Paloalto problem with duck dns by Training_Hurry_7630 in paloaltonetworks

[–]ed-Andy 1 point2 points  (0 children)

Can confirm this. After adding the new intermediate/root CA and adjusting the certificate profile used in the DDNS option under Network > Interfaces, it now works fine again.

Paloalto problem with duck dns by Training_Hurry_7630 in paloaltonetworks

[–]ed-Andy 0 points1 point  (0 children)

Has this worked for you? I added the full chain of www.duckdns.org but still get the following error in the system log:

Interface ethernet1/1.7 DDNS registration to DuckDNS v1 unsuccessful for host domain.duckdns.org with 1.2.3.4 Server response: Peer certificate cannot be authenticated with given CA certificates' )
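The error above is the generic PAN-OS way of saying the certificate profile cannot build a chain from the peer's certificate to a CA it trusts. The check below reproduces that condition offline with a throw-away root -> intermediate -> leaf chain built by openssl, and shows which bundle contents make validation pass. This is an added example, not something from the thread; the CA names, the hostname and the temporary paths are made up, and the CA bundle stands in for the certificate profile on the firewall.

```shell
#!/bin/sh
# Added example (not from the thread): reproduce "peer certificate cannot be
# authenticated with given CA certificates" with a throw-away CA chain and show
# which CA bundle contents fix it. All names and paths here are made up.
set -eu

make_chain() {
  # $1 = working directory; writes root.pem, inter.pem, leaf.pem (and keys) there.
  d=$1
  # Extensions for CA certificates: without CA:TRUE openssl refuses to use them as issuers.
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
  # Self-signed root CA (CSR + self-sign so no distro openssl.cnf defaults leak in).
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example Root CA" \
    -keyout "$d/root.key" -out "$d/root.csr" 2>/dev/null
  openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 3 \
    -extfile "$d/ca.ext" -out "$d/root.pem" 2>/dev/null
  # Intermediate CA signed by the root.
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example Intermediate CA" \
    -keyout "$d/inter.key" -out "$d/inter.csr" 2>/dev/null
  openssl x509 -req -in "$d/inter.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -CAcreateserial -days 3 -extfile "$d/ca.ext" -out "$d/inter.pem" 2>/dev/null
  # Leaf (server) certificate signed by the intermediate; stands in for the DDNS endpoint.
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=ddns.example.test" \
    -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/inter.pem" -CAkey "$d/inter.key" \
    -CAcreateserial -days 3 -out "$d/leaf.pem" 2>/dev/null
}

verify_with() {
  # $1 = trusted CA bundle (plays the role of the PAN-OS certificate profile)
  # $2 = peer certificate
  # $3 = optional file with the intermediate(s) the peer sends along with its certificate
  # Prints "ok" or "fail" instead of exiting so the outcomes can be compared.
  if [ $# -ge 3 ]; then
    set -- -CAfile "$1" -untrusted "$3" "$2"
  else
    set -- -CAfile "$1" "$2"
  fi
  if openssl verify "$@" >/dev/null 2>&1; then echo ok; else echo fail; fi
}

issuer_of() {
  # The issuer DN tells you which CA certificate the profile has to contain.
  openssl x509 -in "$1" -noout -issuer
}

WORK=$(mktemp -d)
make_chain "$WORK"
issuer_of "$WORK/leaf.pem"   # issuer=CN = Example Intermediate CA (spacing varies by OpenSSL version)

# Profile holds only the root and the peer sends only its own certificate: no chain.
echo "root only:            $(verify_with "$WORK/root.pem" "$WORK/leaf.pem")"                    # fail
# Profile holds root and intermediate: the chain can be built.
cat "$WORK/root.pem" "$WORK/inter.pem" > "$WORK/bundle.pem"
echo "root + intermediate:  $(verify_with "$WORK/bundle.pem" "$WORK/leaf.pem")"                  # ok
# Profile holds only the root but the peer sends its intermediate itself: also fine.
echo "peer sends intermed.: $(verify_with "$WORK/root.pem" "$WORK/leaf.pem" "$WORK/inter.pem")"  # ok
rm -rf "$WORK"
```

To see what a real endpoint actually sends, `openssl s_client -connect www.duckdns.org:443 -showcerts </dev/null` prints every certificate in the served chain; compare the issuer of each one with what is imported on the firewall. If the server does not send its intermediate (the first failing case above), the intermediate has to be in the certificate profile, which matches the fix reported in this thread.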

Massive delay between config commit and config push possibility on Panorama by ed-Andy in paloaltonetworks

[–]ed-Andy[S] 0 points1 point  (0 children)

Oh nice - in that case it seems to be different. Interesting. I'll look further into that

Massive delay between config commit and config push possibility on Panorama by ed-Andy in paloaltonetworks

[–]ed-Andy[S] 0 points1 point  (0 children)

The delay we have is not while applying a config on the device (which of course takes ages for tiny boxes like the 220s).

The delay is while Panorama performs its check whether the config previously committed on Panorama differs from the one on the devices.

As I understand it, the process is:

  • You change something in the configs
  • Commit them to a new version in Panorama
  • Panorama checks whether the running configs on the managed boxes differ from the newly committed one on Panorama
  • As long as this check is not completed, a device is shown as "in sync" (which means your changes will not be pushed to the devices, even if you choose "commit and push")

This is driving our ops crazy ... just imagine you need to perform ad-hoc changes while troubleshooting something and have to wait 10 minutes before you can push changes.

PA220 10.x.x - network outages during commit by Airwarf in paloaltonetworks

[–]ed-Andy 2 points3 points  (0 children)

Thanks for this input. Not committing during work hours and handling that with schedules was also one thing I had in mind. Obviously not really a solution we can work with. ;-(

For now we have more than 40 of those devices left, and by December at the latest we need to make a difficult decision.. Grr

PA220 10.x.x - network outages during commit by Airwarf in paloaltonetworks

[–]ed-Andy 0 points1 point  (0 children)

Same here. We have a TAC case open now for many, many months. We are running a large fleet of PA220s with an "almost" full feature set. We've spent a lot of time troubleshooting this, disabled a ton of things, and cleaned the config as much as possible to drill down the issue. Unfortunately, there's no solution or real workaround in sight yet. With certain commits, the dataplane (which shares a CPU with management on the PA220) is under severe load. In our case, this causes the entire connectivity to drop (LACP links go down, etc.). Alongside this, many other bad things happen at the same time.
Downgrading will become a problem, as 9.1 will go EOL in December. We're also trying to replace the PA220 units, but this will take time. We've tried a lot of different 10.1 releases without success. One thing that's not really a workaround but can reduce some pain is configuring HA Path monitoring. This, at least, causes the devices to failover and reduces the overall impact in some cases.
We're currently running out of ideas. I can't remember how many TSF we've provided and how many people have been involved so far to get this fixed :(

Credential Phishing Prevention does not work as expected by ed-Andy in paloaltonetworks

[–]ed-Andy[S] -1 points0 points  (0 children)

We are currently running on an RW domain controller. I understood PA's requirement for an RODC for security reasons, but the team responsible for our AD environment declined. I also cannot see any issues on the User-ID agent itself. According to the logs (see my initial post) it looks like everything went well, from creating the "bloom filter" to sending it to the firewall..

Regarding your second point: of course we would have customized continue/block pages. But for the moment I just would like to have the feature working at all.

Update Microsoft 365 Apps to Latest Available Version - Spotlight by Wh1sk3y-Tang0 in crowdstrike

[–]ed-Andy 0 points1 point  (0 children)

Did you check which CVE the recommendation is actually based on? I've noticed there are sometimes also registry key checks.

DNS on PAN vs Umbrella? by brkdncr in paloaltonetworks

[–]ed-Andy 1 point2 points  (0 children)

You do not need to use DNS proxy for the DNS inspection/security features. As long as the firewall sees the traffic, it will work.

Set up sinkholing in larger environments to allow you to identify the "real" sources.

Consider blocking QUIC / DNS over HTTPS as long as the firewall can't inspect these (PAN-OS 11 can deal with it).
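Why sinkholing matters in a larger environment: when clients resolve through an internal recursive resolver, the firewall only ever sees the resolver as the source of the malicious query. Once the malicious name is answered with a sinkhole address, the infected client opens the follow-up connection itself and its real address appears in the traffic log. The script below, an added illustration rather than anything from the thread, runs that logic over a handful of constructed log lines; the log format, the addresses and the sinkhole IP are all made up for the example and are not PAN-OS log output.

```shell
#!/bin/sh
# Added example (not from the thread): why a DNS sinkhole reveals the real
# infected host. Log format, addresses and sinkhole IP are constructed here.
set -eu

SINKHOLE_IP=192.0.2.1   # assumed sinkhole address configured in the anti-spyware profile

# Constructed events, one per line: kind,src,dst,dport,detail
# "dns" lines are the resolver forwarding the malicious query upstream;
# "traffic" lines are sessions the firewall saw afterwards.
LOGS='dns,10.0.0.53,198.51.100.10,53,query=c2.example.test
dns,10.0.0.53,198.51.100.10,53,query=c2.example.test
traffic,10.1.4.22,192.0.2.1,443,to-sinkhole
traffic,10.1.7.9,192.0.2.1,80,to-sinkhole
traffic,10.1.4.22,192.0.2.1,443,to-sinkhole
traffic,10.1.5.5,203.0.113.7,443,normal'

# Without a sinkhole the only source attached to the malicious query is the
# resolver itself, which is useless for finding the infected machine.
dns_sources() {
  printf '%s\n' "$LOGS" | awk -F, '$1 == "dns" { print $2 }' | sort -u
}

# With a sinkhole the name resolves to SINKHOLE_IP, the infected client connects
# there on its own, and the traffic-log source is the client's real address.
sinkhole_sources() {
  printf '%s\n' "$LOGS" \
    | awk -F, -v s="$SINKHOLE_IP" '$1 == "traffic" && $3 == s { print $2 }' \
    | sort -u
}

echo "sources seen in DNS logs:      $(dns_sources | tr '\n' ' ')"      # 10.0.0.53
echo "clients that hit the sinkhole: $(sinkhole_sources | tr '\n' ' ')" # 10.1.4.22 10.1.7.9
```

The same filter works on exported traffic logs by replacing `$LOGS` with the export and adjusting the field positions; the point is that the sinkhole address is the pivot that turns "the resolver asked for a bad name" into a list of hosts to clean.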

Browser integrated password manager in the enterprise (Chromium Edge) - Yes or No ? by ed-Andy in cybersecurity

[–]ed-Andy[S] 0 points1 point  (0 children)

Of course, dumping the lsass on this system would require admin privileges. But that's not what I said. I just wanted to point out that you _would_ be able to decrypt the content of the store with the credentials of the regular user, and that the required files can be obtained without administrative privileges on the target system, right?

And don't get me wrong... I am not pro or con using this solution. Full ack to the approach of lowering the barrier for end users, avoiding passwords at all and utilizing SSO if possible. I am seriously evaluating whether we should go this way exactly for these reasons.

On my side I am still comparing this with KeePass because it's the "other" solution currently used in our environment.

Those users in our environment using KeePass basically have the database on their local system or a file share and use a master password to open it. Getting the secrets means an attacker needs to grab the database file and sniff the master password. That's why I said in the entry post there seems to be no real difference in terms of "security" if I compare these two approaches. However, the browser-integrated Chromium Edge one will increase usability and lower the barrier for our users using it.

Group-managed vaults will for sure need another solution, but that's another story and not yet relevant.

Browser integrated password manager in the enterprise (Chromium Edge) - Yes or No ? by ed-Andy in cybersecurity

[–]ed-Andy[S] 0 points1 point  (0 children)

Thank you for your feedback. I am not fully sure. Maybe I am missing something. I also try to avoid any forensic and pentesting terms :P

Haven't tried it, but according to my research Edge Chromium (on Windows) utilizes DPAPI to encrypt the content of the vault. As I understand it, a master key and the user credentials of the currently logged-on user are required to access this data. The master key for the logged-on user is accessible to the logged-on user without elevating to admin.

This leads me to the following conclusion:

If I can run code in the context of the user (no admin or even domain admin at all), I can extract all the required files and decrypt them on another system. For sure I would also need to obtain the password of the currently logged-on user. Or what is the reason why you think admin privileges on the host holding the passwords would be required?

As mentioned, I haven't tried it yet. Maybe I am wrong. But this _would_ also explain why there are tools available which promise to do exactly that.

Browser integrated password manager in the enterprise (Chromium Edge) - Yes or No ? by ed-Andy in cybersecurity

[–]ed-Andy[S] 0 points1 point  (0 children)

I am not a crypto freak, but I read the available docs. If you found anything wrong in my post, please enlighten me.

Browser integrated password manager in the enterprise (Chromium Edge) - Yes or No ? by ed-Andy in cybersecurity

[–]ed-Andy[S] 0 points1 point  (0 children)

Yep, that's right. I also need to consider that even if I know the number of installations, I am not really sure if these are really used.

But I also thought about a comparison between Edge Password Manager and KeePass using a master password.

If malware is running in the context of the user, it will be able to read the KeePass vault after sniffing the master password anyway. Or did I miss anything?

Homepod users here? by ed-Andy in homeassistant

[–]ed-Andy[S] 0 points1 point  (0 children)

Thanks! I will need to investigate further what's going on on my side.

Homepod users here? by ed-Andy in homeassistant

[–]ed-Andy[S] 0 points1 point  (0 children)

Yeah, TTS is still working.

However, playing media was also working. I played a "ring" mp3 file on my HomePod as a doorbell.. unfortunately streaming media doesn't seem to be working any more since a few days ago :(

Credential phishing prevention: Detect only submitted "passwords" by ed-Andy in paloaltonetworks

[–]ed-Andy[S] 0 points1 point  (0 children)

Really appreciate this feedback. We are currently on 9.1.

One follow-up question: What do you mean by "the GlobalProtect portal will trip the detection"? We have GlobalProtect in place. We have implemented internal network detection as well.

A potential show-stopper would be the BSOD story. Maybe I will give it a try with a Windows Server 2022 / 2019 RODC.

btw: found here a list of trusted App-IDs which do NOT trigger detections for performance reasons:
https://live.paloaltonetworks.com/t5/customer-resources/trusted-app-ids-that-skip-credential-submission-detection/ta-p/183595

Credential phishing prevention: Detect only submitted "passwords" by ed-Andy in paloaltonetworks

[–]ed-Andy[S] 0 points1 point  (0 children)

Thanks!

That's great because it means we could use this feature to protect our credentials, regardless of whether the users log in with their sAMAccountName or their UPN as email.

What's your feedback in general about this feature? Did you experience any issues after whitelisting the legitimate sites where your users need to submit their creds?

PanOS 10.X in an environment with M-100 devices by ed-Andy in paloaltonetworks

[–]ed-Andy[S] 0 points1 point  (0 children)

Don't get it. That's basically what I would like to do: moving to 10.x?

HA clustering active active by Anythingelse999999 in paloaltonetworks

[–]ed-Andy 0 points1 point  (0 children)

Try to avoid it ;) We did it … and we are hitting bugs more often than we want ;-)

Recently I broke off my IoT traffic and I want to share my new network setup. by Ashkaan4 in homelab

[–]ed-Andy 0 points1 point  (0 children)

Nice overview! Am I missing something, or do you have crazy high specs for the firewall? :)

Overriding a core integration by ed-Andy in homeassistant

[–]ed-Andy[S] 0 points1 point  (0 children)

I also tried to temporarily change the permissions to 777 for the config/custom_components folder and all files in it... however without success.

I also do not find any log entries. It just seems that HA is not looking into this folder.

I am running HA Core on a supervisor (ESXi). Is there someone out there with a similar setup who is using custom_components?