About TerjeLundbo

@Alex_Samad for us the issue was not CPU load but packet buffers filling up. Unfortunately I don't have a TAC case id or issue id for this. ... View more

@Alex_Samad , this was a recommendation from our VAR/partner after consultations with TAC. 9.0.x was unusable for us. ... View more

Is it the dataplane CPU usage that is100%? We had to downgrade our 5220 firewall cluster from 9.0.4 to 8.1.11 a couple of months ago because the packet buffer filled up 100% with our normal traffic, something that was not a problem in 8.1.x. ... View more

We push dynamic updates from Panorama. The release dates are showing on the firewalls if I go to Device -> Dynamic Updates, but I'm referring to the General Information on the Dashboard. When I login to the firewalls it would be nice to see at a glance if they have been properly updated.   ... View more

I did not get a TAC ticket number at the time, since we use partner support. It might be this bug that was fixed in 8.1.3:   PAN-98530 Fixed a memory leak associated with the logrcvr process when using custom syslog filters in a syslog profile.   ... View more

On each wireless controller you need to enable logging of user authentications and you need to send each authentication event as syslog to the firewall. Commands are:   logging level notifications user process authmgr logging <FW IP address> type user severity notifications facility local1 source-interface <mgmt vlan of the controller>   ... View more

Our problem was related to syslog parsing. We send syslog from our Aruba WLAN controllers to the firewall in order to create IP-user mappings. There is a bug in 8.0.14 that will reboot the firewall if the load goes over a certain level and you use syslog parsing. From TAC:   I have revised the tech support file and it looks like we are hitting an issue. There is available workaround for this it is to change syslog profile to use regex expression instead of field identifier under: Device>User Identification>Palo Alto Networks User-ID Agent Setup>Syslog Filters. This is fixed in 8.1.4, but unfortunately PA will not release the same fix for 8.0.x We bypassed it by redirecting the syslog traffic to a Windows server running the user-id agent.     ... View more

I upgraded our firewalls (two PA-5050 in active/passive HA) to 8.0.14 yesterday morning, and 24 hours later the active firewall rebooted with the following message:   opaque: useridd: restarts exhausted, rebooting system   I've opened a TAC case, will let you know how it ends.   ... View more

We are sending syslog from the controllers direct to our firewall. What you need to do is:   1. Go to Device -> User Identification and click on the Settings Button for Palo Alto Networks User-ID Agent Setup 2. Go to the tab called Syslog Filters and add the following two profiles: Syslog Parse Profile: Aruba Login Type: Field Identifier Event String: Authentication Successful Username Prefix: username= Username Delimiter: \s Address Prefix: IP= Address Delimiter: \s Syslog Parse Profile: Aruba Logout Type: Field Identifier Event String: User de-authenticated Username Prefix: name= Username Delimiter: \s Address Prefix: IP= Address Delimiter: \s   3. Add all your controllers and/or IAPs as Syslog Sender under Device -> User Identification -> Server Monitoring on PA. Set your AD domain as Default Domain Name and set the two Syslog Parse Profiles you added in step 2 as filter for events login and logout repsectively.   There are other steps you need to do also of course, like configure controllers/IAPs to send syslog to PA for user events. Let me know if you need more info.   PS! If I remember correctly the logout event (User de-authenticated) will be logged on controllers if the user manually disconnects from the wireless network. If the device is removed from the wireless network without disconnecting I don't think anything will be logged and the IP-user-mapping will timout on PA according to your setup.   Edit: I think support for the logout event came in PAN-OS 8. Earlier versions have only login events. ... View more

We also have Aruba and Palo Alto, but we chose to have our wireless controllers (campus, not Instant) send syslog data directly to the firewall instead of to a Windows server. See if you can find the string 'User de-authenticated' in your controllers logs, those entries should include the user name. ... View more

We do not use any form of SSL decryption on our PA, but we are still able to effectively block Teamviewer. Does the firewall perhaps do some kind of hostname/FQDN match in addition to block the traffic? I see in the traffic logs that Teamviewer first tries port tcp/5938, then tcp/443 then tcp/80, but all the sessions are blocked with app-id teamviewer-base. ... View more

I've seen this before with some clients in our network. The clients had Sophos installed, and the software in some way manipulated DNS requests from the client (I haven't used Sophos myself so I cannot be any more specific). This would be DNS requests for external domains which is why your DC's forward them to external DNS servers. Palo Alto sees the DNS traffic, parses the content, notices the Sophos content and changes the appid from dns to sophos-live-protection.   We had a case with TAC about it, and the only solution they suggested was to make an Application Override.     ... View more

Update: according to TAC this is expected behaviour. When you right-click on a file or a folder and select Properties the app-id on Palo Alto will change from ms-ds-smb to active-directory. So they adviced us to open for active-directory + ms-ds-smb in all applicable policies (mostly for our management servers). Of course, if I just add active-directory in the policies I get a bunch of warnings when I commit about active-directory depending on kerberos etc.   How does the rest of the community handle this?   ... View more

Update: TAC has not been able to replicate this problem, but it looks like it only affects DFS file shares. ... View more

I have opened a TAC case for this and have sent some packet captures and logs. Will report back when I hear back from them. ... View more

I have been told that inter-VR traffic is slow, and that if you need good performance it is best to run such traffic via an external switch. I don't know if this is still the case in PAN-OS 8. ... View more

Typically wireless clients are authenticated by Radius, so information about user name and IP address will not appear in the security logs on the domain controllers. So you will have to setup your Radius server or your wireless controllers to send the information to PA. This can be done for example using XML-API or Syslog. ... View more

There could be elements on the web site that is being blocked by the firewall. Examples could be flash content if flash is not member of the allowed application group or ads identified as malware. These will be listed in your firewall logs. If you find nothing there then I would suspect client browser trouble. ... View more

Find the IP address of the web site and look in the unified log with the following filter:   ( addr.dst in x.x.x.x ) and ( action neq allow ) and ( action neq alert )   This shold get you all the traffic to that web site that has been blocked either by policy (deny rule) or threat prevention.   ... View more

We used to have loads of brute force attempts on our firewall (not RDP but SSH). After we started using EDL and blocked all traffic from these addresses the problem is much reduced. This might be able to help you combined with finetuning the threat signatures.   http://panwdbl.appspot.com   ... View more

For employee clients we use 8 days as DHCP lease time, so 4 days user-ID timeout would perhaps be a bit excessive 🙂 But thanks for all the input, I'll probably increase the timeout to 4 hours as a start.   What do others think about adding Exchange servers to the user-ID agents?   ... View more

@BPry   45 minutes. ... View more

Thanks @BPry My worry is that by setting the timeout value low to keep user-id from Citrix updated we risk timing out users working on thick clients that do not generate security log events frequently. Would adding our Exchange servers to the userid agents help with that? Our desktop/laptop users generally have Outlook open all the time. ... View more