cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
About DelvinC
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Announcements

The Enhanced LIVEcommunity Experience is finally here! Learn all about it.

DelvinC
yesterday
since ‎04-18-2016
L2 Linker
User Activity
User Profile
User Badges
Community Statistics
Member Since ‎04-18-2016 12:43 PM
Date Last Visited yesterday
Posts 23
Total Likes Received 3

Re: Help with Threat log SCAN: Host Sweep

by in Threat & Vulnerability Discussions
2 weeks ago
2 weeks ago
I have seen these logs too.   Not been able to figure this, but, I wonder if the alert logs are generated due to source IP meeting the interval and event threshold instead of tracking it per unique source-destination IP pair when configured to alert on the Reconnaissance Protection tab . Ideally one gets to pick and choose the tracking mechanism when you block but not for alert.   Did anyone make progress with support on this? What did they have to say? ... View more

Re: GlobalProtect On-Demand using authentication profile and user certificate from PKI on gateway

by in GlobalProtect Discussions
‎01-28-2021 03:27 PM
1 Kudo
‎01-28-2021 03:27 PM
1 Kudo
Just so that I provide closure to this discussion. I managed to get this rolled out and fix the issues that I was having.   Here is what I learned during my deployment and troubleshooting: When using user certificate along with an authentication profile; you can leave the username field to "none" on the certificate profile. "Required client certificate not found" was the error that got me stuck. I was using the certificate profile to verify the certificate-status:                                        After long hours of detailed investigation I discovered that this was due to CRL verification failures. I hadn't validated the firewalls reachability to query the CRL that it was reading off the presented certificates. This lead to the discovery that the firewalls were configured with external DNS servers and that CRL verification attempts were being made against an internal FQDN. I updated the DNS servers on the firewall to lookup against internal DNS servers and everything is working like a charm! Hope someone else finds this useful when they run into a similar fit!     ... View more

Re: GlobalProtect On-Demand using authentication profile and user certificate from PKI on gateway

by in GlobalProtect Discussions
‎01-22-2021 01:47 PM
1 Kudo
‎01-22-2021 01:47 PM
1 Kudo
@MP18  Thanks for your response.   I've had success in the past deploying machine certificates for authentication. But, this time I'm specifically trying to get user certificate authentication to work with just the on-demand mode.   During my research, I came across the PAN KB article (Basic GlobalProtect Configuration with Pre-logon)  that hints that this is possible.     ... View more

GlobalProtect On-Demand using authentication profile and user certificate from PKI on gateway

by in GlobalProtect Discussions
‎01-22-2021 11:24 AM
‎01-22-2021 11:24 AM
I'm trying to setup a GlobalProtect On-Demand environment. The portal uses an LDAP server profile for authentication and has been validated to be working fine. I intend to configure the gateway to use a combination of RADIUS and certificate profile to authenticate. I've confirmed that authentication works without the certificate profile. My understanding is that certificate based authentication for the "on-demand" mode works only if the certificates are user certificates (i.e. installed in the user store). I've a PKI infrastructure in the environment that is pushing out certificates to the users. I do not intend to go down the SCEP configuration for this deployment. So far I've not been successful to get certificate profile. I'm greeted by the "Required client certificate not found" error. I've tried to play with different options on the certificate profile like subject, subject alt-name, principal name, email, etc. FYI... I have the PKI root CA and intermediate CAs already included in my certificate profile.   I wanted to know if anyone has this successfully working in this fashion using "On-demand" mode. What certificate fields or options did you use? What certificate profile options did you leverage? Any interesting scenarios you ran in your deployment? ... View more

Re: Expedition Query

by in General Topics
‎09-10-2020 08:23 AM
‎09-10-2020 08:23 AM
Hi @Yasar2020    The typical migration workflow is: Import a Configuration (from a supported vendor) Export Unused Objects Report Remove Unused Clean Invalid Objects Rename, Remap Interfaces to PAN-OS Naming Convention Import a Base Configuration (Palo Alto Networks configuration from the device that you are migrating to) Move Objects From the Configuration Migrated to the Base Configuration. Merge Remove Duplicates (if any) Generate the Output (XML, SET Commands, API Calls) Please refer to the Expedition User Guide for detailed instructions along your configuration migration: https://live.paloaltonetworks.com/t5/expedition-articles/expedition-user-guide-v1-2/ta-p/285157 ... View more

