diff --git "a/csv/paloaltonetworks_messages.csv" "b/csv/paloaltonetworks_messages.csv" new file mode 100644--- /dev/null +++ "b/csv/paloaltonetworks_messages.csv" 
@@ -0,0 +1,209 @@ +thread_ts,messages_json +paloaltonetworks-1,"[{""user"": ""70h0rfmb"", ""timestamp"": 1694803280.0, ""content"": ""Title: Configuring Global Protect to use Azure AD (Entra ID) credentials on Intune managed machine\n Body: Hey all - Seemed to have hit a snag on trying to configure Global Protect for my organization. I deploy it just fine with Intune, portal baked in and all that. But when the users sign in, their Windows sign in credentials aren't being used to automatically connect to the VPN. It's being sent over on our domain managed machines, but not with our Intune managed ones. I've made sure the settings are right in the firewall, but I can't figure anything else out. Anyone have any experience on this?""}, {""user"": ""zps23"", ""timestamp"": 1694803831.0, ""content"": ""Not enough info to really help.\n\nWhat is your auth backend? Are you using LDAP or SAML or CIE?\n\nWhat errors do you see on the firewall?""}, {""user"": ""70h0rfmb"", ""timestamp"": 1694804993.0, ""content"": ""Oh sorry about that -\n\nWe use LDAP currently, but this is where it's weird.. we have an ldap config that's looking at our DC and users can authenticate that way. We utilize userprincipalnames for the username (which is email address). The SSO happens perfectly fine no matter who logs in.\n\nSo my first thought was, how does the client know what info to use for domain machines when it's the same login type. Do we need to change it from UPN to email address for what data is being used for the username?\n\nThis is my first deep dive into our PA and global protect so I apologize if a lot of this seems stupid and easy. 
I'm very green on this subject haha""}]" +paloaltonetworks-2,"[{""user"": ""151ozs"", ""timestamp"": 1694802533.0, ""content"": ""Title: For HA pairs, any reason to not use one management cert with both firewall names as subject alternative names (SANs)?\n Body: I was getting ready to redo all of our Palos' management certs when I realized I could probably just create one cert for each HA pair with the DNS names of both the firewalls in the subject alternative name attributes. I could then set this common cert as well as a common SSL/TLS cert policy pointing to that cert as part of the template stack that gets pushed to both firewalls.\n\nAny reason to not do this?""}, {""user"": ""6qgsi"", ""timestamp"": 1694805148.0, ""content"": ""Nope""}, {""user"": ""1stnubp2"", ""timestamp"": 1694811076.0, ""content"": ""We are doing that without any issues""}]" +paloaltonetworks-3,"[{""user"": ""msfsh"", ""timestamp"": 1694817805.0, ""content"": ""Title: OpenSSL showcerts on Digicert certificate gives error unable to verify the first certificate\n Body: Hi,\n\nI have some issue with my wildcard certificate that is used in Azure WAF listener.\n\nRunning the following command:\n\nopenssl s\\_client -showcerts \\\\-connect [myapp.example.com:443](https://myapp.example.com:443)\n\nGives me following error:\n\n CONNECTED(00000005)\n depth=0 verify error:num=20:unable to get local issuer certificate \n verify return:1 \n depth=0 verify error:num=21:unable to verify the first certificate \n verify return:1 \n depth=0 verify return:1\n\nBut if I am checking it from the browser then it seems like everything looks fine, It shows the following certicicates: \\*.example.com, DigiCert TLS RSA SHA256 2020 CA1, DigiCert Global Root CA.\n\nHowever, this issue causes problem for some of my API to communicate as an exception with unable to verify the first certificate occurs.\n\nDoes anyone know how I can check if my certificate is correct and that the chain in the certificate is OK?""}]" 
+paloaltonetworks-4,"[{""user"": ""2c207fsg"", ""timestamp"": 1694814970.0, ""content"": ""Title: Dynamic Address Group vCenter mapping\n Body: We have many Datacenters and Clusters configured in our vCenter and whenever a new one is configured we have to manually add the path to the DAG. Is there any way to get around this using wildcards or other variables?\n\nThis is an example DAG configuration:\n\n\""vcenter01\\_datacenter01\\_cluster05\\_tag-category.tag-name\"" or\n\n\""vcenter01\\_datacenter02\\_cluster10\\_tag-category.tag-name\"" or\n\n\""vcenter01\\_datacenter03\\_cluster23\\_tag-category.tag-name\""\n\nI have tried this and it doesn't work but something like:\n\n\""\\*\\_\\*\\_\\*\\_tag-category.tag-name\""\""\n\n​""}]" +paloaltonetworks-5,"[{""user"": ""jrw1ikdos"", ""timestamp"": 1694791922.0, ""content"": ""Title: VPN Failed login notification confusion\n Body: Hey all \n\n​\n\nI have VPN set up and we use Okta for authentication. I get emails on failed/successful login attempts. Recently there has been a bruteforce attempt on our VPN so I get a lot of emails, this is fine, for now. But my confusion comes with the fact that I cannot replicate the failed log in attempts. If I try to authenticate through okta with a invalid user I never get a notification.\n\n​\n\nMy question is, how can I figure out how/where they are attempting to log in that is causing these failed attempts? I'm stumped""}, {""user"": ""4yt6w"", ""timestamp"": 1694794787.0, ""content"": ""Please be aware there are Okta vulnerabilities right now.\n\nhttps://www.computerweekly.com/news/366551034/Okta-customers-targeted-in-new-wave-of-social-engineering-attacks\n\nIt is thought that the very recent MGM hack was via an Okta issue, though the full story there is still developing. \n\nIf it were Okta based, is there no logging on that side that you can glean extended information from?""}, {""user"": ""jrw1ikdos"", ""timestamp"": 1694796518.0, ""content"": ""Thank you for your response. 
Interestingly enough the okta side does not show any failed attempts except for my own.\n\n​\n\nThis leads me to believe they are somehow bypassing this login and attempting to send authentication attempts with another method. I'm not super familiar with how SAML works but is it possible they can send login requests directly to the firewall?\n\n​\n\nGlobalProtect logs show auth method saml and \""Authentication failed: Invalid username or password\"" for these failed attempts""}, {""user"": ""4yt6w"", ""timestamp"": 1694797894.0, ""content"": ""> I'm not super familiar with how SAML works but is it possible they can send login requests directly to the firewall?\n\nThat's a great question and I'm not entirely sure. I would consider if it was a lot of these to open an emergency ticket with Palo Alto to glean whatever is possible from the attempts.\n\nIf this is a lone attack or very low frequency, a ticket still might be necessary depending on your comfort with the failures seen or accounts being attempted. Even using SAML, under Monitor -> Logs -> GlobalProtect, we still see the connection type, the attempted user and the IP address it is attempted from.\n\nAre you not getting any of that?""}, {""user"": ""jrw1ikdos"", ""timestamp"": 1694798391.0, ""content"": ""I am getting that information, this has been going on for probably a month now. The reason I've not acted urgently on it is because it's very slow and the usernames its attempting to use don't exist so I'm honestly not very worried about it, I'm really just curious how they are attempting to log in since I cannot recreate it.\n\n​\n\nI agree that maybe I should just contact PA""}, {""user"": ""4yt6w"", ""timestamp"": 1694798578.0, ""content"": ""I wonder if there is some sort of replay or injection attack they are attempting. That would worry me greatly if is starts happening here. \n\nI think PA TAC is the way to go. 
If this is something like above, hopefully they might be able to spot it in progress to narrow it down.""}]" +paloaltonetworks-6,"[{""user"": ""j6gf6"", ""timestamp"": 1694809089.0, ""content"": ""Title: 1400s: how\u2019re they running so far?\n Body: I need to move to new hardware now after some EoS dates. 1410s look real appealing from the hardware perspective, but PANOS 11 still has me nervous. \n\nCan you guys who administer them let me know how\u2019s it\u2019s been so far?""}, {""user"": ""37ve4gbk"", ""timestamp"": 1694809368.0, ""content"": ""Sold a pair of 1410s and 1420s to a couple different customers recently, and no stability problems or anything like that.""}, {""user"": ""c7qeh"", ""timestamp"": 1694818525.0, ""content"": ""Been running PA-1410 on 11.0 for a few months now, upgraded from 3220s. Pretty routine / boring / nothing much to report. Also running a few PA-440 on 10.2, upgraded from PA-850 and same. Very same s%it, different day. Hell, the PA-1410 fielded a 800k+ DoS attack like a champ a few nights ago\u2026""}, {""user"": ""5jh7pojzs"", ""timestamp"": 1694814160.0, ""content"": ""11.0 is a no go, 10.2 either. 10.1 is the only stable OS with some decent longevity left. \n\nSource: work support for a major palo ASC.""}, {""user"": ""p1pda"", ""timestamp"": 1694811929.0, ""content"": ""Same have a few pairs installed already with different customers and more expecting a PO soon. No issues to speak of. 11.0 has been good so far.""}, {""user"": ""j6gf6"", ""timestamp"": 1694818717.0, ""content"": ""Yeah. I might upgrade Panorama to 11 just to support a new 1410, and leave everything else at 10.1 for now until it\u2019s more consistent. But it sounds like 1410s are ok on 11 for now.""}]" +paloaltonetworks-7,"[{""user"": ""krpry"", ""timestamp"": 1694797289.0, ""content"": ""Title: old CVE's showing up on endpoint vulnerability assessment even though up to date\n Body: I am pretty new the vulnerability assessment tool. 
I have numerous endpoints with similar CVEs being listed but they seem to be out of date. For example i have one (of many) machine that has CVE-2023-23403. This one is solved by update kb5023696, however that update is superseded by kb5025221, which is superseded by update kb5026361 and so on. In the end the machine in question has the updates that makes the above CVE not valid. I know we can filter out CVE's from our report but what happens if a machine actually has that vulnerability? Does anyone have experience filtering these CVEs so that updates needed are accurate?""}]" +paloaltonetworks-8,"[{""user"": ""46d15a34"", ""timestamp"": 1694796151.0, ""content"": ""Title: Add PSexec to Cortex as exception\n Body: Hi all,\n\nI've been trying to execute PSexec on my machine, but Cortex always blocks it. \n\n\n \n\nScreenshot below:\nhttps://imgur.com/6DvainA\n\n\n \n\n\nDetails:\n\n Application information:\n Application name:\tWindows host process (Rundll32)\n Application version:\t10.0.22621.1 (WinBuild.160101.0800)\n Application publisher:\tMicrosoft Corporation\n Process ID:\t27588\n Application location:\tC:\\Windows\\System32\\rundll32.exe\n Command line:\t\""C:\\WINDOWS\\system32\\RunDll32.exe\"" \n C:\\WINDOWS\\System32\\SHELL32.dll,RunAsNewUser_RunDLL Local\\{4ddb9f3f- \n 700c-4bd6-9fc0-eaf85c01d25b}.000001cc\n File origin:\tHard drive on this computer\n User name:\tadmin_as\n \n Prevention information:\n Prevention date:\tFriday, September 15, 2023\n Prevention time:\t12:35:44\n OS version:\t10.0.22621\n Component:\tBehavioral Threat Protection\n Status code:\tc0400067\n Prevention description:\tBehavioral threat detected\n Additional information 1:\tRule amsi_malicious.b.773263364473\n\n\n\n\n \n\nI've created a new malware profile and added the psexec path to it, and assigned the policy to my machine. 
\n\nStill has the same issue.\n\n\n \n\nI only want to enable PSexec to be run on a machine (my machine).**Is there any way to do this?** \n\n \n\nPA Support tells me that exception cannot be added.""}]" +paloaltonetworks-9,"[{""user"": ""8vst355xo"", ""timestamp"": 1694766637.0, ""content"": ""Title: High Availability on ESXi for Panorama VM\n Body: Hi, \n\nwe will deploy panorama VM on esxi server, but only bought 1 panorama license.\n\nSo our users want to use high availability from the hypervisor Esxi. Im not familiar with esxi/vsphere.\n\nThe question is, if we trigger high avilability from Esxi/vsphere, is the UUID and CPUID will change?\n\n​\n\nThanks,\n\nDenny""}, {""user"": ""bz77iuek"", ""timestamp"": 1694767318.0, ""content"": ""UUID and CPUID are unique to each firewall vm""}, {""user"": ""bz77iuek"", ""timestamp"": 1694767346.0, ""content"": ""They wont change if you implement HA""}, {""user"": ""8vst355xo"", ""timestamp"": 1694769789.0, ""content"": ""even HA from esxi?""}, {""user"": ""bz77iuek"", ""timestamp"": 1694772301.0, ""content"": ""Yes""}]" +paloaltonetworks-10,"[{""user"": ""dqlcisgg0"", ""timestamp"": 1694766381.0, ""content"": ""Title: Can create Zone for Shared Gateway on Panorama\n Body: Hi All\n\nI have a pair of Panorama managed firewalls and trying to configure a zone for the shared gateway but unable to do so . It just hangs ( Please see attachment )\n\nHowever I can perform the task locally on the firewalls although that s not the recommendation .\n\nHas anyone come across a similar situation ? Any help will be greatly appreciated . I m using version 10.2.4-h2 on both Panorama and the NGFWs\n\nLooking forward to hearing from you and thanks in advance.\n\n​""}]" +paloaltonetworks-11,"[{""user"": ""m252bam4"", ""timestamp"": 1694753442.0, ""content"": ""Title: Pa 200\n Body: Hello everyone! I am trying to setup an pa 200 just for learning purposes but I am a bit stuck at the moment. 
I am connecting to it via ethernet and configuring the Ip to a static ip and I'm still not having luck with it. Could someone please give me a bit if help?""}, {""user"": ""16m5mf"", ""timestamp"": 1694754449.0, ""content"": ""Do you have any policies in place to allow traffic to flow?""}, {""user"": ""b9ysa1a2"", ""timestamp"": 1694772789.0, ""content"": ""Are you connecting to your ethernet to the management port? You should be able to console into the device via the console port and check the management interface configuration \u201cshow interface management\u201d and change the IP address accordingly, don\u2019t forget to commit. If you\u2019re still having issues you should reset the entire device to its factory settings. One last thing you could try is disabling your firewall on your PC, assuming you\u2019re on a Windows machine""}, {""user"": ""m252bam4"", ""timestamp"": 1694770190.0, ""content"": ""I think I do. I am not able to change the Ip to find and manage it through my browser for some reason.""}, {""user"": ""7uevj7r2"", ""timestamp"": 1694787477.0, ""content"": ""does it have an IP address? if yes you can put a static IP on your computer on the same network and connect direclty your PC to the MGT port. From there you can have access to web UI""}]" +paloaltonetworks-12,"[{""user"": ""g5qd48tnl"", ""timestamp"": 1694716372.0, ""content"": ""Title: Blocking URLs that are using quic\n Body: Hi, trying to block a few URLs that are using the quic protocol. Could this be accomplished by using FQDNs since they are also on layer 4 with application set to 'quic'. I'm hoping this will block the quic traffic for the URLs and revert it back to TLS/SSL where it will be blocked by category.""}, {""user"": ""2z38uxaj"", ""timestamp"": 1694716664.0, ""content"": ""If you want to use URL filtering block Quick App and Encrypted DNS as one of your top rules. Then URL filtering will work fine. 
\n\nThe clients will fall back to traditional protocols to continue to function.""}, {""user"": ""v7o149dc"", ""timestamp"": 1694728094.0, ""content"": ""Could I ask about the use-case? Is something preventing you from blocking quic as an application using a security policy?""}, {""user"": ""8e8pvsdc"", ""timestamp"": 1694744806.0, ""content"": ""Why not turn quic off in everyone\u2019s chrome browser? It\u2019s really not doing anyone any favors leaving that beta protocol enabled so google can use their client base as beta and often alpha testers.""}, {""user"": ""8qk1un9z"", ""timestamp"": 1694787672.0, ""content"": ""I just doesn't allow port 443 UDP from internal zones to external. Quic automatically downgrade to TCP and HTTP2/.0 or HTTP/1.1 when the port is closed.""}, {""user"": ""g5qd48tnl"", ""timestamp"": 1694717705.0, ""content"": ""Unfortunately, my scope is essentially just trying to block these URLs only. I am just hoping the traffic will match FQDNs or if I have to use IPs which isn't ideal.""}, {""user"": ""g5qd48tnl"", ""timestamp"": 1694732680.0, ""content"": ""Without getting into specifics, I am a small cog in the machine. I can't affect other rules or traffic essentially.""}, {""user"": ""14gpx8"", ""timestamp"": 1694779095.0, ""content"": ""You should do this as well as drop it at your perimeter. If you turn it off at the perimeter and don\u2019t turn it off on browsers, performance will suck because browsers will still try a QUIC connection first, wait for that to fail, then fall back to legacy protocols.\n\nIf you turn it off on browsers only, you stand the chance of missing a device, maybe someone has an unsanctioned browser, devices that are not under your management that make it on the network, etc..""}, {""user"": ""4yt6w"", ""timestamp"": 1694718656.0, ""content"": ""It should work with three rules, you'll need to test it.\n\n* Create an object group full of the individual objects of the FQDNs you want to apply this to. 
\n* Block any outbound to the internet zone with that object group as the addresses using quic protocol\n* Block any outbound to the internet zone with that object group as the addresses using either udp\\80 or udp\\443\n* Allow any outbound to the internet normally in susequent rules as determined without blocking quic, udp\\80 or udp\\443.\n\nWhat I don't know is if this will match a URL group. I say that because one of the issues with URL blocking (not FQDN) is that if it cannot match http or https, the URL group blocking is ignored, from my understanding. This is also why you don't mix URL blocking rules with other ports.""}, {""user"": ""6lriu4sg"", ""timestamp"": 1694746939.0, ""content"": ""That\u2019s generally the wrong way to do it because you\u2019ll potentially block other sites or won\u2019t block everything you intend.""}, {""user"": ""v7o149dc"", ""timestamp"": 1694739215.0, ""content"": ""Okay, fair...but that's where the rest of the policy comes in. If you want to block quic for your team, use address group or user groups to limit the scope of the impact.""}, {""user"": ""8e8pvsdc"", ""timestamp"": 1694782970.0, ""content"": ""Good point, trust but verify. Trust you disabled all of them and verify by blocking the protocol at the edge.""}, {""user"": ""g5qd48tnl"", ""timestamp"": 1694719196.0, ""content"": ""Thank you this is kind of what I had in mind, I will give it a shot and hope for the best""}, {""user"": ""4yt6w"", ""timestamp"": 1694732122.0, ""content"": ""We did the reverse, which is created a quic allow group, mostly because we actually ran into one site used by an internal team that didn't like quic being blocked. All other quic, upd\\80 and udp\\443 is blocked, forcing quic off for everything else. 
\n\nI know that works fine, I don't see why the reverse wouldn't work as well.""}]" +paloaltonetworks-13,"[{""user"": ""bz77iuek"", ""timestamp"": 1694733724.0, ""content"": ""Title: Disk Type for Panorama Log Storage on Azure\n Body: Hi everyone, \n\nWhat is the recommended disk type (Standard HDD, Standard SSD or Premium SSD) for log storage on Panorama in Azure? \n\nNone of the documents (Deployment Guide, KB, Panorama Admin guide) address this and I'm trying to design a cost-effective solution.\n\nThanks!""}, {""user"": ""5gj3sjhny"", ""timestamp"": 1694737124.0, ""content"": ""Depends on the number of logs. More logs will need more iops. \nHow many firewalls sending logs? Any clue what the log rate will be?""}, {""user"": ""bz77iuek"", ""timestamp"": 1694737213.0, ""content"": ""There are 1 on-prem\n2 HA esxi \n2 HA in azure \nSending log \nHow do I define log rates ?""}, {""user"": ""5gj3sjhny"", ""timestamp"": 1694737322.0, ""content"": ""Unless there is crazy traffic going through those, I think you\u2019ll be fine with standard HDD. Standard SSD at most.""}]" +paloaltonetworks-14,"[{""user"": ""60u62"", ""timestamp"": 1694702832.0, ""content"": ""Title: Grouping rules for my PA tool\n Body: Hello there,\n\n​\n\nI'm a looking for a tool (in a wonderful world, that is free) to help me regroup my Pa rules.\n\n​\n\nI'm in an environment with a huge historic rules, that should be factorized IMO.\n\n​\n\nIs someone knowing a tool that could allow this kind of task ?\n\n​\n\nBest regards,""}, {""user"": ""6qgsi"", ""timestamp"": 1694707795.0, ""content"": ""expedition""}, {""user"": ""60u62"", ""timestamp"": 1694764181.0, ""content"": "">expedition\n\nI didn't know it is now working aside from migrating from other vendors FW. 
\n\n​\n\nThanks for the information, I will definitively take a look.\n\n​\n\nBest regards,""}]" +paloaltonetworks-15,"[{""user"": ""os3hi"", ""timestamp"": 1694676701.0, ""content"": ""Title: Threat Prevention vs Advanced Threat Prevention - huge cost increase?\n Body: Hi, we've been informed that the Threat Prevention subscription on our PAN-PA-3220 has been phased out and that we have to now opt for Advanced Threat Prevention which has resulted in a pretty significant price increase. Are there any options available for us to continue using TP? Or do we just have to eat the increased cost?""}, {""user"": ""15zxsi"", ""timestamp"": 1694687318.0, ""content"": ""Talk to your sales rep for tech refresh and Go for PA 1410, it'll give you better bandwidth and over all cost.""}, {""user"": ""i5gzh"", ""timestamp"": 1694681071.0, ""content"": ""Not sure who informed you of that but it\u2019s not the truth on a 3220""}, {""user"": ""7yor6"", ""timestamp"": 1694691794.0, ""content"": ""We pushed back and they allowed us to renew with regular threat prevention this year on our 3220s.""}, {""user"": ""c8iwwydk"", ""timestamp"": 1694677380.0, ""content"": ""I believe they still have to offer TP for firewalls in an air gapped environment since they wouldn\u2019t be able to have a cloud connection to take advantage of the \u201cA\u201d in ATP.""}, {""user"": ""11qli9"", ""timestamp"": 1694692594.0, ""content"": ""Tell your rep you will be shopping other vendors, that will change their tune.""}, {""user"": ""43ro04kl"", ""timestamp"": 1694743410.0, ""content"": ""Tell the rep to get you ATP for the price of TP- they do it all the time""}, {""user"": ""3up2qoit"", ""timestamp"": 1694687522.0, ""content"": ""And you can take advantage of the core bundles which will give you ATP, AURL, AW, DNS, and SD-WAN for the cost of 2.7 subs.""}, {""user"": ""qviia"", ""timestamp"": 1694713206.0, ""content"": ""Exactly what we did.""}]" +paloaltonetworks-16,"[{""user"": ""4wsimck3"", 
""timestamp"": 1694706758.0, ""content"": ""Title: Weird Global Protect Issue\n Body: I have an Global Protect Environment that consists of one Portal (Hosted in the Cloud) and three Gateways (On hosted in the Cloud and two others hosted on on-prem Firewalls). I currently have MFA Authentication setup through OKTA via Radius. We are currently running GP 6.1.0 and 10.2.x on the Firewall at this time.\n\nThe weird issue that I am noticing is specifically only for our windows endpoints is that when a user first launches their GP Agent and hits \""connect\"" the VPN process goes from \""**connecting**\"" then to \""**not connected**\"" and if left untouched for 4-5 seconds the agent will automatically prompts the user to sign in using their AD Creds. Once they sign in their is no further issues and the connection works perfectly. The process of the VPN going from \""**connecting**\"" then to \""**not connected**\"" then randomly going to user sign-in after 5 undisturbed seconds creates concerns for us because if an end user keeps clicking \""**connect**\"" rather then waiting for 5 seconds while the app says \""not connected\"" they will get stuck in a loop. \n\nMy original theory on the issue was that perhaps that was something surrounding my authentication cookie configuration, however I am starting to think not the case, as this issue appears prior to the portal/gateway authentication stage.\n\nI have tried testing around with different versions of GP throughout the major versions of 5.x.x and 6.x.x and still notice this issue throughout the different versions. I have also tested with company managed PCs and my personal PC thinking that perhaps our company PCs have a setting that is causing this issue, but still this issue exists when trying to connect to the portal. This makes me believe perhaps its not the agent itself that's the issue but something on my portal instead Unfortunately, pantac has been of no help to me either. 
The are claiming that this is \""expected behavior\"" which I find it really hard to believe...\n\nAny thoughts on what may be wrong?""}]" +paloaltonetworks-17,"[{""user"": ""dqlcisgg0"", ""timestamp"": 1694683303.0, ""content"": ""Title: Apps and Threats Mismatch\n Body: Hi All\n\nI have a pair of Panorama managed Firewalls configured in a HA Setup . However I m observing a mismatch on the App and Threat versions across both devices . Although the \""Synch To Peer\"" option is enabled on the App and Threat schedule settings they both appear to be running on different versions ( Please see attachments for reference)\n\nHow do I best fix that ?\n\nThanks in advance""}, {""user"": ""38yqnraq"", ""timestamp"": 1694704177.0, ""content"": ""The \""Sync to peer\"" option is likely causing your problem. This option is only meant to be used to sync to Passive devices that are using a service route for Dynamic Updates and therefore cannot retrieve the updates themselves while the dataplane is passive and down. 
If a device tries to install it's own dynamic updates at the same time that the peer is trying to sync to it the whole thing can fail.\n\nDisable the \""Sync to peer\"" on the schedules and just make sure that both devices are using the same Dynamic updates schedule.""}, {""user"": ""dqlcisgg0"", ""timestamp"": 1694685922.0, ""content"": ""Yes the clock is matching on both firewalls , this is synchronized by Panorama""}, {""user"": ""dqlcisgg0"", ""timestamp"": 1694695804.0, ""content"": ""It s sorted now , I use the \"" Check Now \"" option and downloaded and installed the version that matches the peer device .\n\nThanks for your help""}, {""user"": ""1jt5cf50"", ""timestamp"": 1694684826.0, ""content"": ""Did you verified the clock on each firewalls?""}, {""user"": ""4nafb"", ""timestamp"": 1694692925.0, ""content"": ""I see this happen occasionally on a HA Pair - it sometimes fixes itself on the next update or I manually download/install the update on one or both of the HA pair.\n\nUsually I notice that the latest version is downloaded but no active on one of them.\n\nNot using Panorama though.""}, {""user"": ""bf73y"", ""timestamp"": 1694723045.0, ""content"": ""Agreed. I just have both firewalls in a pair download the updates themselves and then you can create a rule in the log settings to let you know if an update fails.""}]" +paloaltonetworks-18,"[{""user"": ""cqa62xx"", ""timestamp"": 1694689484.0, ""content"": ""Title: Global Protect Error: Valid Cert required.\n Body: Hi\n\nI am having an issue with Global Protect on an M2 Macbook Pro. User cert is installed and trusted. I am using the latest install of Global Protect, and I am receiving an error saying that a valid cert is required for connection. The cert has a one year expiry date set. The same cert is working 100% on a Windows system. \n\nAny advice would be appreciated. ""}, {""user"": ""ao50hldk"", ""timestamp"": 1694694431.0, ""content"": ""Is the private key installed along with the cert? 
And the mac itself recognizes that the cert had the full CA chain trusted and installed?""}, {""user"": ""2z38uxaj"", ""timestamp"": 1694807747.0, ""content"": ""If you control the firewall I have had the best luck with MAC allowing the firewall to first push the certs down to the host and then doing a check for them. Manual is hit and miss typically.""}, {""user"": ""cqa62xx"", ""timestamp"": 1694703809.0, ""content"": ""The Root and the Issuing CA cert are installed yes. All certs are set as trusted.""}, {""user"": ""ao50hldk"", ""timestamp"": 1694706899.0, ""content"": ""Besides that yea private key would be the last thing. Are they in the user store or in the machine store?\n\nThe portal has a setting to where it searches either user\nOr machine store, set it to both for testing if it\u2019s already isn\u2019t there.\n\nTake pcaps on the Mac and check the ssl handshake where the sever is requesting client auth, then check to see what the client sends, is the client cert portion 0 bytes?""}]" +paloaltonetworks-19,"[{""user"": ""80kgfvtr"", ""timestamp"": 1694684826.0, ""content"": ""Title: Bidirectional Support in Prisma Cloud\n Body: Hello everyone, I had a doubt. Does Prisma cloud has Bidirectional support for status and severity changes. Like if I change status or severity on Prisma Cloud, can the same thing change on my platform automatically as well, and vice-versa. ? ""}, {""user"": ""kevpn"", ""timestamp"": 1694704009.0, ""content"": ""When you say \u201cplatform as well\u201d, what do you mean by that? Cloud providers don\u2019t natively have CSPM capabilities unless you\u2019re paying for something else, in which case we\u2019d need to know what that something else is.""}]" +paloaltonetworks-20,"[{""user"": ""7m4fg2wbv"", ""timestamp"": 1694664836.0, ""content"": ""Title: Restricting GlobalProtect user access rights in security rules\n Body: Hello everyone\uff0c\n\nThere is such a requirement. 
The customer wants to restrict the access rights of GP users in the security policy, and then the following configuration on firewall\n\nwe need to add AD domain control to the firewall, configure server profile and authentication profile. and complete the configuration of gp gateways and portals ,\n\nIs it necessary to do group mapping?\n\nConfiguration requirements\uff1a\n\nhttps://preview.redd.it/k90cckmzb5ob1.png?width=1031&format=png&auto=webp&s=ec379ebc3a32439c557c23b88ae4ff634ce197c1""}, {""user"": ""3kx8u"", ""timestamp"": 1694666100.0, ""content"": ""you only need to do group mapping if you want to write rules based on group membership. If all you want AD for is authentication, then you don't need to deal with group mapping.\n\nThat said, group mapping and being able to write rules based on user group membership is pretty awesome, and GlobalProtect users are a great use case for this, since by nature all of them will have been authenticated and the firewall knows who they are. UserID is more complicated for on-prem users.""}, {""user"": ""4yt6w"", ""timestamp"": 1694666547.0, ""content"": ""This is an answer in two parts. \n\nFirst, you want to set up User-Identification. This leverages a server profile (to your AD domain, usually under Server Profiles - LDAP.) But it also references the User and Group Attributes and usually a Group Include List for things that are searched within AD. To do this you'll leverage a base and bind DN with account/password that is allowed to do those lookups. You'll also need one or more AD servers that will allow the lookups from that account. \n\nAfter that's done, then the reference of the user from GP into a policy is as easy as adding that under the source category as the domain\\user and performing the allow or block as needed. 
You can also do this by group.\n\nI apologize I don't have examples to link but adding User-ID based on AD is WELL covered on the Palo Alto online documentation.""}, {""user"": ""12a1gw"", ""timestamp"": 1694722958.0, ""content"": ""Hi u/tom_xia\n\nIf you only want to restrict GP users specifically, and don't need group mappings, you can just create the security policy using the GP zone. I guess you've created a specific zone for your GP clients?\n\nAs soon as you use GP, you will already have the User-ID mappings collected from the GP agent.\n\nIf you need User-ID information distributed to other firewalls, look up Data Redistribution.\n\nHope it helps, or feel free to comment any questions.""}, {""user"": ""7sfhnl2p"", ""timestamp"": 1694790625.0, ""content"": ""You can use SLDAP, SAML and Azure Directory Services to do your security group mappings \n\nor \n\nIf you want to go simply old school you can just add local user accounts to your PaloAlto and do GP that way but of course there are security considerations with this.""}, {""user"": ""7m4fg2wbv"", ""timestamp"": 1694671554.0, ""content"": ""Thank you for your answer. What I understand is that there is no need to configure group mapping.""}, {""user"": ""7m4fg2wbv"", ""timestamp"": 1694671705.0, ""content"": ""What you said is very detailed and professional.I will do further testing next time, there should be no problem.\n\nThank you\uff01""}, {""user"": ""60u62"", ""timestamp"": 1694702220.0, ""content"": ""100% agree that User-ID / Group-mapping is a really good feature. Also note that your PA will be able to map also local users (without global protect), which is allowing a lot of flexibility in your rules writing.""}]" +paloaltonetworks-21,"[{""user"": ""djpc5"", ""timestamp"": 1694676546.0, ""content"": ""Title: GlobalProtect disconnecting in remote desktop\n Body: I have a desktop that runs scripts that require access to a specific folder. To access this folder, GlobalProtect needs to be 'on'. 
This desktop is access remotely by two users (I and another member of my team). To access this desktop, I have to have GlobalProtect 'on' in my laptop.\n\nWhat I need is to have GlobalProtect always 'on' on the desktop. However, every time I log into the desktop, GlobalProtects asks for my credentials, so, I think GlobalProtect is randomly disconnecting, because the scripts cannot reach the specific folder.\n\nIs there something I can do to prevent that from happening?\n\nThanks.""}, {""user"": ""c8iwwydk"", ""timestamp"": 1694677640.0, ""content"": ""GP can be configured as \u201calways-on\u201d so that if there are network issues it will reconnect automatically.\n\nThe use case it solves are for where you want an endpoint to be connected immediately at login for a user. You can even configure it so that it connects before a user even logs in if you want.\n\nBut it sounds like it will help you here too.""}, {""user"": ""djpc5"", ""timestamp"": 1694680477.0, ""content"": ""I have requested the \""always-on\"" to be enabled, which I received confirmation it was, but it does not seem to be working. By looking at the docs, I did not find anything I need to do from the endpoint. Maybe I am missing something?""}, {""user"": ""xbtmk"", ""timestamp"": 1694819992.0, ""content"": ""The moment you log in to the computer via RDP, the pre-logon (always-on) session is terminated and a user-session must begin (credential popup). 
In order for the pre-logon session to persist after a user logs in, the `Pre-Logon Tunnel Rename Timeout (sec) (Windows Only)` option should be `-1` or set to an extended period of time in which you think you'd be able to sign in manually before it terminates.\n\nside note: Globalprotect will not take single sign-on credentials through globalprotect.""}]" +paloaltonetworks-22,"[{""user"": ""6puhf"", ""timestamp"": 1694640515.0, ""content"": ""Title: BGP Only Advertise Subnet from Larger Advertisement\n Body: Hi all,\n\nApologies if this is a dumb question, but hitting a bit of a brick wall and my google-fu is coming up short.\n\nDoes anyone know if/how you can export a route via BGP to a peer that is a subnet of a summarised route learnt from a different BGP peer (different AS)?\n\nFor example, if I'm learning [10.10.0.0/18](https://10.10.0.0/18) from BGP Peer 1 on AS1, how can I just export [10.10.40.0/24](https://10.10.40.0/24) to a different BGP peer on say AS2?\n\nIf I try to restrict the IP in the export filter, it just doesn't match (which makes sense), and doesn't get exported.\n\nThe only hit I can find is a Palo page on using route tracking to redistribute a static, which seems a touch hacky/not-easy to support (well I say support, more I worry others coming along to support this later down the line would scratch their head).\n\nThanks all!""}, {""user"": ""4yt6w"", ""timestamp"": 1694665511.0, ""content"": ""You'd have to use a static and redistribution via BGP, along with an export filter. You could go the OTHER way, like having 10.10.40.0/24 as an advertised BGP route to you and you send 10.10.0.0/18 as a summary route, but otherwise you're wanting to advertise something MORE specific than you're getting. So .... static and redistribute via BGP.\n\nMy guess, based on your use of private routes is that you're the sole peer that will advertise that to AS2? At that point what's the harm in using the static to source it from your gear? 
\n\nThis is when you have to traffic engineer routes a bit. If you don't get that route directly but are NOT the sole source of that route to AS2, then why are you wanting to source it from yourself? If AS2 is getting it from another source but you are backup, prepend it to them instead of just sending it out as a static redistributed into BGP.""}, {""user"": ""6puhf"", ""timestamp"": 1694678468.0, ""content"": ""Thanks all, sounds like my fears/approach are confirmed (thanks for being a sounding board!).\n\nUnfortunately I'm getting /18's, so for now I'll have to keep to advertising the /18 across as think it will be simpler for future engineers to pick up.""}, {""user"": ""yy2by0u"", ""timestamp"": 1694643737.0, ""content"": ""Are you seeing the 10.10.40.0/24 in your RIB or just the aggregate? If just the aggregate then you\u2019ll need to generate the route somehow BUT depending how you generate the route you can introduce unwanted results. Maybe static towards BGP peer in AS1 and then redistribute.""}, {""user"": ""bknba"", ""timestamp"": 1694716986.0, ""content"": ""Do you control Peer 1? If you do, this might be an option:\n\nhttps://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000kFJLCA2""}, {""user"": ""x04u8"", ""timestamp"": 1694658069.0, ""content"": ""This is basically accurate. To add some clarification. To advertise a prefix (subet) u have to have exactly that prefix in your route table.""}]" +paloaltonetworks-23,"[{""user"": ""64lm8o2w"", ""timestamp"": 1694643779.0, ""content"": ""Title: Learning palo alto and PCNSA\n Body: Hi everyone, \n\nI'm interested in learning palo alto firewalls but don't know where to start. I saw the PCNSA certification on their website and I'm willing to learn and study for it. I recently got my ccna so I'm pretty confident in basic networking. My question is, what's the best resource (free if possible) to learn this stuff? 
I saw that there is self-study material they provide on their website but is there more to it? In terms of getting hands-on experience/labbing, what's the best way to go about it? I'm willing to pay if need be but I'm also looking for something inexpensive. ""}, {""user"": ""iwa56tljh"", ""timestamp"": 1694721878.0, ""content"": ""today I passed my exam with exam dumps . try now and clear your exam in first attempt: [https://www.pass4surexams.com/palo-alto-networks/pcnsa-dumps.html](https://www.pass4surexams.com/palo-alto-networks/pcnsa-dumps.html)""}, {""user"": ""16m5mf"", ""timestamp"": 1694656001.0, ""content"": ""There are some great courses at Udemy everything from basic to advanced firewall configuration. Palo Alto Live also has bunches of videos on configuration.\n\nHere is a what to do after unpacking the NGFW kind of a course 0.\nhttps://www.youtube.com/watch?v=f0hHcITXqDw""}, {""user"": ""64lm8o2w"", ""timestamp"": 1694662109.0, ""content"": ""Thanks I'll check those out. But how about actual hands on/lab experience. Is there anything similar to how the ccna has packet tracer?""}]" +paloaltonetworks-24,"[{""user"": ""1bhdcdb"", ""timestamp"": 1694621793.0, ""content"": ""Title: Palo Alto 410 - Default route behaivor?\n Body: Hi all,\n\nI have a PA-410 at a site, and I have two ISP connections on two different interfaces. The default route for both of these connections is a [0.0.0.0/0](https://0.0.0.0/0) with the Primary one being metric 10 and the secondary being metric 200. When the primary goes down or can't ping out, it is swapped over to the secondary. I use an external ping monitor application to monitor these connections. For some reason, even though the default route is the primary one for this site, I'm still able to ping the IP address on the secondary interface from outside on the internet. Why is this? 
All other sites with this configuration I cannot ping the secondary IP until the first one goes down (as it should be as the firewall has no default route out to reply back).\n\nI have verified this by issuing 'show routing fib' and see the primary being the default.\n\nI see the pings in the firewall logs hitting my firewall to the secondary IP being allowed through. Why is my firewall responding?\n\n​\n\nEdit: I should note that these two interfaces are the in same zone. I see the traffic being allowed as \""intrazone default\"".""}, {""user"": ""151ozs"", ""timestamp"": 1694642757.0, ""content"": ""My experience is that Palos will allow session traffic across multiple interfaces so long as they are in the same zone. So when pings come in on ISP2, the Palo will send the replies using ISP1 and its default route.\n\nAre the ISPs in the same zone at the other sites?""}, {""user"": ""i5gzh"", ""timestamp"": 1694630291.0, ""content"": ""Sounds like the default route isn\u2019t being removed out the primary. Are you doing any tracking? You\u2019d need to track IPs out the default and make the default route dependent on those. If those fail you can remove the default route automatically""}, {""user"": ""ks5ff"", ""timestamp"": 1694639890.0, ""content"": ""Why not enable ecmp and just use both isp links? Actually you may be doing that aready? Check if ecmp is enabled could explain what is happening""}, {""user"": ""3c7af5b5"", ""timestamp"": 1694650048.0, ""content"": ""Can you post a screenshot of your static routes?""}, {""user"": ""2iok9w7f"", ""timestamp"": 1694662367.0, ""content"": ""This. Exactly. Because the interfaces are in the same zone it isn\u2019t seen as an asymmetric flow.""}, {""user"": ""38yqnraq"", ""timestamp"": 1694704804.0, ""content"": ""Yes, and the likely reason you are seeing a return on the ping at this site compared to others is that the ISP at this site is not fussy about forwarding packets from source IPs that don't match your assigned IPs. 
Other ISPs might drop it as a spoofed packet.""}, {""user"": ""1bhdcdb"", ""timestamp"": 1694631970.0, ""content"": ""Tracking as far as path monitoring? If so, yes it is monitored. I see the primary being up and is reflected in show routing fib. But the secondary IP on the other interface can still be pinged even though the monitor for the primary is up. In show routing fib, the primary default route is the proper one, not my secondary ISP connection. I do have monitoring on the secondary as well, in the case that fails as well as the primary, it falls back to our cellular backup. Secondary monitor is up, but route is not in fib table as the primary isn't down.""}, {""user"": ""1bhdcdb"", ""timestamp"": 1694640263.0, ""content"": ""We are not using ECMP. We don't want to use both ISP links for general internet traffic, as the secondary is used for our primary link for SD-WAN. Only time we use the secondary link for general client internet access is if the main internet goes down.""}, {""user"": ""i5gzh"", ""timestamp"": 1694632684.0, ""content"": ""Screenshot your path monitoring settings. Try remove sensitive data""}, {""user"": ""1bhdcdb"", ""timestamp"": 1694635861.0, ""content"": ""[https://imgur.com/a/b2IbUtb](https://imgur.com/a/b2IbUtb)\n\nHere you go, no sensitive info as we use templates/variables.""}]" +paloaltonetworks-25,"[{""user"": ""yy2by0u"", ""timestamp"": 1694639399.0, ""content"": ""Title: Global Protect Connecting to Portal Post-Install\n Body: Does anyone know what registry settings prevents Global Protect from automatically trying to login post-install? This is before initial connection to the portal/gateways.""}, {""user"": ""yy2by0u"", ""timestamp"": 1694659012.0, ""content"": ""We push custom options to use on-demand, default browser for SAML, and the portal address that\u2019s about it. But immediately after install it tries to connect to the portal and then fails, this is all before the user interacts with the GP client. 
So it\u2019s an unwanted result and tried all the different registry keys with no success.\n\non-demand\nuse-sso\nconnect method""}, {""user"": ""shq4z6me"", ""timestamp"": 1694650873.0, ""content"": ""What connect method are you using? Believe default is user logon(always-on).\n\nIf deployed/installed with on-demand should resolve auto connect on installation.""}, {""user"": ""7m4fg2wbv"", ""timestamp"": 1694666040.0, ""content"": ""Set the Global Protect connection method to On-demand (Manual user initiated connection)""}, {""user"": ""yy2by0u"", ""timestamp"": 1694686858.0, ""content"": ""It is set to on-demand via the install options. For some reason it tries to initially connect to the portal after install.""}]" +paloaltonetworks-26,"[{""user"": ""f8pfz"", ""timestamp"": 1694632956.0, ""content"": ""Title: Dual ISPs with ECMP and static route monitoring - Path monitoring fails on second route every 30-60 minutes - is this a bug?\n Body: Hi all, hoping somebody has faced a similar situation to me with configuring dual ISPs with a PA firewall. \n\nWe recently brought in a second ISP line to our building and opted to use ECMP to aggregate the links and provide failover. I configured a single virtual router with 2 default routes (1 route to each ISP) with the same metric. I enabled path monitoring on both routes using Cloudflare and Google DNS servers as the targets. Failover condition is set to all, with a 2 minute pre-emptive hold time. I also enabled ECMP, with Symmetric Return and Strict Source Path enabled, Load balancing is IP Hash using source/destination ports. I configured the appropriate NAT for each ISP as well.\n\nThe issue I'm facing is that every 30-60 minutes or so, the path monitoring fails for ISP2. It's ALWAYS ISP2. I tested the ISP2 circuit independently didn't find any issues. This failure is causing major issues as connections seem to randomly drop. 
\n\nMy hunch is the route monitoring packets for ISP2 are occasionally going through the wrong interface (ISP1), which is causing packets to drop and the link to fail. Is there a configuration I am missing somewhere? \n\nI'm running PanOS 10.2.4-h4 on a PA-450. I also tried PanOS 10.2.3-h4 and 10.2.5 - all exhibit the same issue. \n\n​""}, {""user"": ""briif"", ""timestamp"": 1694639411.0, ""content"": ""I have same config running perfectly for months+ on 10.1.x track in half dozen sites.""}, {""user"": ""1bvg0jmi"", ""timestamp"": 1694650632.0, ""content"": ""I've never had an issue with this. The only thing I do that you didn't mention is that I put extra static routes each direction for the IPs that I'm tracking for each. I'm 99% sure that's not necessary though, since it sources those tracking pings from the appropriate interface.""}, {""user"": ""f8pfz"", ""timestamp"": 1694642700.0, ""content"": ""Hmm.. wonder if it's something to do with 10.2.x series firmware then. Or perhaps a bug with PA-44x series. It's absurd how intermittent this issue is.\r \n\r \nI followed all available documentation to a T. The fact that the monitoring packets drop randomly after 30-60 minutes is really perplexing. I tested the circuit for hours and there were no issues.\r \n\r \nI might go the dual-virtual router method to see if it fixes the problem. Unfortunately ECMP doesn't work with multiple VRs (AFAIK). I'm beginning to hate PA now. Too many stupid little bugs that are adding up.""}, {""user"": ""15zxsi"", ""timestamp"": 1694655892.0, ""content"": ""Add static routes for each monitoring IP and point out to next hop.""}, {""user"": ""briif"", ""timestamp"": 1694645538.0, ""content"": ""Disable ecmp and change route metric to use ISP2 only for a day or two (keeping route monitoring in place) to see if the problem remains? 
\n\nOr make ISP1 the active, but put a policy based route in for a single host to do checks via firewall for a single inside device you control to see if you still see failures.""}, {""user"": ""f8pfz"", ""timestamp"": 1694717688.0, ""content"": ""u/bryanether u/shoieb-arshad\n\nThat's an interesting suggestion. So how would this work? If my monitoring IP is [1.1.1.1](https://1.1.1.1), do I create two additional static routes, one for each ISP, with the same metric using the respective gateway for each ISP? ie:\n\n**Static Route #1:** \n`Destination: 1.1.1.1/32` \n`Interface: ethernet1/1` \n`Next Hop: IP Address ` \n`Admin Distance: ` \n`Metric: 10`\n\n**Static Route #2:** \n`Destination: 1.1.1.1/32` \n`Interface: ethernet2/1` \n`Next Hop: IP Address ` \n`Admin Distance: ` \n`Metric: 10`""}, {""user"": ""1bvg0jmi"", ""timestamp"": 1694659444.0, ""content"": ""Yep, that's what I do. Just because I want 100% predictable behavior.""}, {""user"": ""f8pfz"", ""timestamp"": 1694649055.0, ""content"": ""Thanks for the suggestion. I'll try disabling the ECMP and will keep route monitoring in place. Will see how things look over the next day or two. \n\n Unfortunately I have two site to site VPNs configured on ISP1, and I haven't been able to get the tunnel to work properly with ISP2. So many cascading issues, trying to debug one at a time.""}, {""user"": ""1bvg0jmi"", ""timestamp"": 1694717955.0, ""content"": ""I always use different monitoring IPs too. Like 8.8.8.8 and 1.1.1.1 on the primary connection, and 8.8.4.4 and 1.0.0.1 on the secondary.""}, {""user"": ""15zxsi"", ""timestamp"": 1694718195.0, ""content"": ""No. \n\nonly add static route #1. And monitor for ISP1\nThen for static route #2 put 8.8.8.8/32. And monitor for ISP2.\n\nJust make sure it 1.1.1.1 is always ISP1. 
And 8.8.8.8nis always ISP2.""}, {""user"": ""38yqnraq"", ""timestamp"": 1694705296.0, ""content"": ""How did you test the pings to google/cloudflare on ISP2?\n\nSo far I'm hearing you say you have 2 problems that only happen on ISP2. That seems like a red flag to me.""}]" +paloaltonetworks-27,"[{""user"": ""gg3d6"", ""timestamp"": 1694627934.0, ""content"": ""Title: Need some help updating lists in security policy via CLI and the syntax.\n Body: Hello!\n\nI'm trying to work with the following item from one my security policies\n\nset device-group Alpha\\_Template pre-rulebase security rules \""Permit X to Y\"" application \\[ ms-office365 outlook-web-online smtp ssl web-browsing \\] \n\nI want to remove smtp via cli. But when I issue the following command:\n\nset device-group Alpha\\_Template pre-rulebase security rules \""Permit X to Y\"" application \\[ ms-office365 outlook-web-online ssl web-browsing \\] \n\nIt just adds the items in the new list, changing nothing. It doesn't treat the command as being the absolute list I want applied. Searching Palo Alto's CLI references have come up with nothing, likely because I'm not asking the right question. Can anyone give me some guidance?\n\n​""}, {""user"": ""ibia0"", ""timestamp"": 1694636256.0, ""content"": ""Use the starting keyword 'delete' and post application 'smtp'\n\nShould remove just SMTP from that rule""}, {""user"": ""91wqd"", ""timestamp"": 1694637896.0, ""content"": ""delete device-group Alpha\\_Template pre-rulebase security rules \""Permit X to Y\"" application \\[ smtp \\]""}, {""user"": ""gg3d6"", ""timestamp"": 1694637994.0, ""content"": ""Thank you. It felt weird to use delete since previously I only used it to delete whole policies.""}, {""user"": ""ibia0"", ""timestamp"": 1694638073.0, ""content"": ""It's still danger mode everytime I think about doing it (and use it often). 
Always lab test that delete command there first!""}]" +paloaltonetworks-28,"[{""user"": ""5qq8l"", ""timestamp"": 1694626284.0, ""content"": ""Title: HIP Check for Minimum MacOS Versions?\n Body: So I've been struggling to get an answer from Palo Alto support about this and wanted to ask the group. We're trying to get a HIP check to enforce minimum versions of MacOS and it's been difficult to get an answer. \n\nAt a high level, we'd want to pass clients who are running a MacOS higher than one of the three releases.\n\n12.6.9 +\n\n13.5.2 +\n\n14.0.1 +\n\nIs this even reasonably doable? It seems like this should be an easy regex but I'm running into dead ends from the PA team.""}, {""user"": ""kmxur"", ""timestamp"": 1694627945.0, ""content"": ""You're going to need to define HIP objects for each of the allowed versions, and then use them in a HIP profile. The OS identification is a Contains match, not regex.""}, {""user"": ""bf73y"", ""timestamp"": 1694632629.0, ""content"": ""Make sure you have the GlobalProtect Data File set to download and update in the dynamic updates section. Same place as the content updates""}, {""user"": ""5qq8l"", ""timestamp"": 1694637305.0, ""content"": ""That makes sense, if only PA explained it to us that way.""}]" +paloaltonetworks-29,"[{""user"": ""cn3l7k32"", ""timestamp"": 1694620685.0, ""content"": ""Title: How to delete Panorama pushed configure\n Body: Trying to delete a specific network configuration( IPsec tunnel) pushed from panorama .\n\nIf I select the override option, I can make modifications but I can\u2019t delete it completely from the Firewall.\n\nIs there a way to delete the panorama pushed configuration without disconnecting the firewall from panorama and making the configuration all local.""}, {""user"": ""em3neum"", ""timestamp"": 1694621911.0, ""content"": ""Not if it's in the Template that is being pushed to the FW. 
The only way to not push it to the FW would be to delete it from the Template or move that config to a Template that doesn't apply to that FW.""}, {""user"": ""91wqd"", ""timestamp"": 1694637771.0, ""content"": ""If you need to delete it completely remove the tunnel configuration from the template being used and do a full push of the template stack to the firewall.""}]" +paloaltonetworks-30,"[{""user"": ""ucp8a"", ""timestamp"": 1694610128.0, ""content"": ""Title: Panorama Push with Force Template Values not working? via XML API\n Body: I am using the Panorma XML API on Software Version 10.2.4.\n\nI am trying to send an API request to get the Panorama to push to a specific template-stack and force the template values. However, even after copying the exact command from the XML API docs, the PA API is still returning an error.\n\nHere is the XML command I am sending:\n\n \n\nThis is the response I get back:\n\n \n\n \n \n template-stack -> force-template-values is invalid\\]\\]> \n \n \n \n\n\nIf I specify the template name, it works fine, e.g:\n\n my-cool-template\n\n​""}, {""user"": ""t2swg2j"", ""timestamp"": 1694615843.0, ""content"": ""Did you try specifying the name along with the force?""}, {""user"": ""t2swg2j"", ""timestamp"": 1694616415.0, ""content"": ""I think you may also have to specify a value of \u201cyes\u201d inside the force tag.""}, {""user"": ""ucp8a"", ""timestamp"": 1694617198.0, ""content"": ""Yes you are right thanks, I just figured this out now too.""}]" +paloaltonetworks-31,"[{""user"": ""o5x44"", ""timestamp"": 1694609921.0, ""content"": ""Title: Auto client update for Linux?\n Body: Good day\n\nI saw that the GP gateway is capable of promt a update message to the user when there is a client update. Does this works only on windows or does it also work for Linux and Mac?""}, {""user"": ""kmxur"", ""timestamp"": 1694628006.0, ""content"": ""It works for Mac and Windows. 
Not Linux or mobile.""}, {""user"": ""o5x44"", ""timestamp"": 1694628517.0, ""content"": ""Oh okay, thanks for the info!""}]" +paloaltonetworks-32,"[{""user"": ""2z38uxaj"", ""timestamp"": 1694549926.0, ""content"": ""Title: Ignite 1 day VS Ignite 3 day\n Body: Just touching base with the community looking for some feedback on how people are feeling about the 1 day Ignite at multiple cities VS the historical 3 single site conference.\n\nPersonally I am not in a large city where the conference it going to be so I have to travel for two days to attend a one day conference. It appears that the one day conference is moving away from technical and to more sales driven for C level type folks. Which does not interest me as an engineer.\n\nI hope personally hope they go back to that traditional Ignite conference. Would love to hear thoughts from the rest of the members here. Thank you!""}, {""user"": ""p1pda"", ""timestamp"": 1694555963.0, ""content"": ""Agree, a three day one I would have gone to, but as you say traveling for two days for a one day event makes no sense - I\u2019m on west coast.""}, {""user"": ""b84zwlas"", ""timestamp"": 1694561356.0, ""content"": ""The one day conferences this year are focused on content for senior mgmt and leadership, so I'll be skipping this year. It even says on the homepage that if you\u2019re a cybersecurity practitioner seeking technical demos, training, and certifications, you won\u2019t find those here.""}, {""user"": ""316f9mua"", ""timestamp"": 1694563884.0, ""content"": ""Agreed, as a pre and post sales engineer being able to interact with Palo SEs and other customer/channel partners was great. Now I dont have an event to go to for Palo. 
We wont attend a sales focused event.""}, {""user"": ""bf73y"", ""timestamp"": 1694583816.0, ""content"": ""I think it's dumb and confusing.""}, {""user"": ""3b04ti1j"", ""timestamp"": 1694598042.0, ""content"": ""As other have said, the new travelling Ignite is geared towards leaders and \""influencers\"" (jeeez). I have been to 3 day Ignite in the past and found it really valuable. Especially the technical breakout sessions, hands on labs and talking to SEs.""}, {""user"": ""1bvg0jmi"", ""timestamp"": 1694555715.0, ""content"": ""I just found out about the new 1 day format yesterday, and I'm absolutely not a fan. Spending 3 days in Vegas is basically torture to me (even ignoring that I got food poisoning at Ignite this year) but at least I get something out of going. I see no reason for me to go to the one day one.""}, {""user"": ""bs3ejnsb"", ""timestamp"": 1694607644.0, ""content"": ""Nothing good has come from Palo the last few years. 9.1 was rock solid for us, 10.1 has been a disaster of epic proportions. I thought they went cheap on last years Ignite Conference, looks like they're rolling down the hill a little further this time.""}, {""user"": ""pddpnfq"", ""timestamp"": 1694550153.0, ""content"": ""It's confusing to me that they use the same name as Microsoft's big conference every year.""}, {""user"": ""nqh6ed9"", ""timestamp"": 1694561683.0, ""content"": ""Wtf. Really a single day?! What are they thinking. I wonder if this is a foreshadow of other \u201cspecials\u201d to come?\n\nWhere did you officially hear/see that it\u2019s this single day format?""}, {""user"": ""d0116jewf"", ""timestamp"": 1694575775.0, ""content"": ""I\u2019ve been curious about this- has it been announced that there will not be a 3 day event as in prior years?""}, {""user"": ""uwrd82fs"", ""timestamp"": 1694751073.0, ""content"": ""Incredibly thought out! 
Please stop!""}, {""user"": ""2z38uxaj"", ""timestamp"": 1694607791.0, ""content"": ""100% this ^""}, {""user"": ""kevpn"", ""timestamp"": 1694559242.0, ""content"": ""Palo's actually got MSFT beat here I think on timing. Here's a page for [Ignite 2012 with Palo](https://www.paloaltonetworks.com/blog/cam/ignite-2012/index.html) and [here's Microsoft in 2015 deciding to call it Ignite](https://www.itprotoday.com/cloud-computing/microsoft-ignite-new-name-teched).""}, {""user"": ""kevpn"", ""timestamp"": 1694562742.0, ""content"": ""It\u2019s a touring program. Google \u201cignite on tour\u201d and you\u2019ll see it. It makes sense it\u2019s one day if they\u2019re traveling to your backyard, larger vendors do similar things (AWS where I live in comes to mind).""}, {""user"": ""2z38uxaj"", ""timestamp"": 1694564576.0, ""content"": ""[https://register.paloaltonetworks.com/igniteontour/](https://register.paloaltonetworks.com/igniteontour/)\n\nSE also confirmed this is all they are doing this year. \""New Format\"".""}, {""user"": ""kevpn"", ""timestamp"": 1694572380.0, ""content"": ""I\u2019m an employee but personal opinion: I think this is the future honestly. Corporate travel is going to continue to be less and less common (but still common, sure) and just look at how PITA it was for some people to get to SKO with that weather (which is also only going to progressively get more extreme)""}, {""user"": ""3up2qoit"", ""timestamp"": 1694575315.0, ""content"": ""I am a partner and from what we were told, there will be no partners attending ignite because it is for customers and SKO combined SE Summit, so it looks like there won\u2019t be a summit at the beginning of next year. That\u2019s kinda sad. 
I enjoy going.""}, {""user"": ""10ob38"", ""timestamp"": 1694590581.0, ""content"": ""Yeah, I loved the SE Summits and did not mind traveling for those\u2026""}]" +paloaltonetworks-33,"[{""user"": ""e83ra27h"", ""timestamp"": 1694561070.0, ""content"": ""Title: Systems Engineer interview\n Body: Hey all, been a long time and have an interview coming up as a system engineer, would like to know what to kind of questions to expect..my experience is as a generalist presales engineer...so understand all concepts on a high level""}, {""user"": ""dlz8m"", ""timestamp"": 1694575138.0, ""content"": ""People who have gone through the interview process generally have to sign NDAs, just a heads up.""}, {""user"": ""17i517"", ""timestamp"": 1694624868.0, ""content"": ""Don\u2019t try to be technical, be commercial. Very important! You\u2019ll learn the tech stuff on the job.""}, {""user"": ""suz08"", ""timestamp"": 1694611799.0, ""content"": ""Probably they want to understand 3 key things. \n\nHow well you communicate. \n\nYour knowledge of Cyber Security. \n\nYour commercial skills in the target segment for the role.""}, {""user"": ""ckgmojt"", ""timestamp"": 1694650308.0, ""content"": ""So I can answer this\n They ask you about your experience with Palo Alto and networking. Then on another interview is a very simple lab with simple tasks like creating a security policy""}, {""user"": ""141t1d"", ""timestamp"": 1694688749.0, ""content"": ""If its for pre-sales, talk about being the technical advisor for customers. An SE role is typically 40% sales / 60% tech. 
That can swap at times.""}, {""user"": ""e83ra27h"", ""timestamp"": 1694659131.0, ""content"": ""Thank you!""}, {""user"": ""e83ra27h"", ""timestamp"": 1694659114.0, ""content"": ""Thank you!""}, {""user"": ""e83ra27h"", ""timestamp"": 1694659124.0, ""content"": ""Thank you!""}, {""user"": ""e83ra27h"", ""timestamp"": 1694659102.0, ""content"": ""Thank you!""}]" +paloaltonetworks-34,"[{""user"": ""ua88e460"", ""timestamp"": 1694577816.0, ""content"": ""Title: After the rule blocked Quic App, the internet is getting slow\n Body: Dear Friends, \n\nHas anyone experience this before? After I create a security rule to block \""Quic\"" as suggested by Palo, I noticed my internet speed or my Chrome browser response is getting slow, or it was just me? I also placed the rule to somewhere down the bottom...\n\nThanks\n\nLarry""}, {""user"": ""46lxm"", ""timestamp"": 1694580394.0, ""content"": ""Set a group policy (or equiv) to disable QUIC in the browser as well. That will stop it from even trying, so in theory it might speed it up since it skips that step and will go straight to using http/https like it should.""}, {""user"": ""i5gzh"", ""timestamp"": 1694578971.0, ""content"": ""Disable QUIC in chrome and see if it helps. Your browser is going to try QUIC fail then use SSL. That whole process could be perceived as \u201cslow\u201d""}, {""user"": ""9twqtwg1"", ""timestamp"": 1694578308.0, ""content"": ""I haven\u2019t noticed a difference""}, {""user"": ""quitq"", ""timestamp"": 1694578454.0, ""content"": ""We cut off all-out quic access forcing Chrome to use 443 TCP and had no fall out. Looking at a large enterprise with 13 ish main sites and many smaller sister sites.\n\nBefore you blocked quic, did you add a rule to allow SSL/http/https traffic for access?""}, {""user"": ""3xxj5"", ""timestamp"": 1694617876.0, ""content"": ""If you're not using decryption, leave quic alone. 
Only reason to disable it is to force SSL inspection.""}, {""user"": ""3hczxhat"", ""timestamp"": 1694594902.0, ""content"": ""YouTube seems rubbish with quic blocked, might just unblock quic in the end :)""}, {""user"": ""nu9wc"", ""timestamp"": 1694583493.0, ""content"": ""We found using the app causes chrome to slow down. I use a global policy to reject udp 443 which works like a charm.""}, {""user"": ""9twqtwg1"", ""timestamp"": 1694599739.0, ""content"": ""Are you using decryption?""}, {""user"": ""6epgk"", ""timestamp"": 1694625332.0, ""content"": ""when you block quick make sure you select send icmp unreachable to reset the udp socket on the browser""}, {""user"": ""ua88e460"", ""timestamp"": 1694580907.0, ""content"": ""Thanks""}, {""user"": ""3939q"", ""timestamp"": 1694626235.0, ""content"": ""I feel stupid now for not having done this \ud83d\ude02""}, {""user"": ""ua88e460"", ""timestamp"": 1694581025.0, ""content"": ""Getting better after I disabled the quic..""}, {""user"": ""ua88e460"", ""timestamp"": 1694580892.0, ""content"": ""thanks""}, {""user"": ""ua88e460"", ""timestamp"": 1694578645.0, ""content"": ""Yeah, there is a rule basically allow internal - external any any to allow generaal internet access. Comes before Deny Quic.. Is it required to have another rule Allowing SSL HTTP HTTPS particularly? \n\n​\n\nThanks""}, {""user"": ""6lriu4sg"", ""timestamp"": 1694620740.0, ""content"": ""Except you won\u2019t be able to see a lot of web based apps either. It\u2019ll all show up as QUIC.""}, {""user"": ""4yt6w"", ""timestamp"": 1694666965.0, ""content"": ""> Only reason to disable it is to force SSL inspection.\n\nThis also applies if SSL inspection is handled further down the line. 
I know that should be obvious, but we leverage a separate platform for inspection and realized we forgot to block QUIC on the Palo, which is the first point where that can be done along the way.""}, {""user"": ""ua88e460"", ""timestamp"": 1694595588.0, ""content"": ""Yeah man, I am thinking the same...still noticeably slow ...""}, {""user"": ""ua88e460"", ""timestamp"": 1694584560.0, ""content"": ""Only UDP 443? Won't affect anything else other than Quic? \n\nThanks""}, {""user"": ""6lriu4sg"", ""timestamp"": 1694620947.0, ""content"": ""Even if they aren\u2019t, not blocking QUIC will cause web apps to show up as QUIC.""}, {""user"": ""ua88e460"", ""timestamp"": 1694609088.0, ""content"": ""Not really""}, {""user"": ""ua88e460"", ""timestamp"": 1694649612.0, ""content"": ""How would I do that? Thanks""}, {""user"": ""492u7klb"", ""timestamp"": 1694780592.0, ""content"": ""Same!""}, {""user"": ""vhclcucd"", ""timestamp"": 1694608684.0, ""content"": ""Yup you have it twisted in your post, it should read: \""Google's insistence on enabling a non-standard protocol by default in their browser is causing my internet to be slow.\""""}, {""user"": ""1dg8x369"", ""timestamp"": 1694591176.0, ""content"": ""Uhm, you have a rule that says permit any any to internet with applications any? and the quic rule comes afterwards? is that rule even hitting?""}, {""user"": ""quitq"", ""timestamp"": 1694579693.0, ""content"": ""Not necessarily required if you have the access in place, but we have things locked down significantly, so we try to be as specific as possible when we are writing rules.""}, {""user"": ""i5gzh"", ""timestamp"": 1694613590.0, ""content"": ""I don\u2019t have this problem. 
