About Astardzhiev

Hey @Mort2k , Probably couple of ways to achieve what you want, but here is what I will do if I were you: - Create to separate virtual-routers (VRs), one for each ISP - Create default route for each VR to respective ISP with enabled path monitor for each route - If possible directly connect the IP phone VLAN to the firewall and assign it to the second VR, so both ISP2 and IP phone VLAN to be in the same VR. - Create source NAT rules to translate IP phones traffic to public IP from ISP2 and all other traffic with public IP from ISP1 ------- At this point you should have internet access for IP phone system from ISP2 and internet access for all other systems over ISP1   - Create second default route for each VR pointing to "next-vr" with metric higher than the primary default route - Create NAT rules for IP phone system to translate source with address from ISP1 and all other systems with address from ISP2 (Note: if you use same security zone for both ISPs, you should use "destination interface" in addition to destination zone, when defining the NAT rules. If you use different zone, you don't have to define dest interface) ---- Above should allow you to automatically failover any service to backup ISP provider if there are any issues with primary ISP (path monitor will disable the preferable route to ISP and FW will use the next-vr and use the ISP from the other VR as backup internet access.     ... View more

Hey @Felixcao , Out of curiosity, but why your customer don't consider using the URL filtering license that he already have paid for? Does the firewall have Internet access through any of the dataplane interfaces - if yes you can use it for reaching the URL DB cloud with service routes = https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/networking/service-routes PAN FW support enabling proxy for traffic to Palo cloud, it may be an option if the mgmt does not have direct internet access.   If you remove the URL filtering license, but still use URL filtering profile anywhere in the policy you may start receive warning messages when committing the policy - which are a lot more annoying.   Another question - does your customer don't want to see those logs forwarded to his external log collector or he does not want them on the firewall at all. ... View more

Hey @Adrian_Jensen ,   Thank you for sharing and help the community. You bring great value to it! ... View more

Hi @paragkarki143 , I would suggest you to validate your Data Logs format. I had issues with copy-pasting from this PDF file - there were some non-printable characters when copy from the PDF. I would suggest you to paste format into text editor and check enable "show all characters" (I personally prefer NotePad++.   We don't forward data logs to Sentinel (yet), but below is what we have in our FWs (without any extra chars) CEF:0|Palo Alto Networks|PAN-OS|$sender_sw_version|$subtype|$type|$number-of-severity|rt=$cef-formatted-receive_time deviceExternalId=$serial src=$src dst=$dst sourceTranslatedAddress=$natsrc destinationTranslatedAddress=$natdst cs1Label=Rule cs1=$rule suser=$srcuser duser=$dstuser app=$app cs3Label=Virtual System cs3=$vsys cs4Label=Source Zone cs4=$from cs5Label=Destination Zone cs5=$to deviceInboundInterface=$inbound_if deviceOutboundInterface=$outbound_if cs6Label=LogProfile cs6=$logset cn1Label=SessionID cn1=$sessionid cnt=$repeatcnt spt=$sport dpt=$dport sourceTranslatedPort=$natsport destinationTranslatedPort=$natdport flexString1Label=Flags flexString1=$flags proto=$proto act=$action request=$misc cs2Label=URL Category cs2=$category flexString2Label=Direction flexString2=$direction PanOSActionFlags=$actionflags externalId=$seqno cat=$threatid fileId=$pcap_id PanOSDGl1=$dg_hier_level_1 PanOSDGl2=$dg_hier_level_2 PanOSDGl3=$dg_hier_level_3 PanOSDGl4=$dg_hier_level_4 PanOSVsysName=$vsys_name dvchost=$device_name PanOSSrcUUID=$src_uuid PanOSDstUUID=$dst_uuid PanOSTunnelID=$tunnelid PanOSMonitorTag=$monitortag PanOSParentSessionID=$parent_session_id PanOSParentStartTime=$parent_start_time PanOSTunnelType=$tunnel PanOSThreatCategory=$thr_category PanOSContentVer=$contentver PanOSAssocID=$assoc_id PanOSPPID=$ppid PanOSHTTPHeader=$http_headers PanOSRuleUUID=$rule_uuid   ... View more

Hi @ZhouYu ,   "show running security-policy" will not list if any security profile is applied on the rule. The "category" in this output is refering to custom URL category used as matching criteria.   Can you please run and provide the output > configure # show rulebase security rules test1   ... View more

Hi @BillAllen , If you want to use Custom URL as matching criterion in security rule, you don't need URL filtering license. I am not completely sure if you use the custom URL category in URL filtering profile and assign that profile to security rule, but based on other discussions here in the forum I believe it still will work.   URL filtering license will allow your firewall to query the cloud and check for URL category and apply action based on category. If you don't have license, you don't have category and you cannot determine what action to apply.   Custom URL category is like overrriding the category provided by the cloud. So I am imagine that without license no category from cloud is provided, but because you have custom category, firewall can categorize the URL and apply the action.     ... View more

