About dagibbs

spolo wrote: If it's still failing you may want to call support or open a case via the web on this one.  Here's a couple of CLI commands that may help you diagnose: First, initiate the url database download: > request url-filtering upgrade brightcloud Now check the download log: > tail follow yes mp-log pan_bc_download.log If it helps you, I checked from one of our boxes in Europe and it's having trouble also.  That box does resolve to a different IP than we do here in the US, so not sure if it's something localized or not.  I don't have a lot of time to open a case with support on this right now, but it does warrant further investigation. Hope this helps! Seems to have come good this morning - maybe Brightcloud were having an issue. Thanks anyway ... View more

bhavin_bhatt wrote: Hi, I just came across something quite interesting. A user needs to be able to translate a decent url, but by default translation is blocked by PaloAlto. Once you configure PaloAlto to allow translation, you can actually go into google translate, and translate an adult website into another language and view it within Google translate's page. My question is, i have blocked adult-and-pornography, why can i get to a dirty website, shouldn't palo pick that up. please advice, as one of the users needs translation allowed, but what i explained above is just one of the exploit... cheers Bhavin Simple - because *you* are not going to the dirty web site - Google translate is. You're hitting the Google translate page, and by your own admission you've configured the PA to allow access to it. The PA is doing exactly what it's supposed to - allowing access to the translate page. Think of it as visiting the adult page by proxy. Cheers ... View more

Ronaldgoh wrote: hi i noticed that in some "critical", "high" and "medium" severity vulnerabilities, the default action is just "alert"... especially those brute-force attempts. at the moment, our system is set for default to take care of these.  however, i remember a thread here advising to set the action to "block" for medium severity on the server side vulnerabilities...  is it safe to set action to "block" for "critical", "high" and "medium" severity for server side?  will this break applications? thanks! rgds, - ron If you raise your level to "block" and the threat is detected the firewall will, as the name suggests, block the traffic from transitting. Now, if you're 100% sure the threats being detected are valid, then I suggest you might want to block them. If, however, you're worried about false positives - then don't. The block action may well break soemthing, especially if it triggers a positive threat detection when it's not really a threat. "Alert" is good if you have time to sit and watch threat logs, and can get on top of reported threats immediately - if you're like msot people and DON'T have this time, then block is a good option. Depends how paranoid you are, and how critical potentially blocking a valid action might be. Cheers ... View more

exertum wrote: Hello dagibbs, Did you already perform your intervention (update sslvpn client software for 1.2.0 to 1.3.0)? If yes, did you faced to any issue? Thanks a lot for your help. KR, Benjamin Benjamin. No, I haven't actually been allowed to do this yet - my change management department is giving me fits, and to be honest I've had more important things to deal with, so this has been put on the back-burner. If I do it successfully, I'll post an addendum to this message chain. Cheers ... View more

bdaussin wrote: The root cause of this issue starts becoming more accurate : When an anonymous event comes from a user PC to the DC ( which has already been recognized by the AD agent ), here is the behaviour : With DC2003, the AD agent get the field "sesi10_username" with an empty value, which has no effect on the Pan Agent. With DC2008R2, the AD agent get the field "sesi10_username" with the value ANONYMOUS LOGON, which cause the PAN agent to overwrite the previous UserID-IP identification. So, how to turn around this issue ? Is there a way on the agent to ignore ANONYMOUS LOGON ? Thanks for your help. In the Palo Alto agent directory, create a file called "ignore_user_list.txt" Add your "ANONYMOUS LOGON" to this file - you may need to put it in quotes, like I jsut did, as there is a space in the username. See if this works. Cheers! ... View more

Marct wrote: The upgrade should be automatic, I think I remember reading that you may need to clear the java cache if the update fails. This is the known issu about netconnect in the release notes [21601] NetConnect may not upgrade properly from 1.1.x to 1.2 without clearing the Java cache. Regards Marc Well, I'm planning to go from 1.2 to 1.3, so I guess I'll just have to suck it and see. Thanks. ... View more

bpappas wrote: @dagibbs: I have researched the question that you brought up and you should be able to delete the software image on the active partition even if it is the installed version on the revert partition. If you cannot, please open a case with the PAN Tech Support team. Thank you, Benjamin Benjamin. Have now done so. Thank you for your input. ... View more

