About BPry

@Verac22, The way to handle this really is by reporting the incorrect verdict so that it is corrected and no longer triggers. There's not a way to exclude just that one single hash unless it's an inline detection; the closets you can get to that is creating a specific profile with the threat signature excluded and associating it with a dedicated rule where that file would be matching. Obviously that doesn't mean it will only ever match that one file, but you've created the smallest possible exception as what you can currently with PAN-OS.  ... View more

@khalil.extern11, Correct. You'll want to verify that you meet the requirements to run 11.1. You can verify the checklist in the document that I shared earlier (page 106) to make sure that you've reviewed all of the upgrade considerations. Then review the release notes to verify that everything in your environment meets the minimum compatible versions HERE and ensure that you have the minimum content version of 8761 installed.  ... View more

@EduRamirez, I'm not aware of a resource where this is specifically detailed, but if you're using a normal SIEM (Graylog, Splunk, LogRythm, etc.) have their respective content packs that you can utilize  instead of having to build it out manually. If you've rolled your own maybe you can use Graylogs content pack to build out your extractors?  ... View more

@dworakj, Best practice would be that you aren't building just any 'any' application rule for a service when you're working with a NGFW that can do application identification. You are either manually specifying a service (if absolutely required) or setting application-default so that potential future default ports are actively allowed without you adjusting policy through dynamic updates. At times you'll need to for operational reasons, but it should be the exception. What you have built will allow anything running on 6665-6669, which means if I've breached one of your DMZ hosts I can now build an SSH tunnel for exfiltration once I've done a simple port scan. Note that your rule appears to be denoting that you are looking to permit this traffic, but in both your example and the description of your intent you are specifying an action of allow. I would verify that you actually want to allow this traffic and not deny it, because it would appear you have your action set incorrectly.   What you experienced earlier is 100% expected behavior with how you had the rule built. The firewall needed to allow enough traffic to pass to identify the application so that it could see if it should be allowing the traffic. Many people are initially surprised to see this behavior when a small amount of traffic is caught under the rule where they aren't expecting to see it, but it's normal and well documented as to why.  ... View more

@BigPalo, Kind of two different ways to do this that are going to do essentially the same thing. You could enforce GlobalProtect for network access and use an internal gateway to tie the authentication to Entra ID through SAML SSO, or you utilize an authentication portal with SAML SSO to Entra ID to do effectively the same thing just through the browser solely itself.  The reason I personally don't love just using an authentication policy and the authentication portal is that a user only using apps like Slack, Webex, or Teams won't actually immediately be redirected to the portal. It works fine if your users live in a browser all day, but GlobalProtect is the most straightforward solution in this case. It's a good stop-gap if we're talking about personal machines here, but if these are company owned endpoints just push the agent through Intune and be done with it would be my suggestion.  ... View more

You can upgrade directly, there is no intermediate upgrade path if you are upgrading from any 10.2 release to 11.1. You can always find the upgrade path through the PAN-OS upgrade guide that is published for your target major version; in your case that is located HERE and can be confirmed on page 123 ... View more

@dworakj, I would assume that this is the first application based rule that is in your rulebase. The firewall needs to allow enough traffic to pass to actually identify the application, which is why all of the logs that you have displayed pass so little data. Once enough traffic has passed for the firewall to identify the application, it is re-analyzed to determine whether or not the traffic should be allowed.  ... View more

@Aftab_786, Oh man ... that's a whole lot of unknowns when you have so many variables in play. I would 100% not move forward with anything outside of a maintenance window if things are currently working if you haven't had config sync in a year. It doesn't seem like you have traffic impacting config drift with a years worth of changes missing, but in most environments that would mean you're missing rules you would likely need. However 700 days without an update perhaps that isn't the case in your environment.   2. Manually make .136 active by lowering its HA priority from 100 to 50. Do you have preempt enabled so that this would actually work?  4. Once .136 becomes active, perform config sync from .136 to .135. Do you want the config from 136? If 135 is your primary and supposedly where any configuration changes would have been made, that should be your most current configuration should it not? I would be looking at the diff between peers and seeing which config you actually want to take over or at least have the knowledge needed to 'rebuild' any required changes.   Alternatively, would simply rebooting the active firewall (.135), which has been up for about 700 days, potentially resolve the login issue if the problem is related to resource exhaustion or a system fault? You have recent experience that your failover is functional, so you do have the option of simply rebooting .135 and allowing your passive firewall to take over things and seeing if that addresses your access issues. This would be my recommendation (within a maintenance window) and then you can see if that fixes your login issues and then deal with the configuration sync problems.  ... View more

@BigPalo, When you say that they're authenticating, do you mean that you're using SAML with Entra for something like GlobalProtect or an authentication policy or authenticating to the device through a hybrid or Entra-joined endpoint? I'm going to assume the later at the moment and if that's the case, you'll want to look into Cloud Identity Engine that handles this sort of thing.  ... View more

@Luis_DPS, Can you detail a little bit more what you mean by subscription? Do you have a PAYG subscription for a cloud service provider, do you want to unsubscribe from emails that you are receiving? What sort of subscription are we talking about here?  ... View more

@Hunter_Barras, Presumably you can still log into the device via SSH since you're able to restart processes. When you say that you've done a reboot, do you mean of the computer or the actual PA-1410?    Couple of things: You can just refresh the licenses through the CLI and verify the current expirations have been refreshed if your primary concern at the moment is licensing through the 'request license fetch' command. This will query the license servers so that they will apply to the device properly. This will spit out the license status once complete, but you can validate things separately by just running 'request license info'.  You can try disabling the idle-timeout completely via configure mode via 'set deviceconfig setting management idle-timeout 0' and see if that at least allows you to get back into the GUI properly. I've seen this get stuck before, but never in a way where clearing the browser cache or restarting the box itself hasn't fixed. Maybe disabling it will unjog whatever is stuck and at least allow you to get back in properly.  ... View more

@s.mousa451637, What exactly are you doing? Moving from a device with multi-vsys to one that only has a single VSYS? Migrating an existing VSYS on a multi-vsys system to it's own independent hardware?  ... View more