Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Live
- ›
- About BatD
About BatD
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
01-07-2020
01:24 AM
@ehartcoghlin You are correct that the URL filtering will only work on client to server web traffic. It can only control users accessing particular domains, but not traffic initiated from those domain. The reason is that the firewall can only see the source IP in incoming traffic and URL filtering looks at the actual URL in the http headers. Surely you can filter particular emails at the email server level or if you have the feed of IPs of NRDs, then you can import it as an dynamic IP list in the firewall and block SMTP traffic based on that list.
... View more
01-07-2020
01:15 AM
@wahxwah URL is the url user is trying to access as taken from the HTTP header, or as in your case of encrypted traffic, from the SSL Certificate. Destination is the actual destination IP of the session. I am not sure why you are getting the output in the below, but there will be more information if you can share the detailed log. I wonder if you have selected the "Resolve hostname" checkbox at the bottom of the screen and the firewall is trying to do reverse lookup for the IP.
... View more
01-06-2020
03:18 PM
@blwavg The users need to be identified somehow at policy level, and the other option is to use Authentication Policy (preciously known as Captive Portal) to grant access to the firewall management. This will allow you to configure very granular control of which use can manage the firewall from particular subnet.
... View more
01-06-2020
01:36 AM
@blwavg You answered the question in your description, this can easily be achieved by using Global Protect and you shlould never really be exposing unprotected admin access to internet. If you are using UserID and dynamic admin authentication, you can potentially create granular access policies for the internal network as you described. However you cannot do it from internet, as the firewall will need to know the user to ip mapping for the specific admin and the Internet admin can have any IP.
... View more
12-13-2019
03:04 AM
@Taraka You can see details of supported platforms below. Looks like 3000 series will be supported , but 5000 ar not. https://www.paloaltonetworks.com/services/support/end-of-life-announcements/hardware-end-of-life-dates
... View more
12-12-2019
11:13 AM
@Gareth.Doyle Ok, so if the issue is that the HA was broken, but people were making changes only on the unused device, then you should be able to just export configuration and import it to the secondary panorma. The only difference between the two should be the management IP addresses and HA settings, which you can conifugre manually after the config import.
... View more
12-12-2019
11:01 AM
@Gareth.Doyle Ok, there is no floating IP, so there is nothing you can do apart from asking the users to now configure the other IP. I guess one workaround would have been to us DNS name and change the IP behind it, but to lat to that now. Be aware that the Panorama HA is not like the firewalls and you can only make changes on the Active Panorama. So they could not have configured any policies on the wrong device. Also any changes made on the Acive will be synced to the Passive.
... View more
12-12-2019
10:08 AM
@Gareth.Doyle You can't do it, but you don't really need. This is why you have the option to configure 2 Panorama IPs in each firewall. The in Panorama you specify which is your primary. appliance. There is no really a need to have afloating IP.
... View more
12-05-2019
06:55 AM
@SyedWaheed You can’t create the same service, but you need to use Appid “msrpc” instead.
... View more
12-04-2019
01:44 AM
@palomed Certainly you can also use any of the packet caputre methods to see if logs packets are sent, but I thought that you alread know that they are, becasue you have seen them in other firewall logs. It is not ideal, but the discussed above are all available commands to troubleshoot forwarding the syslog server.
... View more
12-03-2019
06:15 AM
2 Kudos
@Aashish74 Although in general this may work, there are a few points in the workflow that are not quite a best practice and can be misleading. Bi-directional is generally not recommended as you don’t have full control of the return traffic. Packets will be translated correctly from LAN to WAN, but in the opposite direction, they will match any zone to WAN , which could complicate things if you have multiple zones. I would always recommend having specific inbound destination NAT rule to your servers and a generic source NAT outbound if your servers need to connect to Internet. The second point is that you suggest adding a service to the bidirectional NAT rule, which means that the rule will match only this service port for both the inbound and outbound translation. This kind of defeats the purpose of bi-direction, as you presumably want to configure it for outbound internet traffic for your server. Next, your security rule will match the inbound packets to the server, but not outbound from the server. Finally it is not a good practice to configure the same multiple zones in source and destination.