mario.chancay wrote: Hi, will like to understand the oppinion from the PAN community about the features that are still missing or needs to be improved. Will appreciate if you can specify by functionality like : FIREWALL Must Have : A,B,C Nice to Have : D,E,F Thks Mario Documentation, Documentation, Documentation. Without being too blunt, the documentation stinks. It needs cleared explainations, better grammar, and real-world examples instead of useless classroom types so people can sort things out without running to support. if you want examples, look at how Cisco do it. Support, Support, Support. I've had a discussion recently with my "suport partner" regarding the responses (or lack of them) from PA with respect to support calls (seriously, more than 6 weeks ona bug report, and three uploads of tech-support and logs to be told "it's not going to be fixed in this software series, upgrade to 4.x"? Come on!). ... View more

networkadmin wrote: I'd be interested in any feedback on the major benefits in going from 3.x to 4.x as well. Frankly I think Palo Alto have scored a bit of an own goal in bringing out a major OS release but doing a pretty poor job of actually telling their customers a) the benefits of upgrading and b) on what basis they should upgrade. Let me clarify that a little.  Right now, I have a box running 3.1.8.  As far as I'm aware there is no document anywhere that says "If you have a PA-500 the current recommended release of PAN-OS is xxx" so it's left for me to "somehow" figure out which version of PAN-OS I should be running.  So far as 4.x, the feedback and vibe I get from here is very non-committal and to me it almost comes across as if 4.x is still some sort of beta and isn't actually recommended for production unless you really need something it offers that 3.x doesn't have. I'm with you on this one - given what I've seen on the forums, I'm not upgrading to the 4.x series until I'm well convinced it's actually stable without introducing more bugs! Unfortunately, this means I have to live with an annoying, but non critical bug with HA synchronisation on 3.1.x - occasionally (it can be once a day, or once every 3 weeks), the "Cert and Block" pages get out of synchronisaton between the active and passive partners in the HA cluster - PA's response to my bug report/trouble ticket "It's a known bug in 3.1.x which is not going to be fixed. Upgrade to the 4.x series". Not impressed, but will NOT be upgrading until I see better comments from people here than I have so far! ... View more

psi0n wrote: Hi, yes CP was enabled. i disabled the CP Rule and disabled also the User Auth Rule, but the error is already there. on my external interface i'm not be able to see the webserver. it looks like a binding problem. in the l3svc-error.log are the following lines: default:2 main  Configuration for PanWeb Server    default:2 main  --------------------------------------------    default:2 main  Host:               CTINFPA01    default:2 main  CPU:                mips64    default:2 main  OS:                 LINUX    default:2 main  Distribution:       unknown Unknown    default:2 main  OS:                 LINUX    default:2 main  Version:            2.4.0.0    default:2 main  BuildType:          RELEASE    default:2 main  Started at:         Mon May  9 22:55:39 2011    default:2 main  Log rotation count: 0    default:2 main  --------------------------------------------    default:0 main  In mprPanEspInit()    default:0 main  In PanEspModule()    default:0 main  In mprPanMgmtInit()    default:0 main  In PanMgmtModule()    default:0 main  SSL: Need to get private key for /webserver from cryptod    default:0 main  SSL: Try# 1 to get key for web_certificate_key from cryptod    default:0 main  pclose returned 0 with errno 0 which is an error    default:0 main  Got key for web_certificate_key from cryptod I hope this could help to find the problem regards, markus Did you either generate a self-signed SSL key or import a matching key for the hsotname from a valid external certificate authority for the VPN? Sounds like you simply don;t have an SSL key bound to the VPN properly. Under the SSL VPN configuration, do you have a certificate selected? Cheers. ... View more

tpiens wrote: Hi you can delete old software via cli by using "delete software version" however: when upgrading the new image is installed on a different partition (sysroot) than the active one, this allows you to, in case of upgrade failure, roll back to the previous software without the need to reistall and keep working during the install without the need for immediate outage. That's also the reason you are not able to delete 3.1.6 as it is still installed on the alternate (backup) sysroot partition. regards Tom So how do I get rid of the old software, then? Am I unable to delete 3.1.6 until I upgrade *past* 3.1.8? The "delete software version" command from CLI gives the same result - an error which reads "Can't purge image 'panos-3.1.6' installed on active or backup sysroot" I have no need (nor do I perceive the likelihood of a need) to rollback to 3.1.6. Thanks ... View more

ldragan wrote: Here is the result : Filesystem            Size  Used Avail Use% Mounted on /dev/sda3             3.8G  1.1G  2.5G  31% / /dev/sda5             7.6G  7.4G     0 100% /opt/pancfg /dev/sda6             3.8G  727M  2.9G  20% /opt/panrepo tmpfs                 493M   37M  456M   8% /dev/shm /dev/sda8             125G   74G   45G  63% /opt/panlogs /opt/pancfg is full, how to delete some files ? All the PanOS images have been already deleted Thanks How many saved configurations do you have for audit? I have my box set to 100, and I'm only using half of that partition - have you tried dropping the number of saved configurations to a lower level to clean out some of the old ones? Device -> Management -> Number of versions for Config Audit (Whups. Sorry. I'm still on 3.1.8 - might be in a different location on the 4.0 software stream). Also depends how big your configutation is - the larger it is, the more space it takes to keep audit/rollback versions. Worth a shot. Cheers. ... View more

