About AlexanderAstardzhiev

Hi @Carracido,   The passive member disabled it routing engine. That way the firewall is not able to initiate or response to any packet send to its dataplane interfaces. Think for the tunnel monitor the same way as the HA path-monitor. - Both (tunnel monitor and path-monitor) as simple icmp ping packets generated by the FW waiting for response - When the member is in passive mode it is not able to generate those ping packets so both monitors are inactive ... View more

Hi @batd2,   All of our Panoramas are virtual. All of them are running on 8.1 and none of them support the command you have: user@panorama> show interface management Show management interface information user@panorama> show interface ethernet1/1 ethernet1/1 is not one of <management> Invalid syntax.   It seems that the physical devices are supporting these commands, but the virtual don't. Which is weird... ... View more

Hi @goran.katava,   Are you sure that you are using the GlobalProtect in SSL mode and not in IPsec mode?   In the past I had issues with IPsec based RA VPN (on another firewall vendor) for users connecting from China and the solution was to switch from IPsec to SSL for the RA VPN. This was few years ago and I am surprise to hear that the SSL based VPN is having issues.      ... View more

Hi @Sethupathi,   1. The "reject default route" from your screenshot is doing the opposite to what you want. This option will force the firewall to reject default route received by any BGP peer. To answer how it will affect your setup depends entirely of that how your firewall is receiving the default route (does it receive it via BGP or by other way static, ospf, etc). To answer will it solve your issue - definitely no. This option is to reject receiving default and you are trying to block advertisement (to specific peer)   2. The proper way to select/filter what you advertise to BGP peers is the Export rules. It is impotent to notice the following - from this document (which is not exactly what you need, but doesn't matter) There is an implicit deny rule that is triggered once any rules are created in the export or import tabs (the same is true for OSPF export). Add an allow rule to make sure you are importing other prefixes. The Import tab should now appear like the following:   ... View more

Hi @AlecWeiner ,   - What versions are the FWs? Are they running the same version? - Does both FWs are using same protocols PAP, CHAP?   I am not sure if it the same, but while ago we hit something similar - we wanted to configure RADIUS between PAN 7.1 and SafeNet (for token authentication). We hit a problem that when user entered username and password the SafeNet server was sending "Challenge" as response, which prompted the user to enter second password, even that there is no second pass. It turns out that by default the PAN 7.1 was using PAP and SafeNet was using CHAP. After forcing the FW to use CHAP everything was working fine.   In addition I would suggest you to run packet capture during the authentication attempt to capture the RADIUS traffic, I bet you will see that the server is sending the strange response (which will tell the FW to provide you with the "change password" page) ... View more

Hi @alal    Looking at the KB you post it seems the OS check comes to regex match in the HTTP header user-agent string. As a start I would suggest you to check the regex expression and see if its match what it is expected or it needs to be improved. It will be useful if you can past it here.   Googling around you should be able to find how different OS versions are described in the user-agent string. My first results says: For windows 10 it is Windows NT 10.0 for windows 8 it is 6.2, windows 8.1 it is 6.3 and windows 7 it is 6.1. https://stackoverflow.com/questions/40218173/user-agent-for-windows-7-vs-8-vs-10 So the regex expression should look like: User-Agent:.+Windows NT 6\.1   This is also very useful site - http://www.useragentstring.com/     ... View more

Hi @MickBall,   Actually he (@ChrisGapske) need to have users typing domain along their username. As you pointed out Authentication Sequence will try to authenticate a user from top to bottom. This could be a problem if you have exact same usernames in multiple domains.   Starting from 8.1 (or even 8.0 not sure exactly) authentication sequence have option to use the typed domain to determine which profile to use from the list and jump straight to it, instead of going top to bottom.   Use domain to determine authentication profile Select this option (selected by default) if you want the firewall to match the domain name that a user enters during login with the User Domain or Kerberos Realm of an authentication profile associated with the sequence and then use that profile to authenticate the user. The user input that the firewall uses for matching can be the text preceding the username (with a backslash separator) or the text following the username (with a @ separator). If the firewall does not find a match, it tries the authentication profiles in the sequence in top-to-bottom order.  https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-web-interface-help/device/device-authentication-sequence.html     ... View more