Re: Need some guidance on the VM series implementation

by in General Topics
‎08-28-2020 02:20 PM
‎08-28-2020 02:20 PM
Sounds like there is some asymmetric routing in the environment. Are there any routes (static or dynamic) on the core switch to  192.168.20.0/24 or perhaps a summary route. A traceroute from 192.168.20.10 and another traceroute from the destination should help identify any asymmetric routing paths in the environment. ... View more

Re: Expedition Query

by in General Topics
‎08-27-2020 10:30 AM
‎08-27-2020 10:30 AM
Hi @Yasar2020    You may not be able to export the config file because you've not set a base PAN config file.   Please refer the following link to learn more about using Expedition and importing your base configuration.   https://live.paloaltonetworks.com/t5/expedition-articles/expedition-user-guide-v1-2/ta-p/285157#toc-hId--1617619217   PS: You'll need to merge your configuration (Cisco ASA + Base config) before you can export it to your target firewall. The Expedition User Guide v1.2 has all the details you would need. ... View more

Re: Need some guidance on the VM series implementation

by in General Topics
‎08-27-2020 10:27 AM
‎08-27-2020 10:27 AM
Does your core switch have layer 3 interfaces for VLAN3 and VLAN11? And, were the packet captures for source or destination in VALN11? ... View more

Re: User-ID with OpenLDAP

by in General Topics
‎08-24-2020 09:34 AM
‎08-24-2020 09:34 AM
Seems like its been years since this question was asked.  Just wanted to know whether there is a different alternative for User-ID with OpenLDAP. Also, I could not access the article linked in the previous response. 😞   ... View more

Re: Updating Expedition VM beyond 1.1.57.1

by in Expedition Discussions
‎08-18-2020 08:45 PM
‎08-18-2020 08:45 PM
Yeah, I figured when I couldn't upload the Legacy VM...Lol. ... View more

Re: Updating Expedition VM beyond 1.1.57.1

by in Expedition Discussions
‎08-18-2020 11:19 AM
‎08-18-2020 11:19 AM
@dgildelaig    Thank you for your prompt response. So, do I just download the new VM using the "Get the Legacy Expedition VM" link at https://live.paloaltonetworks.com/t5/expedition-migration-tool/ct-p/migration_tool ? ... View more

