Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- LIVEcommunity
- ›
- About ShaiW
About ShaiW
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Thursday
37Posts
7Likes
4Solutions
Jan 21, 2021Last Visited
User
Activity
User
Profile
Latest posts by ShaiW
| Subject | Views | Posted |
|---|---|---|
| 540 | 10-07-2020 10:31 PM | |
| 649 | 10-07-2020 04:19 AM | |
| 820 | 07-27-2020 11:29 PM | |
| 1142 | 07-26-2020 10:38 PM | |
| 1214 | 07-26-2020 04:12 AM |
My Liked Posts
| Subject | Likes | Posted |
|---|---|---|
| 1 | 03-23-2020 05:05 AM | |
| 1 | 10-07-2020 04:19 AM | |
| 1 | 10-07-2020 10:31 PM | |
| 1 | 07-26-2020 10:38 PM | |
| 1 | 07-08-2020 07:24 AM |
Posts I Liked
| Subject | Likes | Author | Latest Post |
|---|---|---|---|
| 1 |
User Badges
Public Statistics
| Date Registered | 10-12-2015 06:29 AM |
| Date Last Visited | Thursday |
| Total Messages Posted | 41 |
| Total Likes Received | 7 |
10-07-2020
10:31 PM
1 Kudo
Hi All of the items in the Objects tab do not have any affect on traffic if they are not attached to Policies. This includes Decryption Profile/s. 1. So - the File Blocking (FB) Profile must be attached to a security rule. 2. I highly recommend splitting your issue into two parts, get FB working then tackle Decryption. For FB I would recommend you try to download this test file from Palo Alto as it uses the HTTP protocol hence no need for decryption, yet. http://wildfire.paloaltonetworks.com/publicapi/test/pe (This is an anti-virus test file, it will probably get blocked by AV software but it does not matter as all we want is for it to download or get blocked by the filewall) If you see it blocked and logged under Monitor-> Data Filtering - it means FB is working for non-encrypted traffic. Continue to enable Decryption: 3. For Decryption you really should read the above mentioned articles and notes by @BPry as enabling it requires: 3a. Generating Decryption Certificates on the firewall, self-signed for testing or Corporate CA signed (much preferred) 3b. Having them in all computers, trusted root certificate store 3c. Creating a Decryption Policy under Policies->Decryption: for testing start with: Source Zone Internal (or whatever you named it) Dest Zone External (or whatever you named it) Service: service_http + service_https Action: Decrypt Type: SSL Forward Proxy Decryption Profile: is optional 3d. In some older PANOS versions you must also allow in Security rules Application=web-browsing & service=service_https (this is not the default, hence needs adding). * This might look like easy 4 steps but trust me - it isn't. Lastly, log into the learning center at: http://education.paloaltonetworks.com/learningcenter Search for EDU-110, register for it for free and start watching this online training about the NGFW, but note that the training center is being moved you might be redirected to the new training site in a few days. Shai
... View more
10-07-2020
04:19 AM
1 Kudo
Hi Here are a few tips I hope will help: 1. In the blocking profile put EXE & PE together (portable-executable), direction=download, action=block, application=any (test then change as needed) make sure this is the only rule in the file blocking profile, or the top rule if other file blocking-alert rules exist. 2. Try to use a non-https protocol either FTP or HTTP as HTTPS will require you to use SSL decryption that you did not state if you were using or not. 3. I assume you checked traffic was hitting the rule that has this profile attached to it. Shai
... View more
07-27-2020
11:29 PM
Hi User-ID works by monitoring the security event log for logon events (Event ID 4624 and a few others). Non-domain computers will not have such an event, so no mapping. For these cases the easiest method is for you to set up Captive Portal. Put simply: when they try to open a web page it reaches the firewall which does not see a IP-to-User mapping and redirects the browser to a landing page on the firewall requesting credentials, these in turn get authenticated via your LDAP profile to a DC and added to the mapping table. Some notes: 1. IP's instead of usernames usually means no IP-to-User mapping for that IP address. 2. Use this command in SSH to the firewall 'show user ip-user-mapping all'. It will help debugging as this is the current known IP-to-User mapping 3. In the User-Identification window increase the cache timeout. The default is 45 minutes and is too short in my opinion. I use 300 minutes. This controls when a record is removed from the mapping table if no more updates from that IP address. 4. You can add Security policies with user type 'unknown' and also Authentication Policies to handle unknown users and what they can or cannot reach in your network. 5. You can also user Exchange Monitoring instead of, or in addition to, Captive Portal. Outlook keeps a connection to Exchange and this might be even easier to set up and detect that Captive Portal. Hope this helps,
... View more
07-26-2020
10:38 PM
1 Kudo
Hi @reaper Depending on the type & implementation of course: I mean that a proxy can hide the source IP of the user. An upstream firewall will see all web traffic originating from the proxy.
