Issue After creating objects, it has become necessary to change these objects to "Shared" under Panorama; however, this check box is grayed out. Resolution This is currently by design. If the "Shared" box is not checked while creating the object, it is grayed out afterwards. Create a new object and check
Issue Emails are not being sent from the email server for notifications (inside Monitor > PDF Reports > Email Scheduler). Cause If the same email address is also defined in the 'Override Email Addresses' list, this prevents emails from being sent to the defined email profile. Resolution Enter an optional
Issue The passive unit in an HA pair cannot sync to the active device because it does not have a certificate. When trying to sync the certificate to the passive unit, it fails. When trying to add the certificate to the passive unit and perform the sync-to-peer from the
A client (192.168.69.10) in the VPN Zone needs to access a server on the DMZ with a public IP address (188.8.131.52) not configured on the device. The device should translate the public IP to the private IP of the server (172.25.3.50). The packet should be seen as sourced from an
Issue An underscore character is added to the URL variable in a block page. Resolution This is expected behavior. The Palo Alto Networks firewall changes sensitive characters in a URL to an underscore, to prevent injection attacks from using the PANW response pages (URL block page is
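To show why the underscore substitution matters, here is an added example (not code from the KB article or from Palo Alto Networks): a naive block page that reflects the requested URL raw, beside the same page rendered after replacing sensitive characters with '_'. The article does not list which characters the firewall treats as sensitive, so the SENSITIVE_CHARS set, the template and the sample URLs below are this example's own assumptions.

```python
"""Added example (not from the KB article): why reflecting the requested URL into a
block page is an injection risk, and how replacing 'sensitive' characters with an
underscore, the behaviour the article describes, defuses it.

Assumption: the exact character list the firewall treats as sensitive is not given in
the article; the set below is this example's own choice."""

# Assumed set of characters that can break out of an HTML attribute or text node.
SENSITIVE_CHARS = frozenset('<>"\'&')

# Deliberately naive block page: the requested URL is dropped straight into the HTML.
BLOCK_PAGE_TEMPLATE = (
    "<html><body><h1>Web Page Blocked</h1>"
    "<p>Access to the web page <b>{url}</b> has been blocked by policy.</p>"
    "</body></html>"
)


def sanitize_url(url: str) -> str:
    """Replace every sensitive character in the URL with '_' (lossy, but context-free)."""
    return "".join("_" if ch in SENSITIVE_CHARS else ch for ch in url)


def render_block_page(url: str, sanitize: bool = True) -> str:
    """Render the block page. sanitize=False reflects the URL raw (the vulnerable form)."""
    shown = sanitize_url(url) if sanitize else url
    return BLOCK_PAGE_TEMPLATE.format(url=shown)


def has_injected_markup(page: str) -> bool:
    """Crude detector: more '<' than the template itself contains means the URL smuggled in a tag."""
    return page.count("<") > BLOCK_PAGE_TEMPLATE.count("<")


# Constructed sample URLs for the demonstration.
MALICIOUS_URL = "http://evil.example/<script>alert(document.cookie)</script>"
BENIGN_URL = "http://shop.example/search?q=shoes&sort=price"


if __name__ == "__main__":
    raw = render_block_page(MALICIOUS_URL, sanitize=False)
    safe = render_block_page(MALICIOUS_URL)
    print("raw reflection injects markup:   ", has_injected_markup(raw))
    print("underscored URL injects markup:  ", has_injected_markup(safe))
    print("benign URL after sanitising:     ", sanitize_url(BENIGN_URL))
```

The trade-off is visible on the benign URL: the '&' in the query string becomes '_', so the URL shown to the user is no longer exact, which is precisely the symptom the KB entry describes. Underscore substitution is chosen over HTML escaping because the same string is dropped into several response-page contexts; an escape that is correct for one context can be wrong for another.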
Issue The URL Admin Override does not work with a new SSL certificate. Resolution Make sure that the gateway can resolve the Address field/name that is used inside of the "Edit URL Admin Override Properties" window. If the gateway cannot resolve the address or name, the override will not work.
Overview Here is the CLI command to check the interface statistics in a summarized manner:

> debug dataplane internal vif link

1: lo: mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    RX: bytes      packets   errors  dropped  overrun  mcast
        353223081  1580712   0       0        0        0
Issue The GlobalProtect client installation is not honoring the destination directory specified in the MSI installer. Instead of being installed in the default directory, C:\Program Files\PaloAltoNetworks\GlobalProtect, it puts all the files directly under C:\. Resolution The Windows default path is correct (C:\Program Files\) and the Eventvwr is
Issue Topology: Call Manager------PAN------VoIP Following an upgrade, the Call Manager is trying to send RST packets to the VoIP phones to re-initiate the connections. The firewall is not aware of the existing sessions and is dropping all the RST packets. Resolution The RST packets are being dropped on the Palo
Issue Maintenance work performed on the passive device in an HA pair to avoid traffic interruption has had the opposite effect, causing a failover from the active device to the passive. HA was disabled on the passive unit to replace a power supply, but the failover occurred as soon
There’s a lot of technology involved in a modern enterprise network. Some of it is a part of the network itself, some of it is to keep it reliable and secure, and some of it is to keep it running like clockwork. In the best case scenario, these parts snap together like Lego. On the other hand, there are times when it seems like no amount of sweat and glue can get the parts working together. It shouldn’t be that difficult, and for the most part, it isn’t.
Details Because the handling of the URG flag and urgent pointer is not well defined in the available RFCs, some operating systems are susceptible to attacks leveraging these fields in the TCP header. By default, the Palo Alto Networks firewall clears the URG flag and pointer. Shown below are several documents that identify
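As an added example (the writer's own code, not Palo Alto Networks' implementation), the following pure-Python normaliser shows what "clearing the URG flag and pointer" does to a segment on the wire: two header fields change, so the TCP checksum has to be recomputed over the pseudo-header and the whole segment, while options and payload pass through untouched. The endpoint addresses, ports and payload are constructed sample values.

```python
"""Added example (not from the KB article): what clearing the URG flag and urgent
pointer does to a TCP segment, written as a packet-level normaliser in pure Python.

The header layout and checksum follow RFC 793 / RFC 1071. Sample addresses, ports and
payload below are constructed for the demonstration."""

import socket
import struct

TCP_HDR_FMT = "!HHIIBBHHH"   # sport, dport, seq, ack, offset/reserved, flags, window, checksum, urg ptr
TCP_FLAG_URG = 0x20
TCP_FLAG_ACK = 0x10
TCP_FLAG_PSH = 0x08

# Constructed sample endpoints used for the IPv4 pseudo-header.
SRC_IP, DST_IP = "10.0.0.1", "10.0.0.2"


def _ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum with end-around carry (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def tcp_checksum(src_ip: str, dst_ip: str, segment: bytes) -> int:
    """TCP checksum over the IPv4 pseudo-header (src, dst, zero, proto 6, length) plus the segment."""
    pseudo = socket.inet_aton(src_ip) + socket.inet_aton(dst_ip) + struct.pack("!BBH", 0, 6, len(segment))
    return (~_ones_complement_sum(pseudo + segment)) & 0xFFFF


def checksum_ok(segment: bytes, src_ip: str = SRC_IP, dst_ip: str = DST_IP) -> bool:
    """A segment whose checksum field is correct sums to zero when re-checksummed as a whole."""
    return tcp_checksum(src_ip, dst_ip, segment) == 0


def build_segment(sport, dport, seq, ack, flags, urg_ptr, payload, src_ip=SRC_IP, dst_ip=DST_IP) -> bytes:
    """Build a TCP segment with a 20-byte header (no options) and a valid checksum."""
    offset_byte = 5 << 4  # data offset of 5 words = 20 bytes
    unchecked = struct.pack(TCP_HDR_FMT, sport, dport, seq, ack, offset_byte, flags, 65535, 0, urg_ptr) + payload
    csum = tcp_checksum(src_ip, dst_ip, unchecked)
    return struct.pack(TCP_HDR_FMT, sport, dport, seq, ack, offset_byte, flags, 65535, csum, urg_ptr) + payload


def parse_header(segment: bytes) -> dict:
    """Decode the fixed 20-byte TCP header into a dictionary."""
    sport, dport, seq, ack, off, flags, window, csum, urg = struct.unpack(TCP_HDR_FMT, segment[:20])
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack, "hdr_len": (off >> 4) * 4,
            "flags": flags, "window": window, "checksum": csum, "urg_ptr": urg}


def clear_urgent(segment: bytes, src_ip: str = SRC_IP, dst_ip: str = DST_IP) -> bytes:
    """Return a copy of the segment with URG cleared and the urgent pointer zeroed.

    Two header fields change, so the checksum is recomputed; TCP options (if any) and
    the payload are carried through unchanged."""
    sport, dport, seq, ack, off, flags, window, _csum, _urg = struct.unpack(TCP_HDR_FMT, segment[:20])
    rest = segment[20:]  # options followed by payload
    flags &= ~TCP_FLAG_URG & 0xFF
    unchecked = struct.pack(TCP_HDR_FMT, sport, dport, seq, ack, off, flags, window, 0, 0) + rest
    csum = tcp_checksum(src_ip, dst_ip, unchecked)
    return struct.pack(TCP_HDR_FMT, sport, dport, seq, ack, off, flags, window, csum, 0) + rest


# Constructed sample: a PSH/ACK data segment that also carries URG with a non-zero pointer.
SAMPLE_PAYLOAD = b"GET / HTTP/1.0\r\n\r\n"
SAMPLE_URGENT = build_segment(40000, 80, 1000, 2000, TCP_FLAG_URG | TCP_FLAG_PSH | TCP_FLAG_ACK, 6, SAMPLE_PAYLOAD)

if __name__ == "__main__":
    cleaned = clear_urgent(SAMPLE_URGENT)
    before, after = parse_header(SAMPLE_URGENT), parse_header(cleaned)
    print(f"before: flags=0x{before['flags']:02x} urg_ptr={before['urg_ptr']} checksum_ok={checksum_ok(SAMPLE_URGENT)}")
    print(f"after:  flags=0x{after['flags']:02x} urg_ptr={after['urg_ptr']} checksum_ok={checksum_ok(cleaned)}")
```

Running the block prints the segment before and after normalisation; the PSH and ACK bits survive, only the URG bit and pointer are removed, and both versions carry a valid checksum. The same rewrite applied a second time is a no-op, which is the property a middlebox needs so that already-clean traffic is never altered.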
I mentioned in my last blog that we’re kicking off a Data Center Summit starting in Dallas, Texas today. One of the special guests at our seminar will be John Kindervag from Forrester Research, presenting on the Zero Trust Model. If you haven’t yet heard of Zero Trust, check out the video here. With the current state of security attacks on organizations, this new security model, called “Zero Trust”, recommends that enterprises take a new architectural approach to securing their networks. Kindervag’s model recommends trusting no one (not even internal …
Issue GlobalProtect must be set up on a firewall with an internal IP address sitting behind an edge Internet device. Resolution Topology: Internal Network > PAN (192.168.10.2/24) > (192.168.10.1/24) Internet Router (184.108.40.206/24)---(220.127.116.11/24) ISP Setup instructions: In the above setup, the Edge Internet Router (18.104.22.168) is performing NAT
Issue: The service route configuration does not function if a subnet is used as the destination IP address. Resolution: Currently by design, a host IP address must be used, rather than a subnet address, when configuring the service route destination. Owner: yogihara
Issue: The session is timing out when using TFTP to export the running configuration from the firewall. Resolution: When sourced from an interface address, TFTP works as expected. TFTP is a protocol in which the response packets do not have matching ports with the request
This document demonstrates IPSec interoperability between Palo Alto Networks firewalls and the Cisco ASA firewall series. We will also detail the IPSec configuration, statistics, and CLI outputs from both PAN-OS and Cisco ASA. owner: ksomu
WildFire has recently detected a new variant of the Waledac botnet, along with a few new modifications. As a reminder, Waledac was a fairly large spamming botnet that was taken down in 2010 when Microsoft was able to take ownership of the many domains used by the botnet. On February 2nd, WildFire began seeing a new variant of Waledac showing up in customer networks, and this time it’s doing more than just sending spam. The new version has upgraded its malicious abilities to include stealing of passwords and authentication data. …
Issue After configuring backup interfaces on an HA cluster, there is no traffic passing through the firewall and the HA_ERR_STATE value is extremely high. Resolution Investigation shows that the HA2 and HA2-backup links are placed in the same VLAN, which is causing HA2 packets to bleed onto the HA2-backup interface
PAN-OS 5.0, 5.1, 6.0, 6.1, 7.0 Overview This document describes the steps to configure GlobalProtect with a client certificate profile when using a client certificate for authentication with or without other authentication methods. The example applied in this document is done with self-signed certificates, but it can also be done
Overview There can be times when an admin has to manually downgrade the BrightCloud URL Filtering Database; this document explains how. In this example, we will be downgrading to BrightCloud DB version 3.781 (seed file) from January 23rd, 2012. Steps Locate the seed file on the Dynamic Updates page and
Great info from the Palo Alto Networks Product Management Team on the latest events surrounding DNSChanger. DNSChanger is a malware family that has been around for several years now, and at its height controlled the web browsing of some 4 million PCs. DNSChanger typically masqueraded as a video codec download, and once downloaded would surreptitiously change the DNS servers of the infected host to rogue DNS servers which direct users to pay-per-click advertising networks to earn money for the perpetrators.
In a recent post for ReadWriteWeb (3 Ways Social Media Can Put Enterprises at Risk), I outlined a few IT security “blind spots” that many companies are currently trying to address when dealing with social media applications. As last week’s blog post on our Application Usage and Risk Report findings pointed out, I am convinced that social media is here to stay in the enterprise. To expand upon the points I made in that article, I’d like to add a few additional details to expound on my opinions around approaching …
This document shows how to deploy Palo Alto Networks devices into your network. Various scenarios and configurations are described. All scenarios were tested in the field running PAN-OS 5.0.x code. To download the diagrams and tested configurations, refer to Diagrams and Tested Configurations.