[Closed] Join the Discussion: LIVEcommunity Cyber Elite Experts


Community Team Member

Ask your questions now through June 30, as the LIVEcommunity Cyber Elite Experts will be available in a Q&A session: an opportunity to learn, join in, ask questions, and meet our experts! The Ask Me Anything (AMA) event will be an opportunity to ask our Cyber Elite Experts questions about a range of technologies and solutions, and how they can help you find what you need.

 

Post your questions below Thursday, June 16 through Thursday, June 30, 2022!

 

To participate in this event, please use the Reply button below to ask your questions. Come back on Thursday, June 30 from 8 a.m. to 10 a.m. PT to join the event as our experts answer your questions!  

 

 

Please be sure to click Like if a post is helpful to you and to "Accept as Solution" to let everyone know that the answer to your question hits the mark!

 

Want to learn more details about the event? Check out this article.

 

Accepted Solutions

As your question is more of an issue than a general tech question, I will provide some feedback even before the session, just as an example.

 

It could be what you said, as you did a deep investigation, and if this is the issue then it is better to raise a feature request to Palo Alto to add this as an option in the GlobalProtect portal app settings. Also, most of the Cyber Elites don't work directly for Palo Alto, as we are community members just like you and we love playing with Palo Alto 🙂
https://live.paloaltonetworks.com/t5/blogs/how-to-use-palo-alto-networks-new-feature-request/ba-p/40...

 

Still, as I have not used GlobalProtect on Linux, I can't say whether you also have to check that the GlobalProtect SSL gateway certificate is valid and that the CA certificate that signed it is imported as a trusted cert on your Linux system, as newer versions of the GlobalProtect agent want this. Also, you can check your GlobalProtect version and firewall version for "Known Issues" or "Addressed Issues" with the Linux GlobalProtect agent, as Palo Alto has public articles for this.
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClixCAC

 

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000HCF4CAO&lang=en_US

 

 

https://docs.paloaltonetworks.com/globalprotect/5-2/globalprotect-app-release-notes/globalprotect-kn...

@rtsedaka wrote:

What a great opportunity for us to get another source of info! Thank you for that. 

 

I have some very specific config questions. I would like to know the best way to get some expert help. Is there a suggested action I should take?

 

TIA 


Hello @rtsedaka ,

As security professionals, it's best to make sure we don't give out too much information publicly. If you can obfuscate or change the data, I would say go ahead and post it into the community.

Example:

My public IP is 1.1.1.1 and I want to NAT to an internal server IP 192.168.1.1, how would I do that? Just make sure these are not your IPs, or use x.x.x.x, y.y.y.y, etc. Or if you screen capture, you can block out certain parts. What I do is take a screen capture, open it in Paint, block out the bits I don't want public, then screen capture again. This way you cannot de-obfuscate the blocked-out bits.

[Screenshot: OtakarKlier_0-1656603106101.png]

If it's a question that you cannot truly change or obfuscate, I would say support is the best method.

 

That said we are here to help!

Cheers!



@AVaidya1 wrote:

Hello Cyber Elite Experts, 

 

Your posts are extremely helpful. 

 

My question: What is the best way to connect with peers in this community? How do you connect and stay connected?

 

Thank you for all you do to help the community!


Hi AVaidya1
I think the first thing I need to do is to THANK YOU for the contributions that you have posted and the links to various PANW-related configuration tips/tricks. It is impressive and supportive to see the breadth of YouTube videos and other great events/communications that are posted on the LiveCommunity.

To answer your question about how to connect with peers, I really find that the messaging platform within the LiveCommunity, for sending direct messages to various users or CyberElites, has been rewarding for me. I have communicated a few times with @BPry, @reaper and @OtakarKlier via direct messages. Likewise, I have asked community members to contact me and I assisted in resolving their issues, giving high-value customer support. From there, we could always connect up at Palo Alto Ignite in Dec 2022 😛

Thanks for the message.



 

Help the community: Like helpful comments and mark solutions



@vsharma1 wrote:

Could you please share how Best Practice Assessment (BPA) delivered actionable insights?


The best thing about BPA is that it gets you results based on your industry.

Another thing I like is being able to compare the BPA with other industries.

That way you can see how to configure PA with a stronger security posture.

It also tells us how to further lock down the security profiles, the firewall configuration, etc.

It is a great tool to compare your current config with the BPA results and do the needful.

 

Regards

 

MP



@PavelK wrote:

I would like to ask Cyber Elite members their suggestion/opinion/advice how to approach a network segmentation in an organization with below scenario:

 

- 100+ sites (mixture of MPLS L2 VPN, MPLS L3 VPN, DMVPN).
- up to 1500 servers globally.
- Mixture of on-prem Data Centers with 100G DCI and also all major Public Cloud Providers.
- Different business units, some of them with a strict change control and reluctant to make changes.

 

Would you opt for hw or sw based segmentation / micro segmentation?

 

Thank you in advance!

BTW, because of time zone, I will not be able to attend live, but would still love to hear from you.


Good Day @PavelK 
There are many different directions that this conversation could take. Suffice to say, communication with your reseller and PANW Sales Engineers should definitely be part of the conversation. Generally speaking, from a security posture and enforcement perspective, Prisma Access is the BEST solution for that. It allows remote sites (and GlobalProtect users) to communicate to the Prisma Access cloud, with programming via Panorama, to manage the policies and security profiles to secure communication.

At the remote sites, there should be conversations about the proper FW sizing (PA-410 at the smallest sites, to perhaps the PA-52xx series at larger campuses). Panorama can manage the security policies for the branch offices, yet the real question about segmentation is about designing the network so that the FW is the inspection point for east/west traffic (i.e., the default gateway for the network, with limited L3 switches in the design). Again, because this is a large opportunity, an HLDS (high level design session) with PANW Professional Services may be a reasonable first step towards narrowing down the focus and scope of your generalized question.

Thank you.

Help the community: Like helpful comments and mark solutions



@vsharma1 wrote:

What's one feature that you like about Best Practice Assessment (BPA)? And, how does it help you to achieve greater security posture?


Hello @vsharma1 ,

I personally like the 'Security Profile Adoption'; it lets me know which security policies may not have proper security profiles applied. While there are cases where you might not want to apply any, i.e., Palo Alto updates, it's still a good overview. Also, upper management likes charts and graphs :).

Example:

[Screenshot: OtakarKlier_1-1656606722017.jpeg]

Hope this helps,


Replies

L0 Member

This seems to be a catch-all for technical questions, so my apologies if I am not posting in the right location.  It's been difficult to figure out how to obtain support as an end-user.

 

The university I am employed by has recently moved from its old VPN to using GlobalProtect.  While previously using a derivative of Ubuntu 20.04, I was able to successfully launch and use the GlobalProtect VPN client.  I have recently upgraded to the latest Ubuntu 22.04 operating system, and I am no longer able to use the GP VPN client due to a change to the latest version of OpenSSL.

 

When launching the VPN client, the associated app's icon would blink on and off in my task bar, but nothing would ever happen. After implementing this workaround, I was able to launch the GUI VPN client, input my gateway, launch the authentication browser, successfully authenticate, and send a push to my phone (2FA). After that, a window would open indicating the following error:
SSL handshake failed

Failed to load URL [gateway address]

QtNetwork Error 6

 

This is a known issue and is described in this bug report. Comment #28 in the bug report indicates that the OpenSSL developers have made a deliberate decision to disable unsecure renegotiation. It seems to me that a possible fix could be for the GlobalProtect VPN client to offer an option to enable unsecure renegotiation in OpenSSL. You can see this change to OpenSSL in the commit as well as in the upstream migration guide.

 

In order to access work-related electronic systems remotely, it's essential that the GlobalProtect VPN client is working properly for me, although as a Linux user I realize that I am in the minority unfortunately.  The VPN client worked just fine prior to upgrading my OS to the latest version so it didn't occur to me that there would be any issues after upgrading.  Could you please look into applying a fix so that the GlobalProtect VPN client is compatible with the current version of OpenSSL?  I would be happy to serve as a test subject for you if needed.  I am running OpenSSL 3.0.2 15 Mar 2022.

 

Thank you!


L4 Transporter

What a great opportunity for us to get another source of info! Thank you for that. 

 

I have some very specific config questions. I would like to know the best way to get some expert help. Is there a suggested action I should take?

 

TIA 

L4 Transporter

Could you please share how Best Practice Assessment (BPA) delivered actionable insights?

L4 Transporter

What's one feature that you like about Best Practice Assessment (BPA)? And, how does it help you to achieve greater security posture?

L4 Transporter

Hello Cyber Elite Experts, 

 

Your posts are extremely helpful. 

 

My question: What is the best way to connect with peers in this community? How do you connect and stay connected?

 

Thank you for all you do to help the community!

 

Community Team Member

Hello Cyber Elites,

 

This is a question from @jsalmans. He is having issues with FTP inbound decryption.

 

"

I've had inbound decryption set up for our FTP server for some time. We noticed an issue after updating to 10.0.8 (we're now on 10.1.5-h1) where people seemed to not be able to connect anymore. After investigating, it appears that in FileZilla they are actually able to connect, but it looks like they aren't because a TLS error occurs and the LIST command fails. Right-clicking on the remote side and hitting Refresh several times will often eventually complete the directory listing. This is with FTPS set to "Require explicit FTP over TLS" and with the Transfer Method set to Default (which I think may be Passive). This issue appears to be intermittent and sometimes it seems to connect fine.

 

Further investigation also showed the following:

  • The TLS error mentioned above when the LIST command fails is "GnuTLS error -110: The TLS connection was non-properly terminated." followed by "Server did not properly shut down TLS connection", followed by "The data connection could not be established: ECONNABORTED - Connection Aborted", and then followed by "Failed to retrieve the directory listing". The Decryption logs GUI shows "General TLS Protocol Error" when this happens.
  • Error showing: "Server sent unsorted certificate chain in violation of the TLS specifications" at the start of each connection attempt.
  • Changing the Transfer Method to Active seems to make it more reliable as far as connecting without a TLS error and getting the directory listed automatically (it still complains about the certificate chain).
  • Even with Active set, we then sometimes get a message indicating that the connection isn't secure because the server was previously detected as supporting TLS session resumption (I'm assuming this was either working before through the Palo and now it isn't, or it's because when we've tested we've connected directly to the server, which supports it).
  • Trying another client, WinSCP also doesn't list the directory on Passive; it works when changed to Active. I have no idea if it is getting any errors/warnings, as I haven't noticed if there is a log view in that software.
  • Turning off the decryption rule resolves all of the issues; the FTP connection is also a lot less verbose (in other words, when decryption is turned on there is a lot more chatting with commands/responses between the client and the firewall/server).

It looks like someone else has run into an issue like this before with Passive FTP, and it was related to an issue with the content packs:

https://live.paloaltonetworks.com/t5/general-topics/passive-ftp/td-p/11573

 

Anyone else having any issues or have any experience in what I can do to resolve this?

 

Thanks!"

 

LIVEcommunity team member
Stay Secure,
Jay
Don't forget to Like items if a post is helpful to you!
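Added example (not code from this thread or from Palo Alto Networks): a Go program that checks the two certificate questions raised above. ChainIsSorted tests what FileZilla's "unsorted certificate chain" warning refers to, namely that a presented chain is leaf-first with each certificate signed by the next, and VerifyChain performs the trust check the earlier reply suggests for the GlobalProtect gateway certificate on a Linux client. The root, issuing CA and server certificates are generated in memory as constructed test data, and the names used are hypothetical.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// mkCert issues a constructed test certificate for cn; parent == nil yields a self-signed root.
func mkCert(cn string, isCA bool, serial int64, parent *x509.Certificate, pkey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour), IsCA: isCA,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign}
	if parent == nil {
		parent, pkey = tmpl, key // self-sign the root
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, pkey) // fixed test inputs
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// ChainIsSorted reports whether the chain is leaf-first with each certificate signed by the
// one after it, the order TLS requires and the one FileZilla's warning says was violated.
func ChainIsSorted(chain []*x509.Certificate) bool {
	for i := 0; i+1 < len(chain); i++ {
		if chain[i].CheckSignatureFrom(chain[i+1]) != nil {
			return false
		}
	}
	return true
}

// VerifyChain checks that a sorted chain anchors in roots: the trust check the reply above
// recommends for the GlobalProtect gateway certificate and its signing CA on Linux.
func VerifyChain(chain []*x509.Certificate, roots *x509.CertPool) error {
	inter := x509.NewCertPool()
	for _, c := range chain[1:] {
		inter.AddCert(c)
	}
	_, err := chain[0].Verify(x509.VerifyOptions{Roots: roots, Intermediates: inter})
	return err
}

// BuildDemoChain returns a constructed leaf-first chain and a pool trusting only its root.
func BuildDemoChain() ([]*x509.Certificate, *x509.CertPool) {
	root, rk := mkCert("Example Root CA", true, 1, nil, nil)
	inter, ik := mkCert("Example Issuing CA", true, 2, root, rk)
	leaf, _ := mkCert("ftp.example.test", false, 3, inter, ik)
	pool := x509.NewCertPool()
	pool.AddCert(root)
	return []*x509.Certificate{leaf, inter, root}, pool
}
```

Against a real server, feed the two functions the PeerCertificates from a tls.ConnectionState instead of the demo chain, which separates an ordering problem (what the client complains about) from a trust problem (the CA missing from the client's store).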

L6 Presenter

I would like to ask Cyber Elite members their suggestion/opinion/advice how to approach a network segmentation in an organization with below scenario:

 

- 100+ sites (mixture of MPLS L2 VPN, MPLS L3 VPN, DMVPN).
- up to 1500 servers globally.
- Mixture of on-prem Data Centers with 100G DCI and also all major Public Cloud Providers.
- Different business units, some of them with a strict change control and reluctant to make changes.

 

Would you opt for hw or sw based segmentation / micro segmentation?

 

Thank you in advance!

BTW, because of time zone, I will not be able to attend live, but would still love to hear from you.

Help the community: Like helpful comments and mark solutions.

