[go: up one dir, main page]
This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
Buy or Renew
Buy or Renew

About RH747

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
RH747
‎10-15-2025
since ‎07-14-2023
L2 Linker
User Activity
User Profile
Latest posts by RH747
View All
User Badges
Community Statistics
Member Since ‎07-14-2023 11:14 AM
Date Last Visited ‎10-15-2025 09:24 AM
Posts 22
Total Likes Received 3

Re: University Students Receiving (HTTP Status Code : 416) (CE-40862-0) On Playstation devices

by in General Topics
‎10-09-2025 06:54 AM
‎10-09-2025 06:54 AM
You can create an app override if you have specific use-cases refer to the technical documentation for your PAN-OS version. Here's the link to the latest 12.1 documentation: Device > Setup > Content-ID   Entry from 10.2 doc: Enable this HTTP partial response option to enable a client to fetch only part of a file. When a next-generation firewall in the path of a transfer identifies and drops a malicious file, it terminates the TCP session with an RST packet. If the web browser implements the HTTP Range option, it can start a new session to fetch only the remaining part of the file. This prevents the firewall from triggering the same signature again due to the lack of context into the initial session while, at the same time, allows the web browser to reassemble the file and deliver the malicious content; to prevent this, make sure to disable this option.   Allow HTTP partial response is enabled on the firewall by default. This provides maximum availability but increases the risk of a successful cyberattack. For maximum security, disable this option to prevent the web browser from starting a new session to fetch the rest of a file after the firewall terminates the original session due to malicious activity. Disabling HTTP partial response affects HTTP-based data transfers which use the RANGE header, which may cause service anomalies for certain applications. After you disable HTTP partial response, validate the operation of your business-critical applications.   If you experience HTTP data transfer disruption on a business-critical application, you can create an Application Override policy for that specific application. Because Application Override bypasses App-ID (including threat and content inspection), create an Application Override policy for only the specific business-critical application, and specify sources and destinations to limit the rule (principle of least privilege access). Do not create Application Override policy unless you must. For information about Application Override policies, refer to https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClVLCA0. ... View more

Re: finding rules that need dependent apps adding

by in Expedition Discussions
‎10-09-2025 06:28 AM
1 Kudo
‎10-09-2025 06:28 AM
1 Kudo
As far as I know, there's no real way to list that information out in bulk. The closest you could get is doing as @MRamadanAHafiez suggested and commit a change to then see the rules listed there, but you cannot export that list. Also, as a side note, you don't have to fully commit a change, you can "Validate Commit" to see the list and then revert the change without making a live commit to the config. That feature is also useful for shadowed rules. Policy Optimizer won't help you in your specific case but is extremely helpful for a multitude of other reasons.   As far as I know you'll have to go through each rule. You'll want to do that anyways if onboarding a new NGFW to clean up old rules that are either obsolete or poorly configured.   Good luck! ... View more

Re: GlobalProtect Gateway on PA-820 Stopped Responding – Guidance Needed

by in GlobalProtect Discussions
‎10-07-2025 09:21 AM
‎10-07-2025 09:21 AM
I have an extremely similar environment with a similar issue. Single PA-820 on 10.2.13-h5 with GP on loopback, with GP clients on 6.2.7. Certain users will get the certificate issue and at first thinking the certificate was the problem, I dove into troubleshooting that specifically. Upon several attempts at any fix I could find, the only solution was uninstalling and reinstalling the GP client. My support partner also could not find any solution, and we both agreed that, to save the headache, reinstalls would serve as a workaround for now. I don't believe any of the logs showed the firewall at fault and only certain users were affected while others connect flawlessly, so my issue seems to differ from yours in that regard. I only started having this issue on 10.2.13-h5 with newer GP clients (6.2.4+) and seeing that you have a different, albeit similarly adjacent issue it may be a bug within this PAN-OS release. If you find a solution let us know, I would be interested in learning more!   Also, a word of caution - I tried 11.1 on my PA-820 and it ran like absolute garbage. The release I used entirely broke my logging on the firewall. All syslog, ftp, and snmp simply stopped working without even support being able to restore it and suggested it was an 11.1 issue... I downgraded to 10.2 shortly after. I'd advise anyone to run 10.2 for as long as you can! Granted, however, this was a preferred release from ~1 year ago so perhaps they've cleaned it up by now. I'm dreading the EOL for 10.2 and the inevitable switch to 11.1. ... View more

Re: Active Directory groups w/ members from multiple domains

by in General Topics
‎10-06-2025 11:22 AM
‎10-06-2025 11:22 AM
Any luck on finding a solution? I would be interested in learning if you found something that worked! Would pulling both domains into the Palo LDAP suffice? It would be a bit more work as you would need to replicate domain groups within both, but as far as I can tell your original configuration isn't possible. ... View more

Re: 2 LANs are not reachable to eachother

by in Next-Generation Firewall Discussions
‎10-06-2025 08:27 AM
‎10-06-2025 08:27 AM
What have you seen when reviewing the traffic logs? How did you structure the allow policy? ... View more

