About Willian

Hi @JDominguez   Based on your description, there are two applicable options: Standalone Deployment and Small Single Site Deployment.   Standalone Deployment    This design is typically recommended for initial proof of concept (POC) or a small site with fewer than 3000 Traps agents, use a standalone deployment to install the following Endpoint Security Manager (ESM) components on a single server or virtual machine: • ESM Server • ESM Console • Forensic (quarantine) folder • Database I don't recommend to any of my customers to use this design in production, as it does not provide any redundancy for console or cores.       Small Single Site Deployment   As per the link you posted, and the official admin guide, this design requires:   One dedicated database server One ESM Console for managing the security policy and Traps agents Two ESM Servers, one primary and one backup, on the same network segment as the database server and ESM Console One forensic folder accessible by all endpoints for storing real-time forensic details about security This is the minimal I always recommend to all my clients due to the redundancy aspects and flexibility.   Now to your questions. My recommendation is that you adopt the Small Single Site Deployment 1 x ESM Console + Core (Combined) 1 x ESM Core (Redundancy) 1 x Database Server - Notice that SQLITE is no longer supported or recommended by Palo Alto even in POCs; hence, the official recommendation for environments with more than 250 endpoints is SQL Server Enterprise or SQL Server Standard as per the below screenshot. Important: You only can have one console installed.   For further details on requirements please refer tothe following for the administrator guide: link: https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/technical-documentation/40/endpoint/endpoint-admin-guide.pdf  I hope this helps.          ... View more

@rrealica I had a meeting with the NSS engineers a few weeks back when the report was released, and the explanation was that it failed or did not do well, during the evasion tests. ... View more

Hi @Sadik_Khirbash My apologies for my fat finger. The command is: tail follow yes mp-log ikemgr.log  The phase 2 ProxyID is a crucial piece of this configuration, and it would be important for us that you ensure it configured properly. The concern is not the Phase 2 paramenters, but the Proxy ID configuration at this point. That's how your Proxy ID should be configured on the PA-200 side. Run the above command and post the output for us, then maybe we can shine some light on it for you 🙂   ... View more

Hi @BrettBrown According to the compatibility matrix below   "Do not upgradeWindows 10 to build 1703 when running Traps 4.0.0; instead, you must first upgrade to Traps 4.0.1 or a later release before you upgrade to Windows 10 1703." Based on your post, you are running Windows 10  x64 1703; hence, the install will not be supported.  https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/framemaker/global/compatibility-matrix/section_6.pdf   I hope this helps. ... View more

@Justin.Abendroth   You can check for URL filtering categories in the following link or as @TranceforLife mentioned, look at your URL filtering logs in the Monitor tab. 🙂 https://urlfiltering.paloaltonetworks.com/ ... View more

Hi @Sadik_Khirbash   A few things I noticed on my end here when looking at your configuration. Although you are not showing the Phase 2 configuration on the PAN side, it is easy to spot how it should look like by looking at your ASA config.   As @BPry mentioned, Unless there is a specific reason you should not have to specify the Local and Peer ID if the VPN is between gateways with static IP addresses. In other words, unless your two firewalls are using dynamic IP address for the public IP, you should not define a Local and Peer IP whatosever, otherwise, it will mess up the phase 1 negotiation. If that's the case for you, and you really need to use this configuration, make sure that it is also properly defined on the remote side of the connection, in this case the ASA. Local Id:  172.16 .200.2 Peer Id:  172.16 .200.1 https://live.paloaltonetworks.com/t5/Configuration-Articles/IPSec-VPN-Tunnel-with-Peer-Having-Dynamic-IP-Address/ta-p/94161   Second, confirm your phase 2 ProxyID configuration on the PAN side. It should be mirrored exactly the way your ASA is showing, but in opposite directions. PAN200 - IPSEC Phase 2: ProxyID1 Local: 10.48.11.0/24 Remote: 192.168.1.0   https://live.paloaltonetworks.com/t5/Featured-Articles/Getting-Started-VPN/ta-p/68931   Also, run the following commands to troubleshoot and if you can post the output that would help us to assist you: Step 1: Open two Putty sessions to your PA-200. On Screen One, run the follwoing command:  tail follow yes ike tail follow yes mp-log ikemgr.log Step 2: On Screen two run the following command: Test Phase 1 test vpn ike-sa Step 3: Go back to Screen One and read the outputs. if you can copy and post in this thread that would be help us to analyze the messages.   Let us know how it goes.       ... View more

Hi @illuzian@   After you create the custom app, and the application override policy, you can create a security policy.   In the security policy, you will specify the custom application you just created, but you will not apply any security profile. This will avoid the application from being scanned by the IPS engine. Remeber that you can be selective, and apply other profiles if you need too. Since it is an internal application, and you seem to trust it, if performance is an issue, I would create this security policy with the DSRI feature in disabled state. A session on the firewall comprises two flows, client to server and server to client. The DSRI feature on the Palo Alto Networks firewall can be enabled to skip the inspection of the Server to Client flow. https://live.paloaltonetworks.com/t5/Featured-Articles/DotW-Using-DSRI-with-the-Palo-Alto-Networks-firewall/ta-p/70666   I hope this helps. ... View more

Hi @Sydney.Jin   I recommend that you remove any registry keys related to GlobalProtect, and then reboot the machine (In case you haven't done that already). Then attempt the installation one more time.   I hope this helps ... View more