Across multiple clients and even at my house.""}, {""user"": ""3hczxhat"", ""timestamp"": 1694595872.0, ""content"": ""Yeah easier to just not deal with the whinging \ud83d\ude02""}, {""user"": ""nu9wc"", ""timestamp"": 1694584649.0, ""content"": ""Nothing yet.""}, {""user"": ""17h9qo"", ""timestamp"": 1694636641.0, ""content"": ""It is a standard protocol as of 2021, RFC 9000.""}, {""user"": ""h8df04r1"", ""timestamp"": 1694609263.0, ""content"": ""Network down, can't reach any site for all users after changes to firewall ...""}, {""user"": ""ua88e460"", ""timestamp"": 1694591342.0, ""content"": ""Sorry I moved it back top""}]" +paloaltonetworks-35,"[{""user"": ""a0tw8eaf"", ""timestamp"": 1694527548.0, ""content"": ""Title: what do your internet rules look like?\n Body: We moved from ASA's to Palo edge firewalls.\n\nI don't think we are versed enough on palo and think we may be doing our internet rules wrong.\n\nWe block every and allow what is needed. Pre-rules are basic lan to internet other than http/https rules like some ftp, ms-updates for our wsus servers, etc.\n\nOur thinking was have one \""final\"" post-rule that uses URL filtering to allow/block traffic for service http/https traffic, works great.\n\nMy issue is we want to allow certain AD groups to either job search sites, streaming sites (youtube, etc.), zoom.\n\nWe have these rules above the URL filtering rule, my issue is, when trying to use URL categories for the above rules it's not working and I was wondering if there was some other way we should be going about this?\n\n​\n\nexample\n\npre-rule 1\n\nsource: all users\n\ndestination: n/a\n\nURL category: custom zoom URL category with \\*.zoom.us, \\*.zoomgov.com\n\napplication: zoom, ssl, stun, zoom-info\n\n​\n\npost-rule 1\n\nsource: job-search AD group\n\ndestination: n/a\n\nURL category: custom job search URL group\n\nservice: service-http, service-https\n\n​\n\npost-rule 2\n\nsource: streaming AD group\n\ndestination: n/a\n\nURL category: 
custom streaming URL group\n\nservice: service-http, service-https\n\n​\n\npost rule 3 \""final/last\"" rule\n\nsource: all domain users\n\ndestination: n/a\n\nURL Filter: Allows/Denys normal pre-defined categories and some custom categories (streaming-media and internet-communications-and-telephony are being blocked in the URL filtering)\n\nservice: service-http, service-https\n\n​\n\nEverything kind of worked about two weeks ago and then NONE of the URL categories work now, even if I set app and service to any, it skips those rules and goes to the post rule 3 and is denied.\n\nShould we not have just one \""final/last\"" rule and use more URL filters to allow/deny custom categories? I have a tac open for zoom not working as well as youtube, if I put the predefined category \""streaming-media\"" in my streaming rule, it works, but not with my custom URL catgegory.\n\nZoom works with 443/SSL but skips the rule when it tries to us udp 8801 which is part of the zoom application.\n\nIs there a strategy to setting up these rules better that we aren't thinking of? Any help is appreciated.\n\n​""}, {""user"": ""4yt6w"", ""timestamp"": 1694539541.0, ""content"": ""> We moved from ASA's to Palo edge firewalls.\n\nSay no more. Many of us are in the same boat. \n\nChances are for the http/https rules you have an issue with QUIC preventing the rules from matching correctly. You can help that a bit with blocking QUIC as your first rules, which forces the rest of things to not be tunneled across those ports and thus, perhaps match what you're looking for instead.\n\nhttps://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClarCAC\n\nBut beyond that, be sure and leverage the BEAUTIFUL thing that Palo Alto does over ASA style rules. 
\n\nUse the following when setting new initial rules:\n\n* Block specific traffic as strictly as possible with App-ID within the rule.\n* Immediately have a rule after that allowing that traffic less specifically, with App-ID not used (destination and port only, match ANY application.)\n* If needed and you still have things slipping through, follow the above two with another even more loose allow rule that doesn't restrict ports at all (defined source or destination, any port, any application.)\n* Note here that you can also first filter out with User-ID, but allow any user in subsequent rules. Again, you want the net to be specific, then less specific. This lets you catch what the actual traffic is matching.\n\nThen within Palo Alto rules, you can track the hits on each of those rules and if you see slips through rule 1 or 2, you will also see any, \""Apps Seen,\"" on the final rule, or additional catch-all rules you put in place. Sometimes you might want to not block them at all during this process but set the rules as, \""Allow,\"" and, \""Log at Session End.\"" \n\nThis lets you see the miss, see what application ID it saw, change your prior rules and retest. 
Since the flow it also logged you can check your external logging or if within a close enough window, on the Palo Alto monitor logging, getting further information that was as well.\n\nIt's hard to show this without a visualization but here you can note the more-to-less-specific approach, the hits see, the applications seen (which is a link from the number if you click on it,) and the days since any changes to the application count.\n\nhttps://imgur.com/izU3zFg\n\nHere you can see that the very specific top two rules did not match, the more open port based rules did, so they could use some App-ID fixes, but also we have some traffic that's getting through we may not have considered (applications/ports we didn't even consider that might need to be allowed.)""}, {""user"": ""a0tw8eaf"", ""timestamp"": 1694545463.0, ""content"": ""Thank you for your reply! I have blocked QUIC as well as the ports and did not see any difference nor do I see any blocks for those yet. \n\nI have played with the rules\n\n​\n\ntop rule 1:\n\nsource: all users\n\ndestination: n/a\n\napplication: zoom, zoom-info, ssl, stun, rtcp\n\nURL category: custom zoom category with \\*.zoom.us and \\*.zoomgov.com\n\n​\n\nnext rule 2:\n\nsource: all users \ndestination: n/a \napplication: any\n\nservice: udp 8801 \nURL category: custom zoom category with \\*.zoom.us and \\*.zoomgov.com\n\n​\n\nnext rule 3:\n\nsource: all users \ndestination: n/a \napplication: zoom, zoom-info \nURL category: none\n\n​\n\nthis works as the 8801 traffic ends up hitting rule 3 where there is no URL category but the URL being used clearly show it's a \\*.zoomgov.com URL and it's using UDP 8801\n\n​\n\nReran test but changed rule 3 to the same custom zoom URL category\n\nit then skips all rules and goes straight to the explicit deny rule at the very end but just for the 8801 traffic \n\nif it's SSL/443 it hits the rule 1 and URL Category is our custom zoom url category name and it's allowed through\n\nI can't upload pics but 
it's plain as day that if I use our custom URL category it ignores it, if I use the same rule but allow any destination it works and the URL is still the same \\*.zoomgov.com that should be allowed in our URL category.""}, {""user"": ""4yt6w"", ""timestamp"": 1694549653.0, ""content"": ""I have a suspicion you aren't doing SSL decrypt, is that correct? I ask because sometimes actually using the URL in a policy block can be an issue if you aren't decrypting.\n\nAnd/or addition to that, and more importantly, you're combining non web ports with a custom URL as a match on the policy. Unfortunately that isn't going to work. You can match by FQDN, but trust me, I understand that's probably not going to work for a service as large as Zoom. But for sure using a URL category match will mostly ONLY work with standard web ports.\n\nNot to mention, Zoom's list of IP blocks for hosting is a nightmare:\nhttps://support.zoom.us/hc/en-us/articles/201362683-Zoom-network-firewall-or-proxy-server-settings\n\nThat being said, you -could- leverage that list and inputting a large object list covering that with the help of Palo Alto. This would allow you to reference non-web ports / applications and yet still restrict it to just those destination ranges.\n\nWhen we've entered large object lists like that in the past, the Palo Alto command line input is much preferred, Adding all of the IPs and subnets within the defined object, then applying that object as the destination for the policy rule.""}, {""user"": ""a0tw8eaf"", ""timestamp"": 1694550808.0, ""content"": ""I understand the whole standard internet ports things and using URL category, thought these were \""NGFW\"" lol\n\nmy only issue with this is, on my youtube rule, I am using service-http and service-https and app is any and youtube passes that rule and hits my default internet rule that has the URL filter on it that blocks streaming-media, why will it not work since it's using standard internet ports? 
The deny shows 443 as the port? \n\n​\n\nGuess I'll have to go back to the old ways and use the stupid IP addresses again :( what pain, thought my job was gonna get a whole lot easier with the URL category thing.""}, {""user"": ""4yt6w"", ""timestamp"": 1694550227.0, ""content"": ""EDIT:\nI completely forgot this might be a great use for an External Dynamic List, or EDL. You can create policies that reference an EDL, then that EDL has all of the allow/block list of IPs you want to reference within a single policy.\n\nEDL's are also more preferred for ranges that change often, Microsoft O365 ranges for example. You can either create and maintain the EDL on your own (allowing the management of the EDL on a host outside of the firewall for ease of administration,) or you can leverage a third party who can create and maintain those lists for you, or ones they actively create and update, like from here:\nhttps://www.edlmanager.com/""}, {""user"": ""4yt6w"", ""timestamp"": 1694551831.0, ""content"": ""> I understand the whole standard internet ports things and using URL category, thought these were \""NGFW\"" lol\n\nTrust me, I feel ya. They do a great job though, especially once you get past just policy rules and start applying threat prevention, etc. \n\nYou're in luck, we have all been there beating our head in with YouTube...\n\nhttps://live.paloaltonetworks.com/t5/blogs/tips-amp-tricks-allow-or-block-youtube-video/ba-p/306732\n\nI would also mention that based on your mention of your policies, if you require much more stringent URL base proxying, a common solution is to go outside of the firewall for that piece through a content filtering solution. Yes, I know, \""I should be able to do that with my Palo Alto,\"" and in most cases, you can. But there sometimes comes a point when it's a logistical or configuration nightmare working around things with just the one platform. \n\nWe leverage Zscaler for that piece. I know there are plenty of others. 
But for sure, you have and own the Palo Altos. Stay on TAC's back with helping assist you get through some of these blocking issues and if you get slow responses, push it through your VAR or partner as well.\n\nI should also mention, Palo Alto sold me on leaving ASA on the day I got training on the Monitor logging, searching and spotting live issues. That, all by itself, is a NIGHTMARE with ASAs. You can do it, but you're going to be all over the place from GUI to command line, to captures, etc. I remember getting pushback from an app team that I was blocking something and I went to the Palo Alto monitor, spotted every bit of their allowed traffic, added the bytes sent and received to the log headings, then tapped one button for a CSV of all of that, showing me allowing it, showing two way handshake and communication, and showing, \""not my problem.\"" The firewalls paid for themselves right then.""}, {""user"": ""a0tw8eaf"", ""timestamp"": 1694555070.0, ""content"": ""I\u2019ll look at your YouTube thing tomorrow as I just logged off. \n\nWe are moving from ASA and WSA and trying to have the palo\u2019s do an all-in-one. I\u2019m sure I can figure something out with all of it. Just a bummer we can\u2019t use the \u201ceasy\u201d way with the URL categories. \n\nWhat does everyone do for other stuff like limiting ms updates with all their IPs and URLs as well?\n\nDo people use multiple URL filters instead of the singular internet rule I am trying to use with one URL filter? \n\nMy issue with that is if you are in day the YouTube group and I am using URL filtering then your \u201cinternet rule\u201d will end up being that YouTube rule instead of the singular rule at the bottom.""}, {""user"": ""4yt6w"", ""timestamp"": 1694610347.0, ""content"": ""Ahh, great questions. Now it's time to introduce you to security profiles. \n\nCreate a few custom URL Categories for different things. 
We'll get to those in a bit but they can either be allow or deny URL groups, but consider them custom to you and your environment. What is an absolute no-no, and what is and must be work related, etc.\n\nNow go under Objects, Security Profiles, URL Filtering. Pick the default group there and clone it, then call the new group what you will.\n\nAdd your custom URL Categories here and select the actions needed for those categories from nothing to allow, alert, deny, drop, etc. Those are explained in long form on Palo's documentation. \n\nNow that you have a URL profile it's important to understand this is just one part of an overall security profile. You can also add anti-virus, anti-spyware, vulnerability protection, etc. These can be formed into a group just below the definitions called a security profile group. \n\nNow go back to your policies. Each and every policy can now have an associated security profile applied. And that profile includes all the URL allows/blocks, all the additional security items you add, etc. You don't have to use a single policy rule to block specific urls for everything. I can literally have just one rule:\n\nAllow-inside-to-outside\n\n... and put that after I've blocked specific things I don't want going on. But to that rule I attach the security profile that does the rest of the heavy lifting for me. (And btw, this is where we really see the NGFW kind of thing.) This is applied under the Actions tab on the policy.\n\nSome screenshots below kind of showing what I'm talking about. Of note, we, \""alert,\"" on nearly all categories of URLs for a specific reason, which is that alert will also copy the URL seen into the logs. We leverage this both to troubleshoot things on the Palo Alto under the Monitor URL Filtering log, but also allowing the URL to be passed to our logging devices internally and to our SIEM for correlation of events. I.E. 
\""User went to badstuff.com and clicked on the link for something and here are the actions seen afterward.\""\n\nhttps://imgur.com/a/5SAjxjT""}]" +paloaltonetworks-36,"[{""user"": ""w723yenq"", ""timestamp"": 1694559894.0, ""content"": ""Title: Allowing file-sharing apps but blocking Medium-Risk\n Body: We block Medium-Risk URLs per PANs best practices. We are looking to allow file-sharing to our sites (risk approved by senior mgmt) and I'm trying to figure out how to write a rule that allows sites like Dropbox & Onedrive but blocks other Medium-Risk sites. I created an app filter that filters on SAAS/File-Sharing and Office Applications and I'm sure applications installed on individual users' machines would work without any problem. The only problem is when I browse to [www.dropbox.com](https://www.dropbox.com) it is trying to access the site with the SSL or web-browser app-id. I can't just open those apps to medium risk. Looking for some advise on how to structure this rule set.""}, {""user"": ""bknba"", ""timestamp"": 1694560375.0, ""content"": ""We have a rule for this that references the built-in online-storage-and-backup URL category for the destination and is linked to a URL filtering profile that alerts on medium risk and online-storage-and-backup among others. Then layer on port and app-id and whatever else on top of that and it should accomplish what you're looking for.""}, {""user"": ""w723yenq"", ""timestamp"": 1694560383.0, ""content"": ""I think I have it figured out. 
I just need to make sure my \""file sharing\"" policy is filtering on the online-storage-and-backup category and then I can add SSL & web-browsing.""}, {""user"": ""w723yenq"", ""timestamp"": 1694560398.0, ""content"": ""Just figured it out.""}]" +paloaltonetworks-37,"[{""user"": ""532coyo9"", ""timestamp"": 1694557415.0, ""content"": ""Title: How to check an application signature on Palo Alto\n Body: Hello,\n\n​\n\nI want to ask how to check an application signature on Palo Alto like for example WhatsApp ? \n\n\nfor example WhatsApp voice , video or Audio ? so I can block on of them or analyze any of them ? \n\n\n Best Regards,""}, {""user"": ""bi7wp"", ""timestamp"": 1694557594.0, ""content"": ""https://applipedia.paloaltonetworks.com/""}, {""user"": ""kevpn"", ""timestamp"": 1694559450.0, ""content"": ""Realistically, if you're an admin, the most straightforward way is to simulate and log the traffic""}, {""user"": ""532coyo9"", ""timestamp"": 1694593911.0, ""content"": ""Thanks a lot""}]" +paloaltonetworks-38,"[{""user"": ""d6ey9v5"", ""timestamp"": 1694528044.0, ""content"": ""Title: DNS over TLS and DNS over HTTPS inspection? Confused.\n Body: I am still uncertain after reading the documentation. Does PA allow you to inspect DNS queries over TLS and HTTPS? Or does it still just forward the requests to the DNS server configured?""}, {""user"": ""bknba"", ""timestamp"": 1694550768.0, ""content"": ""For versions prior to 11.0 there's no support for inspection of encrypted DNS and PAN's recommendation has been to block that traffic. DoH inspection is added in 11.0:\n\nhttps://docs.paloaltonetworks.com/pan-os/11-0/pan-os-new-features/content-inspection-features/dns-security-support-for-dns-over-https""}, {""user"": ""2z38uxaj"", ""timestamp"": 1694557440.0, ""content"": ""Blocked that traffic and Google\u2019s Quic (sp) protocol. Especially if you use URL filtering. 
The client will resend the traffic in historically normal protocols.""}, {""user"": ""83zag91l6"", ""timestamp"": 1694599921.0, ""content"": ""I try to keep all dns traffic internal. Only letting my forward dns servers send dns traffic outbound over wan. Same with NTP. Both can be used for tunneling / exfiltration. Internal DoT can be allowed if you you have use case, but only whitelist this access.""}, {""user"": ""d6ey9v5"", ""timestamp"": 1694567759.0, ""content"": ""Appreciate the education. u/cowardlyginger and u/whiskey-water. I should have mentioned that this in regards to DNS filtering specifically. So, if I read that right, DoH and DoT inspection (DNS filter) are available in 11.0. Making sure I am clear on this.""}, {""user"": ""da5f3fdc1"", ""timestamp"": 1694596532.0, ""content"": ""Block that traffic.\n\nBesides being unfriendly for inspection and dangerous for enterprise security they are a tentative of centralizing in the hand of few an infrastructure that has been neutral and free for all.""}, {""user"": ""bknba"", ""timestamp"": 1694569427.0, ""content"": ""The 11.0 announcement only mentions DoH. Since it doesn't specifically say anything about DoT, I'd guess there's no inspection coverage there, but that's only a best guess.""}]" +paloaltonetworks-39,"[{""user"": ""12f1ra"", ""timestamp"": 1694540248.0, ""content"": ""Title: Application override - inheritance questions\n Body: Hi,\n\nI have an client-server communication using 'nearly' standard application, but in order to prevent random aging out of sessions on PA i need to adjust timers for it. My question is:\n\nIf i select parent application while creating application object for override, will it inherit parent app timers (other than ones i set specifically) and threat prevention/av signatures when handling traffic? 
Or does it have to be all set manually?""}, {""user"": ""i5gzh"", ""timestamp"": 1694546065.0, ""content"": ""I\u2019d say don\u2019t use app override unless you absolutely have to. It disables a bunch of security features. What\u2019s the app? If it\u2019s widely used but not in the Palo DB you can log a TAC case and they might add it as an official app with the timers it needs. \n\nhttps://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/policy/application-override-policy#:~:text=Application%20Override%20policies%20prevent%20the,Application%20Override%20unless%20you%20must.""}, {""user"": ""12f1ra"", ""timestamp"": 1694548020.0, ""content"": ""For all intents and purposes its an already existing application in terms of app-id, and generally adheres to the standard. I know i \\_could\\_ just adjust application timers for existing app-id object, but this is an edge case of server-server traffic within secure DMZ and timers i need are quite extreme (and yes, people that wrote application will have no idea how to create some sort of keepalive).\n\nLooking at link you provided seems to indicate that what i should actually do is create custom service and apply it to normal firewall policy and it should do exactly what i want it to accomplish.\n\nBut still question remains whether custom application \\_with\\_ parent application inherits timers/other properties, because i didnt find conclusive information in palo documentation.""}, {""user"": ""i5gzh"", ""timestamp"": 1694548415.0, ""content"": ""I don\u2019t believe editing the inherited application will influence the base application. I stand under correction though. 
\n\nhttps://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/app-id/service-based-session-timeouts""}]" +paloaltonetworks-40,"[{""user"": ""5ifce4sx"", ""timestamp"": 1694537495.0, ""content"": ""Title: Anyone moved from Crowdstrike to Palo XSIAM\n Body: I was wondering if anyone here has gone through this move?\n\nIt is something my company is looking at.""}, {""user"": ""bf73y"", ""timestamp"": 1694580865.0, ""content"": ""I've had a few clients try to use crowdstrikes LogScale and I really mean TRY because they all complain about it not being able to ingest and parse logs properly from other sources even with engagement from CRWD. If the goal is to not only take data in but also understand the data and also perform remediation actions across various enforcement points, I've yet to see them deliver that. I had a recent engagement with a client who had falcon + LogScale, and Palo for FWs and they couldn't find out how a bad actor got in looking in LogScale. They knew something was going on but honestly were chasing the wrong things because even though they were sending FW logs to it, it just doesn't understand them. Reminds me of Splunk, it'll take the data in but you better have someone who is going to train the system to know what it's taking in. 15 mins in the Palo console and I showed them C2 and DNS tunneling that they weren't paying attention to and weren't blocking (because of really shitty FW configurations from a Cisco migration years before), and was able to get things contained and ultimately find the exposed server where the initial infection began. \n\nI've been doing this for nearly 2 decades and I really do see a future where the SOC is mostly automated, but just like you hear with chatgpt and the like, building good ML models and AI first takes having good data and a lot of it. Not every company that is trying will be able to successfully do it. 
\n\nDo a PoC, make them prove they can do what they say they will.""}, {""user"": ""7bnbk"", ""timestamp"": 1694541165.0, ""content"": ""I only know people who move the other way.""}, {""user"": ""4wfpg"", ""timestamp"": 1694589967.0, ""content"": ""Kind of an odd description of splunk.. ingesting new data into splunk doesn't involve \""training\"" anything, there's not some sort of ML based parsing.""}, {""user"": ""5ifce4sx"", ""timestamp"": 1694546052.0, ""content"": ""Thanks, we don't think it is the right move but executives are leaning another way.""}, {""user"": ""4gh4seoe"", ""timestamp"": 1694550300.0, ""content"": ""XSIAM hasn\u2019t been on the market long. Are you sure you aren\u2019t talking about an older endpoint solution like TRAPs which is very old and no longer sold.""}, {""user"": ""bf73y"", ""timestamp"": 1694601365.0, ""content"": ""exactly it's problem. It just ingests. It's up to you to do anything with it that is actionable.""}, {""user"": ""kevpn"", ""timestamp"": 1694553722.0, ""content"": ""I\u2019m hesitant to think there\u2019s a massive exodus of XSIAM just because XSIAM is fairly new\u2026 it was in a \u201cfirst customer\u201d program where they worked very closely with early participants for a while""}, {""user"": ""kevpn"", ""timestamp"": 1694553811.0, ""content"": ""Or even XDR. XDR is a lot better than traps but it\u2019s at least been out for more than 30 seconds.""}, {""user"": ""nqh6ed9"", ""timestamp"": 1694562488.0, ""content"": ""What do you mean mass exodus? 
Is xsiam worth anything or is it mostly AI/ml hype with a larger price tag and more hands on support from palo while the product settles in?""}, {""user"": ""kevpn"", ""timestamp"": 1694562614.0, ""content"": ""I am a Palo employee so I am biased beyond belief so I do not make product recs here typically\n\nI mean \u201chearing all your friends leaving XSIAM\u201d as they suggest would shock me because the ink has barely dried on most XSIAM contracts""}, {""user"": ""k3lq2"", ""timestamp"": 1694656122.0, ""content"": ""Can confirm""}, {""user"": ""kevpn"", ""timestamp"": 1694656209.0, ""content"": ""Can confirm I am not biased, XSIAM ink is still wet, or XSIAM is not good? \ud83d\ude03""}, {""user"": ""k3lq2"", ""timestamp"": 1694662503.0, ""content"": ""ink is still wet, even the early adopters (design partners) are not even a full year in yet.""}]" +paloaltonetworks-41,"[{""user"": ""b75zaghi"", ""timestamp"": 1694534976.0, ""content"": ""Title: Accessing some websites such as amazonawas.com showing as site not secure\n Body: If I add the website ro SSL exclusion list - the site starts working. \n\nI know Palo Alto has a default list of CA\u2019s that it trusts - but I can\u2019t think of a reason why this happens.\n\nFor other sites such as bbc.co.uk this doesn\u2019t happen.\n\nI do have SSL decryption enabled on the firewall and works fine for most websites""}, {""user"": ""6lriu4sg"", ""timestamp"": 1694536144.0, ""content"": ""There\u2019s a few potential problems. One of the less obvious ones is that if the web server does not provide the full CA chain, the Palo will fail decryption. Windows and other OSs will find those certs on their own. Palo sees that as a security issue. 
You either have to go find the rest of the chain and install the intermediate CAs on the Palo or you have to use a custom URL category and create an exception list for decryption where it won\u2019t decrypt it at all.""}, {""user"": ""57bwa"", ""timestamp"": 1694539657.0, ""content"": ""Have a look in the decryption log - the error column will tell you.\n\nProbably a new CA that your palo doesn't know about""}, {""user"": ""b75zaghi"", ""timestamp"": 1694597246.0, ""content"": ""Yes I have had a look and I am seeing \u201creceived fatal alert UnknownCA from client CA issuer \n\nHttp//alaitrust.net/1k-chain256.cer\n\nPalo Alto says not all websites send their complete certificate chain event though RFC requires them to provide a valid certificate leading to an acceptable certificate authority \n\nIf the intermediate certificate is missing from the certificate list the website server presents to the firewall, the firewall can\u2019t construct the certificate chain to the top (root) certificate \n\nWhich then presents the forward untrust certificate which is what is happening to me\n\nBut on a different firewall \u201cCisco\u201d this does not happen for the exact same website it happens on the Palo Alto firewall""}, {""user"": ""b75zaghi"", ""timestamp"": 1694597237.0, ""content"": ""Yes I have had a look and I am seeing \u201creceived fatal alert UnknownCA from client CA issuer \n\nHttp//alaitrust.net/1k-chain256.cer\n\nPalo Alto says not all websites send their complete certificate chain event though RFC requires them to provide a valid certificate leading to an acceptable certificate authority \n\nIf the intermediate certificate is missing from the certificate list the website server presents to the firewall, the firewall can\u2019t construct the certificate chain to the top (root) certificate \n\nWhich then presents the forward untrust certificate which is what is happening to me\n\nBut on a different firewall \u201cCisco\u201d this does not happen for the exact 
same website that it happens for on the Palo Alto firewall""}, {""user"": ""6lriu4sg"", ""timestamp"": 1694616955.0, ""content"": ""It doesn\u2019t happen on Cisco because Cisco will retrieve the certificate.""}, {""user"": ""57bwa"", ""timestamp"": 1694608171.0, ""content"": ""Have you got \""Block sessions with untrusted issuers\"" set in your decryption profile? You can ignore it for that website by creating a new profile and decryption policy.\n\nThe more secure resolution would be to add the root and intermediate certs to device > certificates and mark them as \""trusted root CA\""s""}]" +paloaltonetworks-42,"[{""user"": ""iqki9"", ""timestamp"": 1694515836.0, ""content"": ""Title: Question on Upgrading PAN-OS on VM Series\n Body: Newb question incoming.....Currently upgrading some hardware and vm-series firewalls from 9.1.x to 10.2.4-h4 and have a question about process. Hardware seems fairly straight forward if you follow the correct \""upgrade path\"". The vm-series documentation doesn't refer to following the upgrade path, does that mean on a vm-300 I can go straight from, say, 9.1.14 directly to 10.2.4-h4 ?\n\nAppreciate any help!""}, {""user"": ""briif"", ""timestamp"": 1694516967.0, ""content"": ""you need to follow the upgrade path.""}, {""user"": ""47wj4"", ""timestamp"": 1694518846.0, ""content"": ""https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-upgrade/upgrade-pan-os/upgrade-the-firewall-pan-os/determine-the-upgrade-path\n\nfollowing this guide is really about preserving your configuration. (During major revision upgrades, the config file format changes, so part of the background upgrade procedure is the firewall converting your config to the new version.) If you have a brand new firewall or VM with no configuration you want to keep, then yes - you can do it in one step.""}]" +paloaltonetworks-43,"[{""user"": ""36d7dohp"", ""timestamp"": 1694527194.0, ""content"": ""Title: Missing file upload in BPA\n Body: Hi all. 
New to Palo and trying to upload my tech support file into BPA. Problem is there is no button on the page to generate a new BPA assessment. Any ideas? I\u2019m logged in as super user with BPA role as well.""}, {""user"": ""qnvd8"", ""timestamp"": 1694528755.0, ""content"": ""Bpa is now aiops. Can be accessed at https://apps.paloaltonetworks.com/hub\n\nhttps://live.paloaltonetworks.com/t5/blogs/bpa-transition-to-aiops-for-ngfw/ba-p/548612#:~:text=Why%20Transition%20BPA%20to%20AIOps,like%20the%20BPA%20requires%20today.""}, {""user"": ""36d7dohp"", ""timestamp"": 1694532784.0, ""content"": ""Ah, there it is. Thank you!""}]" +paloaltonetworks-44,"[{""user"": ""8m7boma2"", ""timestamp"": 1694494378.0, ""content"": ""Title: PCNSA Cert study material\n Body: I'm taking the course by Astrit Krasniqi on Udemy and I am about half way done. The content seems pretty basic and easy, a little to much so. Has anybody taken his course to confirm what he covers is enough to pass the test? Is there any other preferred study material or supplement content you could suggest?""}, {""user"": ""6iwfgugp"", ""timestamp"": 1694496212.0, ""content"": ""edu 210""}]" +paloaltonetworks-45,"[{""user"": ""jmttq"", ""timestamp"": 1694472516.0, ""content"": ""Title: What are you blocking outbound on your App-ID rules?\n Body: Currently testing segmenting vlans with specific app-id rules. \n\nWe don't have a written policy on what traffic can go outbound. We do limit the obvious, like RDP, SMB, QUIC etc. We have several EDLs that block inbound and outbound. \n\nHowever, we don't explicitly deny specific app-ids from going outbound. Looking for some best practice App-IDs to start blocking.""}, {""user"": ""91wqd"", ""timestamp"": 1694488641.0, ""content"": ""The question should be 'What do we need to *allow*?' The business needs to make the decision about which applications are sanctioned or unsanctioned. Your risk management or information security team should be involved. 
There should be a clearly defined business need for every allow rule and anything else should be blocked/denied by a deny all rule at the bottom of the rule set. The main purpose of the firewall is to enable network access for the business while at the same time protecting it from network traffic that is not needed.\n\nIf you don't have a risk management or information security team or if you provide those functions, I would suggest following recommendations in [NIST SP 800-41](https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-41r1.pdf) as well as the [Center for Internet Security](https://www.cisecurity.org/controls) controls for Palo Alto as a start. There is also the [Internet Gateway BPA](https://docs.paloaltonetworks.com/best-practices/internet-gateway-best-practices) and the [Security Policy BPA](https://docs.paloaltonetworks.com/best-practices/security-policy-best-practices)""}, {""user"": ""4gigy"", ""timestamp"": 1694476445.0, ""content"": ""Any and all remote access applications like Teamviewer etc unless they are actually used by the company.""}, {""user"": ""5u04b"", ""timestamp"": 1694484617.0, ""content"": ""SMTP, SMB, RDP. That's it. 
The business has a wide variety of needs and there is no sense in micromanaging it.""}, {""user"": ""ao50hldk"", ""timestamp"": 1694479998.0, ""content"": ""Stick in the ass corporate environments will block like games, social media, streaming etc, but in my deployments I only recommend high threat potential categories.""}, {""user"": ""rsvj6"", ""timestamp"": 1694479228.0, ""content"": ""Social media apps, online storage, games, streaming TV.""}, {""user"": ""dlz8m"", ""timestamp"": 1694475127.0, ""content"": ""I went through and created some app-id groups and filters, and I block outbound filesharing that isn't the explicit major ones, blocking outbound SMB like you already do, etc.""}, {""user"": ""100eg8"", ""timestamp"": 1694502644.0, ""content"": ""We go the \""allow\"" approach as well, otherwise people start using web apps which haven't approved by our security team and work council.""}, {""user"": ""tsmysiu"", ""timestamp"": 1694507673.0, ""content"": ""Any kind of internal authentication protocols""}, {""user"": ""2gbmjiqr"", ""timestamp"": 1694519313.0, ""content"": ""We have a group of applications that we allow. Everything else is denied unless a business case is approved for something outside of it.""}, {""user"": ""da5f3fdc1"", ""timestamp"": 1694510771.0, ""content"": ""I subscribe to this approach.\n\n \nWhat I usually do for management networks/server networks/DMZs... 
is that anything that has to go out must have a specified destination and a reason to, everything else is blocked.\n\nFor the client networks the only ports that can go out are 80TCP and 443TCP and there is a security profile applied with the Palo Alto best practices as well custom EDLs and also other blocks that I might like (as blocking Remote Assistance, for example).""}]" +paloaltonetworks-46,"[{""user"": ""elsufo4m"", ""timestamp"": 1694477225.0, ""content"": ""Title: Hands-on options for training?\n Body: Hi all,\n\n​\n\nI was previously PCNSE certified and it expired, and now want to go at it again just for kicks.\n\nI am trying to determine options, if any, for getting hands on with the platform in the latest version (or at least the one the exam is based on).\n\nWhile I previously worked for a company that was a PA customer, and even had a pair of lab VMs purchased for me, that was about 3 years ago, and no longer accessible or updateable.\n\nI know there's no free options, but even trying to buy something seems they only sell to companies? (which seems really messed up). And what's with all these \""credits\"" crap that seems to be the standard now?\n\n​\n\nTLDR: IS there any way for an independent guy studying to get access to a FW and/or Panorama?\n\n​""}, {""user"": ""kevpn"", ""timestamp"": 1694493171.0, ""content"": ""Common advice here is usually to pay-as-you-go a firewall in the cloud or get in touch with Fuel to see how far their resources get you.\n\n>I know there's no free options, but even trying to buy something seems they only sell to companies?\n\nLargely correct, PAN like a lot of vendors is largely B2B. I believe folks have LLC'd, etc before to get around this, but I can't speak to that or whether it makes sense.\n\n>And what's with all these \""credits\"" crap that seems to be the standard now?\n\nIf you mean for PAN in general, my grasp is at least one reason is so people can move from e.g. 
hardware models to cloud products without completely losing any metrics of what they've paid for.""}]" +paloaltonetworks-47,"[{""user"": ""6x7cpppc"", ""timestamp"": 1694452924.0, ""content"": ""Title: Professional Service Hours - How should I spend them?\n Body: Hello everyone. After evaluating firewalls and getting feedback, I may be going with Palo Alto for the core of an upcoming network. Our SE stated he's going to included 80 hours of Professional Service Hours at no additional charge for after the install to assist with basically day two operations. \n\nCurious if you have any thoughts on how I should use them? Anything you wish you would have used them for that you didn't? Anything you did down the road that you wish you would have have Professional Services Hours for? Thanks.""}, {""user"": ""2iok9w7f"", ""timestamp"": 1694453645.0, ""content"": ""Solid choice. What firewall manufacturer are you migrating from? I would use them to help design and configure your SSL decryption strategy. And if you aren\u2019t doing L7 app-based rules, have them help with that as well. Honestly most of the configuration is pretty trivial, but SSL decrypt can be one of the biggest pain points if not planned and configured correctly.""}, {""user"": ""384u79ao"", ""timestamp"": 1694495864.0, ""content"": ""We knew substantially more than our professional services engineer. It was very\u2026weird. 
Especially the part where we (not me) lie on the monthly check in calls and say everything is great, further perpetuating this mediocrity.\n\nI\u2019d take the guys advice up there and use them for very specific things.""}, {""user"": ""5jhbyzkv"", ""timestamp"": 1694454782.0, ""content"": ""Zone Protection, DoS Profiles would be one of things I would take a look at since TAC doesn't help in configuration also If your keen about your network bandwidth/throughout you could have test and get appropriate values""}, {""user"": ""37ve4gbk"", ""timestamp"": 1694456411.0, ""content"": ""Who's PS hours? PANW proper or the resellers? There will likely be more strings attached if PANW's. \n\nWhenever I give PS hours in a sale, my customers end up allocating it toward the deployment or day1 support. \n\nIf you're not using them to help with the deployment, 80 is quite a bit which means that they're probably making good margin to give that many hours so one way you could use it is to get a better price. \n\nAssuming that they can sit dormant and be used a later time (we do that), you could use the hours for periodic assessments like 6-12 months post deployment.""}, {""user"": ""unknown"", ""timestamp"": 1694458402.0, ""content"": ""[deleted]""}, {""user"": ""9ws9qq5hm"", ""timestamp"": 1694699999.0, ""content"": ""i bought the professional services for the \""cloudgenix\"" prisma SD and was a pretty big waste of $. The tech sent me a 'form' to fill in with all the IP's subnets, links, names, domains,etc. He the proceeded to create a simple dump to setup the devices. \n\nI wanted to be involved with the setup to LEARN more about this product. His was OK at setup but could not properly answer any of my questions and was horrible about explaining. \n\nWhen you buy a car you do not need to know how to change spark plugs, brakes, or the muffler. But in IT we need to know how it works and that starts with the setup. 
I have to be the mechanic of my environment because \""Professional services\"" will not be there when you have problems. So they need to be better at sharing, explaining, and teaching. \n\n​\n\nOverall worst $40K we ever spent!""}, {""user"": ""6x7cpppc"", ""timestamp"": 1694520980.0, ""content"": ""Migrating from ASAs and a Fortigate. Didn't even think of SSL decryption, will add that to my list as well.""}, {""user"": ""6x7cpppc"", ""timestamp"": 1694520575.0, ""content"": ""Thank you for this. Made some notes and will make sure to put this on the agenda.""}, {""user"": ""6x7cpppc"", ""timestamp"": 1694520694.0, ""content"": ""It's PANW proper and while I won't talk price, I will say the sale margin was low, I think they just really wanted the business.\n\nI like this idea of saving some for a review as well once things are completed.""}, {""user"": ""1bvg0jmi"", ""timestamp"": 1694485654.0, ""content"": ""Your math is off by half an order of magnitude (more like 40k), but your point isn't.\n\nUse them for architecture/high level engineering work, that's the level you're paying for. Generate a very specific list of what you want done, and listen to what they say.""}, {""user"": ""14vm7b"", ""timestamp"": 1694486928.0, ""content"": ""How is it 200k?\n\nRate is 250/hr\n80 hours\n$20k\n\nIf rate is 300/hr\n80 hours\n$24k\n\nHow is that even close?\n\nOP should always use the hours for the hardest items, the more advanced components""}, {""user"": ""37ve4gbk"", ""timestamp"": 1694535230.0, ""content"": ""Respectfully, how do you know their margin was low? \n\nIn any case, despite what others are suggesting on here, I think it would be prudent to not use them for things that would be best for a consistent resource. Like, you just want to avoid paying the $500/hr or whatever they'd charge for additional hours (their list is $550/hr). 
Honestly though, Idk what their PS is actually like because I've never seen anyone pay (and we are the ones that the customers go to for the actual deployment/implementation services)""}, {""user"": ""6x7cpppc"", ""timestamp"": 1694520766.0, ""content"": ""I like this idea as well, I will generate a list, and get it ready for our upcoming sessions.""}, {""user"": ""6x7cpppc"", ""timestamp"": 1694536481.0, ""content"": ""As far as margin, I took a look at list price for the equipment, services and SFP's. Then compared that against the offered percent %. \n\nIt was against Palo Alto and another vendor, the other vendor offered a higher % off. We showed the % off offered by the other vendor, our rep said not only will match that percent off but we will throw in 80 hours of professional services time that will start after we help you migrate over. CEO said okay, let's do it.""}, {""user"": ""37ve4gbk"", ""timestamp"": 1694537617.0, ""content"": ""Man, that's apples to oranges. There is not a \""normal\"" discount level among vendors out there. For example, if you bought something from PANW at 40% off list vs buying something from Cisco at 40% off list.""}, {""user"": ""6x7cpppc"", ""timestamp"": 1694549851.0, ""content"": ""Now I'm curious if we got hosed or not :) So, while not giving away the *exact* price if one were to have bought 4 5410's for $24,450 a piece, is that a good deal?""}, {""user"": ""37ve4gbk"", ""timestamp"": 1694550128.0, ""content"": ""Sent you a chat-- but yea that's a good price for just the 5410s appliances themselves""}, {""user"": ""6x7cpppc"", ""timestamp"": 1694570879.0, ""content"": ""Thanks for validating, it seemed like it. The services were discounted at an equal margin. Once everything was quoted, they added in the Professional Service Hours and zeroed it out. 
I'm sure they made money on the SFP's and cables though--nobody priced those out, just told them to add them on and call it a day.""}]" +paloaltonetworks-48,"[{""user"": ""7hcsltow"", ""timestamp"": 1694464537.0, ""content"": ""Title: Renewing a Cert\n Body: Hey everyone, my ssl decrypt cert is going to expire soon. I was curious about how renewing the cert works since it is just a self signed cert. The cert is deployed all over my enterprise, which includes primarily windows and Chrome devices. However, we do allow BYOD on our WiFi. If I renew the cert and extend the time will all those BYOD users have to load the new cert? Or does the old cert still work and just extends the time? I\u2019m not super familiar with certs so I\u2019m treading on new waters.""}, {""user"": ""ibia0"", ""timestamp"": 1694467839.0, ""content"": ""The joy with a self signed CA...you'll have to push the new CA cert to all your devices. Just renewing it won't 'update' it.\n\nId suggest getting in contact with your enterprise certificate team and migration to them proving you an intermediate cert off the main internal CA so they control the chain of trust, not you. (Easy mode)\n\nOr renew/generate a new one and contact your end user device management team to push to those. (hard mode)""}, {""user"": ""91wqd"", ""timestamp"": 1694474485.0, ""content"": ""If it\u2019s self signed, yes you will need to go through the same process you did to initially deploy the certificate. \n\nBest option is to establish an Enterprise CA for your internal devices. 
For BYOD you should use a public CA to sign the certificate so it will be initially trusted.""}]" +paloaltonetworks-49,"[{""user"": ""164gcr"", ""timestamp"": 1694466958.0, ""content"": ""Title: Explicit Allow Rapid 7 URL Traffic to Whole Org\n Body: Hi All,\n\nSo we are deploying Rapid 7 agent to the organization and I need to allow the 2 wildcard domains ( so cant use a FQDN object as a destination in a security ) for this to work so I have looked into URL filtering. \n\nThe problem I am having is I want to log the URL traffic that uses this rule for visibility. Looking into the Palo logging capability if I use a URL Category within a Security rule it doesn't log. If I use a URL Filtering Profile with that custom category it logs but I cant figure out how to ONLY just allow a custom category and not block/allow other traffic. Is there something in the URL filtering profile that I can set it just to care about a single category versus taking action on the rest ?\n\nWould a combination of a URL Category within a Security Rule and a URL Filtering Profile on the same rule have the outcome I am looking for ?\n\nWe use Syslog as well to send to our SIEM if that helps around the logging requirement. ""}, {""user"": ""66ovb"", ""timestamp"": 1694469976.0, ""content"": "">Would a combination of a URL Category within a Security Rule and a URL Filtering Profile on the same rule have the outcome I am looking for?\n\nYes, that is exactly what you need. Allow rule with custom url category specified. Url filtering profile, with action set to alert on said custom url category.""}, {""user"": ""164gcr"", ""timestamp"": 1694481951.0, ""content"": ""The problem there is the inbuilt categories would then also have some type of action ( allow/block required ). 
Does having the URL category in the rule then limit the \""allows\"" or \""blocks\"" in the URL filter ?""}, {""user"": ""66ovb"", ""timestamp"": 1694521792.0, ""content"": ""Usually, when I apply these rules, since custom categories take precedence, and you have specified the rule itself to only apply to the custom category. I alert the custom category in the url profile, none for all other custom categories, and block all predefined categories.\n\nI hope that makes sense.""}]" +paloaltonetworks-50,"[{""user"": ""11o6u1"", ""timestamp"": 1694466720.0, ""content"": ""Title: Securtiy rule not working with HIP object\n Body: There are two WAN rules, and in addition to the top rule, I added HIP. I added a HIP object to the profile using \""and.\"" In the HIP object, I removed everything specific and added two checks that only look at the hostname and domain information confirmed through the agent. Nothing else remains except for these.\n\n​\n\nNo matter how many combinations I've tried, I just can't establish a VPN connection with the rule involving HIP; I always connect with the rule that doesn't have the next HIP check.\n\n​\n\nI've tried AND, OR, and various features within the rule, including quarantine and no-hip.\n\n​\n\nWhy do you think it's not working? What am I missing? I see that it's a match in the HIP-Match logs, so why isn't the connection being established through the HIP-applied rule? \n\\*\\*and notification is success\n\nIf didn't understand me i'm sorry sometime my english is not enough-Best Regards, Cheerss""}, {""user"": ""ds0je"", ""timestamp"": 1694468799.0, ""content"": ""You are trying to limit the initial connection to GP Portal/Gateway via HIP objects? Is that what I am reading?""}, {""user"": ""11o6u1"", ""timestamp"": 1694498759.0, ""content"": ""Yes that's right""}, {""user"": ""5gj3sjhny"", ""timestamp"": 1694573478.0, ""content"": ""That isn\u2019t how HIP checks work. 
HIP can\u2019t stop someone from connecting to VPN, it can stop them from being able to reach anything internal though. \n\nThink about it like this, the HIP feature is built into the GP client. When you connect, the client sends the HIP profile to the Gateway. How could the firewall get the HIP profile if you are t even connected to VPN?""}]" +paloaltonetworks-51,"[{""user"": ""128ufv"", ""timestamp"": 1694443863.0, ""content"": ""Title: Trying to allow specific outbound URLs and blocked URLs not showing in logs.\n Body: I am trying to figure out if there may be a way to find URLs that are being blocked for an application so I can allow. We have a very strict outbound policy and only allow specific apps. We have a vendor that does not know what services their app uses (the vendor is a fortune 500 company!) so we are left with the task of figuring this out. I have a specific URL category on the allow rule for the sites we know about. I have a catch all rule with all categories allowed in the url filtering that I thought should catch anything not caught by the previous allow rule. I have the firewall providing DNS proxy but I can't seem to find anything in the cache and we can see the IPs of the blocked sites but not the URLs. Is there a way to tie the DNS request to the IP? We used developer mode on the browser based portion but the integrated app is the problem. We are unable to install any tools on the workstation due to strict policy but I think that may be the only way forward.\n\nAnyone run across this and have an idea how to get around?""}, {""user"": ""2iok9w7f"", ""timestamp"": 1694461304.0, ""content"": ""Do you have the action set to \u201calert\u201d for the categories on the security profile? 
It set to \u201callow\u201d it will never show up in the logs.""}, {""user"": ""5hw479ms"", ""timestamp"": 1694455776.0, ""content"": ""Have you looked at the threat logs versus the traffic logs, the URLs will usually show up there.""}, {""user"": ""1bvg0jmi"", ""timestamp"": 1694489249.0, ""content"": ""If there's no host header or sni, it's not going to show up in the URL logs, nor can it be blocked/allowed by URL.""}, {""user"": ""11o6u1"", ""timestamp"": 1694461806.0, ""content"": ""Have you checked Threat and URL Filtering? If this doesn't work for you, there are a few applications that show the addresses the server is trying to go to.""}, {""user"": ""ajcthz98"", ""timestamp"": 1694508790.0, ""content"": ""Create/Clone a URL Filtering Profile that will allow and log (alert) all safe categories, then uncheck the \u201clog container page only\u201d option on the URL Filtering Profile. Apply this URL Filtering Profile to your catch all policy. If you still don\u2019t see what you are hoping for, then possibly your previous policy is silently blocking the URLs you are in search of. In that case, swap the policies briefly to gain visibility.\n\nFor me, the unchecking of the \u201clog container page only\u201d option was a little bit of a \u201cHoly Grail\u201d moment.\n\nI don\u2019t keep this special URL Filtering Profile in use all time, but instead only when trying to discover URLs an application is trying to use. I then create a Custom URL Category containing the discovered URLs to apply to a policy. (We also have a strict outbound policy.)""}, {""user"": ""15jrca"", ""timestamp"": 1694519276.0, ""content"": ""Are you after URLs or Services?\nIf none of the above have worked so far, capture some packets from the server hosting the app when attempting to connect. Check the URI/URL for DNS. \nIf looking for services. 
From server hosting use NETSTAT from CMD, PowerShell or Linux equivalent.""}, {""user"": ""2gbmjiqr"", ""timestamp"": 1694520233.0, ""content"": ""If it's a safe company, create an allow all policy for one IP or user. Go to that site and see what shows up.""}, {""user"": ""56dcd86r"", ""timestamp"": 1694528386.0, ""content"": ""Create a rule at the end of your internet place allow your-Src - >any (internet), in the profile, add a url profile with block all to all Url categories. This will block out of L7 and it will show up to your Url monitoring.\nConclusion, you allow L4 traffic, you block your L7 traffic - > you get a report on your logs""}, {""user"": ""128ufv"", ""timestamp"": 1694487220.0, ""content"": ""Yep all set to alert""}, {""user"": ""128ufv"", ""timestamp"": 1694487199.0, ""content"": ""Yep. Even checked unified just in case""}, {""user"": ""128ufv"", ""timestamp"": 1694487269.0, ""content"": ""Any that don't require an install? Workstation locked down tight....""}, {""user"": ""128ufv"", ""timestamp"": 1694550137.0, ""content"": ""I have exactly this but I'm going to try the log container only and see if that might help""}]" +paloaltonetworks-52,"[{""user"": ""2veaua92"", ""timestamp"": 1694471192.0, ""content"": ""Title: Palo Alto stopped dynamic updates?\n Body: Hi, so I'm in the middle of migrating our current ASA firewalls onto Palo Altos, so far so good, I'm pretty far along now. One issue I have ran into recently is that after migrating the OOB network onto the Palo Altos, they no longer update themselves through dynamic updates. The OOB management interface on the Palos is the primary int out for traffic originating from the firewalls themselves. 
Here is the current traffic flow for them now from the OOB int:\n\nFirewall OOB int >>>>> GW on ASA MGMT FW >>>> Route for MGMT network outbound back to Palo Alto LAN MGMT Zone interface (not the OOB MGMT interface) and then out.\n\nSo the traffic comes back into the firewall onto another interface and now it doesn't work. Currently I have an application filter setup to allow all Palo Alto update applications outbound, and nothing! I've tried allowing just the OOB MGMT IP add out as well on that LAN zone int and still nothing. I'm at a bit of a loss to be honest.\n\nAny ideas anyone?\n\nThanks""}, {""user"": ""412mcpi6"", ""timestamp"": 1694481452.0, ""content"": ""You probably need to configure a security policy to allow the traffic destined for the PA updates server.""}, {""user"": ""ggxts"", ""timestamp"": 1694471509.0, ""content"": ""If the default gateway for the management port is on the palo's you'll probably want to drop the management port completely, or have it route to another device on the network. \n\nBut what you can do is go to Device -> Setup -> Services and update the Service Route Configuration.""}, {""user"": ""nux47"", ""timestamp"": 1694523699.0, ""content"": ""have you checked your dns?""}, {""user"": ""3c7af5b5"", ""timestamp"": 1694533096.0, ""content"": ""Service routes is likely the issue. All updates, ldap queries, ntp, dns, etc. go out the management port by default. If the management network doesn't allow internet access, you'll need to configure separate service routes for any services that need it.""}, {""user"": ""eigr8x5r"", ""timestamp"": 1694573394.0, ""content"": ""Really a bit confused with key word and route what you are using here. OOB in Palo means Management interface in Palo?\n\nDefault Palo takes management interface to get updates. If your management IP don't have access to internet, then it won't. 
And also you don't need any security policies to make management interface get updates from Palo.\n\nOtherside if you are using any available ethernet interface as Management/OOB then you need security policy, change service route configuration. Also this interface IP should have internet access""}, {""user"": ""2veaua92"", ""timestamp"": 1694521170.0, ""content"": ""Yeah I've done that and I've done an allow as well to everything for the MGMT ip also.""}, {""user"": ""2veaua92"", ""timestamp"": 1694471621.0, ""content"": "">If the default gateway for the management port is on the palo's you'll probably want to drop the management port completely\n\nIt's not, it's on an ASA MGMT int""}, {""user"": ""2veaua92"", ""timestamp"": 1694535528.0, ""content"": ""Why wouldn't the mgmt network allow Internet access if I've allowed it via a security policy? \n\nIf you see my replies to the other person on this post then you'll see where I'm up to with it.\n\nThanks for the help""}, {""user"": ""412mcpi6"", ""timestamp"": 1694528572.0, ""content"": ""What are the traffic logs showing?""}, {""user"": ""ggxts"", ""timestamp"": 1694472532.0, ""content"": ""Okay, lets clarify your connectivity real quick because it is kind of confusing reading it. \n\n\""OOB management interface\"" -> is this the management ethernet on the Palo?\n\nIf it is, is that connected to the ASA which is the L3 gateway?\n\nFrom there, the ASA has a route to say...Eth1/2 as an \""inside\"" interface on the palo?\n\nThen out to the internet? \n\n\nIf that is all correct are you logging dropped packets and have the management IP subject to any NAT policies that may be required? 
\n\nDoes the ASA have another path out where it may be having traffic able to return to the ASA and skip the palo?""}, {""user"": ""2veaua92"", ""timestamp"": 1694530141.0, ""content"": ""Nothing anywhere on any zone""}, {""user"": ""412mcpi6"", ""timestamp"": 1694531816.0, ""content"": ""You must be hitting the default policy which doesn't log by default. Try temporarily overriding the behaviour of the default interzone policy so we can verify, most likely the traffic is not matching the policies you defined for it.""}, {""user"": ""2veaua92"", ""timestamp"": 1694533097.0, ""content"": ""I already have logging setup on it and there is nothing hitting it, also, I have a custom default block all traffic and block all webports traffic rule above this anyway, that logs everything that is outright blocked. None of them are being hit""}, {""user"": ""412mcpi6"", ""timestamp"": 1694533407.0, ""content"": ""Then most likely the traffic is being lost before it reaches the PA dataplane IF in the first place, a quick packet capture should confirm this.""}, {""user"": ""2veaua92"", ""timestamp"": 1694535448.0, ""content"": ""I've set up captures on the ASA (the Palos mgmt int next hop ip) and nothing there. Its almost as if nothing leaves the PA on any interface. \nThis has worked before though, I migrated the mgmt network across to the Palos last week, everything works on that network expect for the Palos updates.\nIt's as if it doesn't route off the control plane""}, {""user"": ""412mcpi6"", ""timestamp"": 1694537040.0, ""content"": ""Do a capture on the mgmt IF with tcpdump to verify this. Might be the service route is not configured correctly. 
Can you ping the ASA from the PA mgmt?""}, {""user"": ""2veaua92"", ""timestamp"": 1694592218.0, ""content"": ""Thanks for the help so far, so i did a tcpdump and checked the pcap, showed traffic pinging the HA interface fine and apparently some traffic for public ip's that mapped to google, but nothing else as far as update traffic from the looks of it""}, {""user"": ""412mcpi6"", ""timestamp"": 1694651810.0, ""content"": ""Try to ping the updates server from your mgmt IF.\n\nping host updates.paloaltonetworks.com\n\n** double-check that url before, I'm not at the office atm.""}]" +paloaltonetworks-53,"[{""user"": ""3wjdaezo"", ""timestamp"": 1694433216.0, ""content"": ""Title: Too late for SE Academy?\n Body: I graduated 4 years ago and have been working in Enterprise Presales ever since. I ended up replacing one of the Senior SE's at my company. We sell mainly on-prem servers, storage arrays, networking equipment, services, etc.\n\nI was thinking of transitioning to an SE role in Cyber Security.\n\nIs SE Academy too fundamental for me now? Given that I'm already trained in presales. Or is it more of a focus on the technology?\n\nAlso worried about being bumped off a Mid-Senior salary back to Associate.""}, {""user"": ""ao50hldk"", ""timestamp"": 1694446361.0, ""content"": ""If you\u2019re as skilled as you say you are, you should be fine going to for regular SE role, associate SE might be a step down, so corporate SE is also the base role, maybe for for an SE1 or SE2 role. Check jobs.paloaltonetworks.com and see if the pay for these roles are actually a step down/up from what you are""}, {""user"": ""suz08"", ""timestamp"": 1694434820.0, ""content"": ""I think the best way is to work out the best way you would be attractive to Palo.with your skillset. \n\nIf you have a good fundamental knowledge of a sector of business (e.g. 
airlines and transportation) and they have a vacancy in that or a related area then that would be attractive to them and you could largely be dropped into an SE role and learn Cyber on the job during the onboarding.\n\nIf however you don't have that vertical knowledge then the SE Academy may be the best way to get your baseline knowledge to the right level.""}, {""user"": ""c8iwwydk"", ""timestamp"": 1694447774.0, ""content"": ""You have the most important SE skills that simply come with time and experience: how to sell.\n\nPalo will teach you the rest when it comes to their technology. Go for it!""}, {""user"": ""3up2qoit"", ""timestamp"": 1694469487.0, ""content"": ""I am a pre-sales SE at a partner. I didn\u2019t do the SE academy. I learned everything from training classes as well as beacon. I have 3 PSE Profession certs as well as a few PCxxx certs. I didn\u2019t get them until after I started. But if you have a good foundation in networking, I\u2019d say check out SE positions at resellers or distributors.""}, {""user"": ""suz08"", ""timestamp"": 1694435022.0, ""content"": ""Regarding salary, that's something to speak to recruitment about. However Cyber is a very dynamic industry that requires you to learn new skills every 2 years. I'd always recommend people to consider a move into the sector and into any top tier vendor in the area.""}, {""user"": ""3wjdaezo"", ""timestamp"": 1694438338.0, ""content"": ""After more research, an Associate role really does look like a step backwards. I know I'm more than capable of learning Cyber on the job (I already have a couple certs) but there are no SE roles available in my city. 
I guess it's just not meant to be for now.\n\nThanks for the insights!""}]" +paloaltonetworks-54,"[{""user"": ""mozcvrcs"", ""timestamp"": 1694447130.0, ""content"": ""Title: Directory Sync association for Prisma Access is missing or incomplete.\n Body: Hi, I tried to add a new device, and I received this error on my Panorama 10.1.10-h2 in cloud\n\nPlugin VM-Seriesvm\\_series-2.1.11\n\nPlugin GlobalProtect Cloud Servicecloud\\_services-4.1.0-h20 \n\nI cannot find a solution, I already reboot it \n \n\n* Directory Sync association for Prisma Access is missing or incomplete.\n* Failed plugin validation\n\nThanks who could help me""}, {""user"": ""ao50hldk"", ""timestamp"": 1694479878.0, ""content"": ""Is directory sync association actually missing? Check the cloud services plugin >> configure >> Mobile Users (Then Remite networks if you\u2019re using it at all) >> I think onboarding? >> directory sync maybe??? And see if it\u2019s enabled\n\nGoing off memory here so the location names might be off but you get the jist if it""}, {""user"": ""mozcvrcs"", ""timestamp"": 1694507756.0, ""content"": ""Hi, I discussed with my senior colleagues and this is a temporary situation of Prisma.\n\n After going out for dinner, we returned, and the issues had disappeared""}]" +paloaltonetworks-55,"[{""user"": ""a0uw90njj"", ""timestamp"": 1694442087.0, ""content"": ""Title: GlobalProtect VPN won\u2019t load website on Google Chrome\n Body: Hello all, My company I work for uses Palo Altos GlobalProtect VPN which has been working fine since i\u2019ve been here until now. Pretty much one by one every day of the week another person working remote can\u2019t load websites on Chrome but it works fine on Edge. I\u2019ve had them delete cookies and cache, delete and reinstall Chrome and nothing has worked. 
Some people couldn\u2019t connect to sharepoint.com while connected to the vpn but when they disconnected it would work perfectly fine, which leads me to believe this is a firewall issue, but we haven\u2019t changed anything recently? Has anyone experienced this and does anyone have recommendations to fix?\n\nAlso to note i\u2019ve tried replicating this on my laptop by connecting to my hotspot and then connecting to the vpn and it works fine for me, so this is only happening to a select few.\n\nand i meant websites* the main problem is some of our internal sites won\u2019t load but some can\u2019t even get sharepoint to load""}, {""user"": ""8b4de"", ""timestamp"": 1694443721.0, ""content"": ""Usually when Edge works but Chrome doesn't, it's the quic app-ID. I think the browser is supposed to fall back to TLS, but if you can validate the traffic logs for a session where a user tried to hit a site in Chrome and can't get to it, see if the app is quic. The action may be deny / drop in a policy it's hitting for that App-ID.""}, {""user"": ""4h80c"", ""timestamp"": 1694442512.0, ""content"": ""Seems strange to me that Edge works as it's a Chromium-based browser. If you are not using split tunnel, have you ruled out DNS? It could be possible that Chrome is trying to do DNS over HTTPS and that might be getting blocked.""}, {""user"": ""8qk1un9z"", ""timestamp"": 1694446239.0, ""content"": ""I'll try to guess, maaaaybe a problem with the certificate? But it would be strange too because I think they have the same policy for it, if Firefox is the only one that doesn't work so it can be.\n\nIt would be usefull to have a packet capture from the computer when he try to open the portal from both Chrome and Edge, so you can check when it get stuck.""}, {""user"": ""vhclcucd"", ""timestamp"": 1694444612.0, ""content"": ""QUIC was my guess too. Guessing this is one of those times that desktop guys and the network guys are not on the same page. 
The network/infosec guys are probably not going to allow quic so it will be on the software/desktop guys to turn it off. Google can take it's quic and eff right off.""}, {""user"": ""11qli9"", ""timestamp"": 1694452829.0, ""content"": ""It\u2019s this I\u2019ve been seeing an uptick in these types of issues. The Palos are classifying quic as a threat and blocking it. We have a whitelist setup under URL to address it.""}, {""user"": ""zps23"", ""timestamp"": 1694484577.0, ""content"": ""Blocking it should be fine as long as you're Denying it and not Dropping it. Deny will tell the browser which should then fall back to normal.""}]" +paloaltonetworks-56,"[{""user"": ""jh6qu642o"", ""timestamp"": 1694418244.0, ""content"": ""Title: I would like to understand the difference between Advanced threat prevention and Threat prevention Licenses\n Body: I have **'advanced threat prevention'** and **'threat prevention'** licenses on my firewall. Renewal date is around the corner and I have a feeling that the two mentioned licenses are redundant. 
""}, {""user"": ""x04u8"", ""timestamp"": 1694426218.0, ""content"": ""The simplified answer is that Advanced Threat Prevention includes regular Threat Prevention and provides the Inline Cloud Analysis.""}, {""user"": ""i5gzh"", ""timestamp"": 1694427819.0, ""content"": ""The one costs twice as much as the other""}, {""user"": ""1j514bjk"", ""timestamp"": 1694543359.0, ""content"": ""TP is based on signatures generated from collected malicious traffic from various Palo alto network services it provides signatures for known malware vulnerabilities C2 APP-id and User-id\n\nATP has the features of TP with the additional cloud service that uses deep learning and machine learning to provide enforcement for evasive first-time-seen vulnerabilities and C2 threats\n\n​\n\nI was just studying this, this morning from the official PCNA study guide good i remembered whats writen""}, {""user"": ""7yor6"", ""timestamp"": 1694478062.0, ""content"": ""The advanced licenses are designed to extract more money from the customer.""}, {""user"": ""nycni"", ""timestamp"": 1694429550.0, ""content"": ""Having the ATP license grants you the rights to TP, so you\u2019ll see both licenses downloaded. Also, they are phasing out the TP SKUs.""}, {""user"": ""jh6qu642o"", ""timestamp"": 1694430146.0, ""content"": ""makes sense""}, {""user"": ""8e8pvsdc"", ""timestamp"": 1694438573.0, ""content"": ""Thought that was wildfire?\nI will have to look that up. Thank you.""}, {""user"": ""bf73y"", ""timestamp"": 1694490266.0, ""content"": ""Sounds like what an old Cisco diehard would have said when NGFWs came out... 
Do you think capabilities/protections don't need to evolve?""}, {""user"": ""jh6qu642o"", ""timestamp"": 1694507720.0, ""content"": ""I always feel like TP & wild fire have similar service offerings.""}, {""user"": ""atjmo"", ""timestamp"": 1694497486.0, ""content"": ""They have advanced WF now too IG""}, {""user"": ""7yor6"", ""timestamp"": 1694533425.0, ""content"": ""I'm all for new features but I feel like these should be included in the product I'm already paying for. Instead they've added cloud features to it, called it a new product and doubled the price.""}, {""user"": ""8e8pvsdc"", ""timestamp"": 1694524164.0, ""content"": ""Yeah I saw that and have no idea what the difference is.""}]" +paloaltonetworks-57,"[{""user"": ""7kj334b3f"", ""timestamp"": 1694411259.0, ""content"": ""Title: Pcnsa; which Beacon path did you guys study ?\n Body: I see a few ones is it just the edu 210? Do I need a voucher for full access?""}]" +paloaltonetworks-58,"[{""user"": ""ua88e460"", ""timestamp"": 1694396161.0, ""content"": ""Title: SDWAN planning, would Palo Support be able to help\n Body: Dear Friends,\n\nSeems all of our Pano managed firewalls are ready to move SDWAN planning, would Palo Support be able to help to plan and do the initial steps? \n\nThanks\nLarry""}, {""user"": ""4fpau"", ""timestamp"": 1694396425.0, ""content"": ""That's pro services typically.""}, {""user"": ""ntqtdiz9"", ""timestamp"": 1694398322.0, ""content"": ""Which SD-WAN? I\u2019m assuming PAN-OS SD-WAN based on the context, but just confirming.""}, {""user"": ""2iok9w7f"", ""timestamp"": 1694461034.0, ""content"": ""Agree. Find yourself a good Palo Alto partner. 