Re: Outbound SSL Decryption Quirk

by in Next-Generation Firewall Discussions
‎10-06-2025 07:53 AM
‎10-06-2025 07:53 AM
I have checked the logs when it has happened in the past and don't see anything that consistently shows each time and it's a somewhat rare occurrence, so I don't have much to go off of with only 1 user testing. Initially I thought maybe it was an OCSP/CRL delay, but that's uncertain without logs to correlate the thought. I was hoping someone has experienced this and narrowed their findings to something specific I could check!   The profile is mostly configured to PA recommended best practice; the minimum protocol is set to 1.2 with maximum set to max. I do not have the failure checks or strip APLN enabled. Certificate used is firewall generated. ... View more

Re: WEBUI Session Timing Out

by in General Topics
‎10-06-2025 06:59 AM
‎10-06-2025 06:59 AM
The issue only truly went away for me after a factory reset of the device, unfortunately. That's unrealistic for most environments so not a real solution imo, but the only one I've found that worked permanently. Even Palo Alto support scratched their heads and basically ghosted my ticket when I opened it, lol. I'm assuming you've tried restarts on both devices, OS upgrades, access through CLI, etc. What OS are you on and does this issue persist across all browsers? Have you tried disabling the KeePass browser plugin entirely and testing? When my issue was still present Firefox always worked, thankfully. ... View more

Outbound SSL Decryption Quirk

by in Next-Generation Firewall Discussions
‎10-03-2025 10:14 AM
‎10-03-2025 10:14 AM
Hello,   I have established an outbound SSL decrypt policy that I have enabled for only myself as I test functionality. Over the past few months, I've noticed a quirk that I'm unsure of the reasoning behind. With the policy enabled, sometimes connections to certain destinations will require a reload of the webpage to establish connection.   For example: Navigate to a knowledgebase for a vendor - failed to establish connection upon first attempt Reload the webpage - successfully establish connection   This behavior is exclusive to when I have the decrypt policy enabled so I'm fairly certain that I am pointing the finger at the correct culprit. It seems a problematic destination is random, as it's not always the same sites and varies between days/weeks on occurrence.   The work around of simply refreshing the page is easy enough, my concern is when I enable this for the company and users flood my inbox with this issue for various sites and I have to tell them all to refresh... seems half-baked.   My question is - Is this normal behavior for SSL decryption, or am I missing something within the configuration? I followed the best-practice guide released by Palo Alto.   Thanks! ... View more

Re: GlobalProtect 6.2.6 - discovered issues or reliability concerns

by in GlobalProtect Discussions
‎04-24-2025 09:12 AM
‎04-24-2025 09:12 AM
I've been running 6.2.6 for a few months now and I've ran into a bug where it will not validate client certificates regardless of what I've done. Upgraded the problem devices to 6.2.7 and the issue vanished. This has only happened on a handful of clients, but noteworthy if you have a large client count. ... View more

Re: WEBUI Session Timing Out

by in General Topics
‎11-21-2024 10:17 AM
‎11-21-2024 10:17 AM
@JDBailey due to a separate issue I factory reset the firewall, reloaded my config and this issue went away. Obviously a very extreme solution to a very minor issue, but a solution none-the-less! Also, @trafsta, it's worth mentioning that before the fix 1Password was giving me issues and afterwards it works fine so that's a good point to raise and to disable autofill on the firewall webpage if you experience this. ... View more

Re: User-ID Agent Timeout Triggering

by in General Topics
‎11-01-2024 09:47 AM
‎11-01-2024 09:47 AM
Currently I have UID agents polling on my DCs. I thought about an internal GP gateway as well but decided against it initially, perhaps that would be more ideal for my desired outcome based on what I've been reading!   So, based on your response, I suppose UID does truly only poll for those few events and nothing more than that? If I want to maintain an active mapping, with no gaps, I either have to extend the cache timeout to my kerberos/gpupdate/etc polling interval or match those to my cache timeout.   Also, yes! You are correct, but I'm abiding by a slightly modified version of that NIST control that requires a few extra 'sub-controls' on top of the 'primary-control'. One of them being identification of the user within their session and another that terminates all external access after 60 minutes inactivity, so UID mapping would be great (or admittingly GP, but I haven't done anything with internal gateways, so this seemed like the easier option). Once I started looking into UID it seems I overestimated its function and it truly only polls for a few logon events and doesn't really extend beyond that.   I suppose my two options would be to adjust polling in my agent/environment to sync with each other within a 60-minute window, or setup an internal GP gateway with similar timeouts.   Time to weigh my options, thanks! ... View more