Hi @Gururaj Are you using PAN-OS 8.0.x? I would setup two Authentication profiles and one Authentication Sequence profile. For example: Authentication profiles: LDAP-PROFILE01 Two Factor: Enabled Advanced: Specify the AD group you want to enforce two factor authenticantion LDAP-PROFILE02 Two Factor: Disabled Advanced: Specify "All" or the specific AD group which should not have two factor authentication enforced Authentication Sequence: LDAP-AUTH-SEQUENCE Add LDAP-PROFILE01 Add LDAP-PROFILE02 Note: The authentication sequence will try to match the username against each one of the profiles above in a sequence, once it matches, and access is validated the access is granted.   GlobalProtectPortal Specify the LDAP-AUTH-SEQUENCE Profile GlobalProtect Gateway Specify the LDAP-AUTH-SEQUENCE Profile You can still speicify in the User/Group tab inside the portal and gateway configuration the AD groups you want to allow, but the auth factor will be enforced via the profiles created before.   I hope it makes sense. ... View more

Location: Installed an evaluation for a coal export terminal customer one day in the middle of nowhere. Customer enabled SPAN/TAP on their old 3750 and brought the entire port system down.  Tip: Don't enable SPAN/TAP on old Cisco 3750 switches. Use VWire instead, and the result will still be amazing and the customer will gain the required visibility. ... View more

Hi @WSTW_SE On the PA-200, PA-220, and PA-500 firewalls, the SaaS Application Usage report is not sent as a PDF attachment in the email. Instead, the email includes a link that you must click to open the report in a web browser. All other platforms such as PA820/850, the PDF report is sent via email. https://www.paloaltonetworks.com/documentation/80/pan-os/pan-os/monitoring/generate-the-saas-application-usage-report   I hope this helps. ... View more

Hi @raji_toor   You cannot completely disable the Session timeout options in a specific App-ID, but you can adjust the values to suit your needs.   Setup timeout value to zero:  A value of 0 indicates that the global session timer will be used, which is 3600 seconds for TCP .                      h ttps://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Change-Session-Timeout-for-TCP-based-Application/ta-p/60915 https://live.paloaltonetworks.com/t5/Featured-Articles/Tips-amp-Tricks-Session-Timeouts/ta-p/68464   Here are a couple of options that may help you: 1. Create an application override:  Application Override is where the Palo Alto Networks firewall is configured to override the normal Application Identification (App-ID) of specific traffic passing through the firewall. This will help you decrease the latecy of the App-ID engine as the application will not be inspected. Notice, that you still can apply the security profiles through a security policy for inspection. https://live.paloaltonetworks.com/t5/Learning-Articles/Tips-amp-Tricks-How-to-Create-an-Application-Override/ta-p/65513     2. DSRI:  DSRI is used in environments where internal servers are trusted and protected by the firewall. In these cases, content inspection can be configured for only client to server (internet users to internal servers) traffic using the DSRI option. By doing this, the Server to Client flow (internal servers to internet clients) is skipped after sufficient data has been inspected by the firewall to identify the applications running over HTTP.  I am not sure if it will apply to you as I don't know how this application is being utilized. https://live.paloaltonetworks.com/t5/Featured-Articles/DotW-Using-DSRI-with-the-Palo-Alto-Networks-firewall/ta-p/70666   I hope this helps.       ... View more

Hi @vsingh The below Palo Alto article gives you lots of good information on how to mitigate this threat.   Also, make sure that your firewall has the following Vulnerability Protection signature enabled and applied to your security rules to prevent exploitation by the EternalBlue exploit. https://researchcenter.paloaltonetworks.com/2017/06/palo-alto-networks-protections-petya-ransomware/    As for checking the AV signatures (Hashes) for this malware, as @Michael_Zook mentioned, go to  https://threatvault.paloaltonetworks.com and type the name Petya in the search box, and it will list all contents for you.   I hope this helps ... View more

HI @korteke   Items in the Global whitelist section take precedence over any blacklisted items and are evaluated first in the security policy. It means, that if you restricted a path in through the restriction policy, and at the same time it is also in the Global Whitelist, the second configuration is the one that will be triggered. If you turn the "Action" to Prevention, it means that any path no explicitly whitelisted will be blocked. If you put in notification, any file being executed from a path not explicitly whitelisted, will be notified. You can turn user notification on and off as you know. One of the advantages of using the Global whitelist is that it gives you the visibility of which applications are potentially running from non authorized locations or that may potentially be malicious. In this case you have to provide the path for the actual executable.   So, in your example, if the e:\testing\*.exe is included in the Global Whitelist, it will take precedence as explained earlier, hence, you cannot have this .exe configured on both sides.    If you want to restrict the executable, do not include in the Global Whitelist, and then create a malware restriction policy instead. In order to override the default policy you need to create a user defined policy to apply further restrictions.   The malware restriction policy can be configured at the following menu: Policies > Malware >> Restricitions > Add    I have some scripts ready that may help you create these policies in the following link.   https://www.dropbox.com/sh/0e9e64aj6cxaqqh/AACiUd6I4RVKUbhHhn5IiiTla?dl=0   I hope this helps ... View more

Hi @clyde.franklin   The criteria used depends strictly on your design, how many firewalls in the environment, model of each appliance, and what logs you are ingesting. Because you have a very mixed environment with many HA pairs, I advise that you take a look at the following design document, and run some of the suggested tools in the article to get to a conclusion.   https://live.paloaltonetworks.com/t5/Management-Articles/Panorama-Sizing-and-Design-Guide/ta-p/72181   I hope this helps ... View more