It will be cheaper than going PAN pro services.""}, {""user"": ""ua88e460"", ""timestamp"": 1694398556.0, ""content"": ""Yeah on-prem SDWAN over MPLS and Public IP etc, not the one with Prisima..""}]" +paloaltonetworks-59,"[{""user"": ""5pz4hc3j"", ""timestamp"": 1694358946.0, ""content"": ""Title: what material study do in need to ace PCCET ?\n Body: on palo site there is a pdf study guide of 268 pages is this enought ? ""}, {""user"": ""j43jipd0r"", ""timestamp"": 1694444961.0, ""content"": ""I think if you have hands on with Palo Alto firewalls then the study guide is enough. The bulk of the PCCET, for me, was knowledge of the different offerings from Palo Alto, what each is used for, and some basic networking questions. I used the study guide and CBT Nuggets but keep in mind that I'm in a Palo every day.""}, {""user"": ""144wwl"", ""timestamp"": 1694374475.0, ""content"": ""I took the PCCET about a month ago just to get in the testing mode for PCNSE.. honestly there isn\u2019t a lot of palo it\u2019s most general security if I remember correctly.""}, {""user"": ""5pz4hc3j"", ""timestamp"": 1694375978.0, ""content"": ""How was the exam for you? Was it easy?""}, {""user"": ""144wwl"", ""timestamp"": 1694376008.0, ""content"": ""Yeah, I didn\u2019t study but I\u2019ve also been working on Palo for about 10 years""}, {""user"": ""5pz4hc3j"", ""timestamp"": 1694379309.0, ""content"": ""well no wonder""}]" +paloaltonetworks-60,"[{""user"": ""7kj334b3f"", ""timestamp"": 1694300237.0, ""content"": ""Title: Pcnsa cert\n Body: What did you guys use to study for the PCNSA, I don\u2019t want to buy the instructor based 3000 dollar course. I did find this: link https://beacon.paloaltonetworks.com/student/path/642692-firewall-9-1-essentials-configuration-and-management?sid=88f82d65-6005-47e4-9446-c33fc5ab56fc&sid_i=4\n\nAnd the study guide. Is that good enough to pass? What materials do you guys recommend? 
They do not make it easy finding a good path to prepare.""}, {""user"": ""x48k1"", ""timestamp"": 1694322026.0, ""content"": ""I took the edu 200 training (free), worked the study guide, and had limited hands on experience.""}, {""user"": ""7kj334b3f"", ""timestamp"": 1694724154.0, ""content"": ""Found the cbt nugs torrent hit me up for link bitches \ud83e\udd19""}, {""user"": ""h8dz466w"", ""timestamp"": 1694343515.0, ""content"": ""Beacon is a great aide and free. I recommend starting there.""}, {""user"": ""b9jdun9zk"", ""timestamp"": 1694350801.0, ""content"": ""Beacon, study guide and i recommended Keith Barker videos for PCNSA(cbt Nuggets).""}, {""user"": ""7kj334b3f"", ""timestamp"": 1694356948.0, ""content"": ""How did you take the edu 200 training free?""}, {""user"": ""7kj334b3f"", ""timestamp"": 1694361768.0, ""content"": ""Is that link above what you used from Beacon? I wonder if there is a torrent for those cbt nugs""}]" +paloaltonetworks-61,"[{""user"": ""63zl7"", ""timestamp"": 1694278386.0, ""content"": ""Title: PA-220 seems to slow down but is then fine on reboot\n Body: I'm a bit stumped on how to troubleshoot this since when logging in the management plane seem to be responding fine and doesn't show any issues with CPU or memory use. But traffic will keep slowing down till speedtest will report it's in the 0.01mbps range.. (from 250mbps) But after a reboot it's back to normal. \n\nI suspect the issue is heat related since it started after relocating the device into our network rack. (and it's either passive or has a VERY quiet fan).\n\nSuggestions on what to check or try? 
I've got a 440 proposed for next year but need to wait till Jan1 to make the order.""}, {""user"": ""briif"", ""timestamp"": 1694282087.0, ""content"": ""I am willing to make a guess you are not running on 9.x and skipped the parts about 10.x being significantly slower in every conceivable way""}, {""user"": ""iqi7f"", ""timestamp"": 1694282086.0, ""content"": ""Have you opened a supoort case? Could be hardware issue""}, {""user"": ""kevpn"", ""timestamp"": 1694284564.0, ""content"": ""Knowing PAN-OS version is usually a requirement for this kinda stuff""}, {""user"": ""63zl7"", ""timestamp"": 1694449321.0, ""content"": ""What is this stack exchange? I'm on 9.1.16. Not leaving 9.1 till I get different hardware.\nhttps://imgur.com/a/0n9jgAm""}, {""user"": ""63zl7"", ""timestamp"": 1694449427.0, ""content"": ""That's likely to be my next move. Unfortunately it's been sporadic so I'm not sure if I should open one when it's working or, or try to time it for when the internet is out. (it's also only happened 3 times in the last 6 months, which is WAY more than acceptable, but pretty hard to \""catch\"")""}, {""user"": ""63zl7"", ""timestamp"": 1694305146.0, ""content"": ""Oh right. Most current 9.1 version.""}, {""user"": ""8qk1un9z"", ""timestamp"": 1694440960.0, ""content"": ""Do you upgrade it recently? Try to downgrade to the precedent version""}]" +paloaltonetworks-62,"[{""user"": ""1erblxul"", ""timestamp"": 1694259179.0, ""content"": ""Title: Endpoint HIP logs\n Body: Is there a way to disable or hide the HIP parts in PanGPS log? 
We don't want our \""creative\"" employees to be able to see what we are trying to capture.""}, {""user"": ""ao50hldk"", ""timestamp"": 1694282752.0, ""content"": ""No""}]" +paloaltonetworks-63,"[{""user"": ""7gfh1mxh"", ""timestamp"": 1694244097.0, ""content"": ""Title: Cortex XDR Install during SCCM OSD\n Body: Hello, \n\n​\n\nI am running into a bit of a snag here - We are in the process of a POC for Cortex XDR and testing integrations into our normal workflows. One of the things we do is install all security software during a SCCM OSD task sequence. This just makes it easier to get a system up and running quickly. I followed the guide Palo Alto has on their site to get XDR added in as an application and when I test the OSD deployments out on my VM, it fails every time as it installs Cortex XDR with an error code that states the log file location could not be accessed, but I don't have logging enabled for the install. I tested with it again with verbose logging and still was receiving the same error. Has anyone been able to get it to install during an OSD or is this something we should have as a post image task? ""}]" +paloaltonetworks-64,"[{""user"": ""jb3o0ts8w"", ""timestamp"": 1694203563.0, ""content"": ""Title: Best way to bulk move DG objects to Shared when some of them already exist?\n Body: Hi all,\n\n I have a situation where I need to move nearly 4000 objects from a device group to shared. The problem is that nearly 50% of them are duplicated both in the device group and the cloned group, so I can't just highlight the entire list and move them to shared (it will say \""This address is already in use\"").\n\nDoes anyone have any ideas on how to speed this process up? Maybe a way to do this faster via CLI? Going one by one on each object and trying to move it will take a very long time. I wish there was a way to move all of the objects into the shared group but just ignore the ones that already exist in there. 
""}, {""user"": ""zlbzd"", ""timestamp"": 1694212612.0, ""content"": ""Expedition is the way.""}, {""user"": ""jb3o0ts8w"", ""timestamp"": 1694438558.0, ""content"": ""Ty all, so it sounds like I have multiple options - Expedition, CLI, and PHP scripting. I will try CLI for now.""}, {""user"": ""7ucaq"", ""timestamp"": 1694204739.0, ""content"": ""CLI is the way. make sure you do a \""cli scripting-mode on\"" to let putty do its thing with that many commands.\n\nset cli config-output-format show\n\nshow\n\n*find relevant section*\n\nCopy into Notepad++, Ctrl+H for proper commands\n\ncopy and paste back into CLI""}, {""user"": ""shq4z6me"", ""timestamp"": 1694213481.0, ""content"": ""#pan-os-php""}, {""user"": ""gpf65"", ""timestamp"": 1694206458.0, ""content"": ""I would think that should read\n\nset cli config-output-format set\n\nconfigure\n\nshow\n\n​\n\nYou probably need to make some bulk changes to move from a DG into Shared. I love using notepad++. You can hold the alt button and select by column and then just change the highlighted text all at once to Shared\n\n​\n\nAlso if you are trying to find a specific area from the cli you can do show | match 'match term'\n\nOnce you find the area you are interested in then just run the show command with more specific section listed\n\nie.\n\nshow device-group 'DG name'""}, {""user"": ""29l079c7"", ""timestamp"": 1694222191.0, ""content"": ""THIS! \n\n\nI use this ALOT and it's great. 
You want to use the address-merge function /u/Fungman1 .""}, {""user"": ""jb3o0ts8w"", ""timestamp"": 1694440237.0, ""content"": ""Hey - couple questions - does\n\n*set cli config-output-format set*\n\naccomplish the same thing as\n\n*cli scripting-mode on*\n\nThey both seem to bring me from xml format to set format?\n\n​\n\nAlso one other thing, the syntax of the shared addresses and device group addresses is a little different -\n\n\""set shared address *address*\""\n\nvs\n\n\""set device-group *device-group* address *address*\""\n\nI don't want to clone everything from the DG to shared, I just want it moved. Will I have to do the set shared address command on all of my addresses first, and then \""no set device-group\"" command afterwards on those addresses?""}]" +paloaltonetworks-65,"[{""user"": ""3ja98pd6"", ""timestamp"": 1694215175.0, ""content"": ""Title: PA-410 vs Fortinet 40F\n Body: What would you say are the main differentiators to the 2 products? How do the specs compare?""}, {""user"": ""eq4blh7ao"", ""timestamp"": 1694258660.0, ""content"": ""Fortinet is straight trash compared to Palo, from an interface to CLI perspective. Get the company onboard with Palo.""}, {""user"": ""8k029"", ""timestamp"": 1694223728.0, ""content"": ""Just an FYI, the PA-410 is the ONLY PA firewall that doesn\u2019t do on-box logging. Zero onboard log storage, so you need to have something else to log to (Panorama, SIEM, Cortex Data lake, syslogd, etc).\n\nIf you are a cafe and want one firewall, you should go PA-440.\n\nIf you have 1,000 retail branches, you should have the supporting infra so the 410 would be fine.""}, {""user"": ""3ehm8kce"", ""timestamp"": 1694329932.0, ""content"": ""you should ask the same question in the Fortinet reddit sub to get a full picture :-)""}, {""user"": ""4gigy"", ""timestamp"": 1694361751.0, ""content"": ""So is the only worthwhile firewall Palo then? If Fortigate is trash then checkpoint must be sewage and firepower nuclear waste. 
If the only firewall worth using is Palo we have a monopoly and should be concerned.""}, {""user"": ""5uekzbgu"", ""timestamp"": 1694417702.0, ""content"": ""Really? From interface and GUI? Really?""}, {""user"": ""3ja98pd6"", ""timestamp"": 1694224210.0, ""content"": ""It\u2019s for multiple retail stores. Debating between the 410s and the Fortinet 40F. Franchise so price will play a part although Palo is competing price wise. Just curious what the pros cons of each are.""}, {""user"": ""i5gzh"", ""timestamp"": 1694237374.0, ""content"": ""This isn\u2019t 100% accurate. There is logs for everything not from the data plane so: Configuration, System, Alarms logs are there.""}, {""user"": ""3ja98pd6"", ""timestamp"": 1694350891.0, ""content"": ""Good idea!""}, {""user"": ""eq4blh7ao"", ""timestamp"": 1694378075.0, ""content"": ""We should be concerned, Firepower is equally as shitty, addons are expensive and cumbersome, CLi is fine. Checkpoint is decent at best for small business or bottom of the barrel decent UI/CLI.""}, {""user"": ""eq4blh7ao"", ""timestamp"": 1694459449.0, ""content"": ""Absolutely, it\u2019s god awful to work with, poorly laid out, I could go on.""}, {""user"": ""8k029"", ""timestamp"": 1694224611.0, ""content"": ""If you have 4 or fewer APs/PoE devices, a PA-415 is the same performance as the 410 but has on box logging, 4 PoE ports, dual power supplies, and an SFP port (which I have tested with the Proscend 180-T VDSL SFP and seems to work fine).\n\nSo may save you the cost and management overhead of a PoE switch.\n\nI prefer Palos over Fortinet, I find that if you\u2019re turning on lots of the security features then the performance on Palo isn\u2019t impacted as much as Forti.\n\nIf you\u2019re just doing straight FW, then probably not much in it.""}, {""user"": ""2z38uxaj"", ""timestamp"": 1694225653.0, ""content"": ""Do you know where cost of the 415 falls? 
More or less than a 440?""}, {""user"": ""37ve4gbk"", ""timestamp"": 1694234101.0, ""content"": ""415 was overpriced last time we quoted this out for my customer. Not worth the premium for the single SFP port.""}, {""user"": ""37ve4gbk"", ""timestamp"": 1694234470.0, ""content"": ""It costs \\~$200 list more with the specs of a 410. The premium also extends to the subs too.""}, {""user"": ""e6qh3"", ""timestamp"": 1694262195.0, ""content"": ""The 415 is more than a 440.""}, {""user"": ""2z38uxaj"", ""timestamp"": 1694270541.0, ""content"": ""Thank you""}, {""user"": ""2z38uxaj"", ""timestamp"": 1694270598.0, ""content"": ""Thank you""}, {""user"": ""2z38uxaj"", ""timestamp"": 1694270304.0, ""content"": ""Thank you""}]" +paloaltonetworks-66,"[{""user"": ""cb6pttw0g"", ""timestamp"": 1694186912.0, ""content"": ""Title: PCNSE PAN-OS Version\n Body: Hello guys, \n\nMy question is if the PCNSE is already for PAN-OS 11 or it is still about 10.x?""}, {""user"": ""p1pda"", ""timestamp"": 1694201520.0, ""content"": ""11.0. Lots of questions on new stuff.""}, {""user"": ""j43jipd0r"", ""timestamp"": 1694203930.0, ""content"": ""Took it last week, there was some 11 on it.""}, {""user"": ""6gexp"", ""timestamp"": 1694262850.0, ""content"": ""Mostly 10.2 with a bit of 11 new features mixed in.""}, {""user"": ""4va2fgn7"", ""timestamp"": 1694345085.0, ""content"": ""Was it difficult?""}, {""user"": ""j43jipd0r"", ""timestamp"": 1694345482.0, ""content"": ""I found it very difficult. Our FWs are on 10.x and I feel pretty confident there. But there were a lot of questions on web portal, NAT questions that I felt could go multiple ways, and quite a few of those where they show a screenshot of the GUI and you have to figure out which answer it\u2019s correct. I usually can\u2019t even make out the screen on those. Too blurry and the entire screen never fits on the monitor at the test site. 
Also, feel like there were a lot of questions for the time allotted.""}]" +paloaltonetworks-67,"[{""user"": ""a0tw8eaf"", ""timestamp"": 1694189989.0, ""content"": ""Title: URL category being skipped\n Body: We just setup kerberos sso auth, that\u2019s working good. we have a pre rule for zoom, source is all users, application is ssl, zoom and zoom-info, URL category is *.zoom.us and *.zoomgov.com. \n\nWhen we try to use zoom phone or just connecting to zoom it\u2019s skipping this rule and going to our post rule explicit deny rule. \n\nIt hits the zoom rule for ssl 443 just fine for some of the same URLs as below. \n\nIt shows up as zoom-meeting 8801 which is within the zoom application and the URLs come across as .zoomgov.com URLs\n\nI have tested this and if I remove the URL category it will work no problem. \n\nWe also have another post rule for YouTube and it\u2019s doing the same thing. If I keep just my URL category it doesn\u2019t work, if I add palo\u2019s predefined \u201cstreaming media\u201d then it works. \n\nAny ideas? 
I have had a ticket with Palo and they can\u2019t figure it out either yet.""}, {""user"": ""47db6"", ""timestamp"": 1694204638.0, ""content"": ""One thing to try:\n\n\\-Separate the zoom app rule from the ssl rule, placing the zoom rule above the ssl rule and keeping your custom URL category in the ssl rule, but the zoom rule set to 'Any' (no URL category)\n\nI think the way it works is, the palo will initially see the traffic as ssl and allow it based on your url category, then once it has seen a few packets it can identify the app as zoom and do the 'app shift', re-evaluate the traffic against the zoom rule, which should let it continue.\n\nThe only other thing i can think of is that custom URL categories do not work with the zoom applications.""}, {""user"": ""ao50hldk"", ""timestamp"": 1694202547.0, ""content"": ""Take pcaps, find the SSL handshakes for each session, find the SNI value in each client hello.\n\nIs it *zoom.com or *.zoomgov.com?\n\nIf yes then there\u2019s a deeper issue, if not, then there\u2019s your issue.""}, {""user"": ""474w3zgp"", ""timestamp"": 1694444181.0, ""content"": ""I see all my zoom-base application traffic with destination-port 443. It is not resolving the destination URL, but shows IP address 170.114.15.x. Have you tried a security policy based on application?""}, {""user"": ""1oj2b1xo"", ""timestamp"": 1694321469.0, ""content"": ""Couple of extra checks:\n\n to see if you have any ports configured under Service. We\u2019ve had a few where the firewall team keep selecting the https-443 port object under service so the match fails when the application try\u2019s to use another port even though it\u2019s part of the app-ID profile.\n\nAlso check the URL filter profile you have assigned to the policy too. 
Again people selecting url profiles in override policies that block say \u201cshareware and freeware\u201d while trying to match a URL Category list with giphy.com/ (need to do this for customers using Teams)""}, {""user"": ""a0tw8eaf"", ""timestamp"": 1694445610.0, ""content"": ""Mine resolves the URLs normally to something like x-x-x-x-zoomgov.com where x is the ip address. Or it resolves to zoomsva3zc.zoomgov.com has no issue with the SSL application I\u2019m allowing but always skips the rule for zoom application that uses 8801, I also have another rule below this one that is using the same URL category but using the ports udp 8801 instead of application and it\u2019s skipping that one as well.""}]" +paloaltonetworks-68,"[{""user"": ""gfle6x2w"", ""timestamp"": 1694181798.0, ""content"": ""Title: IP Sec Tunnel - having to add irrelevent Proxy IDs to keep the tunnel up\n Body: Hello, we have noticed that if we don't add Proxy IDs to an IP Sec Tunnel for all of our VPN Subnets, then we have issues down the line. For example, let's say we have just setup a new VLAN with the subnet of [10.113.1.0/24](https://10.113.1.0/24) and we want to add it to our Palo VPN (which has a subnet of 192.168.96.0/24), we find that we can't just get away with adding one proxy ID from the site to the Palo, but we have to add one for all our other VPN locations. Is anyone able to clarify this?""}, {""user"": ""5u04b"", ""timestamp"": 1694184039.0, ""content"": ""Without knowing what's on the other end of the tunnel it's impossible to say. Route based VPNs do not need Proxy IDs""}, {""user"": ""16p19w"", ""timestamp"": 1694220738.0, ""content"": ""It\u2019s purely a compatibility thing, if the other end is a Palo you should be able to get rid of them on both sides as they support route based. 
The use of proxy IDs is smoke and mirrors to appease policy based VPN appliances on other end or systems that may require specific non-wildcard proxy IDs.""}, {""user"": ""h8df04r1"", ""timestamp"": 1694184630.0, ""content"": ""You either run dynamic routing protocol over it or you add proxyid .... It needs traffic to keep tunnel up ...otherwise its on demand .. the proxy id is used to create phase 2 if no routing is there ...""}, {""user"": ""ao50hldk"", ""timestamp"": 1694202358.0, ""content"": ""If there\u2019s proxy IDs, (aka route based in the other side) it has to match both ends to negotiate properly. If you really don\u2019t want those proxy IDs, remove them from both sides of the tunnel.""}, {""user"": ""iwlnp"", ""timestamp"": 1694386054.0, ""content"": ""There is a lot of info in this thread, and there are some that are more correct than other bits.\n\nProxy ID serves a few puposes:\n\n\\- If you want multiple VPNs with the same remote IKE peer then proxy ID is needed.\n\n\\- If you have a peer that requires a proxy ID to be given (wether correct or not that is needed), then you need to be able to match it.\n\n\\- Per the Rf>cs the proxy ID is only used during the establishmen of the tunnel (IPsec/phase 2), but if it is present it has to match the peer. Not all other firewalls allows you to omit the proxy ID and it will supply at minimum a \""0/0\"", then you need to match it.\n\n\\- A lot of people mix up proxy ID with traffic selectors. This can also bite.""}, {""user"": ""y7eds"", ""timestamp"": 1694319952.0, ""content"": ""Why not. Just cause the Palo doc says that. If you have no proxy id you leave yourself open to any traffic coming down the VPN""}, {""user"": ""y7eds"", ""timestamp"": 1694320026.0, ""content"": ""I'm not sure that's 100% true we use proxy id to filter what traffic is allowed over there""}, {""user"": ""nycni"", ""timestamp"": 1694227103.0, ""content"": ""Either way, it needs a route in the forwarding table. 
Also, it works with static routes.""}, {""user"": ""16p19w"", ""timestamp"": 1694377858.0, ""content"": ""It will still route traffic through the tunnel regardless of the proxy id, I just went through an issue around this causing issues.""}, {""user"": ""16p19w"", ""timestamp"": 1694378312.0, ""content"": ""I do think you can use policy based forwarding along with proxy ids to make it work but if you are just using regular routing tables it will not. I would validate if I was you to make sure. You could easily test with just some ICMP to an address that doesn\u2019t have a Proxy ID.""}]" +paloaltonetworks-69,"[{""user"": ""1yymo6u8"", ""timestamp"": 1694168711.0, ""content"": ""Title: Disable port 80 on Global Protect interface\n Body: Hello,\n\nAs post title says, I'm trying to gracefully disable GP portal service listening on port 80 on the outside interface for Global Protect termination. I know it gets redirected to HTTPS, but vulnerability scanners are failing me in the report due to redirect manipulation possibility.\n\nIs there any way to do it system wide, or do I have to go caveman and just filter it out in FW policy rules?""}, {""user"": ""5gj3sjhny"", ""timestamp"": 1694176218.0, ""content"": ""The correct and only way to deal with this is security policy. You should have a rule that explicitly allows access for SSLVPN using the necessary apps, and anything else should hit an implicit deny at the bottom of your rule base. \n\nIf you don\u2019t need to have the portal page, you can disable it.""}, {""user"": ""104io1"", ""timestamp"": 1694186053.0, ""content"": ""We put the GlobalProtect Gateways on a Loopback interface. We control access to the loopback via NAT rules and security policies. \n\nThe added benefit is that it make deployment via a template a bit easier.""}, {""user"": ""1yymo6u8"", ""timestamp"": 1694178130.0, ""content"": ""Thanks for the input. 
I can disable portal page, but the web service listening on port 80 will still be up, just show 404 instead of landing page and that won't cut for scanner.\n\nI do have exclusive implicit deny configured in the end between all to all, but it does not apply to GP portal. Connections opened to its 80/443 port do not show up in standard traffic logs either. I can see successful GP client connections in GlobalProtect log page though.\n\nSeems like connections destined to the firewall itself are not evaluated by security policy, only forwarding plane \""through it\"" gets there.""}, {""user"": ""3uqxds9f"", ""timestamp"": 1694190306.0, ""content"": ""Every packet to and across the firewall must match a security policy. Packets to port 80/443 of the firewall are matching the intra zone allow and you're not seeing it in your Iogs because the default intra zone doesn't have logging enabled. \n\nAdd a specific intra-zone rule blocking port 80 and it will fix your issue""}, {""user"": ""5gj3sjhny"", ""timestamp"": 1694189109.0, ""content"": ""Not sure why you would be seeing the 404 for traffic going to port 80. That isn't needed for GlobalProtect, so I would review the rule you have allowing GP access, or create a supersceding rule to explicitly block the port 80 traffic to you GP portal IP.\n\n​\n\nThis situation is a bit of a pain in the ass. I have gone through this excercise about 5 times this year with various clients and different auditors.\n\nConversation generally goes like this...\n\nThey ask why that IP is responding on 443 fom any internet IP.\n\nI explain how it would be impossible to know the IPs our users will connect to VPN from, and this is only for portal access which is to download app settings, blah blah blah.\n\nThis goes back and forth a few times and eventually we get through it.\n\n​\n\nHere is what you should do for the auditors and best practice:\n\n* Use SAML with an IdP. 
This is a hard fail if you're not doing it.\n* Unless you have a need for using the GP portal such as clientless VPN, disable it. Doesn't do much for an audit, but it's slightly more secure.\n* Provide screenshots showing how going to the portal web page redirects to your IdP where authentication is enforced and MFA is mandatory. This generally satisifes most auditors.\n* If you can lock down the access to the portal by country, that is a big help to show them. If you are a US based company only expecting employees connecting from the US, only add that as a source country. You could also approach it from the other direction where you block access from countries like North Korea, Russh, China, etc. but you should already be doing that, and it's better to explicitly allow from a source rather than to block specific sources.\n\nIf you really need to secure the hell out of the portal, spin up a FW in AWS, Azure, GCP, etc. and dedicate it to your portal. You can explain what the portal does in the GlobalProtect architecture and how it is 100% air gapped from your company resources.""}, {""user"": ""8e8pvsdc"", ""timestamp"": 1694179809.0, ""content"": ""I would love to know as well. A couple versions ago they removed the ability to fully disable the portal page and now the pci scanners all flag it. I end up putting in an exception but that gets annoying after a few submissions.""}, {""user"": ""bf73y"", ""timestamp"": 1694191871.0, ""content"": ""If you go to your session browser (not the logs) and filter on the Portal IP, it should show the rule it is using. I see it all the time where someone doesn't realize their GP traffic is hitting the \""intrazone-default\"" because the IP lives on the public facing interface/zone and so it is Untrust/outside to Untrust/outside. 
And the default rules do not have logging enabled by default.""}, {""user"": ""g0057"", ""timestamp"": 1694195434.0, ""content"": ""There are other ways of allow listing mobile VPN connections, one such way is if you're using a tool such as NinjaRMM Agent which reports back the public IP of a system. You can then have a scheduled task that runs a powershell script that enumerates a security group in AD for computer account names and then query the Ninja API for them and pulls out the public IP.\n\nYou then dump those into a text file and upload to a locally hosted gitlab server, have the file address used as an EDL on the firewall and apply that as the source address.\n\nIf your scheduled task runs every 5 min and your EDL is set to 5 min updates, you'll basically need to wait a max of 10 mins after getting a new public IP before you can connect through.\n\nYour MFA provider can help to protect the auth, on a successful auth you can then have your HIP profiles on your security rules to ensure those systems are what they should be.""}, {""user"": ""1yymo6u8"", ""timestamp"": 1694180144.0, ""content"": ""I'm also undergoing PCI certification and external scanner just fails the vuln. assessment scan, because of this pseudo redirect, which will never manipulate anything in principal, as there is no user content anyway.""}, {""user"": ""5gj3sjhny"", ""timestamp"": 1694197257.0, ""content"": ""Of course you could do something like that, but that is a cluster fuck to deal with unless you hate your help desk. The expectation of a user understanding that sometimes they will try to connect to vpn, but it won\u2019t work for up to 10 minutes, and that is expected is a pipe dream in my opinion. Security is always a balancing act and IMO that is going way too far. 
If you\u2019re doing that, get rid of VPN and use Citrix or something similar.""}, {""user"": ""g0057"", ""timestamp"": 1694207306.0, ""content"": ""It's really simple, the powershell script outputs logging info and helpdesk only need to look in the security groups for both the allow list and for permission to even auth (you're not using All on your GP portal/gateway for auth, are you?) in AD to make sure they have their user and computer accounts in the right place.\n\nIf the groups are fine, then it's a case of telling the user to wait harder. I can imagine it would be a bit of a nightmare if you're dealing with thousands of users, but a few hundred? It's not an issue.""}]" +paloaltonetworks-70,"[{""user"": ""3ngl1xj6"", ""timestamp"": 1694193291.0, ""content"": ""Title: Anyway to Turn Off Configuration Validation?\n Body: I am failing commits on my firewalls because of some overrides that are needed on one of our clusters. When trying to make changes, the changes fail because of IP addresses being \""invalid\"". Long story short, we are trying to migrate from one backup ISP to another. The interface that it comes in on is overridden and it can't be reverted to Panorama. Now, trying to restore values to previous values and commits fail due to \""invalid\"" IP addresses.\n\nI'm incredibly frustrated with Palo Alto's firewalls. Cisco I could build NAT rules or IPSec tunnels using IP addresses that don't exist on the firewalls in preparation. With PAN, if the IP isn't configured on an interface, you can't use the config. Its the dumbest thing I've ever had to deal with. Let ME, the engineer, tell YOU what IPs are being peered with or used...I don't care if they don't exist on an interface...they will eventually. There is no reason these configurations shouldn't be valid. It seems in PAN's infinite attempt to dumb down firewalls and make them idiot proof, they've taken the ability for engineers to build things on the fly and in preparation. 
\n\nSo, orignal question...can I turn off configuration validation and FORCE values to be put on IPSec tunnels and NAT rules without them existing on interfaces?""}, {""user"": ""ao50hldk"", ""timestamp"": 1694202272.0, ""content"": ""no\n\nIt makes to me, but I guess I\u2019ve been using Palo for a while, and \u201csafety\u201d features like this makes sense. logically this configuration CANT work if it\u2019s referencing a non existent piece. The running config won\u2019t be able to perform its actions specific, \n\nThis is actually put in to make it idiot proof, to avoid people using config that doesn\u2019t exist, then complaining why it doesn\u2019t work if it\u2019s put in there (let\u2019s say NAT or IPSEC). \n\nWhy can\u2019t the config be reverted? or better yet, why not just make all of the template config local? It\u2019s a click of a button and no impact some to production as it\u2019s just pulling the config and making it local.""}]" +paloaltonetworks-71,"[{""user"": ""j8q7q81mp"", ""timestamp"": 1694121026.0, ""content"": ""Title: Authentication Failed\n Body: After going through the whole process of entering the portal, going through logging on and the authentication process, the screen pops up that says \"" When you see the dialog on the browser, click **Open GlobalProtect**. If the dialog does not appear, click here to launch GlobalProtect.\"" and GlobalProtect starts saying \""Connecting\"" and that goes on for a while (5-10 minutes maybe) until finally the browser opens back up and says \""Authentication Failed\""\n\nMy login for GlobalProtect works on other user profiles, and on my personal pc, but not my user profile on my work pc. I sat with our IT department for hours today troubleshooting and have come up with nothing other than it has to be something on my user profile's setting.\n\nWas hoping to get SOME direction here. Anything is helpful! Thank you in advance. 
""}, {""user"": ""shq4z6me"", ""timestamp"": 1694135934.0, ""content"": ""There a particular reason you have GP set to use \u201cdefault browser\u201d versus the native GP browser found on the agent?\n\nOtherwise this is a browser issue. I would clear/reset your default browser so you get the notification to open GP and also the little check box to always trust/open GP on following conditions. But I still recommend not using default browser and use native GP browser.""}, {""user"": ""91wqd"", ""timestamp"": 1694129678.0, ""content"": ""If you can post an error message from your PanGPS.log on your device, that might be helpful in understanding what is happening. \n\nHow is your authentication configured for the portal and gateway? What type of authentication profiles do you have set up? You can authenticate users multiple ways. For example you can use SAML, LDAP, Kerberos or certificate based authentication.""}, {""user"": ""ss7ye"", ""timestamp"": 1694199011.0, ""content"": ""When it gets stuck, have you clicked on the \""Click Here\"" link to manually send the SAML response back to the GP client? If you have and it's still not authenticating, then the GP logs are your friend. Or just get your IT folks to blow away your profile on that machine and start over. Might be a whole lot faster than spending hours tracking down an obscure issue.""}, {""user"": ""j8q7q81mp"", ""timestamp"": 1694174312.0, ""content"": ""It's how my company has it set up unfortunately so I'm not 100% sure what their reasoning is""}, {""user"": ""j8q7q81mp"", ""timestamp"": 1694175514.0, ""content"": ""I can't access the PanGPS.log file. It says \""Windows cannot find 'C:\\\\Program Files\\\\Palo Alto Networks\\\\GlobalProtect\\\\PanGPS.log'. 
Make sure you typed the name correctly, and then try again.\"" When I click on the file and when I right click and go through the open with option.""}, {""user"": ""shq4z6me"", ""timestamp"": 1694135658.0, ""content"": ""It\u2019s obvious he\u2019s using SAML and GP is set to use default browser since he\u2019s getting a browser prompt to launch GP.""}]" +paloaltonetworks-72,"[{""user"": ""eo1zs"", ""timestamp"": 1694103512.0, ""content"": ""Title: Deleting or cleaning up pending \""Push to Devices\""\n Body: I'm involved in a project that includes a handful of firewalls managed by Panorama. There are lingering changes made by other admins (no longer with the company) that seem to have already been committed to Panorama a while back.\n\n I don't know what those pending pushes include, there are changes to Device Groups and Template Stacks but not able to see the specifics. My thought process to clean up those pending pushes is to make the pushes and revert to a named snapshot of the current running config. Open to suggestions or other factors to consider.""}, {""user"": ""91wqd"", ""timestamp"": 1694130371.0, ""content"": ""I wouldn't perform the push to the devices if you're not sure what they will do or the settings that will change. If you know the settings you need to have, you can create new device templates and device groups and reassign the firewalls to the new templates/template stacks and device groups. Its basically rebuilding everything in Panorama from scratch but its the cleanest way to do it if you're not sure.\n\nYou could also look at the previous commits in Panorama and restore the running candidate configuration to back before each of the commits your not sure of took place and verify the settings in the template/device group. 
Then when you are sure that everything in the existing template/device group is set correctly, do a full push to the firewall and you'll be back in sync.""}, {""user"": ""nuvdltb"", ""timestamp"": 1694132218.0, ""content"": ""You can't see the changes by doing a diff in panorama of the pending configuration vs the existing deployed configuration?""}, {""user"": ""eo1zs"", ""timestamp"": 1694633205.0, ""content"": ""Update: I was able to view the changes in the GUI, found them to be harmless or not applicable (different lines in the XML file and such), and did a full push.\n\nThere were still some lingering changes in the push under the \""share-object\"" Push Scope which I found to be an existing cosmetic bug: [https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000kGhiCAE](https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000kGhiCAE)\n\nAlready got approval to do a quick OS update to 10.2.5""}, {""user"": ""80fgg321"", ""timestamp"": 1694132438.0, ""content"": ""You can preview what it wants to push down from panorama. Are the devices out of sync with panorama when you look at the firewalls under managed devices?""}, {""user"": ""eo1zs"", ""timestamp"": 1694136094.0, ""content"": ""Too much was done after his commit, unfortunately. His were just ignored as others made changes, committed and pushed without his changes selected. And rebuilding is going to be a hard sell for this client.\n\nIf I save the current running config that exists in Panorama which is apparently working for the client, I can't use that to commit and push after pushing this ex-employee's changes? The current state of what we see in Panorama (Templates, TStacks and Device Group settings) are fine atm.""}, {""user"": ""eo1zs"", ""timestamp"": 1694134972.0, ""content"": ""It's already been committed by the past employee but for some reason wasn't pushed. 
The most I can see is the push scope and object type that's ready to be pushed to the specific devices.""}, {""user"": ""eo1zs"", ""timestamp"": 1694135621.0, ""content"": ""Devices look to be in sync with Panorama atm. At best I can look at the Logs > Configuration with a filter for his specific username. I can view his history, full path of the config, and a simple before/after change in the logs but I can't tell which of these commits are part of the push in question.""}, {""user"": ""nuvdltb"", ""timestamp"": 1694136097.0, ""content"": ""You can try logging into panorama via the cli and doing:\n\n​\n\n~~show config push-scope device-group ~~\n\n~~and/or~~\n\n~~show config push-scope template-stack ~~\n\n​\n\n~~and then see what is pending on panorama to be deployed to the devices (I believe) It's been a minute since I've done this via CLI.~~\n\nThe above is not correct. I'll keep digging but it may be easier just to export the config of panorama and look at what is setup for that device and compare.""}, {""user"": ""80fgg321"", ""timestamp"": 1694194585.0, ""content"": ""So when you click push to devices, then select the devices under either device config or template, then click preview changes, or shows a blank screen with no proposed changes?""}, {""user"": ""eo1zs"", ""timestamp"": 1694192701.0, ""content"": ""Honestly, that helps quite a bit. I can instead use\n\nshow config push scope admin \n\nThis displays what I believe to be the lingering configs waiting to be pushed. It's not incredibly descriptive but gives me a clearer picture on what is being changed (log settings, objects, etc).""}, {""user"": ""eo1zs"", ""timestamp"": 1694207167.0, ""content"": ""And just like that, I learned something that seems simple...yes when looking at the individual device groups and templates, I see the icon to preview the changes. Now I can see the line diff related to Device Groups and Templates. 
There is a Template and Device Group Pair (same vsys in the firewall) that is out off sync.\n\nGoing to go through this and see what the client want to do with this pending push. Greatly appreciated!""}, {""user"": ""nuvdltb"", ""timestamp"": 1694603546.0, ""content"": ""I wonder if also these would help.\n\nshow config list changes partial device-group \\[device-group-for-that-fw\\]\n\nand\n\nshow config list changs partial template-stack \\[template-stack-for-that-fw\\]""}]" +paloaltonetworks-73,"[{""user"": ""vcyenh35"", ""timestamp"": 1694118825.0, ""content"": ""Title: Expedition tool export to Panorama\n Body: Hello,\n\nhave you ever succesfully exported config to Panorama from expedition tool? \n\n\nWe have 2 configs from Cisco in expedition tool and each config needs to be exported to a different template/device group in Panorama. \n\n\nI can succesfully connect expedition tool to Panorama (pan os 11.0.2), but I am not able to drag and drop vsys from expedition to Panorama. Only zones are shown as merged in Panorama.\n\nI did not try to connect expedition to FW, as FWs are already managed by panorama and I am afraid of current existing config on FWs. I am not sure, if I will be able to merge config on FW with panorama in case I will upload the xml file to FW directly. \n\n\nI would rather fix importing config to panorama from expedition tool.\n\nAnyone has any kind of experience?\n\n \nThank you!\n\n​""}]" +paloaltonetworks-74,"[{""user"": ""7m4fg2wbv"", ""timestamp"": 1694100359.0, ""content"": ""Title: Firewall not Forwarding Logs to Panorama\n Body: Dear all,\n\nI have configured log forwarding on the firewall and a log collector on the PN. 
The PA NGFW only sends traffic, threat, and system log to the PN.\n\nThe connection status between NGFW and PN is normal, and the ports are not restricted.\n\nFW&PN Version: 10.2.4-h4\n\nI refer to kb for equipment and still haven't solved the problem, If anyone has experienced any of the above symptoms or knows a solution, please share with me. Thanks!\n\n[https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClFCCA0](https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClFCCA0)\n\ntom@PA-3220-1> debug management-server log-collector-agent-status\n\n​\n\nLogcollector agent status\n\n\\-------------------------------------------------------------------------------\n\nSerial IP Address Connected Last Disconn Time Failed conns\n\n\\-------------------------------------------------------------------------------""}, {""user"": ""7m4fg2wbv"", ""timestamp"": 1694100839.0, ""content"": ""PN cannot obtain traffic and threat log, but system log can be obtained.""}, {""user"": ""7m4fg2wbv"", ""timestamp"": 1694102120.0, ""content"": ""I reconfigured the PN log collector group, the traffic log can be seen, but the threat log is still not visible""}, {""user"": ""6gexp"", ""timestamp"": 1694102309.0, ""content"": ""Fixed in 10.2.5\n\nPAN-221881\n\nFixed an issue where log ingestion to Panorama failed, which resulted in missing logs under the Monitor tab.\n\nCould be your issue.""}, {""user"": ""10ceo3"", ""timestamp"": 1694101382.0, ""content"": ""Are your rules configured to log, and using the right log forwarding profile?""}, {""user"": ""29l079c7"", ""timestamp"": 1694104098.0, ""content"": ""Do you have a threat policy on the rule(s)?""}, {""user"": ""7m4fg2wbv"", ""timestamp"": 1694102557.0, ""content"": "">PAN-221881\n\nHI friend, you can't make fun of me, I can't believe what you said, oh no...""}, {""user"": ""7m4fg2wbv"", ""timestamp"": 1694101553.0, ""content"": ""yes, The NGFW is connected to the PN through the mgt interface, 
and there is no policy control and the rule associates the log forwarding configuration to the PN.""}, {""user"": ""7m4fg2wbv"", ""timestamp"": 1694141398.0, ""content"": ""yes, I'm going to upgrade to the next version and see the effect.""}]" +paloaltonetworks-75,"[{""user"": ""c5mjna3"", ""timestamp"": 1694113000.0, ""content"": ""Title: Global Protect Gateway IP Question\n Body: I've got a question about the IP of the default gateway when connected to Global Protect. I am getting [0.0.0.0](https://0.0.0.0) as the default gateway and [255.255.255.255](https://255.255.255.255) as the subnet mask and wanted to see if that was normal?\n\nUnder Network -> GlobalProtect -> Gateways -> Gateway Name -> Agent -> Client Settings -> Configs -> IP Pools. I've got an IP Pool for VPN Users that pulls from Addresses under Objects and it is set as IP Netmask of [10.10.253.0/24](https://10.10.253.0/24)\n\nWe were troubleshooting a VPN issue and the user had [10.10.253.1](https://10.10.253.1) as an IP and .1 is usually the gateway for everything here but I can't find a gateway set anywhere for Global Protect users and when I connected I got the [0.0.0.0](https://0.0.0.0) and wanted to make sure that was all correct.\n\nThanks for any help.""}, {""user"": ""3uqxds9f"", ""timestamp"": 1694116241.0, ""content"": ""There\u2019s no default GW concept with GP. The IP you're getting is fine. \n\nUnder the Split Tunnel tab, have you included any prefixes that need to route across the tunnel? That is how you define what needs to come across it. If you want all traffic to come over the tunnel then add 0.0.0.0/0 in the Include section.\n\nMake sure you refresh client settings on the GP client after making any changes on the firewall""}, {""user"": ""czvic3dk"", ""timestamp"": 1694120515.0, ""content"": ""I put the .1 of the GP subnet on the tunnel interface. It is not required but it gives you a pingable IP within the same zone so you can at least tell if you are getting to the firewall. 
It also gives you a first hop in traceroutes which I find useful for troubleshooting.""}, {""user"": ""c5mjna3"", ""timestamp"": 1694116759.0, ""content"": ""No, we don't have anything listed in the include only the exclude, I've gathered all the Office 365 IPs and put them in a group, mainly because we don't want Teams going through the VPN and causing issues for meetings and calls.""}, {""user"": ""3uqxds9f"", ""timestamp"": 1694117030.0, ""content"": ""Why not try to just add prefixes in the include section rather than exclude. You also definitely need something in Include if you want traffic to come across the tunnel.\n\nIf you add your private ranges to Include, that should be enough. All internet traffic will break out locally on the client.""}, {""user"": ""czvic3dk"", ""timestamp"": 1694120567.0, ""content"": ""I am on Teams calls all day long with it all going through the tunnel out the firewall at our datacenter without issues.""}, {""user"": ""c5mjna3"", ""timestamp"": 1694117407.0, ""content"": ""I guess I am not sure what you mean by prefixes?\n\nEverything seems to be coming across just fine and this is the first time we have heard of this problem (mapped drive not connecting) in trying to figure out why the one user couldn't get to the file server we noticed the IP of the gateway. We do have all the IPs of the internal networks we can add to the include section though.""}, {""user"": ""3uqxds9f"", ""timestamp"": 1694117661.0, ""content"": ""Yeah a prefix is nothing but an IP subnet. Like 10.10.253.0/24 is a prefix. \n\nSo if all user and server IPs fall under 10.10.0.0/16, just add this prefix to the include section and it will all come through the tunnel. 
This will include all local Teams traffic too.""}, {""user"": ""c5mjna3"", ""timestamp"": 1694117889.0, ""content"": ""Ah, got it, thanks.\n\nBut with the exclude of the 365 IPs that traffic will still use the local/home internet connection and not go over the VPN correct?""}, {""user"": ""3uqxds9f"", ""timestamp"": 1694118096.0, ""content"": ""Yeah it will. It's just simpler to use positive enforcement by only including your private ranges to Include. \n\nEverything else will break out locally. You can test that with a traceroute. Or you can see the route table in the GP client under Troubleshooting""}, {""user"": ""c5mjna3"", ""timestamp"": 1694118176.0, ""content"": ""Sounds, good. Appreciate the help.""}, {""user"": ""shq4z6me"", ""timestamp"": 1694136183.0, ""content"": ""If you leave include BLANK it will include all traffic. Ignore the fool that is telling you to do so. Excluding the teams IPs only excludes those, everything else gets included automatically.""}]" +paloaltonetworks-76,"[{""user"": ""11o6u1"", ""timestamp"": 1694092130.0, ""content"": ""Title: What is best way separate HIP users/ profile on rule?\n Body: I have 5 different types of users, each of them is part of the Office 365 group, and each has a different subnet.\n\n​\n\n4 types of users use company computers and are members of the domain (with company antivirus, DLP, etc. installed).\n\nThe 5th type consists of consultants whose computers are not related to the company.\n\nI've created a HIP profile for company employees and assigned it to a WAN rule. Now, how should I handle consultants? I don't want to apply HIP to them, but how can I implement HIP based on groups? What is recommended in this regard?\n\nSecond a wan rule? Or second public and a new address? consultant.vpn....com? 
or a new GP GW?\n\nIf an employee's computer is not HIP-compliant and they want to connect to the VPN, I want to prevent them from doing so.""}, {""user"": ""briif"", ""timestamp"": 1694093197.0, ""content"": ""Separate gateway in different zone with it's own HIP profile for consultants is my vote.""}, {""user"": ""5gj3sjhny"", ""timestamp"": 1694135997.0, ""content"": ""The only time you have to separate gateways is if you want to provide different alert messages for passing or failing a HIP profile. Assuming that is not an issue here, \n\nIt's important to understand that a HIP profile is just another item being matched on a rule. So, if you have one rule allowing internet access with a source group containing employees and the HIP profile, and a rule below it contains a source user/group for consultants, but no HIP profile, it works fine.""}, {""user"": ""147byj"", ""timestamp"": 1694183341.0, ""content"": ""I'm going through something similar right now where I'm migrating a large AnyConnect deployment to GP. I was fortunate enough to have a large number of unused IPs in the BGP range so I strictly used loopbacks for portals and gateways. I ended up deploying an employee portal and gateway (actually on separate IPs due to a SAML caveat). This also requires a machine certificate, hence why vendors can't connect to it. The vendor portal/gateway lives on a different IP and requires just SAML authentication with 2FA. These are all in the same \""remote\\_vpn\"" zone but using different subnets and intra-zone traffic is blocked. Rather than reference HIP in firewall rules we went the quarantine route via log forwarding. We have a \""NONCOMPLIANT\\_VENDOR\"" HIP profile. If it gets triggered and the source IP is in the vendor VPN subnet, it quarantines the device, sends an email and alerts the SOC. 
We're using HIP profiles to ensure vendors are using either MacOS, Win10, Win11 and we're also checking that they have anti-malware installed with real-time protection enabled. If you didn't want to actually enforce HIP and instead just send an alert if a vendor fails HIP, you could setup log forwarding to do just that, just forego the actual quarantine part of that setup. I should note we only have a few dozen users using GP right now as we're still in the testing phase, so my dataset is rather small but this has been effective in my testing.""}, {""user"": ""bf73y"", ""timestamp"": 1694201653.0, ""content"": ""HIP is for devices, not for Users. You should be using a combination of User-ID and HIP/Device-ID in your rules. \n\nIf the devices aren't compliant then let them connect and block them from doing anything, have them hit a block rule. You can modify your URL Filtering response page to display a message to users who hit that rule so it says hey you're not compliant blah blah. Would you rather they don't connect at all and have 0 protections?""}]" +paloaltonetworks-77,"[{""user"": ""j5th8"", ""timestamp"": 1694105089.0, ""content"": ""Title: Testing bad sites\n Body: I am setting up polices to block \""bad sites\"". Are there any known URL's that simulate a site hosting malware, C&C etc. so I can show that the PAN is blocking the sites?""}, {""user"": ""qnvd8"", ""timestamp"": 1694106647.0, ""content"": ""Palo alto networks have a few setup for testing. https://docs.paloaltonetworks.com/dns-security/administration/configure-dns-security/dns-security-test-domains""}, {""user"": ""9udzipdy"", ""timestamp"": 1694110360.0, ""content"": ""I have two rules setup both for ingress and egress that drop connections to all of the built-in Palo \""bad sites\"" - Bulletproof IP Addresses, High Risk IP Addresses, Known Malicious IP Addresses and TOR Exit IP Addresses. 
If you create rules to drop traffic destined to/from there, give it a day or so and you'll probably have some traffic you can look at.""}, {""user"": ""ibia0"", ""timestamp"": 1694116560.0, ""content"": ""https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClaDCAS""}, {""user"": ""vrvsa7l"", ""timestamp"": 1694133054.0, ""content"": ""I use zscaler and checkpoints firewall test sites also, along with banging on gruyere from google with a vuln scanner""}, {""user"": ""oevnopy5"", ""timestamp"": 1694550378.0, ""content"": ""Eicar. \nAnd there is a kb from Paloalto for the same""}]" +paloaltonetworks-78,"[{""user"": ""h2vjrskd"", ""timestamp"": 1694082959.0, ""content"": ""Title: Question: How to automatically authenticate on a shared device that uses a random guest account\n Body: Hi everybody,\n\nI've been doubting if this is more a question for Intune or PaloAlto, but I'll take my chance here. \n\n\nWe have an Intune Autopilot Windows 11 notebook that's set up to be used as a shared device, and where Windows automatically creates a new passwordless local guest account, every time the notebook reboots.\n\nThe resource the notebooks needs to reach, can only be reached in our domain -and that's also the only thing the device should be able reach-, so we've installed and configured GlobalProtect.\n\nNow I'm kind of stuck on how to 'automate' the authentication part. \nBecause a new local user is created every time, SSO with that user's credentials isn't possible and there is no user certificate. \nI was thinking about creating a domain user and tought it would be possible to push the credentials via Intune, like how it can be done on Android and iOS devices, but I can't find any option to do this for Windows.\n\nIs there a way to do this? (did I miss something in Intune? A registry setting containing credentials that GP can read? Or something like a custom profile i can create that contains the credentials and put in a specific folder? 
A script that runs at Windows logon that somehow can fill in the credentials?)\n\nThanks!""}, {""user"": ""57bwa"", ""timestamp"": 1694085720.0, ""content"": ""Machine certificate?\n\nhttps://docs.paloaltonetworks.com/globalprotect/9-1/globalprotect-admin/authentication/set-up-client-certificate-authentication/deploy-machine-certificates-for-authentication""}, {""user"": ""h2vjrskd"", ""timestamp"": 1694096861.0, ""content"": ""Thanks for the suggestion. I've read the info from the link you've posted, but Step 5 \""Create a client certificate profile\"" poses a problem.\n\nWe've tried with only a Machine certificate, and that seems to work but we see all kinds of warning and the message that no user information was found -\n\nI'm surprised it works, but pretty sure it's not going to be a stable solution.""}, {""user"": ""57bwa"", ""timestamp"": 1694117845.0, ""content"": ""Where do you see that warning? The \""user\"" information comes from the CN of the certificate, which I usually make to be the machine name""}]" +paloaltonetworks-79,"[{""user"": ""hs93d"", ""timestamp"": 1694093098.0, ""content"": ""Title: How are routing protocols handled during failover of an A/S HA-Pair\n Body: When an A/S HA-Pair is configured to use dynamic routing with the upstream and downstream routers, how is routing protocol state handled? Is routing state fully preserved and the failover is fully hitless, or do routing peers need to be re-established after failover?\n\nIs this behavior the same for different routing protocols (OSPF, BGP, etc)?""}, {""user"": ""gbsuzxah"", ""timestamp"": 1694100054.0, ""content"": ""Seamless failover for dynamic routing protocol is dependent on graceful restart of them. So make sure it is enabled on both sides before testing the failover.""}, {""user"": ""briif"", ""timestamp"": 1694093697.0, ""content"": ""I can speak for bgp and ospf, the transition is seamless and invisible in every manually forced fail over I have seen. 
It really only comes up during software upgrades.""}, {""user"": ""8qk1un9z"", ""timestamp"": 1694095241.0, ""content"": ""The routing state should be synced between the pair, the same for the sessions, so it can failover without terminate the active connections.\n\nIf you go to the standby member and check the routing table you should see all the dynamic routes that the active member created.""}, {""user"": ""unknown"", ""timestamp"": 1694099842.0, ""content"": ""[deleted]""}, {""user"": ""8qk1un9z"", ""timestamp"": 1694100465.0, ""content"": ""In every case, when you have an HA the standby one has to take the role of the active one when there is a problem without any downtime, so it has all the session and routes of the first one, if the first one update a route or a session it will update the standby one too. You have to see the HA as a single device, if the working one broke down the other one replace it without the need to remove the old one and install the new one, and it is alredy turn on and ready to operate in any moment.""}, {""user"": ""3hczxhat"", ""timestamp"": 1694133541.0, ""content"": ""I don\u2019t see this on my passive fw. I wanted to ask about this as my active has all the routes but the passive does not. Is this normal?""}, {""user"": ""unknown"", ""timestamp"": 1694100740.0, ""content"": ""[deleted]""}, {""user"": ""8qk1un9z"", ""timestamp"": 1694100965.0, ""content"": "">You might was to read up on that. Under Active/Active yes\n\nThe network design doesn't matter on the A/S mode. 
One is working, the other one is waiting to take that place in the architecture, ignoring what architecture it is.\n\nA/A mode is really discouraged, I never try it and I wouldn't ever try it.""}]" +paloaltonetworks-80,"[{""user"": ""ajcthz98"", ""timestamp"": 1694036795.0, ""content"": ""Title: URL Category for Google Maps shows not-resolved\n Body: We have several reports from users getting a \""continue\"" page for Google Maps ([https://www.google.com/maps](https://www.google.com/maps)) with category of \""not-resolved\"". Both of our PA firewalls seem to be experiencing this same issue. I have used the following commands, but have not helped...\n\nIs anyone else having this issue right now, or in the past? Any ideas on how to fix it?\n\n\\> show url-cloud status \nLicense : valid \nCloud connection : connected \nURL database version - device : 20230906.20320 \nURL database version - cloud : 20230906.20320 ( last update time 2023/09/06 16:16:38 ) \nURL database status : good \n(I purposely left out some details...)\n\n\\> test url [www.google.com/maps](https://www.google.com/maps) \n[www.google.com/maps](https://www.google.com/maps) not-resolved (Base db) mlav\\_flag=0 expires in 5 seconds \n[www.google.com/maps](https://www.google.com/maps) reference-and-research low-risk (Cloud db)\n\n\\> delete url-database all \nURL database was deleted successfully.\n\n\\> clear url-cache all \nAll entries in URL cache removed!\n\n\\> test url [www.google.com/maps](https://www.google.com/maps) \n[www.google.com/maps](https://www.google.com/maps) not-resolved (Base db) mlav\\_flag=0 expires in 5 seconds \n[www.google.com/maps](https://www.google.com/maps) reference-and-research low-risk (Cloud db)\n\nGoing to [https://urlfiltering.paloaltonetworks.com/](https://urlfiltering.paloaltonetworks.com/) shows the correct category of \""reference-and-research\"".""}, {""user"": ""d7nx2"", ""timestamp"": 1694047198.0, ""content"": ""> Upon conducting internal checks, it has come to 
our attention that several cases of Google search issues have been reported, all attributed to PAN-DB Cloud's inability to categorize certain URLs. I'd like to reassure you that our Cloud team is actively investigating this matter.\n\n> In the interim, we have devised a workaround to mitigate this issue effectively. The workaround involves creating a custom URL category and associating the Google domain with it. By doing so, the categorization process will occur locally, bypassing the need for queries to the URL cloud.\n\n[Here is a step-by-step guide that you can follow to create the custom URL category](https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClH5CAK)\n\n> To address this issue, kindly add the following domains to the custom URL category to exempt Google URLs: \""google.com, *google.com, and google.com/\""""}, {""user"": ""d7nx2"", ""timestamp"": 1694037562.0, ""content"": ""Same thing happening for us, and at least one other org I know. Also affecting search. We've had to 'allow' *.google.com to restore service""}, {""user"": ""ajcthz98"", ""timestamp"": 1694102250.0, ""content"": ""This problem seems to be fixed from my perspective with no action taken by me.""}, {""user"": ""akz30b6zk"", ""timestamp"": 1694037590.0, ""content"": ""Same issue for my environment, we\u2019ve been troubleshooting with TAC and haven\u2019t been able to figure it out so far.""}, {""user"": ""56xat75a"", ""timestamp"": 1694037668.0, ""content"": ""bumping for visiblity""}, {""user"": ""9yefj6ba"", ""timestamp"": 1694037692.0, ""content"": ""Same issue here, but we are also getting not-resolved messages for regular Google searches. It started around 4:30 pm ET.""}, {""user"": ""124bcn"", ""timestamp"": 1694038511.0, ""content"": ""Same thing here as well. Attempted to increase the category lookup timeout helped some sites but not all. 
Seems there is an extended wait time in checking URL against any source (base DB or Cloud)""}, {""user"": ""1jye2l88"", ""timestamp"": 1694106406.0, ""content"": ""Increased the category lookup, but still having the issue. Can\u2019t create a custom url category either because that would open up the floodgates to other issues in my organization.""}, {""user"": ""ghuzleij"", ""timestamp"": 1694197489.0, ""content"": ""Has this been resolved yet?""}, {""user"": ""odjep3mn"", ""timestamp"": 1694294250.0, ""content"": ""increasing the lookup timeout fixed the issue for us""}, {""user"": ""ajcthz98"", ""timestamp"": 1694049658.0, ""content"": ""Thanks! I\u2019m hoping a fix will be in place by tomorrow morning. If not, then I\u2019ll put the workaround in place.\n\nAlso, not to nitpick, but shouldn\u2019t you only add the following to a custom URL category with a \u201c / \u201c at the end?\ngoogle.com/ , *.google.com/""}, {""user"": ""1sqos3dh"", ""timestamp"": 1694048233.0, ""content"": ""Thanks for that, everyone can do this work around until the fix is in place.""}, {""user"": ""d7nx2"", ""timestamp"": 1694117847.0, ""content"": ""I'm still seeing www.google.com/search?q=etc categorised as 'not-resolved'""}, {""user"": ""56xat75a"", ""timestamp"": 1694038348.0, ""content"": ""Have also been seeing the exact same issue since ~4:30. is anyone else connecting to the \""serverlist2.urlcloud.paloaltonetworks.com\"" server?""}, {""user"": ""ajcthz98"", ""timestamp"": 1694263665.0, ""content"": ""From our environment\u2019s standpoint, yes it was resolved the next morning.""}, {""user"": ""d7nx2"", ""timestamp"": 1694050214.0, ""content"": ""That was cut-n-paste from my TAC ticket. 
I've just added *.google.com/ and haven't had any further issues here""}, {""user"": ""ajcthz98"", ""timestamp"": 1694038545.0, ""content"": ""Yes, \""[serverlist2.urlcloud.paloaltonetworks.com](https://serverlist2.urlcloud.paloaltonetworks.com)\"" is our current cloud server as well.""}, {""user"": ""4govu0cj"", ""timestamp"": 1694088572.0, ""content"": ""100% correct here. I'd avoid adding the exact phrasing they suggested unless you want every spoofer in the planet to bypass URL protect with notgoogle.com/mybadsite or roflpwngoogle.comet.com etc \n\n\n \\*.google.com/ would add google.com and its sub domains and thats it. \nI'd and specific byname entries if you run into oddities with \\*.google.com/ not being enough to bandaid the issue while palo sorts out the queries..""}, {""user"": ""ghuzleij"", ""timestamp"": 1694040980.0, ""content"": ""Experiencing same issue and connected to \""serverlist**3**.urlcloud.paloaltonetworks.com\""""}, {""user"": ""2i700l9z"", ""timestamp"": 1694046203.0, ""content"": ""Same, we are using 3""}]" +paloaltonetworks-81,"[{""user"": ""dqlcisgg0"", ""timestamp"": 1694083583.0, ""content"": ""Title: Objects not pushed to local device\n Body: \n\nHi All\n\nI m trying to create new objects from Panorama and push them into a multi vsys managed firewall . The commit to Panorama and push to the target firewall ( on the specific vsys ) are showing as successful but the objects are not updated on the local firewall .\n\nWhat s interesting is that I m able to create policies which are visible on the local firewall ( for the same device group I m looking to create the objects on ) \n\nAny assistance would be much appreciated\n\nThanks in advance ""}, {""user"": ""5px01zdt"", ""timestamp"": 1694086725.0, ""content"": ""There is an option that only used objects are pushed to the devices. 
Maybe that is activated?""}, {""user"": ""dqlcisgg0"", ""timestamp"": 1694087319.0, ""content"": ""I have figured it out , the objects won t show on the local device until they are referenced into a policy\u00a0""}]" +paloaltonetworks-82,"[{""user"": ""dca8h9uln"", ""timestamp"": 1694066782.0, ""content"": ""Title: Pre-Populate Portal Addresses/Gateways?\n Body: Our org has multiple gateways available to connect to at a given time. I am wondering if there is a way to push a configuration profile or adjust the plist to macOS devices so as to have both addresses listed automatically without a user having to manually enter in the portal address for the first time? ""}, {""user"": ""ibia0"", ""timestamp"": 1694079421.0, ""content"": ""Your mdm provider should be able to do this. You'll only need to push portal address as gateways as pulled from the portal config.""}, {""user"": ""285j5oxy"", ""timestamp"": 1694151827.0, ""content"": ""Windows and not macOS :( I came across that same doc while researching, but unable to find something equivalent for macOS. Thanks for your help.""}, {""user"": ""dca8h9uln"", ""timestamp"": 1694101315.0, ""content"": ""Thanks for your reply. I am deploying GP via our MDM, but am not currently leveraging a portal config profile (which would probably explain why we are having to manually enter both portals upon a new device setup). 
I have been unsuccessful in finding how to build the portal config within Palo Alto's documentation - any possible additional help/ideas there?""}, {""user"": ""ibia0"", ""timestamp"": 1694118641.0, ""content"": ""[https://docs.paloaltonetworks.com/globalprotect/9-1/globalprotect-admin/globalprotect-apps/deploy-app-settings-transparently/deploy-app-settings-to-windows-endpoints/deploy-app-settings-in-the-windows-regsitry](https://docs.paloaltonetworks.com/globalprotect/9-1/globalprotect-admin/globalprotect-apps/deploy-app-settings-transparently/deploy-app-settings-to-windows-endpoints/deploy-app-settings-in-the-windows-regsitry)""}]" +paloaltonetworks-83,"[{""user"": ""vcyenh35"", ""timestamp"": 1694072333.0, ""content"": ""Title: Show routing table - advanced routing enabled ?\n Body: Hello,\n\nLegacy setup with Virtual Router - it shows OSPF routing table in Virtual Router -> more runtime stats\n\nBut with Logical Router, I am not able to see the full OSPF routing table.\n\n\\> show advanced-routing route \n\n\\- shows only few routes, which we have on the FW, but not the full OSPF routing table and I did not find whare I can display the full OSPF routing table?\n\n​""}, {""user"": ""24fhbr1e"", ""timestamp"": 1694093093.0, ""content"": ""[https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-cli-quick-start/cli-cheat-sheets/cli-cheat-sheet-networking](https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-cli-quick-start/cli-cheat-sheets/cli-cheat-sheet-networking) \n\n show routing route also see show routing protocol ospf neighbor \n\n[https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PLhnCAG](https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PLhnCAG)""}]" +paloaltonetworks-84,"[{""user"": ""amt4zejv"", ""timestamp"": 1694053751.0, ""content"": ""Title: Question on firewall rules with on prem server reaching out to Azure AD\n Body: I\u2019m fairly new to Palo Alto. 
I\u2019m trying to setup rules for a Virtual server we host on prem that is behind a Palo Alto and needs to have access to Azure AD traffic must be allowed bidirectionally. I\u2019ve been given a ton of IP addresses that we need to whitelist. What\u2019s the best way to implement this policy? I\u2019ve looked at FQDN objects but read that there are still limitations with this approach. Any suggestions is appreciated!\n\nEdit: Thanks all! Will look into EDL.""}, {""user"": ""2yas21f0"", ""timestamp"": 1694072270.0, ""content"": ""Without doubt the only managable way of dealing with Azure and 365 is to use an EDL. Manually entering and maintaining the objects yourself is not worth attempting.\n\nFortunately Palo Ato host free EDLs for this purpose:\n\nhttps://docs.paloaltonetworks.com/resources/edl-hosting-service\n\nThere is a bit of work to do to get the firewall to connect to a https source but in the end, it's totally worth the effort. Once you crack the EDL config you should look for more that you can use to enhance your blocking rules.\n\nFinally, you mention that there should be comms bidirectionaly. Most of Azure-onprem connected services work with some service agent on prem that calls out to Azure, then Azure uses that open connection to pass data back to on prem. Azure doesn't initiate to on prem, ie, no external IPs and NAT needed. Perhaps you know this already, but worth checking that you don't end up doing more config than you need to.""}, {""user"": ""azicu"", ""timestamp"": 1694059153.0, ""content"": ""For Microsoft address I use the edl list . I have a web server internally that just server out different text files for edl lists . 
\nIf you have a threat intel system you can use that to make lists .""}, {""user"": ""11o6u1"", ""timestamp"": 1694067274.0, ""content"": ""EDL is good idea as alternative you can create a url category and you can add if have a lot of domain address.""}, {""user"": ""nozkjoy3"", ""timestamp"": 1694072772.0, ""content"": ""Servers are now \""reaching out\""? \ud83d\ude44\ud83e\udd14""}, {""user"": ""fzqpxmssv"", ""timestamp"": 1694211134.0, ""content"": ""Sad that the trend of being a complete asshole on Reddit has spread to IT subs""}, {""user"": ""nozkjoy3"", ""timestamp"": 1694513393.0, ""content"": ""How am I being a complete asshole? This modern butchery of language is a slippery slope downhill, where it will eventually cease to make any sense. Servers do not \""reach out\""; they connect. When I talk to or email someone, I am not \""reaching out to them\"". Only time you'll find me reaching out is if I'm trying, with extended arms, to grab hold of someone or something.""}]" +paloaltonetworks-85,"[{""user"": ""4rk029eu"", ""timestamp"": 1694011735.0, ""content"": ""Title: Dataplane Crashed both HA Firewalls\n Body: Has anyone ever had the Dataplane crash on both PA 5220 in HA Active/Passive?\n\nThe whole HA thing doesn't work when both firewalls crash at the same time. I have never seen anything like this. PA Tech Support just sort of shrugged and asked for a \""Show Tech\"" which I provided. They said, \""we have seen this before...\""\n\n​\n\nEDIT Status Update Sept 8\n\n​\n\n**Any fix??? 
