Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- LIVEcommunity
- ›
- About Lora
About Lora
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Thursday
13Posts
1Like
1Solution
Jan 21, 2021Last Visited
User
Activity
User
Profile
Latest posts by Lora
| Subject | Views | Posted |
|---|---|---|
| 2093 | 08-16-2018 10:18 AM | |
| 5503 | 08-09-2018 12:08 PM | |
| 1888 | 08-01-2018 03:30 PM | |
| 5517 | 08-01-2018 02:13 PM | |
| 5525 | 08-01-2018 11:48 AM |
My Liked Posts
| Subject | Likes | Posted |
|---|---|---|
| 1 | 04-26-2017 11:25 AM |
Posts I Liked
| Subject | Likes | Author | Latest Post |
|---|---|---|---|
| 3 | |||
| 1 | |||
| 12 | |||
| 2 |
by
Retired Member
|
User Badges
Public Statistics
| Date Registered | 11-13-2015 08:05 AM |
| Date Last Visited | Thursday |
| Total Messages Posted | 19 |
| Total Likes Received | 1 |
08-16-2018
10:18 AM
We are have our Service Route set to use the management interface. We are on 8.0.x, not sure what version you are on. What do you see when you issue the show url-cloud status command? Ours looks like this: show url-cloud status PAN-DB URL Filtering License : valid Current cloud server : s0100.urlcloud.paloaltonetworks.com Cloud connection : connected Cloud mode : public URL database version - device : 20180815.40205 URL database version - cloud : 20180815.40205 ( last update time 2018/08/16 13:07:14 ) URL database status : good URL protocol version - device : pan/0.0.2 URL protocol version - cloud : pan/0.0.2 Protocol compatibility status : compatible You could try capturing some packets and doing some log review to troublesoot further (unless you have already done this with TAC). The process goes something like this: Set up TCPDump PCAP to capture traffic from one CLI window tcpdump filter "host xx.xx.xx.xx" (xx= ip of the external server hosting PAN-DB) From a second CLI window; Run a manual PAN-DB refresh via the CLI by " request url-filtering download paloaltonetworks region North-America " Then export the PCAP file to your workstatoin scp export mgmt-pcap from mgmt.pcap to user@analyst_workstation_ip:./ Reviewed the PCAP using wireshark looking for possible communication errors (like tls version mismatch for example) Lastly to view the local logs from the CLI, you can issue a command such as this: tail follow yes mp-log ms.log from one terminal window while re-issuing the request url-filtering download paloaltonetworks region North-America command from a second window to see if the error message there will help pin point the issue. Good luck! Hope this helps. -Lora
... View more
08-09-2018
12:08 PM
The TLS mismatch issue has been resolved by hosting the internally sourced EDL from a more modern web server that supports TLS1.2.
... View more
08-01-2018
03:30 PM
@shresth91 you might be thinking of tcpdump here. Then you cn either export (if allowed) the pcap using scp to view in a tool of your choosing like wireshark for instance, or use the buil-in view-pcap. traceroute and ping are also available from the CLI too. Hope this helps! Best - Lora
... View more
08-01-2018
02:13 PM
PANTAC has determined this is a TLS mismatch problem and is checking to see if there is an available work around while we determine internaly if we can upgrade the server or move the EDL to a more modern host. For those following along (and since I could not find this command anywhere) this is what PANTAC did 😉 Set up TCPDump PCAP to capture traffic to the EDL from one CLI window tcpdump filter "host xx.xx.xx.xx" (xx= ip of the external server hosting the EDL) From a second CLI window; Ran a manual EDL refresh via the CLI by "request system external-list refresh type url name <name>" We then exported the PCAP file to my workstatoin scp export mgmt-pcap from mgmt.pcap to user@analyst_workstation_ip:./ Reviewed the PCAP using wireshark and discovered the Client Hello from the firewall showing TLS 1.2 and the Server Hello shows TLS 1.0, then the firewall sends a fatal error protocol version message. Lastly to view the local logs from the CLI instead of the GUI, you can issue a command such as this: tail follow yes mp-log ms.log from one terminal window while re-issuing the request system external-list refresh type url name <name> commands from a second window. In this particular case the raw logs were not more helpful than the GUI logs though - they both just stated " Unable to fetch external dynamic list. SSL connect error. Using old copy for refresh." More to come when we finally resolve the issue.
... View more
08-01-2018
11:48 AM
I tried setting the profile to none via the CLI and that didn't fix either. For those following along the CLI commands I used to set the ertificate-profile to None via the CLI on a Panroma device were: From configure mode: set shared external-list "Name of Your List" type url certificate-profile None <enter> then I isseud a comitt and exited configure and issued a commit-all shared-policy device-group <name> I then watched the system logs on the firewall directly and see the same warning messages as before. I then checked the object list entries to determine if the list had been update or not and found it was not 😞 Looks like we will need to open a case. Thanks all for the ideas!
... View more
08-01-2018
08:13 AM
We have it set to none and it's not working and that is the only log message I am able to locate 😞
... View more
08-01-2018
06:55 AM
Not that I could find anyway. I think it has to do with a new requirement in 8.0 but very strange that we didn't see it enforced until we upgraded from 8.0.6 to 8.0.10 though. Snipet from the new requirement link above: "When retrieving external dynamic lists hosted on SSL/TLS secured servers (servers with an HTTPS URL), the firewall now validates the digital certificates of the server before proceeding with the retrieval. You must now enable server authentication for these external dynamic lists for the firewall to retrieve them."
... View more
07-31-2018
12:21 PM
You can easiyly do this with the new Expedition tool. Global search and replace from one device group to the other or make them all shared so you can use them on all device groups if that makes sense.
... View more
07-31-2018
11:41 AM
After upgrading from 8.0.6 to 8.0.10 our local EDL list stopped updating. The logs message states 'Unable to fetch external dynamic list. SSL connect error. Using old copy for refresh'. Anyone have any ideas on how to fix this? I looked in the release notes from some hints and came up empty. Thanks - Lora
... View more
- Tags:
- PANOS 8.0
07-12-2017
08:42 AM
My issue was I was entering the Zones in all lower case, turns out the search is case sensitive. Thanks @reaper
... View more
07-11-2017
01:05 PM
Do we enter those searcgh strings in the search bar of the Policy tab? They don't seem to work at all for me if so. We are on the PAN OS 7.1 strand, are these only available in 8.0?
... View more
07-10-2017
12:55 PM
Thanks Reaper. I am not following what you mean about creating search strings manually though. Would you elaborate a bit more or follow up with a breif tutorial video for this too?
... View more
04-26-2017
11:25 AM
1 Kudo
The difference between FUEL Palo Alto User Group, and LIVEcommunity?
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
Thursday
|
Latest Blogs
Latest Posts
Copyright 2007 - 2021 - Palo Alto Networks
