XDR agent quota exceeded

By enewman
paloaltonetworks.com
 9 days ago

We're running 7.4.x currently and we've been seeing a ton of these alerts lately, and it seems to be for the same four or so machines out of several thousand. It is just alert after alert. I checked the log folders on the machines and they aren't anywhere near full for what we set for the log folder limit. I even emptied one of them and it was still generating alerts. I ended up uninstalling/reinstalling and that seems to have done the trick, for now, but...

MS Autodiscover Flaw - Vulnerability

A design issue in the Microsoft Exchange Autodiscover feature can cause Outlook and other third-party Exchange client applications to leak plaintext Windows domain credentials to external servers. Domains that we need to block are listed here: https://github.com/guardicore/labs_campaigns/blob/84d8423335bf72ea078b5286db647580fb7f6a58/Autodisco... However, this list has over 9100 domains and some are not illegal...

Psiphon blocking in a non-decrypted network

Recently, I have issues with the application called Psiphon; this app is eating my internet based on the authentication portal page. As I check previous threads in the community, all speak about decrypted traffic or blocking applications that are vital such as http-proxy, ike, ipsec, l2tp, ssh, ssh-tunnel. it...

Globalprotect mobile clients unable to resolve DNS

Is there a way to restart the GlobalProtect module? PC and Mac users on GlobalProtect are unaffected, it's only on mobile devices. This suddenly stopped working this morning. I even tried manually setting the DNS in the VPN profile to our internal DNS but it is still not resolving. This is happening to all clients starting this morning.

Is my firewall hacked already?

I have a PA3020 with PAN-OS version 7.0.5-h2. I noticed that it has a lot of DNS traffic sent to a strange IP address. In the output of the show system resources command I found a strange nginx process and two syslog-ng processes there. Is it normal, and how do I get rid of them? 2797 nobody 20 0...

Cortex XDR Agent and system logs

I am trying to get logs for the Cortex XDR agent that are more than 1 month old, from the system and tech support file, however I am not getting any success. Does anyone know any method by which we can retrieve agent logs/tech support logs for more than 1 month old data? Is it...

Cortex XDR Uninstall without password and active tenant

Cortex XDR uninstall without password and active tenant. On a Windows computer we have installed the Cortex XDR agent on a POC tenant. The tenant was deleted but we didn't uninstall the agent on the client computer. We tried to uninstall it manually, but we don't have the password. We tried with...

GKE. Dataplane V2

Is using Dataplane V2 supported by the CN-Series firewall? This is the recommended option and will be enabled by default in a future release by Google.

NCR saving passwords with MD5 hashing

Was wondering if someone could tell me if there's a way of changing the hashing method when passwords are saved in Palo Alto. I can see from 2010 the method is MD5 and we are also dealing with an NCR stating the same, but I can't see anywhere this can be changed/updated? Is this still the current default for storing passwords in a Palo?

Panos_admpwd Hangs

Hi there, I have a super basic Ansible script that is meant to just change the admin password using SSH.

    ---
    - name: change admin password for newly deployed Palo Alto firewall
      hosts: firewall
      collections:
        - paloaltonetworks.panos
      gather_facts: no
      tasks:
        - name: Change admin password using SSH
          panos_admpwd:
            ip_address: '{{ provider.ip_address }}'
            newpassword: '{{ provider.new_password }}'
            key_filename: '{{ ansible_ssh_private_key_file }}'
          register: result
          until: not result|failed
          retries: 10
          delay: 30
        - name: panos commit
          panos_commit_firewall:
            provider: '{{ provider }}'

Data Exfiltration / Large file uploads

I was wondering if anyone found an efficient query to look for data exfiltration/large file uploads? I'm looking more from a threat hunting perspective, where I would want to trace one or multiple files being uploaded to a remote destination. Right now the only way I've found is to correlate...

A customer has a question about the pa-5220 they are using.

1. Customers want to use NAT. How many IPs can be assigned to SNAT and DNAT respectively? According to the address above, the PA-5220 can use up to 6000 NAT rules; I wonder if this is correct. 2. Customers want to use SNAT and DNAT in the same band. At this...

No packet capture files are generated on pa-3060 that customers are using.

No packet capture files are generated on the PA-3060 that customers are using. I have been contacted by a customer that there is a problem with packet capture. I know that executing a packet capture command triggers packet capture, and a pcap file containing the captured packets is generated when the traffic you want to check is generated.

Ping and other Applications in the same rule on a non-standard port

Ping and other applications in the same rule on a non-standard port. Is there a way to allow ping on a rule that has another application that uses a non-standard port? So for example, if yum uses port TCP 3142 instead of its default tcp/80,21, is there a way I can attach ping to that rule and still have it work? Like on Cisco ASAs, where you can add icmp as a port/service.

How to set selective syslog server?

Can I set Palo Alto to check if the syslog server is up before forwarding the log, and if the main syslog server is down, forward the log to another server? I have an issue where I need Palo Alto not to forward logs to both servers at the same time.

DNS security license

I need to know if the DNS Security license is included in the Threat Prevention subscription or not. It is a separate license and not included in the Threat Prevention subscription.

Failed to download dynamic updates

I haven't been able to download any dynamic updates to our Palo VM-100 for a little over an hour. The message "Failed to download file" appears, and in the system log I see "connection to update server closed". For example, I also tried to download an older version of Global...

Linux CLI GlobalProtect with SAML MFA connection problems

Hope someone can help. I am running into problems with Ubuntu 20.04 users that want to use CLI only. When I try to use the CLI GP client (tried versions 2.4 and 2.6) on Ubuntu, it opens the default browser and the MFA via Okta is successful, but then nothing happens. The VPN is never set up. The last message on the CLI is "Try to launch default browser for saml login...". The normal GUI Linux client works. But some users are pure Linux CLI users. The NGFW is running 9.1.10 with a full GP subscription.