This doesn't make sense...If the problem is in the fragmented IKE packets, you shouldn't be able to build the tunnel at all. All of the renegotiation will contain packets bigger than 1500bytes and will be dropped.   VPNs going down after particular time usually happen if there is lifetime mismatch between the peers. Check the lifetime on both ends of the tunnel for phase1 and phase2. Check also if they both use the same metric - seconds, or bytes, or both.   Also insist for deeper investigation from Oracle. The answer they have provide looks more like dust in the eyes, than plausible case.   ... View more

Hi @jhwarren ,   You need to provide more information, with this poor explanation of the problem it is shooting in the dark. - Do you use full tunnel or split-tunnel VPN? - How is you security policy look like? Do you allow specific ports or using AppID? - How is you GP gateway configured - are you route the traffic base on route, domain or application? - Have you understand how whiteboard is working? Do you know what port, protocol is used? From which direction the traffic is initiated - is it possible that you need rule allowing traffic from inside to GP VPN?   You need to understand that GlobalProtect is just building logical connection from the user PC to the firewall, after that is down to basic network principles - do you have route, do you have fw rule allowing traffic, do you have reply routed back.   ... View more

Hi @MandarKulkarni,   Hold on for a second... Even tho BGP is very complex it still a dynamic routing protocol like any other. Which means that it should dynamically learn routes from other peers and advertise routes that are known.   By default, in normal situation the FW should learn/import the route (10.10.10.0/24) by PeerA and auto-magically advertise/export this route to all other BGP peers. Now I said by default and in normal situation, because there are many reasons preventing FW to advertise this route to other peers. Like any other dynamic routing protocol BGP also have some loop prevention logics built-in to the protocol itself (any device no matter if it is PA FW or a router will obey them) FW will not advertise the route to the same peer that it came FW will not advertise the route to AS if that AS number is already in the AS path for the route Which means in normal situation - that you learn route 1.1.1.1 from PeerA (with AS11), FW will automatically advertise this route to PeerB (with AS12) if AS12 is not already in the AS path for this route   You can control what you learn and what you advertise by BGP with import and export rules Import rule is controlling what FW will accept from the peers Export rule is controlling what FW will advertise to the peers Which means by default no import/export rules are configured, FW will accept anything that is send by the peers and will advertise anything (that is not filtered by the loop prevention mechanisms) to all peers. If you have configured at least one export rule, FW will advertise only the routes matching that rule and nothing else.   So back to your question: - If you ask "will it be advertised" - most probably yes if the "requirements" discussed above are met - If you ask "why it is not advertised" - I strongly recommend to first identify what is the reason to not advertise the route to other peers   Probably will repeat myself, but - the route should be advertised, but if it is not try to identify the reason. I strongly recommend - do not use redistribution rules! As @Shawverr, correctly quoted, main purpose of redistribution rule is completely different. Its purpose is to advertise route to BGP peers that FW didn't receive by BGP. For example routes that are statically configured - by default FW will not adv. static routes, or directly connected networks, or routes from other dynamic protocols (OSPF, RIP). Or if you want to advertise routes that are not in your routing table at all (for example your ISP is giving you second public range that you use for NAT, it is not configured on any of your interfaces, but still this traffic should be routed to the FW).   Up to this point we were talking only for one BGP instance. And like any other network device PA FW can only have one BGP instance per routing table - if you configure multiple VRs you can have different BGP instances (different AS). To be honest I am not sure if you can advertise routes between different VRs. I could guess you cannot, at least without static routes   ... View more

Hi @pkathiria,   lets take a step back - if  understand correctly your assumption that firewall is not syncing with AD is based on rule not matching for new user that is added to the allow user group, correct?   Have you tried all the commands that @MickBall provide you? It is very important that username from user-to-ip mapping is identical to the username from the group mapping - including the domain. ... View more