... View more
07-26-2020
04:12 AM
Hi Palo Alto NGFW does: 1. URL Categorization - you can allow and deny categories or specific URLs 2. SSL Decryption, man-in-the-middle, to allow HTTPS traffic decoding which is critical to enable for item #3 3. Scanning Profiles - Antivirus, AntiSpyware, Vulnerability, Wildfire Palo Alto NGFW does not act as a proxy-cache and does not hide Users behind it and does not do WAF. If you can live with the above pros and cons - it is up to you what you choose. Hope this helps, Shai
... View more
07-19-2020
07:23 AM
Hi I don't see that IP Address is a known variable in the URL filtering response page, if you want to try or just want the HTML file layout, download the current block page and edit it, then re-upload it: 1. Device->Response pages->click on 'URL Filtering and Category Match page' 2. Select predefined then 'export' 3. open text file with editor then import back. 4. Imported file will be called 'shared' and will be used. Take a look here for more info and the https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-web-interface-help/device/device-response-pages https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/url-filtering/customize-the-url-filtering-response-pages.html Hope this help, Shai
... View more
07-19-2020
07:07 AM
Hi The firewall analyzes the traffic for each session. Let's say you browse to facebook-chat, your session starts with port 443 and the firewall finds a matching rule with application=any and service=tcp/443. When more session-data flows we see the application as facebook-base and search again for a rule this time matching application=facbeook-base - this is called application shifting. My guess is the firewall sees some traffic on your rules but the final rule allowing or denying the application gets the 'hit' count increase. Hope this help, Shai
... View more
07-15-2020
04:16 AM
Hi, Just wanted to let you know that GlobalProtect for Linux requires GlobalProtect License on the firewall hosting GP. A GlobalProtect License activates all of these: Linux client iPhone & Android HIP Globalprotect Clientless Shai
... View more
07-08-2020
07:24 AM
1 Kudo
Hi You can use Captive Portal for this. When he opens a web page and is on an unknown IP he will get redirected to a firewall hosted captive portal and asked to authenticate. Another option: If your customer can live with a GlobalProtect client software on his laptop - you can configure a GlobalProtect Internal Gateway. The client software will connect to the internal gateway but without IPsec and because GP is a source of User-ID - this could solve your problem. Just don't forget to add a PTR DNS record in the internal DNS server - this is 'Internal host detection'. Shai
... View more
07-08-2020
07:10 AM
Hi, This is explained (although not very well IMHO) in the device's help page: Source IP —For virtual wire and VLAN interfaces, enter the source IP address used in the probe packets sent to the next-hop router (Destination IP address). The local router must be able to route the address to the firewall. The source IP address for path groups associated with virtual routers will be automatically configured as the interface IP address that is indicated in the route table as the egress interface for the specified destination IP address. So these ICMP packets egress the interface via virtual router lookup, and not through the management interface. Shai Shai
... View more
07-06-2020
01:00 AM
Hi There are some lesser known files in there (/) that could take up some space, for example if a debug flow-basic was taken and not cleared. Also the Daily reports (Monitor->Reports) sit there and accumulate over time. Also, if you can open a ticket to support they can log in with root access and clear up some root access files. Shai
... View more
07-05-2020
11:58 PM
Hi The short answer is that you'll have to free up some space in the root (/) partition. There are separate partitions for logs, cfg, repo, etc but the root partition holds all the temporary stuff like software version package being downloaded and extracted, packet captures and dataplane-debug files, tech support files, etc, so if it is full you'll not be able upgrade. FYI, the downloaded OS version are stored in /opt/panrepo - not the root partition. Use this command 'show system disk-space' and also take a look at this: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClimCAC Hope this helps, Shai
... View more
06-14-2020
05:49 AM
Hi @nextgenhappiness It is NOT the firewall's fault here, I tested the HTTP download link it on my PC and in my browser's developer view I can see the download process starting with the correct link: but getting a 301 code redirecting to https://www.eicar.org/download/eicar.com so the actual download is over https. To confirm, I enabled SSL decryption on my test PC and it blocked the eicar download successfully. Shai
... View more
06-09-2020
02:48 AM
Hi I think your best bet now is to call support +14087387799 Just type '1' when asked for a serial number and you need help finding it. You should be routed to a person from the admin team and tell them your issue. As long as the customer has a valid support license they should be able to assist, even in your case that you had a crash and cannot perform this yourself. Shai
... View more
06-08-2020
07:06 AM
Hi Did you try disabling this 'Verify Update Server Identity' under Device->Setup->Services. I've see proxies that interfered with the update server certificate causing the NGFW to fail to connect. Hope this helps, Shai
... View more
Latest Blogs
Latest Posts
Copyright 2007 - 2021 - Palo Alto Networks
