About Willian

Hi @JDominguez   Based on your description, there are two applicable options: Standalone Deployment and Small Single Site Deployment.   Standalone Deployment    This design is typically recommended for initial proof of concept (POC) or a small site with fewer than 3000 Traps agents, use a standalone deployment to install the following Endpoint Security Manager (ESM) components on a single server or virtual machine: • ESM Server • ESM Console • Forensic (quarantine) folder • Database I don't recommend to any of my customers to use this design in production, as it does not provide any redundancy for console or cores.       Small Single Site Deployment   As per the link you posted, and the official admin guide, this design requires:   One dedicated database server One ESM Console for managing the security policy and Traps agents Two ESM Servers, one primary and one backup, on the same network segment as the database server and ESM Console One forensic folder accessible by all endpoints for storing real-time forensic details about security This is the minimal I always recommend to all my clients due to the redundancy aspects and flexibility.   Now to your questions. My recommendation is that you adopt the Small Single Site Deployment 1 x ESM Console + Core (Combined) 1 x ESM Core (Redundancy) 1 x Database Server - Notice that SQLITE is no longer supported or recommended by Palo Alto even in POCs; hence, the official recommendation for environments with more than 250 endpoints is SQL Server Enterprise or SQL Server Standard as per the below screenshot. Important: You only can have one console installed.   For further details on requirements please refer tothe following for the administrator guide: link: https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/technical-documentation/40/endpoint/endpoint-admin-guide.pdf  I hope this helps.          ... View more

@rrealica I had a meeting with the NSS engineers a few weeks back when the report was released, and the explanation was that it failed or did not do well, during the evasion tests. ... View more

Hi @Sadik_Khirbash My apologies for my fat finger. The command is: tail follow yes mp-log ikemgr.log  The phase 2 ProxyID is a crucial piece of this configuration, and it would be important for us that you ensure it configured properly. The concern is not the Phase 2 paramenters, but the Proxy ID configuration at this point. That's how your Proxy ID should be configured on the PA-200 side. Run the above command and post the output for us, then maybe we can shine some light on it for you 🙂   ... View more

Hi @BrettBrown According to the compatibility matrix below   "Do not upgradeWindows 10 to build 1703 when running Traps 4.0.0; instead, you must first upgrade to Traps 4.0.1 or a later release before you upgrade to Windows 10 1703." Based on your post, you are running Windows 10  x64 1703; hence, the install will not be supported.  https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/framemaker/global/compatibility-matrix/section_6.pdf   I hope this helps. ... View more

@Justin.Abendroth   You can check for URL filtering categories in the following link or as @TranceforLife mentioned, look at your URL filtering logs in the Monitor tab. 🙂 https://urlfiltering.paloaltonetworks.com/ ... View more

Hi @Sadik_Khirbash   A few things I noticed on my end here when looking at your configuration. Although you are not showing the Phase 2 configuration on the PAN side, it is easy to spot how it should look like by looking at your ASA config.   As @BPry mentioned, Unless there is a specific reason you should not have to specify the Local and Peer ID if the VPN is between gateways with static IP addresses. In other words, unless your two firewalls are using dynamic IP address for the public IP, you should not define a Local and Peer IP whatosever, otherwise, it will mess up the phase 1 negotiation. If that's the case for you, and you really need to use this configuration, make sure that it is also properly defined on the remote side of the connection, in this case the ASA. Local Id:  172.16 .200.2 Peer Id:  172.16 .200.1 https://live.paloaltonetworks.com/t5/Configuration-Articles/IPSec-VPN-Tunnel-with-Peer-Having-Dynamic-IP-Address/ta-p/94161   Second, confirm your phase 2 ProxyID configuration on the PAN side. It should be mirrored exactly the way your ASA is showing, but in opposite directions. PAN200 - IPSEC Phase 2: ProxyID1 Local: 10.48.11.0/24 Remote: 192.168.1.0   https://live.paloaltonetworks.com/t5/Featured-Articles/Getting-Started-VPN/ta-p/68931   Also, run the following commands to troubleshoot and if you can post the output that would help us to assist you: Step 1: Open two Putty sessions to your PA-200. On Screen One, run the follwoing command:  tail follow yes ike tail follow yes mp-log ikemgr.log Step 2: On Screen two run the following command: Test Phase 1 test vpn ike-sa Step 3: Go back to Screen One and read the outputs. if you can copy and post in this thread that would be help us to analyze the messages.   Let us know how it goes.       ... View more

Hi @illuzian@   After you create the custom app, and the application override policy, you can create a security policy.   In the security policy, you will specify the custom application you just created, but you will not apply any security profile. This will avoid the application from being scanned by the IPS engine. Remeber that you can be selective, and apply other profiles if you need too. Since it is an internal application, and you seem to trust it, if performance is an issue, I would create this security policy with the DSRI feature in disabled state. A session on the firewall comprises two flows, client to server and server to client. The DSRI feature on the Palo Alto Networks firewall can be enabled to skip the inspection of the Server to Client flow. https://live.paloaltonetworks.com/t5/Featured-Articles/DotW-Using-DSRI-with-the-Palo-Alto-Networks-firewall/ta-p/70666   I hope this helps. ... View more

Hi @Sydney.Jin   I recommend that you remove any registry keys related to GlobalProtect, and then reboot the machine (In case you haven't done that already). Then attempt the installation one more time.   I hope this helps ... View more