Updating Expedition VM beyond 1.1.57.1

by in Expedition Discussions
‎08-18-2020 11:06 AM
‎08-18-2020 11:06 AM
My Expedition VM is currently running version 1.1.57.1.   I happened to notice from the Expedition release notes that there are hot fixes up to version 1.1.79.1.   I attempted the regular Expedition VM update and it didn't seem to get me anywhere. I've included the output when I attempt to update Expedition below. I couldn't locate any documentation on the LIVEcommunity for a similar issue.   Has the Expedition VM stopped receiving further updates?   Any help on this is appreciated.   expedition@Expedition:~$ sudo apt-get update Get:1 http://security.ubuntu.com/ubuntu bionic-security InRelease [88.7 kB] Hit:2 http://us.archive.ubuntu.com/ubuntu bionic InRelease Get:3 http://us.archive.ubuntu.com/ubuntu bionic-updates InRelease [88.7 kB] Hit:4 http://ppa.launchpad.net/deadsnakes/ppa/ubuntu xenial InRelease Get:5 http://us.archive.ubuntu.com/ubuntu bionic-backports InRelease [74.6 kB] Fetched 252 kB in 0s (301 kB/s) Reading package lists... Done expedition@Expedition:~$ sudo apt-get install expedition-beta Reading package lists... Done Building dependency tree Reading state information... Done expedition-beta is already the newest version (1.1.57.1). 0 upgraded, 0 newly installed, 0 to remove and 604 not upgraded. expedition@Expedition:~$ sudo bash /var/www/html/OS/BPA/updateBPA306.sh gpg: keyring `/tmp/tmpfem5rf_s/secring.gpg' created gpg: keyring `/tmp/tmpfem5rf_s/pubring.gpg' created gpg: requesting key 6A755776 from hkp server keyserver.ubuntu.com gpg: /tmp/tmpfem5rf_s/trustdb.gpg: trustdb created gpg: key 6A755776: public key "Launchpad PPA for deadsnakes" imported gpg: Total number processed: 1 gpg: imported: 1 (RSA: 1) OK Hit:1 http://us.archive.ubuntu.com/ubuntu bionic InRelease Get:2 http://us.archive.ubuntu.com/ubuntu bionic-updates InRelease [88.7 kB] Hit:3 http://ppa.launchpad.net/deadsnakes/ppa/ubuntu xenial InRelease Get:4 http://security.ubuntu.com/ubuntu bionic-security InRelease [88.7 kB] Get:5 http://us.archive.ubuntu.com/ubuntu bionic-backports InRelease [74.6 kB] Fetched 252 kB in 0s (264 kB/s) Reading package lists... Done Reading package lists... Done Building dependency tree Reading state information... Done python3.7 is already the newest version (3.7.9-1+xenial1). 0 upgraded, 0 newly installed, 0 to remove and 604 not upgraded. WARNING: Skipping best-practice-assessment-ngfw-pano as it is not installed. Requirement already up-to-date: lxml in /usr/local/lib/python3.7/dist-packages (4.5.2) Requirement already up-to-date: matplotlib in /usr/local/lib/python3.7/dist-packages (3.3.1) Requirement already satisfied, skipping upgrade: certifi>=2020.06.20 in /usr/local/lib/python3.7/dist-packages (from matplotlib) (2020.6.20) Requirement already satisfied, skipping upgrade: numpy>=1.15 in /usr/local/lib/python3.7/dist-packages (from matplotlib) (1.17.4) Requirement already satisfied, skipping upgrade: pyparsing!=2.0.4,!=2.1.2,!=2.1.6,>=2.0.3 in /usr/local/lib/python3.7/dist-packages (from matplotlib) (2.4.5) Requirement already satisfied, skipping upgrade: python-dateutil>=2.1 in /usr/local/lib/python3.7/dist-packages (from matplotlib) (2.8.1) Requirement already satisfied, skipping upgrade: cycler>=0.10 in /usr/local/lib/python3.7/dist-packages (from matplotlib) (0.10.0) Collecting pillow>=6.2.0 Using cached Pillow-7.2.0-cp37-cp37m-manylinux1_x86_64.whl (2.2 MB) Requirement already satisfied, skipping upgrade: kiwisolver>=1.0.1 in /usr/local/lib/python3.7/dist-packages (from matplotlib) (1.1.0) Requirement already satisfied, skipping upgrade: six>=1.5 in /usr/lib/python3/dist-packages (from python-dateutil>=2.1->matplotlib) (1.10.0) Requirement already satisfied, skipping upgrade: setuptools in /usr/local/lib/python3.7/dist-packages (from kiwisolver>=1.0.1->matplotlib) (41.6.0) Installing collected packages: pillow Attempting uninstall: pillow Found existing installation: Pillow 5.4.1 Uninstalling Pillow-5.4.1: Successfully uninstalled Pillow-5.4.1 ERROR: After October 2020 you may experience errors when installing or updating packages. This is because pip will