This website uses cookies essential to its operation, for analytics, and for personalized content. By continuing to browse this site, you acknowledge the use of cookies.
For details on cookie usage on our site, read our Privacy Policy
For details on cookie usage on our site, read our Privacy Policy
About MarcelST
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- LIVEcommunity
- About MarcelST
05-11-2022
41Posts
7Likes
2Solutions
May 11, 2022Last Visited
User
Activity
User
Profile
Latest posts by MarcelST
| Subject | Views | Posted |
|---|---|---|
| 4800 | 12-29-2021 05:00 AM | |
| 1159 | 01-14-2021 05:40 AM | |
| 1492 | 12-15-2020 02:24 AM | |
| 16329 | 12-10-2020 12:58 AM | |
| 16024 | 12-03-2020 12:57 AM | |
| 16482 | 12-02-2020 03:06 PM | |
| 3748 | 12-02-2020 01:56 AM | |
| 2212 | 11-16-2020 02:27 AM | |
| 1504 | 11-06-2020 08:29 AM | |
| 5681 | 05-29-2020 04:05 AM |
My Liked Posts
| Subject | Likes | Posted |
|---|---|---|
| 1 Like | 05-18-2020 05:27 AM | |
| 4 Likes | 12-10-2020 12:58 AM | |
| 1 Like | 12-15-2020 02:24 AM | |
| 1 Like | 03-19-2020 12:58 AM |
Posts I Liked
| Subject | Likes | Author | Latest Post |
|---|---|---|---|
| 2 Likes | |||
| 1 Like | |||
| 1 Like | |||
| 1 Like | |||
| 1 Like |
User Badges
Community Statistics
| Member Since | 06-17-2016 02:41 PM |
| Date Last Visited | 05-11-2022 12:02 PM |
| Posts | 41 |
| Total Likes Received | 7 |
12-29-2021
05:00 AM
Same issue here. We are now trying to check if this can be disabled in computers rather than create a signature exception.
... View more
01-14-2021
05:40 AM
Hi there, we are facing a weird situation with GlobalProtect pre-logon connections. We have some laptops with machine certificate only (they do not have user certificates deployed). We want them to connect using this machine certificate, as "pre-logon", so they got limited/specific access to some company resources They are able to establish GP VPN connection but their session is a normal user connection instead of a pre-logon connection because, somehow, the Machine Certificate value is used as if it were a user. So, in short, this is what I'm saying: These are some useful logs I found in the Tech Support files: 2021/01/14 13:23:05 info globalp GP-Por globalp 0 GlobalProtect portal client configuration generated. Login from: xxx.xxx.xxx.xxx, Source region: ES, User name: 7836523f-2a31-4e61-8583-252ad100fc62, Client OS version: Microsoft Windows 10 Pro , 64-bit, Config name: GP-Agent-HUB01-On-Demand. 2021/01/14 13:23:11 info globalp GP-Gat globalp 0 GlobalProtect gateway user login succeeded. Login from: xxx.xxx.xxx.xxx, Source region: ES, User name: 7836523f-2a31-4e61-8583-252ad100fc62, Client OS version: Microsoft Windows 10 Pro , 64-bit. 2021/01/14 13:23:11 info auth auth-su 0 Certificate validated for user '7836523f-2a31-4e61-8583-252ad100fc62'. From: xxx.xxx.xxx.xxx. 2021/01/14 13:23:12 info globalp GP-Gat globalp 0 GlobalProtect gateway client configuration generated. User name: 7836523f-2a31-4e61-8583-252ad100fc62, Private IP: 10.x.x.39, Client version: 5.1.3-12, Device name: COMMXTF47SVPGIT, Client OS version: Microsoft Windows 10 Pro , 64-bit, VPN type: Device Level VPN. And this is the GlobalProtect Portal profile they are matching as per the logs (GP-Agent-HUB01-On-Demand):
... View more
12-15-2020
02:24 AM
1 Kudo
It seems recently there has been change on the "gpcloudservice.com" API recently. Before the change this service was using a publicly-trusted certificate (not sure if Google, Digicert,...) but I just found out right now the site is using a Palo Alto not publicly-trusted certificate, which makes things break if you enforce the "verify=True" on requests, for example. Check it out here: https://api.gpcloudservice.com/getPrismaAccessIP/v2 Not cool for sure. This change would only do that many people sets the verify=False, which brings down security. Can this be fixed please?
