This website uses cookies essential to its operation, for analytics, and for personalized content. By continuing to browse this site, you acknowledge the use of cookies.
For details on cookie usage on our site, read our Privacy Policy
For details on cookie usage on our site, read our Privacy Policy
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Get Started
- News & Events
- Collaboration
- Education Services
- Technologies
- Next-Generation Firewall
- GlobalProtect
- Threat Prevention Services
- Endpoint Protection
- SSL Decryption
- App-ID
- Content-ID
- User-ID
- 5G
- IoT Security
- Cloud Identity Engine
- Panorama
- AIOps for NGFW
Network Security
- Prisma Access
- Prisma Cloud
- Prisma SD-WAN
- Cloud NGFW for AWS
- CN-Series
- VM-Series:
- Private Cloud
- OCI
- Alibaba
- AWS
- GCP
- Azure
Cloud Security
- Cortex XDR
- Cortex XSOAR
- Cortex Data Lake
- Cortex Xpanse
Security Operations
- Resources
About ShaiW
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- LIVEcommunity
- About ShaiW
06-29-2022
79Posts
22Likes
12Solutions
Jun 29, 2022Last Visited
User
Activity
User
Profile
Latest posts by ShaiW
| Subject | Views | Posted |
|---|---|---|
| 393 | 04-12-2022 02:00 AM | |
| 614 | 03-01-2022 05:26 AM | |
| 1011 | 01-04-2022 11:36 PM | |
| 1078 | 01-04-2022 07:04 AM | |
| 1122 | 01-03-2022 10:56 PM |
My Liked Posts
| Subject | Likes | Posted |
|---|---|---|
| 1 Like | 11-04-2018 01:39 AM | |
| 1 Like | 01-03-2022 10:56 PM | |
| 1 Like | 12-04-2021 11:46 PM | |
| 1 Like | 11-13-2021 10:46 PM | |
| 3 Likes | 11-07-2021 01:05 AM |
Posts I Liked
| Subject | Likes | Author | Latest Post |
|---|---|---|---|
| 1 Like |
User Badges
Community Statistics
| Member Since | 10-12-2015 06:29 AM |
| Date Last Visited | 06-29-2022 03:04 AM |
| Posts | 79 |
| Total Likes Received | 21 |
04-12-2022
02:00 AM
Hi Why not try to read the registry value: Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Palo Alto Networks\GlobalProtect\Version? There is a custom section in the HIP objects screen. Shai
... View more
03-01-2022
05:26 AM
Hi The Expedition (Migration Tool) is now delivered as a script you run over an installation on Ubuntu 20.04 Server. The script will then install all that is needed. Kindly see this article: https://live.paloaltonetworks.com/t5/expedition/ct-p/migration_tool Under Get the Guides you'll see more in depth documentation. Hope this help, Shai
... View more
01-04-2022
11:36 PM
Hi The customer is still on PAN-OS 9 which does not support TLS 1.3 and all other web sites work fine. Its just yandex.com that does not. I am pretty sure it is not firewall related, more like a web-site issue. Shai
... View more
01-04-2022
07:04 AM
EDIT: This web site starts working if I change max version to TLS 1.3 (under decryption profile) and stops working when I set it at TLS 1.2. No other changes are made. This feels like a specific web-site issue more than a firewall one.
... View more
01-03-2022
10:56 PM
1 Kudo
Hi I have a customer that wrote to me yesterday that if they remove the checkbox for Strip ALPN while having SSL decryption enabled, a few web sites such as yandex.com stop working. I was able to reproduce this with my PA-3220 and PANOS 9.1 and also on my VM with PANOS 10, the result is ERR_HTTP2_PROTOCOL_ERROR in Edge browser. There do not appear to be any decrypt-error messages and in the traffic log it appears like a normal decrypted session. I dug through the PCAP file, can see the chosen cipher and verified that it is indeed listed as available on firewall. Also counters do not show drops. Does anyone have an idea what could cause this? Right now the customer has a decryption policy with Strip-ALPN enabled for these few sites. Thanks, Shai
... View more
12-23-2021
02:17 AM
Hi @xiaolin01 So basically what you need is to add another network segment to the firewall, but that network segment is using ethernet1/4 that now has an untagged VLAN assigned. You need to first see how the switch is configured for 10.1.240. * and 192.168.5. *. Does each subnet have a 802.1q VLAN-ID assigned to it? Assuming both have VLAN-IDs you need to add a sub-interface on ethernet1/4 and configure 10.1.240.x/yy on it along with its VLAN-ID. Next if 192.168.5.* has a VLAN-ID you will need to create another sub interface for it and move the configuration there because once you create a sub-interface - the 'parent' ethernet1/4 will be the untagged VLAN - and this all depends on the switch configuration. Next configure a trunk port on the switch and move the connection between sw<->fw to trunk (trunk ports can carry multiple VLANs). Lastly - verify rulebase allows this zone communication. I will start without NAT at the moment to see if basic communication is working. Shai
... View more
12-19-2021
12:30 AM
Hi I think your best and fastest option is to report an incorrect verdict. You can do this on the https://wildfire.paloaltonetworks.com portal after you log in and search for the hash, then click the leftmost icon to open the details where you should see a link to report. In Cortex XDR (if you have this) if you open this hash's wildfire report the top right icon should be 'report verdict as incorrect' Shai
... View more
12-06-2021
02:41 AM
Hi All firewalls have 2 default rules - intrazone-default and interzone-default. These are catch all rules at the bottom of the rulebase. Select one then click 'override' and enable log at session end. Click OK and repeat for the other rule then commit. By default any hit on either rule will not be logged at all. Try ping & traceroute from a user to 8.8.8.8 to see how the packet flows. Source-NAT should be happening only when packets egress from ethernet1/3 to the ISP. If you see more logs now, click the magnifier glass on the left and check the log-details - this will show more info like NAT, ingress & egress interfaces and packet count on the session. Shai