change the way that it resolves dependency conflicts. We recommend you use --use-feature=2020-resolver to test your packages with the new resolver before it becomes the default. bpa 3.21.3 requires Pillow<=5.4.1, but you'll have pillow 7.2.0 which is incompatible. Successfully installed pillow-7.2.0 The directory '/home/expedition/.cache/pip/http' or its parent directory is not owned by the current user and the cache has been disabled. Please check the permissions and owner of that directory. If executing pip with sudo, you may want sudo's -H flag. The directory '/home/expedition/.cache/pip' or its parent directory is not owned by the current user and caching wheels has been disabled. check the permissions and owner of that directory. If executing pip with sudo, you may want sudo's -H flag. Collecting pip Downloading https://files.pythonhosted.org/packages/5a/4a/39400ff9b36e719bdf8f31c99fe1fa7842a42fa77432e584f707a5080063/pip-20.2.2-py2.py3-none-any.whl (1.5MB) 100% |████████████████████████████████| 1.5MB 3.3MB/s bpa 3.21.3 has requirement Pillow<=5.4.1, but you'll have pillow 7.2.0 which is incompatible. Installing collected packages: pip Found existing installation: pip 20.2.2 Uninstalling pip-20.2.2: Successfully uninstalled pip-20.2.2 Successfully installed pip-20.2.2 ln: failed to create symbolic link '/usr/local/bin/python3': File exists ln: failed to create symbolic link '/usr/local/bin/pip3': File exists Collecting Pillow<=5.4.1 Using cached Pillow-5.4.1-cp37-cp37m-manylinux1_x86_64.whl (2.0 MB) Installing collected packages: Pillow Attempting uninstall: Pillow Found existing installation: Pillow 7.2.0 Uninstalling Pillow-7.2.0: Successfully uninstalled Pillow-7.2.0 ERROR: After October 2020 you may experience errors when installing or updating packages. This is because pip will change the way that it resolves dependency conflicts. We recommend you use --use-feature=2020-resolver to test your packages with the new resolver before it becomes the default. matplotlib 3.3.1 requires pillow>=6.2.0, but you'll have pillow 5.4.1 which is incompatible. Successfully installed Pillow-5.4.1 Processing /var/www/html/OS/BPA/best_practice_assessment_ngfw_pano-master.zip Installing build dependencies ... done Getting requirements to build wheel ... done Installing backend dependencies ... done Preparing wheel metadata ... done Requirement already satisfied, skipping upgrade: Pillow<=5.4.1 in /usr/local/lib/python3.7/dist-packages (from BPA==3.21.3) (5.4.1) Requirement already satisfied, skipping upgrade: lxml in /usr/local/lib/python3.7/dist-packages (from BPA==3.21.3) (4.5.2) Requirement already satisfied, skipping upgrade: pandas>=0.22.0 in /usr/local/lib/python3.7/dist-packages (from BPA==3.21.3) (0.25.3) Requirement already satisfied, skipping upgrade: dataclasses in /usr/local/lib/python3.7/dist-packages (from BPA==3.21.3) (0.6) Requirement already satisfied, skipping upgrade: iptools in /usr/local/lib/python3.7/dist-packages (from BPA==3.21.3) (0.7.0) Requirement already satisfied, skipping upgrade: PyMySQL in /usr/local/lib/python3.7/dist-packages (from BPA==3.21.3) (0.9.3) Requirement already satisfied, skipping upgrade: seaborn in /usr/local/lib/python3.7/dist-packages (from BPA==3.21.3) (0.9.0) Requirement already satisfied, skipping upgrade: XlsxWriter in /usr/local/lib/python3.7/dist-packages (from BPA==3.21.3) (1.2.5) Requirement already satisfied, skipping upgrade: pendulum in /usr/local/lib/python3.7/dist-packages (from BPA==3.21.3) (2.0.5) Requirement already satisfied, skipping upgrade: svglib<=0.9.0 in /usr/local/lib/python3.7/dist-packages (from BPA==3.21.3) (0.9.0) Requirement already satisfied, skipping upgrade: requests in /usr/lib/python3/dist-packages (from BPA==3.21.3) (2.9.1) Requirement already satisfied, skipping upgrade: SQLAlchemy in /usr/local/lib/python3.7/dist-packages (from BPA==3.21.3) (1.3.11) Requirement already satisfied, skipping upgrade: xlrd in /usr/local/lib/python3.7/dist-packages (from BPA==3.21.3) (1.2.0) Requirement already satisfied, skipping upgrade: six in /usr/lib/python3/dist-packages (from BPA==3.21.3) (1.10.0) Requirement already