About JW6224

@pulukas wrote: It sounds like you want the same layer 3 subnet configured on two interfaces and also have routing between those interfaces.  This would not be possible to commit on the PAN.   @pulukas-  I don't know if this is @junior_r's best solution, but in the scenario you describe, wouldn't that be possible if you had the L3 interfaces configured as part of two seperate vrouters, with routing between?   Just to be clear for anyone else reading this - I'm not at all saying this is a great idea.  Even if it commits, the complexity would make this only a solution for a very few, niche setups. ... View more

@BPryActually, that's the reason I found most compelling.  I too wish I had access to the official TAC published list, and YMMV with your own assigned PANW SE.  However my track record has been pretty good - the SE assigned to my companies has known our environment fairly well.  Not well enough to know server names/IPs, etc., but which general features we're using and what our configuration we used to deploy our PANW Firewalls...they've had that fairly well, and sometimes that affects whether or not a version can be recommended.  Usually that amounts to "TAC says Version X is recommended, but there's some cautions about the PA-5000 series using TS-Agents" or something like that.  But it could go/has gone the other way:  "TAC hasn't officially flagged version Y as recommended, but this has a bug fix in it that affects you and is otherwise fairly mature in the line - it just hasn't been out long enough to be recommended by TAC.  But I think you'd be safe and possibly better off considering moving to that version."   To be sure, I wish it was cut & dry/black & white - "just use TAC-approved version X".  I wish I could at least see that so I know when TAC changes their official opinion. ... View more

Does this get you close?   admin> set cli pager off admin> show counter global filter severity drop admin> show counter global filter severity drop | match "Packets dropped" flow_rcv_err                          769503        0 drop      flow      parse     Packets dropped: flow stage receive error ... View more

Could be a bug in 8.1.3.  You'd need to check with TAC.  To confirm, you're not using Global Find's Search, right?   I am afraid it shows my roots in PIX/ASA, but I always prefer the CLI, even on Panorama:   admin> set cli pager off admin> set cli config-output-format set admin> configure Entering configuration mode [edit] admin# show device-group Your_DG_Goes_Here service | match ldap set device-group Your_DG_Goes_Here service ldap protocol tcp port 389 [edit] admin# show device-group Your_DG_Goes_Here service | match "port 389" set device-group Your_DG_Goes_Here service ldap protocol tcp port 389 set device-group Your_DG_Goes_Here service tcp-389 protocol tcp port 389       ... View more

admin> find command keyword tunnel-decap show session all start-at <1-2097152> filter nat <none|source|destination|both> ssl-decrypt <yes|no> tunnel-inspected <yes|no> tunnel-decap <yes|no> decrypt-mirror <yes|no> count <yes|no> type <flow|predict> state <initial|opening|active|discard|closing|closed> from <value> to <value> source <ip/netmask> destination <ip/netmask> source-user <value> destination-user <value> source-port <1-65535> destination-port <1-65535> protocol <1-255> application <value> rule <value> nat-rule <value> qos-rule <value> pbf-rule <value> hw-interface <value> ingress-interface <value> egress-interface <value> min-kb <1-1048576> qos-node-id <0-5000>|<-2> qos-class <1-8> vsys-name <value>|<any> rematch <security-policy>   admin> show session all filter application ssl tunnel- + tunnel-decap       session is outer tunnel with inspection enabled + tunnel-inspected   session is inside tunnel   "show session all" is a command that, it will not surprise you to learn, shows all your currently active sessions.  The filter the "tunnel-decap" option specifies whether you want to look at sessions that have been decapsulated from a tunnel, such as a GRE or L2TP tunnel.  In your command, your "tunnel-decap no" specifies you're interested in sessions that are not decapsulated from a tunnel.  If you aren't doing any tunneling, my guess is that output would look identical to if you didn't have it at all. ... View more

@drewdown wrote: One last question, will this be real time or do I need to schedule it to run?  I lied as I have more questions, do I need to apply this log forwarding profile to a security rule?  I already have all my logs forwarded to PANORAMA on all of my rules but I am not clear on how log profiles are applied?  Across the board or per rule?    Not per-rule.  It is a log forward.  When you go to the Monitor tab, you will see several logs (Traffic, URL, Threat, etc.)  It is forwarding those log entries as you direct in the forwarding rule, when the firewall records each log entry.  Does that make sense? ... View more

In my experience, real time.  Including the caveats that come with that:  you may be turning on an email fire-hose if you set it to email on events that you see hundreds of each minute.  Caveat emptor.  The firewall is happy to melt your mail queue if you tell it to. ... View more

The firewall target of your Device Group must also be in scope for the Template.  If you are using shared templates/device groups, just make sure the firewall that gets the Device Groups have templates that have an email profile with the same name.   Does that help? ... View more

Not that I'm aware of.  If these are non-AD-joined, you probably won't have User-ID learned.  If your AD computers are in User-ID OK, you could potentially use a custom captive portal to indicate you need to trust a certificate...but I'd usually plan on captive portals over SSL too, so I'm not certain that will help unless you get a publicly trusted certificate issued for the captive portal, just to point them to a page where they can install/trust your CA certificate (which feels a little kludgy to me, but maybe could work in your situation.) I don't know of an elegant way to distribute the certificates from within the Palo Alto framework.  I'm used to distributing those through other means of endpoint management.  Even in Windows AD-joined environments, you still need system endpoint management to get certain browsers (e.g. Firefox) or the keystores for Java JRE's to trust your CA.  The firewall is not the best approach to do this distribution, IMHO. ... View more

That's interesting...so is this result only on Chrome 70?  Firefox/IE unaffected? I'd want to see either the Developer Tools (F12) network trace or PCAP.  Since this is over SSL, you'll likely need to employ SSLKEYLOGFILE approach to view what's happening. ... View more