About prb

Hi @Hithead   Sure it should inspect traffic from other decoders as well.   Wildfire action is set using the highlighted column in anti-virus profile.   You might need to check lot of other factors - 1. What is the action for other decoders than smtp? 2. The policy to which the AV profile is applied. Does it process other kind of traffic? 3. If it does, do the other traffic actually carry any threat data?  4. Do you have any exceptions applied under applications tab in the screenshot above? Etc.   Thank You. ... View more

Hi @Hithead,   wildfire-virus is a subtype used for wildfire signatures delivered using wildfire signature database, to differentiate from regular anti-virus signatures.  In short, AV signatures are identified using subtype virus. Wildfire signatures are identified using subtype wildfire-virus.   Hope this helps.   Thank You.   ... View more

Hi @jdprovine,   I might be overlooking something.   But from what I see, the rule in th original log screenshot is different from the 2 screenshots below. And so are the zones between the screenshots.   Did you manage to find out the issue and resolve it?   Thank You.       ... View more

HI Satish, We have a Pa-200 specific reboot issue that is fixed in 6.0.10. From release notes, Bug# 69837 You probably might be hitting it, an upgrade to 6.0.01 would help, you can open a ticket with TAC to get more info. Thank You. ... View more

Hi Mel.Li, Did you also clear mp cache? I presume you had been trying to clear only dp logs. Command to clear mp cache, >clear user-cache-mp all Clear dp cache followed by mp clear, >clear user-cache all Hope this helps. Thank You. ... View more

Hi ctovazzi, From the logs, issue is not with unsupported cipher suite. You should verify configuration as requested by costello. If everything is fine, you can check counters to narrow down further. >show counter global | match proxy ... View more

Hi license@simac.lu Did you check authd logs to see if the authentication is successful during the first attempt? If you seeing nothing unusual, you might want to check if disk-space is almost full. >show system disk-space Thank You. ... View more

Hi ctovazzi, Can you let a pcap run on the client machine, locate the cipher suite chosen from the server hello packet and paste it here? Say for example - Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b) And also output of command, >show counter global | match proxy Thank You. ... View more

HI EdwinD Not sure if you already have an answer, if not, here you go - Unfortunately, no. This is supported only starting 6.1 as described in release notes - Configurable Key Size for SSL Forward Proxy Server Certificates The firewall now supports both 2048-bit RSA keys (with SHA-256 hashing) and 1024-bit RSA keys (with SHA-1 hashing) for generating the certificates it uses to establish the SSL Forward Proxy session between itself and the client. This is an extension of the 2048-bit key support that was already available with SSL decryption. In previous releases, 2048-bit keys were supported in SSL Inbound Inspection sessions as well as in SSL Forward Proxy sessions between the firewall and the destination server. As part of the extended support for 2048-bit keys, the firewall will now by default dynamically choose the key size to use to establish SSL Forward Proxy sessions with clients, based on the key size used by the destination server. You can optionally configure a static key size for SSL Forward Proxy sessions between the firewall and clients regardless of the key size used by the destination server. You can configure the setting under, CLI:   deviceconfig {     setting {       ssl-decrypt {         fwd-proxy-server-cert-key-size {0 | 1024 | 2048};       }     }   } WebUI: Device -> Setup -> Session -> Forward Proxy Server Certificate Settings Hope this answers your query. Thank You. ... View more

Something up with SSL connectivity. Logs should give a clue. Perhaps you can open a support ticket for quicker resolution? ... View more

Bob, 6.0.1 release notes has the bug in addressed issues. 60816—Following an upgrade to PAN-OS 6.0.0, syslog connection status warnings for all defined syslog connections appeared in the system log every hour and were categorized as critical. This was caused by a scheduled hourly rotation of the syslog-ng log file, during which the syslog-ng daemon would restart. This issue has been fixed by adding a condition to the log file rotation process requiring the log file to be 10 MB or more and the connection status warning will only be seen once every few months. Rene, Might be file is over 10 MB? Or is not fixed? Or doesn't apply to Panorama? ... View more

AFAIK URL Filtering only applies to web-based applications. ... View more

You can do this using cli commands: >set session tcp-reject-non-syn no This command is non-persistent, does not survive reboot. You can also use the below configuration mode command, which requires a commit and is persistent across reboot. #set deviceconfig setting session tcp-reject-non-syn no Thanks ... View more

You need to contact Bright Cloud for category change if you believe this is a mistake. However, you shouldn't be seeing all IP address categorized as Malware Sites. For example, I am trying to check category of following IP address "199.167.52.9" and it is not a Malware Site. If you are doing a category look-up on Bright-cloud using below link, URL/IP Lookup | Webroot BrightCloud and you are not seeing the IP address as MAlware Sites, open a support case. If you do see it as Malware Sites(the IP address 203.197.123.30 indeed is), request a category change on Bright-cloud. Hope this helps. ... View more

Simple GP authentication shouldn't be affected by any refresh. If authentication for existing users are working properly (otherwise I would have requested you to check for LDAP conenctivity), check what you see in authd logs? Did you try a tcpdump or pcap of the interesting traffic on Palo Alto firewall? Did you check on DC for user authentication logs? Possibly this will help you narrow down. ... View more