About AlexanderAstardzhiev

Hi @Efrain_Olmos ,   You need to understand that PAN firewalls have strict separation between management plane and data plane including the routing for the mgmt and data interfaces. So there is no way to route traffic received by data plane interface to the dedicated management interface, without sending this traffic via another device (switch or router).   As mentioned earlier most straight forward approach would be to create loopback, assign it with mgm-int profile and build IPsec tunnel that will accept traffic destine to that loopback (assigning the tunnel interface with IP will also do the trick). Basically it is the same approach if you use GlobalProtect, the same concept, but the tunnel is client-to-site, not site-to-site.   The biggest disadvantage of these approaches is if you have active-passive HA you will be able to reach only the current active member (since both members in the cluster are sharing one ip).   So if you want to monitor both members at the same time - any solution that involves dataplane interface with interface-management profile will not work. You will need to use the dedicated/oob management port. In that case you will need to use additional switch or a router that will make the connection between the dataplane interface and the mgmt. For example - you can connect the inside interface and mgmt interface to the same vlan, so when you build the ipsec traffic will first exit the fw, pass the layer2 switch and go to the mgmt interface. Or if the site is bit bigger and you use different networks/vlans for the mgmt and the inside you can put a route on the fw that it needs to route to the mgmt network via the core switch. ... View more

Hi @DhananjayBhakte ,   As @SteveCantwell already explain it there is default intrazone rule that is allowing the IPsec traffic. So you need explicit allow rule only  if you have override this rule and blocking any intrazone traffic that is not explicitly allowed.   One important note - Do you really need the two policy for the IPsec tunnel? @MP18 asked excellent question - from where did you expect the traffic to be initiated in normal operation of the tunnel? The question is not from where are you pinging during the troubleshoot, the question is - do you expect both sides of the tunnel to initiate traffic? You know PAN firewall is statefull firewall so it will automatically allow the reply for given request. I have seen countless time tunnel with rules allow traffic in both direction when only one will be the initiator.   When you say "tunnel is up", do you mean both phase1 and phase2 are up? If phase2 is up do you see encrypted/decrypted traffic? Which one or both?   I also agree it is time to engage the remote site to doublecheck their config   ... View more

Hi @crypto ,   That is correct, with SSL decryption firewall will have visibility over the full URL, which ensure more accurate categorization. If no SSL decryption is enabled FW will use certificate subject name or subject alternative name to identify the requested site and use this information for categorization.   One good example that saw somewhere in this forum a while ago is - take blogger.com which is categorized by PAN-DB as " Personal Sites and Blogs". If I create a blog there to discuss weapons, my blog should fall under "Weapons" category, but since your firewall doesn't have SSL decryption enabled it will only inspect the SSL certificate and will now that the user is trying to react blogger, which is save in general. But if you enable SSL decryption firewall will have access to the full URL and will know that not only user is trying to reach blogger.com, but which specific blog it is trying to reach it and apply more granular control.   Same goes for any other sites that is using wildcard certificate for the whole domain, but different subdomains are categorized differently.      To sum up - even if your don't use SSL decryption you will be able to block HTTPS. In general you probably will be fine without decryption, as you explain it correctly it will give you more visibility and you will have granular control over some edge cases URLs ... View more

If you don't understand the purpose of having multiple virtual routers this means that you really don't need it. @Abdul-Fattah in most case you are correct, but in regality every device has its limit for how many interfaces you can have per device. Here you can see comparation between the some of the low end devices - https://www.paloaltonetworks.com/products/product-comparison?chosen=vm-50,pa-220,pa-850 and look for " Max interfaces (logical and physical"   ... View more

Hi @crypto    There are several components that you need to take in consideration: 1. If you want to have full visibility over the visited URLs (not only the domain) you will need to have SSL decryption enabled. If not you will only see the visited domain - or more specifically the domain/subdomain listed in the service certificate 2. PAN FW will log URL/domain information only if this traffic match rule that is applying URL filtering profile with action different from allow.  3. Traffic log will show you only logs generated by security policy rule. If you want to see URL logs you need to look at either URL logs or Unified log (in the GUI)   So I would suggest  you to create URL filtering profile with action block for all categories that you are sure you want to block, everything else change to alert. Apply this profile to rule that is matching the web traffic from your users or application (it would be better to have separate rules for different users and application). Create decryption rule that is matching the same traffic as the security rule.    This will provide you with the required information and you only need to collect it - you can either check ACC for quick overview or use the reporting capability to provide aggregated report.  ... View more