This is from PA TAC Case:**\n\n \nI analyzed the tech support file and I could see these findings: \n\n\nmp ha\\_agent.log 2023-09-05 07:30:51 2023-09-05 07:30:51.262 -0400 Going to non-functional for reason Waiting for policy push to dataplane \nmp ha\\_agent.log 2023-09-05 07:30:51 2023-09-05 07:30:51.262 -0400 debug: ha\\_state\\_config\\_change(src/ha\\_state.c:587): Group 2: Config change request to move group to Non-Functional state \nmp ha\\_agent.log 2023-09-05 07:30:51 2023-09-05 07:30:51.262 -0400 debug: ha\\_state\\_transition(src/ha\\_state.c:1430): Group 2: transition to state Non-Functional \nmp ha\\_agent.log 2023-09-05 07:30:51 2023-09-05 07:30:51.262 -0400 debug: ha\\_state\\_start\\_initial\\_hold(src/ha\\_state.c:1979): Group 2: delayed starting initial hold \nmp ha\\_agent.log 2023-09-05 07:30:51 2023-09-05 07:30:51.262 -0400 debug: ha\\_dpmon\\_cfg\\_check(src/ha\\_dpmon.c:390): Setting local keep-alive setting to off \nResolution: \n1. The HA FW rebooted (non-functional) because a policy push was not able to be forwarded to the data plane. \n2. This is an internal process when a pushed commit is unable to parse on DP, \n3. The firewall performs a reset of the data plane in order to delete any zombie processes. \n4. The process got detained and filled up the cache from MP to DP. \n5. The firewall performs the reboot to erase any background process and the policy push to the data plane is completed then the firewall came up again. \n\n\nPlease let me know how to proceed with the case. \n\n​\n\nhttps://preview.redd.it/jpix4w7kenmb1.jpg?width=564&format=pjpg&auto=webp&s=aa16fb3fe67ecd9fbb45aa781e87f703f6857273""}, {""user"": ""4njik"", ""timestamp"": 1694021944.0, ""content"": ""There IS a bug on <10.2.4 for this. 
It's fixed in 10.2.5\n\nPAN-215317: Fixed an issue where the dataplane stopped responding unexpectedly with the error message comm exited with signal of 10\n\nPAN-211398 Fixed an issue where dataplane processes stopped responding when handling HTTP/2 streams.""}, {""user"": ""746jy"", ""timestamp"": 1694012584.0, ""content"": ""I haven't run into this on a 5220, but the screenshot doesn't seem to indicate the dataplane crashed. Path monitor failure suggests that there was a path monitoring condition in the HA config that told both HA nodes to shut themselves down. Obviously I haven't seen your logs so if you have some other reason to know that it did crash this may not be applicable. \n\nI've certainly seen this happen on other models with an error or otherwise unexpected condition happens that causes HA to detect a failure condition in both firewall nodes. The first thing I would check is your HA configuration - specifically what path monitoring conditions you have set on both nodes.""}, {""user"": ""8uthr"", ""timestamp"": 1694016684.0, ""content"": ""Update to the latest version of 10.1 We had something similar happen with 10.1.10h1 and had to downgrade back to 10.1.9\n\nIt looks like you are on 10.1.8 so I would suggest going to 10.1.10h2 or 10.1.9 and seeing how it works.""}, {""user"": ""tr82k"", ""timestamp"": 1694028785.0, ""content"": ""It\u2019s nothing related to that. I had the exact same issue with two 5220 too. We end up issuing a RMA, since the path monitor it refers is an internal interface that connects different internal components. The support engineer told us is an issue the haven\u2019t been able to squash yet, most likely a hardware issue. It happens randomly, it could be months before it happens again and it\u2019s not related to workload nor anything we could identify. 
It took months and issue escalation with our SE to solve it.""}, {""user"": ""s06pf1z"", ""timestamp"": 1694048523.0, ""content"": ""I have seen this before back in version 8 code. As other ps said go to 10.2.5. Let\u2019s hope you did not discovery some new bugs\u2026.""}, {""user"": ""8qk1un9z"", ""timestamp"": 1694014566.0, ""content"": ""It doesn't seem a crash to me, but a problem with path monitoring. Have you try to disable path monitor and commit?""}, {""user"": ""e6qh3"", ""timestamp"": 1694012477.0, ""content"": ""Very rare, but I have seen it. \n\nI would consider disabling session synchronization until you get this sorted out. See if that is the cause.""}, {""user"": ""3uqxds9f"", ""timestamp"": 1694028263.0, ""content"": ""Do you have path monitoring enabled on the passive firewall? I wouldn\u2019t enable it on the passive if you have preemption enabled.""}, {""user"": ""4rk029eu"", ""timestamp"": 1694027442.0, ""content"": ""PAN 215317 was already patched in 10.2.4-h2 (I am rubbing h4)\n\nLooks like I need to upgrade to 10.2.5 to patch PAN-211398""}, {""user"": ""twkui26"", ""timestamp"": 1694036389.0, ""content"": ""The screenshot shows \""dataplane down\"" - I haven't used 10.2 yet, but through 10.1 I have never seen that message caused by HA path monitoring. In my experience, HA path monitoring will only cause the firewall to go non-functional if the HA peer is in a functional state. 
I believe this message is referring to the internal path monitoring that occurs between the management plane and the dataplane (https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000HCcXCAW)""}, {""user"": ""4rk029eu"", ""timestamp"": 1694017779.0, ""content"": ""Running 10.2.4-h4 already.""}, {""user"": ""2z38uxaj"", ""timestamp"": 1694018320.0, ""content"": ""Agreed as there has been some fixes with path monitoring in recent code versions.""}, {""user"": ""n3camsm"", ""timestamp"": 1694523791.0, ""content"": ""Would you mind sharing the something similar you saw? On 10.1.10-h1 we had our pair of 5220s experience a very strange traffic stop. The dataplane didn't crash but all traffic ceases for about 2-3 minutes. We rebooted both 5220s and upgraded to 10.1.10-h2. TAC couldn't explain why it happened. Also uptime was 64 days on both firewalls. When I failed over to the standby the same issue happened within minutes.""}, {""user"": ""4rk029eu"", ""timestamp"": 1694052631.0, ""content"": ""I will take a look \u2026 the maintenance fellas were messing with the power and UPS bypass. Tons of devices in the Datacenter show the uptime was reset, so this may be a factor.""}, {""user"": ""4njik"", ""timestamp"": 1694021965.0, ""content"": ""upgrade to 10.2.5 there is a known bug for this. I had this problem.""}, {""user"": ""4rk029eu"", ""timestamp"": 1694025603.0, ""content"": ""I have an open ticket. Hopefully they tell me the same""}]" +paloaltonetworks-86,"[{""user"": ""6wbl7"", ""timestamp"": 1694024871.0, ""content"": ""Title: is it possible to restore Panorama from a veeam backup\n Body: is it possible to restore Panorama from a veeam backup. 
any fallout from doing so?""}, {""user"": ""pddpnfq"", ""timestamp"": 1694032680.0, ""content"": ""I've tested this on Veeam v12 and it worked fine.""}]" +paloaltonetworks-87,"[{""user"": ""apxdtk2s"", ""timestamp"": 1694032162.0, ""content"": ""Title: SMTP application\n Body: Randomly right around 8/30/23 our 3020 (9.0.x) stopped properly identifying SMTP application traffic. We are automatically installing dynamic updates, but haven't seen any recent releases related to smtp. Switching to tcp:25 service until we can sort it out with support. Anyone else seeing this?""}]" +paloaltonetworks-88,"[{""user"": ""da5f3fdc1"", ""timestamp"": 1694026957.0, ""content"": ""Title: Lots of OCSP/CRL check failure in decryption log\n Body: Hello,\n\nI'm on 10.2.5 and I'm seeing a lot of OCSP/CRL check failure in the decryption logs. \nIf I enable debugging on sslmgr log that's what I see:\n\n2023-09-06 20:44:13.879 +0200 debug: pan\\_ocsp\\_verify\\_response(pan\\_crl.c:2982): OCSP verification errors:\n\n2023-09-06 20:44:13.879 +0200 debug: pan\\_ocsp\\_verify\\_response(pan\\_crl.c:2986): error:27069076:OCSP routines:OCSP\\_basic\\_verify:signer certificate not found\n\n2023-09-06 20:44:13.879 +0200 debug: pan\\_ocsp\\_verify\\_response(pan\\_crl.c:2986): error:27069076:OCSP routines:OCSP\\_basic\\_verify:signer certificate not found\n\n2023-09-06 20:44:13.879 +0200 Error: pan\\_ocsp\\_verify\\_response(pan\\_crl.c:2997): OCSP\\_basic\\_verify() failed\n\n2023-09-06 20:44:13.879 +0200 Error: pan\\_ocsp\\_fetch\\_ocsp(pan\\_crl.c:3286): pan\\_ocsp\\_verify\\_response() failed\n\n2023-09-06 20:44:13.879 +0200 debug: sslmgr\\_check\\_ocsp\\_status(sslmgr\\_main.c:1603): ocsp status is unavailable\n\n2023-09-06 20:44:13.879 +0200 debug: sslmgr\\_check\\_status(sslmgr\\_main.c:1733): ocsp is unavailable, try crl\n\n2023-09-06 20:44:13.879 +0200 debug: sslmgr\\_check\\_crl\\_status(sslmgr\\_main.c:1644): crl status is valid\n\n2023-09-06 20:44:13.879 +0200 debug: 
sslmgr\\_check\\_status(sslmgr\\_main.c:1760): \\[01ADA48920EAC2E36C64165651E813DA\\]\n\ncert status: valid; cert\\_reason: ; cert\\_valid\\_period: 544886\n\ncert method: crl; cert depth: 0\n\n2023-09-06 20:44:13.879 +0200 debug: sslmgr\\_check\\_status(sslmgr\\_main.c:1807): chain method update from ocsp to crl\n\n2023-09-06 20:44:13.879 +0200 debug: sslmgr\\_check\\_status(sslmgr\\_main.c:1820): sslmgr\\_check\\_status() finish\n\n​\n\nOK, so this time it failed the OCSP method but was available to verify via CRL so the session went through (I have block if you can't verify revocation in decryption policy). \nBut I've seen times when it consistently fail both, the workaround was to add the certificate signing the OCSP response to the device but it's incosistent AND the root signing the response is in the default trusted roots so it should be no use.\n\nI've see sites fail so I added the cert to the trusted roots -> sites get working again -> remove the trusted root / flush everthing (CRL/OCSP/decryption sessions) -> the site continue working.\n\nSo there's something I'm missing here, and I already checked the obvious (eg. the management interface can reach the OCSP/CRL). Why the firewall should not -intermittently- trust the certificated used by the OCSP responder? Can anyone help me figure out what I'm missing?""}]" +paloaltonetworks-89,"[{""user"": ""vcyenh35"", ""timestamp"": 1694025482.0, ""content"": ""Title: OSPF Loopback propagation\n Body: Hello,\n\nhas anyone tested to have working loopback propagation in OSPF? \n\nWe are not able to set it up. It is quite easy and normal in Cisco, but I did not find any note, if it is also possible in PAN.\n\nThank you!""}, {""user"": ""dlz8m"", ""timestamp"": 1694028110.0, ""content"": ""Yep, I used it all the time. 
Under the legacy model with vRouters and not the Advanced Routing Model, I enable OSPF on the loopback, tick the passive button, and then watch it propagate after performing a commit.""}, {""user"": ""vcyenh35"", ""timestamp"": 1694028567.0, ""content"": ""hmm, we are using the advanced routing and Logical routers.\n\nBut I guess it should be working there also?""}, {""user"": ""3hczxhat"", ""timestamp"": 1694032281.0, ""content"": ""Should be yes. You have to tick passive in Pan otherwise it will not advertise.""}, {""user"": ""vcyenh35"", ""timestamp"": 1694069259.0, ""content"": ""thank you!""}, {""user"": ""ko79fwmf"", ""timestamp"": 1694069276.0, ""content"": "">thank you!\n\nYou're welcome!""}]" +paloaltonetworks-90,"[{""user"": ""vcyenh35"", ""timestamp"": 1694025155.0, ""content"": ""Title: BGP breaks down when committing to FW\n Body: Below is one of many commits and each one resets BGP due to BFD. This does not happen on OSPF, although it also relies on BFD. The changes for the commit did not affect BGP. You can see from the log that the counterparty (PAN) sends a reset (Notification received), but it probably shouldn't. 
?\n\nCan anyone explain me, why it happens and how we can avoid to this?Thank you!\n\n​\n\n %BGP-3-NOTIFICATION: received from neighbor XX.XX.XXX.XX 6/6 (Other Configuration Change) 0 bytes\n %BGP-5-NBR_RESET: Neighbor XX.XX.XX.XX reset (BGP Notification received)\n %BGP-5-ADJCHANGE: neighbor XX.XX.XX.XX vpn vrf PROD Down BGP Notification received\n %BGP_SESSION-5-ADJCHANGE: neighbor XX.XX.XX.XX IPv4 Unicast vpn vrf PROD topology base removed from session\u00a0 BGP Notification received\n %BFD-6-BFD_SESS_DESTROYED: BFD-SYSLOG: bfd_session_destroyed,\u00a0 ld:4516 neigh proc:BGP, handle:21 active\n %BFD-6-BFD_SESS_CREATED: BFD-SYSLOG: bfd_session_created, neigh XX.XX.XX.XX proc:BGP, idb:GigabitEthernet0/0/2.75 handle:21 act\n %BGP-5-ADJCHANGE: neighbor XX.XX.XX.XX vpn vrf PROD Up\n\n​""}, {""user"": ""29l079c7"", ""timestamp"": 1694028349.0, ""content"": ""You need to look a the logs on the Palo side.\n\n​\n\ntail follow yes mp-log routed.log\n\n​\n\nor\n\n​\n\ngrep mp-log routed.log pattern BGP (maybe)\n\n​\n\nThis would be a good start.""}, {""user"": ""vcyenh35"", ""timestamp"": 1694069591.0, ""content"": ""We have tried to shutdown graceful restart - no luck, still same. Now, we are testing to shutdown BFD and try it without. 
BFD time on both sides tested for 300 and 500ms.\n\nPer logs, you can see that OSPF uptime is OK, but BGP not and BFD sends session restart.\n\n%BGP-5-ADJCHANGE: neighbor 10.69.194.97 vpn vrf ISIM\\_PROD Down BGP Notification received\r \n%BGP\\_SESSION-5-ADJCHANGE: neighbor XX.XX.XX.XX IPv4 Unicast vpn vrf PROD topology base removed from session BGP Notification received\r \nSession Client Count: 2, Active count: 2, BFD Internal client count: 0, BFD Reclaim external client count:0\r \nBFD-DEBUG EVENT: bfd\\_session\\_destroyed, proc:BGP, handle:21 act\r \n%BFD-6-BFD\\_SESS\\_DESTROYED: BFD-SYSLOG: bfd\\_session\\_destroyed, ld:4516 neigh proc:BGP, handle:21 active\r \nBGP: XX.XX.XX.XX passive open to XX.XX.XX.XX\r \nBGP: Fetched peer XX.XX.XX.XX from tcb\r \nbfd session create request from the client:BGP with idb:GigabitEthernet0/0/2.75\r \nSession Client Count: 3, Active count: 3, BFD Internal client count: 0, BFD Reclaim external client count:0\r \nBFD-DEBUG EVENT: bfd\\_session\\_created, XX.XX.XX.XX proc:BGP, idb:GigabitEthernet0/0/2.75 handle:21 act\r \nBFD-6-BFD\\_SESS\\_CREATED: BFD-SYSLOG: bfd\\_session\\_created, neigh XX.XX.XX.XX proc:BGP, idb:GigabitEthernet0/0/2.75 handle:21 act\r \nBGP: nopeerup-delay post-boot, set to default, 60s\r \nBGP-5-ADJCHANGE: neighbor XX.XX.XX.XX vpn vrf PROD Up""}, {""user"": ""vcyenh35"", ""timestamp"": 1694503569.0, ""content"": ""so guys...\n\n​\n\nI was working and checking your logs and files, the issue is matching on a 90% with the Bug-id: PAN-221112\r \n\r \nThe fix of the BUG is on discussion, let me confirm this and back with you with a resolution for the issue.""}, {""user"": ""czvic3dk"", ""timestamp"": 1694031064.0, ""content"": ""On the BGP Peer Group config, do you have Soft Reset with Stored Info checked? \nAlso BFD interval settings need to match on both sides. 
This is sometimes hard to figure out if it is going to a service provider.""}, {""user"": ""s06pf1z"", ""timestamp"": 1694048276.0, ""content"": ""Which PANOS releases are you running? It looks like you are using advanced routing (FRR).""}, {""user"": ""9u4hlj83"", ""timestamp"": 1694106982.0, ""content"": ""We had an issue with BFD where it kept bouncing and ended up being a Cisco nexus switch that was breaking the multicast.""}, {""user"": ""bfsp8s9v"", ""timestamp"": 1694213333.0, ""content"": ""This looks to me like the BGP session is restarting and BFD is logging that the client session was destroyed and recreated, not that BFD is *causing* the reset. \n\nIf BFD was the cause, it would (should? I don't put anything with logic past Palo nor Cisco these days) take OSPF down too.""}, {""user"": ""vcyenh35"", ""timestamp"": 1694029213.0, ""content"": "">tail follow yes mp-log routed.log\n\nI have checked todays logs on PAN and there is something what seems mi like an issue, but I am not really BGP geek :) \n\n\n\r \n2023-09-06 12:03:44.345 +0200 rip node is not enabled\r \n2023-09-06 12:03:44.774 +0200 Advanced routing enabled, skip further parsing.\r \n2023-09-06 12:03:44.774 +0200 FRR IFM: shutdown fd 25 on default ns\r \n2023-09-06 12:03:44.774 +0200 FRR IFM: close fd 25 on default ns\r \n2023-09-06 12:03:44.884 +0200 phase1 completed\r \n2023-09-06 12:04:01.860 +0200 Phase-2, Advanced Routing enabled.\r \n2023-09-06 12:04:01.861 +0200 Advanced Routing phase2 started - incremental 1\r \n2023-09-06 12:04:01.861 +0200 NTDB-install VIF command: update\r \n2023-09-06 12:04:02.004 +0200 NTDB-VIF command update finished in 1 seconds\r \n2023-09-06 12:04:02.004 +0200 Finished vif commit.\r \n2023-09-06 12:04:02.005 +0200 lr Logical\\_Router bgp action UNSET\\_NOCHANGE - changed 0\r \n2023-09-06 12:04:02.005 +0200 lr Logical\\_Router bgp action DIFF - changed 0\r \n2023-09-06 12:04:02.005 +0200 lr Logical\\_Router bgp action UNINSTALL - changed 0\r \n2023-09-06 
12:04:02.005 +0200 Run Uninstall phase-2-frr\\_stop.sh script\r \n2023-09-06 12:04:03.226 +0200 Error: pan\\_if\\_name\\_decompose(pan\\_if.c:2090): unknown interface type\r \n2023-09-06 12:04:03.226 +0200 Error: pan\\_ifhw\\_get\\_mac\\_addr\\_by\\_id\\_ex(pan\\_if.c:2960): unable to get interface id from name <90>W\\\\\\^?\r \n2023-09-06 12:04:03.226 +0200 FRR IFM: - Unable to fetch Interface(130)-ae1.830 MAC Address\r \n2023-09-06 12:04:03.226 +0200 lr Logical\\_Router bgp action INSTALL - changed 0\r \n2023-09-06 12:04:03.226 +0200 FRR Peer Installation done.\r \n2023-09-06 12:04:03.226 +0200 sw.routed.vif has been updated. Listeners should be notified.\r \n2023-09-06 12:04:03.236 +0200 Error: pan\\_routed\\_frr\\_ifm\\_process\\_recv(pan\\_routed\\_frr\\_ifm.c:3761): FRR IFM: IFM FRR unsupported UNKNOWN(104)!\r \n2023-09-06 12:04:05.217 +0200 Refresh HA virtual addresses\r \n2023-09-06 12:04:05.217 +0200 lr Logical\\_Router bgp action DESTRUCT - changed 0\r \n2023-09-06 12:04:05.217 +0200 phase2 completed\r \n2023-09-06 12:04:05.220 +0200 Routed HA Passive Link State updated to Auto""}, {""user"": ""5u04b"", ""timestamp"": 1694039233.0, ""content"": "">Also BFD interval settings need to match on both sides\n\nI mean, sort of. BFD negotiates timers. The devices will compare \""Required Min RX Interval\"" and \""Desired Min TX Interval\"" and pick the slower of the two.""}, {""user"": ""czvic3dk"", ""timestamp"": 1694043841.0, ""content"": ""Another thing to consider is BGP Advanced tab Graceful Restart. I have it disabled currently on most BGP connections as I have not had good luck with it enabled. I need to spend some time testing that to find timers that work.""}, {""user"": ""vcyenh35"", ""timestamp"": 1694065568.0, ""content"": ""10.2.4h3. 
and yes, using advanced routing and logical routers.""}, {""user"": ""czvic3dk"", ""timestamp"": 1694043751.0, ""content"": ""I know I had to tweak timers on nexus and IOS to get BFD to function correctly for both BGP and OSPF. I don't currently use BFD except on 1 connection that I just found from looking at settings for the comment above. It always drops if I commit any change to that VR regardless of BGP change or not, so I plan to disable BFD as I don't control the other side, its an ISP.""}, {""user"": ""s06pf1z"", ""timestamp"": 1694089546.0, ""content"": ""Thanks for the info. I am just too chicken to run advanced routing on 10.2 in a production environment yet.""}, {""user"": ""vcyenh35"", ""timestamp"": 1694067035.0, ""content"": ""BGP intervals are 500ms, I will check the rest. \nWe have enabled Graceful restart, I will try to disable and try once again.""}]" +paloaltonetworks-91,"[{""user"": ""9rbbn5x1"", ""timestamp"": 1694016820.0, ""content"": ""Title: Template Stack For HA Pair (Active/Passive) - Template Variables or Not?\n Body: I'm considering deploying our initial Palo Alto HA pair in our network and would appreciate hearing about your approaches to managing template stacks in Panorama. \n\nI'm contemplating two options:\n\n1. Utilizing a single template stack for both members of the HA setup, incorporating template variables to define parameters like HA priority, peer IP address, and more.\n2. Creating separate template stacks for each HA member, incorporating an inherited global template along with a unique template that specifies HA priority, peer IP address, etc.\n\nHow do you handle this situation in your setup? 
Your insights and experiences are valuable.""}, {""user"": ""151ozs"", ""timestamp"": 1694017735.0, ""content"": ""We do a template stack for HA pairs, but we define HA parameters locally on each device.""}, {""user"": ""4ruzz"", ""timestamp"": 1694018560.0, ""content"": ""If you have to ever RMA then variables are more of a pain vs just using two templates and stacks (one for each HA member). I recommend to clients option 2, and would *not* keep any HA config local to either HA member put that in Panorama - *much* easier for scalability, ease of use and again for device RMA. I find that with most clients Panorama variables are more of a headache than a time saver and generally I don't recommend them without a good reason.\n\nCommon_tpl -> Datacenter_tpl -> SiteX_tpl -> SiteX-FW1_tpl / SiteX-FW2_tpl. SiteX-FW1_stack / SiteX-FW2_stack.""}]" +paloaltonetworks-92,"[{""user"": ""ua88e460"", ""timestamp"": 1694002518.0, ""content"": ""Title: PA Decryption policy with Wildcard Certificate\n Body: Dear Friends,\n\nI defined a decryption policy to inspect traffic going through our wap server in DMZ to get to internal exchange server webmail access by its URL... \n\nNow once I applied decryption policy with wildcard and decryption profile etc...Mail web access will be blocked for all users from external..internal working fine of course, Wildcard cer is installed on both Palo and Wap server, all working fine without this Decryption policy..And then I checked decryption logs, can see two sets of logs for for every different IP, first one is it has root states: uninspected..and the second log is saying trusted with issuer name showing wildcard certificate signing party TrustSSL co etc.. Would wildcard certificate in Decryption policy actually work? Any cipher settings I shouldn't select? \n\nThanks a lot for help\nLarry""}, {""user"": ""6epgk"", ""timestamp"": 1694003494.0, ""content"": ""If you look at your certificate is the entire chain uploaded to the firewall? 
Is your Forward trust certificate valid and possesses a key and is marked certificate authority? I've seen people try to use public trust certs with wild card signed by global root for Forward proxy but that won't work because they aren't CA s\n\nYou can use the wild card cert if you are doing inbound decryption not Forward proxy.\n\nEdits spelling errors on phone""}, {""user"": ""4x424rcw"", ""timestamp"": 1694008063.0, ""content"": ""Yes we're using wild card certificate for inbound decryption. It was setup long time ago so I can't remember exactly what we did, but I remember setting url category and use it together with the decryption policy. Maybe search it up in google.""}, {""user"": ""unknown"", ""timestamp"": 1694003589.0, ""content"": ""[deleted]""}, {""user"": ""ua88e460"", ""timestamp"": 1694003616.0, ""content"": ""The whole chain is up there, it is used by VPN gateway as well..""}, {""user"": ""ua88e460"", ""timestamp"": 1694052115.0, ""content"": ""Thanks where in computer store should I install wildcard cert wap server? I can only see it on personal certificate store, not in trusted root ca store...""}, {""user"": ""ua88e460"", ""timestamp"": 1694078661.0, ""content"": ""Also, would I need a security policy to match decryption policy as well? \n\nThanks""}, {""user"": ""6epgk"", ""timestamp"": 1694003959.0, ""content"": ""For Forward proxy yes the cert needs to be marked forward trust cert and signed by trusted PKI (enterprise CA). The key and CA boxes need to be checked for a forward trust cert.\n\nThere's no way to MITM the proxy without installing a personal root CA on each device. If you have PKI your machines should be automatically trusting the root cert for decryption.""}, {""user"": ""6epgk"", ""timestamp"": 1694004071.0, ""content"": ""Ah sounds like that's your tls wildcard cert. Typically I use a different cert for SSL decrypt versus tls profiles. 
Less browser issues if you use dedicated certs for dedicated tasks.""}, {""user"": ""4x424rcw"", ""timestamp"": 1694090830.0, ""content"": ""It should be in the personal store. And make sure to pick the right one when you publish applications in your WAP server.""}, {""user"": ""4x424rcw"", ""timestamp"": 1694090876.0, ""content"": "">No you don't need security policy to match decryption policy.""}, {""user"": ""ua88e460"", ""timestamp"": 1694004167.0, ""content"": ""The wap server is actually not domain joined, does it mean I need to install CA certificate on WAP server? \n\nThanks,""}, {""user"": ""ua88e460"", ""timestamp"": 1694004258.0, ""content"": ""Dedicated? Did you mean CA certificate or forward trusted? Thanks""}, {""user"": ""6epgk"", ""timestamp"": 1694004404.0, ""content"": ""You will need to add the root cert that signs the forward trust cert to the WAP trusted root cert store""}, {""user"": ""6epgk"", ""timestamp"": 1694004494.0, ""content"": ""I mean I typical use a different cert for my TLS server profile versus my forward decryption policies.""}, {""user"": ""ua88e460"", ""timestamp"": 1694004764.0, ""content"": ""Actually I remember we need to use SSL inbound inspection for Webmail access from Public to wap servers I DMZ zone, Not SSL forward trust, would I still need Forward trust? Thanks a lot""}, {""user"": ""ua88e460"", ""timestamp"": 1694004611.0, ""content"": ""Another wildcard or you will generate one root certificate from Palo? Sorry can you be more specific? Thanks""}, {""user"": ""6epgk"", ""timestamp"": 1694005015.0, ""content"": ""No you want to use an inbound policy here and select the wildcard cert not forward proxy.""}, {""user"": ""6epgk"", ""timestamp"": 1694004907.0, ""content"": ""Lol I mean I don't know how I can be more specific. 
\n\n\nThe cert I use for forward proxy is not used as the cert for the VPN gateway or management GUI (as defined by TLS server profile) UNLESS in cases of if I'm doing *inbound* decryption (which is NOT forward proxy)\n\nAre you trying to do forward or inbound decryption here? If it's an inbound policy then assign the wildcard cert and it should work.""}, {""user"": ""ua88e460"", ""timestamp"": 1694005088.0, ""content"": ""Yeah I selected inbound inspection with wildcard, still does not work...""}, {""user"": ""6epgk"", ""timestamp"": 1694009801.0, ""content"": ""The wildcard will work if it's the same one being presented to the WAP. Are you sure the resource you are trying to decrypt is using the same wildcard cert?""}, {""user"": ""ua88e460"", ""timestamp"": 1694078949.0, ""content"": ""Checked again, still not working, Wildcard is definitely correct. Would I need another security policy to match the decryption policy somehow? Thanks""}, {""user"": ""6epgk"", ""timestamp"": 1694081821.0, ""content"": ""Nope because it works when the decryption policy is disabled. \n\nEither you are using the wrong cert or there is an application level issue. Go look at your decryption logs to find out why it's failing.""}, {""user"": ""ua88e460"", ""timestamp"": 1694083848.0, ""content"": ""I will log a support job.. decryption logs only telling me status is good and then uninspected...very strange...""}, {""user"": ""6epgk"", ""timestamp"": 1694084032.0, ""content"": ""Hmm maybe the decryption is working and you need to allow web-browsing or some other app id between dmz and internal for your wap. Without decryption the app with be SSL, with decryption you will see web-browsing or some other app underneath the SSL session. So if decryption is working then you may need another security policy now that I think about it after a coffee. 
\n\nIf you go into monitor log and look for the src IP of the WAP do you see the connections to the internal server?""}, {""user"": ""ua88e460"", ""timestamp"": 1694084858.0, ""content"": ""Yes i can see the decryption log to wap server. But it says application is incomplete, and also allowed..... it always using a security rule A that is somehow pointing to the different URL category not the ones (webmail and autodiscover ) I specified in Decryption rules.., that is the reason why I asked if we need another security rule above A, and allow it to WAP maybe?""}, {""user"": ""6epgk"", ""timestamp"": 1694084995.0, ""content"": ""It's impossible for me to understand what security policies you need without looking at your config.\n\nLook at the traffic log. Was it allowed? Was the URL action alert or allow? Incomplete infers one way communication.""}, {""user"": ""ua88e460"", ""timestamp"": 1694085214.0, ""content"": ""I think with a particular decryption log, there are two security logs within it, one says alert, would that be the reason why? The wrong Url category somehow be used in that security rule A? \n\nThanks""}, {""user"": ""6epgk"", ""timestamp"": 1694085361.0, ""content"": ""Alert means the traffic is allowed. Go look at the traffic log bytes sent and bytes received. Do you see bytes received higher than zero? Sounds like the firewall is allowing everything""}, {""user"": ""ua88e460"", ""timestamp"": 1694086543.0, ""content"": ""Would you think packet capture will tell me more?""}, {""user"": ""6epgk"", ""timestamp"": 1694086830.0, ""content"": ""Do you see you bytes sent and received""}, {""user"": ""ua88e460"", ""timestamp"": 1694135366.0, ""content"": ""Bytes sent: 1588, Bytes received: 325, something dropped...security policies problems?""}]" +paloaltonetworks-93,"[{""user"": ""j43jipd0r"", ""timestamp"": 1693958839.0, ""content"": ""Title: PCNSE\n Body: Failed my PCNSE today. 
I\u2019m in a Palo everyday but we\u2019re on 10 and seemed there were a lot of questions on 11. I primarily used the official study guide and CBTNuggets to train, on top of experience. Not interested in dumps but is there material that might give my some exposure to 11 until I can get in one of the official courses? I feel like I was close.""}, {""user"": ""x9wez"", ""timestamp"": 1693961251.0, ""content"": ""There's specific courses about what's new on 10.x and 11.x on beacon.paloaltonetworks.com""}, {""user"": ""j43jipd0r"", ""timestamp"": 1693964728.0, ""content"": ""I do! Hadn\u2019t thought of that. Thank you guys.""}, {""user"": ""p1pda"", ""timestamp"": 1693963339.0, ""content"": ""This, if you have access to the Beacon classes then 11.0 and panorama ones were useful for me. Otherwise the release notes are fun reading.""}, {""user"": ""3up2qoit"", ""timestamp"": 1693965914.0, ""content"": ""What sections were you struggling on? \n\nAnd seriously, don\u2019t feel bad. That exam is a bitch and with the exception of one person I know, everyone has had to take it 2-3 times to pass it. The one person I know that passed it the first try is one of those outlier type people.""}, {""user"": ""j43jipd0r"", ""timestamp"": 1693966136.0, ""content"": "" Deploy and Configure Core Components, troubleshooting, and Manage and operate were my lowest. Specifically, Panorama, NAT, and Web Proxy""}, {""user"": ""3up2qoit"", ""timestamp"": 1693966716.0, ""content"": ""So essentially you need both the EDU-220 and EDU-330. \n\nAs for a place to play, some resellers and distributors offer sandboxes that you can mess around in. If you are a reseller and don\u2019t offer that, check with the presales team from you distributors. If you aren\u2019t a reseller or distributor, ask your reseller if they have one or access to one. Palo Alto also has demos that if you have next wave access you can check out and go over settings and placement of things. 
You can also check out Palo Alto\u2019s Ultimate Test Drive options. That will give you a temporary lab environment with a lot of the newest features being focused on. \n\nThe NAT questions suck and they are going to be the worst ones of all of them because of how the are formatted. Do all the rest of the questions first and go back to the NAT ones last.""}, {""user"": ""10ob38"", ""timestamp"": 1694003277.0, ""content"": ""Don't let the NAT questions fool you, spend 15 min of your time looking at [https://www.youtube.com/watch?v=Ahrao6kBg8w](https://www.youtube.com/watch?v=Ahrao6kBg8w) and never mess it up again.""}, {""user"": ""j43jipd0r"", ""timestamp"": 1693999270.0, ""content"": ""Appreciate that. I do have access to some sandbox environments and pushing my manager for a couple 400 series so I don\u2019t have to test out ideas in my production environment. Also pushing for 220 and 330 training but until we buy more hardware, I\u2019m not sure that\u2019s going to happen. I don\u2019t understand Beacon. I don\u2019t see courses. Everything leads back to links to partners who offer \u201cfor pay\u201d courses like you\u2019d get at global knowledge.""}, {""user"": ""3up2qoit"", ""timestamp"": 1694005326.0, ""content"": ""My issue with them was the way they formatted the questions. It was just a wall of text so it wasn\u2019t as easy to read.""}]" +paloaltonetworks-94,"[{""user"": ""vcyenh35"", ""timestamp"": 1693945085.0, ""content"": ""Title: Panorama - Sometimes we can use commit & push and sometimes commit to panorama and then push to devices... why?\n Body: Hi,\n\naccording to subject - why we are able sometimes to commit and push from panorama to devices and sometimes we have to firstly do commit to panorama and then push to devices? I tried to find some info about that, but without success.\n\n​\n\nThank you""}, {""user"": ""d54x7"", ""timestamp"": 1693945560.0, ""content"": ""It's not normal. 
You used to be able to commit & push for any change on Panorama. Now if it falls under Templates you have to commit and then push. Any change in Device Groups and you can commit & push. At least that is what I have noticed on mine.\n\nI assume some update broke it. I'm sure they will fix it eventually like how they fixed being able to hop locally to any firewall instead of having to go back to Panorama first.""}, {""user"": ""10qe8s12"", ""timestamp"": 1693953576.0, ""content"": ""There might be other reasons for it, but if you make a change just on a Shared object, you'll need to Commit and Push as two separate tasks. For example, if you create a Shared address object that's tagged for inclusion in a dynamic address group, but you don't change any policy that uses that DAG.""}, {""user"": ""x04u8"", ""timestamp"": 1693953965.0, ""content"": ""This is actually addressed as an issue in one of the recent patch notes.""}, {""user"": ""6gexp"", ""timestamp"": 1693962790.0, ""content"": ""10.2.5 has it as an addressed issue where you can't commit and push template changes""}, {""user"": ""5gj3sjhny"", ""timestamp"": 1693947075.0, ""content"": ""I commit and push my changes all day every day. The only time you can\u2019t do that is if you also made a change on the panorama tab, because you can\u2019t push to panorama.""}, {""user"": ""vcyenh35"", ""timestamp"": 1693946559.0, ""content"": ""I thought so also! :) But i did not find it under known issues, so... thats why.""}, {""user"": ""vcyenh35"", ""timestamp"": 1693948113.0, ""content"": ""Nope, I dont think this is the case. I am pretty much sure that even if you dont do any changes in PN tab, then you have to do commit first and then commit and push.""}, {""user"": ""zps23"", ""timestamp"": 1693947738.0, ""content"": ""Something I've seen is a push and commit says complete after the commit stage (it's still doing the push in the background). 
So if you test once it says complete then that may be why.\n\nAt the same time, I never use Push and Commit anymore""}, {""user"": ""d54x7"", ""timestamp"": 1694023414.0, ""content"": ""Confirmed that 10.2.5 fixed the issue for me.""}, {""user"": ""5gj3sjhny"", ""timestamp"": 1693957626.0, ""content"": ""Our Pano is on 10.1.8-h2 and I do commit and push multiple times every day without issue.""}, {""user"": ""vcyenh35"", ""timestamp"": 1693948403.0, ""content"": ""Well, even if it is a bug, I take it as a kind of improvement, as it is safer to do the commit to panorama and then push:)""}, {""user"": ""d54x7"", ""timestamp"": 1694023520.0, ""content"": ""It may just be on the 10.2 versions.""}]" +paloaltonetworks-95,"[{""user"": ""j46kmxkj0"", ""timestamp"": 1693961383.0, ""content"": ""Title: Undocumented global interface counters\n Body: Hey all, we've recently deployed two PA-1420's in the wild (wooo, spooky, v11 in production). We're seeing a couple of interface counters increment at a rate of around 3-5 per second, but they seem to be completely undocumented. We've had tickets open with Palo Alto for weeks on this, but their senior engineers seem to be using the same documentation as us, unfortunately.\n\n\nThe only advice PA support could provide was that they'd get back to us in 24-48 hours, several times. Does anyone know what the below counter is actually meant to track? 
They're at the parse stage of the firewall, so they appear to be contributing to our receive interface errors.\n\nCommand:\n\n>show counter global filter severity drop delta yes\n\nCounter name:\n\n>flow_ingress_ifp_lookup_ifmap_fail\n\nDescription:\n\n>Packets dropped: unable to lookup main interface\n\n\n\n\nBonus, if you can track down any documentation for this counter too:\n\nname:\n\n>flow_ingress_ifp_lookup_invalid_mode\n\ndesc:\n\n>packets dropped: invalid port mode""}, {""user"": ""4azj7"", ""timestamp"": 1693965322.0, ""content"": ""Can\u2019t answer your question, but have you tried capturing dropped packets?""}, {""user"": ""j46kmxkj0"", ""timestamp"": 1693974374.0, ""content"": ""Yep - but the drop stage has a fair amount of other \""expected\"" drops. There is a whole lot of NBNS (netbios), MDNS, DNS drops. There are some HSRP drops, which are expected (HSRP hits a broadcast address but we're not running HSRP or VRRP on the firewalls obviously).\n\n\nI suppose the crux of the problem is, these drops weren't present on our PA-3060's, which the 1420's are replacing. I can't identify a change in functionality that would cause these drops.""}]" +paloaltonetworks-96,"[{""user"": ""avy1turd"", ""timestamp"": 1693930655.0, ""content"": ""Title: Oh, snap! (Palo GUI browser crashing)\n Body: For the past week or so, I'm getting browser crashes when logged in to the GUI of my various Palo firewalls. I have several different models, many of which are on slightly different software versions. I primarily use Google Chrome as my browser, so I probably need to try Edge to see if it makes a difference, but I can say my Chrome is fully updated.\n\nBasically, I'm just working away in the GUI, or even just staring at it, doing nothing, and the screen goes white, and it says, \""Aw, snap!\"" (sorry, I mistyped in the title), and then gives me a Reload button.\n\nIs anybody else experiencing this? 
Is the GUI web server crashing, or maybe it just doesn't like Chrome anymore?\n\nhttps://preview.redd.it/iro6jquupgmb1.png?width=979&format=png&auto=webp&s=4e0ad1f10c20307a097dc3d06b577ecf44aa7431""}, {""user"": ""2z38uxaj"", ""timestamp"": 1693941689.0, ""content"": ""Try it with incognito and don't allow any extensions to run from incognito. I am in PANOS all day everyday using Chrome and it haven't had this issue. Good luck.""}, {""user"": ""n3camsm"", ""timestamp"": 1693947962.0, ""content"": ""Had to use Firefox - incognito didn't work in Chrome.""}, {""user"": ""3cntn"", ""timestamp"": 1693931951.0, ""content"": ""I too get this, the error states:\n\nError code: STATUS_BREAKPOINT""}, {""user"": ""xels6"", ""timestamp"": 1693968910.0, ""content"": ""Did you flush your cookies, I had this issue after one of the recent builds of Chromium.""}, {""user"": ""3abnp"", ""timestamp"": 1693972784.0, ""content"": ""Yes. Started happening to me late last week primarily on the monitor tan when I would change search criteria. I haven\u2019t noticed as much this week. I changed to Firefox some and it never did it in there.""}, {""user"": ""3b04ti1j"", ""timestamp"": 1693988253.0, ""content"": ""It happened to us after upgrading to 10.1.10, never a problem in 10.1.9. Tried to clear cache and cookies in Chrome, nothing helped. Changed to Firefox and haven't seen it since.""}, {""user"": ""avy1turd"", ""timestamp"": 1693932168.0, ""content"": ""I just read that disabling hardware acceleration in the Chrome settings MIGHT help. I gave that a shot, and I shall report back.\n\nUPDATE - No such luck. It still crashes. Back to the drawing board!""}]" +paloaltonetworks-97,"[{""user"": ""odjep3mn"", ""timestamp"": 1693948000.0, ""content"": ""Title: Enterprise DLP\n Body: Anyone use the Enterprise DLP option?\n\nJust curious if it could label files as sensitive like MS Purview can.\n\nWould like to block files based off of sensitivity. 
""}, {""user"": ""4d2e2"", ""timestamp"": 1693966504.0, ""content"": ""Enterprise DLP can\u2019t label files, but it can detect files labeled by Purview.""}, {""user"": ""odjep3mn"", ""timestamp"": 1694008009.0, ""content"": ""can't the PAN firewall detect the Purview labels already?\n\nIt lists sensitivity as a file property under data patterns, at least.""}, {""user"": ""nqh6ed9"", ""timestamp"": 1694053391.0, ""content"": ""Is this true? Is there a tie in with Microsoft on that?""}, {""user"": ""odjep3mn"", ""timestamp"": 1694055266.0, ""content"": ""I might be wrong about that.\n\nIt does list sensitivity but online the only reference to it is with Enterprise DLP.\n\nI have a call with PAN tech support tomorrow. I'll find out for sure at that time.""}, {""user"": ""nqh6ed9"", ""timestamp"": 1694100402.0, ""content"": ""Very interested to hear back on this one!!""}, {""user"": ""odjep3mn"", ""timestamp"": 1694106564.0, ""content"": ""asked two questions on call\n\nany difference between firewall and enterprise dlp if using custom data patterns and not pre-defined filters. \n\nThey said not really. \n\nasked if files were labeled with MS Purview for sensitivity, would the firewall and/or Enterprise DLP be able to detect and potentially block based off of it. 
\n\nThey said...they would have to get back to me.""}, {""user"": ""nqh6ed9"", ""timestamp"": 1694109305.0, ""content"": ""Haven\u2019t been that impressed with there dlp solutions honestly""}, {""user"": ""odjep3mn"", ""timestamp"": 1694111865.0, ""content"": ""from PAN admin guide (fwiw):\n\nCustom Data Patterns for Data Loss Prevention (DLP) Solutions\u2014If you\u2019re using a third-party, endpoint DLP solution that populates file properties to indicate sensitive content, you can create a custom data pattern to identify the file properties and values tagged by your DLP solution and then log or block the files that your Data Filtering profile detects based on that pattern.""}, {""user"": ""nqh6ed9"", ""timestamp"": 1694114475.0, ""content"": ""So can u pull that in from azure? Those tags?""}]" +paloaltonetworks-98,"[{""user"": ""vcyenh35"", ""timestamp"": 1693945212.0, ""content"": ""Title: Standby IP/MAC settings in active/standby mode vs Cisco\n Body: Hello, standby IP/MAC settings in active/standby mode - on Cisco we always set main IP/MAC + standby for PTP towards Cisco. Is it PAN supported? Or maybe the OSPF graceful restart is a solution which should be supported by both vendors? \nWhat is a best practice by you?\n\n \nThank you!""}, {""user"": ""vcyenh35"", ""timestamp"": 1693950066.0, ""content"": ""ok, so I found it! \nThe mac adres moves over to the other firewall. It will send a graticious arp also, just to make sure the mac adres table on the switch is updated properly, but the arp table doesn\u2019t need updating because the ip/mac combination does not change.""}]" +paloaltonetworks-99,"[{""user"": ""5vzlhaol"", ""timestamp"": 1693910451.0, ""content"": ""Title: Does XDR PRo Per GB require a Data Lake License ? online docs are confusing\n Body: Hi everyone,\n\nJust as the title says, this have been very confusing for me. We have PA and Fortinet Firewalls and XDR Pro Endpoints. 
We've been sold on the 3rd party integration features, stitching logs from other vendors and integrating our PAs with Cortex and such. \n\nInitially we were told that we needed XDR Pro Per TB and CDL for that, and to use this calculator : [Hub - Palo Alto Networks](https://apps.paloaltonetworks.com/cortex-sizing-estimator) , but then XDR Pro Per GB came and i've been wondering if we still need a CDL license ?\n\nFor instance [here](https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Pro-Administrator-Guide/Setup-Overview) it says i can directly \"" configure Cortex XDR to stream data from other Palo Alto Networks products directly to your tenant or via Cortex Data Lake. To stream data directly, you need to first [deploy your network devices](https://docs-cortex.paloaltonetworks.com/r/MextAZMZR16wpui1aRGiDQ/34uvel3Cj7LCbgRvCcdHYw) and then set up your [Palo Alto Networks Integrations](https://docs-cortex.paloaltonetworks.com/r/MextAZMZR16wpui1aRGiDQ/tdhHgPdjDPQgSQqDz~jdpQ). \"" ""}, {""user"": ""6epgk"", ""timestamp"": 1693911335.0, ""content"": ""No you don't need a separate data lake for xdr pro per TB. You used to get one for free but they changed their licensing. You don't need a data lake by itself.""}, {""user"": ""6em3n"", ""timestamp"": 1693913411.0, ""content"": ""Get used to confusing XDR documentation.""}, {""user"": ""517yy"", ""timestamp"": 1694011641.0, ""content"": ""So lets call it Cortex Data Lake & XDR Data Lake ... you used to get both ... now this has been separated from a SKU point of view...\n\nIf you dont have anything running on the firewall like IOT Security, AI-Ops or something then you dont need Cortex Data Lake ... if you have something like this running you will need CDL ... 
Otherwise for 3rd Party ingestion or just Palo Alto Networks Firewall logs into Cortex XDR ( XDR Data lake) you dont need CDL.""}, {""user"": ""5vzlhaol"", ""timestamp"": 1693921569.0, ""content"": ""So i just need to use the sizing calculator and get the corresponding Per GB license ? I got 6 Tb, how may GB does it make ?""}, {""user"": ""5vzlhaol"", ""timestamp"": 1693921430.0, ""content"": ""haha that and not many videos/demos, but just recently discovered UTDs, i have signed up for some, hope to learn something""}, {""user"": ""66ovb"", ""timestamp"": 1693960191.0, ""content"": ""I would recommend working with your rep on a PoC. The calculation for sizing is off and is more based on Datalake (which retains more logs for NGFW) XDR logging was using about 1/5th the log storage compared to DL for the same period of time during our PoC. I think they are still getting their calculators dialed for the new licensing.""}]" +paloaltonetworks-100,"[{""user"": ""11o6u1"", ""timestamp"": 1693906629.0, ""content"": ""Title: Global Protect HIP Profile settings\n Body: Hello guys, \n\n\nI have 2 SSL VPN rules assigned to my username in Palo Alto firewall. For testing purposes, I added a HIP profile to only one of them. The device I tested does not comply with the HIP profile.\n\n​\n\nThe VPN connection is notifyed as failed. The rule to which I applied the HIP Profile is not working because the computer I'm using does not comply with the HIP profile.\n\n​\n\nI believe that the VPN connection should not be established since the computer does not comply with the HIP profile. Is there a setting I might have missed?\n\n​\n\nThanks""}, {""user"": ""bwz0h"", ""timestamp"": 1693913965.0, ""content"": ""I typically create VPN in it's own zone (i.e. vpn). Wherever you have policies between the zone containing the VPN and Inside is where I would attach the HIP profile. The logic can be weird. 
For blocking non-compliant devices I typically create a HIP match policy with a DENY action, then an allow all.\n\nEDIT: The logic can also go the opposite. A \""not match\"" can be trigger an allow. For HIP enforcement I sometimes create a HIP match policy that is allowed and add an implicit deny all.""}, {""user"": ""odjep3mn"", ""timestamp"": 1693918328.0, ""content"": ""I believe HIP profiles apply to security policies and not GP Gateways/Portals so if the HIP profile isn't matched, none of the security polices will be allowed but doesn't deny or drop the vpn connection itself.""}, {""user"": ""4ij1ueme"", ""timestamp"": 1693909762.0, ""content"": ""You need to add the hip profile the security rule that's establishing VPN connection""}, {""user"": ""briif"", ""timestamp"": 1693919383.0, ""content"": ""Yup, this is how we do it as well. HIP profile is not part of whether the VPN connection is allowed or not. It is used in traffic policies and either allowed or denied based on HIP profile status. If a match, it is allowed, after that a rule that denies all (we still allow dns). \n\nIn the rule it will be like zone: GP, and in source device: HIP profile. action allow""}, {""user"": ""11o6u1"", ""timestamp"": 1693909921.0, ""content"": ""I'm asking to confirm, should the rule with the public IP coming from the WAN be added? If we do it this way, won't we be applying the same profile to everyone?""}, {""user"": ""4ij1ueme"", ""timestamp"": 1693910247.0, ""content"": ""Yes, we will be applying the same profile to everyone.""}, {""user"": ""11o6u1"", ""timestamp"": 1693910727.0, ""content"": ""But external user/ consultant? How i can permit?""}, {""user"": ""4ij1ueme"", ""timestamp"": 1693910765.0, ""content"": ""Always maintain/create a different gateway for the external users.""}, {""user"": ""11o6u1"", ""timestamp"": 1693911144.0, ""content"": ""as a different public ip? 
or clone currently rule but with different hip object?""}]" +paloaltonetworks-101,"[{""user"": ""ce2uwknl"", ""timestamp"": 1693903773.0, ""content"": ""Title: API Methods\n Body: Hey Everyone. Is there any api method specifically to onboard users or create users on GlobalProtect ? I am seeing the methods to list out the users but not creating any user.\nThank you in advance.""}, {""user"": ""15jrca"", ""timestamp"": 1693908177.0, ""content"": ""My first question is why?""}, {""user"": ""ibia0"", ""timestamp"": 1693906750.0, ""content"": ""While I initially question the use of local versus directory based users, you do you.\n\n> debug cli on\n\nRun that on cli. Create your user. It'll spit out the API command for you\n\n> debug cli off\n\nDon't forget to turn it off after""}, {""user"": ""ce2uwknl"", ""timestamp"": 1693908579.0, ""content"": ""Wondering the possibilty of automating this process. \nWorkflow wud be to the details which will be fetched by some other service and then make it available for these PanOs create user api.""}, {""user"": ""ce2uwknl"", ""timestamp"": 1693907218.0, ""content"": ""Where is this debug cli ? Is there any reference link ?\nIs this a part of the panorama dashboard ?""}, {""user"": ""ibia0"", ""timestamp"": 1693913760.0, ""content"": ""Ssh to panorama""}]" +paloaltonetworks-102,"[{""user"": ""o8iurn3c"", ""timestamp"": 1693900081.0, ""content"": ""Title: Deploy a PA Firewall VM at Huawei Cloud\n Body: Dear experts,\n\nAny chance if I can deploy a PA Firewall VM at Huawei Cloud? \n\nGone through the document but did not see this Huawei Cloud is supported. \n\nSeeking your advise. Thanks. ""}, {""user"": ""51x0a"", ""timestamp"": 1693929236.0, ""content"": ""I've never heard of anybody deploying a PA-VM in the Huawei public cloud space, but then again I'd expect any VM that's built right and of the correct file type to be deployable in any public cloud space. 
What specific kinds of problems are you having with deploying and spinning up your VM, or are you still in the preliminary stages and concerned that you can't find any documented compatibility?""}, {""user"": ""o8iurn3c"", ""timestamp"": 1693964479.0, ""content"": ""I am looking if there is any possibility that I can deploy it on the Huawei Cloud. As I did not see Huawei Cloud is supported listed in the PA official document. Just wondering if we deploy it on the Huawei Cloud, will the PA TAC still support us if any issue?""}, {""user"": ""51x0a"", ""timestamp"": 1693970875.0, ""content"": ""That's actually a good question. If you have a Palo sales rep that your company works with, I'd ask them about it. If they don't know off the top of their head, I'm sure they know who could find out for sure.""}, {""user"": ""o8iurn3c"", ""timestamp"": 1693972226.0, ""content"": ""hmm okay. I will drop the question to them. Thank you for your reply.""}]" +paloaltonetworks-103,"[{""user"": ""14v8bw"", ""timestamp"": 1693881270.0, ""content"": ""Title: Global Protect SAML login + LDAP User Identification\n Body: I feel like I saw a solution to this a year or so ago but my google skills must be failing me in my old age. I spun up a new Global Protect platform with Client SAML authentication. I'd like to allocate connected users VPN IP space based on their user identity and role. An example would look like this. \n\nPrivileged users - [10.0.200.0/24](https://10.0.200.0/24)\n\nAccounting - [10.0.201.0/24](https://10.0.201.0/24)\n\nTestingTeam - [10.0.202.0/24](https://10.0.202.0/24)\n\nSo essentially I log into global protect with SAML and based on my identity, I am allocated an address in the correct block based on my role. \n\nFrom here I can create policy from an address group perspective instead of having to perform LDAP dips constantly to allow my users to access resources. 
\n\nAlternatively, I have created groups in my LDAP group policy that I can reference, however it seems that SAML authentication, doesn't play nice with LDAP from a user identification perspective. I almost feel like this could be as simple as changing a group mapping attribute but if that's the case, I'm missing the critical piece. \n\nIs what I'm describing feasible and/or common? Am I clear with my idea?""}, {""user"": ""4ij1ueme"", ""timestamp"": 1693891373.0, ""content"": ""Use portal authentication as SAML and gateway authentication as LDAP.\nWorks perfectly fine for me""}, {""user"": ""ox0u8"", ""timestamp"": 1693886274.0, ""content"": ""yes you can absolutely do what you\u2019re asking for in your first couple paragraphs. \n\nJust create multiple client configurations under GP gateway , assign each LDAP group to its own client config, along with the IP pool you want them to utilize.\n\nNot sure I\u2019m fully understanding your SAML question, can you re-word it? What are you trying to do?""}, {""user"": ""14v8bw"", ""timestamp"": 1693926490.0, ""content"": ""Good morning everyone. Testing all the suggested solutions now. Will report back.""}, {""user"": ""167r57"", ""timestamp"": 1693892124.0, ""content"": ""This feels like something where you'd want to have your LDAP groups and memberships mirrored in your SAML provider directory to be sending over. If you're using delegation against LDAP for your SAML auth I'd have to start Googling to see if you could pass those attributes in the assertion somehow. Depending on the provider it might be something simple you can configure in the SAML provider UI.""}, {""user"": ""e6qh3"", ""timestamp"": 1693948556.0, ""content"": ""I banged my head on this a while back with no resolution. With SAML auth, I didn't see a way to feed group information into the Gateway agent config selection. \n\nI like /u/Scorpio__1104 suggestion. 
I wonder if setting the auth cookie would work so you don't prompt twice but still use LDAP auth to check group membership.""}, {""user"": ""9u4hlj83"", ""timestamp"": 1694014249.0, ""content"": ""Maybe something like this?\n\n[https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000sZaHCAU](https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000sZaHCAU)""}, {""user"": ""nqh6ed9"", ""timestamp"": 1694054296.0, ""content"": ""You have to get your identity provider to feed back a Saml response with the username that matches your ldap user, not something like a upn. If the username getting sent back matches, it will work. If you use internal gateways and internal gp, your internal users will have to use Saml to sign in internally. Use ldap on portal and Saml on gateways.""}, {""user"": ""14v8bw"", ""timestamp"": 1693886622.0, ""content"": ""Stand by. I'll test it. I think I tried that last week and ran into an issue that I should have documented better.""}, {""user"": ""3qehsocn"", ""timestamp"": 1694081079.0, ""content"": ""This is right\u2026need to transform the SAML response. We send ours back in NETBIOS domain format, e.g. DOMAIN\\john.doe""}, {""user"": ""14v8bw"", ""timestamp"": 1693890396.0, ""content"": ""Yeah. No dice. It seems that if I can authenticate with SAML, it doesn't invoke the LDAP group or user when defined in the source user field. \n\n\nI created two Client configs. The first one (higher priority) I set with my ldap user and an address of [10.0.200.0/24](https://10.0.200.0/24). Then I made a second one and set the user to any and an address of 10.0.300.0/24. Connections establish and are assigned the lower priority, but matching config of 10.0.300.0/24. \n\n​\n\nThis is a tricky one.""}, {""user"": ""nqh6ed9"", ""timestamp"": 1694097881.0, ""content"": ""They have a multi username format but we could never get that to work right. 
Has anyone gotten that to successfully work?""}, {""user"": ""x04u8"", ""timestamp"": 1693894631.0, ""content"": ""Thet LDAP group has to be synced to Entra and applied to the appropriate GP Enterprise App""}, {""user"": ""7zg68sfx"", ""timestamp"": 1693958017.0, ""content"": ""Hello OP. Yes it does work this way. As long as the username that the IDP is passing on when the GP does it\u2019s get-config lookup , matches the username format that is in the config deletion criteria, it will match the way you would expect this to.""}]" +paloaltonetworks-104,"[{""user"": ""4x424rcw"", ""timestamp"": 1693837541.0, ""content"": ""Title: Forward DoS threshold violation events directly to the administrators via email\n Body: Hi guys, I've setup DDOS protection on the firewall and would like to get email notification if the DoS thresholds are violated. I know how to setup email notifications in the log forward section but can't figure how to filter the DoS threshold violations. If you've done this can you point me to the right direction? Thanks.""}, {""user"": ""3usub8o9"", ""timestamp"": 1693879637.0, ""content"": ""I believe threat IDs for \u201cTCP Flood\u201d and \u201cUDP Flood\u201d are 8501 and 8502, respectively. You could setup the log forwarding profile to forward threat logs to SMTP when the filter matches ((threatid eq 8501) or (threatid eq 8502))""}, {""user"": ""4x424rcw"", ""timestamp"": 1693916577.0, ""content"": ""Thanks, I'll give it a try.""}]" +paloaltonetworks-105,"[{""user"": ""j9z1hkcu"", ""timestamp"": 1693825830.0, ""content"": ""Title: Do i get access to support portal after getting PA trial ?\n Body: Just got hands on my first PA trial, can i use it to register support account? 
Here: [https://support.paloaltonetworks.com/UserAccount/PreRegister](https://support.paloaltonetworks.com/UserAccount/PreRegister) \n\n\nI am asking that question because i filled all registration forms, but having problems with Sales Order Number \u00a0\u00a0*or*\u00a0\u00a0 Customer Id form, like what am i supposed to put there, if i got my PA from link email from PaloaltoNetworks \n\n\nhttps://preview.redd.it/8h080tkp18mb1.png?width=668&format=png&auto=webp&s=41bcd1c5496ba31a214901302fb40d4054e5d997\n\nThank you""}, {""user"": ""10ob38"", ""timestamp"": 1693948025.0, ""content"": ""As far as I know the trial license won't get you access to the support portal, unless an SE specifically grants it.""}, {""user"": ""j9z1hkcu"", ""timestamp"": 1693950862.0, ""content"": ""Oh, okay. Thank you for reply though""}]" +paloaltonetworks-106,"[{""user"": ""3usub8o9"", ""timestamp"": 1693776243.0, ""content"": ""Title: EDL Management Tools?\n Body: Wondering what everyone is using for EDL management? We are currently using Minemeld, but it relies on Python 2.x and seems efforts to migrate it to Python 3 have largely been abandoned. Will probably need to start moving away from it, plus it\u2019s difficult to get running on new Ubuntu releases. \n\nI know PANW has a SaaS EDL service which can replace common miners/EDLs like those O365 and AWS, and will look to leverage those where I can. \n\nHowever, we have a lot of basic EDLs (not necessarily dynamic), but it\u2019s just nice to have a comments field to see who added indicators to an EDL and why, as Minemeld does currently. \n\nAnyone using any good EDL management tools out there that support adding indicators and comments? \n\nThanks in advance!""}, {""user"": ""5kgkt"", ""timestamp"": 1693779705.0, ""content"": ""https://www.edlmanager.com/""}, {""user"": ""56dcd86r"", ""timestamp"": 1693825552.0, ""content"": ""You can always use the one I did myself \ud83d\ude09, requires python 3.10. 
https://github.com/michaelvandycke/mikemeld""}, {""user"": ""2tqa4rla"", ""timestamp"": 1693781596.0, ""content"": ""Just put them on a web server. Use CURL to parse them from the source however you\u2019d like.""}, {""user"": ""x9wez"", ""timestamp"": 1693828904.0, ""content"": ""You can try the free version of XSOAR""}, {""user"": ""i5gzh"", ""timestamp"": 1693818906.0, ""content"": ""Busy creating a EDL Management tool. Will post here once its in free BETA""}, {""user"": ""ibia0"", ""timestamp"": 1693869688.0, ""content"": ""> Mikemeld\n\nThat's awesome""}, {""user"": ""3usub8o9"", ""timestamp"": 1693782162.0, ""content"": ""The challenge is for EDLs we manually maintain such as static whitelists or blacklists\u2026stuff that\u2019s not dynamically fetched and parsed. When someone adds something to a whitelist or blacklist feed in Minemeld, they also add a comment with an incident number. That\u2019s been super helpful for historical tracking of whitelist/blacklist changes. If a webserver more or less serves a text file (that someone updates manually) as an EDL, there\u2019s still unfortunately the predicament of not knowing why that indicator is in the EDL""}, {""user"": ""2tqa4rla"", ""timestamp"": 1693782306.0, ""content"": ""The EDL lists can contain comments after the entries. https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/policy/use-an-external-dynamic-list-in-policy/formatting-guidelines-for-an-external-dynamic-list/ip-address-list#idd44a975a-a94a-4398-864e-5cf223f1d351""}, {""user"": ""3usub8o9"", ""timestamp"": 1693782576.0, ""content"": ""This is great to know, thank you! I will have to test if EDLs containing URLs support the same syntax as IP address EDLs:\n\n[IP address, IP/Mask, or IP start range-IP end range] [space] [comment]""}, {""user"": ""nuvdltb"", ""timestamp"": 1693841063.0, ""content"": ""They do as I use this for my URL and IP lists. 
We also have a list on the webserver that is fed via some programming through email alerts and we append the # comment here after every entry. It helps when reviewing months down the road. I religiously use them on our allow lists as I want to see if I can remove them (usually when a site is coming up in one of the high risk categories because it's new and palo is slow to recategorize it, so I want to check if it still needs to be bypassed in a week or so.)""}]" +paloaltonetworks-107,"[{""user"": ""4bzzarp8"", ""timestamp"": 1693765387.0, ""content"": ""Title: State of Identity Firewalling 2023\n Body: Hi guys, \nSo I've been trying to leverage firewalling based on identities rather than IP addresses for almost a year now. My initial thought was firewalling based on DAGs filled with IPs from RADIUS server for Users/Devices and DAGs filled with IPs from VMWare NSX (servers). \nI wanted it to be agentless on the clientside, accurate at all times and robust as well so there would be no need for permissive emergency rules. I wanted the solution to work 24/7 but it should be able to recover from missed events/outage by performing full synchronization with the remote Source of Truth IPDB (ISE/NSX). \nReality began to set in pretty soon when I first started because I realized that Panorama and two plugins aren't the best idea as they won't provide the redundancy and reliability that I need. \nI ended up with a solution that is not as robust (pretty accurate and fast though) as I wanted. \nIt works, but I don't trust it enough because it has some quirks. Mainly because of PAN buggy software which I didn't account for... \nI still use the Trustsec and NSX plugin for Panorama but I also collect syslog from SXP reflectors (WAN Routers) and am really considering developing something myself that would do the only thing I want... \nI didn't figure out how to resolve \""split brain\"" scenarios... 
I didn't figure out how to make it \""immortal\"" so I can go on vacation without fear. \nThe only thing I realize that I need to make it more modular. \nI already use it for about 7k devices such as Printers, IP Phones, Cameras, ... That works pretty well as these are mostly stationary. \nFew months ago, I started to enforce firewalling from Inside networks to Internet for regular users on Wired/Wireless/VPN, but there's no way in hell I'd start doing that for the traffic that's destined to our on-prem DCs... \nThere's still a few incidents every week and I've been feeling a bit hopeless... \nIs there someone who is doing simillar thing and who could give me some advice in that matter?\n\nThanks in advance.""}, {""user"": ""3usub8o9"", ""timestamp"": 1693777247.0, ""content"": ""Having been through some user-id struggles of my own, I\u2019ve found the best architecture to use the Windows-based UID agents which are downloadable from the support portal. These agents gather event logs from domain controllers using RPC, which should encompass user authentications (via Kerberos) to both servers and workstations\u2026.Kerberos events logged on the domain controller contain both a username and the IP attempting to authenticate, so PAN will learn that using AD as the source of truth. You can deploy multiple Windows-based agents for redundancy. \n\nIf you have servers used by multiple users, best approach would likely be PAN\u2019s TS agent (terminal services agent). For non-terminal servers that aren\u2019t specifically intended for end user computing, I think enforcing user-based connectivity will be a challenge and in those cases I typically create IP-based rules. With the exception of terminal servers, a server\u2019s need for network access shouldn\u2019t really change based on who\u2019s logged in. 
