LIVEcommunity - About MatthewSabin

MatthewSabin · ‎11-03-2020

Thanks for the tip, but it turns out that my problem wasn't about syntax but method. Pasting all of the parts of a certificate into the configuration and comitting doesn't actually "install" a certificate, or so I've learned. Rather than pasting it in, TAC informs me that I must exit configuration mode and import the certificate as below: scp import certificate source-ip <scp server IP> remote-port <scp server port> from <user>@<scp server>:<path><filename> format <pem|pkcs12> [passphrase <pass phrase>] certificate-name <name> Whe the certificate is imported, that invalid syntax line magically materializes in the show output.

MatthewSabin · ‎10-21-2020

We'll need a little more detail to give you any help. In the meantime, take a look at this thread: https://live.paloaltonetworks.com/t5/general-topics/globalprotect-the-server-certificate-is-invalid/td-p/193204/jump-to/first-unread-message --Matthew

MatthewSabin · ‎10-19-2020

I have successfully loaded my device certificate and a CA certificate from the CLI - took some seraching for format of the certificate strings, but they're in there now. One problem. In a firewall I have previously set up I show (in set format) the certificate stanza: set shared certificate wanroot subject-hash ffffffff set shared certificate wanroot issuer-hash ffffffff set shared certificate wanroot not-valid-before "May 23 02:36:33 2020 GMT" set shared certificate wanroot issuer /CN=wanroot set shared certificate wanroot not-valid-after "May 18 02:36:33 2040 GMT" set shared certificate wanroot common-name wanroot set shared certificate wanroot expiry-epoch 2220921393 set shared certificate wanroot ca yes set shared certificate wanroot subject /CN=wanroot set shared certificate wanroot public-key "-----BEGIN CERTIFICATE-----[blahblahblah]-----END CERTIFICATE-----" set shared certificate wanroot algorithm EC I get an error entering the line "set shared certificate wanroot ca yes" - Invalid syntax. What is the correct way to declare a certificate a CA certificate from the CLI? --Matthew

MatthewSabin · ‎12-13-2017

We put it in lab last week - no issues to report. We'll start testing in the production environment after the holidays.

MatthewSabin · ‎05-19-2017

I'll revive this question - as the answers didn't actually relate. The Cisco ASA packet tracer allows you to propose a hypothetical flow and runs it through the engine as if it were real. Evaluating the NAT and route dicisions which would likely apply in addition to the policy/ACL allow/deny logic. It was very helpful to see if your configured configuration should pass traffic you are planning for prior to the actual traffic arriving.

MatthewSabin · ‎05-18-2017

Thankyou chris.russell for this one, we've been pulling our hair out trying to build an XML file "template" This will make our configuration push script much easier to build.

MatthewSabin · ‎04-13-2017

I'm about 2-months in, and I'm still looking for what I need to know. What I most want is the "How to think Palo Alto" guide - the biggest picture of how the parts fit together, and the minute details of what little "other-guy" process or method doesn't work here. I'll publish it myself once I think I have it 😉

MatthewSabin · ‎03-31-2017

i'll eat my crow now... Problem solved: Bad cable/ethernet jack on upstream router. All successful connections correlate with events where a coworker was forcing the lab traffic over a different link. His timing just made my troubleshooting harder. Layer 1 sure gets in the way when you're think 4 through 7.

MatthewSabin · ‎03-28-2017

I got my SE on the case and while studying packet-captures it suddenly seemed like the communication was great until the packets got big. We wondered if it could be an MTU problem. I put a laptop in the PA220's place and ran through the connections at MTU 1500 - AOK. Put the laptop in the client's place and had to drop down to 1400 to get the transfers to go. We couldn't find anywhere in the PA220 where MTU was set below default (1500?) but when we turned on jumbo-frames and set the GlobalMTU at jumbo-default, and rebooted, all flows pass properly. Yay, but really?!

MatthewSabin · ‎03-21-2017

Is there a better way than a screen shot? Here's the ruleset I have, only NetAdmin and NTP work at this time.

MatthewSabin · ‎03-20-2017

Sorry, I confused the thread there. There are three processes which my IoT device preforms: NTP, FTP, HTTPS NTP: get the time (obviously I suppose) - this works perfectly, UDP out, UDP in session times out, repeat FTP: check for updates, download and install them automagically - the check works, the GET to pull down update fails HTTPS: send telemetry to the cloud (the function we've installed the thingh to perform) - the client hello and key negotiation work fine, firewall stops passing as soon as encryption is engaged.

MatthewSabin · ‎03-17-2017

It's not a decision I get to make - IoT means "I'll make this thing and decide how it woll communicate and you can take it or leave it" for the most part - sigh. My laptop in the thing's spot can connect on the TCP/21 port and I can authenticate etc. It's only when I try to GET a file that the connection times out. Once the server stops trying to send and the client stops trying to GET, I have CLI back and can try GET again. I've got the same behavior in the web browser. The client session starts helloing and negotiating then when TLS is engaged, I stop getting packets. Is there a knob or switch set someplace which tells the PA to analyze the streams and I've got it set at 10 when it needs to be turned down to 2?

MatthewSabin · ‎03-16-2017

I hope OP will forgive me for hijacking this thread. I too have a client behind the firewall trying to connect to an FTP site. The session end is always noted as tcp-rst-from-client. It's an IoT-thing, so I did a packet capture and see the device connect, log-in (plaintext password - ick!) and navigate to the desired directory, change to binary, attempt to get a file, after that fails, set passive and try to get the file again. My capture shows the client request the get, and the server attempt to send, but the client never gets the packet. I put my laptop in the client's spot and tried from my FTP client - same resuts. Each get times out. apparently the PA220 is eating the reply packet, yet I can't find loggin to that effect. Where do I look next?

Member Since	‎03-15-2017 03:23 PM
Date Last Visited	Tuesday
Posts	20
Total Likes Received	9

Online Status	Offline
Date Last Visited	Tuesday

Re: Certificate ca status from the CLI

Re: Gateway <name> The server Certificate is invalid

Certificate ca status from the CLI

Re: Any issues not documented on version 8.0.6?

Re: PA equivalent of ASA packet tracer?

Re: PA equivalent of ASA packet tracer?

Re: Certificate ca status from the CLI

Re: Starting with Palo Alto Networks - What I wish I had known...

Re: Starting with Palo Alto Networks - What I wish I had known...

Re: TCP-RST-FROM-CLIENT

Re: GlobalProtect: The server certificate is invalid

Re: user Id issue with active- active HA

Re: SNMP monitor parameters for Palo Alto

Re: SNMP monitor parameters for Palo Alto

Re: PA support point to multipoint IPSEC VPN?

Re: Certificate ca status from the CLI

Re: Gateway <name> The server Certificate is invalid

Certificate ca status from the CLI

Re: Any issues not documented on version 8.0.6?

Re: PA equivalent of ASA packet tracer?

Re: Starting with Palo Alto Networks - What I wish I had known...

Re: Starting with Palo Alto Networks - What I wish I had known...

Re: TCP-RST-FROM-CLIENT

Re: TCP-RST-FROM-CLIENT

Re: TCP-RST-FROM-CLIENT

Re: TCP-RST-FROM-CLIENT

Re: TCP-RST-FROM-CLIENT

Re: TCP-RST-FROM-CLIENT

Network Security

Cloud Security

Security Operations