About jsalmans

Ok, I'm at my wit's end with TAC.. after 7 months of explaining the issues, collecting logs, and then starting over when a new agent takes the case, I'm hoping the community can help me.   I've had inbound decryption set up for our FTP server for some time.  We noticed an issue after updating to 10.0.8 (we're now on 10.1.5-h1 )  where people seemed to not be able to connect anymore.  After investigating, it appears that in Filezilla they are actually able to connect but it looks like they aren't because a TLS error occurs and the LIST command fails.  Right-clicking on the remote side and hitting Refresh several times will often eventually complete the directory listing.  This is with FTPS set to "Require explicit FTP over TLS" and with the Transfer Method set to Default (which I think may be Passive). This issue appears to be intermittent and sometimes it seems to connect fine.   Further investigation also showed the following: The TLS error mentioned above when the LIST command fails is "GnuTLS error -110:  The TLS connection was non-properly terminated." followed by "Server did not properly shut down TLS connection" followed by "The data connection could not be established: ECONNABORTED - Connection Aborted" and then followed by "Failed to retrieve the directory listing".  Decryption logs GUI shows "General TLS Protocol Error" when this happens. Error showing: "Server sent unsorted certificate chain in violation of the TLS specifications" at the start of each connection attempt Changing the Transfer Method to Active seems to make it more reliable as far as connecting without a TLS error and getting the directory listed automatically (it still complains about the certificate chain) Even with Active set, we then sometimes get a message indicating that the connection isn't secure because the server previously was detected as supporting TLS session resumption (I'm assuming this was either working before through the Palo and now it isn't or it's because when we've tested we've connected directly to the server which supports it) Trying another client, WinSCP also doesn't list the directory on Passive.. it works when changed to Active.  I have no idea if it is getting any errors/warnings as I haven't noticed if there is a log view in that software. Turning off the decryption rule resolves all of the issues.. the FTP connection is also a lot less verbose (in another words, when decryption is turned on there is a lot more chatting with commands/responses between the client and the firewall/server) It looks like someone else has run into an issue like this before with Passive FTP and it was related to an issue with the content packs https://live.paloaltonetworks.com/t5/general-topics/passive-ftp/td-p/11573   Anyone else having any issues or have any experience in what I can do to resolve this?   Thanks! ... View more

I saw the announcement that they were going to start requiring MFA for logging in on the Palo Alto websites and it mentions a code via email, however, I was already set up to use an authenticator app for this.  When I went to log in today, it seems to be ignoring my account settings and doing the email code every time.  I tried switching to the email method, saving, and then changing back to the authenticator option and saving again but it still seems to only give me the option to email a code at login.   Is anyone else running into this too? ... View more

Greetings all,   As the title suggests, I'm attempting to get Panorama and our two PAN 5250 on to our new data lake.  I've got the Device Certs installed using the OTP from the Support Portal and I installed (but didn't configure beyond the re-verifying using the OTP from data lake) the latest Cloud Services plugin on Panorama.   I can see all of the Device Certificate status as green on the data lake inventory, and I can see updated last contact info from Panorama, but the PAN-OS version is NA on Panorama's inventory entry and there is a warning symbol about installing Cloud Services Plugin 2.2 or higher (I installed 3.0).  The firewalls managed by Panorama are both showing Disconnected with no Last Contact Time.   Any ideas what I might be missing here?  I feel like I've gone in circles all day in the documentation for this setup  😂   Thanks! ... View more

Greetings all,   Taking another look at our user-id mappings with our server team today and we've landed on trying 90 minutes for AD.  We set this on the agents installed on two of our AD servers and the firewall is showing the new logs coming in as having the correct timeout.   Next, I'm trying to figure out how to do this with our wireless.  With Cisco ISE, I'm collecting the mappings via syslog profiles on the firewall but I don't see a way to limit the timeout there.  The wireless controller has a max session timeout at around 240 minutes and I figured you'd probably want to set the corresponding user-ID mapping timeouts to just over that.   The User-ID Agent Config box has a timeout value that can be enabled and set but I wasn't sure if this would affect the syslog profiles and whether this would override the timeouts the AD agents are sending?   Thanks! ... View more

Greetings all!   I've run into an interesting issue and I'm hoping someone here may have some previous experiences or maybe something on best practices I'm missing.   Basically, we have a site-to-site loopback interface set up and we have several tunnels that utilize this and each connects to its own security zone.  So far, this has all been working as far as I know.  We now have yet another tunnel that utilizes this same type of setup on the same loopback as the others, however, the team that uses it has noticed issues with the applications that go across it... namely that some transactions complete and some do not.  Looking at the session logs, I can see a number of tcp-fin but also some aged-out and some tcp server resets.   We got on a call with the team that manages the network/servers on the remote side and found that lowering the MTU on the servers to 1400 seems to resolve it and all transactions work correctly at that point.  I'm fairly certain that, on our side of the bridge, the DC networking hardware has jumbo frames configured and so does the datacenter interface on the firewall itself.  They wouldn't hit a smaller MTU until the traffic starts to traverse the site-to-site.  I don't know what hardware that the remote side uses to terminate or to carry the traffic to the servers.   The site-to-site loopback on our side looks like it is configured with default MTU and Adjust TCP MSS is not configured.  The tunnel interface for this particular site-to-site is also using default MTU.  I'm guessing I need to either adjust the MTU on the loopback/tunnel (if I have to adjust on the loopback, I wonder how this will impact all of the other tunnel interfaces also utilizing it) or turn on the TCP MSS adjustment?   Thanks! ... View more

Greetings all,   I noticed that the syslog parser for User-ID allows you to enter multiple filters for each server... does anyone know how adding multiple filters of the same type (login for example) will work?  I see there is a way to move the filters up and down in the list so I'd assume there is an order of operation but if it is able to match the regex in one does it stop or does it still proceed to the next filter?  If it goes through the entire list, I'm assuming it keeps whatever user-ID it was able to last grab?   Thanks! ... View more

I haven't found anything on this so figured I'd ask here.. is there a way to set the application configuration to prevent the application from successfully connecting if another VPN is already active and connected on the system?   Only other thing I can think of would to find a list of IP ranges from known public VPN services and create policy to block VPN connectivity from those.   Thanks! ... View more

Hi all,   I was reading in some of the documentation for User-ID to see if we can improve our security a bit.  Basically, I'm currently setting User-ID logs to no timeout with the assumption that a new user login will generate a new one and override the old one.  We've been doing this because a number of users leave their computers locked instead of logging off every day so relying on a timeout period means eventually losing access to things that are utilizing the user-based policies.   The WinRM documentation from 9.0 appears to say it can be used to " map usernames from login and logout events to IP addresses" (https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-new-features/user-id-features/winrm-support-for-server-monitoring.html) but everything I've found seems to indicate AD doesn't receive logoff events from the domain-joined PCs.  Is this something that works on newer AD servers or is the documentation incorrect?   If it is incorrect, I'm curious what others are doing to get logoff events?  I could probably get the PCs to send something to a syslog server on a logoff event but I don't see any way in the syslog filter on the firewall to specific something as a logoff event vs a logon event unless the solution would just be to match the event, retrieve the IP, but put a regex for the user ID that would never match anything? ... View more