satisfied, skipping upgrade: reportlab<=3.5.18 in /usr/local/lib/python3.7/dist-packages (from BPA==3.21.3) (3.5.18) Requirement already satisfied, skipping upgrade: Jinja2 in /usr/local/lib/python3.7/dist-packages (from BPA==3.21.3) (2.10.3) Requirement already satisfied, skipping upgrade: python-dateutil>=2.6.1 in /usr/local/lib/python3.7/dist-packages (from pandas>=0.22.0->BPA==3.21.3) (2.8.1) Requirement already satisfied, skipping upgrade: pytz>=2017.2 in /usr/local/lib/python3.7/dist-packages (from pandas>=0.22.0->BPA==3.21.3) (2019.3) Requirement already satisfied, skipping upgrade: numpy>=1.13.3 in /usr/local/lib/python3.7/dist-packages (from pandas>=0.22.0->BPA==3.21.3) (1.17.4) Requirement already satisfied, skipping upgrade: scipy>=0.14.0 in /usr/local/lib/python3.7/dist-packages (from seaborn->BPA==3.21.3) (1.3.2) Requirement already satisfied, skipping upgrade: matplotlib>=1.4.3 in /usr/local/lib/python3.7/dist-packages (from seaborn->BPA==3.21.3) (3.3.1) Requirement already satisfied, skipping upgrade: pytzdata>=2018.3 in /usr/local/lib/python3.7/dist-packages (from pendulum->BPA==3.21.3) (2019.3) Requirement already satisfied, skipping upgrade: tinycss2>=0.6.0 in /usr/local/lib/python3.7/dist-packages (from svglib<=0.9.0->BPA==3.21.3) (1.0.2) Requirement already satisfied, skipping upgrade: cssselect2>=0.2.0 in /usr/local/lib/python3.7/dist-packages (from svglib<=0.9.0->BPA==3.21.3) (0.2.2) Requirement already satisfied, skipping upgrade: MarkupSafe>=0.23 in /usr/local/lib/python3.7/dist-packages (from Jinja2->BPA==3.21.3) (1.1.1) Requirement already satisfied, skipping upgrade: certifi>=2020.06.20 in /usr/local/lib/python3.7/dist-packages (from matplotlib>=1.4.3->seaborn->BPA==3.21.3) (2020.6.20) Requirement already satisfied, skipping upgrade: pyparsing!=2.0.4,!=2.1.2,!=2.1.6,>=2.0.3 in /usr/local/lib/python3.7/dist-packages (from matplotlib>=1.4.3->seaborn->BPA==3.21.3) (2.4.5) Requirement already satisfied, skipping upgrade: kiwisolver>=1.0.1 in /usr/local/lib/python3.7/dist-packages (from matplotlib>=1.4.3->seaborn->BPA==3.21.3) (1.1.0) Requirement already satisfied, skipping upgrade: cycler>=0.10 in /usr/local/lib/python3.7/dist-packages (from matplotlib>=1.4.3->seaborn->BPA==3.21.3) (0.10.0) Requirement already satisfied, skipping upgrade: webencodings>=0.4 in /usr/local/lib/python3.7/dist-packages (from tinycss2>=0.6.0->svglib<=0.9.0->BPA==3.21.3) (0.5.1) Requirement already satisfied, skipping upgrade: setuptools>=39.2.0 in /usr/local/lib/python3.7/dist-packages (from tinycss2>=0.6.0->svglib<=0.9.0->BPA==3.21.3) (41.6.0) Building wheels for collected packages: BPA Building wheel for BPA (PEP 517) ... done Created wheel for BPA: filename=BPA-3.21.3-py3-none-any.whl size=2232529 sha256=fb9d6b843703f54a4f81b22b7e4a6359e4f9749e420fbe19d3462f6a24673dae Stored in directory: /root/.cache/pip/wheels/c3/c1/c1/03a40ae23b0210b5bfa1961f3d65264c9b62e4218ddb58d2d9 Successfully built BPA Installing collected packages: BPA Attempting uninstall: BPA Found existing installation: BPA 3.21.3 Uninstalling BPA-3.21.3: Successfully uninstalled BPA-3.21.3 Successfully installed BPA-3.21.3 expedition@Expedition:~$   ... View more

Re: Threat log original destination required in vm firewall deployed in aws

by in General Topics
‎06-26-2020 02:05 PM
‎06-26-2020 02:05 PM
If we were to look at this problem from a different perspective, what are we trying to achieve by looking at the threat logs? Are you just looking to block the threats or identify the impacted server? ... View more

Re: Certificate issue

by in General Topics
‎06-26-2020 01:04 PM
‎06-26-2020 01:04 PM
It wouldn't hurt to try.  ... View more

Re: Certificate issue

by in General Topics
‎06-24-2020 01:14 PM
‎06-24-2020 01:14 PM
If you happen to have the Root CA and Intermediate Root CA certificates, can you try importing the certificates as child certificates in the top to bottom fashion. Or try installing it as a chained certificate. ... View more
Register or Sign-in
Contact Me
Online Status
Offline
Date Last Visited
yesterday
Likes Given To
View All
Likes From
View All
LEGAL NOTICES
RESOURCES
Copyright 2007 - 2021 - Palo Alto Networks