The server should have consistent connectivity based on its function, and remote access to the server should by controlled in the OS itself (ie only allow expected sysadmins to login to the server). \n\nTo catch straggling end-user events that may have been missed by AD/Kerberos logging, I also have ISE syslog authentication/accounting events to the Windows-based agents, as those can parse syslog as well. IMO, user-id is intended to map IP addresses directly to users, and adding something like DAGs into the mix adds some unnecessary complexity. \n\nI am not 100% sure what you mean by split-brain, but without a TS agent, an IP can only be mapped to one user at a time. The mapping with the latest time stamp wins. \n\nIf you can accurately capture initial events and have redundant agents, there shouldn\u2019t be a need to have to do a full sync with a source of truth. I\u2019ve found the Windows agents work much better than those built into PAN-OS""}]" +paloaltonetworks-108,"[{""user"": ""da5f3fdc1"", ""timestamp"": 1693723717.0, ""content"": ""Title: What are your recommended block rules?\n Body: Hello folks,\n\nI already followed what Palo Alto suggests in term of inspecting, decrypting and blocking for a typical internet gateway. What I'm asking is what YOU are blocking in addition to Palo Alto suggestions (QUIC, bulletproof IPs, various EDLs, URL Filtering, File Blocking, Wildifire, yadda yadda...).\n\nWhat I do block, in addition to the above, is the remote-access app category from inside to outside.""}, {""user"": ""s9hdizof"", ""timestamp"": 1693723781.0, ""content"": ""ok so from my side, something i definitely recommend blocking are cryptocurrency miners, which can be a sneaky risk. i'd also suggest adding some geolocation-based rules to block traffic from regions known for initiating cyber attacks. \n\nremoving unused application entries and tightening up security profiles can also be beneficial. 
and hey - while almost all \""on-risk\"" categories should be blocked, low and medium-risk applications can be an overlooked threat, so take a closer look at those. \nhope this helps! lmk if you have more queries.""}, {""user"": ""i5gzh"", ""timestamp"": 1693725093.0, ""content"": ""Unknown apps, Encrypted DNS, Tunnel apps to the internet""}, {""user"": ""fov3e"", ""timestamp"": 1693757792.0, ""content"": ""It appears you have most things covered. One additional thing that might be a good idea is to create an app-filter for high risk score apps and app categories and use the filter for an app block rule. Using an app filter can be useful, because it scales automatically as new app-ids are created, if they fall into the right criteria, they'll automatically get added to that app filter.""}, {""user"": ""azicu"", ""timestamp"": 1693751480.0, ""content"": ""I block all Microsoft network ports no matter what the apps at the top for internet bound traffic . \n\nMake and edl for ip\u2019s you see doing bad stuff and block that. \n\nBlock all ssh on any port unless you allow it . If your uses need ssh for a transfer then make a rule . \n\nIf your clients should be using internal dns servers enforce that and block dns for all your clients and have a policy at the top for your approved dns forwards like domain controllers or dns servers . \n\nIf your not getting blocked traffic logs if you be a good thing to enable those .""}, {""user"": ""55q0sjmx"", ""timestamp"": 1693875821.0, ""content"": ""You should think about it in reverse. What do I Allow? 
You should Allow what you want-know and Block everything else.""}, {""user"": ""da5f3fdc1"", ""timestamp"": 1693775782.0, ""content"": ""Thanks for all the replies, \nsome of them have really good suggestions.\n\nWhat I failed to mention in the original post is that nothing except port 80 and 443 are allowed to go outbound from the \""Clients\"" zone, and everything is decrypted and has security profiles assigned.\n\nWhen some specific protocols are allowed they are allowed via specific rules only for the egress IP (like some SMTP/IMAP traffic to specific servers, for example).\n\nAll the other zones (DMZs, Servers, Mgmt networks) have way more restrictive policies applied.""}, {""user"": ""iuanxhj57"", ""timestamp"": 1693755335.0, ""content"": ""Can anyone point me to the docs on pa support for this please""}, {""user"": ""odjep3mn"", ""timestamp"": 1693755837.0, ""content"": ""outgoing geo location blocking can be tricky because websites can be hosted pretty much anywhere\n\nI have rule for ip exceptions for the geo location blocking rule""}, {""user"": ""8e8pvsdc"", ""timestamp"": 1693766551.0, ""content"": ""Inbound, anything outside the US.\n\nInbound/outbound \nQuic\nSMB""}, {""user"": ""2yas21f0"", ""timestamp"": 1693734973.0, ""content"": ""Good idea on the crypto miners - not something I had considered. Do you do this via apps? If so, which apps?\n\nWe also use geo locations. At the top of our rule base we drop anything from Russia, China and a few others. Interestingly, we manage PAN devices in UK, EU and Africa.\nThe quantity of hits on the \""drop from Russia\"" rule for the UK firewalls is significantly higher than the other regions... 
The amount of noise that Russia spews onto the UK Internet is crazy.""}, {""user"": ""da5f3fdc1"", ""timestamp"": 1693775548.0, ""content"": ""Thanks,\n\nthat's what I use for blocking the Remote Access Tools category.""}, {""user"": ""iwlnp"", ""timestamp"": 1693752606.0, ""content"": ""I've made some posts in here a while back how to use the internal log forwarding, IP tags and dynamicv groups to automate that you can blacklist all inbound traffic hitting the threat logs. Might be worth searching up.""}, {""user"": ""bf73y"", ""timestamp"": 1693758320.0, ""content"": ""https://docs.paloaltonetworks.com/best-practices/internet-gateway-best-practices/best-practice-internet-gateway-security-policy/define-the-initial-internet-gateway-security-policy""}, {""user"": ""s9hdizof"", ""timestamp"": 1693735047.0, ""content"": ""it's a browser extension and basically, what it does is it uses two different approaches to block miners. \n\nfirst, it's updated to block requests to domains that are linked to crypto mining scripts. second, it looks for suspicious scripts running in the browser and it'll stop them. so for this approach, even if miners are hosted elsewhere or their server changes, the script would still be blocked because it\u2019s behaving like a miner. \n\nand that's really fascinating about the geo-locations. the differences in traffic from russia are quite surprising! it's like you've gotta stay one step ahead all the time, right?""}, {""user"": ""2yas21f0"", ""timestamp"": 1693735732.0, ""content"": ""That's interesting, I wonder if anyone produces and EDL with known miner IPs...""}, {""user"": ""s9hdizof"", ""timestamp"": 1693736004.0, ""content"": ""but threat intel providers like abuse.ch provide an ssl blacklist that can be useful for blocking connections to known malicious hosts, including miners. \nkeep in mind though, script-based miners that run on websites just use normal server ips, so an ip-based blocklist might not catch everything. 
you really have to combine methods to get the best results.""}, {""user"": ""azicu"", ""timestamp"": 1693750973.0, ""content"": ""These is a url category and there are a bunch of apps Palo Alto has already""}]" +paloaltonetworks-109,"[{""user"": ""322wvqjf"", ""timestamp"": 1693702082.0, ""content"": ""Title: Unable to connect to management interface\n Body: I recently made a change to allow 10.10.25.11/32 and 10.10.24/24 as permitted ip to the management interface. I made an error with the IP as that ip is for my Apple TV not my laptop which actually has 10.10.25.4, so I\u2019m unable to connect but I had connected to the 10.10.24/24 network and still unable to connect. Any solid suggestions?""}, {""user"": ""167r57"", ""timestamp"": 1693702610.0, ""content"": ""Maybe a typo in the 10.10.24.0/24 network? \n\nI would serial in or try assuming your Apple TVs IP.""}, {""user"": ""irru7"", ""timestamp"": 1693702668.0, ""content"": ""Sounds like it\u2019s time to grab the old trusty console cable out. 
There is a way to edit that access list through the CLI.""}, {""user"": ""iwlnp"", ""timestamp"": 1693795025.0, ""content"": ""\\- You forgot to add the new subnet to permitted IPs \n\\- You somehow have a missing/non-working default route on the PA's management \n\\- There is a duplicate IP \n\\- Time to find a serial cable""}, {""user"": ""322wvqjf"", ""timestamp"": 1693703054.0, ""content"": ""Could be not ruling out that possibility""}, {""user"": ""322wvqjf"", ""timestamp"": 1693703030.0, ""content"": ""Would you be referring to this https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClLqCAK""}, {""user"": ""3ho57"", ""timestamp"": 1693749770.0, ""content"": ""Been there \ud83d\ude01""}, {""user"": ""irru7"", ""timestamp"": 1693703597.0, ""content"": ""That should fix your issue.""}, {""user"": ""322wvqjf"", ""timestamp"": 1693743806.0, ""content"": ""all good now""}]" +paloaltonetworks-110,"[{""user"": ""ua88e460"", ""timestamp"": 1693619892.0, ""content"": ""Title: PA high availability re design\n Body: Dear Friends,\n\nNow our head office is having a pair of HA Active-Passive doing High Availability over two ISP. Now, due to site has two buildings, each building has layer 3 its own layer 3 switches, and two windows hyper V clusters that we can move around windows guest machines...we want to redesign the whole infrastructure so we can have high availability for different buildings etc..is it possible to HA Palo to be become Active and Active, one going out one ISP A, the other going out by ISP B. If not, What would be a feasible way to implement this to achieve high availability between buildings?""}, {""user"": ""briif"", ""timestamp"": 1693623022.0, ""content"": ""Yes, that's possible. \n\nI like PA's HA Active Passive Design. Use layer2 switches that span the ISP's to each firewall with one in each building. provide the ISP's to both PA's in an identical fashion. Physically land ISP and PA in each building. 
If you want building A to use ISP1, and B to use ISP2, pbr it that way. \n\nIf you still absolutely do not want layer2 spans, drop HA active active, and go two standalones. Use local static with path monitoring to remove local default on ISP failure. Have each PA use a /30 iBGP path and use Weight (local significance) to set each default. If you have an existing good L3 network between the buildings, might need iBGP with multihop and set the expected hops. If an ISP goes offline, ie, PA1 will take the iBGP route via PA2.""}, {""user"": ""151ozs"", ""timestamp"": 1693658948.0, ""content"": ""We need more information. Do the buildings have layer 2 connectivity between them, or only Internet connectivity?\n\nIf they have layer 2 connectivity, what's the bandwidth?\n\nDo you need to transparently move virtuals between Hyper-V hosts in different buildings?\n\nNext, let's review the three rules of Palo active/active deployment.\n\n1. Don't do it.\n2. Serious, don't. It isn't going to do what you think it will do.\n3. If you have one of the specific scenarios documented by Palo where active/active makes sense, go ahead, but expect pain.""}, {""user"": ""x04u8"", ""timestamp"": 1693628985.0, ""content"": ""If you are going to do Active / Active you should run Panorams for central logging and diagnostics at least. Otherwise A/A will work fine in your scenario. You will have to setup symmetric return and ensure the inside of your network routes non-asymmetrically.""}, {""user"": ""w9hmrujl"", ""timestamp"": 1693631048.0, ""content"": ""SDWAN are always a better option to go for.""}, {""user"": ""w9hmrujl"", ""timestamp"": 1693631782.0, ""content"": ""If both Buildings have separate ISPs coming and may be no direct link between two buildings then yes have one SDWAN in each or pair of sdwan in each. 
\n\nWe use Silverpeak SDWANs and these are very good.""}, {""user"": ""y7eds"", ""timestamp"": 1693696394.0, ""content"": ""I would stay away from active active initially setup in my network and after spending nearly 12 months talking to Palo Alto support and then telling me that it's not worth doing I would never ever touch it again\n\nI think people have pointed out a stretch feel and between your sites that way you can share your isp's probably better way to go with active passive""}, {""user"": ""y7eds"", ""timestamp"": 1693815450.0, ""content"": ""No we have ha .. just in 2 DC's using stretch vlans""}, {""user"": ""8qk1un9z"", ""timestamp"": 1693815571.0, ""content"": ""Don't do active/active, keep is as active/passive and let the firewall in a building manage the other one or go with 2 PA without HA enabled but with path monitoring.""}, {""user"": ""ua88e460"", ""timestamp"": 1693630484.0, ""content"": ""We do have two WAN switches to connected to Two ISP separately. And also, we were planning to move to SDWAN among head office and remote offices. Not sure if I should really get SDWAN to handle the traffic and HA among two PAs?""}, {""user"": ""ua88e460"", ""timestamp"": 1693663171.0, ""content"": ""Two buildings have two layer 3 switches, connected by fibre, they can communicate, each vlans have different gateway IPs..two ISP links coming to different buildings...what would be the best scenario? Suggestions? Thanks""}, {""user"": ""ua88e460"", ""timestamp"": 1693630349.0, ""content"": ""Yeah, we do have Panorama internally, now we were planning to move to SDWAN, now I am thinking if I should get rid of HA, and separate the whole site to two different sites. Let SDWAN communicate two PAs over two different ISP links..any better suggestions? \n\nThanks""}, {""user"": ""ua88e460"", ""timestamp"": 1693631149.0, ""content"": ""Would you think I can separate the sites into two and have SDWAN linking two? 
Clearly I need to add public IPs to public DNS service so email and adfs traffic can still get in.""}, {""user"": ""unknown"", ""timestamp"": 1693646632.0, ""content"": ""[deleted]""}, {""user"": ""ua88e460"", ""timestamp"": 1693700249.0, ""content"": ""Thanks for that. If we keep HA Active and passive, somehow connected by WAN switches, would HA links be able to connect via internal layer 3 switches, instead of connected directly? Would we need to add new vlan etc? \n\nThanks\nLarry""}, {""user"": ""ua88e460"", ""timestamp"": 1693830503.0, ""content"": ""Hi I am thinking to do path monitoring within HA, the only thing is that two connections (data and control link will be over another two wan switches, two wan switches will be at different buildings, they are connected by a fiber link. What if the fibre link failed? We ended up having Two active PAs..and split Brian error..am I correct? What if we try internal dynamic routing? Having two PAs totally like two routers without HA at all..would that work better? \n\nThanks""}, {""user"": ""w9hmrujl"", ""timestamp"": 1693646998.0, ""content"": ""Then you already have p2p connection.""}, {""user"": ""y7eds"", ""timestamp"": 1693777182.0, ""content"": ""So the way that I have it \n\nI have 2 DC's . 
1 PA in each and I stretch vlans between the 2 DC\n\n1 vlan for Internet - but I terminate my ISP on external routers and have a shared vlan with the routers and the PA's and use BGP from the PA to the routers and routers to ISP with full BGP feed.\n\n​\n\nSo this way DC PA A can talk to ISP in DC B and vis versa\n\nI have a VLAN specifically for the heartbeat traffic and the backup link on different switches and connections\n\n​\n\non top of the BGP between the PA and the rtr I also have a de prioritised dgw to one of a VIP on the routers during that period of convergence \n\n​\n\nso its possible to do""}, {""user"": ""8qk1un9z"", ""timestamp"": 1693831503.0, ""content"": ""If you have 2 building and each of them have a ISP it will split brain and both building will still have access to internet and the VM will be accessibile, the problem is if the VM will be relaunch again on the other hypervisor, but this isn't a firewall problem. Keep a domain controller in each building or you will lose the possibility to login using AD in other services.\n\nWhen the split brain will end they will resume the HA, if something change in the configure in the meantime you will be able to push one to the other and realign them again without any downtime or problem.\n\nIf you have 2 separated Palo Alto you have to pay more for the license, manage 2 different device and configure the routing, it's usefull if the security policy will be different and the local traffic has to stay in the same building, otherwise I would go with the HA solution, but the traffic between vlan will always go to the same PA, so for a building it will go back and forth to the other building every time.""}, {""user"": ""ua88e460"", ""timestamp"": 1693784069.0, ""content"": ""Thanks for the info. So there is no HA happening, just two PAs doing BGP, right? 
\n\nThanks""}, {""user"": ""ua88e460"", ""timestamp"": 1693832010.0, ""content"": ""I was thinking Active and Active..but they would have the same issue if the fibre link between them is broke. Or sth.... I don't know how I can set up, once the fibre link is down, PA will accurately change the role etc..""}, {""user"": ""y7eds"", ""timestamp"": 1694251056.0, ""content"": ""No I'm doing ha over 2 DC with stretch vlans""}, {""user"": ""8qk1un9z"", ""timestamp"": 1693832211.0, ""content"": ""I wouldn't go with active/active in any case, at that point keep them separated and manage them indipendently or with Panorama, it would be way easier and more performant than have an active/active HA.""}, {""user"": ""ua88e460"", ""timestamp"": 1694251141.0, ""content"": ""2 Domain controllers with VxLan? Can you explain more? What is stretch vlan? Thanks""}, {""user"": ""ua88e460"", ""timestamp"": 1693833843.0, ""content"": ""Yeah I do have Panorama, planning to move to SDWAN, but exploring this high availability on different buildings option now. Would you think active and passive HA can work on two wan switches connected by fiber link?""}, {""user"": ""8qk1un9z"", ""timestamp"": 1693835500.0, ""content"": ""I have 2 HA cluster with a fiber link in two different datacenter, the same fiber is also used for traffic and backup, and I never had a problem with it.""}, {""user"": ""ua88e460"", ""timestamp"": 1693891717.0, ""content"": ""Thanks, so both data and control links can be put in that fiber link with two different vlans? Do you need to configure jumbo frame?\n\nThanks""}, {""user"": ""8qk1un9z"", ""timestamp"": 1693915707.0, ""content"": ""Exactly, even without jumbo frame it works flawless.""}, {""user"": ""ua88e460"", ""timestamp"": 1693916856.0, ""content"": ""I will put two links into two vlans and do LAG over two WAN switch, do monitoring for both, sounds about right?""}, {""user"": ""8qk1un9z"", ""timestamp"": 1693922832.0, ""content"": ""In my experience it's fine. 
I have connected 2 HA pair using a single 10G connection and there is like 200km between them, with other traffic in the same connection.""}]" +paloaltonetworks-111,"[{""user"": ""5gpis"", ""timestamp"": 1693588973.0, ""content"": ""Title: What to do with a retired PA-220?\n Body: Is it possible to boot any non PA OS on this box? Could one run an open-source OS like pfsense, or one of the \\*WRT distros, or maybe just some version of Linux?\n\n​""}, {""user"": ""133vwp"", ""timestamp"": 1693594902.0, ""content"": ""I chucked my into the e-waste bin.""}, {""user"": ""8k029"", ""timestamp"": 1693618449.0, ""content"": ""Try and do a commit and see if it finishes before YOU retire!""}, {""user"": ""a6sdwo87"", ""timestamp"": 1693659923.0, ""content"": ""Reboot it and use it as an hour glass.""}, {""user"": ""5amdbun2"", ""timestamp"": 1693607682.0, ""content"": ""\ud83d\uddd1\ufe0f""}, {""user"": ""ra02d"", ""timestamp"": 1693591839.0, ""content"": ""Is there any difference in PA's capabilities without license and those you mentioned? I'm wondering because aside from real-time stuff and subscription stuff that needs updates, you can use pretty much everything.""}, {""user"": ""2c207fsg"", ""timestamp"": 1693611410.0, ""content"": ""We go full Office Space on them.""}, {""user"": ""51x0a"", ""timestamp"": 1693621614.0, ""content"": ""Shit I'll take it off your hands for shipping and a few bucks if you're down.""}, {""user"": ""6kmv9vv6"", ""timestamp"": 1693590314.0, ""content"": ""I remember a similar question was asked and answer was no. Not sure if someone managed to break the BIOs on it etc I may have outdated information""}, {""user"": ""8e8pvsdc"", ""timestamp"": 1693613052.0, ""content"": ""It\u2019s a generic router and works fine as one. No licenses needed. Hopefully though you have a few old PanOS installed so you can find the best performing one. \nOtherwise recycle please. 
Not interchangeable parts and though it does run on centos (I think) you likely won\u2019t be able to get it to run properly because of firmware restrictions and lack of proprietary drivers.""}, {""user"": ""j8azq"", ""timestamp"": 1693659804.0, ""content"": ""We donated all ours to the local community college, they use them in some labs for students.""}, {""user"": ""2yas21f0"", ""timestamp"": 1693596769.0, ""content"": ""Correct answer. \ud83d\ude02\n\nThere are surely way more fun things to play with than an old 220!""}, {""user"": ""967pai8e"", ""timestamp"": 1693629023.0, ""content"": ""As bad as the 220s were the 200s were even **slower**.""}, {""user"": ""9twqtwg1"", ""timestamp"": 1693623400.0, ""content"": ""That\u2019s what I was thinking""}, {""user"": ""8qk1un9z"", ""timestamp"": 1693820901.0, ""content"": ""Upgrade every night and set an allarm when it come back online, you can use it as an allarm to wake you up.""}, {""user"": ""ygz0o"", ""timestamp"": 1693592910.0, ""content"": ""as you said a subscription is needed for pattern & Software Updates, for global protect, url Filtering, DNS sinkhole, Antivirus etc.\n\nThe Basic Like routing or simple networking will work without a license or device certificate. That's my latest Info about this ;)""}, {""user"": ""4gigy"", ""timestamp"": 1693618605.0, ""content"": ""*cries* while deploying 220r's for an industrial environment because they still haven't come out with a ruggedized 400 series unit.""}, {""user"": ""mnt6suvq"", ""timestamp"": 1693651227.0, ""content"": ""Yep we have 4 of these being decommed soon. Commits were like come back in 15 mins and see if you can move on yet.""}, {""user"": ""910ih044"", ""timestamp"": 1693742988.0, ""content"": ""Haha, I remember the 2020 with 30 minute commit times :). 
I was so happy when the super fast 3020 resesed.""}, {""user"": ""ra02d"", ""timestamp"": 1693595561.0, ""content"": ""Yeah, but what does pfsense or some \\*wrt have that is not available in PanOS without license? You still have EDLs, you still have URL and DNS blocking/filtering, you can still make a black hole, GlobalProtect works unless you want to connect with Linux (but I think you can bypass that as well). Also the way you phrased it as \""retired\"" PA-200, I assume you probably have newer ones in your environment and with them an access to support which means you can download software updates for PA220 manually (at least while it's still supported) and also content updates manually.""}, {""user"": ""3ho5uhxb"", ""timestamp"": 1693660249.0, ""content"": ""You\u2019re in for a pleasant surprise then. \ud83d\ude09""}, {""user"": ""2s33j5pb"", ""timestamp"": 1694004889.0, ""content"": ""coming soon :)""}, {""user"": ""ik2wj"", ""timestamp"": 1693679081.0, ""content"": ""Shit, and I thought the 500\u2019s were slow.""}, {""user"": ""967pai8e"", ""timestamp"": 1693938454.0, ""content"": ""I remember using some 2020s and those were pretty slow as well.""}, {""user"": ""5gpis"", ""timestamp"": 1693596720.0, ""content"": ""This is really helpful, thanks I was thinking I\u2019d use it as a wireguard or OpenVPN server. I\u2019m not a huge fan of the global protect clients. \n\nAnd the idea of using it with an open source OS is more appealing than hoping I\u2019ll always have access to PA\u2019s updates. And even then those will only last for a few more years. \n\nBut at least it\u2019s good to know I don\u2019t have to toss it in the e-waste dumpster just yet.""}, {""user"": ""910ih044"", ""timestamp"": 1693742907.0, ""content"": ""I\u2019m curious why? Is it not as bad as a normal 220? 
I\u2019ve refained from buying the 220r\u2019s because the 220 is rather old and slow.""}, {""user"": ""kevpn"", ""timestamp"": 1693599652.0, ""content"": ""GP clients aren't mandatory though, no?""}, {""user"": ""ra02d"", ""timestamp"": 1693606118.0, ""content"": ""Yeah, you can just enable IPSec mode for GP and use built-in client on Linux (OpenConnect with globalprotect addon).""}, {""user"": ""4gigy"", ""timestamp"": 1693775700.0, ""content"": ""They're saying a ruggedized 400 series is coming out soon.""}]" +paloaltonetworks-112,"[{""user"": ""8hvrewqp"", ""timestamp"": 1693592890.0, ""content"": ""Title: Setting up palo but my outbound traffic cannot return\n Body: Setting up palo for my small network. Internal appears to be working fine. I can ping my test servers and such inside the lan. The outbound NAT policy is working/hitting as well. I can\u2019t ping outbound however. My pings to 8.8.8.8 and any traffic shows aged out in the logs. I don\u2019t see anything dropped or blocked, it\u2019s just not returning to the Palo. Sounds like a static route issue at this point. I only have a default route 0.0.0.0/0 to the wan interface and next hop ip (isp router). Why won\u2019t the traffic come back?""}, {""user"": ""5u04b"", ""timestamp"": 1693593565.0, ""content"": ""What's the WAN config? If you plug your laptop in the same IP info does it work? Are you sure your NAT rule is correct?\n\n​\n\n>I only have a default route 0.0.0.0/0 to the wan interface. \n\nYou typically don't set an egress interface, especially for a default route. You give it the nexthop and let the system figure out the correct interface.""}, {""user"": ""t4ewrjqa"", ""timestamp"": 1693595807.0, ""content"": ""It does sound like either a virtual router issue or the NAT issue.\n\n1 check your source zones and your destination zones.\n\n2 look at the next hop on the virtual router. A /29 should have documentation listing a gateway address that will be different than your public facing IP. 
Usually the first IP address in the block. Make sure you have the right gateway listed. \n\n3 make sure your virtual router has the correct interfaces listed. Both trust and untrusted. \n\nHope this helps.""}, {""user"": ""10ceo3"", ""timestamp"": 1693612779.0, ""content"": ""Do your logs show that the traffic has source Nat applied?""}, {""user"": ""iuanxhj57"", ""timestamp"": 1693614705.0, ""content"": ""Did you enter a virtual router entry?""}, {""user"": ""k4r0k"", ""timestamp"": 1693620651.0, ""content"": ""To me this screams NAT. But you say that's working, so I'll focus on the less likely stuff. Others have convered the virtual-routers so I'll skip that too.\n\nWhat is your source NAT IP and can you see that in the ARP table of your upstream router or just a laptop/device plugged into the WAN interface. Maybe something like your old firewall is holding on to that IP?\n\nCan you ping your default gateway or is it just stuff beyond it? Hopefully you can't ping your default gateway, otherwise you'll probably have to contact your provider. If you're doing a cut-over it's conceivably possible they're not listening to your gARPs, in which case you probably need to wait for the timeout (probably 5 or 20 minutes).\n\nCan you see the default gateway in your ARP table? I think that's \""show arp\"" on the CLI, but it's easy to find with \""?\"" and tab-completion.\n\nIf you run a packet capture, can you see the traffic leaving your firewall with a destination MAC address matching your default gateway? Do you see the traffic coming back in the capture? Do you at least see random port scanning of your firewall's IP? 
If you don't even see that, I don't think you're on the Internet.""}, {""user"": ""w9hmrujl"", ""timestamp"": 1693700744.0, ""content"": ""Check the basic stuff first, ssh to the device and run show arp all command and see if you can see an ARP entry for your Default gateway IP, if you can't then your ISP could be down or could be other things\n\nIf you can see the arp entry do a ping test with\n\nPing source as your outside interface IP and host as the default gateway to make sure you can ping the DG, If this is successful then do the same ping source as your outside interface and host 8.8.8.8 to see if you can go out from your outside interface. \n\nOnce these confirm please update.""}, {""user"": ""8hvrewqp"", ""timestamp"": 1693593878.0, ""content"": ""I have a Static /29. I have wan interface configured the same way as my Juniper that I\u2019m replacing. What do you mean by plugging my laptop in with the same IP info""}, {""user"": ""5u04b"", ""timestamp"": 1693594531.0, ""content"": ""Plug whatever is going to the WAN port on the palo into your laptop, configure the laptop with the IP/subnet/gateway you're using and validate that you can get to the internet.\n\n​\n\nIs this a /29 with the gateway inside of it, or a routed /29 over a transit network? Is this DOCSIS? Have you rebooted your ISP device after moving to the PAN to clear any ARP cache issues? Is there a switch between the PAN's WAN interface and the ISP device?""}, {""user"": ""8hvrewqp"", ""timestamp"": 1693594994.0, ""content"": ""I have an att gateway outside in passthru . Not sure why I didn\u2019t think about this before but I think AT&T is restricting my router by MAC address.\nWAN port is plugged directly into this gateway. I did not reboot the ISP Gateway. 
Good point.""}]" +paloaltonetworks-113,"[{""user"": ""5weaas12"", ""timestamp"": 1693534775.0, ""content"": ""Title: What are some of the more obscure but useful NGFW troubleshooting commands/steps you have come across?\n Body: I keep an ever growing command reference that I add to when I come across commands not readily obvious (e.g. not the basic 'show' style commands, or which are show commands that are buried deep into the hierarchy). It helps out a lot without having to google for a command which might only be used every now, but is hard to remember. A few of the ones that I've come across that some people may not know include:\n\n tail mp-log [LOG_FILE_NAME]\n Useful for looking at log files related to specific PAN processes\n \n show running resource-monitor ingress-backlogs\n Super helpful for seeing sessions that might be causing high DP utilization\n \n show system state\n A huge amount of information relating to the device and various state/status information. Use the 'filter' option to narrow it down for your use-case\n \n show counter global\n I find this most useful if you have set a filter in the UI (Monitor > Packet Capture), or via the CLI, so that you can see exactly which counters are incrementing as a result of the traffic that matches your filter. 
Can help in identifying if an issue a session is experiencing is related to something odd\n\nWhat commands do other people use that might not be so obvious?""}, {""user"": ""ibia0"", ""timestamp"": 1693535430.0, ""content"": ""The best cli for your arsenal:\n\n> find command keyword [type stuff here]\n\nUseful for 'im troubleshooting something related to [stuff here] and wonder what commands I can use to diagnose stuff without using Google or TAC'\n\nFor the API gurus:\n\n> debug cli on\n> [insert other command here]\n> debug cli off\n\nUseful to find the full API command for what you're trying to automate, when the API browser is being a pain to find""}, {""user"": ""zlbzd"", ""timestamp"": 1693547290.0, ""content"": ""Show counter global delta yes packet filter yes is all you need for everything""}, {""user"": ""gpf65"", ""timestamp"": 1693540861.0, ""content"": ""Tail follow yes mp-log (hit tab to see all log choices for your device)\n\nThis will show you the log in real time with updates printed as they occur. 
So you leave this open while you open another cli or gui to run things.""}, {""user"": ""m6i3n"", ""timestamp"": 1693854502.0, ""content"": ""Debug dataplane pow performance, for seeing what functions actually consume DP CPU\n\n\n\nhttps://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CmV2CAK#:~:text=The%20output%20of%20%22debug%20dataplane,default%20when%20dp%2Dmonitor%20runs.""}, {""user"": ""4fxf88os"", ""timestamp"": 1693667401.0, ""content"": ""There was one in particular that I cannot remember but I used last week and it was very useful, it was basically viewing the logs for Globalprotect connections with details on their auth and session flow""}, {""user"": ""5jh7pojzs"", ""timestamp"": 1693729448.0, ""content"": ""find command keyword \n\nOutputs every single command in that CLI mode that includes that keyword.""}, {""user"": ""zlbzd"", ""timestamp"": 1693547325.0, ""content"": ""always works 40% of the time\n\n/s""}, {""user"": ""5weaas12"", ""timestamp"": 1693865611.0, ""content"": ""Very cool! I'll be adding this one to my list""}]" +paloaltonetworks-114,"[{""user"": ""14qf15"", ""timestamp"": 1693538467.0, ""content"": ""Title: FireWire Port Label\n Body: Just unboxing a new PA-1410\nTook me a min or two to work out the mgmt port is the one with the FireWire symbol. Any ideas why they chose that graphic?""}, {""user"": ""9twqtwg1"", ""timestamp"": 1693541703.0, ""content"": ""They got a deal on some 2001 netgear routers so they just recycled the case to save money because they spend so much on their tier1 support staff. /s""}, {""user"": ""dzsmj"", ""timestamp"": 1693577533.0, ""content"": ""Nooo. That's the flux-capacitor""}, {""user"": ""nycni"", ""timestamp"": 1693621791.0, ""content"": ""It\u2019s like FireWire is so old that the copyright on the logo has gone public domain. 
\ud83d\ude02""}, {""user"": ""e6qh3"", ""timestamp"": 1693545534.0, ""content"": ""Using leftover stencils?""}, {""user"": ""1512xx"", ""timestamp"": 1693607041.0, ""content"": ""Wait... wut????""}, {""user"": ""153r79"", ""timestamp"": 1693703053.0, ""content"": ""I just look for the one with the link lights. The others are HA and console.""}, {""user"": ""32qh1jlo"", ""timestamp"": 1693542435.0, ""content"": ""Lol""}, {""user"": ""967pai8e"", ""timestamp"": 1693630873.0, ""content"": ""There were Netgear routers with Firewire?""}, {""user"": ""967pai8e"", ""timestamp"": 1693629357.0, ""content"": ""Technically it isn't, but the website for the trade association for IEEE1394 is gone so I would assume that there is nobody that would really try and stop them from using it.""}, {""user"": ""14qf15"", ""timestamp"": 1693607274.0, ""content"": ""Yeah that was my reaction as soon as I saw it. I googled and it's even like that on the documentation...""}, {""user"": ""9twqtwg1"", ""timestamp"": 1693667405.0, ""content"": ""Lol I don\u2019t know, I was just taking shit""}, {""user"": ""nycni"", ""timestamp"": 1693629999.0, ""content"": ""I think FireWire was Apple\u2019s trademark for 1394. I wonder if Apple is gonna go after PAN on this.""}, {""user"": ""967pai8e"", ""timestamp"": 1693630847.0, ""content"": ""Seeing as Apple hasn't sold a Mac with Firewire in a while I doubt that they would care either. That being said there is some confusion using that logo. I'm surprised that the product designers at PAN would use that.""}]" +paloaltonetworks-115,"[{""user"": ""95uho2gn"", ""timestamp"": 1693555656.0, ""content"": ""Title: Prisma Access , Internet Outbreak\n Body: Our company is thinking of moving to prisma access cloud. But 1 of the concerns is that we will propably break out with another public IP , this change will have a huge impact on our environment. 
for hosted services and so on .So i was wondering if someone also experienced this move and if they had a solution to this issue?\n\nPerhaps the internet outbreak can be rerouted to your local ISP again so that you can maintain the public ip's, from within prisma access? ""}, {""user"": ""7n1ler6y"", ""timestamp"": 1693568421.0, ""content"": ""Assuming you mean egress point, I don't believe it's possible. With Prisma Access, all Internet bound traffic egress directly from PANs GCP environment, and internal communications are routed across the appropriate service connection. \n\nEven if it was possible, I'm not sure it would be a good idea considering the latency that would be introduced.""}, {""user"": ""mga4i"", ""timestamp"": 1693570784.0, ""content"": ""You can inject a default route to Prisma Access, but at least on our case, what we did was basically gather all public IPs Prisma is using and whitelist them on our SaaS applications.\n\nThese public IPs are unique for each Prisma Access tenant and won\u2019t change unless we perform infrastructure changes (eg. 
deploy a new Mobile User SPN)\n\nI think that was the cleanest way of approaching this and gives the best user experience without back hauling all or part of the traffic that is intended to the internet\n\nEdit 1: Grammar""}, {""user"": ""6qgsi"", ""timestamp"": 1693571704.0, ""content"": ""Either whitelist your prisma egress IPs (there is an API to pull them and notifications for them)\n\nOr\n\nUse traffic steering rules to forward specific destinations down through your data center to maintain the egress ip.\n\nDo not advertise a default into Prisma""}, {""user"": ""ibia0"", ""timestamp"": 1693571947.0, ""content"": ""Traffic steering\n\nhttps://docs.paloaltonetworks.com/prisma/prisma-access/3-2/prisma-access-panorama-admin/prisma-access-advanced-deployments/service-connection-advanced-deployments/use-traffic-forwarding-rules-with-service-connections/configure-traffic-steering""}, {""user"": ""3hczxhat"", ""timestamp"": 1693560565.0, ""content"": ""We were told this wasn\u2019t possible. Had to add on prem firewalls to the mix to do this.""}, {""user"": ""5gj3sjhny"", ""timestamp"": 1693608765.0, ""content"": ""If this is that important, you should own your own address space and traffic that checks for a source IP should egress there only. \n\nHere\u2019s the deal with Prisma Access. Can you be guaranteed your egress IP(s) will never change, no. \n\nBut, assuming there aren\u2019t significant changes on your side, it\u2019s not likely to change often, if at all.""}, {""user"": ""e4rkt7gq"", ""timestamp"": 1693618311.0, ""content"": ""Besides traffic-steering, we advertise some small routes from on-prem over the service-connection into prisma to bring some traffic back to our on-prem, where it then egresses to the Internet where we can NAT to Public IPs that some of our counter-parties already have permissioned. We also leverage a few on-prem physical firewalls as external GP gateways which they call the \""hybrid\"" model. 
This allows certain users to select our physical GP GWs instead of a cloud GW which full-tunnels their traffic back to on-prem so we can NAT it. Overall, we're happy with Prisma Access. Oh, we also use the API to pull the list of Prisma Public IPs. Good Luck!""}, {""user"": ""59p7b"", ""timestamp"": 1693629653.0, ""content"": ""There are three methods of dealing with saas providers in order of what is most preferred to least. \n\n1. Allow list the IPs. Prisma now has a feature that will prevent it from scaling into IPs you haven\u2019t already confirmed to have allow listed. \n\n2. Perform traffic steering to selectively target destinations or domains to route through an onprem service connect \n\n3. Allow Prisma to accept a default route and inject one via BGP on the service connect.""}]" +paloaltonetworks-116,"[{""user"": ""gu9jy4we"", ""timestamp"": 1693555530.0, ""content"": ""Title: DNS Proxy Any Good? Am Abit Sceptical!\n Body: Hi, \n\nThought I would ask this question, so I am thinking of setting up DNS proxy on our standalone firewalls in the cloud (only got 2). Would give me greater flexibility on DNS forwarding given our hybrid cloud architecture - allow me to forward to on-premise resolvers (org domains), forward to Azure internal DNS (Azure local domains), and internet resolvers (general internet domains). \n\nI know NGFW is a very intelligent and highly capable device but was wondering if anyone has used DNS Proxy? Is it any good? Works out the box like a dream? As its very much more networking rather than WAF functionality. Unfortunately, dont have a test environment to try it out myself, all changes are in production haha! \n\nThanks!""}, {""user"": ""vrvsa7l"", ""timestamp"": 1693572220.0, ""content"": ""It's ok, work for guest networks quite well as we can point it at any resolver. 
Otherwise if hosting internal dns on AD Servers or other let those do the work...""}, {""user"": ""fh8kg"", ""timestamp"": 1693622801.0, ""content"": ""The main benefit is if any devices are making malicious DNS calls, it\u2019ll show up as their IP instead of the normal DNS server. \n\nI\u2019ve used it on Guest WiFi networks and smaller networks to direct and re-write DNS queries with split horizon. \n\nIt works. I generally try to put it on its own loop back interface to keep my life simple. \n\nBe careful with your security profiles you apply the the DNS Proxy otherwise you might block the traffic if anyone goes rogue.""}]" +paloaltonetworks-117,"[{""user"": ""w9hmrujl"", ""timestamp"": 1693500738.0, ""content"": ""Title: Best Naming Conventions for the rules\n Body: Hello guys\n\nWhat is the best Naming Conventions you would say for the security rules?\n\n\nThanks.""}, {""user"": ""da5f3fdc1"", ""timestamp"": 1693506156.0, ""content"": ""I use flow direction:\n\nAction - Ingress Zone - Protocol/App/Intent - Egress Zone\n\neg:\n\nDeny - Any - Malicious - Untrust\n\nDeny - Untrust - Malicious - Any\n\nAllow - Clients - Name Resolution - Untrust\n\nAllow - Clients - InternetFiltered - Untrust\n\nAllow - Management - TimeService - Untrust\n\n​\n\nSimilar for decryption policies:\n\nNoDecrypt - Clients - Financial\\_HealthCare - Untrust\n\nDecrypt - Clients - Any - Untrust""}, {""user"": ""5jtg7okq"", ""timestamp"": 1693514949.0, ""content"": ""There's good stuff in this thread but whatever you do, NO ~~CAPES~~ SPACES! Not even in the descriptions!\n\nIt'll be hell if you ever need to run batch modifications from the CLI.""}, {""user"": ""w9hmrujl"", ""timestamp"": 1693507593.0, ""content"": ""Thanks all,\n\nI need to work on our rules cleanup and convert the general naming rules to meaningful names. \n\nI normally use Source Zone_App_To_Destinatio Zone, however your feedback will help Greatly. 
\n\nThank you very much.""}, {""user"": ""nvfabfv"", ""timestamp"": 1693509489.0, ""content"": ""I use source system\\_destination\\_system\\_app or purpose based( Internet\\_access) (Block\\_all\\_malicius for eg)""}, {""user"": ""ry84esm"", ""timestamp"": 1693511860.0, ""content"": ""Thanks for asking this. I've been thinking about this for many years and never even occurred to me to ask reddit. What a fool I am.""}, {""user"": ""w9hmrujl"", ""timestamp"": 1693506394.0, ""content"": ""This is great. Thanks""}, {""user"": ""1qankke"", ""timestamp"": 1693512216.0, ""content"": ""I've been using: WHAT/SERVICE\\_FROM/SOURCE to TO/DESTINATION\\_ACTION\n\nThe from and to fields can be system names, broad descriptions or IP addresses. It really depends what information I have available for the policy that I am asked to implement. The underscores seperate the different logical parts of the name, this helps my eye to quickly find something because I know exactly where in the name I will find it. It also help when you are searching for something if you have the SERVICE/WHAT in the name.\n\nfor example \n\n* NTP\\_CORPORATE to 192.168.1.2\\_ALLOW\n* AD SERVICES\\_DMZ to AD SERVERS\\_ALLOW \n* SQL\\_172.16.0.2 to 192.168.1.2\\_ALLOW\n\nI do the same thing for my NAT rules, the action will then just be SRC NAT or DST NAT.\n\nFor objects my personal preference is when I'm creating an object for something is to use the IP as part of the name like SERVER NAME\\_IP. The reason for this is it's easier to search for stuff in the policy list. If you just use a name, then you can't filter the policies for that IP by just typing the IP in the filter box, the firewall won't do the lookup on the object to show the rule with the IP (unless this has changed without me knowing). You need to use the global search feature if you want to do that which is fine, I like to just quickly filter my policies in the list.\n\nAlso, tags are your friends. 
Think of using tags to mark service categories like EMAIL which lets you quickly find all policies that have something to do with EMAIL. Also handy if you maybe host different customers, you can create a tag with their name to find all their rules.""}, {""user"": ""9pjxy"", ""timestamp"": 1693506152.0, ""content"": ""Not sure if it's the best way, but we use:\n\nsource-system--destination-system application-name""}, {""user"": ""quitq"", ""timestamp"": 1693523398.0, ""content"": ""I use a similar type :\n\nALLOW-INSIDE_to_DMZ-SERVERS_to_CLIENTS\nDENY-OUT_to_IN-EXTERNAL_to_DMZ\n\nI try to leave out spaces so I don't have to call quotes in the cli. I'll also tag things with an inside-out, outside-in or deny tag. \n\nHonestly, it's up to you with how your flow works.""}, {""user"": ""gu9jy4we"", ""timestamp"": 1693557777.0, ""content"": ""I follow similar to above but different as we have 400+ rules. \n\n\nIngressZone-ServerName/Intent-to-EgressZone-ServerName/Intent-Application/Port-Action (only when denied otherwise implied allowed) \n\nExample: Server to MailChimp API for HTTPS\n\nDMZ\\_Prod-Srv1-to-Public\\_Internet-MailChimp-HTTPS or DMZ\\_Prod-Srv1-to-Public\\_Internet-MailChimp-HTTPS-DENY \n\n\nExample: Clients to Microsoft for HTTPS\n\nInternal-ALL-to-Internet-Microsoft-HTTPS \n\nSo when my colleagues read the rule, they can follow the flow of what its meant to do when it was created. Might seem complicated but when you have 400+ rules on your firewall, is it ever that easy haha!\n\nWhen I started working on Palo Alto NGFW I would read rule names that did not make sense. Some tried to bind the rule name to a server or application but I would look at the flow and not necessarily understand. 
Also over the years when you have environments where 400+ rules decommissioning legacy rules become difficult as its static policy entries.\n\nYou may say my naming convention is pointless as one could just read the rule itself which is true but my rule naming convention is structured around packet flow.\n\nGoodluck.""}, {""user"": ""8qk1un9z"", ""timestamp"": 1693567922.0, ""content"": ""I have 1000+ rules, I use --\\[-\\]--.""}, {""user"": ""60u62"", ""timestamp"": 1693578940.0, ""content"": ""We basically use something like Sourcezone\\_DestZone\\_SmallName \n\n\nEx : TRT\\_UNTRT\\_CommonWebApp \n\n\nTags are added to help readability""}, {""user"": ""iwlnp"", ""timestamp"": 1693694108.0, ""content"": ""Lots of good input on how to name your rules here. Lets extend the question one dimension further:\n\nHow do you group and order your groups of rules?""}, {""user"": ""51x0a"", ""timestamp"": 1693518472.0, ""content"": ""Shit now I'm legit mad at you (ok more at myself) for never having thought of such an elegant solution on my own. This is perfect.""}, {""user"": ""w9hmrujl"", ""timestamp"": 1693514982.0, ""content"": ""Oh yes no spaces lol.""}, {""user"": ""iwlnp"", ""timestamp"": 1693694019.0, ""content"": ""Underscore is evil. Hyphen is safer when processing rules in code.""}, {""user"": ""1qankke"", ""timestamp"": 1693512701.0, ""content"": ""Oh wanted to add, create coloured tags for your zones. RED for external stuff, GREEN for inside and maybe ORANGE for DMZ.\n\nThis helps you quickly see the direction of the policy without even having to read anything. \n\nYou can take it a step further and color your objects using the same colour logic. This can help you to spot misconfigurations quickly because the object colour should match the zone colour where that object resides. If it doesnt then you likely have made a mistake in your policy. 
Maybe a tech accidentally swopped the zones around cause they were tired or something""}, {""user"": ""w9hmrujl"", ""timestamp"": 1693512398.0, ""content"": ""Thanks""}, {""user"": ""r5dwp"", ""timestamp"": 1693506577.0, ""content"": ""Very similar to yours except I like to do Source Zone / Dest Zone instead of specific systems!\n\nEx. DMZ to Public SFTP Cloud Service Access\n\nThen I do tags on each policy for which Zones and traiffc direction\n\nEx. Internal Zone // External Outbound\n\nGroup by Zone tag""}, {""user"": ""da5f3fdc1"", ""timestamp"": 1693551521.0, ""content"": ""Thank you very much, I'm honored by such a comment. \nI'm a Windows guy so networking for me is more than a passion than a job.\n\nJust to hijack your comment, I was wondering about getting a certification, since you are certified maybe you can help me. The base one how hard it is? Provided you have a decade of experience in IT and decent networking knowledge.""}, {""user"": ""w9hmrujl"", ""timestamp"": 1693506828.0, ""content"": ""Do you tag the source zone?""}, {""user"": ""9pjxy"", ""timestamp"": 1693506744.0, ""content"": ""For general rules we do use something like that too, like deny anything from outside/Internet zone to the user zone, but most of our rules are between specific systems.""}, {""user"": ""51x0a"", ""timestamp"": 1693577712.0, ""content"": ""None of PA's exams have any prerequisites, but I can tell you that the PCNSE is a real bitch to pass. You can start closer to the beginning and earn your PCNSA which is a hell of a lot easier and will take less studying. There used to be PCNSE boot camp videos on YouTube, but it seems that channel's been removed as I can't find it anymore. That being said, if you have access to Palo Alto's Beacon website, use that as well as any CURRENT videos on YouTube (studying for the PCNSE 7 won't help you pass the PCNSE 11).""}, {""user"": ""r5dwp"", ""timestamp"": 1693506972.0, ""content"": ""It depends really. 
I try not to clutter with tags, so if its public (external outbound) like my example, I only tag the affected internal zone. I find having more than 2 tags gets messy pretty fast.\n\nIts hard to create a single way to do policies when the policies themselves can be very diverse so I just use best judgement or what makes the most sense individually when I create them.""}, {""user"": ""12vv4o"", ""timestamp"": 1693512052.0, ""content"": ""I recommend creating a tag for Source-Destination zone combinations with _G to differentiate from regular tags. If you create a grouptag for every unique source-destination zone combo and organize your ruleset into these groups while coloring the zones with tags, it will get easy to navigate rulebases with 10000+ rules. \n\nSo: Trust_Untrust_G\n\nTrust gets the green color.\n\nAll group-tags with the source zone Trust get green.\n\nI recommend using this for your name convention as well:\n\nTrust-_Untrust-APP/Port\n\nFor tags I like to use them to mark rules that use more special features: \""Inter-VSYS\"" , \""EDL\"", \""Deny\"", \""Drop\"" etc""}]" +paloaltonetworks-118,"[{""user"": ""bcv6r"", ""timestamp"": 1693523716.0, ""content"": ""Title: GP Welcome Page on macOS\n Body: I've created a basic html page to serve as the GlobalProtect welcome page, which of course pops up after the GP client connects to a gateway. It looks as expected on Windows but is all jacked up, with the text duplicated and many of the HTML tags visible, on mac Safari and Chrome browsers.\n\nSo far PA TAC has been unhelpful. Anyone know what is going on here and how to correct it?\n\nOriginal HTML\n\n

Acceptable Use Policy

\n \n

This system is for authorized users only. No other use is permitted. All network traffic is subject to applicable policies. By proceeding you assert that you are an authorized user and will abide by all policies hosted in Corporate Policies.

\n

Co monitors, logs, and records all network traffic, and decrypts in certain cases. Illegal activity will be reported to applicable authorities and law enforcement.

\n\nHTML source on macs\n\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n

<h1>Acceptable Use Policy</h1>

\n \n

<p>This system is for authorized users only. No other use is permitted. All network traffic is subject to applicable policies. By proceeding you assert that you are an authorized user and will abide by all policies hosted in Corporate Policies.</p>

\n \n

<p>Co monitors, logs, and records all network traffic, and decrypts in certain cases. Illegal activity will be reported to applicable authorities and law enforcement.</p>

\n \n


\n \n \n \n \n \n rities and law enforcement.\n \n \n \n \n \n \n\n​""}]" +paloaltonetworks-119,"[{""user"": ""h4fj3"", ""timestamp"": 1693520550.0, ""content"": ""Title: DNS not populating when using DHCP server on PAN\n Body: We are using the PAN's DHCP server for some of our sites and for some reason its only pushing static entries to our Windows DNS. We need host names to resolve for all IPs at these sites. Was wondering if there is something we need to do on either side to get DNS to populate properly.""}, {""user"": ""2tqa4rla"", ""timestamp"": 1693529846.0, ""content"": ""I don\u2019t believe Palo has any way of updating Windows DNS. That is a windows dhcp function. Workstations will register themselves in DNS if they are joined to the domain, others devices will not.\n\nThis is how it functions at our smaller sites with Meraki. Haven\u2019t using anything other than relay on the Palos.""}, {""user"": ""bitc9"", ""timestamp"": 1693539202.0, ""content"": ""You will be using secure DNS updates on your DNS server most likely. Use Windows DHCP server to update records properly.""}, {""user"": ""8qk1un9z"", ""timestamp"": 1693555928.0, ""content"": ""You can switch to DHCP relay instead of DHCP server. \nBut in case of disconnection of the site you are without DHCP for that site.""}, {""user"": ""azicu"", ""timestamp"": 1693577518.0, ""content"": ""I\u2019m a Palo Alto admin and a domain admin . Make sure you are allowing dns traffic to your windows dns servers . The firewall and server dns proxy and dhcp . There is an event log In system events on the windows client that talks about dns registration \nAlso make sure sites and services has a subnet for your new site setup .""}, {""user"": ""910ih044"", ""timestamp"": 1693744540.0, ""content"": ""Normally the clients update DNS themselve unless you use the dhcp option 81 options to let the DHCP server do it. I am pretty sure PA does not support that. 
If the clients update DNS themselves they first request the SOA record of the domain they are joined in and then send the updates to the primary server for that domain. Normally PA dhcp should have no impact on that. Clients will need to get a DNS server assigned where they can resolve their own domain and get the proper SOA record.""}, {""user"": ""h4fj3"", ""timestamp"": 1693532252.0, ""content"": ""Hmmmm that\u2019s odd than because our workstations are all domain joined. Might be something else to look into lol""}, {""user"": ""3b04ti1j"", ""timestamp"": 1693560761.0, ""content"": ""Same with our domain clients. The A and PTR records are updated when they are in the office and use our Windows DHCP servers, but when they are at home and connect using GlobalProtect there is of course no DHCP and the clients cannot update their DNS records from VPN. We have not found a solution yet, but it started when we enabled secure updates on the DNS servers.""}]" +paloaltonetworks-120,"[{""user"": ""azicu"", ""timestamp"": 1693520421.0, ""content"": ""Title: API babysitter script for new firewalls anyone have one?\n Body: If no one has one I\u2019m going to write one\nWhat I\u2019m looking to do is just get the firewall panorama ready. I know panorama tried to do this now if you tell it the version you want it to go up to \nBut does it the long way . 9.1, 10.0, 10.1,10.2 10.2.latest\n\nI want to:\n\nlicense refresh\nDownload and install latest apps-threats\nDownload latest os for current os and install and reboot\nWait for firewall \nDownload and install latest antivirus \nDownload next base os\nDownload next latest os and reboot\nWait for firewall\nRepeat that until it\u2019s up to what level you want""}, {""user"": ""5gj3sjhny"", ""timestamp"": 1693522860.0, ""content"": ""I do this with Ansible and it works great. I modified these a bit but you can use these easily. 
\n\n\nhttps://github.com/PaloAltoNetworks/ansible-playbooks""}, {""user"": ""azicu"", ""timestamp"": 1693546686.0, ""content"": ""Cool, thanks for the link. I have heard about this but have never used it. I think the cisco guys have ansible instance I\u2019ll check it out . \nI was probably going to write this in vbscript anyways . Maybe I should get with modern times .""}, {""user"": ""2t3tuwtc"", ""timestamp"": 1693552824.0, ""content"": ""I don't use the API, but I do similar with a CLI script. Goes hand and hand with Expedition, which will push a base config via API too, if you want it to, but I generally use set commands and load config partials. Could be interesting to play around with Expedition and proxy the API calls and build from that.""}]" +paloaltonetworks-121,"[{""user"": ""68xt3"", ""timestamp"": 1693489520.0, ""content"": ""Title: ZOOM issues\n Body: We are seeing issues with ZOOM meetings reporting low bandwidth alerts. When looking into it we don't see anything that would cause it. Circuits are clean, switch ports not dropping packets, low usage across the board. So the only thing I can think is the PAN is doing something to that ZOOM traffic even though we are allowing all of it. We aren't doing decryption.\n\nIts almost impossible to catch but I did run into an issue just last week which forced me to create an application override for some other traffic. So I figured I might as well do that for ZOOM but can someone tell me how to do that and be able to specify all the ports that ZOOM uses?\n\nIf I create a custom application and add the ports there it seems to me that I still need to the add the ports in the application override rule? And if it uses both TCP/UDP do I need 2 x application override rules for this traffic? 
1 for the TCP ports and 1 for the UDP ports?""}, {""user"": ""7q4gc1fp"", ""timestamp"": 1693490745.0, ""content"": ""Could it be being misidentified as SSL traffic possibly?\n\nThe Latest Content Update (8750) says they are going to be making changes to the Zoom App soon to keep it from being mistaken for SSL traffic""}, {""user"": ""twkui26"", ""timestamp"": 1693500240.0, ""content"": ""Do you have QoS configured? I'd recommend classifying zoom (and any other audio/video conferencing apps you use) as class 1 or 2. Make sure QoS profiles are applied to both your internal and external interfaces. Even if overall utilization is low, you'll want to make sure these packets are processed ahead of other, non-latency-sensitive packets.""}, {""user"": ""3usub8o9"", ""timestamp"": 1693790882.0, ""content"": ""Had an issue with similar symptoms, and I was able to catch it on occasion. I setup a pcap filter, using a user\u2019s internal IP, and was monitoring global counters using the below CLI command: \n\n> show counter global filter packet-filter yes delta yes\n\nWhich would show the nat_dynamic_port_xlat_private_pool_full error counter incrementing when the users had issues\n\nWe have a /24 on the Untrust interface, and NATting traffic toward Zoom to a dedicated IP helped (versus using our \u201ccatch all\u201d NAT policy). I am using the Zoom EDL from PANW\u2019s SaaS EDL hosting service for this. Unfortunately never could get an answer from support about root cause. They wanted to run a flow basic which could be adversely impact FW performance, so we opted not to proceed with further root cause investigation. We still just use a dedicated IP for sNATting Zoom traffic""}, {""user"": ""2z38uxaj"", ""timestamp"": 1693502851.0, ""content"": ""Zoom has an awesome IP list on their website that you can make into and edl and then just add the ports for zoom which is also nicely documented into a rule without layer 7 apps and see how it works. 
\nOne thing I did notice myself in my firewall is 8802 going to Zoom ips is not being flagged as the L7zoom app instead it is unknown-tcp. Not sure if that would cause your issue or not but check your logs for drops on that.""}, {""user"": ""68xt3"", ""timestamp"": 1693492600.0, ""content"": ""Yeah that is exactly what seems to be happening. I see traffic from the ZOOM client going to the same destination IPs being classified as both SSL and zoom-base. But we allow both SSL and ZOOM outbound so not sure that applies here? \n\nI don't want ZOOM traffic inspected at all because I want to see if that fixes the problem. I believe I can use an application override but I need to know the best way to do that when the application is using both TCP/UDP and the destination for ZOOM traffic is a long list of CIDRs. Would I also need to override SSL for ZOOM traffic as well?""}, {""user"": ""68xt3"", ""timestamp"": 1693511742.0, ""content"": ""No I don't, but never had to before. Certainly looking at all options now that we are having issues.\n\n​\n\nI went ahead and created the app-id overrides for zoom using both TCP/UDP and locked it down to ZOOM destination IPs that I gleaned from their website. I don't need or want to inspect ZOOM traffic and I can see hits on both of those rules so that part is taken out of the equation. I still have some other issues to iron out but will certainly look at all avenues.""}, {""user"": ""68xt3"", ""timestamp"": 1693842939.0, ""content"": ""Goddamn if for all the things PANs can do why must they have so many things that you can't see from the GUI? And how did you catch it? Was it happening to every meeting? My problem is it seems to be sporadic so unless we capture all of them or just get lucky we may never catch it. Simply no way to recreate the issue we are seeing.\n\nWe NAT to single outside IP although we have a /24. 
So you are NAT'ing all ZOOM destination traffic to a different untrust IP and that somehow doesn't fill up the NAT xlate pool?""}, {""user"": ""68xt3"", ""timestamp"": 1693511776.0, ""content"": ""Yeah I am using it, tried to glean it using mindmeld but always struggle with that thing.""}, {""user"": ""7q4gc1fp"", ""timestamp"": 1693494915.0, ""content"": ""Check and see if you are doing SSL Decryption first? If so, try bypass traffic going to those destinations.\n\nI would be concerned about doing an App-Override for SSL as something might be missed or classified incorrectly. Just IMHO""}, {""user"": ""3usub8o9"", ""timestamp"": 1693853192.0, ""content"": ""It wasn\u2019t happening to every meeting or call, but could somewhat reliably reproduce it if we had the same user make meetings in rapid succession. Or we also use Zoom soft phone, so could have the user repeat dial out in rapid succession and eventually the person on the other end couldn\u2019t hear. And yeah exactly, we are NATting all Zoom traffic to a dedicated Untrust IP. It really doesn\u2019t make sense because our primary NAT IP is definitely not at capacity, and especially not since PANW uses NAT oversubscription to allow beyond ~65k translations with a single IP. Zoom was the only app impacted by that nat_dynamic_port_xlat_private_pool_full error oddly enough. I tried the dedicated NAT policy per a suggestion from support, and it fixed it so it\u2019s one of the bugs I\u2019ve just learned to live with now lol. Kinda a waste of a public IP though\u2026""}, {""user"": ""dlz8m"", ""timestamp"": 1693624759.0, ""content"": ""Palo Alto has Zoom EDLs now.""}, {""user"": ""68xt3"", ""timestamp"": 1693495071.0, ""content"": ""We aren't doing decryption at all. I just don't want to inspect zoom traffic at L7 but if its getting classified as SSL traffic I would have to override that as well? 
I can keep it specific to certain source networks on my side and only to ZOOM destination IPs to ensure only traffic to those IPs is getting overridden. \n\nI believe that should work even if I am including SSL in that set of override policies because its only going to override traffic to the list of IPs in the destination. \n\nI just need to know what is causing the problems we are seeing and all the monitoring/tools at my disposal simply haven't been able to do that. If I don't inspect this traffic and just let it through and the problem goes away then I know it is the PANs.""}]" +paloaltonetworks-122,"[{""user"": ""r5kte"", ""timestamp"": 1693509435.0, ""content"": ""Title: Custom App for web-browsing traffic on port 8080\n Body: So I'm cleaning up some rules in my PA firewall and I found some of my traffic hitting a catch-all rule that should be hitting a rule higher up. Come to find out, because I'm using \""Application-Default\"" under the services of that rule, it's not hitting because this traffic is identified as \""web-browsing\"" but it's using port 8080. I've created a custom app matching tcp port 8080 using a custom signature Pattern Match on http-req-host-header matching \""domainname\\\\.com\"" but the traffic is still being marked as \""web-browsing\"".\n\nAnyone have suggestions on what I can look at or is what I'm trying to do not possible?""}, {""user"": ""ibia0"", ""timestamp"": 1693515835.0, ""content"": ""Why not just make a rule like this\n\n\n* Source: xyz\n* Destination: abc\n* App: web-browsing\n* Service: tcp-8080\n\nCustom app id is a lot of work for not a lot of gain""}, {""user"": ""r5kte"", ""timestamp"": 1693515909.0, ""content"": ""Because that's easy and I'm stubborn.""}, {""user"": ""ibia0"", ""timestamp"": 1693515997.0, ""content"": ""Ha. Okay. I've made a couple custom app id in the past and it's def a game of whack a mole.\n\nHave you seen the appid 'build' guide, or is this your first foray? 
You'll want a Wireshark capture of the packets to help build as well\n\nEdit: Adding PA Link. Use this with the specific pieces to craft AppID. sublinks have other qualifiers you can use as well.\nhttps://docs.paloaltonetworks.com/pan-os/u-v/custom-app-id-and-threat-signatures/custom-application-and-threat-signatures/custom-signature-contexts/string-contexts/http-req-headers""}, {""user"": ""r5kte"", ""timestamp"": 1693516215.0, ""content"": ""Yeah, I grabbed a capture from the firewall and looked at it and tried to follow the guide but it's not working. One thing I did notice is that I used the http-req-host-header option, but I just now noticed that it's a Request URI in the header. I just updated it to http-req-uri so I'm hoping that does the trick.\n\nI know I can make it easier on myself by just doing a port-based rule, but if I ever want to start using custom apps then I need to make sure I understand it.""}, {""user"": ""ibia0"", ""timestamp"": 1693516393.0, ""content"": ""I think you're on the right path. I added the link to the post above, but it's a LOT of 'find in the capture what's specific' and easy to get caught in 'what you think it is' versus 'what PA calls it' when making them. \n\n​\n\nSpecific http-req-uri link here - https://docs.paloaltonetworks.com/pan-os/u-v/custom-app-id-and-threat-signatures/custom-application-and-threat-signatures/custom-signature-contexts/string-contexts/http-req-uri\n\n​\n\nFor what it's worth, it's fun to make them RIGHT via signatures, which it sounds like you're working on doing.""}, {""user"": ""r5kte"", ""timestamp"": 1693516610.0, ""content"": ""Wow, this is a great listing of what it's looking for - this is going to be what I needed to understand what I'm looking at. Thank you!""}, {""user"": ""r5kte"", ""timestamp"": 1693519540.0, ""content"": ""After looking, I actually have it working, it\u2019s only the first packet that\u2019s being matched as web-browsing, everything after that is identified correctly. 
Now to figure out why that first packet is not hitting that ID.""}, {""user"": ""ibia0"", ""timestamp"": 1693516984.0, ""content"": ""[https://knowledgebase.paloaltonetworks.com/servlet/fileField?entityId=ka14u000000c6ZVAAY&field=Attachment\\_1\\_\\_Body\\_\\_s](https://knowledgebase.paloaltonetworks.com/servlet/fileField?entityId=ka14u000000c6ZVAAY&field=Attachment_1__Body__s)\n\nThat's the one i was looking for originally. PDF version you can download versus link and sublink and sublink (ctrl F friendlier and offline capable then). I don't think it's been updated for panos 10+ new signatures (but, some document title googling can get you to a Rev F if one exists)\n\n​\n\nGoogle friendly doc title \""Creating Custom Signatures Tech Note\""""}]" +paloaltonetworks-123,"[{""user"": ""8ged9k81"", ""timestamp"": 1693501650.0, ""content"": ""Title: Create a Cortex exception for single Kali Linux host by IP address?\n Body: This may be a boneheaded question but I am VERY new to Cortex administration. We've deployed a virtual Kali Linux host in our environment for internal penetration testing and monthly vulnerability scanning. Cortex is not allowing any traffic from the IP of the Kali Linux box to hit any node on the subnet it is trying to scan. This is understandable behavior from Cortex but I need to allow the modules being used in Kali, at minimum Nessus scans, to do their thing. I am reading KBs, I am poking around in the portal, but I am having trouble finding how to add just a basic IP exception that tells hosts to ignore issues associated with traffic from the Kali IP address. \n\nWould appreciate if someone could point me in the right direction. Thanks! 