Hi @Carracido,   The passive member disabled it routing engine. That way the firewall is not able to initiate or response to any packet send to its dataplane interfaces. Think for the tunnel monitor the same way as the HA path-monitor. - Both (tunnel monitor and path-monitor) as simple icmp ping packets generated by the FW waiting for response - When the member is in passive mode it is not able to generate those ping packets so both monitors are inactive ... View more

Hi @batd2,   All of our Panoramas are virtual. All of them are running on 8.1 and none of them support the command you have: user@panorama> show interface management Show management interface information user@panorama> show interface ethernet1/1 ethernet1/1 is not one of <management> Invalid syntax.   It seems that the physical devices are supporting these commands, but the virtual don't. Which is weird... ... View more

Hi @goran.katava,   Are you sure that you are using the GlobalProtect in SSL mode and not in IPsec mode?   In the past I had issues with IPsec based RA VPN (on another firewall vendor) for users connecting from China and the solution was to switch from IPsec to SSL for the RA VPN. This was few years ago and I am surprise to hear that the SSL based VPN is having issues.      ... View more

Hi @Sethupathi,   1. The "reject default route" from your screenshot is doing the opposite to what you want. This option will force the firewall to reject default route received by any BGP peer. To answer how it will affect your setup depends entirely of that how your firewall is receiving the default route (does it receive it via BGP or by other way static, ospf, etc). To answer will it solve your issue - definitely no. This option is to reject receiving default and you are trying to block advertisement (to specific peer)   2. The proper way to select/filter what you advertise to BGP peers is the Export rules. It is impotent to notice the following - from this document (which is not exactly what you need, but doesn't matter) There is an implicit deny rule that is triggered once any rules are created in the export or import tabs (the same is true for OSPF export). Add an allow rule to make sure you are importing other prefixes. The Import tab should now appear like the following:   ... View more

Hi @AlecWeiner ,   - What versions are the FWs? Are they running the same version? - Does both FWs are using same protocols PAP, CHAP?   I am not sure if it the same, but while ago we hit something similar - we wanted to configure RADIUS between PAN 7.1 and SafeNet (for token authentication). We hit a problem that when user entered username and password the SafeNet server was sending "Challenge" as response, which prompted the user to enter second password, even that there is no second pass. It turns out that by default the PAN 7.1 was using PAP and SafeNet was using CHAP. After forcing the FW to use CHAP everything was working fine.   In addition I would suggest you to run packet capture during the authentication attempt to capture the RADIUS traffic, I bet you will see that the server is sending the strange response (which will tell the FW to provide you with the "change password" page) ... View more

Hi @alal    Looking at the KB you post it seems the OS check comes to regex match in the HTTP header user-agent string. As a start I would suggest you to check the regex expression and see if its match what it is expected or it needs to be improved. It will be useful if you can past it here.   Googling around you should be able to find how different OS versions are described in the user-agent string. My first results says: For windows 10 it is Windows NT 10.0 for windows 8 it is 6.2, windows 8.1 it is 6.3 and windows 7 it is 6.1. https://stackoverflow.com/questions/40218173/user-agent-for-windows-7-vs-8-vs-10 So the regex expression should look like: User-Agent:.+Windows NT 6\.1   This is also very useful site - http://www.useragentstring.com/     ... View more

Hi @MickBall,   Actually he (@ChrisGapske) need to have users typing domain along their username. As you pointed out Authentication Sequence will try to authenticate a user from top to bottom. This could be a problem if you have exact same usernames in multiple domains.   Starting from 8.1 (or even 8.0 not sure exactly) authentication sequence have option to use the typed domain to determine which profile to use from the list and jump straight to it, instead of going top to bottom.   Use domain to determine authentication profile Select this option (selected by default) if you want the firewall to match the domain name that a user enters during login with the User Domain or Kerberos Realm of an authentication profile associated with the sequence and then use that profile to authenticate the user. The user input that the firewall uses for matching can be the text preceding the username (with a backslash separator) or the text following the username (with a @ separator). If the firewall does not find a match, it tries the authentication profiles in the sequence in top-to-bottom order.  https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-web-interface-help/device/device-authentication-sequence.html     ... View more