@pkathiria, 2sec is too intrusive, but most important it shouldn't even be a valid configuration. The minimum possible value is 60 sec: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cm0JCAS ... View more

Hi@SteveCantwell and what will be the benefit of option 2?   @mcroninI would personally go for option 1: - The other two options bring unnecessary complexity. One public IP for site-to-site and RA VPN is simple and easy to support - If you enable GP VPN on the same interface that you use for site-to-site or on a separate, you still need to expose it and open the required ports. If it reachable from internet any scanner will detect it and will try to exploit. ... View more

Hi @FarzanaMustafa,   It doesn't sound you have enough investigation to exclude problems with adjacent devices... - Have you done a packet capture when the issue occur? - Can you confirm that the packets are coming from the right interface/zone? - Have you compare packet captures when the issue occurs and when there is not issues?     ... View more

Hi @a.jones ,   It sounds that you are mistaken tunnel interface with IPsec tunnel source interface. - " the tunnels have a local IP and peer address." - local IP and peer address are the public address of your gateway and the remote device that will be used for building the IPsec tunnel. In addition Palo Alto is using route-based VPN implementation. Which means that if you want to send traffic through the tunnel you need to have a route in the routing table pointing to that tunnel. Since the "tunnel" is logical (it doesn't exists physically) you need a logical (virtual) interface that is bound to that tunnel. - "When I configure the tunnel nat source translation I am using DIPP with the tunnel interface, IP none" - It sounds that you have bound your IPsec tunnel with tunnel interface that has no IP configured. While a tunnel interface can be configured without IP address, such source NAT rule is not valid. If you think about it you said to your FW - for source nat use the address for this interface which doesn't have ip assigned...   The two solutions would be: - Configure your Source NAT DIPP rule with "Translated address" instead of "Interface address" and define the address you want to use for the hide nat - Assign an IP address on the tunnel interface that is bound to your IPsec tunnel. After that you should be able to use it in source nat rule   I don't believe there is any difference between the two. Most important in both cases is that your proxy-id should use the NAT address as local. And at the same time the remote side of the tunnel should use the NAT address as remote proxy-id       ... View more

Hi @DShofkom33x ,   I am still searching for the best approach, but meanwhile our setup is: - Created onе "Default Device Setting" template defining only: DNS, NTP, SNMP, Banner, Dynamic Updates, ContentID and session settings, logging setting and etc (any other setting that is considered standard for us and applied on all devices) - Created one "Site Specific Network settings" template defining anything needed in the Network tab (interfaces, routing, IPsec, GP etc). In the same template defining the HA setting. For this template we have defined some template variables: $peer-ip - used in HA config general tab for peer ip address $ha1-ip - used in HA config, HA1 local IP address $ha2-ip - used in HA config, HA2 local IP address $gw-ip. - used in HA config, for path monitoring.   - Created on template stack per site - the stack include default device settings and the site specific network and HA config. - Each member in the cluster is overwritting and uses specific value for all three variables   At the beginning I liked this approach as it is using fewer tempaltes = fewer templates to support. The disadvantage is that template variables supprot only ip addresses and network. Which means that you cannot set different priority for the to members using same template (so we define it locally).   So I am starting to preffer the approach to use separate stacks for each member. Depenting on the standartization between your sites (firewalls) you can try to create two tempplate for HA peer one and HA peer two. So the two stack will use the same network template and the "standard HA" templates   ... View more

Hi @myky ,   I was using tcpdump on the management interface recently and I notice that every time the capture is started the file is overwriten, not amended. So as some kind of workaround you can just run new tcpdump with some dummy filter (at will not capture any traffic). This will overwrite and replace the content of the file from the previous capture.     ... View more