... View more
12-10-2020
12:58 AM
4 Kudos
We were finally able to identify the issue with the support of the Palo Alto engineer assigned to our account. It's a bug with EDL that starts at PAN-os v9.0.0. All our firewalls that where at that version or a newer one where facing the issue, while the firewalls on lower versions where not. Furthermore, if you downgrade them it gets solved. It seems related to some characters present on EDL text file (%, $, *,.,...) that makes the auto-commit and the EDL refresh process fail starting on PANOS v9.0.0. It has not yet being identified as a bug though, but hopefully it will soon.
... View more
12-03-2020
12:57 AM
Thanks Steve. "commit force" did not helped. We just tried going into maintenance mode and reverted to a previous software version, that allowed the "auto-commit" to happen, but right after that the underlying error is still there: can't commit from Panorama or the firewall itself (stuck at some random %), can't install content updates, can't update/ugprade,...
... View more
12-02-2020
03:06 PM
We are struggling with the following error and Palo Alto TAC is not able to provide the proper support, they are just asking us to do an RMA or to factory reset, but the truth is that we are having the same issue in 2 different firewall clusters with different configs and specs. After the firewalls powers on/reboot the "auto-commit" gets stuck at 55%: Once it get canceled or it fails, we try to run a commit and we get the following error: On CLI with: "tail follow yes mp-log devsrv.log" we get: 2020-12-02 23:38:04.925 +0100 debug: pan_log_handle_needcfg(pan_log_handler.c:396): ctrl can't receive config push 2020-12-02 23:38:09.927 +0100 debug: pan_ctrl_need_cfg_cb(pan_controller_proc.c:1359): sysd_notify_change: get need config notification from cfgpush.s1.comm.need-cfg 2020-12-02 23:38:09.930 +0100 debug: pan_cfgagent_can_receive_cfg(pan_cfgagent.c:239): cfgagent's previous config still in use 2020-12-02 23:38:09.930 +0100 debug: pan_log_handle_needcfg(pan_log_handler.c:396): ctrl can't receive config push 2020-12-02 23:38:14.931 +0100 debug: pan_ctrl_need_cfg_cb(pan_controller_proc.c:1359): sysd_notify_change: get need config notification from cfgpush.s1.comm.need-cfg 2020-12-02 23:38:14.935 +0100 debug: pan_cfgagent_can_receive_cfg(pan_cfgagent.c:239): cfgagent's previous config still in use 2020-12-02 23:38:14.935 +0100 debug: pan_log_handle_needcfg(pan_log_handler.c:396): ctrl can't receive config push 2020-12-02 23:38:19.934 +0100 debug: pan_ctrl_need_cfg_cb(pan_controller_proc.c:1359): sysd_notify_change: get need config notification from cfgpush.s1.comm.need-cfg 2020-12-02 23:38:19.938 +0100 debug: pan_cfgagent_can_receive_cfg(pan_cfgagent.c:239): cfgagent's previous config still in use 2020-12-02 23:38:19.938 +0100 debug: pan_log_handle_needcfg(pan_log_handler.c:396): ctrl can't receive config push We have gone through all the solutions I could find out there but nothing worked and Palo Alto support seems to not be able to help.
... View more
12-02-2020
01:56 AM
Make sure you have the GlobalProtect license installed on that Gateway, as license is required for some advanced features like split tunneling.