""}]" +paloaltonetworks-124,"[{""user"": ""5vzlhaol"", ""timestamp"": 1693499979.0, ""content"": ""Title: What's the use/impact of adding the XTH module to my XDR Pro tenant ?\n Body: We were reviewing our licenses for potential addons and we're considering adding Host Insights and also getting XDR Pro Per GB to integrate our PA firewalls. But I noticed that we got the XTH module, but i don't see its impact in how XDR Pro works. \n\nI have asked our VAR and been looking around online but can't find any documentation on XTH, so i'm considering not renewing it. \n\nIn its datasheet it says it enhances telemetry, incident details and threath hunting capability, but what does it really add to our base XDR Pro license ? What do i see or can do with it, that I wouldn't be able to see or do with just XDR Pro ?""}, {""user"": ""kevpn"", ""timestamp"": 1693536308.0, ""content"": ""[https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Pro-Administrator-Guide/Endpoint-Data-Collection](https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Pro-Administrator-Guide/Endpoint-Data-Collection)\n\nNote \""Requires XTH add-on\"" - I'm not gonna say whether it's worth it (no idea, I'm a dumb eng) but they're certainly categories that make a difference\n\nTl;dr it adds coverage through additional sources""}, {""user"": ""mz9mz0n5"", ""timestamp"": 1693968898.0, ""content"": ""Hi! I'm a Customer Success Architect for Cortex XDR. The Pro per Endpoint license will collect certain events from your endpoints where the XDR agent is installed including network, file, process, and registry events. The XTH license allows you to add collection for Windows Events, Syscall, and RPC. 
These events are still processed by the agent locally and detections will still fire locally (medium and high severity BIOCs are sent to the endpoint for evaluation and all existing BTP rules are still in place) the data for these events are simply not forwarded to the console.""}]" +paloaltonetworks-125,"[{""user"": ""b75zaghi"", ""timestamp"": 1693497693.0, ""content"": ""Title: Is there a guide on how to setup Linux machine to recive TLS encrypted logs\n Body: I have configured the Palo Alto firewall to send logs, created a certificate and signed it with our CA -\n\nI have followed \n\nhttps://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000HCLCCA4&lang=en_US%E2%80%A9\n\nI am now unsure on the rest of the puzzle as to what I need to do on the Linux syslog machine""}, {""user"": ""2t3tuwtc"", ""timestamp"": 1693552447.0, ""content"": ""If you have the PAN side set, then you probably have the wrong subreddit. Lots diverse skill sets here but not a Linux forum. I would guess you will need to configure syslog-ng and there are tons of docs on that. It's a long standing standard. I have done plenty of basic logging with syslog-ng but not the encrypted method you are asking about. Good luck! If you find a good resource that gets you what you need, post here so the community can learn from it.""}, {""user"": ""b75zaghi"", ""timestamp"": 1693556832.0, ""content"": ""Thank you appreciate that - the encrypted method I believe is a speclist skill set""}]" +paloaltonetworks-126,"[{""user"": ""4mmxjpgj"", ""timestamp"": 1693483553.0, ""content"": ""Title: Associate Systems Engineer (SE Academy EMEA)\n Body: Hi! I would like and advice/things to know before continue with this process. I've been offered this position at Palo Alto: Associate Systems Engineer (SE Academy EMEA). In a couple of days I will have the first contact with the recruiter but I would like to know which things are essential to ask. 
My big dudes are around of the tasks of the position: I will be more doing sales or could i be focused on cybersecurity? The offer also says that when the 'training' ends I could be positionated at SE department (engineering) or in another role depending of the necessities... Can anyone tell me if I can be sure that because I like the field of cybersecurity I will be placed there or will it depend on what they decide?\n\n​\n\nI have a previous experience of two years, in a small company as network technician and now working in a medium company as network and security engineer, but this offer catches my attention....\n\n​\n\nThank you!""}, {""user"": ""ndc30r1r"", ""timestamp"": 1693490305.0, ""content"": ""SE academy prepares you to be an SE, which is customer focused pre-sales for cybersecurity customers.""}, {""user"": ""fhkyp"", ""timestamp"": 1693491312.0, ""content"": ""PM me, I went through the SE academy and can tell you anything you need to know.""}, {""user"": ""j06rw84dt"", ""timestamp"": 1693821505.0, ""content"": ""It sounds like an exciting opportunity. Systems Engineering aligns with pre-sales technical roles within the realm of Cybersecurity. Out of curiosity, could you share which country you're applying from? Knowing the location might help provide more context. Good luck with your interview.""}, {""user"": ""4mmxjpgj"", ""timestamp"": 1693496003.0, ""content"": ""Didnt have any idea, thanks""}, {""user"": ""4mmxjpgj"", ""timestamp"": 1693836087.0, ""content"": ""The job is for Spain! Hope it helps for more info! thank you :)""}]" +paloaltonetworks-127,"[{""user"": ""ijjkkluzl"", ""timestamp"": 1693480484.0, ""content"": ""Title: Does TUFIN support any of the following SASE solutions: 1) Palo Alto Prisma SASE ( Prisma SSE + Prisma SD-WAN ) ?\n Body: Does TUFIN support any of the following SASE solutions: 1) Palo Alto Prisma SASE ( Prisma SSE + Prisma SD-WAN ) ? \nEDIT : I am posting here as tufin forum looks dead to me. 
!!""}]" +paloaltonetworks-128,"[{""user"": ""ua88e460"", ""timestamp"": 1693463845.0, ""content"": ""Title: Palo SDWAN with current MPLS for remote offices etc\n Body: Dear Friends,\n\nI am planning to roll out SDWAN settings for my organisation. Now we mainly use ISP A MPLS WAn for head office and remote offices, and getting a broadband service from ISP B.. I will use top down traffic distribution: broadband ISP b and then ISP A MPLS. \n\nWith our MPLS, it does have several public IPs that pointing to internal mail server, ADFS and VPN etc..with broadband, it only has single public IP addresses for different offices, it isn't pointing to any internal resources....\n\n\nIf I roll out SDWAN settings from Panorama with AutoVPN, it shouldn't affect how external staff get through by ISP B MPLS public IPs right?\n\nThanks\nLarry""}, {""user"": ""v7o149dc"", ""timestamp"": 1693466715.0, ""content"": ""No, based on what you're describing, it shouldn't affect anything at all. PANOS SDWAN just builds tunnels between firewalls.\n\nExternal staff connecting through public IPs is just NAT. These features will not interfere with each other.""}, {""user"": ""rjjeu"", ""timestamp"": 1693476768.0, ""content"": ""You need understand the routing with panos sdwan. Default route is going to DIA, local Internet, most cases interface sdwan.901\nPrivate traffic is going to the hub. Every subnet you want to be reachable using the vpn/mpls needs to be sent to hub. Either using BGP or static routes. You can define that in the plug-in sdwan device settings""}, {""user"": ""ua88e460"", ""timestamp"": 1693469936.0, ""content"": ""thanks for that..you are correct, for ISP B, I guess I need to configure NAT on Palo since it is only a public IP? So this NaT policy will not affect ISPs traffic flow right?\n\nThanks""}, {""user"": ""ua88e460"", ""timestamp"": 1693470021.0, ""content"": ""Also, where do we actually configure Public IP on SDWAN ? 
Next hope gateway on Traffic distribution profile or VPN cluster? I cannot understand how branch reach to hub? Thanks""}, {""user"": ""v7o149dc"", ""timestamp"": 1693487579.0, ""content"": ""Yes, this is correct.\n\nSDWAN will add BGP routes that affect the tunnel traffic. You can add static routes and assign priority as well. It's very flexible.""}, {""user"": ""rjjeu"", ""timestamp"": 1693477323.0, ""content"": ""Public IP of what site?\nBranch -> on the interface, if you have a private transfer subnet then not needed\nHUB -> on the Interface, the plug-in will add the vpn destination IP to branch config, if you have a private IP as transfer then you need to configure upstream nat on the hub to allow the plug-in to create the von tunnel.\nPlease remember the tunnels are always opened from branch to hub, hub is just passive.""}, {""user"": ""v7o149dc"", ""timestamp"": 1693487682.0, ""content"": ""You configure this normally. SDWAN doesn't care about your interface IPs. It just cares about the interface. You define your SDWAN interface using the SDWAN Interface Profile.""}, {""user"": ""ua88e460"", ""timestamp"": 1693481420.0, ""content"": ""No on ISP A, we have Public IPs matching with sub domain names on public domain services for internal services, even Adfs Farm etc. etc..so there is no way SDWAN will change any of those services?""}, {""user"": ""ua88e460"", ""timestamp"": 1693489542.0, ""content"": ""What if the other side does not have a static public IP? Can set up with Passive mode?\n\nThanks""}, {""user"": ""v7o149dc"", ""timestamp"": 1693489608.0, ""content"": ""Yes. This feature wasn't available on initial release, but was added later.""}]" +paloaltonetworks-129,"[{""user"": ""4fxf88os"", ""timestamp"": 1693444625.0, ""content"": ""Title: SAML and LDAP Authentication on Prisma Access\n Body: I have a Prisma Access global globalprotect portal set up with authentication using LDAP on port 443 and authentication using SAML on port 8443. 
The user who connect to 8443 where SAML is configured is prompted and redirected to Azure SAML page and then they are connected with no issues. I now have a branch that has its own gateway that uses LDAP for its authentication and it is part of the dropdown list of the gateways that Global portal users can choose to connect to.\n\nToday, on the branch firewall, I have set up SAML profile with the needed configuration and then added a new row for the gateway configuration on the branch to accept SAML right under the LDAP authentication.\n\nAfter testing, it appears to allow user to login fine on the Global portal but when he selects the branch gateway from dropdown menu, he is prompted for his LDAP credentials. I have two questions:\n\n1- How do I test SAML authentication while still having LDAP configured on the branch ? Should I just bump up the SAML profile to the top so that it is checked first, would it impact users who currently connect using LDAP.\n\n2- In general, does the branch gateway require user to authenticate again using SAML knowing that the branch gateway Identifier and login URLs are all part of the Global portal globalprotect App, so it is the same Azure app, in other words, will it just use the same session cookie generated when he logged on to the Global portal ?\n\n​""}, {""user"": ""ibia0"", ""timestamp"": 1693446726.0, ""content"": ""You cannot use SAML in an auth sequence. It's all or none. That's why PA offered the secondary portal auth you're using for Prisma on 8443.\n\nCheck out the use of auth cookies on the branch gateway. You can generate on Prisma, and use for auth on the gateway, 'solving' for one auth method against another. 
If the auth cookies fails, then whatever auth method you have will be required, LDAP or SAML as that SAML token from the portal won't be valid for the other device (unless you've manipulated the responses to be accepted for other devices....not a SAML expert though by any means)""}]" +paloaltonetworks-130,"[{""user"": ""p1pda"", ""timestamp"": 1693417824.0, ""content"": ""Title: Software downloads (from Device - Software) seem flakey today\n Body: Trying to pre stage images for the weekend in various countries and getting a 50% failed download rate.""}]" +paloaltonetworks-131,"[{""user"": ""ulzldmai"", ""timestamp"": 1693437265.0, ""content"": ""Title: sales experience - Palo Alto\n Body: Help needed. Is anyone familiar with Palo Alto products, from a sales or engineering perspective, particularly working for channel partner organizations in the US? Please pm me.""}, {""user"": ""8kn86xyrw"", ""timestamp"": 1693438646.0, ""content"": ""Up until last week I was a post-sales engineer working for CDW. Maybe I can be helpful?""}, {""user"": ""b63pw"", ""timestamp"": 1693442275.0, ""content"": ""currently work for a large palo reseller/var.""}, {""user"": ""ulzldmai"", ""timestamp"": 1693439210.0, ""content"": ""yes, please. I will contact you.""}]" +paloaltonetworks-132,"[{""user"": ""7avrz31l"", ""timestamp"": 1693422287.0, ""content"": ""Title: PA LDAP Settings\n Body: I'm trying to add AD authentication to my PA for admin login. Getting a \""strong(er) authentication required\"" error message. The below KB fixed my issue and I now get a good LDAP connection to my 2016 Windows AD. Security however does not approve of the change to allow simple binds. Is there another fix for this besides going to TACACS? I opened a TAC case with PA but haven't had much success. 
Thanks All\n\n [UserID Group Mapping with Windows 2008 Server - Knowledge Base - Palo Alto Networks](https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClbqCAC) \n\n​""}, {""user"": ""s14mv"", ""timestamp"": 1693449566.0, ""content"": ""Security are right not to allow simple binds.\n\nKerberos authentication is the way.""}, {""user"": ""nycni"", ""timestamp"": 1693436605.0, ""content"": ""Have you validated that LDAP works at all?\n\nOne option is to install NPS on the server and use RADIUS from PAN to AD.""}, {""user"": ""54xffrv"", ""timestamp"": 1693440305.0, ""content"": ""Have you tried setting up and using LDAPS?""}, {""user"": ""3ga29xuh"", ""timestamp"": 1693448219.0, ""content"": ""I know you asked for LDAP advice, however I suggest you lookup Kerbrose configuration. Might seem bit overwhelming at first to generate kyab, but you avoid needing a bind account for LDAP configuration""}, {""user"": ""384u79ao"", ""timestamp"": 1693459716.0, ""content"": ""Whatever you do, do not go TACACS, lol. Limited in its deployment and requires separate user accounts created.""}, {""user"": ""8qk1un9z"", ""timestamp"": 1693466517.0, ""content"": ""If I'm not remembering wrong, you cannot use LDAP for admin login and if you put in in a Authentication Sequence it won't work either, you have to use RADIUS.""}, {""user"": ""nhe9j"", ""timestamp"": 1693469115.0, ""content"": ""Make sure you are using LDAPS not just LDAP""}, {""user"": ""1t5mtxmu"", ""timestamp"": 1693478335.0, ""content"": ""I have a few duo auth gateway VMs, this gives me 2FA admin login capability, I could also setup adfs or azure ad sso to serve up saml with conditional access to require mfa""}, {""user"": ""gu9jy4we"", ""timestamp"": 1693558099.0, ""content"": ""We had LDAP/S for admin authentication, but we skipped it and went to SAML. You get MFA and you can enforce Conditional Access Policies. We force prompt all admins upon login for MFA as an added measure. 
Down side is that SAML doesnt work with CLI login. There you would need LDAP/Radius/TACACS/etc or local accounts (which we do). Most times our interactions are through the GUI but those who manage the firewall have their own local accounts as a back door incase we lose authentication so we can access the firewall via GUI or CLI.""}, {""user"": ""x04u8"", ""timestamp"": 1693455405.0, ""content"": ""This is the way.""}, {""user"": ""3rufgo3u"", ""timestamp"": 1693475349.0, ""content"": ""you can use LDAP for admin login for sure""}, {""user"": ""azicu"", ""timestamp"": 1693520879.0, ""content"": ""I have ldap setup with ldap 636 cert chain is in firewalls \nKerbros makes me nervous because of pass the hash . Pentester get the hashes but have not turned those into passwords so the firewalls are safer with ldap""}]" +paloaltonetworks-133,"[{""user"": ""84pn5hdu"", ""timestamp"": 1693432484.0, ""content"": ""Title: Hotspot & Global Protect\n Body: I have Global Protect on my work PC and use TMo Home Internet without issue, however if I disconnect from TMHI and try to use my TMo hotspot on my cell, my connection seems non existent. If I connect to the hotspot using my personal PC (without Global Protect), I have no issues. Seems to me that Global Protect doesn't like hotspot for some reason, even though it like home Internet from the same ISP.\n\nThoughts on how to resolve this?""}, {""user"": ""6areflvk"", ""timestamp"": 1693435660.0, ""content"": ""IPv6 may be your culprit.""}, {""user"": ""61dg2"", ""timestamp"": 1693439422.0, ""content"": ""Are you able to reach the GlobalProtect portal address from your phone? 
You can also try checking the GP logs for any helpful info in settings - troubleshooting - collect logs.""}, {""user"": ""ibia0"", ""timestamp"": 1693440860.0, ""content"": ""This\n\n\nIn the global protect app, enable 'connect over ssl' to 'self resolve' isp ipv6 issues (assuming it's been enabled for users to self configure)""}]" +paloaltonetworks-134,"[{""user"": ""5q6x5r4v"", ""timestamp"": 1693406111.0, ""content"": ""Title: Migrate Panorama VM to AWS\n Body: I am trying to migrate a Panorama VM into a New AWS Instance and I have a couple of questions.\n\n The old Panorama VM is in Panorama Mode and I want to keep the new one in management mode only, If I import the configuration snapshot from the old Panorama will I get the chance to change the mode or not?\n\nLicense-wise, I want to use the old license in the Panorama new instance, can I have both Panorama on the same license temporarily so I can make sure I have something to fall back on if the migration does not go as planned?\n\nThanks in advance\n\n​""}]" +paloaltonetworks-135,"[{""user"": ""dyg3iuty"", ""timestamp"": 1693412574.0, ""content"": ""Title: Is this possible? New building and setup configuration\n Body: I would like to know whether this topology on the edge firewall to the internet is applicable. Assuming the firewall is HA Active Passive Mode. My boss wants to make the firewall we're gonna purchase as cheap as possible even though I recommend an NGFW that will handle 10G up to the firewall from the ISP handover speed, but he just wants to LACP 2GB from 2 ports from DMZ switch to utilized 1G ISP Bandwidth since the subscription of internet speed is only 1G but the ISP is upgrading their equipment to 10G Capable. \n\n​\n\n​\n\nhttps://preview.redd.it/uj50fzfkw9lb1.png?width=1396&format=png&auto=webp&s=1394a8a6878307522856f6ccbefbdd1dcde78a0a\n\n​\n\n​""}, {""user"": ""i5gzh"", ""timestamp"": 1693413931.0, ""content"": ""Yeap it will work. 
Are you just gonna L2 vlans on the DMZ and carry them to the PA and put the L3 there. Seems legit.""}, {""user"": ""10ob38"", ""timestamp"": 1693421155.0, ""content"": ""Fine for as long 1G(/2G) is sufficient.""}, {""user"": ""7fxl8oud"", ""timestamp"": 1693425953.0, ""content"": ""That's exactly how we have ours built. We call them border switches though. Their only purpose is to split the circuits from each carrier to both firewalls. Our DMZ is still behind the firewall.""}, {""user"": ""w9hmrujl"", ""timestamp"": 1693429175.0, ""content"": ""Oh yes definitely go for NGFW, recommended Palo Alto :)""}, {""user"": ""7oss5ff4"", ""timestamp"": 1693451365.0, ""content"": ""It\u2019ll work but keep in mind you\u2019ll never see more than a 1Gbps stream. The 2 LACP connections are for bandwidth, not added speed. I\u2019d make sure your boss is aware of that and recommend future proofing with 10G capable firewall. Not sure what your internet needs are but if you guys ever host / WFH VPN internet backhaul architecture; it could be worth the upgrade.""}, {""user"": ""4ruzz"", ""timestamp"": 1694014815.0, ""content"": ""If you get the ISPs to create SVIs for their gateway IPs you can drop the DMZ switches entirely and have both ISPs downlink directly to each Palo - assuming that the ISPs have multiple ethernet ports for customer downlink. 
Maybe put some of that cost savings into provisioning firewalls with 10G capabilities.""}, {""user"": ""dyg3iuty"", ""timestamp"": 1693425310.0, ""content"": ""Thank you""}, {""user"": ""dyg3iuty"", ""timestamp"": 1693425342.0, ""content"": ""Yes, they're just L2 on DMZ and L3 on the NGFW.""}, {""user"": ""dyg3iuty"", ""timestamp"": 1693425315.0, ""content"": ""Thank you""}, {""user"": ""dyg3iuty"", ""timestamp"": 1693584650.0, ""content"": ""Thank you, I've been calling those switch outisde dmz switch since then(own wordings) lmao.""}]" +paloaltonetworks-136,"[{""user"": ""b8ecz"", ""timestamp"": 1693416520.0, ""content"": ""Title: GP pools on VMC\n Body: We have a palo VM which is only going to be used for providing remote workers a VPN connection point. \n\nThis VM is running along side the rest of our infrastructure (AD, DNS, file servers)\n\nI\u2019ve been told to connect the vpn pools as segments within VMC. I have done so. How do these get configured with the GP gateways on the palo?\n\nI\u2019ve never set up a vpn appliance in this a manner.""}]" +paloaltonetworks-137,"[{""user"": ""7ulrjq8ff"", ""timestamp"": 1693408021.0, ""content"": ""Title: Limiting access to GP portal\n Body: I have a client who has several GP VPN Portals/Gateways set up. All of them require 2-Factor using Okta, and the portals use client-side certificates as well\n\nI noticed that from a non-company laptop, I can resolve the name of the VPN portal (which matches the certificate on the firewall)\n\nexample: [vpncorp.acme.com](https://vpncorp.acme.com)\n\nbut if I try to connect to that portal using a web-browser, I get a 404 every time. No login prompt.\n\nPeople who have the GP client installed have no issues\n\nWhen could be configured on the firewall to do this? I am not sure where to look ""}, {""user"": ""xu02r"", ""timestamp"": 1693410658.0, ""content"": ""Connecting with the GP client is most likely ensuring that the proper client cert gets installed via SCEP . 
Just trying to connect to the web , you don't have that cert so it is blocking you. Just my quick guess without more details""}, {""user"": ""xbtmk"", ""timestamp"": 1693441183.0, ""content"": ""portal login page is probably disabled""}, {""user"": ""7ulrjq8ff"", ""timestamp"": 1693410858.0, ""content"": ""That is what I was thinking, but there is also the \n\n\""Portal login page\"" option that is set to \""disable\""\n\nso maybe it is that as well?""}, {""user"": ""9sedgy5e"", ""timestamp"": 1693419216.0, ""content"": ""Yes. You can rule it out by trying/connecting to Portal using GP. If successful, that\u2019s your culprit.""}]" +paloaltonetworks-138,"[{""user"": ""da5f3fdc1"", ""timestamp"": 1693370098.0, ""content"": ""Title: Decryption log showing wrong Rule\n Body: Hello,\n\nI have a PA-440 running 10.2.5 in my lab environment, I'm fairly new to Palo Alto.\n\nThis unit makes decryption of outbound traffic in a specific Zone, in total there are three rules for decrytion:\n\n1. One that exempts banks and hospitals\n2. One that exempts Microsoft 365 traffic (by using EDL)\n3. One that decrypts everything on port 443\n\nNow for the Security Policies there are numerous but the ones involved with Internet access from the Zone I'm concerned are three:\n\n1. One that allows IMAPS and SMTPS to specific servers only (and this get decrypted)\n2. One that allows Microsoft 365 traffic (by using the same EDL as before) - This should not get decrypted.\n3. 
One that allows internet traffic to port 80 and 443 only - This traffic does get decrypted.\n\nEverything appears to be working as expected and I have 0 issues, the platform is fantastic (even if sometimes it has its own quirks, especially with the applications matching in the rulebase).\n\nI've exported the Decryption log and imported into Excel to validate what I see and to have more insights into the situation and there is a thing I can't wrap my head around: there is a substantial amount of traffic that matched a Security \""Rule\"" that is not supposed to match (example: Reddit traffic matching the Security Policy number 2).\n\nIf I use the \""troubleshooting\"" facility with same source, destination and application it tells it match Security Rule 3 (as I expect) but in the decryption log that's not what I see.\n\nAnyone can help me shine a light?\n\nThanks, Luca.""}, {""user"": ""da5f3fdc1"", ""timestamp"": 1693397379.0, ""content"": ""I'll share with you my thoughts after digging a little on the issue.\n\nLong story short I think it's a correlation bug of the platform: because decryptions happens before security policy processing some information have to be scavenged from the traffic logs to be rewritten into the decryption log (this it is the case for the application ID, as per Palo Alto documentation this may not happen and the app will show as incomplete).\n\nWhat I think is happening is that this correlation process is flawed because for the same traffic flow I can see in the traffic log that the selected security policy was correct.""}, {""user"": ""nvfabfv"", ""timestamp"": 1693381761.0, ""content"": ""Which O365 EDL are you using?""}, {""user"": ""9twqtwg1"", ""timestamp"": 1693442538.0, ""content"": ""I also have this issue.""}, {""user"": ""da5f3fdc1"", ""timestamp"": 1693384814.0, ""content"": ""https://saasedl.paloaltonetworks.com/feeds/**m365/worldwide**/any/all/url \nand \nhttps://saasedl.paloaltonetworks.com/feeds/**msintune**/all/url""}, 
{""user"": ""g0nix"", ""timestamp"": 1693525882.0, ""content"": ""Would love to know this also.""}]" +paloaltonetworks-139,"[{""user"": ""qhovu5o"", ""timestamp"": 1693376264.0, ""content"": ""Title: Panorama with Cortex Data Lake\n Body: Hello,\n\nWe have Panorama in AWS, running in Panorama mode, therefore collecting logs & managing firewalls.\n\nIt works ok, but a bit slow especially when using the Application Command Center (*ACC*) environment.\n\nWhich brings me to Cortex Data Lake.\n\nAm I better off sending logs to Cortext Data Lake, and using Panorama to pull data from it? Is that even possible and if so should performance be better?\n\nSorry if im going the wrong way about this as I I know very little of Data Lake integration.\n\nOur environment comprises of around 24 firewalls globally.""}, {""user"": ""8jhssb02"", ""timestamp"": 1693395932.0, ""content"": ""Well, it\u2019s usually a cost discussion. You need to weigh between CDL fee and running your own infra. But yes, Panorama can pull from CDL, that is how it works in Management-only mode.""}, {""user"": ""ijjkkluzl"", ""timestamp"": 1693505984.0, ""content"": ""I think its best to keep Panorama as a log collector, like the other comment mentioned, the cost factor on CDL will surely be higher for the same amount of storage on the log collector. 
However if you want u can choose to use the threat intelligence available on the CDL and also I think you would want to look at the amount of logs you want to store, redundancy of logs and scalability which is all managed by PA if you choose CDL but in Log collector you have that responsibility to make sure logs are being collected and redundancy enabled.""}]" +paloaltonetworks-140,"[{""user"": ""167mgr"", ""timestamp"": 1693352760.0, ""content"": ""Title: Docker utilizing internal VPN\n Body: Has anyone been able to get a Docker / Container to utilize the internal tunnel leg of the endpoint running Global Protect?""}]" +paloaltonetworks-141,"[{""user"": ""6pio408q"", ""timestamp"": 1693314219.0, ""content"": ""Title: ATT Fiber and PAN440\n Body: Apologies if this is a dumb question, but a bit of a newbie here. I am looking to bring ATT fiber into my place of business. I currently own a PAN440, but it's my understanding that the PAN440 only supports RJ45 ports. If ATT is bringing a fiber handoff, will I need to replace 440 with a model that supports SFP, or do I have other options?\n\n​\n\n​\n\nThanks!""}, {""user"": ""46u4de9n"", ""timestamp"": 1693315845.0, ""content"": ""We have AT&T fiber and 440s. AT&T is fiber to their edge router and we receive a copper/electrical (RJ45) handoff from that piece of equipment. It is not fiber to the firewall (or ISP switch if you have one)""}, {""user"": ""6qgsi"", ""timestamp"": 1693322048.0, ""content"": ""Worst case you could get a media converter, but more than likely ATT will provide a copper handoff.\n\nAssuming <=1G service, anything above that you will need to get creative to support on the PA-440. \n\nI do wish PAN would have included mgig interfaces on the PA-400s, but oh well.""}, {""user"": ""5gj3sjhny"", ""timestamp"": 1693345553.0, ""content"": ""If you have a switch with an SFP port, create a new VLAN and put the SFP port in it and put the wan interfaces from the 440 into a copper port in the same VLAN. 
Grab a transceiver from fs.com and you\u2019re on your way.""}, {""user"": ""17mqm4"", ""timestamp"": 1693317440.0, ""content"": ""What speed is your circuit? We get a copper hand-off for our 1Gb IPFlex service.""}, {""user"": ""bknba"", ""timestamp"": 1693327173.0, ""content"": ""Agreed with everyone else, it'll probably be a copper handoff, and you can usually request that too. \n\nIf they do need to hand off on fiber for some reason, just get yourself a little switch with SFP ports or a media converter, that'll be much more cost-effective than replacing your firewall.""}, {""user"": ""3x22n1t"", ""timestamp"": 1693345356.0, ""content"": ""AT&T should be asking you what handoff you would like during the ordering process. From my experience they install Ciena routers that have the capability to support a RJ-45 sfp that they can install.""}, {""user"": ""4h80c"", ""timestamp"": 1693333204.0, ""content"": ""FWIW, I have the same crappy Arris AT&T modem both at work and home. Not sure why they can\u2019t hand off service directly from the ONT like Verizon can.""}, {""user"": ""121tzw"", ""timestamp"": 1693327396.0, ""content"": ""The 1GbE only is a disappointment for sure. I have a 440 available to me, but currently using virtual because I have 2Gb fiber. I\u2019m considering LACP to an external switch.""}, {""user"": ""2t3tuwtc"", ""timestamp"": 1693431829.0, ""content"": ""Keep in mind, 400 series was replacement for the PA-250. In that regard they killed it. They would never sell another 800 series if the 400s had fiber and multi gig.""}, {""user"": ""miez5"", ""timestamp"": 1693406616.0, ""content"": ""They have a certificate on the device, it\u2019s how they control it being authorized service or not. 
They have chosen that as a hard line and do not flex on it.""}, {""user"": ""6qgsi"", ""timestamp"": 1693327634.0, ""content"": ""Yeah, I'm currently using a 460 but plan to utilize a switch with LACP once >1G fiber becomes available in my area.""}, {""user"": ""4h80c"", ""timestamp"": 1693414831.0, ""content"": ""Yeah I get why they do it but I wish they would at least give you the option to pay more for a fiber handoff as an add-on. There are ways around it, obviously I wouldn't do this on a business connection though.\n\nhttps://github.com/MonkWho/pfatt""}]" +paloaltonetworks-142,"[{""user"": ""hpugw4vgr"", ""timestamp"": 1693344018.0, ""content"": ""Title: Docusign - SSO troubleshooting\n Body: Random users at random times are affected by the following behavior. \n\nuser opens browser to [https://account.docusign.com/oauth](https://account.docusign.com/oauth).\n\nuser enters [username@Acompany.com](mailto:username@Acompany.com)\n\nuser redirected to Acompany SSO page.\n\nuser submits credentials.\n\nuser is redirected back to docusign\n\npage does not render/spinning circle of death.\n\n​\n\nFirewall has no logged drops involving user IP address.\n\nPcap from firewall shows resets from user to docusign after SSO auth.\n\n​\n\nIdeas?\n\nPossibly there is a conversation between SSO and docusign that is failing?""}, {""user"": ""167r57"", ""timestamp"": 1693347109.0, ""content"": ""I would be looking at the redirect URI or equivalent in SSO provider and confirming it's correct before ever suspecting anything with the firewall.""}, {""user"": ""2i7kmz3r"", ""timestamp"": 1693362544.0, ""content"": ""Yeah it sounds like you have a saml issue between docusign and your idp. I would do a saml trace and see that all the required info is there. 
There are browser extensions you can install for that.""}]" +paloaltonetworks-143,"[{""user"": ""hpugw4vgr"", ""timestamp"": 1693343166.0, ""content"": ""Title: Where to put/use group of strings for regex/text matching of HTTP inspection (looking at the requested URL).\n Body: I know how to filter via address-group consisting of various domains.\n\nI want to filter via HTTP inspection (looking at the requested URL) involving regex/text matching of various strings.\n\nWhat type of group do I create to contain the strings?\n\nWhere do I use this group?\n\nIt just doesn't seem to make sense putting them in an address-group and putting that group in Source/Destination.\n\n​""}]" +paloaltonetworks-144,"[{""user"": ""3rp2v24"", ""timestamp"": 1693340056.0, ""content"": ""Title: Does anyone know if the question on the Pcnsa are going off the latest study ?\n Body: Studying know but I have no idea what or where to get an accurate account of what the questions are like ?""}, {""user"": ""3up2qoit"", ""timestamp"": 1693345391.0, ""content"": ""If you can, try and take a class. There are some companies that teach the EDU-210. It covers what you need to know for the exam. Until November, it also comes with a voucher to take the PCNSA.""}, {""user"": ""e4ukft51"", ""timestamp"": 1693411493.0, ""content"": ""Yes. 10.2 and 11. \n\nLots of proxy (the types of proxy\u2019s, what certificates are needed for each, which certs require keys, etc.), panorama, and user-id. There were a couple of Nat questions \u2014 one was unturn Nat. Had a few on DOS, zone, and packet buffer protection. It\u2019s good to know which events are logged to traffic, threat, or system. \n\nNo sdwan or global protect. I took it twice the last month or so (failed the first time) and both times were pretty identical. \n\nI\u2019ve heard some people get sdwan and GP. \n\nI\u2019m a partner so I\u2019m not sure if everyone has access to Beacon, but there are lots of free training on Palos Beacon site. 
\n\nHave fun and best of luck!""}, {""user"": ""3rp2v24"", ""timestamp"": 1693346788.0, ""content"": ""What about November?""}, {""user"": ""3rp2v24"", ""timestamp"": 1693412021.0, ""content"": ""Can you link the info for proxies cause I have not seen it in the 11.0 study guide.""}, {""user"": ""3up2qoit"", ""timestamp"": 1693348584.0, ""content"": ""In November, you will not get a PCNSA testing voucher with the EDU-210 anymore.""}, {""user"": ""e4ukft51"", ""timestamp"": 1693412829.0, ""content"": ""Here's the study guide: \n\n\n[https://www.paloaltonetworks.com/content/dam/pan/en\\_US/assets/pdf/datasheets/education/pcnse-study-guide.pdf](https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/datasheets/education/pcnse-study-guide.pdf)\n\nProxy will be in sections 3.3, 6.3, 6.8., and anything else covering \""decryption.\""\n\n​\n\nHere's the online documentation:\n\n[https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-networking-admin/dns/configure-a-web-proxy](https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-networking-admin/dns/configure-a-web-proxy)\n\nYou'll want to start here and drill through all the links/pages related to proxy and decryption. It's a lot to cover and remember, but it's all in there. \n\n​\n\nI Highly recommend seeing about getting some demo gear if you can. All of this can be practiced on VMs. If you're not a partner, your's may grant you a 60 day demo of panorama and the vm series firewall. If you don't have access to that, no worries... passing the exam is very doable without them... 
I'm just a hands on type of guy.""}]" +paloaltonetworks-145,"[{""user"": ""odjep3mn"", ""timestamp"": 1693333073.0, ""content"": ""Title: Per App VPN connections\n Body: We are trying to test per app VPN connections using InTunes and the PAN firewall.\n\nI found the following but it is for the Intunes side of things:\n\n[https://docs.paloaltonetworks.com/globalprotect/9-1/globalprotect-admin/mobile-endpoint-management/manage-the-globalprotect-app-using-microsoft-intune/configure-microsoft-intune-for-ios-endpoints/configure-a-per-app-vpn-configuration-for-ios-endpoints-using-microsoft-intune](https://docs.paloaltonetworks.com/globalprotect/9-1/globalprotect-admin/mobile-endpoint-management/manage-the-globalprotect-app-using-microsoft-intune/configure-microsoft-intune-for-ios-endpoints/configure-a-per-app-vpn-configuration-for-ios-endpoints-using-microsoft-intune)\n\nHow do you set up an per app certificate based vpn connection within the PAN firewall?\n\nThe PAN firewall has a root ca. I can generate a cert for the iOS device and import the cert and ca cert into the iOS device.\n\nWhat else do I need to do on the firewall? cert profiles? portal/gateway? authentication profile?\n\nnote: we already use the firewall for vpn connections. I am going to create a different portal/gateway for iOS devices.""}, {""user"": ""2z38uxaj"", ""timestamp"": 1693336564.0, ""content"": ""You have to setup a SCEP server to hand out the certs and it has to be done with Intune to the IOS devices specifically otherwise IOS will not recognize them.\n\nThe Portal and GW need to be a very generic config. Just use the cert profile for authentication on both. 
Nothing more.""}]" +paloaltonetworks-146,"[{""user"": ""1yfrdxp"", ""timestamp"": 1693336377.0, ""content"": ""Title: Connection Failed, MAC OS 13.4.1, Global Protect agent\n Body: Hey, i'm using GlobalProtect vpn for work, since a few days i'm unable to connect to it, it keep saying connection failed, I tried solutions I find on internet : \n\n\\- Reinstall GlobalProtext \n\\- Restart my mac in recovery mode and type : spctl kext-consent add PXPZ95SK77 in the terminal \n\\- Allow third party apps\n\nIt was working fine for months. \nMy version of GlobalProtect his : 6.1.1-5 \n\n\nDoes anybody has the same problem ? Or another solutions ? \n\n\nThanks \n""}, {""user"": ""baajd"", ""timestamp"": 1693339389.0, ""content"": ""You should contact your company\u2019s help desk""}, {""user"": ""5jh7pojzs"", ""timestamp"": 1693351035.0, ""content"": ""Unless there is an unknown config change on the firewall side, this is usually a version bug. Try different feature release versions.""}, {""user"": ""1yfrdxp"", ""timestamp"": 1693384248.0, ""content"": ""I tried but they don't have any solution""}, {""user"": ""1yfrdxp"", ""timestamp"": 1693384281.0, ""content"": ""Where can I find older version of GlobalProtect ?""}, {""user"": ""5jh7pojzs"", ""timestamp"": 1693391621.0, ""content"": ""You can either download these from the CSP or select the default client version in the firewall and have that pushed down to clients based on the GP agent config settings.""}]" +paloaltonetworks-147,"[{""user"": ""7m4fg2wbv"", ""timestamp"": 1693306953.0, ""content"": ""Title: New Logging disk added in Panorama VM is Unavailable\n Body: We deployed the PN VM and added two disks. The first disk is the system disk, and the second disk is used for log collection. 
After we completed the official document, when configuring the log collector, it was prompted that the disk could not be found.\n\nThe TS process is as follows\uff1a\n\ntom@Panorama> show system disk details\n\nName : sdb\n\nState : Present\n\nSize : 2097152 MB\n\nStatus : Unavailable\n\nReason : Admin disabled\n\nxiahba@Panorama> show system state | match cfg.cms\n\ncfg.cms-logtype-mapping: { '3p-external': \\[ \\], 'detailed': \\[ traffic, threat, event, alarm, hipmatch, iptag, mdm, extpcap, gtp, \\], 'infra-audit': \\[ config, system, userid, auth, \\], 'pan-platform': \\[ trapsesm, aperture, \\], 'summary': \\[ trsum, thsum, urlsum, gtpsum, \\], }\n\ncfg.cms.active-operations: \\[ \\]\n\ncfg.cms.buildinfo: { 'branch': panos/release/10.2.3, 'changenum': 4sdcf5bfb12346b98910323cde428253456d50, }\n\ncfg.cms.migration-disks: \\[ \\]\n\ncfg.cms.mode: panorama\n\ncfg.cms.panorama-allow-multiple-disks: unknown\n\ncfg.cms.panorama-resource-check: fail\n\ncfg.cms.reserve: True\n\ncfg.cms.version: 10.2.3\n\n\\-----\n\n If anyone has experienced any of the above symptoms or knows a solution, please share with me. Thanks!""}, {""user"": ""2acnv929"", ""timestamp"": 1693310134.0, ""content"": ""Try this one;\n\nrequest system disk add sdb""}, {""user"": ""7m4fg2wbv"", ""timestamp"": 1693307067.0, ""content"": ""I still haven't solved it by referring to the following KB, and the operating mode in my environment is panorama, which is different from the one in KB\n\nhttps://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PLwxCAG""}, {""user"": ""171ur7"", ""timestamp"": 1693315550.0, ""content"": ""Try restarting the management plane""}, {""user"": ""7m4fg2wbv"", ""timestamp"": 1693311053.0, ""content"": ""Thank you very much. 
The problem has been solved.""}, {""user"": ""2acnv929"", ""timestamp"": 1693317218.0, ""content"": ""Happy to help.\n\nI\u2019ve built more Panoramas in log collector mode than i care to remember and Palo\u2019s documentation is a little lacking to say the least.""}]" +paloaltonetworks-148,"[{""user"": ""3bjb7atd"", ""timestamp"": 1693277238.0, ""content"": ""Title: Migrating from two to three dedicated Loggers?\n Body: Hey guys,\nIs there an easy way to migrate from a pair of Pano Loggers to three Pano Loggers whilst still retaining the logs in the cluster?\nNeed to upgrade from Panorama v9.x to v10.x but need to migrate from two to three Loggers.\nAdvice appreciated \ud83d\udc4d\ud83c\udffd""}, {""user"": ""ss7ye"", ""timestamp"": 1693303703.0, ""content"": ""Are you required to have three loggers in a group when you go to v10.x? We're about to move from 9 to 10 and only have two M600s, so this would definitely impact our upgrade plans.""}, {""user"": ""3bjb7atd"", ""timestamp"": 1693307178.0, ""content"": ""Yeah, v10.x requires minimum 3 loggers in the group.""}, {""user"": ""ss7ye"", ""timestamp"": 1693322426.0, ""content"": ""Got a reference for this anywhere? I can find all sorts of info about needing three for redundancy, but nothing that says three are required for 10.x. My Google-fu is failing me.""}, {""user"": ""3bjb7atd"", ""timestamp"": 1693350283.0, ""content"": ""I'll have to dig up the link, however, Palo Alto Networks \""recommends\"" adding at least three Log Collectors to a Collector Group to avoid split brain and log ingestion issues should one Log Collector go down. 
Two Log Collectors in a Collector Group is supported but the Collector Group becomes non-operational if one Log Collector goes down.\n\nSo, I guess technically two will work, but if you're running a mission critical service and need maximum resiliency, then a minimum of 3 is required.""}, {""user"": ""gpf65"", ""timestamp"": 1693367727.0, ""content"": ""https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-release-notes/pan-os-10-0-release-information/changes-to-default-behavior\n\nThe minimum number of Log Collectors required for a Collector Group to be operational is based on the following formula where n equals the total number of Log Collectors in the Collector Group:\nn/2+1\nFor example, if you configure a Collector Group with six Log Collectors, a minimum of four Log Collectors are required for the Collector Group to be operational.\nAdditionally, you should round down the minimum number of Log Collectors required if you have an odd number of Log Collectors in a Collector Group. For example, if you have three Log Collectors in a Collector Group, you need at least two Log Collectors for the Collector Group to remain operational.""}, {""user"": ""ss7ye"", ""timestamp"": 1693350503.0, ""content"": ""Yeah, I inherited this config with two collectors and no real redundancy, but just need to be sure we won't be blocked from upgrading to 10.x with only two. 
There are plans to add more, just don't think that will happen before we upgrade.""}, {""user"": ""ss7ye"", ""timestamp"": 1693396475.0, ""content"": ""Thanks for the link, and yes, with two you definitely are out of luck if one goes down, but the key part of that section in the Release Noted was the last line: \""Two Log Collectors in a Collector Group is supported but the Collector Group becomes non-operational if one Log Collector goes down.\"" So it looks like we're good to upgrade, with the same limitations we currently have.""}, {""user"": ""3bjb7atd"", ""timestamp"": 1693350729.0, ""content"": ""Cool, fair enough. I'm sure you can augment your existing Log Collector Group with additional Log Collectors once upgraded to 10.x.\n\nMy issue is we're shifting the entire deployment from one private cloud environment to another private cloud environment, so whilst we're at it, we'll migrate from two to three Log Collectors in each group. Just don't want to lose any customer logs in the process.""}, {""user"": ""gpf65"", ""timestamp"": 1693421303.0, ""content"": ""If 1 goes down then you lose elastic search. This is a change in behavior from previous versions where the connector group would stay operational.""}, {""user"": ""ss7ye"", ""timestamp"": 1693355311.0, ""content"": ""Thanks. 
As to your original question, I saw a post asking about LC expansion (https://live.paloaltonetworks.com/t5/panorama-discussions/want-to-add-third-panorama-in-collector-group-for-logging/td-p/472190) and it looks like it's as simple as adding more LCs (of the same type) to the group and then patiently waiting for the logs to be redistributed to the new member.""}, {""user"": ""3bjb7atd"", ""timestamp"": 1693355445.0, ""content"": ""Cool thanks for this.""}]" +paloaltonetworks-149,"[{""user"": ""qjqj027n"", ""timestamp"": 1693264984.0, ""content"": ""Title: Data cap limits for specific network on open access point\n Body: Hi, I'm looking to do this: [https://github.com/hiep4hiep/PANW-Bandwidth-quota](https://github.com/hiep4hiep/PANW-Bandwidth-quota)\n\nBut without having to use scripts, is there a way to do something similar inside the PA firewall?""}]" +paloaltonetworks-150,"[{""user"": ""16lz1k"", ""timestamp"": 1693248351.0, ""content"": ""Title: Decryption - banking sites?\n Body: We are planning to implement SSL decryption. I have read up on the procedure and understand the basic implementation steps. In our discussions on how when to implement we are concerned about sites that break and also sites with personal info such as banking sites. From what I read there is a default exclusion list, enabled by default for sites that are known to break, but what is the best practice to exclude sites that may contain confidential info, such as banking or government sites? Is it up to us to exclude them or is there a built in list? thanks.""}, {""user"": ""144wwl"", ""timestamp"": 1693253784.0, ""content"": ""You do what I\u2019ve done for 8 years and have an ever growing list of \u201cdo not decrypt\u201d URLs\u2026""}, {""user"": ""8wpxm"", ""timestamp"": 1693248546.0, ""content"": ""There is an exclusion list. But from my recent experience you must add \""financial services\"" to NOT decrypt for you to not have any issues. 
I had issues with various banks with the default exclusion list. \n\nExclusion list obviously doesnt add them all.""}, {""user"": ""p1pda"", ""timestamp"": 1693248725.0, ""content"": ""Financial, government and medical need to be excluded. They\u2019re gradually adding other major sites that use pinned certs to the list too.""}, {""user"": ""5u04b"", ""timestamp"": 1693249094.0, ""content"": ""We decrypt everything, banking/healthcare are the two things most targeted by phishing/etc so they're the ones you want to protect. As always, talk to your legal council before making these types of decisions.\n\n​\n\nIf you're in the US, there is no expectation of privacy on a company device. As long as you're not storing data (PCAPs) there isn't an issue.""}, {""user"": ""1t5mtxmu"", ""timestamp"": 1693313099.0, ""content"": ""You can leverage fqdns and formats such as wildcards in the same exclusion list palo uses Device/Certificate management/SSL Decryption Exclusion, I find this doesn\u2019t always work reliably but is the fastest processing method so it\u2019s worth trying first, or you can use security policies/decryption/pre rules and utilize source exceptions for server workflows that rely heavily on mutual authentication (certificate auth) which this always breaks, or destination exceptions based on fqdn (this works well), and you can also leverage destination by url category by creating a custom url category object, this should work but is the most processing/slowest method.""}, {""user"": ""51x0a"", ""timestamp"": 1693314249.0, ""content"": ""This is a great (and honestly IMO, mandatory) idea, but I also think it's secondary to configuring your SSL decryption to exclude certain categories such as banking, healthcare, etc.""}, {""user"": ""16lz1k"", ""timestamp"": 1693248904.0, ""content"": ""So I have to create my own exclusion list, or PA provides one? Or do I just put in those categories somewhere? 
It seems like a lot of work to provide an extensive list, even for just your country. Thanks.""}, {""user"": ""11fzl4hw"", ""timestamp"": 1693254528.0, ""content"": ""But phishing victims wont be sent to the legit bank site, at least not directly? \n\nRe pcaps assuming you do SSL decrypt would that be best served by having a separate security policy and profile just for finance / medical and govt with pcaps disabled ?""}, {""user"": ""7ucaq"", ""timestamp"": 1693257356.0, ""content"": ""> As long as you're not storing data (PCAPs) there isn't an issue.\n\nThis is actually why Palo doesn't allow this by default, and you need a no cost license to be applied to your device in order to even capture them. Basically Palo doesn't want random people storing SSL decrypted traffic unless they have a massive business need for it.""}, {""user"": ""3ho57"", ""timestamp"": 1693259964.0, ""content"": ""Interesting. I'll have a chat with HR in this. I've always said this is a huge hole and currently don't decrypt these, but they are heavily targeted and I worry that we're seeing stuff get through. At least we're blocking domain creds on these sites, but now I wonder if that's even working correctly, because we don't decrypt them first.""}, {""user"": ""s4nv6b5"", ""timestamp"": 1693283690.0, ""content"": ""Terrible ideas you shouldn\u2019t follow""}, {""user"": ""16lz1k"", ""timestamp"": 1693250871.0, ""content"": ""Canada. It's probably the same, I'll let the security manager make the call. 
Thanks.""}, {""user"": ""xbtmk"", ""timestamp"": 1693447176.0, ""content"": ""> We decrypt everything, banking/healthcare are the two things most targeted by phishing/etc so they're the ones you want to protect.\n\nthis makes absolutely zero sense, sorry.\n\n> As always, talk to your legal council before making these types of decisions.\n\nthis absolutely makes sense.""}, {""user"": ""xbtmk"", ""timestamp"": 1693360087.0, ""content"": ""no idea why you got downvoted, but this is the way.""}, {""user"": ""8wpxm"", ""timestamp"": 1693249061.0, ""content"": ""In the Decryption Policies, make a policy that you move at the top, select destination url categories, add the cateogies, put action NOT-DECRYPT""}, {""user"": ""2z38uxaj"", ""timestamp"": 1693251582.0, ""content"": ""If you want one off sites beside the ones mentioned create a do no decrypt URL Category and add it also. You will need it as some sites just plain old break when you try to decrypt them and Palo Alto does have them all by any means.""}, {""user"": ""zps23"", ""timestamp"": 1693268589.0, ""content"": ""Phishing wouldn't be going ot the real sites, so any phishing sites would still be decrypted (assuming you didn't block them outright with the web filter.\n\nAs long as you trust the actual banks to keep control of their domains there should be no security risk from not decrypting that traffic.""}, {""user"": ""16lz1k"", ""timestamp"": 1693250890.0, ""content"": ""Thanks!""}, {""user"": ""16lz1k"", ""timestamp"": 1693425326.0, ""content"": ""Struggling with this part. Under Objects->Custom Objects>URL Categories I created a category called 'do not decrypt list', I created a new policy under policies->decryption called 'no decrypt', moved it to the top. I set this to 'do not decrypt' and under service/url category I added my custom URL Category list. When I hit my test site it still decrypts it. 
I added financial services to that rule as well and it no longer blocks bank sites that I had tested before, so I know the rule works, it just doesn't seem to work with my custom list. I am using https://fast.com as a test site and I tried adding it to the list in various formats (https://fast.com, *.fast.com, etc)...just doesn't seem to pick up. Also monitoring the hit's on the no decrypt rule, which doesn't increase if I go to fast.com but does if I go to a banking site.""}, {""user"": ""2yb1e6au"", ""timestamp"": 1693272201.0, ""content"": ""This does work for *most* sites. The firewall will look at the SNI of the client cert, check that against the URL category, then decrypt/not decrypt based on that. If the client doesn't include the SNI, or if it is using TLS 1.3, then it will still decrypt the site.""}, {""user"": ""3ho57"", ""timestamp"": 1693298851.0, ""content"": ""Great points.""}, {""user"": ""16lz1k"", ""timestamp"": 1693426280.0, ""content"": ""Never mind I got it working, I entered *.fast.com in my list. We also use file blocking and that was limited without decryption. I was playing around with this and now common downloads like putty.exe or winscp.exe are indeed blocked, which I know is something we will have complaints about. At least I know now to create the exceptions. One thing I noticed, when I added winscp to the exclusions list mentioned above, it is no longer decrypted so I was able to download the exe, but the certificate still shows my forward proxy cert. When I got the fast.com site working with no decryption the cert is back to the proper Digicert site. Not sure what this.""}]" +paloaltonetworks-151,"[{""user"": ""cxemp9lwg"", ""timestamp"": 1693245985.0, ""content"": ""Title: Basic questions regarding App-id application\n Body: When I create a firewall rule, for instance, Zoom. I created the rule and added the Zoom-Base app within the application option. I see the depends on adding SSL, rtcp, and stun. 
If I add SSL are there implications for allowing SSL? By allowing SSL does it only affect that specific Zoom rule or does it allow all SSL traffic? Thanks""}, {""user"": ""7k29i"", ""timestamp"": 1693249058.0, ""content"": ""Short answer is No. \n\nIf you have no destination IP in the rule (set to any), then any SSL-based traffic will use that rule to go out to the internet.\n\n\n\nWhen it comes to internet-based traffic for your user base, unless you're in a crazy restrictive environment, you're not going to create individual app-specific rules for each department, user, or use case. \n\nYou're going to make one outbound internet rule and add all allowed outbound app IDs to that one rule.""}, {""user"": ""oiu1w"", ""timestamp"": 1693248917.0, ""content"": ""This will only apply to the security policy in question. For example, I have a deny rule at the top of my security rules that blocks Facebook and TikTok. SSL is listed in Depends on. This will not affect using SSL in any way like browsing the internet. Does this answer your question?""}, {""user"": ""x4xwb"", ""timestamp"": 1693252115.0, ""content"": ""If you add ssl application to that rule, it will allow SSL altogether. It makes sense in terms of application recognition, but that is downside of adding all the dependencies that may be required - you will have ssl & web-browsing there for many web apps and that means that unnecessary traffic will be allowed through.\n\nIf I need, I'm trying to add just application I need without adding dependencies - and it works well most of the time, but it will depend (hehe) on the app, have to test.""}, {""user"": ""odjep3mn"", ""timestamp"": 1693262730.0, ""content"": ""I think all SSL traffic unless you restrict it by URL category""}, {""user"": ""dm71j"", ""timestamp"": 1693275479.0, ""content"": ""Yes, all ssl traffic that reaches the rule would be allowed.\n\nI recommend never adding the application dependencies when you create the rule. 
When you create the rule, it isn't part of the rulebase so it only evaluates that rule. Click OK and close the new rule. Reopen the rule and check the dependencies, because the rule is now part of the rulebase the dependency check will include every rule (broken in 11.0.x). You may find that ssl is already allowed in another rule.""}, {""user"": ""15q3ae"", ""timestamp"": 1693295054.0, ""content"": ""If you're going to enable access to zoom, I'd recommend leveraging external dynamic lists for your destination addresses ( so you don't end up with an 'Any' rule.\nPalo manage an ever increasing list of cloud hosted services.\n\nhttps://docs.paloaltonetworks.com/resources/edl-hosting-service""}, {""user"": ""8wpxm"", ""timestamp"": 1693248346.0, ""content"": ""It sorta does a mix and match AFAIK, like it says you need to add the rest, but it still only allows Zoom.\n\n\nNow from my experience i found that if the app is very complicated (like skype was) its never an accurate match, BUT it will never let anything extra run""}]" +paloaltonetworks-152,"[{""user"": ""28uwmj7w"", ""timestamp"": 1693231378.0, ""content"": ""Title: Is Decryption of HTTP/3 Supported?\n Body: Is it possible in PAN-OS to decrypt HTTP/3 traffic? Or do we still have to block QUIC to force clients to revert to HTTP/2 or HTTP/1 on standard TCP and TLS?\n\nIf it's not possible at this point in time, does anyone know if it's on the roadmap?\n\nI've heard some people claim that decrypting QUIC is impossible, but Fortinet added support for it last year: [https://docs.fortinet.com/document/fortigate/7.2.0/new-features/4/change-log](https://docs.fortinet.com/document/fortigate/7.2.0/new-features/4/change-log) \n\n\nI think the bigger problem historically was that QUIC was in use for a long time but not standardized (and thus still changing) until 2021. 
But now that QUIC is standardized, it should be possible to add support for decrypting it.""}, {""user"": ""unknown"", ""timestamp"": 1693244677.0, ""content"": ""[deleted]""}, {""user"": ""28uwmj7w"", ""timestamp"": 1693252566.0, ""content"": ""So sounds like the answer to the first question (is it currently supported?) is \""no.\"" Is that correct?""}]" +paloaltonetworks-153,"[{""user"": ""eq4blh7ao"", ""timestamp"": 1693266034.0, ""content"": ""Title: Palo Alto Reporting\n Body: For the life of me, can\u2019t find a decent report on ports outbound being used. We are about to shut down all ports outbound that are needed to start enforcing zero trust.\n\nHalp.""}, {""user"": ""9uqez280w"", ""timestamp"": 1693266928.0, ""content"": ""There is no dedicated \""outbound\"" port. Because every Port needs inbound traffic as well.\n\nIf you just want to know your path to the internet, check the virtual Router. \nInside the virtual router you will most likely have a default route (0.0.0.0 /0 next hop XYZ)\n\nNote down this next hop IP Address and now check your interfaces. You will have one Interface which is in the same subnet as the next hop IP. Thats your egress interface for internet traffic.\n\nYou can also simply check the traffic monitor. Ping [8.8.8.8](https://8.8.8.8) from your computer, search your ping in the traffic monitor (with source IP and dest ip) and than toggle the column \""egress I/F\"". That will show you the interface where your ping left the firewall on its way to the internet.\n\nYou can also take a guess depending on your Zone names. Most customers i know call the Internet Zone something like \""untrust, Internet, WAN\"" and so on. Every interface in this zone is probably a way out.""}, {""user"": ""dgldc0heo"", ""timestamp"": 1693270445.0, ""content"": ""When you say outbound ports are you saying you don't know because you have an allow any rule rn and you're planning on ratcheting it down? This doesn't make sense to me. 
You can see all the traffic if you want to. What version are you running and what are you starting with? Like an any/any trust/untrust? Give some more info and I can help.\n\nBasically, if you have ANY rule configured other than the default rules, you can set logging on the rules and you should not only see the ports but the applications as well, then you can figure out how you want to proceed. Sounds like you don't maybe have a great handle on the traffic flows yet?\n\nLmk, I can maybe steer you in the right direction without too much trouble and you won't be getting chased by people bc you shut down their access.\n\nAlso, this is a layer 7 firewall, why are you making port based rules i.e. layer 4? \n\nlmk if you need any guidance""}, {""user"": ""gcc16"", ""timestamp"": 1693274352.0, ""content"": ""There is a \u201creport\u201d for each policy you have that shows applications seen (ssl, web browsing, etc. I want to say it shows ports also, but it\u2019s not in front of me atm.""}, {""user"": ""eq4blh7ao"", ""timestamp"": 1693267028.0, ""content"": ""Makes perfect sense, absolute perfect sense, thank you, I\u2019ll give that a shot tomorrow.""}, {""user"": ""dgldc0heo"", ""timestamp"": 1693282271.0, ""content"": ""If you mean when you are looking at the live traffic then yes it can show ports as well as apps.""}, {""user"": ""gcc16"", ""timestamp"": 1693308213.0, ""content"": ""When you're in the policy view, select a random rule, and as you scroll to the right of the display, There's the 'rule usage' section. One of the subsections there is 'apps seen' which is clickable. This will bring up a display of all the apps this rule has triggered on since the last clearing of the counters. But it doesn't unfortunately show the port used. If the rule is set to 'application default' then ssl will be under tcp/443 obviously, but that isn't always the case if you allow by any port, so you'd have to filter it in the traffic log. This probably requires 9.1 or higher? 
I don't remember when it was introduced.""}]" +paloaltonetworks-154,"[{""user"": ""jc7yiryk"", ""timestamp"": 1693231836.0, ""content"": ""Title: Internally hosted dynamic url EDL not working\n Body: I am trying to leverage an internally hosted EDL for URL's as a blocklist, however it is not actually pulling in any of the URL's and I don't know why. This is also the case for an EDL hosted externally on the web ([https://saasedl.paloaltonetworks.com/feeds/m365/worldwide/any/all/url](https://saasedl.paloaltonetworks.com/feeds/m365/worldwide/any/all/url)). Going directly to either URL shows the addresses so whats the deal? See attached screenshot.\n\nFYI URL's in screenshot are known malicious domains DO NOT GO TO THEM.""}, {""user"": ""746jy"", ""timestamp"": 1693233305.0, ""content"": ""Have you added the EDL to a policy? The firewall won't actually pull down the contents of the EDL until it's referenced in policy.""}, {""user"": ""ty28h"", ""timestamp"": 1693234197.0, ""content"": ""u/ibor132 had a good suggestion.\n\nI'd also like to add: Start with the basics. Does your management interface have valid DNS servers defined?""}, {""user"": ""1a5x25yf"", ""timestamp"": 1693234716.0, ""content"": ""this got me the first time""}, {""user"": ""jc7yiryk"", ""timestamp"": 1693234781.0, ""content"": ""Whoops, that is good to know I did not apply it to any policy yet!""}, {""user"": ""jc7yiryk"", ""timestamp"": 1693235253.0, ""content"": ""Yeah thats all it was thank you so much! After applying it to a policy and committing it, the EDL got populated.""}]" +paloaltonetworks-155,"[{""user"": ""11o6u1"", ""timestamp"": 1693229291.0, ""content"": ""Title: How to restrict multiple login on GB\n Body: Hello folks, edit: GB-> GP\n\nI'm searching for a way to disable \""multiple user login\"" on version 11 of GB. If there's a way to do this or if there's a clear document related to it, I would be really thankful. 
We don't want another device to connect at the same time.\n\nThanks""}, {""user"": ""8wpxm"", ""timestamp"": 1693245457.0, ""content"": ""You cannot, it's a feature request for years. Alternatively you could reinforce HIP to single out one user.""}, {""user"": ""x04u8"", ""timestamp"": 1693249883.0, ""content"": ""With FreeRadius you can pass the machine ID to the radius server, run a script to validate if there is a current login, then deny the request if the machine ID dosen't match. \n\nOtherwise, I don't know of another option.""}, {""user"": ""x04u8"", ""timestamp"": 1693242870.0, ""content"": ""What is GB?""}, {""user"": ""11o6u1"", ""timestamp"": 1693253193.0, ""content"": ""We are using for login Office 365 + AD maybe have we a chance?""}, {""user"": ""11o6u1"", ""timestamp"": 1693253232.0, ""content"": ""We are using for login Office 365 + AD i guess i can't use radius""}, {""user"": ""8wpxm"", ""timestamp"": 1693245361.0, ""content"": ""GlobalBrotect, its like GlobalProtect but for bros!""}, {""user"": ""8wpxm"", ""timestamp"": 1693253749.0, ""content"": ""So azure. \n\nTehnically you could. But the Azure should deny any other logins, the PAN cannot.\n\nAgain, if you have a GP license, think about HIP.""}, {""user"": ""3xue21l8"", ""timestamp"": 1693251382.0, ""content"": ""Man I came here to make that exact joke. Good work.""}]" +paloaltonetworks-156,"[{""user"": ""jtswei"", ""timestamp"": 1693228414.0, ""content"": ""Title: DUO MFA for admin login?\n Body: I'm in the process of switching from some old ASAs to PA-440 units. 
I'd like to secure the admin login via DUO MFA if possible.\n\nI've reached out to support, however I was just being sent articles for all other kinds of MFA (OpenProtect, SSL VPN, etc), and the stuff I've found on my own seems overly complex (redirecting to a captive portal, etc).\n\nI currently have a Windows server running the Duo Authentication Proxy that's acting as RADIUS and is functioning for my Cisco deployment.\n\nOn my own I've been able to configure the PA-440 to query this RADIUS when I log in with an account in my Active Directory (I enter the credentials and get my DUO authentication prompt), but upon approving the authentication request I get a **Not Authorized** error at the PA-440 login screen.\n\nI feel that I'm soooo close. I'm not sure what I need to do to ensure my account can log into the admin panel.""}, {""user"": ""jtswei"", ""timestamp"": 1693231018.0, ""content"": ""Well, apparently this was just me still thinking in Cisco mode.\n\nWith our current deployment, we have an AD security group that users who have access to the firewalls are added to. When those users login the Duo Authentication Proxy confirms the users are in that group, and if so a Duo push auth request occurs. Users not in that group just fail the login.\n\nI was hoping to do the same thing with the PA-440, but I'm guessing that isn't the case. I was able to successfully log in by creating a new superuser account on the PA-440 and setting the authentication profile to my RADIUS server. This authenticated against my AD, and after approving I was taken to the admin panel.""}, {""user"": ""nvfabfv"", ""timestamp"": 1693229543.0, ""content"": ""Hi, you need to configure RADIUS server profile in PA and specify that authentication method for GP. DUO in this case will handle all MFA, password etc authentication process and send Authentication success or failure to PA. 
in GP portal configure cookie auth so you are not prompted twice for login..\n\nIt should work but if you are getting Not Authorized error I would take a look at DUO configuration. I would also do pcap for that radius traffic from PA MGMT traffic.""}, {""user"": ""91mhu98b"", ""timestamp"": 1693245102.0, ""content"": ""For the DUO DAP make sure you are using a unique port can\u2019t overlap an existing port for another radius service""}, {""user"": ""jtswei"", ""timestamp"": 1693230455.0, ""content"": ""If by GP you mean GlobalProtect, I'm not using that.\n\nDuo seems to be working; it prompted me and I approved it, but the PA did not take me to the admin page. I presume there's something else I need to do in the PA to indicate that the user that just authenticated is allowed to access the admin panel.""}, {""user"": ""jtswei"", ""timestamp"": 1693250814.0, ""content"": ""Yep, we've been doing that. My original problem was that I wasn't aware that DAP existed on the NPS server, so I'd configured the PA to point to the port for DAP (based on the ASA configs), but I was trying to set up the client in NPS.\n\nOnce I added the PA's management IP to the DAP configuration file I then started getting my DUO prompts, but the PA was rejecting the login because there wasn't a user matching what I'd logged into set up on the PA.\n\nPart of me would rather I could just add a user to an AD group and not have to do anything on the firewall, but I understand if that's not supported. There are only a few users who are in the group, so creating accounts for them using the MFA profile isn't a huge thing.""}, {""user"": ""nvfabfv"", ""timestamp"": 1693231601.0, ""content"": ""Hi, srry I miss read your post. Then if you are getting not authorized it means that DUO is not sending correct radius VSA back to PA. 
