About ShaiW

Update about this issue, I just got confirmation from TAC that there is a code fix for my issue that will be released in 8.1.14, 9.0.7, 8.1.13-h3 under bug ID PAN-121626.   If anyone is experiencing this also I hope this helps you.     ... View more

Hi HA1 syncs configuration and heartbeats, it uses dedicated-ha1a/ha1b ports (by default) HA2 syncs the session table, it uses a dedicated HSCI port (10gb fiber) You want both up for proper High Availability.   You can assign a Dataplane port to be of type 'HA' and then you can use it instead of the dedicated HA ports (it will be available in the drop down list under HA1/HA1 backup/HA2/HA2 backup). This can give you the option to use ethernet1/19 as type HA, used by HA1, connected over a fiber link with appropriate GBIC on both sides thus avoiding a converter.   Configuration wise: Firewall-1 Control Link (HA1) IPv4: 1.1.1.1 / 255.255.255.248 Peer HA1 IP Address (in the Setup page): 1.1.1.2 Firewall-2 Control Link (HA1) IPv4: 1.1.1.2 / 255.255.255.248 Peer HA1 IP Address (in the Setup page): 1.1.1.1   It's a bit tricky to explain all the possible scenarios, I hope it was clear. Just remember that each FW needs to know the IP address of it's peer for HA1 to come up. Lastly, use HA1 backup as management port and put 'Backup Peer HA1 IP Address=MGMT-IP of other FW. ... View more

Hi   Did you try to change/increase the values under: GlobalProtect Gateway Configuration -> Agent -> Timeout Settings? ... View more

Hi @simsim    If you need the firewall to translate the source IP address in a packet you will use Source NAT. A good example for this is users in trust zone that have private IP addresses need to be translated to the external IP address the firewall has on the untrust zone (ISP). So the firewall translates the IP address when forwarding the packet to the untrust zone.   If you need the firewall to translate the destination IP address ip a packet you will use Destination NAT. A good example of this is a web server in DMZ that has a private IP address and you need internet users to access it. So from the internet side it is accessible via the real-world IP address and the firewall translates it to a private IP address when forwarding the packet to DMZ zone.   In some cases you can also use both of them in the same NAT rule.     ... View more

Hi   Interfaces and Sub Interfaces are added under import->network as a list of interfaces. In my PA3020 I had to delete it from there before deleting the interface otherwise I got an error that it is referenced elsewhere.   As far as I know this must be done one by one, but you should check you environment, you might get more errors that this is referenced in other places (virtual router for example) which will not let you delete the sub interface until all references are deleted first.   Here is a tip: In operational mode ('>') type 'set cli config-output-format set' Then all show commands in configure show the commands, one by one as 'set' commands - this will ease finding the correct command path.   Shai   Shai ... View more

Hi,   In configure mode: 'show network interface ethernet ethernet1/20 layer3 units' will show ethernet1/20's subinterfaces   Then I had to issue: 'delete import network interface ethernet1/20.111' 'delete network interface ethernet ethernet1/20 layer3 units ethernet1/20.111'   Without the 'delete import' in my case i got a reference error.   I do not think there is a delete * command for this.   Shai ... View more

Hi You could also try adding a custom application. Objects -> Applications -> Add In the Configuration screen, make sure to use web-browsing as Parent App and check the Capable of File Transfer In the Advanced screen, add 'tcp/80' as default port and check 'File Types' & 'Viruses' In the Signatures screen, add a signature and add one Condition: Operator: Pattern Match Context: http-req-uri-path Pattern: abc\.jpg You might need to change the scope to session and re-test if it does not work at first. The premise here is to create a custom application based on web-browsing that will match when the URI (everything after the first slash for any URL/site) regex-matches abc.jpg. After you are successfuly matching (you'll see this application name in the traffic log) then just block this new custom application in policy. As stated above, this could match other traffic so be aware of this. If you take a packet-capture you should be able to see more http-headers that might help you narrowing down false positives. Lastly - rolling back in case of problems is to just disable or delete the new custom application you created. Hope this helps, Shai ... View more

I don't think 1440 is to high. What happens is that specific IP address remains in cache for 1440 minutes before it is removed, so communication from that IP address will still hit rules that have that username in them.  If a new user logs in from that IP, the record is updated to reflect the new username.     ... View more

