XDR
- Cortex XSOAR
- Cortex Data Lake
Security Operations
- Resources
- COVID-19 Response Center
About ShaiW
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- LIVEcommunity
- About ShaiW
Sunday
47Posts
8Likes
4Solutions
Jun 13, 2021Last Visited
User
Activity
User
Profile
Latest posts by ShaiW
| Subject | Views | Posted |
|---|---|---|
| 151 | 3 weeks ago | |
| 124 | 3 weeks ago | |
| 217 | 3 weeks ago | |
| 132 | 04-28-2021 10:57 PM | |
| 393 | 04-26-2021 11:01 PM |
My Liked Posts
| Subject | Likes | Posted |
|---|---|---|
| 1 Like | 07-08-2020 07:10 AM | |
| 1 Like | 03-23-2020 05:05 AM | |
| 1 Like | 10-07-2020 04:19 AM | |
| 1 Like | 10-07-2020 10:31 PM | |
| 1 Like | 07-26-2020 10:38 PM |
Posts I Liked
| Subject | Likes | Author | Latest Post |
|---|---|---|---|
| 1 Like |
User Badges
Community Statistics
| Member Since | 10-12-2015 06:29 AM |
| Date Last Visited | Sunday |
| Posts | 47 |
| Total Likes Received | 8 |
3 weeks ago
Hi Please verify that the certificates do not exceed 825 days validity (from not-before until not-after). Reference: https://support.apple.com/en-us/HT210176 Shai
... View more
3 weeks ago
Hi
The firewall's MGT port is Out-of-Band - it is used for you connecting to web-management only and for the firewall to update itself. This port does not pass network traffic.
Data ports (eth1/1-eth1/8) - these pass network traffic. For this to work you need in & out ports:
1. Set up 2 Layer-3 Ethernet ports, one for LAN and another for WAN (for example). The firewall needs to pass traffic between 2 data ports.
2. Assign each data port a zone, for example 'trust' zone for LAN and 'untrust' zone for WAN (this will be used in policy)
3. Assign IPv4 for the data ports. For example 192.168.10.254/24 on eth1/2 and the default GW for LAN computers is 192.168.10.254 which the firewall will receive. For the WAN port - this is usually details about your ISP connectivity to the internet.
4. Policy (Security & NAT) to allow traffic LAN to WAN and to perform NAT if necessary. Make sure 'log at session end' is selected in the actions tab.
5. Create an account on https://beacon.paloaltonetworks.com, search for edu-110 and register for 'Firewall 9.1 Essentials: Configuration and Management' - this should be 13 hours long and will teach you firewall basics.
Hope this helps,
Shai
... View more
3 weeks ago
Hi
Kindly take a look here:
https://support.apple.com/en-us/HT210176
"TLS server certificates must have a validity period of 825 days or fewer (as expressed in the NotBefore and NotAfter fields of the certificate)"
and check if you use a certificate that is issued to more than 825 days - if so, generate a new one and test.
Also use GP version 5.2.6 - there is a possibly related issue fixed in it.
Shai
... View more
04-28-2021
10:57 PM
Hi Try this set device-group dg1 pre-rulebase security rules rule1 profile-setting group spg1 And a little more info about how to find set commands: 1. make this configuration on the web-ui and give it an unique name 2. on ssh type 'set cli config-output-format set' -> configure 3. now just type 'show' and search for your unique string, or type 'show | match spg1' (as in my example) Shai
... View more
04-26-2021
11:01 PM
Hi Start on the client, check the \Program Files\Palo Alto Networks\GlobalProtect\PANgps.log - you should see if the client is (or not) trying to connect via IPsec, or falling back to SSL. You can also check if the client does not have anything blocking outgoing IPSEC from his location/s. On the firewall - kind reminder that this traffic usually is source=internet zone; destination=internet zone and that the default rule here is Intrazone default (2nd from last rule). Also these rules by default do NOT have log at session end enabled so this could be why you do not see logs. You have not written the loopback assigned zone name - this will impact which rule is being hit. You can also try a packet capture on the firewall - filter by a single test client source IP and see what ports exactly are being received. If you are using a loopback because you want GP to listen on a different IP than the Interface default, for example the Interface is 203.0.113.20/24 and you want GP to listen on 203.0.113.55 - just add this IP in the IPv4 tab of the ethernet1/x (which will now show 203.0.113.20/24 and 203.0.113.55). This way you will be able to select this IP and Ethernet in the GP configuration pages and not use a loopback at all. Hope this help, Shai
... View more
04-26-2021
04:43 AM
Hi You have 2 options that I can think of: 1. you can open a support ticket of type 'admin' and they can assist 2. in the support portal under Members -> Create new user - you can create yourself a new account with the correct email address. Once created you can go to Manage Users and reassign it any 'roles' you want or even remove the roles for the old user (after you can successfully use the new one - so you are not locked out) Shai
... View more
10-07-2020
10:31 PM
1 Kudo
Hi All of the items in the Objects tab do not have any affect on traffic if they are not attached to Policies. This includes Decryption Profile/s. 1. So - the File Blocking (FB) Profile must be attached to a security rule. 2. I highly recommend splitting your issue into two parts, get FB working then tackle Decryption. For FB I would recommend you try to download this test file from Palo Alto as it uses the HTTP protocol hence no need for decryption, yet. http://wildfire.paloaltonetworks.com/publicapi/test/pe (This is an anti-virus test file, it will probably get blocked by AV software but it does not matter as all we want is for it to download or get blocked by the filewall) If you see it blocked and logged under Monitor-> Data Filtering - it means FB is working for non-encrypted traffic. Continue to enable Decryption: 3. For Decryption you really should read the above mentioned articles and notes by @BPry as enabling it requires: 3a. Generating Decryption Certificates on the firewall, self-signed for testing