HITSSEC wrote: We have also noticed porn sites having a default web page that says "This is my Church".  We submit the URL to Brightcloud and we use the custom URL categories to add the sites as work-allowed until Brightcloud updates their database. We sometime use the lookup services of other URL filtering services to double check the site. We also use custom url categories for IP based urls that we identify and our DMZ hosts that are accessed using local DNS entries and thus are not FQDNs which result in being categorised as unknown. Hope this helps. Phil You don't need to go to the extent of adding a custom URL category to make this work. There's an option in the URL filtering profile setup labelled "allow list" - if you're 100% sure of the site concerned, or if Brightcloud won't re-classify the URL into a category you think it should be in, just put the URL into this field (sans the http:// or https:// protocol extension) and it'll be allowed through regardless of the brightcloud category it falls into. I use this one as a quick-fix while I wait for brightcloud to re-classify the URL if the user who needs it is really complaining and doesn't want to wait 48 hours. Cheers. ... View more

ulli.volk wrote: The following works for me in PAN-OS 4.0.2 Sorry, my bad - I didn't specify OS version. I haven't upgraded to the 4.x stream yet - running 3.1.8. Thanks anyway. ... View more

tpiens wrote: To do a mass replace you could export the config file from the device tab, open the file in any text editor, replace all instances you want to replace and reimport the file back onto the device . Yeah, I was hoping to avoid doing that. 🙂 The "replace" keyword is one of JunOS's most useful CLI editing features, and since PanOS appears to be at least based on JunOS I was hoping it'd have something similar in CLI. Guess I'll do it the hard way. Thanks. ... View more

rferry wrote: Have you tried submitting the URL and/or domains to Brightcloud to have the research the sites and potentially re-categorize?  The also ask what you believe the site should be classifed as. I do wonder how long the process takes and also wonder why the URL pattern database is only retrieved once a day (unlike the AV and Threats that are updated once an hour). BF I've had to reclassify numerous URL's, and generally the process is completed in 48 hours (24 for them to modify the database and publish, another 2 for it to be applied to the PA in the next scheduled download). The URL database is only retrieved once a day because as far as I can tell Brightcloud only publish updates once a day - so there's no point in doing it more often. Cheers. ... View more

infosecurity@egx.com.eg my Palo Alto has a time zone of Africa Cairo , in which we usually have summer time , but this year our country desided that we will not use summer time any more , But the Time is still GMT+3 in wguch it should be GMT +2 , what should i do. Temporarily change your timezone to one which is UTC+2? The actual timezone wil be wrong, but at least the time will be right. ... View more

pkruse wrote: Good morning, The problem with esftp and other encrypted ftp clients is that the control session is encrypted and we are not able to identify it as a child of the initiating parent session. On possible work around would be to setup a static NAT for the initiating IP and then you could create explicit ip to ip rules to accommodate the return session request. Naturally this would not be practical in an environment where several nodes would be using this app and the need for individual static NAT rules exhausted your available pool. There is no work around when the need is to allow an ecrypted control session through a NAT of many to one. ~Phil Phil. I'm not so concerned with identifying the session as a child of the parent link - the firewall appears to be identifying the esftp sesion as SSL, which is fine - but I've got SSL explicitely allowed, and yet the firewall still blocks the session - and I can't figure out why if it's identifying it as SSL. I've put in a work around by placing an explicit rule from the user concerned to the destintion concerned (thankfully, it's only one site!) with a blanket "allow" - but I'd still like to know why the SSL identified session bypasses my "default "allow" rule and blocks. Cheers ... View more

tanyc@digisafe.com HI I have configured PAN to be active passive HA configure. I configure link monitoring on all the interface. However, my active and passive firewall interface are connected to the same switch. If the switch fails. May I know what will happen? Both PAN devices will think the other one has failed and try to go "active". This would be a Bad Thing, as two devices would be trying to claim the same IP address, and the resulting ARP confusion would result in packet loss. You should directly connect the HA ports between the two PAN's using crossover cables (there was a bug/problem caused by not using crossover cables - I'm not sure if it's fixed yet). Just conenct HA1 on the first firewall to HA1 on the second, the same with HA2 on the first to HA2 on the second. Cheers. ... View more