Rad more about VSA here:https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClIxCAK""}, {""user"": ""91mhu98b"", ""timestamp"": 1693251342.0, ""content"": ""Also check the duo logs to see what your user name is showing up as and matching the account in duo. Under the \u201capplication\u201d in Duo there is a \u201cusername normalization\u201d feature that makes \""DOMAIN\\username\"", \""username@example.com\"", and \""username\"" treated as the same user.""}]" +paloaltonetworks-157,"[{""user"": ""ijjkkluzl"", ""timestamp"": 1693240690.0, ""content"": ""Title: Can I upgrade to cloud plugin version 3.1.0-h75 with PanOS 10.2.4-h4\n Body: There is conflicting data on the documentation online. \n\n\\---> This article : [LIVEcommunity - Minimum Required Panorama Software Versions for Panorama Managed Prisma Access 3.2 - LIVEcommunity - 507712 (paloaltonetworks.com)](https://live.paloaltonetworks.com/t5/customer-resources/minimum-required-panorama-software-versions-for-panorama-managed/ta-p/507712) \n\nMentions the following :\n\n​\n\nhttps://preview.redd.it/zjzh06axovkb1.png?width=1279&format=png&auto=webp&s=6f3a3c7d26cf85cb349b1978972c03869fa91849\n\n\\---> This article : [Prisma Access and Panorama Version Compatibility (paloaltonetworks.com)](https://docs.paloaltonetworks.com/compatibility-matrix/prisma-access/prisma-access-and-panorama-version-compatibility) \n\nMentions the following : \n\n​\n\nhttps://preview.redd.it/bhoypvucpvkb1.png?width=1283&format=png&auto=webp&s=4afd07329ac85f73efdb96dc4ce9474f082833e6\n\nThe first article states that any 3.1 plugin does not support 10.2.3 and second article mentions supports OS versions later than 10.2. 
\n\nSo will cloud plugin version 3.1.0-h75 be compatible with PanOS 10.2.4-h4 or not ?""}]" +paloaltonetworks-158,"[{""user"": ""1ikg6r7"", ""timestamp"": 1693239850.0, ""content"": ""Title: Can company track my activity on personal computer using Global Protect?\n Body: Hi \n\nMy personal device is connected to company vpn (global protect)\n\nI have two screen. \n\none screen uses to remote into workstation in the office while other screen is used for my personal computer. \n\nCan company track what I am browsing on my peroneal computer while company vpn is connected? ""}, {""user"": ""5vesi3qs0"", ""timestamp"": 1693240030.0, ""content"": ""If you are on their network yes. Anything that goes through the firewall can be seen. If it a split tunnel im gonna guess not though. Split tunnel would send any traffic that needs to go back to your work, to there. But anything that doesnt, would just go out your own internet. If that makes sense.""}, {""user"": ""4bubippk"", ""timestamp"": 1693258888.0, ""content"": ""I even decrypt and read your personal email.""}, {""user"": ""mnt6suvq"", ""timestamp"": 1693280229.0, ""content"": ""Personal devices should not have work stuff on it. If it does then treat it like they can see what you have. \nCompany should be supplying you a company laptop to use.""}, {""user"": ""9exs4kh8g"", ""timestamp"": 1693242558.0, ""content"": ""If you disconnect the vpn: no. If you are connected: yes.""}, {""user"": ""15ovn1"", ""timestamp"": 1693242904.0, ""content"": ""If they're split tunneling your DNS and your internet traffic exits your home router - YES they will see all your DNS activity meaning they'll be able to see what sites you're going to. 
\n\n\nIf they're full tunneling your internet traffic with something like Prisma Access they'll be intercepting all your traffic with a certificate and actually see specifically what sites you're going to so YES!""}, {""user"": ""gpf65"", ""timestamp"": 1693254602.0, ""content"": ""Palo Alto now does split tunneling for DNS as well.""}, {""user"": ""4e5qd4lt"", ""timestamp"": 1693254638.0, ""content"": ""Pro tip, get a mini kvm switch, and use your own computer for personal browsing.""}, {""user"": ""l250m"", ""timestamp"": 1693282964.0, ""content"": ""I can only see what's going on if you are connected to the vpn. If it's split tunnel I'd have to snoop DNS.\n\nJust don't make me look at the logs. I have no reason to be looking at what you do.""}, {""user"": ""4toethie"", ""timestamp"": 1693311531.0, ""content"": ""A couple of things with this..if you\u2019re connected to VPN then yes, they can see it. One version of GP doesn\u2019t disconnect properly so, even when you think it\u2019s disabled, it\u2019s still connected. Google \u201cwhat is my IP\u201d when you\u2019re disconnected just to be sure..""}, {""user"": ""3kx8u"", ""timestamp"": 1693240379.0, ""content"": ""Yes, but all DNS would be forwarded to the company's DNS servers, so they will be able to see what sites you're visiting by inspecting DNS traffic, even if the connections themselves aren't getting sent across the VPN""}, {""user"": ""1ikg6r7"", ""timestamp"": 1693240322.0, ""content"": ""I am using home wifi. Will that make any difference?""}, {""user"": ""3hm7h765"", ""timestamp"": 1693273334.0, ""content"": ""Is this a gateway setting?""}, {""user"": ""5vesi3qs0"", ""timestamp"": 1693243097.0, ""content"": ""true true""}, {""user"": ""9b88h"", ""timestamp"": 1693240444.0, ""content"": ""No. 
Just assume they can see everything you're doing while connected to VPN.""}, {""user"": ""5vesi3qs0"", ""timestamp"": 1693243142.0, ""content"": ""The other user is right, they can still see DNS as that is likely pointing to their DNS server. \n\n​\n\nWhat are you doing anyway that you are so worried about...""}, {""user"": ""gpf65"", ""timestamp"": 1693278453.0, ""content"": ""https://docs.paloaltonetworks.com/globalprotect/5-2/globalprotect-app-new-features/new-features-released-in-gp-app/split-dns\n\nIt's configured in the app section of the portal.""}, {""user"": ""suz08"", ""timestamp"": 1693251193.0, ""content"": ""This conversation summarises the situation well. VPN on, they will see your DNS traffic and MAY see your personal Web traffic (they will need to have purchased a URL subscription from Palo to get URL categorisation and enforcement)\n\n(FYI DNS logs are normally a bit of bitch to search through for data, URL logs are generally where most companies search for browsing behaviour)\n\nAt this stage I'd ask the HR team what the formal policy on web browsing is. Suggest a scenario where you forget to disconnect the VPN out of hours, what will they enforce and monitor?\nURL filtering and blocking of dubious content is generally an HR issue, not an IT issue. It's an IT issue with regards to infosec. Please ask them, a policy should be available for all to read and understand!\n\nYou could test, to see if you are being inspected. https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClaDCAS\nPut the test page for say \""malware\"" into the web browser whilst on VPN and if you get the block page your standard web browsing traffic is being inspected, if you see a test page it most likely isn't. 
\n(This is assuming that malware URLs are being blocked which it typically is if they have a URL subscription)\nHOWEVER, this might earn you a phone call from IT or HR so I'd only do it if you have a pretty good alibi for your actions.""}, {""user"": ""42wqjgl1"", ""timestamp"": 1693367527.0, ""content"": ""Could be a million things, gambling, looking at other jobs, gaming, netflix?""}, {""user"": ""3hm7h765"", ""timestamp"": 1693280773.0, ""content"": ""Thanks""}]" +paloaltonetworks-159,"[{""user"": ""7o7nfug4"", ""timestamp"": 1693218311.0, ""content"": ""Title: How to connect PA-220R to AC power\n Body: Does anyone have experience connecting the PA-220R to normal AC power? This version of the PA-220 requires DC power. Palo Alto lists a separate product: PAN-PWR-60W-AC but there isn't any information on what it looks like or exactly how it would connect to the PA-220R whose power receptacle requires custom wiring. For redundant power, do I need two PAN-PWR-60W-AC units? Searching suppliers for the PAN-PWR-60W-AC shows widely varying prices from $269 at CDW [https://www.cdw.ca/product/palo-alto-power-adapter-60-watt/5809604](https://www.cdw.ca/product/palo-alto-power-adapter-60-watt/5809604) to $480 at Xpert [https://www.xpert.com/pan-pwr-60w-ac.html](https://www.xpert.com/pan-pwr-60w-ac.html) . Xpert is the only source that lists the product as in stock and everyone else states that it is back-ordered. A photo would be helpful.""}, {""user"": ""5u04b"", ""timestamp"": 1693228906.0, ""content"": ""Unless you're using this for a very rugged application where you already have DIN mounting and/or DC power available I'd suggest getting not the 220R.\n\n​\n\nIn any case, you buy the PAN-PWR-60W-AC power supply if you want to feed it AC power, palo specifically lists the 220R as the compatible firewall with that PSU.""}, {""user"": ""e6qh3"", ""timestamp"": 1693230275.0, ""content"": ""Fill us in here, why did you buy a 220R? That is an odd choice. 
\n\nThe power brick is just like a laptop power brick and it end with two, tinned wires. Those go into the screw terminals. \n\nFor redundant power there are A and B connector labeled right on the power terminal block. Two adapter would work.\n\nNo reseller will list them as in stock. Palo uses a 3 tier distribution model so the resellers get their stuff from a big distributor like Synexx or Westconn.""}, {""user"": ""7o7nfug4"", ""timestamp"": 1693234272.0, ""content"": ""Thank you. That is very helpful. You ask a great question and the only answer is that I did not intentionally buy the PA-220R. I only wanted an additional PA-220 for a new small office location, which I did not know was End of Sale. It seemed like a good idea at the time. :)""}, {""user"": ""7o7nfug4"", ""timestamp"": 1693234277.0, ""content"": ""Thank you. That is very helpful. You ask a great question and the only answer is that I did not intentionally buy the PA-220R. I only wanted an additional PA-220 for a new small office location, which I did not know was End of Sale. It seemed like a good idea at the time. :)""}, {""user"": ""e6qh3"", ""timestamp"": 1693234939.0, ""content"": ""My advice, which you didn't ask for, but here it is. Return it if you can. Sell it on eBay and take the loss if you can't. \n\nThe 220 series is very old and out of date. It still does exactly what it say it will do on the datasheet. But, it takes probably 10 minutes to boot. Saving (applying the config takes 5 minutes or more. It is miserable box to live with if you have to make changes very often. \n\nThe 220R, being fanless, might even be slower than the regular 220. \n\nsince the base hardware cost on a 220R is more than a 220 the subscriptions are super expensive. If you aren't running security features, URL filtering and such, there are MUCH cheaper firewalls available. \n\nWhat did pay for it? List on a 220R is over $3k\n\nThe 220R is still current product. 
The regular 220 is end of sale, but the 220R is not. It just for a very niche market.""}, {""user"": ""7o7nfug4"", ""timestamp"": 1693237132.0, ""content"": ""Thank you.""}]" +paloaltonetworks-160,"[{""user"": ""b42upey"", ""timestamp"": 1693209889.0, ""content"": ""Title: Load balancing between IPSEC\n Body: Hello, \nI wonder if it is possible to load balance traffic to N IPsec from trusted zone to IPsec zone.\nI've read that ECMP can help me with this but I wonder if you guys already done that and if there is any other solutions.\nHaving a load balancer in front of the IPsec like a F5 can be an option also.""}, {""user"": ""nwe85e06"", ""timestamp"": 1693210588.0, ""content"": ""You can use BGP for that or PBR. ECMP is also valid option.""}, {""user"": ""3uqxds9f"", ""timestamp"": 1693212003.0, ""content"": ""Run Ospf across both ends. Set the Ospf cost for each tunnel the same. Ospf load balances by default.""}, {""user"": ""b42upey"", ""timestamp"": 1693211853.0, ""content"": ""The thing is I can't use PBR since I can't split manually the subnet on the ingress interface. Let's say I have 10.10.0.0/16 subnet to be load balanced, I can't split it in four subnets because some subnet will generate more traffic and IPsec will be congestionned to my mind""}, {""user"": ""b42upey"", ""timestamp"": 1693212322.0, ""content"": ""I do not have the hand on the other side of the IPsec, it's a SaaS solution..""}, {""user"": ""i5gzh"", ""timestamp"": 1693212638.0, ""content"": ""What\u2019s on the other end? Azure? AWS? Giving us context should be able to assist you better""}, {""user"": ""3uqxds9f"", ""timestamp"": 1693212952.0, ""content"": ""Then it\u2019s not really load balancing as the other end won\u2019t do the same and will return traffic down a single link for all you know. That in itself could potentially break the connection on the Palo due to asymmetric routing. 
\n\nMultiple tunnels is an option if you have multiple DIA links but if they\u2019re all going out a single DIA line, it\u2019s not really beneficial under the hood. \n\nAlso you got to look at your source prefix for all this traffic, is it\u2019s the same, then traffic will not return back across the multiple links. \n\nAnother way to do this is add separate tunnel IPs (/30s) to the tunnel endpoints - provided the other end let\u2019s you. Then use ECMP and do a source nat - by translating all source traffic to the tunnel interface IP - so traffic always returns back over the same link.""}, {""user"": ""b42upey"", ""timestamp"": 1693213568.0, ""content"": ""So let me elaborate:\n\nEach IPsec is connected to a different data center (owned by the SaaS) separated physically and by IP \n\nEach IPsec have NAT transversal option enable in order to the packet to come back to the right client.\n\nEach IPsec is mounted on the same ISP interface \n\n\nThe IPsec have a capacity of 500Mbits/s (threshold by the SaaS vendor)\nIn my traffic, if 100 users are watching Netflix at the same time in the same subnet that going only in one IPsec, I will have congestion.\n\nThat is why I wanted to find a solution to load balance traffic to several IPsec""}, {""user"": ""3uqxds9f"", ""timestamp"": 1693214155.0, ""content"": ""NAT-T doesn\u2019t do anything to route traffic back the same tunnel. It\u2019s only there to bring up tunnels behind a NAT device. \n\nYou can still do what I suggested of doing S-nat and ecmp to route across multiple tunnels.""}, {""user"": ""b42upey"", ""timestamp"": 1693214255.0, ""content"": ""I'll configure this in UAT and let you know then.\nThank you for the tips, appreciate it""}, {""user"": ""nvfabfv"", ""timestamp"": 1693223203.0, ""content"": ""Hey, enable ECMP and enable symmetric return so that each traffic that enters the tunnel int also exits there, no need to do s-nat. If you mentioned 500 Mb/s limit on SaaS my guess that its Azure. 
Having 2 ipsec to the same public ip on saas end wont achive higher throuput becausw its still the same VPN gtw on saas end. They need to have 2 public IPs which are 2 vpn gtw then you can achive higher throuput.""}, {""user"": ""b42upey"", ""timestamp"": 1693223430.0, ""content"": ""Hello, it's not Azure really it's Netskope (SSE stack). Each VPN is connected to one unique public IP""}, {""user"": ""nvfabfv"", ""timestamp"": 1693226078.0, ""content"": ""I am not aware of Netskope SSE but I think you won't achieve anything if you use 2 tunnels between your PA and SSE if both are using one public IP each. Is your Internet link even capable of achiving 500Mb/s?""}, {""user"": ""b42upey"", ""timestamp"": 1693226452.0, ""content"": ""IPsec1 --isp--> public IP 1 (SSE)\nIPsec2 --isp--> public IP 2 (SSE)\n\nIpsec are mounted and they are fine. I can go through one or the other using PBF. \nInternet link is way more than 500Mbps""}, {""user"": ""nvfabfv"", ""timestamp"": 1693226842.0, ""content"": ""Why PBF, it adds unwanted complexity. Just enable ECMP+Symmetric return+ 2 static routes for example [10.0.0.0/24](https://10.0.0.0/24) to go through tunnel.1 and [10.0.0.0/24](https://10.0.0.0/24) to go through tunnel.2. PA will take care of everything else it will load balance based on IP modulo or ip hash. This will work perfectly if you only want to achieve load balancing across IPsec tunnels.""}, {""user"": ""b42upey"", ""timestamp"": 1693227152.0, ""content"": ""PBF was one way to redirect the traffic whiteout touching the vr in a first place but also PBF are in place for the IPsec failover \nI need to tackle some subjects first and I'll try both recommendations.""}]" +paloaltonetworks-161,"[{""user"": ""p8myn"", ""timestamp"": 1693125197.0, ""content"": ""Title: DHCP client cleared IP due to due to internal error, check for duplicate IPs or overlapping Subnets\n Body: I attached a Netgear LM1200 LTE modem (with an active subscription) to my PA-440 on eth 1/3. 
\nLM1200 is in bridge mode, the PA-440 gets a public IP address in the subnet 100.80.129.0/24\n\nMy primary ISP is connected to eth 1/1 with an ip address in subnet 94.110.32.0/19\n\nIn the logs I see: if-release-trigger then if-update-ok with an if-clear immediately after:\n\n>DHCP client cleared IP address on interface:ethernet1/3 due to: Release initiated due to internal error. Please check for duplicate IPs or overlapping Subnets. \n\nFrom time to time, the link goes down and up again some seconds later, followed by a if-clear due to NAK from server.\n\nA test with the LM1200 modem directly connected to my laptop shows no issues with a stable internet connection.\n\nThe PA-440 is constantly clearing the IP on eth 1/3. I'm running 10.2.5. \nI don't have overlapping subnets, my local subnets are in 192.168.0.0/16 and 10.0.0.0/8.\n\nAny ideas on this? ""}, {""user"": ""l9fr0"", ""timestamp"": 1693131668.0, ""content"": ""I would first check your Netgear and see what DHCP it\u2019s handing out. If it\u2019s overlapping with your Palo, you\u2019ll have issues. You say bridge mode which is a L2 issue. So something is conflicting between your Netgear and Palo. \n\nWhat device is handing out DHCP? Both?\n\nCan you provide a diagram or drawing of your setup?""}, {""user"": ""twkui26"", ""timestamp"": 1693336437.0, ""content"": ""Just in case there's some obscure bug at play here, it's worth noting that your IP 100.80.129.0/24 is not a normal public IP. It's part of the 100.64.0.0/10 address block reserved in RFC6598 for carrier grade NAT. Perhaps you can grab PCAPs of the DHCP packets with the LTE modem in bridge mode vs routed mode and see if there are any unexpected differences in the traffic.""}, {""user"": ""5gj3sjhny"", ""timestamp"": 1693141089.0, ""content"": ""Are both internet connections on the same VR?""}, {""user"": ""p8myn"", ""timestamp"": 1693143995.0, ""content"": ""The Netgear is in bridge mode, so it doesn't provide DHCP itself. 
\nInterface eth1/3 receives DHCP from the LTE provider.\n\nI want the public IP on the PA-440 interface. \nIf i would set the Netgear to routing instead of bridge, it would use subnet [192.168.5.1](https://192.168.5.1) by default, which is also not conflicting (but not used in my case).\n\nNetwork setup is very simple, the netgear is directly connected to interface eth1/3. \nDHCP works for some time, then i see a correct IP address on eth 1/3.""}, {""user"": ""p8myn"", ""timestamp"": 1693143719.0, ""content"": ""Yes""}, {""user"": ""p8myn"", ""timestamp"": 1693211773.0, ""content"": ""Well, i added the interface to a new VR and the issues are popping up again:\n\n\""DHCP client cleared IP address on interface:ethernet1/3 due to: Release initiated due to internal error. Please check for duplicate IPs or overlapping Subnets.\""""}, {""user"": ""5gj3sjhny"", ""timestamp"": 1693150663.0, ""content"": ""That is probably your problem. It\u2019s always better to put ISPs in their own VR, especially if dealing with DHCP where you creat the route automatically. \nPut your backup ISP in a VR with internal stuff, put the primary ISP in its own VR, create a PBF for all traffic from your internal zones to untrust for the primary ISP and put a monitor profile on it.""}, {""user"": ""p8myn"", ""timestamp"": 1693151337.0, ""content"": ""Thx, i will give this a try.""}, {""user"": ""5gj3sjhny"", ""timestamp"": 1693155389.0, ""content"": ""Just remember you need routes for internal networks in the primary isp vr with next-vr as destination. 
GL""}, {""user"": ""p8myn"", ""timestamp"": 1693158642.0, ""content"": ""I added the routes in the isp-vr to my internal clients with next-vr: default-vr \nI added a NAT rule \nI created a PBF for my client to [8.8.8.8](https://8.8.8.8).\n\nIn the logs i see outgoing traffic, Egress if is correct, NAT is applied, but no answer is coming back.\n\nI checked the drop counters to find the drop reason: \""Packets dropped: no ARP\""\n\nI tested PING, https and DNS. \nInternet is working on both internet connections when i test without PBF.\n\nAny ideas?""}, {""user"": ""5gj3sjhny"", ""timestamp"": 1693163090.0, ""content"": ""Can you send me screenshot of your PBF? \nDo your NAT policies have destination interfaces specified for each one?""}, {""user"": ""5gj3sjhny"", ""timestamp"": 1693163104.0, ""content"": ""Can you send me screenshot of your PBF? \nDo your NAT policies have destination interfaces specified for each one?""}, {""user"": ""p8myn"", ""timestamp"": 1693165184.0, ""content"": ""Testing scanario is a PBF rule that matches traffic from my laptop to [8.8.8.8](https://8.8.8.8), with source zones defined (no interfaces).The forwarding part of my PBF rule: [https://i.imgur.com/w8TbUqt.png](https://i.imgur.com/w8TbUqt.png)\n\nI have the interfaces defined for both NAT policies, according to the traffic logs, NAT is working correctly. I also see the NAT source address changing when i enable/disable the PBF rule.\n\nMy LAN interfaces are Layer2 with VLAN interfaces attached to them, since i'm getting packets dropped because no ARP, i'm thinking it could have something to do with them.""}, {""user"": ""5gj3sjhny"", ""timestamp"": 1693165339.0, ""content"": ""On your PBF, next hop needs to be the default gateway for the respective ISP. Put 8.8.8.8 as the IP under your monitor.""}, {""user"": ""p8myn"", ""timestamp"": 1693166236.0, ""content"": ""ISP is only DHCP with dynamic ip, the default gw can change.... 
That's why i've put none.\n\nEDIT: as a test i've put the current def. gw as the next hop and now it's working. Any chance to make this dynamic as i'm stuck to a dynamic IP?""}, {""user"": ""5gj3sjhny"", ""timestamp"": 1693166892.0, ""content"": ""Unfortunately not. Not a big deal to do this though as long as you verify failover works. Set an email alert for the PBF down log entry so you\u2019ll know if your gateway changes""}, {""user"": ""p8myn"", ""timestamp"": 1693167294.0, ""content"": "" Problem is the backup ISP is LTE/4G with data limit. Any other way to make this work, maybe without PBF but with routing prefs?""}, {""user"": ""5gj3sjhny"", ""timestamp"": 1693167605.0, ""content"": ""The great thing about PBFs is their flexibility. \nWhat ISP you want to be primary, make that a PBF in position 1 with a monitor pinging 8s or 1s or 9s. Then make a PBF in position 2 with no monitor. \n\nSo ISP 1 is used until the corresponding PBF goes down, then everything goes through ISP 2. Also allows you to have traffic from certain hosts or zones or whatever use one ISP or the other.""}]" +paloaltonetworks-162,"[{""user"": ""3ga29xuh"", ""timestamp"": 1693064325.0, ""content"": ""Title: Blocking Advertisements\n Body: On home lab pa-440 blocking web-advertisements, yet ads are still making its way through on YouTube. Thoughts on what else to block ? Any relevant EDL that can help?\nTIA\n\nEdit: time for SSL Decrypt. Thanks""}, {""user"": ""3rufgo3u"", ""timestamp"": 1693067192.0, ""content"": ""Try looking into PiHole""}, {""user"": ""d953k"", ""timestamp"": 1693065749.0, ""content"": ""I\u2019m trying to do the same at home with a pa-220 lab device, at the office we achieved this by using URL filtering on category. No EDLs are involved. The only difference is we bust SSL in the office and I haven\u2019t implemented that yet in my lab. 
I think that might be what we\u2019re both missing.""}, {""user"": ""dlz8m"", ""timestamp"": 1693065580.0, ""content"": ""Look at logs and leverage EDLs""}, {""user"": ""3ho57"", ""timestamp"": 1693066828.0, ""content"": ""I doubt you'll be able to block without TLS decrypt. I do this at home with a few devices and it works, but I'm decrypting.""}, {""user"": ""2z38uxaj"", ""timestamp"": 1693078245.0, ""content"": ""Pihole is about as good as you are going to get. Also if you are not blocking the Quic (sp) protocol your URL filtering will be impacted.""}, {""user"": ""fh8kg"", ""timestamp"": 1693075191.0, ""content"": ""You\u2019re probably not you going to have a whole lot of luck. I went down this road with my 440 and an AppleTV. The ads originate from the same source as the video itself, and use client certificates in the app. Even tried with a PiHole and had very little luck.""}, {""user"": ""khbu0ty9"", ""timestamp"": 1693070994.0, ""content"": ""How are you going to load a cert on a TV? Assuming that\u2019s also where you watch YouTube? Wouldn\u2019t it just be far easier to get YouTube premium""}, {""user"": ""13qr9k"", ""timestamp"": 1693064983.0, ""content"": ""What do the logs say?\n\nIf traffic is making it through, you have to find it, analyze it, and adjust your policies. \n\nIf you expect PA to do all the work via category, you\u2019re never going to get the full result you\u2019re looking for.\n\nAt the end of the day, you have to look at the logs.""}, {""user"": ""x5baa"", ""timestamp"": 1693086527.0, ""content"": ""Can you DM me the reseller you used for the 440 lab unit? I've had zero luck. 
I have a business and LLC I've used in the past for 220 lab units, but PA doesn't seem too interested in selling 440 lab units.""}, {""user"": ""ra02d"", ""timestamp"": 1693096062.0, ""content"": ""I added adware to anti-spyware object with action drop and few EDLs found from pihole github or something like that to DNS policies with action block and I also created custom URL category with \""web-advertisements\"" category and added it to a URL filtering. Blocks pretty much anything.""}, {""user"": ""1t5mtxmu"", ""timestamp"": 1693137050.0, ""content"": ""YouTube wised up to ad blocking and the ads don\u2019t come from ads.YouTube.com or YouTube.com/ads anymore, or really a different place than the content. You may have to PCAP the ads and make a custom vulnerability signature for the content that makes the ads unique.""}, {""user"": ""iwlnp"", ""timestamp"": 1693209568.0, ""content"": ""The most useful EDL would be this one:\n\n[https://iplists.firehol.org/files/yoyo\\_adservers.ipset](https://iplists.firehol.org/files/yoyo_adservers.ipset)\n\nUse it on a rule for your client traffic, make sure you reject and don't deny, to avoid a lot of hangs.\n\nIt's not perfect, but between that one and blocking web-ad domains with URL filtering life gets a lot better.""}, {""user"": ""883xh"", ""timestamp"": 1693074869.0, ""content"": ""What\u2019s \u201cbust ssl\u201d?""}, {""user"": ""3ga29xuh"", ""timestamp"": 1693075928.0, ""content"": ""Thank you for such detailed feedback.""}, {""user"": ""3ga29xuh"", ""timestamp"": 1693071094.0, ""content"": ""Exploring all options. YouTube was just one example. But his would for multiple services.""}, {""user"": ""ibia0"", ""timestamp"": 1693104558.0, ""content"": ""This is the way. 
\n\n* start with default built in\n* monitor\n* adjust your policy to reflect your scenario""}, {""user"": ""d953k"", ""timestamp"": 1693075566.0, ""content"": ""Decryption""}, {""user"": ""khbu0ty9"", ""timestamp"": 1693071756.0, ""content"": ""But you would still have an issue right? How will you load a cert on IoT devices?""}]" +paloaltonetworks-163,"[{""user"": ""68xt3"", ""timestamp"": 1692972770.0, ""content"": ""Title: Anyone use ECMP for internet access?\n Body: We have 2 x 1gbps circuits via different carriers on an active/passive ha pairs and wondering if the benefits of ECMP warrant enabling it? I am simply looking to enlarge our pipe while we work through upgrading those 1Gbps circuits. \n\nI read somethings about issues asymmetric routing and certain flows breaking due to taking different paths. We don't have any IPSEC tunnels or run global protect on this HA pair so the end goal would be simply to increase our internet pipe by deploying ECMP.\n\nAnyone use it and can share their experience?""}, {""user"": ""nwe85e06"", ""timestamp"": 1692983118.0, ""content"": ""Yes, i have it configured and it works. There are also vpns and gp running as well on the same box on those interfaces with ecmp enabled. It required a little testing and configuration adjustment, but in the end i have no issues with this configuration. It is important to enable symetric return and strict source paths.""}, {""user"": ""i5gzh"", ""timestamp"": 1692988328.0, ""content"": ""Do you own your own IPs? If you do it\u2019s gonna require a bit more thought. Maybe split the /24\u2019s across each ISP with failover to each ISP. \n\nI use ECMP in multiple places and it works as advertised.""}, {""user"": ""68xt3"", ""timestamp"": 1693071270.0, ""content"": ""We don't own the /24s and no BGP, I really just want to utilize both circuits at once. 
I currently static route monitoring for primary/standby default routes so I assume that has to go away when I enable ECMP as it will use both and whatever one is up correct?""}, {""user"": ""gy9l8fjgg"", ""timestamp"": 1692986218.0, ""content"": ""Instead of ECMP you can play with how you advertise routes on BGP. You can play with prefixes so asymmetric routing issue won\u2019t occur.. for example if you have 2 pools , advertise/23 on one and 24 on another.""}, {""user"": ""azicu"", ""timestamp"": 1693005033.0, ""content"": ""If you are using isp range and it\u2019s not a /24 then you have to make sure your source nat rules are setup so that your nats work because of the egress interface and not just the zone . \nSetup the ecmp algorithm so that it keeps the same session going out the same path . \nYou will only run into a few problems. There are some sites that use the IP as some kind of key for state . Uscourts.gov is one for sure . You might need some policy routes or static routes to keep sites like that using 1 ip path . \nThe majority of sites don\u2019t care if your IP changes right in the middle of the connection . If your cookie match it\u2019s you here is your data ! \n\nCitrix is another picky app \nAnd any vpn going from inside to out might have issues so you just have to see what\u2019s what once you do it unless you have a small setup and can vet almost all traffic .""}, {""user"": ""dlz8m"", ""timestamp"": 1693150424.0, ""content"": ""Yep, have set it up for clients and it works well. I would recommend on figuring so that it maintains the same path for a session. 
Even with this, you may still need to leverage PBF to ensure that traffic egresses a specific carrier for certain sites and their traffic.""}]" +paloaltonetworks-164,"[{""user"": ""42qihgop"", ""timestamp"": 1692978789.0, ""content"": ""Title: Observed UserID behavior change on any user rules 9.1 -> 11.0\n Body: A couple months ago we transitioned like-for-like from 3020s running 9.1 to 1410s on 11.0.2. The config needed very few changes, probably the biggest one was enabling kerberos for captive portal challenge since NTLM was deprecated in 10.x.\n\nWe have UserID enabled for Windows client subnets within our trust zone. UIA, redirect to captive portal with integrated backed up by forms authentication. Nothing new here beyond the switch from NTLM to Kerberos for captive portal.\n\nPreviously, for anonymous (any user) security rules, the access was allowed even if UserID info wasn't available. Example - an \""any user\"" security rule granting the client subnets access to SentinelOne cloud console. We don't care if it's identified, we just want it to work, even if the computer isn't logged in. We also had some copiers in this client range that could get out with an anonymous rule - no challenge. No way that they would understand the challenge.\n\nNow, none of these \""any user\"" rules in UserID subnets are working for unidentified traffic. Can't exactly tell, but I suspect they're being challenged for UserID.\n\nI went back and re-tested on 9.1 to confirm the previous behavior, compared configs, etc. I'm not seeing anything that would account for this behavior change. 
Is there a way to get the any user rules working again for unidentified traffic, without also breaking UserID?""}, {""user"": ""t144hhr"", ""timestamp"": 1692991816.0, ""content"": ""Looks like a very strange behaviour.\n\nWhat happens if, for testing purpose, you change the source user of a rule from \""any\"" to \""known-user\"" or \""unknown\""?""}, {""user"": ""42qihgop"", ""timestamp"": 1693253350.0, ""content"": ""Thanks for the suggestion.\n\nTried unknown user and re-tested, no change.""}]" +paloaltonetworks-165,"[{""user"": ""hs93d"", ""timestamp"": 1692991102.0, ""content"": ""Title: Netflow profile on Interface vs subinterface\n Body: Will a netflow profile applied to an AE interface forward the same traffic as the same profile applied to each of the subinterfaces?\n\nWhich is the best approach? Netflow profile on the AE interface, the subinterfaces, or all of the above?""}]" +paloaltonetworks-166,"[{""user"": ""nwt3q"", ""timestamp"": 1692978753.0, ""content"": ""Title: GP Agent 6.2 Portal Selection\n Body: Helloooo fellow PAN'ers!\nI seem to be having an issue with 6.2 (downgraded as test, same behavior) client and the ability to change portal when connecting to an onPrem gateway. The option is grayed out on the main screen as well as no option to add or remove a portal in the settings. I do have teh agent config set to allow portal change and there are multiple portals in the client. \nOddly enough the same agent config works as it should when connecting to Prisma. 
\nPerhaps a bug with PANOS 10.1.6-h6 ?\n\nAnyone else hit this booger ?\n\nTIA""}]" +paloaltonetworks-167,"[{""user"": ""15x5o8pd"", ""timestamp"": 1692929399.0, ""content"": ""Title: Let's Encrypt and GlobalProtect\n Body: Yeah, I know it has been discussed for a long time but 99% of the tutorials and discussions found on the internet are not updated.\n\nDoes anyone configure Let's Encrypt using a wildcard SSL certificate on Palo Alto with an auto-renew option for the certificates like as mentioned in this article? [https://medium.com/palo-alto-networks-developer-blog/costless-automated-trusted-certificates-on-palo-alto-networks-firewalls-5b2930b2893f](https://medium.com/palo-alto-networks-developer-blog/costless-automated-trusted-certificates-on-palo-alto-networks-firewalls-5b2930b2893f) \n\n\nI was using ZeroSSL but it just stopped working and now I'm receiving an error message about the SSL certificate when connecting to the VPN. \n\n\nCheers!""}, {""user"": ""i5gzh"", ""timestamp"": 1692938681.0, ""content"": ""There\u2019s a feature request for it. Go add your input.""}, {""user"": ""dlz8m"", ""timestamp"": 1692933619.0, ""content"": ""I really wish they would build in LetsEncrypt support so that the firewall can, through a built-in process, get certs.""}, {""user"": ""3hm7h765"", ""timestamp"": 1692930232.0, ""content"": ""You would think that for a security-related company they would make this easier to configure. It's not like they have a financial interest in your paying for SSL certs.""}, {""user"": ""e6qh3"", ""timestamp"": 1692972727.0, ""content"": ""Palo Alto Networks sees themselves as an enterprise networking company. Let's Encrypt is not an enterprise integration. I wouldn't hold your breath. \n\nNo big RFP, no future deal, is going to hinge on Let's Encrypt integration.""}, {""user"": ""57bwa"", ""timestamp"": 1692996543.0, ""content"": ""I do the same in that article but with powershell and Posh-ACME. 
it then uses the XML to upload the certificate, change the SSL/TLS service profile and commit. Not the best way but it works.""}, {""user"": ""58wl1p9f"", ""timestamp"": 1693051591.0, ""content"": ""If you can afford a Palo Alto Firewall but yet can\u2019t \u201cafford\u201d a cert, I\u2019m worried for you.""}, {""user"": ""xu02r"", ""timestamp"": 1692977820.0, ""content"": ""I do , but I find it is flakey on keeping updated. I run certbot with cloudflare dns mode to get the wildcard and then push it by api. But I have seen it fail to update on more then one expiring cert and then you have to manually remove the expired cert and reinstall the new one""}, {""user"": ""oiu1w"", ""timestamp"": 1692988772.0, ""content"": ""We use [Certify the web](https://certifytheweb.com/) and then import by hand :(""}, {""user"": ""bs3utn"", ""timestamp"": 1693038990.0, ""content"": ""\""it just stopped working\""\n\nThe renewal of the cert with [scme.sh](https://scme.sh), or the deployment to the Palo?""}, {""user"": ""pjst6i0p"", ""timestamp"": 1693088255.0, ""content"": ""I use certbot on a rpi to do my letsencrypt certs and push to the firewall with api calls.\n\nThere was/is a bug in 10.1, 10.2 and 11.0 where you couldn't replace the cert and key, it would complain about cert/key mismatch. Took me far too long to get tac to recognise the bug and raise it.\nIn 10.2.4 and 10.1.12 it's been patched iirc but due to 11.0.3 still.\nSo you need to set certbot to reuse the key on renewal if punting it up with the same name.""}, {""user"": ""66ovb"", ""timestamp"": 1693188397.0, ""content"": ""Question, Do you need a wildcard? \n\nIf not, this can be pretty easily configured with certbot and post and pre-hooks. \n\nThe issue you might be running into is new keys. I have just been reusing my private key on renewals. Lets be honest there is really no risk of key compromise for small home labs. 
Certbot allows you to renew with the same private key at which point you can just upload via the xml api (and panpython) using the the same certificate name. For simplicity I run a small VM in an isolated vlan for this task in my environment. I have the host firewall blocking incoming connections until I need to renew and have nat and firewall rules in place for port 80 to push acme requests only to that host during renewal. \n\nIf you are interested, I could share more details and some config files for my current process. It is completely automated and happens without any input from me (except when I occasionally rotate private keys about once a year.)""}, {""user"": ""s12dl"", ""timestamp"": 1693263979.0, ""content"": ""I use the [acme.sh](https://acme.sh) setup referenced above and it works HOWEVER I did have an issue after the cert renewal then the API call to update the cert was chocking on the [acme.sh](https://acme.sh) command requiring the --ecc switch (for some reason it would just complain that the firewall already had an ECC cert on it instead of just updating the old cert with the new one). Found this out by running the commands with --debug and then doing a bit of research. Ran the import command manually again with --ecc and it worked so it may have been a bug in the version of [acme.sh](https://acme.sh) I was running so I then updated [acme.sh](https://acme.sh) ([acme.sh](https://acme.sh) \\--upgrade I think). So now it SHOULD work again at next renewal time.\n\n​\n\nI used to use certbot for a couple years but it required a dumb bash script and a bunch of error checks, and XML API calls, and commits to do the full chain of events so I ditched that for acme.""}, {""user"": ""4qvr7"", ""timestamp"": 1692977665.0, ""content"": ""At this point it's annoying that basic standard security features are missing or behind paywalls. 
I'm already pissed off that half of my online services support SSO (with MFA) and user provisioning at any level, and the rest hide it behind \""enterprise\"" level pricing tiers for no particular reason.""}, {""user"": ""15x5o8pd"", ""timestamp"": 1692935688.0, ""content"": ""Yeah, they will probably not make this easier, but I'm trying to find a solid and updated procedure to make it work without spending much money.""}, {""user"": ""p1pda"", ""timestamp"": 1692984603.0, ""content"": ""Yes two factor is such a mandatory thing these days that all the vendors that stick it only in the top license tier are assholes.""}]" +paloaltonetworks-168,"[{""user"": ""iim0f"", ""timestamp"": 1692951528.0, ""content"": ""Title: Cortex XDR destination domains\n Body: Hey there,\nwe got a bunch of hosts without internet access. Now Cortex XDR is supposed to be setup and we assumed limited access could be realised by allowing only two applications: *cortex-xdr* and *traps-management-service*. However since *cortex-xdr* depends on *ssl* and *web-browsing*, we'd give those systems full access to the internet.\n\nI guess a dedicated *Broker VM* would be the way to go here. But since its only a handful of clients we wondered if it's possible to just restrict the access using destination domains (or IPs). So far we weren't able to find anything in this regard published by PAN.""}, {""user"": ""6bsehino"", ""timestamp"": 1692963574.0, ""content"": ""Here is what is required. \n\nhttps://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Pro-Administrator-Guide/Resources-Required-to-Enable-Access""}, {""user"": ""iim0f"", ""timestamp"": 1692965869.0, ""content"": ""Now I just feel dumb.. thank you! :]""}]" +paloaltonetworks-169,"[{""user"": ""hkhrn13o"", ""timestamp"": 1692896024.0, ""content"": ""Title: PA 220 ram upgrade\n Body: Has anyone tried adding ram to a 220? As we all know, it's slow. Just wondering if anyone threw some ram at it to see if the interface responds faster. 
I don't think anything will speed up commits or booting.\n\nYes, I know opening the box violates the warranty, I don't really care.""}, {""user"": ""p1pda"", ""timestamp"": 1692896931.0, ""content"": ""No there's nothing to be done. I haven't opened one but doubt the RAM is on a DIMM, and also doubt that RAM is the issue, the CPU is just insufficient.""}, {""user"": ""4h80c"", ""timestamp"": 1692897554.0, ""content"": ""Nope, though I do remember upgrading RAM on tons of ASA 5505\u2019s in the past.""}, {""user"": ""gcc16"", ""timestamp"": 1692900286.0, ""content"": ""I've opened one (all the magic blue smoke came out, I was curious). There's nothing to upgrade.""}, {""user"": ""kevpn"", ""timestamp"": 1692901895.0, ""content"": "">Yes, I know opening the box violates the warranty, I don't really care.\n\nDepending on the situation (not like I've read the PAN-OS source code, I just know this is how cloud-delivered stuff works) I'd imagine you can also run into issues with your actual license if you just start beefing out low-end boxes too""}, {""user"": ""883xh"", ""timestamp"": 1692904770.0, ""content"": ""Download some more ram.""}, {""user"": ""14crbcom"", ""timestamp"": 1692922831.0, ""content"": ""Are you serious dude?""}, {""user"": ""fh8kg"", ""timestamp"": 1692908061.0, ""content"": ""I popped one open once and pretty sure it was all soldered down.""}, {""user"": ""8e8pvsdc"", ""timestamp"": 1692923700.0, ""content"": ""That would be cool if you could but no Serviceable parts inside. It\u2019s also likely it wouldn\u2019t use the ram anyways. We have a couple that use the VM version and it\u2019s limited on ram in the OS. The host has lots of ram but it won\u2019t use it. Now the VMs version on a Xeon gold freaking smokes.""}, {""user"": ""3k30dfsq"", ""timestamp"": 1692953098.0, ""content"": ""Opened one recently... 
nothing can be changed/upgraded in there.\n\nEverything (Processor, RAM, Flash memory) are soldered onto the board inside.""}, {""user"": ""fhynp"", ""timestamp"": 1693006380.0, ""content"": ""PA 400 series is the solution. Night and day. I can\u2019t wait to get rid of the rest of our 220s.""}, {""user"": ""s12dl"", ""timestamp"": 1693263592.0, ""content"": ""The 200 you can upgrade but as many have mentioned already the 220 uses soldered in chips on the board""}, {""user"": ""vilwc60s"", ""timestamp"": 1692935060.0, ""content"": ""The ol unlisted support for 1gb dimms""}, {""user"": ""2z38uxaj"", ""timestamp"": 1692968974.0, ""content"": ""Thanks""}, {""user"": ""hkhrn13o"", ""timestamp"": 1693270631.0, ""content"": ""I've done some upgrades on the 200's in the past. \n\nThe M-100 was another device that benefitted tremendously with another 16 gig and a SSD swap.""}]" +paloaltonetworks-170,"[{""user"": ""5o1o71pv"", ""timestamp"": 1692883947.0, ""content"": ""Title: For those who have Prisma certs, do you think some or all can be conquered by just studying the content from the official pdf study guides on the site?\n Body: I'm referring to the downloadable guides like [this one](https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/datasheets/education/pccse-study-guide.pdf) for example.""}, {""user"": ""fh8kg"", ""timestamp"": 1693099372.0, ""content"": ""No, you need seat time with the CLI commands.""}, {""user"": ""5o1o71pv"", ""timestamp"": 1693225376.0, ""content"": ""So aside from that, would you say the exam is passable with just the study guide?""}, {""user"": ""fh8kg"", ""timestamp"": 1693330699.0, ""content"": ""Yeah, it\u2019s fairly close. 
I remember a ton of questions around Twistlock, how the dashboards were structured, and where to look for alerts.""}, {""user"": ""5o1o71pv"", ""timestamp"": 1693473932.0, ""content"": ""Appreciate the insight.""}]" +paloaltonetworks-171,"[{""user"": ""4eo4sqna"", ""timestamp"": 1692911533.0, ""content"": ""Title: Azure Virtual Network Gate and Route Tables\n Body: Hey not sure if someone can help answer this question.\n\nSo currently we have a hub-spoke setup where we have..\n\n1x Palo Alto behind a Load balancer\n\n1x Spoke Vnets Peered to Hub Vnets. We currently do not have the \""use remote networks virtual network gateway configured\"".\n\n2. Route Tables with Next hop being the LB/Palo Alto.\n\n* Gateway Route Table has Azure VNETS Defined\n* Spoke Vnet has Route Table with other VNETS defined and On-Premise Network Defined\n\n​\n\nWhen running a ping from VNET to On-Premise seems to fail so we allowed it on the Firewall but then we werent seeing it coming through as deny or allow but was still not working. When we went from OnPremise ping to VNET Ping the first few failed but then we started getting a response from both sides.\n\nThe only thought I have on how this is working is the route table propagation. is there something I should be adding to our topology? like the enable the \""Use Remote networks virtual Gateway\""? or another route table?\n\n​\n\n​""}, {""user"": ""5gj3sjhny"", ""timestamp"": 1693096482.0, ""content"": ""Is the ping going through the load balancer? Icmp is dropped by azure load balancers.""}, {""user"": ""nvfabfv"", ""timestamp"": 1693229186.0, ""content"": ""Can you share route table of your VM from which you are testing ICMP? \nGO to VM NIC and then to effective routes.""}, {""user"": ""nvfabfv"", ""timestamp"": 1693229154.0, ""content"": ""From my experiance internal LBs unofficially permit ICMP. 
External LB still dont permit this.""}]" +paloaltonetworks-172,"[{""user"": ""odjep3mn"", ""timestamp"": 1692903095.0, ""content"": ""Title: Global Protect, Local User and Security Policy\n Body: I am trying to connect to VPN using Global Protect and a local user account (local to the firewall).\n\nI was able to connect but the traffic doesn't see the user in the logs.\n\nHow can I get the local user account to show in the traffic logs so I can add that user to the security policy?\n\nI can assign AD users to security policies but that info is coming from the user\\_id agent and not directly from the firewall. ""}]" +paloaltonetworks-173,"[{""user"": ""5vzlhaol"", ""timestamp"": 1692892642.0, ""content"": ""Title: Cortext XDR Pro - How do i proactively stop infected files from being downloaded ?\n Body: Hi all,\n\nWe have recently acquired XDR Pro licenses and just got done deploying on all our devices. But i've been noticing that when i try to download a malicious file (i tried with [eicar.com](https://eicar.com) sample files), it goes through (even though it's always immediately cleaned up). I would like it to block it before it even downloads. Which policy should i configure for this ?""}, {""user"": ""yhgp4"", ""timestamp"": 1692893644.0, ""content"": ""You can\u2019t today. They\u2019re working on it though""}, {""user"": ""px843"", ""timestamp"": 1692900926.0, ""content"": ""that would be the job of the firewall""}, {""user"": ""ncv6r"", ""timestamp"": 1692928089.0, ""content"": ""Eicar also isn't malicious..\n\nBut, as others have said, anything being downloaded like that should be picked up from a Network perspective. 
On write scanning is massively resource intensive and relies a lot on static hashes (and leads to insecure blanket policies like excluding whole directories or even drives from policies) so modern EDR tools don't use that method anymore.""}, {""user"": ""5vzlhaol"", ""timestamp"": 1692952458.0, ""content"": ""well shouldn't it behave at leat like most competing endpoint protection solutions, and simply prevent you from downloading malicious files ? i'm new to cortex, but i've deployed Kaspersky EDR, Sophos InterceptX and Checkpoint Harmony and they all do that. To me this is a basic feature that all endpoint protection solutions should do""}, {""user"": ""14gkhj"", ""timestamp"": 1692963371.0, ""content"": ""Last time I\u2019ve asked PAN, they said who needs web protection ? That\u2019s fw job.""}]" +paloaltonetworks-174,"[{""user"": ""4utt7nbk"", ""timestamp"": 1692877555.0, ""content"": ""Title: Geo-blocking on Palo Alto, do I need license?\n Body: Hi, All\n\nDo we need license when the requirements are to block some geo locations?\n\nIs it done to Global Protect or just securty policy rule?\n\nMany thanks!""}, {""user"": ""e6qh3"", ""timestamp"": 1692889303.0, ""content"": ""It is part of the content update. You get the content update through the App and Threat update. \n\nYou need a support license. That entitles you access the update. \n\nI wish they would split app and threat. If you don't have a threat license you still use the \""app and threat\"" update, but you don't actually get the threat signatures. \n\nI have a little hint for you, if you don't have a support license, you can try the \""on site spare\"" maintenance method. This should let you get the content update on a box with no license. Note that is has to be a box with no license, if it has an expired license the OSS method won't work.""}, {""user"": ""40rpr529"", ""timestamp"": 1692878740.0, ""content"": ""Just security policy inbound to your global protect IPs, no licence needed. 
Still can\u2019t make geo location groups which is a pain. Gotta put all the regions you want in the rule.""}, {""user"": ""4utt7nbk"", ""timestamp"": 1692901673.0, ""content"": ""Thanks for your hint!""}, {""user"": ""ibia0"", ""timestamp"": 1692879040.0, ""content"": ""The geo database is part of the threat license if I recall correctly, so that is still needed.\n\nNo GP license needed though, to the OPs question.""}]" +paloaltonetworks-175,"[{""user"": ""4utt7nbk"", ""timestamp"": 1692877532.0, ""content"": ""Title: Geo-blocking on Palo Alto, do I need license?\n Body: Hi, All\n\nDo we need license when the requirements are to block some geo locations?\n\nIs it done to Global Protect or just securty policy rule?\n\nMany thanks!""}, {""user"": ""7uo2ueuk"", ""timestamp"": 1692879368.0, ""content"": ""Geoblock doesn't require a license,\n\nJust create a security policy with source any/any and the destination being the country codes.\n\nProfit.""}, {""user"": ""gcc16"", ""timestamp"": 1692877907.0, ""content"": ""No special license is required beyond being on active support, and having active threat (I'm not sure how the updates are provided)\n\nYou can use geoblocking in a policy (permit or allow), or in global protect (allow, deny by exclusion), just understand that it's far from a foolproof way to actually identify identities from those locales.""}, {""user"": ""ibia0"", ""timestamp"": 1692888559.0, ""content"": ""Requires threat license to get the updated DB. Most people should have that versus a GP/URL/etc, but valid callout""}, {""user"": ""4utt7nbk"", ""timestamp"": 1692878778.0, ""content"": ""I see, thank you so much! I was just little confused about that portion, licences/no license. 
Thanks, Cheers!""}, {""user"": ""7uo2ueuk"", ""timestamp"": 1692894790.0, ""content"": ""You could always manage your own geo ip db :)""}]" +paloaltonetworks-176,"[{""user"": ""x5baa"", ""timestamp"": 1692832959.0, ""content"": ""Title: All New Content Updating Failing\n Body: All new content update is failing to install, be it Antivirus, Apps and Threats, and Wildfire. I have a VM-50 running 10.0.11-H1 ( I know, EOL).\n\nI have an automatic schedule to install them, and a few weeks back they started failing, specifically on 8/17.\n\nThe errors I see in the Content jobs shows:\n\n \n\n* `Error: failed to handle VIRUS_UPDATE_BLOCK`\n* `(Module: device)`\n* `Failed to commit policy to device`\n* `Failed to commit new content automatically. Please use the commit command to start using the new content.`\n\nWhen I commit through the GUI, I see these errors:\n\n `Details`\n\n* `vsys1`\n* `Warning: EDL ZeusTracker used in policy has no valid entries`\n* `Error: failed to handle WPC_UPDATE`\n* `(Module: device)`\n* `Commit failed`\n\nThe ZuesTracker is among a bunch of old EDLs I need to remove but this never caused issues in the past.\n\nWhen I commit through the CLI, I see this almost the same thing.\n\n`vsys1`\n\n`Warning: EDL ZeusTracker used in policy has no valid entries`\n\n`Error: failed to handle WPC_UPDATE`\n\n`(Module: device)`\n\n`Commit failed`\n\nThis is interesting when showing ctd state:\n\n`Content Allocator Usage : 534784 KB (100% of 534784 KB)`\n\n​\n\n`Current CTD Version : 1 (idx 1, content 8743-8223)`\n\n `TDB Custom(valid)`\n\n `CTD Usage : 234368 KB (Actual 233653 KB)`\n\n `Custom Allocator Usage : 128 KB (Actual 49 KB)`\n\n​\n\n`Alternate CTD Version : 123 (idx 0, content 8743-8223)`\n\n `TDB`\n\n `CTD Usage : 234368 KB (Actual 233653 KB)`\n\n `Virus Allocator Usage : 27776 KB (Actual 27359 KB)`\n\nAND\n\n`debug dataplane show cfg-memstat statistics`\n\n​\n\n`Policy cache usage threshold = 100%`\n\n​\n\n`VSYS Config Allocator Usage : 30208KB (63% 
of 47616KB)`\n\n​\n\n`Current config memory usage`\n\n`Misc : 5632 KB (Actual 5501 KB)`\n\n`Custom URL : 128 KB (Actual 0 KB)`\n\n`Global : 7808 KB (Actual 7738 KB)`\n\n`vsys1 : 512 KB (Actual 388 KB)`\n\n​\n\n`Last config memory usage`\n\n`Misc : 5632 KB (Actual 5504 KB)`\n\n`Custom URL : 128 KB (Actual 0 KB)`\n\n`Global : 7808 KB (Actual 7738 KB)`\n\n`vsys1 : 512 KB (Actual 388 KB)`\n\n​\n\n`VSYS POLICY CACHE Allocator Usage`\n\n​\n\n`POLICY CACHE (ACTIVE) : 19661KB`\n\n`POLICY CACHE USAGE : 12160KB (61% of 19648KB)`\n\n`alloc size 8190384, max 8190384`\n\n`sz allocator, page size 32760, max alloc 1024 quant 16`\n\n`pool 0 element size 16 avail list 1 full list 31`\n\n`pool 1 element size 32 avail list 1 full list 77`\n\n`pool 2 element size 48 avail list 1 full list 0`\n\n`pool 3 element size 64 avail list 1 full list 25`\n\n`pool 4 element size 80 avail list 1 full list 11`\n\n`pool 5 element size 96 avail list 1 full list 0`\n\n`pool 6 element size 112 avail list 1 full list 7`\n\n`pool 7 element size 128 avail list 1 full list 4`\n\n`pool 8 element size 144 avail list 1 full list 149`\n\n`pool 9 element size 160 avail list 1 full list 4`\n\n`pool 10 element size 176 avail list 1 full list 2`\n\n`pool 11 element size 192 avail list 1 full list 0`\n\n`pool 12 element size 208 avail list 1 full list 2`\n\n`pool 13 element size 224 avail list 1 full list 1`\n\n`pool 15 element size 256 avail list 1 full list 1`\n\n`pool 16 element size 272 avail list 1 full list 1`\n\n`pool 18 element size 304 avail list 1 full list 1`\n\n`pool 19 element size 320 avail list 1 full list 1`\n\n`pool 21 element size 352 avail list 1 full list 1`\n\n`pool 22 element size 368 avail list 1 full list 1`\n\n`pool 24 element size 400 avail list 1 full list 1`\n\n`parent allocator`\n\n`alloc size 11183448, max 11183448`\n\n`sz allocator, page size 262184, max alloc 32768 quant 1024`\n\n`pool 1 element size 2048 avail list 1 full list 0`\n\n`pool 31 element size 32768 avail list 1 full 
list 42`\n\n`parent allocator`\n\n`alloc size 11536096, max 11536096`\n\n`sz allocator, page size 1081384, max alloc 270336 quant 8192`\n\n`pool 32 element size 270336 avail list 0 full list 11`\n\n`parent allocator`\n\n`alloc size 11903984, max 11903984`\n\n`var chunk allocator, size 20132699 chunk size 32768 number of chunks 614`\n\n​\n\n `POLICY CACHE (PASSIVE) : 19661KB`\n\n`POLICY CACHE USAGE : 12160KB (61% of 19648KB)`\n\n`alloc size 8194536, max 8194552`\n\n`sz allocator, page size 32760, max alloc 1024 quant 16`\n\n`pool 0 element size 16 avail list 1 full list 31`\n\n`pool 1 element size 32 avail list 1 full list 77`\n\n`pool 2 element size 48 avail list 1 full list 0`\n\n`pool 3 element size 64 avail list 1 full list 25`\n\n`pool 4 element size 80 avail list 1 full list 11`\n\n`pool 5 element size 96 avail list 1 full list 0`\n\n`pool 6 element size 112 avail list 1 full list 7`\n\n`pool 7 element size 128 avail list 1 full list 4`\n\n`pool 8 element size 144 avail list 1 full list 149`\n\n`pool 9 element size 160 avail list 1 full list 4`\n\n`pool 10 element size 176 avail list 1 full list 2`\n\n`pool 11 element size 192 avail list 1 full list 0`\n\n`pool 12 element size 208 avail list 1 full list 2`\n\n`pool 13 element size 224 avail list 1 full list 1`\n\n`pool 15 element size 256 avail list 2 full list 0`\n\n`pool 16 element size 272 avail list 2 full list 0`\n\n`pool 18 element size 304 avail list 1 full list 1`\n\n`pool 19 element size 320 avail list 1 full list 1`\n\n`pool 21 element size 352 avail list 1 full list 1`\n\n`pool 22 element size 368 avail list 1 full list 1`\n\n`pool 24 element size 400 avail list 1 full list 1`\n\n`parent allocator`\n\n`alloc size 11183448, max 11206992`\n\n`sz allocator, page size 262184, max alloc 32768 quant 1024`\n\n`pool 1 element size 2048 avail list 1 full list 0`\n\n`pool 31 element size 32768 avail list 1 full list 42`\n\n`parent allocator`\n\n`alloc size 11536096, max 11536096`\n\n`sz allocator, page size 
1081384, max alloc 270336 quant 8192`\n\n`pool 32 element size 270336 avail list 0 full list 11`\n\n`parent allocator`\n\n`alloc size 11903984, max 11903984`\n\n`var chunk allocator, size 20132699 chunk size 32768 number of chunks 614`\n\n​\n\nAny ideas?\n\n​""}, {""user"": ""5lged5af"", ""timestamp"": 1692852443.0, ""content"": ""What is the EDL refresh interval? If it is very low try to increase it to hourly and then try to commit. There is/was a bug with failing commits and EDL refresh.\n\nAND I'd prefer to switch to a supported release.""}, {""user"": ""x5baa"", ""timestamp"": 1692902120.0, ""content"": ""Refresh is an hour on all. I have removed them from policy and deleted all the old ones, but the commit fails for the same error. I had to reboot to get autocommit to delete the EDLs, but I am still facing the same issue.\n\nAs for the upgrade, I had a major issue with the upgrade to 10.1 previously. I am using ESXi with PCI Passthrough of two quad port I340s. After the upgrade, the VM no longer recognized the NICs for some reason.""}]" +paloaltonetworks-177,"[{""user"": ""frrs14kyp"", ""timestamp"": 1692854020.0, ""content"": ""Title: Push to firewall failed\n Body: I am receiving the commit failed while pushing to firewall.""}, {""user"": ""72sddezw"", ""timestamp"": 1692923961.0, ""content"": ""that is not reddit worthy, If you push a commit and it does NOT fail... then you can post about it on reddit. This is PAN OS after all. If your using panorama then if you push a commit and it does not break the firewall so bad that you have to perform a factory reset then you have something reddit worthy!\n\nGood Luck :)""}, {""user"": ""5gj3sjhny"", ""timestamp"": 1692879498.0, ""content"": ""https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PMb2CAG&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail""}, {""user"": ""i4b96h0ru"", ""timestamp"": 1692899326.0, ""content"": ""What version of PAN-OS are you running? 
This is likely caused by PAN-201910, which is fixed in PAN-OS 9.1.16, 10.1.9, and 10.2.4.\n\nI ran into the same issue on a PA-VM 100, and will upgrade to a fixed version of PAN-OS. As a temporary workaround until you can upgrade, please try to downgrade Apps & Threats to an older version, 8735-8187 worked for me.""}, {""user"": ""frrs14kyp"", ""timestamp"": 1692904091.0, ""content"": ""Thanks""}, {""user"": ""frrs14kyp"", ""timestamp"": 1692904157.0, ""content"": ""10.1.8-h2 on both Pano and Fw\n\nIssue is fixed now post resetting the mgmt srvr""}]" +paloaltonetworks-178,"[{""user"": ""b8ecz"", ""timestamp"": 1692824426.0, ""content"": ""Title: Is there a recent guide on how to set GP behind NAT with multiple gateways?\n Body: In short, we're moving from a physical data center to VMC. We decided putting our VM Palo on NSX would be too much a pita since it'll only be used as a VPN Concentrator. \n\nWe normally have 2 vpn gateways. NoSplit and Split (for reasons). \n\nIs there a recent guide to set this up? My config from the on prem isn't working and I'm confident is the methodology I'm using with loopbacks vs the physical eth. ""}, {""user"": ""xbtmk"", ""timestamp"": 1692836277.0, ""content"": ""Haven't done it in the cloud, but i NAT my portals and gateways through the firewall to loopbacks. Nothing fancy, just make sure your untrust-to-trust security policies still reference the \""untrust\"" IP's in the destination field.\n\ni suppose this depends on the cloud platform, my experience is with Azure and i'd expect that your \""untrust\"" IP address is a private one, not the public IP...so keep that in mind for your NAT/security policies.\n\ntough to recommend a solution without knowing what pieces are/arent working.""}, {""user"": ""b8ecz"", ""timestamp"": 1692850784.0, ""content"": ""Yea. Not at the edge, and can\u2019t get a routable public address. So I\u2019m natd to an 10.x.x.x address. 
Looks like I\u2019ll have to do a 1:1 NAT on the 3 public addresses for the 3 gateways. And put 3 10.x addresses on the internet (natd) facing interface.""}, {""user"": ""4le2ez2s"", ""timestamp"": 1692877689.0, ""content"": ""Loopback IPs are the best practice way if you need to have a properly working multi ISP GP configuration.""}, {""user"": ""b8ecz"", ""timestamp"": 1692879259.0, ""content"": ""Yea, luckily I only have one upstream in VMC. \n\nI think I\u2019m able to wrap my head how and why GP is configured a certain way now.""}]" +paloaltonetworks-179,"[{""user"": ""cqkorcxy"", ""timestamp"": 1692816091.0, ""content"": ""Title: Information on Logical Routers over Virtual Routers?\n Body: Hi all! First time posting, but been searching here for quite some time for help w/ Palo's.\n\nDoes anyone have any experience (and issues) working w/ Logical Routers (Advanced Routing Engine) over Virtual Routers? Debating on going with it on a new deployment instead of the Virtual Routers as I have lots of BGP routes / profiles that could benefit from the new routing profile 'sharing' mechanisms.\n\nI'd really like to know if anyone has had any issues with it, from a performance / technical POV and from a management POV.\n\nThanks in advance!!""}, {""user"": ""144wwl"", ""timestamp"": 1692829623.0, ""content"": ""I had some issues when I switched.. specifically the virtual router config still existed but the virtual router did not.. so I couldn\u2019t push a commit it bricked the box and I had to factory reset.\n\nIf you\u2019re starting fresh you should be fine. It will become mandatory in some PanOS so makes sense to use it now if your using a new deployment.""}, {""user"": ""6epgk"", ""timestamp"": 1692829405.0, ""content"": ""They mostly operate the same conceptually. Under the hood things are a bit more efficient because they are using user namespacing to achieve better resilience on the routing processes. 
For the most part logical routers and virtual routers differ in how you export and import routes. Advanced routing engine is built on route maps""}, {""user"": ""54xffrv"", ""timestamp"": 1692836921.0, ""content"": ""I started with PA440s and PA3410s using the Advanced Routing Engine in 10.2.\n\nI am using eBGP as my internal routing protocol and find that it works well.""}, {""user"": ""4wsimck3"", ""timestamp"": 1692845761.0, ""content"": ""If I am reading your comment correctly, users will have to migrate to logical routers in order to continue to update their fws? If so - Damn, I did not know this\u2026 is there any support docs on this?""}]" +paloaltonetworks-180,"[{""user"": ""68xt3"", ""timestamp"": 1692816056.0, ""content"": ""Title: TCP retransmits/Out-of-order when/DUP ACK behind PAN, none when in-front of it\n Body: We have an issue with machines behind an HA pair of PAN 3060s and uploading data to a server in our DC. Its all internal traffic so nothing to or from the internet. Source is a zone behind the FW to our DC via a fiber connection. \n\nBasically if a machine attempts to upload data (3GB give or take) from behind the PAN it fails silently (traffic just stops passing) with a ton of TCP retransmissions through the PAN. If we move the job to a machine in-front of the PAN (in the same office taking the same path minus the PAN) then it works without issue. \n\nPacket captures show the TCP retransmits and DUP ACK s but not sure what that is. Interfaces along the path are clean, path is the same in both directions (not asymmetric) and we are allowing all(not using app-ids or application default) traffic in both directions. There is no zone protection profile on the egress interface but there is on the ingress but I don't see anything in the threat logs dropping it. 
