About BPry

@smarcyes, I think this really depends on what you're trying to do. For instance, when I block QUIC traffic outbound to my untrust zone I may not want to just outright drop UDP/443 traffic at the very top of my rulebase. While that's usually going to be QUIC, it is used for other traffic that I might actually want to allow through. In that instance, doing it off of the QUIC app-id signature might be preferred. Keeping in mind that as soon as QUIC is identified after the traffic is going to get dropped. So while you're allowing some traffic to proceed, the firewall does a very good job of identifying the traffic quickly and dropping it.  When you're talking about something like tcp/22 in the case of SSH, depending on the zone and my intent I might not have that same concern. I might actually want to block any tcp/22 traffic to my untrust zone regardless of app-id. In that case, just dropping it from a service aspect means I don't have to allow any traffic to traverse that port. Same thing for port 445 across the untrust zone regardless of TCP or UDP, I might just want to drop all of that traffic outright.    Just to bring up as well, I don't see a general need for deny rules in most well-kept rulebases. You need to have something that would otherwise allow the traffic to be processed anyways. So in the case of SSH, that's something that I would actively have to allow, and where it is allowed in the rulebase I ensure that it's very targeted to include utilizing user-id to lock it down to specific people (or groups) to very targeted destinations. Same with the SMB example utilized in these examples; I'd argue that anything allowing SMB across zones should be heavily targeted and defined. I see some people unknowingly allowing access to applications to their untrust zone when doing audits. Generally, this is because they created a rule that essentially says anything from trust to untrust with application any with service application-default action allow. This is pretty poor way to build outside access from a security aspect, but it's where more of these deny rules off of app-id come into play for people. I'd argue that you should be maintaining application-groups based off of set criteria when allowing outbound untrust traffic. That would be the more "secure" way of allowing internet access, and it does away with the vast majority of deny entries in a rulebase.  ... View more

@CHKlomp, You can't check AD membership for a device that isn't joined to the domain unless you were using machine certificates for authentication, but in your case the device isn't joined to AD yet and therefore likely doesn't have a machine certificate.  Honestly, the only way I can think of checking for something like this would require creating a new HIP-Object entry and checking the host name. To do that securely, you would need to create a new entry for every single device. You could create a generic Host Name contains 'naming convention' to have a more broad HIP object capture these hosts and use that to build out your HIP-Profile, but I wouldn't really say that's a safe solution.   Effectively: Create a HIP Object to capture the naming convention from the the host itself. ("Hostname-Check") Create  a HIP Object to capture if the device is joined to the domain. ("Domain-Check") Create a HIP-Profile that checks for devices that meet the Hostname-Check but not the domain check. Use the HIP-Profile you created to allow enough access to join the device to the domain, but then also drop any and all other traffic from the host until it passes the Domain-Check you created. The HIP-Profile would end up looking something like this depending on what you actually named things to identify hosts that match Hostname-Check but don't actually pass the Domain-Check validation: "Hostname-Check" and not "Domain-Check"   ... View more

@Mike.Palmer, Interesting, this is not an issue I've come across with any of my installations or validation testing. What happens if you make a test client configuration and don't split-tunnel the traffic, does that change behavior at all? If you take a PCAP on the endpoint do you see the traffic attempting to traverse the PanGP adapter?  ... View more

!!! sig: An unexpected error occurred while validating driver package. Catalog = pangpd64.cat, Error = 0xE0000244 !!! sig: Driver package is considered unsigned, and Code Integrity is enforced. !!! sig: Driver package failed signature validation. Error = 0xE0000244 sto: {DRIVERSTORE IMPORT VALIDATE: exit(0xe0000244)} 14:23:26.036 The driver is failing signature validation on Windows 8.1. You'll probably want to open a case with TAC and share these logs so that they can validate if its a systemic issue across 8.1 running the latest updates or not since Windows 8.1 is a supported release for GlobalProtect 6.0. I unfortunately don't keep any Windows 8.1 images around to see if this is reproducible or not. ... View more

@HSi-Salem, Since your saying your configuring an additional gateway, do you already have this setup working on another gateway, or is this a new configuration for you?  What configuration method are you using (SAML/RADIUS/API)?  ... View more

@Niren.Vekaria, In addition to what @SteveCantwell mentioned, if you have Exchange in your environment you can use that to pull user-id from its logs as well. Exchange in general causes way more events to read from during normal operations than a just pulling through AD DCs.  ... View more

@SSargent_ICTWA, I'd honestly bypass support with this and push this through your account team instead. Your not likely to have a good time going through TAC to get this passed to the right internal teams since most of the front-line likely doesn't even understand what your asking. While your SE might not know where to put a ticket like this, they could pass it along through their channels and hopefully get it to someone that does know what internal team handles PANs DNS records.  ... View more

@dmoore-acc360, Troubleshooting information is really something I've best found in KB articles and by learning more about the feature itself. The majority of actual troubleshooting documentation for PAN is internal documentation and really isn't available to customers.  Policy troubleshooting is relatively straight-forward once you understand all of the options and the top-down analysis of the firewall however. Assuming that you actively know about the test functionality to verify that you have a matching policy, what additional documentation were you hoping to find?    (Text doesn't always pass tone well, so just to be clear the last question is a genuine question. What type of troubleshooting documentation are you hoping to find an equivalent of? Could you share an example of the Cisco document that you're referencing).  ... View more

@LeeSeeman, In an Active/Passive setup whichever unit you offline in this process doesn't matter. It could be the primary or secondary unit; outside of device priority and having preempt enabled, Active/Passive primary/secondary doesn't really matter. When you're actually making the configuration changes you need to make in an active/active situation, that's when primary/secondary becomes drastically more important as you setup device-binding. If you're just introducing active/active, you would likely want to make the "active" firewall you leave up the primary so that all of the active-active-device-binding conversions to primary are active on the firewall that you're leaving online.  I'm kind of curious why you think active/active is going to help you with a latency issue though; seems like you may be going down the wrong path there.  ... View more

@Kathiravan_R, What did you upgrade from? If you performed a major version upgrade and the logs are still being converted this wouldn't be a big shock.  Also as a side-note, are you on a M-100? If not, you really should migrate to a fully supported PAN-OS version. Even if you still have older hardware, Panorama itself will continue to manage any legacy firewalls without issue and doesn't need to be kept on an EoL release if you aren't running an M-100.  ... View more

@Scot-Oceus, I'd take a look at your Max Session Count configuration and verify what this is set to.  show deviceconfig setting management admin-session  Might also just try seeing the max-session-count and max-session-time to 0 so those aren't coming into play.  set deviceconfig setting management admin-session max-session-count 0 set deviceconfig setting management admin-session max-session-time 0 ... View more

@OtakarKlier, I haven't found a great way of dealing with these sort of situations. If you use FQDN you'll occasionally have things get out of sync between the firewall and the client (which may not matter depending on requirements), and URL Categories as you mentioned will only work with a HTTP request.  I've been using EDLs as a solution for this and using an external script to feed addresses for the EDL with the firewall. The firewall only supports updating the EDLs every fine minutes, but you can speed that up by dropping it to manual and using the API to request the refresh of the EDL on a more frequent basis. Not really solving the issue, but it gets closer to working without as many issues.  ... View more