or Corporate CA signed (much preferred) 3b. Having them in all computers, trusted root certificate store 3c. Creating a Decryption Policy under Policies->Decryption: for testing start with: Source Zone Internal (or whatever you named it) Dest Zone External (or whatever you named it) Service: service_http + service_https Action: Decrypt Type: SSL Forward Proxy Decryption Profile: is optional 3d. In some older PANOS versions you must also allow in Security rules Application=web-browsing & service=service_https (this is not the default, hence needs adding). * This might look like easy 4 steps but trust me - it isn't. Lastly, log into the learning center at: http://education.paloaltonetworks.com/learningcenter Search for EDU-110, register for it for free and start watching this online training about the NGFW, but note that the training center is being moved you might be redirected to the new training site in a few days. Shai
... View more
10-07-2020
04:19 AM
1 Kudo
Hi Here are a few tips I hope will help: 1. In the blocking profile put EXE & PE together (portable-executable), direction=download, action=block, application=any (test then change as needed) make sure this is the only rule in the file blocking profile, or the top rule if other file blocking-alert rules exist. 2. Try to use a non-https protocol either FTP or HTTP as HTTPS will require you to use SSL decryption that you did not state if you were using or not. 3. I assume you checked traffic was hitting the rule that has this profile attached to it. Shai
... View more
07-27-2020
11:29 PM
Hi User-ID works by monitoring the security event log for logon events (Event ID 4624 and a few others). Non-domain computers will not have such an event, so no mapping. For these cases the easiest method is for you to set up Captive Portal. Put simply: when they try to open a web page it reaches the firewall which does not see a IP-to-User mapping and redirects the browser to a landing page on the firewall requesting credentials, these in turn get authenticated via your LDAP profile to a DC and added to the mapping table. Some notes: 1. IP's instead of usernames usually means no IP-to-User mapping for that IP address. 2. Use this command in SSH to the firewall 'show user ip-user-mapping all'. It will help debugging as this is the current known IP-to-User mapping 3. In the User-Identification window increase the cache timeout. The default is 45 minutes and is too short in my opinion. I use 300 minutes. This controls when a record is removed from the mapping table if no more updates from that IP address. 4. You can add Security policies with user type 'unknown' and also Authentication Policies to handle unknown users and what they can or cannot reach in your network. 5. You can also user Exchange Monitoring instead of, or in addition to, Captive Portal. Outlook keeps a connection to Exchange and this might be even easier to set up and detect that Captive Portal. Hope this helps,
... View more
07-26-2020
10:38 PM
1 Kudo
Hi @reaper Depending on the type & implementation of course: I mean that a proxy can hide the source IP of the user. An upstream firewall will see all web traffic originating from the proxy.
... View more
07-26-2020
04:12 AM
Hi Palo Alto NGFW does: 1. URL Categorization - you can allow and deny categories or specific URLs 2. SSL Decryption, man-in-the-middle, to allow HTTPS traffic decoding which is critical to enable for item #3 3. Scanning Profiles - Antivirus, AntiSpyware, Vulnerability, Wildfire Palo Alto NGFW does not act as a proxy-cache and does not hide Users behind it and does not do WAF. If you can live with the above pros and cons - it is up to you what you choose. Hope this helps, Shai
... View more
07-19-2020
07:23 AM
Hi I don't see that IP Address is a known variable in the URL filtering response page, if you want to try or just want the HTML file layout, download the current block page and edit it, then re-upload it: 1. Device->Response pages->click on 'URL Filtering and Category Match page' 2. Select predefined then 'export' 3. open text file with editor then import back. 4. Imported file will be called 'shared' and will be used. Take a look here for more info and the https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-web-interface-help/device/device-response-pages https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/url-filtering/customize-the-url-filtering-response-pages.html Hope this help, Shai
... View more
07-19-2020
07:07 AM
Hi The firewall analyzes the traffic for each session. Let's say you browse to facebook-chat, your session starts with port 443 and the firewall finds a matching rule with application=any and service=tcp/443. When more session-data flows we see the application as facebook-base and search again for a rule this time matching application=facbeook-base - this is called application shifting. My guess is the firewall sees some traffic on your rules but the final rule allowing or denying the application gets the 'hit' count increase. Hope this help, Shai
... View more
07-15-2020
04:16 AM
Hi, Just wanted to let you know that GlobalProtect for Linux requires GlobalProtect License on the firewall hosting GP. A GlobalProtect License activates all of these: Linux client iPhone & Android HIP Globalprotect Clientless Shai
... View more
07-08-2020
07:24 AM
1 Kudo
Hi You can use Captive Portal for this. When he opens a web page and is on an unknown IP he will get redirected to a firewall hosted captive portal and asked to authenticate. Another option: If your customer can live with a GlobalProtect client software on his laptop - you can configure a GlobalProtect Internal Gateway. The client software will connect to the internal gateway but without IPsec and because GP is a source of User-ID - this could solve your problem. Just don't forget to add a PTR DNS record in the internal DNS server - this is 'Internal host detection'. Shai
... View more
LEGAL NOTICES
Copyright 2007 - 2021 - Palo Alto Networks