... View more
11-16-2020
02:27 AM
The following guide provides the parsing for CEF-style Log Formats for PAN-OS 9.1: https://docs.paloaltonetworks.com/content/dam/techdocs/en_US/pdf/cef/pan-os-91-cef-configuration-guide.pdf We have been using this for a while, but because now we have a 2nd source of logs (PRISMA) aside from Panorama, we just found out the parsing suggested for "Threat" log is not correct in our opinion, and that was causing some issues on our SIEM use-cases. In short, this field is wrong and should be replaced by $subtype: Threat CEF:0|Palo Alto Networks|PAN-OS|$sender_sw_version|$threatid|$type|$number-of-severity|rt=$cef-formatted-receive_time deviceExternalId=$serial src=$src dst=$dst sourceTranslatedAddress=$natsrc destinationTranslatedAddress=$natdst cs1Label=Rule cs1=$rule suser=$srcuser duser=$dstuser app=$app cs3Label=Virtual System cs3=$vsys cs4Label=Source Zone cs4=$from cs5Label=Destination Zone cs5=$to deviceInboundInterface=$inbound_if deviceOutboundInterface=$outbound_if cs6Label=LogProfile cs6=$logset cn1Label=SessionID cn1=$sessionid cnt=$repeatcnt spt=$sport dpt=$dport sourceTranslatedPort=$natsport destinationTranslatedPort=$natdport flexString1Label=Flags flexString1=$flags proto=$proto act=$action request=$misc cs2Label=URL Category cs2=$category flexString2Label=Direction flexString2=$direction PanOSActionFlags=$actionflags externalId=$seqno cat=$threatid fileId=$pcap_id PanOSDGl1=$dg_hier_level_1 PanOSDGl2=$dg_hier_level_2 PanOSDGl3=$dg_hier_level_3 PanOSDGl4=$dg_hier_level_4 PanOSVsysName=$vsys_name dvchost=$device_name PanOSSrcUUID=$src_uuid PanOSDstUUID=$dst_uuid PanOSTunnelID=$tunnelid PanOSMonitorTag=$monitortag PanOSParentSessionID=$parent_session_id PanOSParentStartTime=$parent_start_time PanOSTunnelType=$tunnel PanOSThreatCategory=$thr_category PanOSContentVer=$contentver PanOSAssocID=$assoc_id PanOSPPID=$ppid PanOSHTTPHeader=$http_headers PanOSURLCatList=$url_category_list PanOSRuleUUID=$rule_uuid PanOSHTTP2Con=$http2_connection PanDynamicUsrgrp=$dynusergroup_name How can we get this fixed in the document? Additionally, is it possible to get the document updated with PAN-OS 10 in here?
... View more
11-06-2020
08:29 AM
We just implemented SAML with Panorama 9.1 and ADFS on M$ Server 2016. We had to disable the encryption of the response, though. What we are now struggling is with trying to have SSO detecting the user without having to type it, which is how we have all the other applications configured.
... View more
05-29-2020
04:05 AM
What GP version are you using? TO me, deploying GP v5.1.1 solved the issue.Before we were using v4.something.
... View more
05-19-2020
01:45 AM
You need to do a GP connection refresh, and after connection is reestablished exit & access again Zoom, that should do it. What version of GP are you using? My tests showed that begore GP v5.1.1 lots of things are not right with the split tunnel.
... View more
05-18-2020
05:31 AM
https://support.zoom.us/hc/en-us/articles/201362683-Network-Firewall-or-Proxy-Server-Settings-for-Zoom
... View more
05-18-2020
05:27 AM
1 Kudo
Hi, I've been doing some research on the option of using DHCP relay on Palo Alto for all the GlobalProtect gateways, and i'ts not clear to me if it's possible or not. The thing is, we want to enable Secure DNS records registration for the GlobalProtect IP network pools, but because currently the Palo Altos are the ones providing the IP, instead of doing DHCP relay to our internal DHCP servers, we can't enable it.
... View more
05-18-2020
03:34 AM
Hi there, We have Aruba ClearPass configured to send User-IP mappings via XML-API directly to all the Palo Alto MGMT IPs we have on premises. Now, with PRISMA firewalls being added into our infra I'm wondering how to make Prisma firewalls fitting into the picture: can I directly send events via XML-API from Aruba ClearPass to Prisma MGMT firewall IP address? Or should I redesign my architecture, like having Prisma firewalls grab this logs from another firewall/panorama instead?
... View more
04-07-2020
01:43 AM
I finally found the solution. On our case, having the Zoom binary in %AppData% was making the split tunnel not working correctly and Zoom UDP/8801 traffic was sent through the tunnel. We end up deploying the Zoom package centrally with SCCM to al laptops. Now, with Zoom on C:\Prgoram Files x86 the Zoom exclusion by Process is doing the trick finally.
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
05-11-2022
12:02 PM
|
Latest Tags
No tags yet
Likes From
LEGAL NOTICES
Copyright 2007 - 2023 - Palo Alto Networks