User-ID Agent Timeout Triggering

by in General Topics
‎11-01-2024 08:20 AM
‎11-01-2024 08:20 AM
I'm going through implementing a special 'modified' SP800-171R2 control list and I believe I can achieve satisfying controls such as 3.13.9 "user session timeout/terminate external access etc etc" control with the UID timeout function.   If I tied external internet access to a security group in my AD and granted users membership to that group, then when their ip-mapping cache is up for renewal and isn't renewed then they would effectively have their "session terminated" as the control requires.   However, I have several questions on how UID determines a renewal. Obviously UID caches the user's successful log in or kerberos grant and that lasts your defined cache period (45 minutes by default), but once a renewal is necessary what is criteria that UID is searching for to grant a renewed ip-mapping?   This article states a few Event ID's that UID looks for to grant a mapping, but I can almost bet money these aren't everything UID is using to define user activity: Security Event IDs from Active Directory Used with User-ID Agent    The reason I doubt that's an exhaustive list is it seems there's a large gap for security events to be missed. For example - a user logged in, and then 20 minutes later was locked out of their account. Both events happen within the 45-minute cache renew window with the lockout being the most recent event to be logged. Would UID read the Event ID 4740 for account lockout and deny a mapping renewal for that user? According to that article, no, but that seems silly, and I highly doubt that to be the case as that would leave fairly major security gaps within the UID function. Would the lockout be handled by LDAP and UID genuinely only monitors log-in activity?   If that's the case, what if a user logs in and is active for the entire 45-minutes so they don't log in a second time to trigger a renewal and the kerberos ticket lifetime is 10-hours so there wouldn't be a TGT event ID for a renewal either. Would the user need to log out/in to trigger UID to map their ID to an IP? Would I need to set our kerberos halflife to a shorter duration so the events are more frequent and keeps ip-mappings fresh?   I'm trying to understand what exactly triggers UID to grant ip-mappings and subsequently renew those mappings. If there's a way to "game the system" with the way UID processes renewals, then I may not be able to use it for meeting compliance.   Has anyone tested UID to this extent or found a document useful in explaining more about this topic?   TL; DR Is there an official exhaustive list of Event ID's that UID utilizes to trigger renewals, or adversely denials, for ip-mapping? ... View more

Re: PAN OS Upgrade recomendation on latest 10.2.11 released 8/13/24 Currently Monitoring

by in General Topics
‎08-26-2024 09:31 AM
1 Kudo
‎08-26-2024 09:31 AM
1 Kudo
Tangsuan,   Please refer to this document for more official details on upgrading PAN-OS: Support FAQ: Upgrading PAN-OS and Upgrade Paths | Palo Alto Networks   From my experience it's typically best to step up from your current release to the next base feature release and then to the preferred maintenance version of that base release. I've been told you can even skip installing the base feature version and so long as you have it downloaded that's all you need. I've tried both ways and haven't run into any issues, but I prefer the safe route of installing each step.   Simple example: 10.1.11-h5 (current) > 10.2.0 (base feature version) > 10.2.9-h1 (preferred release) In your case you are on the same base feature version as the desired maintenance release so you can update directly to 10.2.11.   However, I strongly urge you to consider the preferred release instead, unless you need a newer release for a fix to your environment. From personal experience jumping to a new release before it has been marked as preferred can cause you a massive headache. Read the patch notes thoroughly before updating to a new PAN-OS release and use caution. Refer to the linked document for more on why you want to consider this carefully.   Regards, RH747 ... View more

Re: Global Protect switching from Pre Logon to User

by in General Topics
‎07-01-2024 10:10 AM
‎07-01-2024 10:10 AM
Without seeing the GP Monitor logs it's hard to say what could be the root issue. Do you have access to these logs? Check them and note where the failure point is for more clarity on the issue. Seeing what happens at the interim step of portal-prelogin and portal-auth would be of particular interest since that's where you'll pull your user-specific IP.   From what it sounds like based on your description it could be the gateway agent client settings as that defines where users are going to be pulling their IP's. When you say you logon, do you mean log into GP or the device? Is your GP configured to pull Windows credentials or have the user login manually? Correct me where I may be wrong, but the string of events read as: User logs into device Device is already registered into pre-logon via machine cert, etc GP disconnects pre-logon connection due to 60 second disconnect rule GP does not pull the user's windows credentials properly and fails Failure point - does GP actually fail here or is this a limitation of your configuration? Logs would give more insight User must sign in manually to regain access to gateway and pull proper IP ... View more

Re: WEBUI Session Timing Out

by in General Topics
‎07-01-2024 07:34 AM
‎07-01-2024 07:34 AM
@Andreas.Hupfer wrote: since version 11.0.5 of our panorama server we are facing the same problem. As a temporary solution the following is working for me: 1) connect to the device / panorama website 2) press f12 to open the dev tools of the browser 3) navigate to the network ribbon and disable the cache (sorry for the german screenshot) 4) login 5) After login you can close the dev tools Clearing the browser data is not working for me. Disabling the cache seems to work in edge at the moment.   That worked! As a temporary solution it works flawlessly... for now at least, haha. Hopefully Palo Alto recognizes this is a problem and addresses it in future releases as this was a major pain to deal with. Our premium support partner couldn't find any solution to this issue, so I'm glad you were able to help out. I will mark this as a solution, albeit more so a temporary workaround until PA resolves it in an official release.   Thanks! ... View more
Register or Sign-in
Contact Me
Online Status
Offline
Date Last Visited
‎10-15-2025 09:24 AM
Likes From
View All
LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2025 - Palo Alto Networks