This doesn't make sense...If the problem is in the fragmented IKE packets, you shouldn't be able to build the tunnel at all. All of the renegotiation will contain packets bigger than 1500bytes and will be dropped.   VPNs going down after particular time usually happen if there is lifetime mismatch between the peers. Check the lifetime on both ends of the tunnel for phase1 and phase2. Check also if they both use the same metric - seconds, or bytes, or both.   Also insist for deeper investigation from Oracle. The answer they have provide looks more like dust in the eyes, than plausible case.   ... View more

Hi @jhwarren ,   You need to provide more information, with this poor explanation of the problem it is shooting in the dark. - Do you use full tunnel or split-tunnel VPN? - How is you security policy look like? Do you allow specific ports or using AppID? - How is you GP gateway configured - are you route the traffic base on route, domain or application? - Have you understand how whiteboard is working? Do you know what port, protocol is used? From which direction the traffic is initiated - is it possible that you need rule allowing traffic from inside to GP VPN?   You need to understand that GlobalProtect is just building logical connection from the user PC to the firewall, after that is down to basic network principles - do you have route, do you have fw rule allowing traffic, do you have reply routed back.   ... View more

Hi @MandarKulkarni,   Hold on for a second... Even tho BGP is very complex it still a dynamic routing protocol like any other. Which means that it should dynamically learn routes from other peers and advertise routes that are known.   By default, in normal situation the FW should learn/import the route (10.10.10.0/24) by PeerA and auto-magically advertise/export this route to all other BGP peers. Now I said by default and in normal situation, because there are many reasons preventing FW to advertise this route to other peers. Like any other dynamic routing protocol BGP also have some loop prevention logics built-in to the protocol itself (any device no matter if it is PA FW or a router will obey them) FW will not advertise the route to the same peer that it came FW will not advertise the route to AS if that AS number is already in the AS path for the route Which means in normal situation - that you learn route 1.1.1.1 from PeerA (with AS11), FW will automatically advertise this route to PeerB (with AS12) if AS12 is not already in the AS path for this route   You can control what you learn and what you advertise by BGP with import and export rules Import rule is controlling what FW will accept from the peers Export rule is controlling what FW will advertise to the peers Which means by default no import/export rules are configured, FW will accept anything that is send by the peers and will advertise anything (that is not filtered by the loop prevention mechanisms) to all peers. If you have configured at least one export rule, FW will advertise only the routes matching that rule and nothing else.   So back to your question: - If you ask "will it be advertised" - most probably yes if the "requirements" discussed above are met - If you ask "why it is not advertised" - I strongly recommend to first identify what is the reason to not advertise the route to other peers   Probably will repeat myself, but - the route should be advertised, but if it is not try to identify the reason. I strongly recommend - do not use redistribution rules! As @Shawverr, correctly quoted, main purpose of redistribution rule is completely different. Its purpose is to advertise route to BGP peers that FW didn't receive by BGP. For example routes that are statically configured - by default FW will not adv. static routes, or directly connected networks, or routes from other dynamic protocols (OSPF, RIP). Or if you want to advertise routes that are not in your routing table at all (for example your ISP is giving you second public range that you use for NAT, it is not configured on any of your interfaces, but still this traffic should be routed to the FW).   Up to this point we were talking only for one BGP instance. And like any other network device PA FW can only have one BGP instance per routing table - if you configure multiple VRs you can have different BGP instances (different AS). To be honest I am not sure if you can advertise routes between different VRs. I could guess you cannot, at least without static routes   ... View more

Hi @pkathiria,   lets take a step back - if  understand correctly your assumption that firewall is not syncing with AD is based on rule not matching for new user that is added to the allow user group, correct?   Have you tried all the commands that @MickBall provide you? It is very important that username from user-to-ip mapping is identical to the username from the group mapping - including the domain. ... View more

@pkathiria, 2sec is too intrusive, but most important it shouldn't even be a valid configuration. The minimum possible value is 60 sec: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cm0JCAS ... View more