Hi @Cindy-Resiter,   For configuration simplicity I would suggest to use the firewall public IP for the GlobalProtect. The reason for that is you need to select an interface on which you want to enable the GP. So the firewall will allow you to set an IP address that is already assigned to it, and the simpliest configuration would be to just select publicaly faced interface.   Technically speaking I am not even sure that you can use different IP for the GP in all cases: - If your fiirewall is assigned with 1.1.1.1/29 and you ISP gives you (route to your FW) 2.2.2.2. You can configure the 2.2.2.2 as a loopback and use it for the GP - But if your firewall is assigned with 1.1.1.1/29 and you try to use 1.1.1.2 for GP, I don't believe FW will allow you that. If you try to configure loopback with 1.1.1.2/32 it should overlap with your public interface and commit should fail.   So my personal prefferable way to configure GlobalProtect is always use the firewall IP - simple, standard, always work, without interfering other services ... View more

Hi @jesuscano,   What model are you running?   I am asking because a few months ago I notice something similar for a brand new PA-820. Before this device we had only PA-3000 and PA-5000 series. So I opened a case to TAC and the engineer was very kind to give me a very nice explanation:     The difference between those platforms (PA-3000 and PA-5000) and PA-8XX is that they have a dedicated dataplane. For platforms like PA-8XX and PA-2XX with one CPU there are always some cores dedicated to MP and others for DP, and the DP cores of that single CPU are generally maxed out.     ... View more

Hi @Pattarachai,   Can you explain a bit more your setup or what you want to achive? Like any other vendor Palo Alto support - active-standby cluster - where you deploy to FWs in HA cluster. Both firewalls share same IP address and in case of failuer on the primary member traffic is handovered to secondary member. Since both member are using same IP address for the rest of the network nothing has changed   - active-active cluster - wher both FWs in the cluster are active and used different IP address. BUT you can configure VIP (floating IP) which can be used by the neighbour devices to forward traffic to only one of the member. In case of failuer the secondary member took over the VIP addresses   - If you want to run VRRP between the FW and a router, so in case of failuer in the firewall the traffic to be send the router, so you will loose security, but will maintain connectivity - Unfortunately that is not possible. Palo Alto doesn't support any First Hop Reduncency protocols (VRRP, HRSP etc) ... View more

Hi @MandarKulkarni,   - ICMP packets generated by tunnel monitor are not logged - Packet capture on the firewall cannot capture those packets - The only way to see if tunnel monitor is sending and receiving (if receiving) packets is via the comman you already know > show vpn tunnel-flow id The ping packets generated by tunnel monitor ARE definately encrypted and send try the tunnel, that is the whole point of the tunnel monitor, to see if both phases of the IPsec tunnel are up and actual traffic can pass through it.   The common reason for your tunnel monitor to show down is - proxy id. If your tunnel is using multiple proxy id, tunnel monitor will fail. For more details see my comment in the following post - Fail-over VPN site-to-site ... View more

@BPry,   If you utilize a NAT translation for your VPN traffic to the other company, you would still require the associated route statements to actually direct the traffic to the right location. That is pretty much the same what I have said - you only (or mainly) need route for the remote networks to point to the right tunnels. But my understanding here is not the remote network overlapping with existing tunnels or local networks, but that the local network is in used behind the remote peer. Also based on the @cheez explanation I got the expression that only traffic initiated from local to remote will pass through the tunnel.   Which should means: - simple route to remote_network via tunnel.1 - source nat, with dynamic ip and port for traffic from:local_lan to:remote_network - ipsec tunnel with proxy id local:natted_ip remote:remote_network At this point it really doesn't matter what ip you will user for the source nat, as long the remote side accept it       ... View more

  Hey @BPry, Apologies, but I am confused by your reply for the routing table...   @cheezif understand your question correctly you want to: - create site-to-site IPsec tunnel - inside this tunnel hide NAT your private source behind public IP (which also used for ike peer) - use the public (peer) IP local encryption domain (proxy-id)   I haven't personaly done it, but I have seen it multiple time on other tunnel. And it shouldn't be any problem to achive this: a) on the palo the decision if traffic should be encrypted with given tunnel is based on routing (aka route-base vpn), so it doesn't matter what source are you using (as long you have a rule of course) b) when you are creating your hide NAT rule you need to specify source zone your lan and destination zone your vpn zone (where the tunnel interface is), and also match based on original destination - this will assure that only traffic to the vpn is NAT-ed           ... View more