About jsalmans

Greetings all,   I noticed that the syslog parser for User-ID allows you to enter multiple filters for each server... does anyone know how adding multiple filters of the same type (login for example) will work?  I see there is a way to move the filters up and down in the list so I'd assume there is an order of operation but if it is able to match the regex in one does it stop or does it still proceed to the next filter?  If it goes through the entire list, I'm assuming it keeps whatever user-ID it was able to last grab?   Thanks! ... View more

I haven't found anything on this so figured I'd ask here.. is there a way to set the application configuration to prevent the application from successfully connecting if another VPN is already active and connected on the system?   Only other thing I can think of would to find a list of IP ranges from known public VPN services and create policy to block VPN connectivity from those.   Thanks! ... View more

Hi all,   I was reading in some of the documentation for User-ID to see if we can improve our security a bit.  Basically, I'm currently setting User-ID logs to no timeout with the assumption that a new user login will generate a new one and override the old one.  We've been doing this because a number of users leave their computers locked instead of logging off every day so relying on a timeout period means eventually losing access to things that are utilizing the user-based policies.   The WinRM documentation from 9.0 appears to say it can be used to " map usernames from login and logout events to IP addresses" (https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-new-features/user-id-features/winrm-support-for-server-monitoring.html) but everything I've found seems to indicate AD doesn't receive logoff events from the domain-joined PCs.  Is this something that works on newer AD servers or is the documentation incorrect?   If it is incorrect, I'm curious what others are doing to get logoff events?  I could probably get the PCs to send something to a syslog server on a logoff event but I don't see any way in the syslog filter on the firewall to specific something as a logoff event vs a logon event unless the solution would just be to match the event, retrieve the IP, but put a regex for the user ID that would never match anything? ... View more

Greetings all,   I'm wondering if anyone else is using Cisco ISE for network access control and has experience integrating it to publish User ID to the Palo Alto firewalls?   I saw a support article for it but the regex appears to be out of date.  I found another guide somewhere else that suggested using field identifiers instead of regex which is what I did.  I now can get User ID for devices logging in to an 802.1x SSID, for example.   My next challenge is device that use MAC authorization, or MAB.  I know this isn't really a recommended practice but since we have on-campus housing, we need to support some SSIDs/networks that utilize this for all of those consumer devices that don't support better security like 802.1x.  I believe ISE is publishing these RADIUS connections to the firewall, however, they appear as device MAC addresses which is going to make user-based firewall rules difficult.   I know the username for the device when logging in to a MAB protected network technically is the MAC address, but we've used a previous solution for network access control that would instead publish the owner's username (i.e. the username they used to register/enroll the device) and I'm wondering if there is another way to implement the ISE/Palo connection that would give us the owner's username for these connections vs the MAC address?   Thanks! ... View more

Greetings all,   We've got a department on our network using a piece of higher-security software.  The software audit came back and indicated FIPS 140-2 encryption is required when the traffic is going across any network other than ours.   I've started looking into what that would take on our firewall so that our GlobalProtect endpoints and IPSec connections could be made compliant but I wanted to see what the common consensus here might be from others who may be using the feature.  I'm not crazy about the console port being locked out of config mode.. it's handy to have that when we need to do a more extensive design change that may result in a loss of connectivity or Panorama management.  I'm figuring the H1 link encryption and enabling FIPS-CC Mode itself will be disruptive and require outages even with an A/S HA setup for the loss of console access is concerning (we've got it in a locked rack ... I know those rack locks aren't really "secure" but it's in a locked datacenter as well).   I guess my question is, is it worth going through this or would it be better to find an alternative like a piece of software or another hardware solution (perhaps even a smaller dedicated PA just for these connections) we can provide for this specific purpose?   Thanks! ... View more

Anyone know what's up with the release notes links in PAN-OS or Panorama GUI?  Some of them are taking me to an XML response page and there is apparently an email circulating on REN-ISAC that the GlobalProtect links for 5.1.2 download a *.solitairetheme8 file (I can confirm that I'm seeing this behavior in the release notes link in Panorama this morning.   Thanks ... View more

As per usual, the most interesting part of my job always seems to come back to our on-campus students and their BYOD devices.   We've had some reports that Rainbow Six Siege is still having multiplayer issues despite most of those consoles/PCs being assigned public IP addresses (so no NAT required).  This doesn't surprise me too much since it is an Ubisoft game and I hear lots of bad things about their network stack.. plus I think a number of their games are designed around peer-to-peer once their servers handle the matchmaking part.   Now, NAT Type (essentially the indicator most of these games or consoles provide to the end user about their connectivity) apparently isn't actually just about NAT, it's also about ports.  Most of these game publishers have FAQs about what ports to open to the entire Internet.  I suspect Rainbow Six gameplay would benefit from opening some ports, especially if it actually is peer-to-peer.  We've also had some requests to open up ports that are for a number of Blizzard games and associated voice chat.   I'm curious what other people with Palo may be doing in situations like this.  I was considering if I could get custom applications made for these I could probably allow incoming connectivity so long as it matched one of the application types.  Opening up just ports seems like such a bad idea without knowing a source IP (which seems about impossible unless someone knows of some Minemeld miners for game servers) even to BYOD networks since we don't allow them to run their own routers/firewalls. ... View more

Greetings all,   I'm toning down some of our NAC enforcement in favor of trying to find other ways to secure the network (lots of users on BYOD don't like to install a 3rd party client to monitor their device).  One of the things we were doing was to check for proper DNS settings.  We block external DNS in favor of using several sets of internal servers so that our BYOD users still have access to internal services that aren't available on the public Internet.  We're also interested in possibly using a DNS security service at some point so keeping DNS queries internal seems like a good policy still.   I had originally thought to catch the DNS queries on the way out the firewall and then somehow provide a notification to the user that they need to set their DNS settings to Obtain Automatically from DHCP.  I thougth I had figured out how to do this at some point but, for the life of me, I can't remember what I was going to do.  Blocking, obviously, is no problem but is there any way to provide from the firewall to provide a notice to the end user without them running GlobalProtect or something?  For an application block like Facebook, the browser is open and intigating the app usage but DNS happens a lot behind the scenes and I wasn't sure if there was a way to display the notification.   Thanks! ... View more

Hi all,   I'm curious what others may recommend for connecting internal networks that are also untrusted.  We've got a teaching department that will probably end up running their own DHCP and DNS services, in addition to a cybersecurity program (clean lab only.. dirty lab should always be isolated).  We've previously had issues with students in these classes not following instructions and running rogue DHCP servers on bridged connections or doing ARP/Penetration scans without limiting the target ranges.   My thought was to directly connect their switch with our A/S 5250 firewalls.  Currently they're on a VLAN that flows through some of the building switches but I even want to remove that... even layer 2 some of those things they've done in the past has caused connectivity issues for users on other VLANs if the network hardware is in common.   I would think the firewalls we have should be able to handle pretty much anything these folks could thow at them but of course I recognize internal traffic and attacks (malicious or not) can be very different than what the Internet can throw at you.  Of course I don't want it to affect production, and we do pipe internal traffic through it as a central means of controlling access and security.   I'm curious what others may have done or recommend and if there are any specific areas of the config I should look at (flood control caught my eye for example).   Thanks! ... View more