Hi@SteveCantwell and what will be the benefit of option 2?   @mcroninI would personally go for option 1: - The other two options bring unnecessary complexity. One public IP for site-to-site and RA VPN is simple and easy to support - If you enable GP VPN on the same interface that you use for site-to-site or on a separate, you still need to expose it and open the required ports. If it reachable from internet any scanner will detect it and will try to exploit. ... View more

Hi @FarzanaMustafa,   It doesn't sound you have enough investigation to exclude problems with adjacent devices... - Have you done a packet capture when the issue occur? - Can you confirm that the packets are coming from the right interface/zone? - Have you compare packet captures when the issue occurs and when there is not issues?     ... View more

Hi @a.jones ,   It sounds that you are mistaken tunnel interface with IPsec tunnel source interface. - " the tunnels have a local IP and peer address." - local IP and peer address are the public address of your gateway and the remote device that will be used for building the IPsec tunnel. In addition Palo Alto is using route-based VPN implementation. Which means that if you want to send traffic through the tunnel you need to have a route in the routing table pointing to that tunnel. Since the "tunnel" is logical (it doesn't exists physically) you need a logical (virtual) interface that is bound to that tunnel. - "When I configure the tunnel nat source translation I am using DIPP with the tunnel interface, IP none" - It sounds that you have bound your IPsec tunnel with tunnel interface that has no IP configured. While a tunnel interface can be configured without IP address, such source NAT rule is not valid. If you think about it you said to your FW - for source nat use the address for this interface which doesn't have ip assigned...   The two solutions would be: - Configure your Source NAT DIPP rule with "Translated address" instead of "Interface address" and define the address you want to use for the hide nat - Assign an IP address on the tunnel interface that is bound to your IPsec tunnel. After that you should be able to use it in source nat rule   I don't believe there is any difference between the two. Most important in both cases is that your proxy-id should use the NAT address as local. And at the same time the remote side of the tunnel should use the NAT address as remote proxy-id       ... View more

Hi @DShofkom33x ,   I am still searching for the best approach, but meanwhile our setup is: - Created onе "Default Device Setting" template defining only: DNS, NTP, SNMP, Banner, Dynamic Updates, ContentID and session settings, logging setting and etc (any other setting that is considered standard for us and applied on all devices) - Created one "Site Specific Network settings" template defining anything needed in the Network tab (interfaces, routing, IPsec, GP etc). In the same template defining the HA setting. For this template we have defined some template variables: $peer-ip - used in HA config general tab for peer ip address $ha1-ip - used in HA config, HA1 local IP address $ha2-ip - used in HA config, HA2 local IP address $gw-ip. - used in HA config, for path monitoring.   - Created on template stack per site - the stack include default device settings and the site specific network and HA config. - Each member in the cluster is overwritting and uses specific value for all three variables   At the beginning I liked this approach as it is using fewer tempaltes = fewer templates to support. The disadvantage is that template variables supprot only ip addresses and network. Which means that you cannot set different priority for the to members using same template (so we define it locally).   So I am starting to preffer the approach to use separate stacks for each member. Depenting on the standartization between your sites (firewalls) you can try to create two tempplate for HA peer one and HA peer two. So the two stack will use the same network template and the "standard HA" templates   ... View more

Hi @myky ,   I was using tcpdump on the management interface recently and I notice that every time the capture is started the file is overwriten, not amended. So as some kind of workaround you can just run new tcpdump with some dummy filter (at will not capture any traffic). This will overwrite and replace the content of the file from the previous capture.     ... View more

Hi @Cindy-Resiter,   For configuration simplicity I would suggest to use the firewall public IP for the GlobalProtect. The reason for that is you need to select an interface on which you want to enable the GP. So the firewall will allow you to set an IP address that is already assigned to it, and the simpliest configuration would be to just select publicaly faced interface.   Technically speaking I am not even sure that you can use different IP for the GP in all cases: - If your fiirewall is assigned with 1.1.1.1/29 and you ISP gives you (route to your FW) 2.2.2.2. You can configure the 2.2.2.2 as a loopback and use it for the GP - But if your firewall is assigned with 1.1.1.1/29 and you try to use 1.1.1.2 for GP, I don't believe FW will allow you that. If you try to configure loopback with 1.1.1.2/32 it should overlap with your public interface and commit should fail.   So my personal prefferable way to configure GlobalProtect is always use the firewall IP - simple, standard, always work, without interfering other services ... View more