... View more
12-03-2019
01:42 AM
1 Kudo
@palomed "show logging-status" will show all type of log statistics, including logs beeing sent to log receiveres, etc. Otherwise you can check the following logs for detailed output regarding loging: > show log system direction equal backward subtype equal syslog > less mp-log syslog-ng.log
... View more
12-02-2019
06:54 AM
1 Kudo
@rohit3120 You can run it it on endpoint, which has https connectivity to the firewall you need. You can either use curl, or just paste the url in a browser.
... View more
11-19-2019
12:44 AM
1 Kudo
@AlexandroDelAngel All of your assumptions seem correct...
... View more
11-19-2019
12:38 AM
@drewdown I think that you are missing the whole concept of Palo Alto Applications. The AppID is at the core of the firewall techology and classification can not be turned off. You can choose to ignore it, or override it, but traffic will always be classified as an App. Regarding you other question, maybe the word "Application" is confusing, but it referes to the actual traffic pattern and will not necessary match the sofware you use on your computer. You do not "classify" curl, but the traffic is be clasified as google-base, regardless of if you are using curl, firefox or chrome or any other browser.
... View more
11-18-2019
04:52 AM
@jloehler Address objects "1.1.1.1" or service objects "6500" are invalid objects, which the tool could not migrate. You need to investigate and manually update if you see any.
This could be caused by different reasons and hard to say without looking at the firewa. But as an example, destination nat rule need to alwasy match on IP or range of IPs. If the original firewall has "any" in the destination and it is then converted by the tool to destination NAT rule, then the tool will migrate it as the invalid object above.
... View more
11-12-2019
01:04 AM
@Carracido Looks like the matrix may be out of date, becaue teh admin guide says support for 6.7. One thing to note is if you deployed 8.1.0 ova the VM hardware was vmx-09, while in 9 it is vmx-10. I am not sure if this is really the rason for not working and t could be a fault condition or a bug with 9 and you can escalate it with support. " VMware ESXi with vSphere 5.5, 6.0, 6.5, and 6.7" https://docs.paloaltonetworks.com/vm-series/9-0/vm-series-deployment/set-up-a-vm-series-firewall-on-an-esxi-server/vm-series-on-esxi-system-requirements-and-limitations/vm-series-on-esxi-system-requirements.html
... View more
11-12-2019
12:53 AM
@devd_25 The licencing is quite well explained in the admin docs and user licenes based on number of users over 90 days. "The service does track the number of unique users over the last 90 days to ensure that you have purchased the proper license tier for your user base, and stricter policing of user count may be enforced if continued overages occur." https://docs.paloaltonetworks.com/prisma/prisma-access/prisma-access-cloud-managed-admin/get-started-with-prisma-access/license-and-activate-prisma-access.html There is not really much of topology for cloud managed user access model. You set up connection from prisma cloud to to office location and all your remote users connect to the Prisma Cloud Gateways. Again explained in the admin docs: https://docs.paloaltonetworks.com/prisma/prisma-access/prisma-access-cloud-managed-admin/get-started-with-prisma-access/prisma-access.html You should really contact your local Palo Alto support team to clarify details about the support SLAs and product trials.
... View more
11-11-2019
06:13 AM
@HyderB Once a GP user has authenticated and is given IP address, then he becomes as any other network user. It is just a matter routing of security policies. This may not be your case, but something that often goes wrong, is people not realisging that the routing of data plane interface (in your case trust and untrust) and the control plane management interface are independent of each other. Your users need to be routed correctly to you mgmt interface (if this is where you are connected to) and you mgmt interface needs to have correct routing back to the subnet of your users.
... View more
11-11-2019
01:53 AM
@MandarKulkarni You can see routing related logs below: > show log system direction equal backward subtype equal routing
> less mp-log routed.log You can also view the packet exchange by enabling debug capture: > debug routing pcap bgp ....