Hi, @GarrettMichaelHayes , From my experience if traffic is allowed by the policy, but still dropped by the firewall, most common reason would be msiconfigured routing or zone protection. But it will difficult to guess without inspecting the actual configuration.   I cannot stress this enough, but the best way to understand the dropped packets is to use global counters with packet filters - https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CloNCAS - Using the GUI set a packet filter for destination (it is better to filter for destination, because filtering by source, will not match the packets after source NAT) and I would also suggest to filter by protocol "1" - to inspect only ICMP traffic while troubleshooting (and limit the noise) - Run the pings from VM machine to destination on internet that you are filtering on - Via CLI check the global counters with " > show counter global filter packet-filter yes delta yes " ('packet-filter' will show data only for the traffic that is matching your filter, while 'delta' will show you only data between the last and previous execution fo the comman - so you need to execute the command at least twice with couple of seconds in between).   As you can imagine this will require to configure everything back again like you want to do - haveing another maintenance, but this is the best way to understand why was causing the packet drop.   In addition I would suggest you to double/triple check the following configuration: - Default route: make sure default is pointing to correct next-hop IP and interface - Source NAT: make sure your NAT is matching both destination zone and destination interface (or just use any for destination interface). If you use FW interface for translated IP, edit the translated source section and select the new IP from the dropdown. - Zone protection: If you have enabled zone protection on the trust and untrust zone, check if your routing table is correct and anti-spoofing is not messing round. You may want to try to disable/remove zone protection from the zones just for the tests.   ... View more

Hi @JoseJarrin , Defining SNMP traps with Palo Alto firewalls is little different from other vendors. So the best way to check it to look at your firewall configuration. - Device -> Server profiles -> SNMP Trap - here you define SNMP server and community that firewall will use to send the traps. Nothing more - Device -> Log settings  - here you define what firewall will do for each log type.  Here you can specify log type and sub type that will be forwarded as SNMP trap to the host you defined earlier. Each log that is generated (system, traffic or security) by the firewall can be forwarded as SNMP trap (or syslog message). If you don't see your SNMP profile used anywhere in here, that means that your firewall is not sending any traps.   Another way would be to set a packet capture and filter for the SNMP server. Assuming that you use the dedicated management interface you will need to run tcpdump from command line - https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CleECAS ... View more

Hi @dmoore-acc360 , I would assume that you have figured out how to setup the collector - Enabling the connector in AZ Sentinel should give you all the steps of installing and preparing the syslog listener.   From firewall prespective you need first to create Syslog profile with customized formatting. Because Sentinel expect CEF, you need to tell the firewall to use CEF for each log type (that you want to forward to Sentinel).   On the following link you will find documentation how to define CEF format for each log type based on PanOS version. - https://docs.paloaltonetworks.com/resources/cef I have notice some issues with 9.1, which I have described here - https://live.paloaltonetworks.com/t5/globalprotect-discussions/pan-os-9-1-globalprotect-cef-format/m-p/475444#M2620 ... View more

Hi @VLim , It sounds the answer is right there in your question - "traffic hit the Rules 1 due to PING application as it doesnt have any standard port configure" - Even that Palo Alto firewall is pretty smart, it doesn't re-invet how networks work .So even if you still allow applications not ports don't forget that how networks works - TCP 3-way-hand shake doesn' provide any information about the about the application used or any of the above layers. So how do you expect for the firewall to identify that you want to use facebook on the first TCP SYN -it cannot. - Using app-id firewall will need to allow some traffic to pass in order to identify the actuall application. For example web browsing - firewall will allow the TCP hanshake to complete and wait for the firsts packets that transfer actuall data and will see that it countains HTTP GET - If you have noticed when creating firewall rule for service (basically ports) you can specify: application-default, any or something specific. Application-default is related to the application signatures that FW is using to identify applications. If you go to Objects -> Applications and open details for any app, you will notice that each app definition contain standard ports. This is what FW expect to be used for such application. - So when you allow web browsing app with application-default service, firewall will again need to allow the TCP handshake to establish in order to get the HTTP traffic and identify it as web browsing, but it will allow only TCP traffic over ports 80 and 8080, because those are the only ports that FW is expecting to be used for web traffic. - If you use "any' for service, firewall will allow any session - no matter which port is used, because you simply tell it that you expect given application on any port.   Not sure what debug have you run for the above output, but if you are insterested to go deeper I would suggest you to check this traning on how to run Debug level packet tracing - https://beacon.paloaltonetworks.com/student/path/1028945?sid=4a4b7cef-fe1b-4109-a308-5f8e3e317138&sid_i=0 ... View more

Hi @BNSRIKAR ,   Unfortunately I don't agree with @Adrian_Jensen  and I would go with anwser A - I believe the confustion here is between "container app" and xxx-base app. What @Adrian_Jensen described is actually the definitiaon for container app - following link probably will explain it better than me - https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CltnCAC   - Take for example SMB (because facebook contain too many sub-apps). As you can see there Palo Alto provide specific signature for each SMB version, so you can have more granula control and allow/deny specific version. If SMB version doesn't bothers you and you want to allow all versions you can simply add the container app - the parent from this three. As Adrian explained if you do that any future SMB version or app signature will be included in your policy automatically.   - Now lets focus on the xxx-base application - think about how firewall identify actuall application - first it needs to allow the TCP session to establish, then endpoints will start transfering some data, with each data firewall will gather more information, which is used to identify the actuall application. xxx-base application is used when Palo Alto can identify that traffic is associated with given application, but either not enough data is processed to identify the exact fucntion/feature, or just firewall doesn't have more specific app signature.   - Going back to the question form your exam prem - Firewall has signature for "supperApp-base", at this point any traffic and feature of this app is associated with -base app-id. At some point Palo Alto have created more specific signatures that allows you to identify specific features of this app, like chat and file download. Once the new content is installed on the firewall it will be able to identify each feature of this application, but this will also means that it will block that traffc - because your policy does not allow the new applications. ... View more

Hey @IsaacCasal , Are you using default service route for DNS traffic through the management interface, or you are using different service route - either for dns service, or specific destination?     ... View more

Awesome inteview and thank you for your contribution to the community! ... View more