Hi   With Client Probing enabled the firewall initiates a WMI connection to client computers  to verify that the same user is still logged in. There is more configuration to be done in the domain/client computers (allow client's windows firewall inbound WMI, account permissions...) other than enabling the 'check box'. More info here:  https://docs.paloaltonetworks.com/pan-os/8-0/pan-os-web-interface-help/user-identification/device-user-identification-user-mapping/enable-client-probing   Cahche values determine when the ip-to-user mapping entries get removed. Default is 45 minutes which is way to short IMHO. I set it to 5-6 hours.   Server log monitor frequency defaults to 2 seconds - the firewall will read security event log entries-deltas every 2 seconds. If you set it to 20 seconds you have up to a 20 second period were your users are still unknown to the firewall.   Session read, if enabled in the check-box, default is not checked - will have the firewall try to monitor user sessions via other means (think File & Print servers that have user sessions).   The above is from a Windows environment point. Never used a MAC :(.   Hope this helps, Shai ... View more

Hi   I use the Cyan Cisco cable with putty (set to serial, 9600 baud, no parity, xon/xoff flow control) without any problems. The console port is a must if you want or need to factory reset a device. Once the device has booted up normally, the serial behaves the same as SSH to the management IP. The Management port is a dedicated & out-of-band.   In order to set the management IP from serial, issue these commands (change IP as needed): configure set deviceconfig system ip-address 10.0.0.254 netmask 255.255.255.0 default-gateway 10.0.0.1 dns-settings servers primary 8.8.8.8 commit exit (after commit is finished)   Hope this helps, Shai   ... View more

Hi @FarzanaMustafa   1. I see you have a High-Availability cluster with 'sync to peer' - does the other device have the same error? Can you disable 'sync to peer' and schedule each FW download and install separately? 2. check disk space, connect to the MGT via ssh and type 'show system disk-space'  3. Do a commit as the error message suggests 4. If all else fails, while you are in SSH, go to 'configure' mode and do a 'commit force' 5. A firewall reboot might fix this, maybe there is something stuck. Be aware that a firewall reboot WILL cause network disruption. 6. What PAN-OS version are you running now?   Shai ... View more

Hello @ZEENMC   Quite frankly, it is a solid machine with a good (recommended) PAN-OS version. Your main issue will be the long commit times on that device, that can take 5 minutes.   If you are new to Palo Alto Firewalls, create a guest account on the learning center: https://education.paloaltonetworks.com/learningcenter search for EDU-110, request and view it (~9 hours).   Shai ... View more

Hi @ZEENMC   Palo Alto firewalls without license will: 1. Security profiles (Anti-Virus, Anti-Spyware, URL Filtering, Wildfire) will not work 2. Clientless GlobalProtect, HIP will not work 3. All the updates will not work (software and dynamic) https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CloiCAC   You should be able to set up network interfaces & routing, NAT & security rules without problems but not use the above profiles in them. You will also be able to do Application based (layer-7) rules.   You could also go down the VM-series path instead of the older PA-200. The VM will give you better management performance compared to PA-200, but read this about unlicensed VMs: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cm2mCAC   FYI Palo Alto provides a LAB license but I have no idea as to it's cost.   Shai   ... View more

Hi,   First, you cannot use a paid SSL certificate with SSL Decryption. Your firewall generates certificates on-the-fly for the sites your users browse to and a regular, paid, does not provide this functionality.   The last time I enabled SSL decryption with Palo Alto self-generated certificates (as opposed to, for example, Microsoft Active Directory CA services) I followed this path:   1. Generated a top-level cerftificate     For example: Name: PAN-CA, common-name: ca.paloalto.local, 'Certificate Authority=checked'     After Generation mark as trusted-root-CA 2. Generate a decryption certificate     For example: Name: PAN-Fwd-Trust, common-name: trusted.paloalto.local, Signed-By='PAN-CA', 'Certificate Authority=checked'     After Generation mark Forward Trust Certificate 3. Exported the PAN-CA (from step #1) certificate and added it to Computer-Trusted-Root-CA (mmc, certificates, computer account) 4. Added a decryption rule from one source IP for testing 5. Checked forthe 'decrypted' flag in the traffic monitor   Don't forget that depending on your rulebase, you might need a rule with Application=web-browsing & Service=tcp/443.   Hope this helps,     ... View more