... View more
12-05-2021
12:16 AM
@ZEBIT wrote: I configured the virtual routers: Internal: Interfaces: Ethernet 1/2 Static route: 0.0.0.0/0 to ISP and 192.168.128.0/24 next hop 192.168.128.1 Extern: Interaces: Ethernet 1/3 Static route: 0.0.0.0/0 to ISP and 192.168.128.0./24 next-vr is Internal Hi @ZEBIT You are using 2 virtual routers, on Extern VR you configured 'next-vr' static route from Extern to Internal- this is fine. But on Internal VR you configured (marked in bold above) an IP next hop of 192.168.128.1 - this is wrong because you are 'trapping' them in their network segment and not telling the firewall where to send packets. This should be: VR = Internal -> Static Route for 0.0.0.0/0 -> 'next-vr' -> 'Extern' 192.168.128.0/24 is directly connected - no need for a static route. Shai
... View more
12-04-2021
11:46 PM
1 Kudo
Hi You'll need 2 certificates to be added to the firewall then attached to both services. 1. The management interface comes by default with a self-signed certificate, and this is the error you see from chrome - alerting you to this fact. As long as the management interface is strictly on the internal LAN only (without outside access) I think the GP certificate is more urgent. Also, sometimes a valid certificate cannot be used, for example company.com external domain and company.local internal domain. This depends on a few factors. 2. GlobalProtect is a remote VPN - this really should use a valid certificate, preferably one you purchase from an SSL certificate vendor just like certificates for any web site. You import both under Device -> Certificate Management -> Certificates. Then create certificate profiles (you probably have one for GP if it is already configured) in which you assign the certificate. Lastly, for the management you assign the certificate profile under Device->Setup->Management->'SSL/TLS Service Profile'. For the GP assuming you have a certificate profile already just make note of the current certificate used in the profile and switch to the newly imported one. Finally commit. Note: Please create a configuration snapshot for backup before you start: Device->Setup->Operations->'Save named configuration snapshot'. Shai
... View more
12-01-2021
04:25 AM
Hi Here is a rather old article about this: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClGKCA0 I hope it helps you 🙂 Shai
... View more
12-01-2021
04:11 AM
Hi Sign up or log in to https://beacon.paloaltonetworks.com/. Once in, search for 'pcnse' and you'll get some results for including a 'study guide' and 'exam practice questions'. All of these are done through your browser. If you are looking for hands-on your best option is a VM-series firewall with a lab license if you can buy one. You have several hypervisors to choose from (hyper-v, esx, kvm, etc). Kindly note though that PCNSE also contains questions about Panorama which is another purchase if you want to hands-on study it. Good luck, Shai
... View more
11-22-2021
11:35 PM
Hi I have done this a few weeks ago. The firewall itself can connect directly ('integrated User ID') to AD servers but this can only be done for 1 domain and maybe that is what you read in articles. The second domain must use User-ID Agent installed on a member server of that domain. There is no problem with the first domain also using User-ID Agent instead of the integrated method. You need to have 2 LDAP profiles, and 2 Group Mapping profiles - 1 for each domain. The User-ID Agent will send IP-to-User mapping for it's domain and if you type 'show user ip-user-mapping all' you should be able to see usernames from 2 domains, such as 'microsoft\username1' & 'contoso\username2'. Hope this helps, Shai
... View more
11-13-2021
10:46 PM
1 Kudo
Hi A device, or devices, are associated to template stacks. Template/s are associated to a template stack. All template values are pushed to the device/s. In this manner you can have a template for general values and another one more specific and they will combine to one set of values on the device. On a firewall under device->setup->Panorama you can delete it's panorama association and choose to save a local copy of the values or not. Note that if you do this you'll have to re-associate it to the Panorama later if more changes needed. If you delete template values the firewall/s associated to the template will have the values deleted from them. Shai
... View more
11-11-2021
07:06 AM
Hi I think the easiest way to do this is to use a 'Custom URL Category' object (under 'objects' tab) and place the URLs there one by one. Then in the SSL decryption policy you can call this URL Category. You can create this object as 'shared' by placing a check mark when creating the object. A Shared object is visible on ALL firewalls. Or you can create this object in a Parent Device Group and it will filter down to all child device groups and firewalls. If you are referring to SSL decryption exclusion - then add them under a template in 'Device'->'Certificate Management'->'SSL Decryption Exclusion' and again place a check mark on 'shared' so all firewalls will receive these. Note that you need the firewalls to be Panorama managed for above to work. Hope this helps, Shai
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
06-29-2022
03:04 AM
|
Latest Tags
No tags yet
Likes From
LEGAL NOTICES
Copyright 2007 - 2022 - Palo Alto Networks