About SThatipelly

SThatipelly

I have GP users whose logs show multiple attempts to public IPs on port 137. I have checked this KB https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClLfCAK and made sure user-id is not enabled on Internet interface but I have it enabled on GP interface.Image above shows the NBNS pcap captured on firewall.Anyone experiencing this?

SThatipelly

@OtakarKlier thanks. I thought of the same solution but wanted to get an opinion before bringing into prod.

SThatipelly

I have 4 public IP addresses that are needed to NAT to a one single private IP server in DMZ. They all listen on same port and same application. Anyway I can get this done without greatly impacting users? Thanks.

SThatipelly

@vsys_remo @JoergSchuetter thank you both for your responses.

SThatipelly

@vsys_remo @JoergSchuetter thanks for your responses. Do I need to purchase GP gateway license to enable support for Linux?

SThatipelly

I have a consultant who is asking if the Global Protect VPN would connect with an OpenVPN-based client? I suspect he is working from a Linux PC. does Palo support it?

SThatipelly · ‎01-27-2020

yes, we have some internal apps that work only with IE.

SThatipelly · ‎01-22-2020

8.1.10. Thank you for your time testing this in your lab. 🙂

SThatipelly · ‎01-22-2020

@BPry Sorry for my poor explanation. As you might already know, there is a critical zero day bug discovered in IE browser and Mircosft hasn't come up with patch yet. So in the meantime, I would like to block all access to internet from IE browsers. After following your suggestion, I am able to block around 60% of the decrypted traffic. But for some sites like twitter, google etc, application still shows twitter-base and google-base although the user-agent string matches my custom IE application and are being allowed. I made sure they are decrypted.

SThatipelly · ‎01-22-2020

@BPry Yes the application is matching IE traffic but not matching google searches although they are decrypted.

SThatipelly · ‎01-22-2020

@BPry Thank you so much for your response. I followed your suggestion and am blocking some sites. but, I can google search any webpage with no issue. I checked the user-agent string for the searches and they match my application but is still being allowed. I made sure decryption is turned on for google search and included all url categories in deny rule. ( user_agent contains 'Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko' )

SThatipelly · ‎01-21-2020

I am trying to block Internet Explorer traffic going out to the internet from my internal users. I have decryption in place and followed this article: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClEdCAK I am seeing some websites being blocked but some of them are not despite decryption. Has anyone tried blocking IE? Please let me know. TIA

SThatipelly · ‎01-13-2020

Last week I rebooted the problem firewall and failed-over to it. It was to my surprise that the issue was fixed and working fine now.

SThatipelly · ‎01-07-2020

@OtakarKlier I have defined my data interfaces in the virtual router configuration. does that mean the pings will be sourced through them but not Management port?

SThatipelly · ‎01-07-2020

@OtakarKlier thanks for sharing the links. Unfortunately, those 2 articles donot have the info I am looking for.

SThatipelly · ‎01-06-2020

I would like to configure HA failover condition that utilizes my data interface to perform path monitoring. this way, firewalls will failover when there is a routing issue. I don't see an option to use a source interface/ IP under HA-path Monitoring-Add virtual router path. is there any way to accomplish this? Thanks.

SThatipelly · ‎01-06-2020

@Nehmaan I interchanges the cables to make sure it's not switching/routing issue. last night after a reboot and failover, adjacency came back up again. so, I think it's clearly a software bug.

SThatipelly · ‎01-03-2020

I'm currently running 8.1.10 on PA-820 firewalls. They are in A/P failover pair. Last night, all of a sudden primary firewall started showing "( eventid eq routed-OSPF-neighbor-down )" in system logs and OSPF went down. I failed over to secondary and connections were restored. These 2 firewalls are connected to 2 switchports which are both part of same VLAN and SVI.I verified both the switchports are sending ospf hello packets for every 10 seconds and verified them on packet capture. I interchanged the cables going to firewalls between switchports and that didn't recreate the issue.so this ruled out the switch/router from the equation. I am wondering if this is a software bug? if it is, why didn't both firewalls get hit? or is it a hardware bug? please post your ideas. thanks.

SThatipelly · ‎10-30-2019

@kiwi i am running 8.1.10 and I see the following details: I am under impression that traffic quota accounts for both Traffic and URL logs. I don't see an option anywhere for just URL logs.

SThatipelly · ‎10-30-2019

My firewall has traffic logs stored that are 18 days older but URL logs just 10 days. why is it so? where is the settings that can tune my firewall to store same amount of Traffic logs and URL logs? thanks.

SThatipelly · ‎10-23-2019

2hrs on PAN agent

SThatipelly · ‎10-23-2019

@MickBall At some random times, traffic log doesn't show the username associated with that IP. but just after short duration(random) it picks it back and shows both IP and username.

SThatipelly · ‎10-23-2019

@MickBall thank you. I was using PAN agent at first but noticed user-ids kept dropping so moved to windows agent. I see the same issue again and so thought of having them both enabled. do you also see some of the usernames not being populated at times on your firewall?

SThatipelly · ‎10-22-2019

I have 8900 user-ids in my environement. using PA-5020, is it advisable to have both user-id agents turned on? I would like to have as much reliability as possible so the security policies will accurately filter based on usernames. thanks.

SThatipelly · ‎10-18-2019

what is the max session limit for SSL decryption on PA-5220 box? Thanks.

SThatipelly · ‎10-16-2019

@BPry thanks. I have the Alert policy today but I see so many URLs. it can only get messier if I allow them as facebook adds new urls often. I think is better not to go this way and convince my management to block entire facebook.

SThatipelly · ‎10-16-2019

I know there are multiple discussion threads on how to allow just one FB page but block all other access . I tried every single of them and none worked properly. I created a url filtering profile allowing just my company page and blocked social media but the problem is when a user first clicks my company page he/she would be taken to a login page. how do I efficiently allow it? Also, by doing this, I broke the page layout. all the graphics won't load. Also, the logout button won't show up when I allowed just that page. did anyone performed this task? if so, please let me know. thanks.

SThatipelly · ‎10-14-2019

@OtakarKlier can you please let me know the policy details. I'll try to create it on my end. these are creating a lot of noise on my firewalls.

SThatipelly · ‎10-08-2019

I have a VPN request where peer's IP range is conflicting with one of my internal IP range. They are asking me if I can do a NAT on my end to resolve it but based on my experience it must be them who should do a NAT. please correct me if I'm wrong.

SThatipelly · ‎10-02-2019

True. Shortened URLs in emails really cause issues to both admins and users . We train our users to look at the link before clicking them but these links are giving them hard time. so, I was looking at blocking them in the initial stage itself. I wish Palo has a url category called 'shortened links'

Date Registered	‎08-03-2017 01:42 PM
Date Last Visited	Sunday
Total Messages Posted	171
Total Likes Received	4

Online Status	Offline
Date Last Visited	Sunday

Enterprise

Prisma

Cortex

About SThatipelly