This website uses cookies essential to its operation, for analytics, and for personalized content. By continuing to browse this site, you acknowledge the use of cookies.
For details on cookie usage on our site, read our Privacy Policy
For details on cookie usage on our site, read our Privacy Policy
About Nicka
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- LIVEcommunity
- About Nicka
Online
14Posts
3Likes
0Solutions
Sep 21, 2023Last Visited
User
Activity
User
Profile
Latest posts by Nicka
| Subject | Views | Posted |
|---|---|---|
| 1495 | 05-05-2023 07:59 PM | |
| 1114 | 01-05-2023 01:55 PM | |
| 1153 | 01-04-2023 06:51 PM | |
| 2007 | 02-25-2022 05:56 PM | |
| 2243 | 03-12-2020 09:03 PM | |
| 5456 | 05-02-2019 03:56 PM | |
| 2173 | 07-03-2018 09:06 PM | |
| 4393 | 08-08-2017 06:26 PM | |
| 4574 | 08-08-2017 06:11 PM | |
| 4584 | 08-07-2017 02:19 PM |
My Liked Posts
| Subject | Likes | Posted |
|---|---|---|
| 2 Likes | 02-25-2022 05:56 PM | |
| 1 Like | 08-08-2017 06:26 PM |
Posts I Liked
| Subject | Likes | Author | Latest Post |
|---|---|---|---|
| 1 Like | |||
| 2 Likes | |||
| 1 Like | |||
| 1 Like | |||
| 3 Likes |
User Badges
Community Statistics
| Member Since | 09-09-2014 12:33 PM |
| Date Last Visited | 09-21-2023 03:24 PM |
| Posts | 14 |
| Total Likes Received | 3 |
05-05-2023
07:59 PM
I know this post is fairly old, but thank you for this!! This was such a simple yet brilliant solution to overcome Palo Alto's terrible failure to track which interface a packet came in and should exit out of. This is also the only solution I was able to find that you can concurrently use both gateways on the same firewall over each ISP. Even better, this doesn't require loopback interfaces, NAT'ing, PBF rules, or even any sort of manual intervention when a failure occurs.
... View more
01-05-2023
01:55 PM
What format does this take? Is it the fully qualified distinguished name (like adding it to group mappings) or just the domain\name (like adding it to security policies)?
Maybe include this in future Globalprotect documentation given they don't seem to be fixing this anytime soon in Panorama...
... View more
01-04-2023
06:51 PM
Nearly 4 years later and this issue still isn't fixed... at least not in 9.1.
... View more
02-25-2022
05:56 PM
2 Kudos
I don't know if this is a 10.1.4 bug or by design but I have a pair of PA460's in HA with config sync enabled. 1. Firewall won't sync a certificate with a private key to the other firewall. It syncs the root CA only. 2. I can't sync any SSL/TLS service profile settings to the other firewall. Normally I use Panorama but I would have to be a huge masochist to upgrade it 10.1, knowing there's 50+ known bugs that have not been fixed in over 2 months. Just a suggestion but maybe enforcing known buggy software on your latest firewalls with non-existent QA might not be such a great idea?
... View more
03-12-2020
09:03 PM
Thank you for this!! I was just about to open a ticket when I came across this post. I have the exact situation, tried every possible NAT permutation possible and packets would still drop coming into the source-NAT'ed tunnel -- which do NOT show up in any log except the debug packet captures (and I have enabled logging on both inter and intra zone defaults). The fix is creating that fake route back to the LAN interface in the static routes, worked immediately after adding that entry in. Really would be nice if Palo Alto's shotty 10-year old documentation on this subject (https://live.paloaltonetworks.com/docs/DOC-1594) actually worked or hinted that you need to create a dummy route back internally somewhere.
... View more
05-02-2019
03:56 PM
Tried to work through the horribly fragmented documentation, but I have a quick question on setting up HA in AWS: Is it still suggested to swap the mangement interface when deploying the HA model? From the HA documentation section, it sounds like eth0 needs to be the management interface which is in contradiction to the other documentation in there.
... View more
07-03-2018
09:06 PM
I also have this and I absolutely hate the changes with Panorama 8. Now when committing devices, its sending the templates after the device groups which makes a lot of commit errors. I have to push the template seperately using their horrific filters, then apply the device group config changes. Normally this wouldn't be too bad, but given these are PA500's, well it takes at least 10 minutes using this method. Previously, it seemed like it was an all-in-one commit (merged both templates and device configs then sent it over) which makes far more sense then doing 2 commits seperately.
... View more
08-08-2017
06:26 PM
1 Kudo
Definitely a bug. I was able to create it on the firewall itself without that error coming up, then exported the rule and imported it back into Panorama just fine.
... View more
08-08-2017
06:11 PM
No, but I was able to get the signature to work using the (or) | and adding frivolous text. Now the issue is when adding a combo signature to include the one I just created, I get an error "Threat 41001 is not known -- cannot be added to this signature." Not sure if this is a bug (Panorama 7.1.11) but even trying to recreate the Wordpress brute-force example document from 2016 just to verify if that works -- I still get the same error. *sigh*
... View more
08-07-2017
02:19 PM
The built-in filter only looks for the 535 response. Our appliance doesn't support the AUTH command so it doesn't respond with a 535, only 502 (Unsupported command). "If a session has the same source and destination but triggers our child signature, 31709, 10 times in 60 seconds, we call it is a brute force attack. The child signature, 31709, works on 3 apps, smtp, pop3 and imap. The trigger condition is found in response code 535 in smtp, "No/bad logon/login failure" pattern in imap and "-ERR" on pop3 PASS command."
... View more
08-07-2017
01:34 PM
We have been slammed with random Chinese IP addresses attemping to brute-force accounts via SMTP. Amusingly enough, our gateway doesn't even support that feature but the amount of traffic attempting it is consuming all available ports. I was able to make a signature to catch it when the server responds back with a "502 Unsupported" command but the problem is this alone makes Palo Alto think the attacker is always the server and not the client. So I need to add something to detect the client's traffic first... The clients are sending an "AUTH LOGIN" command. I can create a rule to detect the AUTH part but the string for "LOGIN" has to be at least 7 characters, which is impossible to meet those requirements. I then tried to create a negate rule but that didn't work and it wouldn't detect the rule at all. So any ideas how to get this to work? For the time being I just created a DOS resource policy to only allow 5 concurrent source-IP connections. It works but I'd rather have a rule to actually block-IP the attacker for 30 minutes then just let them continue attacking us. I contacted support and they redirected my case to the threat team. The threat team then sent me here saying they do not offer help on custom signatures and to post any questions in the forums...
... View more
Contact Me
| Online Status |
Online
|
| Date Last Visited |
09-21-2023
03:24 PM
|
Latest Tags
No tags yet
Likes Given To
LEGAL NOTICES
Copyright 2007 - 2023 - Palo Alto Networks