... View more
11-11-2019
01:45 AM
@danielmartins If you have all the available resurces the easiest will be to convert to Panorama mode and start collecting logs. It really depends on the size and design of your deployement. External log collectors can give you redundancy, additional processing power, and log collection close to the log source. However every external log collector will need additional hardware and licenses.
... View more
11-11-2019
01:27 AM
2 Kudos
@danielmartins The reason you don't see the logs is, because your Panorama is in "management-only" mode and can only used for manging firewalls, but no log collection. "Management Only mode allows the Panorama virtual appliance to operate strictly as a Panorama management server without local log collection capabilities." https://docs.paloaltonetworks.com/panorama/8-1/panorama-admin/set-up-panorama/set-up-the-panorama-virtual-appliance/set-up-the-panorama-virtual-appliance-in-management-only-mode.html
... View more
11-08-2019
03:55 AM
I want to user map configuration to AD user group for Global Protect clientless VPN. This works quite will if authentication is LDAP. Have you any idea how can I get it to work with Radius authentication? Presuming that the user has the same name as the LDAP user, would they be matched to the relevant AD group?
... View more
11-07-2019
12:32 AM
@devd_25 This is correct, SHA-512 is indeed the most secure, but not recommended for reasons mentioned by @Sai_Tumuluri - processing resources, comapability, etc.
... View more
11-06-2019
11:55 PM
@rmikalauskas The point I was trying to make is that this is expected behaviour and not a fault. I agree it is misleading and is maybe you should raise it with you Palo Alto SE or Account manager.
... View more
11-06-2019
07:50 AM
@rmikalauskas I also had the same issue and here is a detailed article explaining the reason for the discrepancies: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cm5aCAC
... View more
11-06-2019
07:41 AM
@sbprietoc It is because you are using the "threat summary" for base of the reports. Panorama tries to aggregate the data at 15 min intervals and you get unpredicatble results. If you use the actual "Threat" database then the "run now" should be identical to the scheduled. "The firewall aggregates the detailed logs at 15-minute intervals. To enable faster response time when generating reports, the firewall condenses the data" https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/monitoring/view-and-manage-reports/custom-reports.html
... View more
11-06-2019
07:31 AM
1 Kudo
@MP18 I think that this means that firewall was not able to decrypt the session, for example if unsupported cypher. It is configurable, but by default the traffic will be passed normally and the users will not have any issues, it will just bypass the decryption policy.
... View more
11-05-2019
11:53 PM
@FarzanaMustafaAre you using SSL Decrytpion. I think that safe search will only work if you are decrypting the traffic.
... View more
11-05-2019
11:48 PM
@devd_25 The second line shows what is supported on the firewall and the first what is recommended to use.
... View more
User
Activity
User
Profile
Latest posts by BatD
| Subject | Views | Posted |
|---|---|---|
| 571 | 01-07-2020 01:24 AM | |
| 932 | 01-07-2020 01:15 AM | |
| 745 | 01-06-2020 03:18 PM | |
| 781 | 01-06-2020 01:36 AM | |
| 1473 | 12-13-2019 03:04 AM |
My Liked Posts
| Subject | Likes | Posted |
|---|---|---|
| 1 | 09-05-2019 01:10 AM | |
| 1 | 12-03-2019 01:42 AM | |
| 2 | 12-03-2019 06:15 AM | |
| 1 | 12-02-2019 06:54 AM | |
| 1 | 11-19-2019 12:44 AM |
Posts I Liked
| Subject | Likes | Author | Latest Post |
|---|---|---|---|
| 1 | |||
| 1 | |||
| 1 | |||
| 4 | |||
| 1 |
User Badges
Public Statistics
| Date Registered | 10-05-2017 06:04 AM |
| Date Last Visited | |
| Total Messages Posted | 164 |
| Total Likes Received | 40 |
Contact Me
Latest Tags
No tags yet
Likes Given To
Latest Blogs
Latest Posts
Copyright 2007 - 2020 - Palo Alto Networks