\n\nI suspect the PAN is doing something but I am not sure what.\n\n​""}, {""user"": ""bwz0h"", ""timestamp"": 1692817615.0, ""content"": ""When you saying it's dropping silently, please elaborate? Are you not seeing the session as dropped in monitor?""}, {""user"": ""3rufgo3u"", ""timestamp"": 1692818416.0, ""content"": ""Have you checked for drop counters? How are the files sent over? SFTP?""}, {""user"": ""68xt3"", ""timestamp"": 1692822646.0, ""content"": ""I went ahead and created an application override for port80 and added a rule for the source and destination IPs and it worked. The only difference I see in the flow is the 'layer7 processing' says 'completed' vs 'enabled' without the override.\n\nAnyone know what is going on here?\n\n BEFORE override:\n ......\n session to be logged at end : True\n session in session ager : False\n session updated by HA peer : False\n layer7 processing : enabled\n \n AFTER:\n admin@3020(active)> show session all filter application port80-override\n .....\n 134917 port80-override ACTIVE FLOW 10.99.67.54[51652]/Lab/6 (10.99.67.54[51652]) vsys1 \n \n 10.199.10.49[80]/trust (10.199.10.49[80]) \n \n admin@3020(active)> show session all filter application port80-override\n .......\n application : port80-override\n rule : Engineering-build \n service timeout override(index) : False\n session to be logged at end : True\n session in session ager : True\n session updated by HA peer : False\n layer7 processing : completed""}, {""user"": ""8tmha"", ""timestamp"": 1692825273.0, ""content"": ""What version of panos? I thought i recall seeing something in the patch notes regarding out of order packets?""}, {""user"": ""68xt3"", ""timestamp"": 1692820762.0, ""content"": ""What I mean is all packets stop passing, nothing on the far end and nothing on the firewall. Monitor shows tcp-fin as the session end reason. 
From end user the session is just dead and hangs for twenty minutes before closing out.\n\nLooking at the CLI I see counters increasing but the only one dropping anything is the one below. Also I was seeing L7 inspection enabled on this specific flow but I don't have any profiles applied to it so not sure if that is the problem? Do PANs do L7 inspection on all flows/sessions? Files are sent over http/80. \n\nBut what setting controls the below?\n\n ctd_exceed_queue_limit_drop 43 22 drop ctd resource The number of packets queued in ctd exceeds per session's limit, action drop""}, {""user"": ""xbtmk"", ""timestamp"": 1692832149.0, ""content"": ""Just a guess, do you have \""Allow HTTP partial responses\"" disabled? it's best practice to do so, but could explain the failure in your HTTP transfers...depends on the application though.\n\n> If you experience HTTP data transfer disruption on a business-critical application, you can create an Application Override policy for that specific application.\n\nhttps://docs.paloaltonetworks.com/advanced-threat-prevention/administration/threat-prevention/best-practices-for-securing-your-network-from-layer-4-and-layer-7-evasions""}, {""user"": ""zlbzd"", ""timestamp"": 1692868277.0, ""content"": ""As others have mentioned, this happens when the PA is asking for god for mercy because is receiving too much traffic and its dropping it due to being unable to analyse it, when you create an app override you basically say dont analyze it, that way no drops.\n\n​\n\nAt least my best opinion without seeing more logs""}, {""user"": ""21mre4vl"", ""timestamp"": 1692848284.0, ""content"": ""Hey bud,\n\n​\n\nPretty sure this is the \""Forward segments exceeding TCP content inspection queue\"" option you can find under Device > Setup > Content-ID > Content-ID Settings. If those boxes are unticked and you're pumping too much traffic through that the firewall can't keep up with, it'll drop the traffic if you don't have that enabled. 
It's security versus usability in this case.""}, {""user"": ""68xt3"", ""timestamp"": 1692886134.0, ""content"": ""This is exactly what was happening, why this script generates so much traffic I don't know but I will find out.""}, {""user"": ""68xt3"", ""timestamp"": 1692886002.0, ""content"": ""Awesome, that is exactly what I was looking for. They are all unticked except for 'Allow HTTP partial response.' Is there a downside to enabling them?""}]" +paloaltonetworks-181,"[{""user"": ""s06pf1z"", ""timestamp"": 1692833462.0, ""content"": ""Title: 5450 DP line card restart due to internal heartbeat check failed, cannot restart\n Body: Hi,\n\nrunning 10.1.10 on 5450, the DP line card went down, it just stuck in starting.\n\nless mp-log slot4-dp0-console.log has these messages about check media failed.\n\nTry power-down and power-up the card, or reseat it did not help. End up reboot the chassis, bring back the dp line card.\n\nWaiting for 10.1.10-h2 to become preferred release, I will most likely go to 10.1.10-h2 hope it has the fix for it.""}, {""user"": ""1bvg0jmi"", ""timestamp"": 1692836417.0, ""content"": ""There's a bug in 10.1.10 that causes DP crashes for 3200/5200's maybe it affects other models too. I'm in the middle of updating a few 5250 pairs to 10.1.10-h2 right at this very moment because of it.""}, {""user"": ""17vtpz6n"", ""timestamp"": 1692844087.0, ""content"": ""That's just a typical 5450 for you. Bad product, lots of bugs,... so bad that it's even worth an emotional support thread for its owner on this same subreddit.\n\nWe had a chain of incident that caused a DPC and a NC to not work. Seemed to be a chassis issue from TAC's conclusion. The unit was in production. Been waiting for RMA for the whole chassis for nearly 2 months now, while sales rep confirmed it would arrive at most 2 weeks. It has yet arrived. 
Had to rollback to the older 5250 units.""}, {""user"": ""unknown"", ""timestamp"": 1692837757.0, ""content"": ""[deleted]""}, {""user"": ""nqh6ed9"", ""timestamp"": 1692840681.0, ""content"": ""They have had problems with dp cards in the recent past. This may not be software, but hardware related. Ask for rma on the card""}, {""user"": ""pep40"", ""timestamp"": 1692844521.0, ""content"": ""I did this. It seems to have solved my issues""}, {""user"": ""s06pf1z"", ""timestamp"": 1692844959.0, ""content"": ""I don't know if I will call 5450 as bad product. Bugs are every where with every vendors. 5450 is the first product that moved away from MIPS processors (cavium) to x86 for DP. Also, using dpdk as well. The 4xx series, the 34xx series are all x86 based now. No more cavium chip.\n\nI wish the 5450 has more 40/100Gig interfaces. Not only the first 2 slots for NC. I hope there will be more generation network and data plane card for the 5450 series.\n\nI had an issue with one of the 5450 back in Nov 2022. We had a NC card just go offline and it won't came back online anymore. They replaced that card twice. When that firewall became active firewall (it is a active/passive setup). Some of the traffic won't get passed. TAC sent me a blank chassis to replace as well. I needed to transfer everything (base card,fan tray, ps, and all the front interface cards and management card). That still did not solve the problem. They ended up replace everything. I think the issue maybe the base card which is accessible from the back, but I did not have a chance to test that theory.""}, {""user"": ""s06pf1z"", ""timestamp"": 1692838044.0, ""content"": ""I opened a SR. TAC did not mention about PAN-222712. The main reason for the post is if you are stuck with DP won't start. May want to consider to reboot the chassis.""}, {""user"": ""s06pf1z"", ""timestamp"": 1692840835.0, ""content"": ""I left out some additional testing result. I have access to another pair of 5450. 
I took the other pair passive unit dp card and swapped with the one that stuck in starting. I got the same console messages as the dp card which stuck in check media fail. I rebooted the chassis. The dp card was able to boot up just fine. I was able to swap back the original dp card as well and put the borrow dp card.""}, {""user"": ""1bvg0jmi"", ""timestamp"": 1692845388.0, ""content"": ""That's good to hear. I had both members of a pair flake out less than a week ago, and one member of a different pair flaked out last night. I'm eager for a resolution.""}, {""user"": ""nqh6ed9"", ""timestamp"": 1692903979.0, ""content"": ""they are saying 10.1.10h2 does have the fix per their recent email. \n\n\nDoes anyone see a reason outside of it not being preferred, to NOT move to that release if your having this issue?""}, {""user"": ""s06pf1z"", ""timestamp"": 1692907013.0, ""content"": ""who knows what broke with 10.1.10-h2?? =) I am waiting for TAC to set 10.1.10-h2 as preferred.. Just a matter of time..""}]" +paloaltonetworks-182,"[{""user"": ""e914docd"", ""timestamp"": 1692817113.0, ""content"": ""Title: Customer Success Engineer at PaloAlto Networks\n Body: Hi\n\nCan some pls help me to understand what is the role of CSE at Palo Alto networks?\n\nThanks""}, {""user"": ""144wwl"", ""timestamp"": 1692825855.0, ""content"": ""We have one.. 
and no one knows.""}, {""user"": ""qnvd8"", ""timestamp"": 1692826097.0, ""content"": ""We have one for soar and he knows less about the product than us.""}, {""user"": ""kevpn"", ""timestamp"": 1692826782.0, ""content"": ""* [https://www.reddit.com/r/paloaltonetworks/comments/qrr90b/customer\\_success\\_engineers/](https://www.reddit.com/r/paloaltonetworks/comments/qrr90b/customer_success_engineers/)\n* [https://www.reddit.com/r/paloaltonetworks/comments/ogc8e1/palo\\_alto\\_networks\\_customer\\_success\\_engineer/](https://www.reddit.com/r/paloaltonetworks/comments/ogc8e1/palo_alto_networks_customer_success_engineer/)\n* [https://www.reddit.com/r/paloaltonetworks/comments/15711o0/how\\_is\\_working\\_as\\_a\\_cse\\_in\\_palo\\_alto\\_networks/](https://www.reddit.com/r/paloaltonetworks/comments/15711o0/how_is_working_as_a_cse_in_palo_alto_networks/) \n\nFirst two of those threads are old, but the job hasn't changed too much AFAIK""}, {""user"": ""px843"", ""timestamp"": 1692829471.0, ""content"": ""I work with them every day and they are good people but a lot of customers have very deep knowledge of Palo tech so don\u2019t be surprised you know more than them in certain areas. Don\u2019t forget they have access to almost all 10/11k staff at Palo so they can help with many things \n\nIf you\u2019re not happy with your CSE you should speak to your AM""}, {""user"": ""d9eh46ju"", ""timestamp"": 1693157798.0, ""content"": ""So you do not see any value having a Customer success engineer ?""}, {""user"": ""kevpn"", ""timestamp"": 1692841828.0, ""content"": ""This is something I feel like people miss about Palo support staff in general in this sub. It is very easy to hop departments and shoot a message over to someone from another department (now, not everyone *will have the initiative to do that*, but there\u2019s a fixed number of processes to prevent it). 
Whatever tier of support or situation you\u2019re not just paying for the engineer, you\u2019re paying for their wikis, their team, their internal processes, etc.""}, {""user"": ""144wwl"", ""timestamp"": 1693157931.0, ""content"": ""That\u2019s not what I said.. but we had one assigned to our group and I still have no clue what they do.""}]" +paloaltonetworks-183,"[{""user"": ""55n6827i"", ""timestamp"": 1692803377.0, ""content"": ""Title: How to locate backup device config versions from Panorama\n Body: Hello,\nI have read multiple times that each time a panorama-managed device commits locally, that a copy of the config is sent to panorama, which saves up to 100 versions. \n\nWhat are these device backups called, and how can one view them? I have used \u201cexport device config bundle\u201d and export device state before, but I have never seen the ability to look at the config backup history per device.""}, {""user"": ""4q84py1b"", ""timestamp"": 1692934312.0, ""content"": ""https://imgur.com/a/bXnCtoE""}, {""user"": ""55n6827i"", ""timestamp"": 1693350396.0, ""content"": ""Thanks!""}]" +paloaltonetworks-184,"[{""user"": ""lpjdj4mw"", ""timestamp"": 1692822499.0, ""content"": ""Title: Vrouter two - Palo Alto - Starlink 2 Antennas\n Body: Vrouter two - Palo Alto - Starlink 2 Antennas\n\nHi there, how are you doing, I hope you are doing well.\n\nI have a customer who wants to connect two Starlink antennas to a Palo Alto.\n\nNow the issue is that in Starlink you cannot change the LAN network they give you, and it is always the same. I reiterate this is the worst practice and I know it, do not give moralizing or usual comments but focus on the question and feasibility. \n\nI understand that it is not the best, I do not expect a list of best practices of response because I know it is the worst practice, only those who have done something similar can or can not ?\n\nNow I understand that in Palo Alto, I haven't done it, but I understand it could be done. 
With two different Vrouters and then forcing with PBF for one and other interface I could connect without issues, because if I use the same addressing in the same vrouter there will be problems in Palo Alto.\n\nThanks for the time, the good vibes and the collaboration.\n\nI remain attentive\n\nRegards""}, {""user"": ""5l7sw3gw1"", ""timestamp"": 1692827179.0, ""content"": ""Why are you using the router they give you? Bypass it. At least that way you'll get two different CGNAT IPs and you can deal with it much easier.\n\nTo echo the other comment, you're not really buying much in the way of redundancy, you'll be in the same cell, serviced by the same beam, etc etc etc. I guess it helps protect against an equipment failure?""}, {""user"": ""zps23"", ""timestamp"": 1692824316.0, ""content"": ""I don't think you can do this with just two virtual routers on the same VSYS. Pretty sure you're going to need two vSYS instances and a virtual router on each. Otherwise you'll be trying to have the same subnet twice in the same instance\n\nPerhaps the better question is what benefit does a second Starlink provide in this instance? Redundancy hardly seems worth it since it's the same backbone and management. If it's hardware redundancy I'd just swap out the failed unit with the new one if it ever failed and remove the complexity""}, {""user"": ""6lriu4sg"", ""timestamp"": 1692828186.0, ""content"": ""You can do this. You just need multiple virtual routers so the routes don\u2019t conflict. Then use PBF to direct to one or the other.\n\nRegarding Starlink, it\u2019s probably not helpful. 
Using two dishes at the same location just means you\u2019re sharing a satellite and bandwidth.""}]" +paloaltonetworks-185,"[{""user"": ""odjep3mn"", ""timestamp"": 1692799235.0, ""content"": ""Title: Source Geolocation on Global Protect connections\n Body: I would like to restrict global protect to only allow connections from certain countries.\n\nI have read online a couple of ways to do this but I am wondering what is best practice.\n\nPortal->Agent->External Gateway?\n\nGateways->Agent->Client Settings?\n\nCreate a security Policy, select VPN zone, drop all source regions not wanted (negate and select regions you want allowed)?""}, {""user"": ""d8w7y"", ""timestamp"": 1692799375.0, ""content"": ""Do you want to keep them from ever hitting your portal or allow them to access the portal but not login?""}, {""user"": ""odjep3mn"", ""timestamp"": 1692799516.0, ""content"": ""stop them from ever hitting the portal. we don't have a need for vpn access from other countries.""}, {""user"": ""d8w7y"", ""timestamp"": 1692801166.0, ""content"": ""Security policy would be the best then for sure""}]" +paloaltonetworks-186,"[{""user"": ""3jv5nq0c"", ""timestamp"": 1692797794.0, ""content"": ""Title: Prisma Acces - SC Tunnel issues\n Body: Hi everyone,\n\nLooks like we hit a serious issue and PA Support seem to be useless.\n\nWe are deploying the Prisma Access (Panorama managed) and onboarded 3 service connections. Each SC has 2 active IPSec tunnels (primary and secondary) with Cisco SDW Routers at the end.\n\nSo in total we have 6 active tunnels and we have enabled BGP.\n\nHowever there seem to be some issues with the traffic in the tunnels because BGP is establishing only in 2 out of 6 tunnels. Both Peers (Cisco Router and Prisma IP) are directly connected to Internet (Public IP) so no firewall in between. 
All tunnel configuration is the same.\n\nWhen we have BGP established traffic is flowing in the tunnel as expected, we can ping the 2 peers and the loobpack interfaces used in BGP. In the other tunnels BGP is not establishing and we can't even ping the interfaces.\n\nThis is randomly occuring across all 6 tunnels: for example, today we have BGP established in tunnel 1 and 3 but not in the others. Tomorrow we can see BGP established in tunnel 2 and 6, but not working anymore in tunnel 1 and 3 - not even ping between the interfaces.\n\nIn the PCAPs we see a lot of TCP retransmits from both router and Prisma VM, and also we observed that tunnels go down after lifetime (phase 2) expires. BGP messages (30 seconds) between the peers should keep the tunnels up (lifetime 3600 sec).\n\nI suspect packet drops in the tunnel but unable to find any root cause, maybe we are hitting a bug.\n\nDid you guys ever encounter this situation or do you have any ideas on what to troubleshoot ?\n\nEdit:\nThis is a new deployment for Remote Networks.\nThe issues are happening on the tunnels which are active (phase 2 SA established) and bgp neighboors are establishing through the tunnels. But at some point their BGP keepalives fail to arrive and BGP will have holdtime expired in a tunnel where they previously have been neighbors. So tunnels are fine, otherwise we could not have BGP established. Am i missing something ?\n\nMany thanks !!""}, {""user"": ""55i5p88b"", ""timestamp"": 1692798932.0, ""content"": ""Ensure all version updates are compatible. We once ran a into a problem of flapping on both primary/secondary FWs as their IOS version wasn\u2019t compatible with the Prisma one.""}, {""user"": ""bwz0h"", ""timestamp"": 1692817009.0, ""content"": ""Tunnels going down at rekey doesn't sound like a BGP issue. I would destroy the SC and start again. That will redeploy a new Prisma VM and confirms your tunnel settings. 
Sounds like a crypto issue to me.""}, {""user"": ""80fgg321"", ""timestamp"": 1692825335.0, ""content"": ""This sounds like a new deployment. Have you gone back to the basics and setup static routing with 1 tunnel between one of your sites and prisma to see if that is stable? Is this for Mobile Users or Remote Networks?""}, {""user"": ""bwz0h"", ""timestamp"": 1692817426.0, ""content"": ""Sounds like you may not have an SA established for the BGP peer either. Debug the tunnel and see if there are active SA's with encaps and decaps for the BGP peer.""}]" +paloaltonetworks-187,"[{""user"": ""o7maeu37"", ""timestamp"": 1692795947.0, ""content"": ""Title: Deploy and install Cortex XDR on MacOS\n Body: Hi all,\n\nI've got a fleet of 40 macs that need Cortex XDR installed. How can I deploy Cortex XDR on these mac using my MDM (Intune in this case). Did someone used some script or other workarounds? \n\n​\n\nThanks in advice.""}]" +paloaltonetworks-188,"[{""user"": ""x04u8"", ""timestamp"": 1692782957.0, ""content"": ""Title: STIX / TAXII Solution\n Body: Does anyone have a solution for authenticated stix / taxii feeds into ngfw appliances?""}, {""user"": ""ibia0"", ""timestamp"": 1692783821.0, ""content"": ""* Minemeld \n* Edlmanager\n* SNOW EDL hosting\n* Linux box running php hosting a script to parse the feeds into an EDL\n\n\n\n*There's a trend of EDL here*""}, {""user"": ""i5gzh"", ""timestamp"": 1692788872.0, ""content"": ""My father and I are busy dev-ing our own app that will handles EDL's kind of like a minemeld and other competition collapse + more features.This is something we're looking at supporting at launch.\n\nUnfortunately we're probably at least a month until launch.\n\nThe best part is as of right now we're planning on running it completely free but with a donation based service.\n\nThe reason I am mentioning this is because I myself a user of Minemeld and other similar products I am finding lack features I want. 
Stix/taxii feeds being one of them.""}, {""user"": ""x04u8"", ""timestamp"": 1692807117.0, ""content"": ""Minemeld is EOL\n\nEdlmanager doesn't handle stix or taxii\n\nWhat is SNOW EDL hosting?\n\nI need a COTS solution that comes with commercial support.""}, {""user"": ""kevpn"", ""timestamp"": 1692845523.0, ""content"": ""It\u2019s because XSOAR TIM does it and more but going from free to licensing XSOAR TIM is a hell of a jump""}, {""user"": ""kevpn"", ""timestamp"": 1692842360.0, ""content"": ""I am not going to advocate for or against it specifically but the palo purist answer would be to see if XSOAR TIM does what you need it to""}, {""user"": ""1oj2b1xo"", ""timestamp"": 1692873497.0, ""content"": ""I\u2019m looking into a MineMeld replacement now. We\u2019re down to\n- PA TIM although I\u2019d love to push for XSOAR\n- MISP\n\nWhile MISP is open source, you can search for managed MISP where the provider hosts it and keeps the server and MISP software up-to date while you manage the day to day of the platform (sources, destinations, scoring etc). Both TIM or a managed MISP instance would achieve the supported system requirement. Managed MISP can be a similar cost as TIM.""}]" +paloaltonetworks-189,"[{""user"": ""2z38uxaj"", ""timestamp"": 1692737533.0, ""content"": ""Title: Panorama 10.2.5 email notifications now scrambled\n Body: Upgraded Panorama today from 10.2.4 H2 and quickly found this annoying nugget. \n\nWe use email alerts for certain levels of logs messages and today immediately after the upgrade I got an email that used to be formatted in a nice human readable format is now turned into this mess.\n\ndomain: 1
receive\\_time: 2023/08/22 15:19:54
serial: 0212010
seqno: 7244001891381098384
actionflags: 0x8000000000000000
type: SYSTEM
subtype: wildfire
config\\_ver: 2562
time\\_generated: 2023/08/22 15:19:46
high\\_res\\_timestamp: 2023-08-22T15:19:46.604-05:00
dg\\_hier\\_level\\_1: 0
dg\\_hier\\_level\\_2: 0
dg\\_hier\\_level\\_3: 0
dg\\_hier\\_level\\_4: 0
vsys\\_name:
device\\_name: 45FW01
vsys\\_id: 0
vsys:
eventid: wildfire-auth-failed
object:
fmt: 0
id: 0
module: general
severity: critical
opaque: Validation of Local client certificate failed resulting in error 58, Problem with the local SSL certificate
dg\\_id: 0
tpl\\_id: 0
\n\nIt appears that all emails now are formatted this way. Now how did the devs manage to do this? I mean seriously. \n\nDoesn't break anything, no. Is it super annoying, yes!""}, {""user"": ""82gqx"", ""timestamp"": 1692738376.0, ""content"": ""It\u2019s a known issue in a few versions: https://live.paloaltonetworks.com/t5/general-topics/broken-email-notifications-formatting-in-version-11-0-1/td-p/539663""}, {""user"": ""azicu"", ""timestamp"": 1692763070.0, ""content"": ""This is in every os and will be fixed in 10.2.6 and 10.1.12""}, {""user"": ""7bd0k"", ""timestamp"": 1692777924.0, ""content"": ""I'm just glad 10.2.5 stopped all my Pa-220s sending thousands of emails a day about root disk space.""}, {""user"": ""3mbw0swp"", ""timestamp"": 1692799726.0, ""content"": ""Bug ID PAN-221126\n\nIt's supposed to be fixed soon in all tracks.""}, {""user"": ""2z38uxaj"", ""timestamp"": 1692738721.0, ""content"": ""Perfect, Thanks for the link. Always something, fix one thing break another, LOL!""}, {""user"": ""iwlnp"", ""timestamp"": 1692815866.0, ""content"": ""Do anyone know of any estimated release dates?""}, {""user"": ""4bzzarp8"", ""timestamp"": 1692781384.0, ""content"": ""I also upgraded and now am facing issues with disk space :D""}, {""user"": ""ao50hldk"", ""timestamp"": 1692751577.0, ""content"": ""Just the way technology works unfortunately. Big corps with very careful upgrade management will scrub the new version for potential issues and weigh them against the fixed issues in their current version. Then they move into test environment and so on""}, {""user"": ""7bd0k"", ""timestamp"": 1692781690.0, ""content"": ""Even after going to 10.2.5? 10.2.5 fixed the disk space for mine.""}, {""user"": ""7bd0k"", ""timestamp"": 1692781704.0, ""content"": ""Even after going to 10.2.5? 10.2.5 fixed the disk space for mine.""}, {""user"": ""4bzzarp8"", ""timestamp"": 1692782257.0, ""content"": ""Unfortunately :/ It fixed another issues but it caused a big one. 
The /opt/pancfg is filling up slowly until it reaches 100%. TAC wasn't able to offer any help. Dropping the DB and complete Panorama VM redeploy was just a temporary solution so now I'm thinking about downgrade with occassional intruding thoughts of PANOS 11. I might give it a try just for the Panorama..""}, {""user"": ""2z38uxaj"", ""timestamp"": 1692800335.0, ""content"": ""On what device are you running into this? Sounds like Panorama?""}, {""user"": ""4bzzarp8"", ""timestamp"": 1692782334.0, ""content"": ""And I had no issues with disk usage before the upgrade.""}]" +paloaltonetworks-190,"[{""user"": ""g94fqlyju"", ""timestamp"": 1692757535.0, ""content"": ""Title: Seeking Guidance to Learn About Palo Alto Networks\n Body: Hello Redditors,\n\nI'm excited to dive into the world of Palo Alto Networks and gain a solid understanding of its concepts, technologies, and applications. However, as a beginner, I could use some guidance on where to start, what basics to cover, job opportunities, and free certification options. Any advice or suggestions would be greatly appreciated!\n\n* I'm looking for recommendations on the best resources to learn about Palo Alto Networks. Whether it's online courses, video tutorials, blogs, or textbooks, I'm open to all suggestions. What resources have you found most helpful in grasping the fundamentals?\n* For those experienced with Palo Alto Networks, could you outline the essential basics I should focus on? What are the core concepts, terminologies, and technologies that form the foundation of this field? Any tips on how to effectively grasp these basics would be fantastic.\n* I'm also curious about potential job roles that involve working with Palo Alto Networks. What are the job titles to look out for? Are there specific industries or sectors where Palo Alto Networks skills are in high demand? 
Any insights into the job market for beginners would be really helpful.\n* While I'm eager to learn, budget constraints can sometimes be a challenge. Are there any reputable platforms or organizations that offer free certifications related to Palo Alto Networks? A certification can certainly add value to my learning journey and future career prospects.\n\nYour advice, experiences, and recommendations will not only help me but also others who are starting on this journey. I'm grateful for any insights you can share. Let's learn and grow together!\n\nThanks in advance for your time and support.\n\nBest regards,\n\nsubreader-1996""}, {""user"": ""8pwisooa"", ""timestamp"": 1692759346.0, ""content"": ""The best way is to get a palo firewall. You don\u2019t need licenses to get an understanding of routing etc. YouTube like always if you want vids. There\u2019s so much to review.""}, {""user"": ""on3lx"", ""timestamp"": 1692769059.0, ""content"": ""Cbtnuggets has some good configuration videos. They might be a little dated, but it's a great intro if you're just starting.""}, {""user"": ""flxiy0zp"", ""timestamp"": 1692765466.0, ""content"": ""PM me, I\u2019ll run you through some basics in a prod env. \n\nPA has amazing docs on their site thought. Start with some basics, like NAT, Security rules, objects, zones. QoS, etc.""}, {""user"": ""x04u8"", ""timestamp"": 1692767062.0, ""content"": ""Get a firewall and the book in the link below. Go through the Palo Alto admin guide and setup everything. Then gi through the book and apply what it teaches to optimize. Then use PAN in production on a corporate network fkr a while so you can learn the operations and troubleshooting side. 
\n\nhttps://www.amazon.com/gp/aw/d/1803241411?psc=1&ref=ppx_pop_mob_b_asin_title""}, {""user"": ""657phrhh"", ""timestamp"": 1692769809.0, ""content"": ""Have you worked with other firewall vendors, if so which ones?\n\n​\n\nThe basics of security policies, NAT, routing and network segmentation will be similar.\n\nThe Palo Alto firewall is a NGFW (Next Generation Firewall) which means that it analyzes traffic though the application layer and can do more than just filter traffic based on a protocol (TCP/UDP), port and IP address.\n\n​\n\nAs suggested by someone else you can start by reading the admin guides. The latest major PAN-OS is 11.0. There are 3 major guides I would suggest that you review:\n\nFirewall Admin Guide: [https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-admin](https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-admin)\n\nPanorama (This is a management tool used to manage physical and virtual firewalls) Admin Guide: [https://docs.paloaltonetworks.com/panorama/11-0/panorama-admin](https://docs.paloaltonetworks.com/panorama/11-0/panorama-admin)\n\nGlobal Protect (Palo Alto VPN client) Admin Guide: [https://docs.paloaltonetworks.com/globalprotect/10-1/globalprotect-admin/globalprotect-overview](https://docs.paloaltonetworks.com/globalprotect/10-1/globalprotect-admin/globalprotect-overview)\n\n​\n\nIf the company you work for have Palo Alto firewalls you might be able to get someone to set an up account for you so that you have access to the Palo Alto Beacon Learning Center. If not I know there used to be a way to get an account as a student. 
\n\nHere is the link: [https://beacon.paloaltonetworks.com/student/catalog](https://beacon.paloaltonetworks.com/student/catalog)\n\nFurthermore, if the company you are working for have Palo Alto firewalls you might be able to n Palo Alto VM that you can play with in a lab environment.""}, {""user"": ""8jhssb02"", ""timestamp"": 1692781360.0, ""content"": ""I used their official training materials to study for PCNSE last time. That was pretty good. I had dozens of PAN NGFW at work but I also spun up a few VM-Series in my home lab. You can do most things without license.""}, {""user"": ""151ozs"", ""timestamp"": 1692794478.0, ""content"": ""Check out the PCNSE bootcamp videos on YouTube. There's a wealth of information in them.""}, {""user"": ""8e8pvsdc"", ""timestamp"": 1692797080.0, ""content"": ""https://www.reddit.com/r/paloaltonetworks/comments/wsurds/palo_alto_virtual_lab/?utm_source=share&utm_medium=ios_app&utm_name=iossmf""}, {""user"": ""suz08"", ""timestamp"": 1692806120.0, ""content"": ""Also, most of us are pointing you towards the NGFW. Is your interest there, Cloud Security (Prisma Cloud) or SOC/Endpoint (Cortex)?""}, {""user"": ""g94fqlyju"", ""timestamp"": 1692845673.0, ""content"": ""Hi, Thanks for your inputs.\n\nI don't have any prior experience in Firewalls, i am working in Telecom Industry as Network Engineer. My company doesn't work on PA VM's.\n\nThat's the reason i need to start from scrath.\n\nAppreciate your response. Thanks""}]" +paloaltonetworks-191,"[{""user"": ""3gyqa"", ""timestamp"": 1692733543.0, ""content"": ""Title: Threat Prevention Rules, Default Actions, and Exceptions\n Body: I am trying to confirm the order of precedence for security profile rules, default actions, and exceptions. For example, the default action for the SSH User Authentication Brute Force Attempt threat is alert. However, the threat profile rule associated (simple-server-high) has an action of reset-both. 
I think the rule action will override the default action of the signature meaning that the action will be reset-both. Is that correct?\n \n\nI also have an exception for a few IPs with that threat signature with the exception set to use the default action of alert. I think the by enabling the exception that uses the default action of alert, that will take precedence over the rule making the action alert. Is that correct?\n\nI think rules override the default action but exceptions override both the rules and original default action when an exception is enabled. Is that correct?""}]" +paloaltonetworks-192,"[{""user"": ""11howr"", ""timestamp"": 1692714333.0, ""content"": ""Title: Checkpoint R81 to Palo - Expedition conversion - Domain objects not converting\n Body: I am converting a Checkpoint R81.10 config in Expedition and it appears none of the domain objects are getting converted. All of the rules now have \""any\"" where domain objects should be, and in the address section of Expedition there are no domain objects. Has anyone ran into this or have a solution?""}, {""user"": ""8vst355xo"", ""timestamp"": 1692722322.0, ""content"": ""last year i was converting CP to Palo fw, it was pain.\nneed to follow how to convert from CP, make a bundle config from the CLI. and some of the config is not imported so i do the convert manually.""}, {""user"": ""3tcql"", ""timestamp"": 1692753266.0, ""content"": ""Yikes, about to be going through a large CP to Palo conversion.. This does not instill confidence. Good thing they paid for professional services so not exactly a \""me problem\"", until they fuck it up. Appreciate the heads up and best of luck in your cutover.""}, {""user"": ""3mbw0swp"", ""timestamp"": 1692799829.0, ""content"": ""I did it manually. There was simply too much garbage in our Checkpoint config I didn't want to bring over. 
It took a lot longer since I was looking at rules and seeing what was hit, creating new Palo objects, rules, etc, but very worth it.""}, {""user"": ""11howr"", ""timestamp"": 1692722758.0, ""content"": ""I was afraid of that. This is the first CP I have done after R80 and what I am seeing is Expedition is missing a lot of the config. I did a few in the old R77 days and it was not that bad, now it appears to be very painful.""}, {""user"": ""11howr"", ""timestamp"": 1692754958.0, ""content"": ""To add more to the problem it was not just domain objects that have the problem. Undateable objects, Domain objects, Geo Location, Applications, nor firewall objects were converted. So you need to be very careful about your rules where those objects are applied.""}]" +paloaltonetworks-193,"[{""user"": ""68xt3"", ""timestamp"": 1692739705.0, ""content"": ""Title: Source NAT multiple IPs > 1 public IP\n Body: Someone keep me honest and tell me I am doing this right. I want two private IPs to translate to a single public IP. I already have outbound NAT on my primary egress IP and just want the source IP of these two internal servers to be zz.zz.zz.zz.\n\nIs the configuration below going to do just that? \n\n**NAT:**\n\n**Original Packet:** \n\nSource zone > trust \n\nDestination zone > untrust\n\nDestination interface > 1/10 (untrust interface)\n\nSource address > xx.xx.xx.xx & yy.yy.yy.yy\n\n**Translated Packet**\n\nDynamic IP and Port \n\nTranslated Address: zz.zz.zz.zz""}, {""user"": ""29l079c7"", ""timestamp"": 1692743163.0, ""content"": ""That's what we lifers call a hide-nat, many-to-one, etc.\n\nI'd recommend bookmarking the packetpassers spreadsheet for future reference.\n\n(PS - it will work) \n\n\nhttps://packetpassers.com/palo-alto-nat-config-workbook/""}, {""user"": ""d1lhzh8p"", ""timestamp"": 1692744966.0, ""content"": ""For me yes. 
This Nat rule have to be before the principal.""}, {""user"": ""68xt3"", ""timestamp"": 1692750867.0, ""content"": ""It worked as designed, thanks all.""}, {""user"": ""5u04b"", ""timestamp"": 1692803729.0, ""content"": ""It will work but I'd suggest removing the destination interface and let the firewall figure it out.""}, {""user"": ""nycni"", ""timestamp"": 1692761223.0, ""content"": ""Good. Just remember that order matters here. So be sure these more specific NATs are positioned above the default catch-all ones.""}, {""user"": ""68xt3"", ""timestamp"": 1692816122.0, ""content"": ""Why would that matter? I mean that interface is where that network/IP I am nat'ing it to resides and isn't going to change.""}, {""user"": ""5u04b"", ""timestamp"": 1692817345.0, ""content"": ""> I mean that interface is where that network/IP I am nat'ing it to resides and isn't going to change.\n\nUntil it does, you move your WAN interface, or you get an additional WAN interface and don't know why your NATs are broken.\n\n​\n\nLet the system figure out the egress interface.""}]" +paloaltonetworks-194,"[{""user"": ""9ws9qq5hm"", ""timestamp"": 1692706817.0, ""content"": ""Title: Support troubles\n Body: I'm curious if there is a 'best' way to get a tech in my timezone. I opened a case at 7AM CST and the tech that picks it up is in a completely different timzone so he will only work on cases when it is our evening. \nWhat i want is to open a case in my timezone and have a tech that is open and willing to work on the case with me. 
Otherwise i have to work late evenings or early mornings to accomidate their timezone.\n\nDoes anybody else have this issue?""}, {""user"": ""a1671juk"", ""timestamp"": 1692707280.0, ""content"": ""request realignment to your timezone""}, {""user"": ""a1671juk"", ""timestamp"": 1692708953.0, ""content"": ""my suggestion would be to include your working timezone in the case description and request specific timezone tac pick up the case.""}, {""user"": ""i5gzh"", ""timestamp"": 1692712770.0, ""content"": ""I see posts like this a lot. Get your Palo Alto AM to reassign it for you.\n\nYou shouldn't be struggling alone with sucky support. Thats the whole point of an AM.""}, {""user"": ""9ws9qq5hm"", ""timestamp"": 1692721584.0, ""content"": ""Update!!!! I finally got a tech. However, in the Euro time. He only had 1 hour to work on a critical case before his shift ended. Luckily he was able to find my stupidly simple problem (undocumented and difficult to find, but simple) before his shift ended. \n\nMy continued fear also is that the case owner will get all the info then their shift ends and they hand to somebody that will be near the end of their shift too. This has happened to me 3 times the past year out of 3 cases. \n\nOverall, my desire to continue business with Palo is significantly declining. Cisco has fallen off too which is why my 25+ years as a 'Cisco guy' is using Palo. But the grass is NOT always greener no matter what the sales people say. \n\nFortinet ... you are next in line!""}, {""user"": ""9ws9qq5hm"", ""timestamp"": 1692708164.0, ""content"": ""Here is the funny thing. At 2AM this morning (my time) the case owner said they were available to work this. Of course i was sleeping. His shift ends at 7AM which is when i got online. \n\nSo i did call the main line to have this re-assigned. The person that answers their support line tried to call the case owner. I told him that the current case owners shift was over and needed it requeued to my timezone. 
\n\nThe person on the line said that they needed to contact the case owner so they could release the case so he could reassign. \n\nI would have to wait another 12 hours to get my case even looked at, then i'm guessing the new owner woudl also be in completely different timezone.""}, {""user"": ""vhclcucd"", ""timestamp"": 1692708125.0, ""content"": ""This is the way, I have done it literally dozens of times. It's not personal - if you are just a number to them, they are just a number to you.""}, {""user"": ""9ws9qq5hm"", ""timestamp"": 1692713323.0, ""content"": ""Agree and did this exactly. I actually just closed my original ticket and opened an urgent with this same wording. The new case owner picked this ticket 30 minutes before his shift ended. \n\nPalo support is the worst.""}, {""user"": ""9ws9qq5hm"", ""timestamp"": 1692721642.0, ""content"": ""Thanks! I certainly tried this but it really does not seem to work.""}, {""user"": ""9ws9qq5hm"", ""timestamp"": 1692713540.0, ""content"": ""100%. I called my AM team and they are all at a \""Company sponsored conference\"". \n\nI honestly have patience, but do not understand why the case owners cannot look at our timezone or the notes before claiming the case. They review the case then end their shift. The second case i opened was an URGENT and the owner claimed it then went off shift. What does an urgent mean to them? Very very frustrating.""}, {""user"": ""2yb1e6au"", ""timestamp"": 1692743579.0, ""content"": ""That's not true. They can realign the case. We don't \""release\"" cases.""}, {""user"": ""147byj"", ""timestamp"": 1692719267.0, ""content"": ""Shoot an email to your account manager with this information and they should be able to move this along.""}, {""user"": ""ntqtdiz9"", ""timestamp"": 1692719980.0, ""content"": ""Did you request a realignment via phone or via the support site? 
You can adjust the case priority, escalations, etc from there.\n\nAlso, even if your account team is on a sales kickoff, they can still \u201crequest a case update\u201d or escalation pretty quickly\u2026even from their phone.""}, {""user"": ""9ws9qq5hm"", ""timestamp"": 1692713657.0, ""content"": ""Agree, and I do not take it personal. This is business. They are also a number to me and once this contract ends i'll be moving to another solution.""}, {""user"": ""i5gzh"", ""timestamp"": 1692717685.0, ""content"": "">I called my AM team and they are all at a \""Company sponsored conference\"".\n\nBlast them all on email and demand a new AM.""}, {""user"": ""unknown"", ""timestamp"": 1692715919.0, ""content"": ""[deleted]""}, {""user"": ""9ws9qq5hm"", ""timestamp"": 1692791665.0, ""content"": ""Agree. But that is what the ID10 t said on the phone. I had to hang up on him. \nBottom line, Palo support is horrible. When you get a tech it seems like they are just googling or hunting and pecking for answers.\nSome may be ok but my experience with Palo has fallen way short.""}, {""user"": ""5geivt3"", ""timestamp"": 1692718898.0, ""content"": ""Their sales kick off is going on in Vegas. The entire sales team is there this week.""}, {""user"": ""9ws9qq5hm"", ""timestamp"": 1692717038.0, ""content"": ""The original was high. The second was critical. \nI\u2019m both cases the tech was not responsive for either of these severity.\n\nI did add the notes that I\u2019m in EST and want a tech in my zone. But a Europe tech with no time on his shift grabbed it. \n\nDo they get paid on ticket count?""}, {""user"": ""i5gzh"", ""timestamp"": 1692720077.0, ""content"": ""I could message my AM right now and they\u2019d respond. It\u2019s currently 6pm at night. I\u2019ve built a relationship of getting stuff done with my AM, who also likes to get stuff done. 
Using an excuse of \u201cI\u2019m at a conference\u201d doesn\u2019t fly with me and shouldn\u2019t fly with you either.""}]" +paloaltonetworks-195,"[{""user"": ""rtvzz"", ""timestamp"": 1692714228.0, ""content"": ""Title: Payg deployment on Azure for tf module testing.\n Body: Hello,\n\nI'm lookin for a way to deploy a scale set (based on [https://github.com/PaloAltoNetworks/terraform-azurerm-vmseries-modules](https://github.com/PaloAltoNetworks/terraform-azurerm-vmseries-modules)) and i want to test the whole deployment (Previous repo) with Azure services and discover the palo alto terraform provider for appliance configuration.\n\nIf i want to stick with PAYG (I will destroy everything from time to time if i need to pause my testing) i can list the follwing market place products :\n\n* \u274c Palo Alto Networks Panorama (BYOL) *Not needed for the test scope*\n* \u2714\ufe0f VM-Series Next-Generation Firewall from Palo Alto Networks (PAYG Free Trial 1M) *Seems to be the what i need*\n* \u274c Cloud Next-Generation Firewall by Palo Alto Networks - an Azure Native ISV Service Cloud Next-Generation Firewall by Palo Alto Networks (PAYG) D*ont know about it, PA as a managed service right ?*\n* \u274c VM-Series Next Generation Firewall VM-Series Next Generation Firewall Palo Alto Networks, Inc. VM-Series Next-Generation Firewall (BYOL) *BYOL Version, not suitable for me*\n* \u274c VM Series FLEX Private offer VM Series FLEX Private offer Palo Alto Networks *Too soon for this.*\n\nMy question is, if i want to use the second item, i understand i need to select a bundle and the requirement is to accept terms against the corresponding subscription, i have a sandbox subscription for this. 
Does this terms acceptation only scopes that subscription and not the corresponding Azure tenant ?""}, {""user"": ""suz08"", ""timestamp"": 1692808323.0, ""content"": ""Sorry not an expert but the Terms And Conditions are the standard Palo EULA modified for Azure use, it shouldn't cause a functional change. \n\nThe Cloud NGFW might give you what you want in an easier to setup format. It auto scales and is simple to consume. Manage either natively or via Panorama.""}]" +paloaltonetworks-196,"[{""user"": ""irfog"", ""timestamp"": 1692697768.0, ""content"": ""Title: Migration of Panorama from On-Prem to new Azure-based appliance\n Body: Hi all,\n\nI'm currently in the process of planning out a migration of Panorama from an on-prem hosted appliance to an Azure hosted appliance, and as part of this there will be a change of IP.\n\nI've been following through the [KB article](https://docs.paloaltonetworks.com/panorama/9-1/panorama-admin/set-up-panorama/transition-to-a-different-panorama-model/migrate-a-panorama-virtual-appliance-to-a-different-hypervisor) created by Palo Alto, but it seems to miss the part about associating the currently managed firewalls to the new appliance. \nStep 11 talks about setting up the collector/Collector group, then Step 12 goes on to talk about re-syncing the firewalls. \n\nI've raised it as a question to Palo Support, and there response was that I have to import all the firewalls into the new appliance, which is a lot of work.\n\nIs there a better way to associate the firewalls with the new Panorama? Can I not just update the IP address of Panorama on the each firewall, then re-associate them with the new Panorama that carry out a full push to resume the management function?\n\nIf I have to re-import every device then so be it, and I'll watch the overtime clock up.\n\nAny help/advise is welcome and greatfully received. 
""}, {""user"": ""i5gzh"", ""timestamp"": 1692699291.0, ""content"": ""I've done this before and I followed that doc but also didn't.\n\n1. Basically I brought up the new PRA did licenses etc.\n2. I then exported the config on the old PRA and imported it on the new one.\n3. Change the IP of the new PRA to whatever IP it was before the import and commit.\n4. At this point I changed the IP of the primary Panorama server on all my firewalls to point to the new PRA IP and added the old PRA as a secondary Panorama.\n5. Shutdown old PRA once the commit had happened and verified that all the firewalls we're connected to the new PRA.\n6. You will likely need to do a full push to all your firewalls to get them into sync again on the new PRA.\n7. Once you are happy that everything is up and stable you can remove the secondary Panorama IP's from the firewalls.\n\nThe reason I did it this way was so that we could just boot up the old PRA and shut the new PRA if we had any weird issues.""}, {""user"": ""hwn0jqe"", ""timestamp"": 1692699695.0, ""content"": ""Yep, can +1 on this method. \n\n\nThe recommendation from your TAC engineer telling you to import the device config is fucking mental.""}, {""user"": ""irfog"", ""timestamp"": 1692702619.0, ""content"": ""I did think it was a bit mental, otherwise what would be the point of importing the PRA config in the first place.\n\nThank you for such a quick response.""}]" +paloaltonetworks-197,"[{""user"": ""4e5qd4lt"", ""timestamp"": 1692720169.0, ""content"": ""Title: Home lab - What is a good replacement for a 3020\n Body: I dont think a 220 would be good. I have a full gig internet connection, which is why I've been using a 3020. But most important is cost. I dont care if it comes off ebay, and has no support. Thats irrelevant to me. 
Whats important is that it supports the current PAN-OS releases, since the 3020 is stuck at 9.1.""}, {""user"": ""e6qh3"", ""timestamp"": 1692720239.0, ""content"": ""PA-440.\n\nDon't get a 410, no local logging disk. A 415 is MORE expensive than a 440. Since it has SFP ports""}, {""user"": ""6yy8sr6i"", ""timestamp"": 1692720389.0, ""content"": ""PA-440 - It's what I run at home.""}, {""user"": ""ebbbzgxi"", ""timestamp"": 1692720589.0, ""content"": ""PA440 is what I have. Runs smooth.""}, {""user"": ""dlz8m"", ""timestamp"": 1692722691.0, ""content"": ""Probably a 440""}, {""user"": ""4e5qd4lt"", ""timestamp"": 1692723972.0, ""content"": ""Thank you everyone. Looks like the 440 is the appliance of choice. Appreciate all your feedback.""}, {""user"": ""3up2qoit"", ""timestamp"": 1692722954.0, ""content"": ""I run a PA-440. It\u2019s been a decent little box.""}, {""user"": ""6v48c"", ""timestamp"": 1692725640.0, ""content"": ""PA-440 Lab Unit, I have one that replaced my 3020.""}, {""user"": ""vhclcucd"", ""timestamp"": 1692726109.0, ""content"": ""I think sometimes we get tripped up with the term \""homelab\"". There is \""homelab\"" and then there is \""I run my entire home network on this kit\"". Personally, I try not to cross those streams its good policy to not break the wife's netflixing because I was monkeying with a threat profile. For the record, getting a palo off my home network due to how it handled NATing for gaming services made my life much easier.""}, {""user"": ""104zxz8"", ""timestamp"": 1692727111.0, ""content"": ""running a 440 at home too, have 2 3020 as well but they are loud""}, {""user"": ""4q1yj"", ""timestamp"": 1692735500.0, ""content"": ""I have a PA220 and it does gig all day everyday. Even with full threat, AppID, URL filtering, wildfire and some site to site VPNs. We have a pile of wired and wireless devices at our house but it\u2019s just me, the wife and my daughter. 
Commit times suck, it doesn\u2019t support 11.X and I would much rather have a 400 series, but the 220 can handle a lot for home use.""}, {""user"": ""7runkbj"", ""timestamp"": 1692815118.0, ""content"": ""Been on the 440 myself for a while, and can confirm it handles 1 gig throughput no problem with everything enabled.\n\nI had the 220 before, apart from the fact that it takes ages for a commit to complete, with appid and threat it barely did 450Mbps inter-vlan.""}, {""user"": ""suz08"", ""timestamp"": 1692741359.0, ""content"": ""If you work for a Palo Partner (you have PSE cert which infers that) then have a look at the Cyberforce program on the Partner Portal. They might be able to help out with firewalls.""}, {""user"": ""4e5qd4lt"", ""timestamp"": 1692726165.0, ""content"": ""I run that risk, because I have servers I need to protect inside my lab.""}, {""user"": ""qdw7mkji"", ""timestamp"": 1692726773.0, ""content"": ""Curious what issues you saw with NAT and gaming. I\u2019m still on a 220 so I have my lab network separate from my home network but I will be upgrading soon and this might be an issue for me if I put the 440 in my home network.""}, {""user"": ""4e5qd4lt"", ""timestamp"": 1692735420.0, ""content"": ""I have a small commercial space I rent in downtown. I have a 3020 in my office. I cut two really big holes in the top, and put two super quiet large fans on it. I unplugged the internal 4 small fans, and used two of the headers to power these new ones. Its pretty much silent, and is as cool as it ever needs to be.""}, {""user"": ""vhclcucd"", ""timestamp"": 1692795981.0, ""content"": ""The PA220 data sheet has it toping out at 500mbits. I experience with a 220 was no where near gig either.""}, {""user"": ""4e5qd4lt"", ""timestamp"": 1692741394.0, ""content"": ""That\u2019s old. 
I haven\u2019t worked for a partner for a couple of years now.""}, {""user"": ""vhclcucd"", ""timestamp"": 1692794773.0, ""content"": ""Everyone's paranoia level is different. I spend 10 hours a day on ASA and Palo Alto, but for the home \""prod\"" servers/network OPNSense + ZenArmor was able to give me the same level of protection at a fraction of the price, with features Palo Alto may not even offer. I realize what sub I am in and the heresy I just typed. Its my opinion PA is ill suited to many home networks, they know it too based of that failed soho project a couple years back.""}, {""user"": ""p1pda"", ""timestamp"": 1692731035.0, ""content"": ""Well there\u2019s no upnp so anything dynamic (most games) doesn\u2019t work. Have customers running vwire for this reason so consoles can do upnp with the gateway the other side of the Palo.""}, {""user"": ""vhclcucd"", ""timestamp"": 1692795369.0, ""content"": ""The other guy is right, its with dynamic ports.\n\nYou can fix one console if you use a static source port outbound NAT and it will work 95% of the time. But all that falls to pieces if you, for example, have two or more Nintendo switches in the house and multiple kids who want to play Splatoon at the same time. Statically NATing the source port through your firewall for multiple LAN hosts playing the same game just will not work with only one public IP from your ISP. So yeah as far as I know if you have two of same game systems that want to play same game online at the same time with a Palo you might be stuck. Having 6, 10 year olds all whining about the network/online play is not worth whatever supposed extra protection Palo would have provided my network.""}, {""user"": ""104zxz8"", ""timestamp"": 1692738172.0, ""content"": "">ut two super quiet large fans on it. I unplugged the internal 4 small fans, and used two of the headers to power these new ones. 
Its pretty much silent, and is as cool as it ever needs to be.\n\nthat's awesome, might do it one day when I have more time. I've seen various threads on replacing the fan on the 3020 to make it silent so hopefully one day.""}, {""user"": ""4q1yj"", ""timestamp"": 1692802417.0, ""content"": ""The spec sheets are pretty conservative with their numbers, as there are so many variables that go into what a box can handle. There is also a huge difference between say, a small to medium office vs a home lab in terms of load on box such as number of NAT/Security policies, session count, inter-vlan routing etc. \n\nFor production I would 100% follow their sizing guides, but for home lab you can typically squeeze a lot out of the smaller boxes than what they are rated for. \n\nYMMV just wanted to share my experiences. I\u2019ve been deploying palo for over 15 years. All the way back to the 4050s, 500s etc. heh.""}, {""user"": ""suz08"", ""timestamp"": 1692745873.0, ""content"": ""Arrrr. Np""}, {""user"": ""nuvdltb"", ""timestamp"": 1692836028.0, ""content"": ""I have a lab pan not as my primary firewall but as a firewall for me to actually test things on before pushing it into production. My home(lab) is secured with a more \""prosumer\"" grade appliance. Too many complaints from the spouse when things didn't \""just work\"" so I took it out of production.""}, {""user"": ""4e5qd4lt"", ""timestamp"": 1692807381.0, ""content"": ""You're good. And yeah, some PAN nazi's may downvote you. But its totally valid, what you're saying. Honestly I hadnt really considered one of these. And I'll probably take a look at them, now that you mention it. But these are my two biggest draws to stay on a PAN firewall: \n\n\n1) Appliance based, so I dont need to dedicate a server, or further tax an existing server. 
\n2) Keeps my skills sharp.""}, {""user"": ""vhclcucd"", ""timestamp"": 1692795562.0, ""content"": ""Vwire was how I got around the issue too but once the licensing ran out on my PA lab unit I asked what real utility I was getting from it at home. The answer was really nothing but complexity+BTUs for no practical gains, and that's how my lab unit ended up in the e-waste bin.""}, {""user"": ""vhclcucd"", ""timestamp"": 1692890705.0, ""content"": ""Hell hath no fury like a wife who cant watch Bridgerton.""}, {""user"": ""p1pda"", ""timestamp"": 1692802037.0, ""content"": ""I hate that lab units are so impossible to relicense. My 220 came with three year but at the end PA wanted a letter from an officer of my former employer that it had been transferred to me, which would have been nigh impossible even if I still worked there. Replaced with a 440 which I made sure to get three years on too. Some of these little 2.5G fanless boxes are interesting for the future too.""}]" +paloaltonetworks-198,"[{""user"": ""5amdbun2"", ""timestamp"": 1692656619.0, ""content"": ""Title: Suggestions for interview questions to assess Palo Alto knowledge?\n Body: I find it pretty easy to come up with general design questions and more specific technical questions related to routing & switching topics. Palo Alto, on the other hand, seems to be a bit more difficult to assess knowledge in. \n\n\nFor any of you that do technical interviews, do you have any go-to Palo Alto or NGFW questions?""}, {""user"": ""80fgg321"", ""timestamp"": 1692658161.0, ""content"": ""Ask them about the packet flow sequence? See how in depth they can get.""}, {""user"": ""tsmysiu"", ""timestamp"": 1692671378.0, ""content"": ""*Me reading the replies nervously and judging myself based upon how well I think I'd do*""}, {""user"": ""l9fr0"", ""timestamp"": 1692657450.0, ""content"": ""I\u2019m trying to download something from (site) and it\u2019s not working. 
What\u2019s wrong?\n\nCould be URL, data, threat filtering, traffic rules i.e app filters, geo blocking, on and on.""}, {""user"": ""133vwp"", ""timestamp"": 1692663947.0, ""content"": ""Ask the difference between an application and a service in a security policy. It's a short question and tells you a lot about what they understand.""}, {""user"": ""4ruzz"", ""timestamp"": 1692659150.0, ""content"": ""Sit them down in front of a fresh spun up VM and give them a 30-60 minute live lab exam, with test server VMs to simulate live traffic and verify the results. \n\n\""I need you to allow this list of 3 IPs access to these two internal servers - server 1 already has a public IP and needs ftp on port 37 and https (no decrypt necessary) on port 461, server 2 needs DNS on standard TCP and UDP ports with a NAT'd public ip of 4.3.2.1 and it's located in a different security zone. After this you need to permit external access to the Guest security zone to the Internet but block all Risk5 traffic except SMTP, and block the URL 'example.com'.\"" Bonus marks for following best practices that you didn't explicitly require like naming conventions, tags, descriptions and sorting the policies by Zone. If you want to take it further, have them write up a change control with a test plan, the proposed config (xml or set commands), and a rollback procedure.\n\nEntirely open book and they can ask for clarification of any requirements (record the session) but they optional cite their sources via bookmarks for bonus marks, and you aren't going to hold their hand.""}, {""user"": ""5gj3sjhny"", ""timestamp"": 1692660840.0, ""content"": ""I built a lab using a Cloud Formation template and a bootstrap config. Fire up the CFT, wait 20 min and let them try to do the lab. They have to build a vpn to another firewall they don\u2019t have access to but we provide parameters. Also they have to configure BGP and advertise a prefix not in the route table. 
There\u2019s a few other requirements as well.""}, {""user"": ""tsmysiu"", ""timestamp"": 1692671675.0, ""content"": ""I'm not sure how relevant it would be, but if/when I quit my job and help them find a replacement, my plan is to put them in a conference room with one of our PA-410s, a couple of Cisco switches, a Meraki access point, all set to default configs. Maybe some basic laptops with which to simulate hots.\n\nAnd then give them as extensive of a set of requirements as I think is appropriate for their skill level. Just get the basics going of a few internal zones with some NAT to the internet, or get more detailed with filtering policies.\n\nGive them a couple hours and see what they come up with.\n\n(I have no idea if this is a fair plan or not)""}, {""user"": ""hq6dl"", ""timestamp"": 1692734557.0, ""content"": ""Ask how to create a rule to allow Internet traffic in to an on-prem web-server (PA is a little tricky with the destination address/zone)\n\nAsk about how they'd create a single rule for general Internet access (see if they know how to leverage application filters)\n\nAsk the difference between a GlobalProtect portal and a gateway.""}, {""user"": ""yjk1v"", ""timestamp"": 1692753930.0, ""content"": ""Ask them how to configure PBF. I they don't say fuck PBF, show them the door.""}, {""user"": ""f1ck2"", ""timestamp"": 1692658937.0, ""content"": ""^ This. I have been working with PA for 6 years and if I get stuck on something, it always comes down to a packet handling quirk that I overlooked.""}, {""user"": ""5amdbun2"", ""timestamp"": 1692729651.0, ""content"": ""I'm in the same boat :P. \n\n\nA lot of the responses are great but seem to be directed towards hiring Palo Alto specialists/SMEs - I'm just looking for a general knowledge in my interviewing.""}, {""user"": ""ibia0"", ""timestamp"": 1692658878.0, ""content"": ""Dns. 
It's always dns""}, {""user"": ""odjep3mn"", ""timestamp"": 1692747521.0, ""content"": ""I think this is a good starting point.\n\nDo they understand the different features and how they affect traffic. How they can use the different monitors to figure out the issue.\n\nI would also ask something related to security zones and nat rules.\n\nGlobal Protect portals/gateway/hip checks would be useful too.""}, {""user"": ""bdk2p"", ""timestamp"": 1692683240.0, ""content"": ""It\u2019s never network!""}, {""user"": ""5amdbun2"", ""timestamp"": 1692665776.0, ""content"": ""That's a great simple one, thank you.""}, {""user"": ""zps23"", ""timestamp"": 1692672995.0, ""content"": ""That covers about everything, but there is no way a generalist could do that in 30-60 mins, especially if you want a write up for change control too.\n\nSure someone who's entire job is PA's I could see whipping that out pretty quick, but a general sysadmin, not a chance. Also even the PA person wouldn't get all that done if you asked for sources too.\n\nAnd this is from someone who could do that without referencing any documentation.""}, {""user"": ""l9fr0"", ""timestamp"": 1692658963.0, ""content"": ""Today\u2019s issue\u2026it was DNS.""}, {""user"": ""2yb1e6au"", ""timestamp"": 1692712302.0, ""content"": ""I use this one every once in a while, but it's usually incorrect proxy settings on the browser.""}, {""user"": ""kevpn"", ""timestamp"": 1692659358.0, ""content"": ""~~Tomorrow's issue.... 
it was DNS~~ Wait, it was NTP""}, {""user"": ""ibia0"", ""timestamp"": 1692659714.0, ""content"": ""Your ntp server didn't resolve its dns?""}, {""user"": ""8e8pvsdc"", ""timestamp"": 1692711249.0, ""content"": ""Yep it was dns by the way of ntp""}]" +paloaltonetworks-199,"[{""user"": ""3b2eolld"", ""timestamp"": 1692683878.0, ""content"": ""Title: Duo 2FA User-ID bypass issue\n Body: Howdy,\n\nWe're testing Captive Portal authentication with LDAP and Duo 2FA, and we've come across a weird bug with User-ID in PanOS 11.0.\n\nWhen we browse to the protected resource for the first time, the session is redirected to the Captive Portal page where we are prompted for AD credentials and then hit Login. All good so far. The captive portal page then goes off to load the Duo 2FA page, which fails (as it's not correctly set up yet).\n\nThe issue is that because we had valid AD credentials, User-ID has now identified the user (even though they have NOT passed 2FA yet) and populated the user-id to ip-mapping table, which means that if the user just refreshes the page, attempting to access the protected resource again, the authentication policy is now bypassed (user is no longer unknown) and the security rule that only permits known users (or even specific users/groups) is now permitting traffic from this partially authenticated user, which is obviously not desirable. \n\nAny ideas why an authentication profile with 2FA enabled would still identify and authorise a user that failed 2FA?""}, {""user"": ""wrdsf"", ""timestamp"": 1692684193.0, ""content"": ""Yeah this is working as intended and annoying AF. I highly recommend adding a +1 to the FR via your account team to get it worked on.""}, {""user"": ""i5gzh"", ""timestamp"": 1692689428.0, ""content"": ""I dont think the Palo Alto has a way to understand if the MFA attempt was done or not. 
This doesn't sound like a bug but more like you need a feature that doesn't exist.""}, {""user"": ""3b2eolld"", ""timestamp"": 1692686070.0, ""content"": ""Oh, so this is a thing? Wow. Is it just a limitation of using LDAP, or is it across the board?""}, {""user"": ""3b2eolld"", ""timestamp"": 1692695992.0, ""content"": ""It just seems odd that they went to the trouble of creating captive portal page that supports 2FA, but have no way of enforcing it in the authentication flow""}, {""user"": ""wrdsf"", ""timestamp"": 1692688833.0, ""content"": ""It's a limitation of how used id mapping works from my understanding. We use LDAP as well and I haven't tested anything else. Can't speak to that.\n\nAre you using auth policy for all resources behind the CP or just auth policy for the redirect?""}, {""user"": ""3b2eolld"", ""timestamp"": 1692696072.0, ""content"": ""We have a single auth rule that matches on all traffic destined to a single server endpoint. This auth rule matches unknown users and maps them to the authentication policy referencing the captive portal page""}]" +paloaltonetworks-200,"[{""user"": ""8vst355xo"", ""timestamp"": 1692677892.0, ""content"": ""Title: Panorama Context Switch Blank Screen\n Body: Hi All,\n\nWe have a Panorama M-300 that installed with PANOS 10.2.4-h3. and manage several firewall device with OS 9.1.6.\n\nWe found that when we using the switch context to the firewall, the panorama is blank screen(Only white display) and we cannot revert it back until the session end.\n\nWe do a lab using panorama VM and the firewall VM with the same OS to replicate the issue, but this still happened. We had tried Firewall PANOS 9.1.16 it works well with the panorama context switch.\n\n​\n\nIs there any people that have the same issue like this?""}, {""user"": ""6lriu4sg"", ""timestamp"": 1692681862.0, ""content"": ""Yes. 
I have an active ticket for two different clients running two different versions of a panorama and multiple different versions of firewalls and all have a variation of this issue, either on context switching to the firewalls or context switching from a firewall to Panorama or another firewall. They also addressed a similar issue in another recent version.""}, {""user"": ""egqavhh64"", ""timestamp"": 1692690419.0, ""content"": ""Known issue, if you upgrade your fw to 10.1 or 10.2 latest, you shouldn\u2019t face the same issue""}, {""user"": ""nydw4"", ""timestamp"": 1692693140.0, ""content"": ""I stopped using Chrome over the white screen issue. Firefox seems to work much better. Not sure if you tried it but worth a go.""}, {""user"": ""8vst355xo"", ""timestamp"": 1692722133.0, ""content"": ""i was check the release note, it was fixed on panorama 10.2.4, but this is still occured.\ni have an active ticket too they said it was a bug and will fix on 10.2.8, i will update my ticket on this post too""}, {""user"": ""8vst355xo"", ""timestamp"": 1692721916.0, ""content"": ""later we plan to upgrade the firewall from 9.1.6 to 9.1.16 since we see it works normally on that version. i have a active ticket that they says it was a bug, i will update later""}, {""user"": ""8vst355xo"", ""timestamp"": 1692722005.0, ""content"": ""still not working, we use the other browser when we want to do a config from panorama, since the session stuck on the browser when we use the context switch.""}]" +paloaltonetworks-201,"[{""user"": ""rgulsqjh"", ""timestamp"": 1692676972.0, ""content"": ""Title: GlobalProtect Downloading Issue on Mac\n Body: Hello:\n\nI have a MacBook Pro 13\"" with MacOS Ventura 13.3. I click the button that says \""Download Mac 32/64 bit GlobalProtect agent\"", download the file, open the file, go through all the steps, and then, at the very end, I am given the message \""Installation Failed\"". 
I am thinking that this may be caused by my previous choice to not let the GlobalProtect file access my downloads folder. If this is they cause, how do I undo this issue? Thank you.""}, {""user"": ""i4b96h0ru"", ""timestamp"": 1692901098.0, ""content"": ""I don't know if that is the reason (although I have a faint recollection of having this happen to me in the past), and I don't know if anything of what I write below will help either, but shooting a few suggestions from the hip :)\n\nDo you see the installer/GlobalProtect in System Settings > Privacy & Security > Files and Folders, or Full Disk Access?\n\nIf not, does it work if you move the installer to another directory, e.g. Desktop? Maybe it will prompt for access to the directory the installer is executed from.\n\nIf not, does it work if you delete the installer and download it again?""}]" +paloaltonetworks-202,"[{""user"": ""v5tel"", ""timestamp"": 1692482874.0, ""content"": ""Title: Prisma Access 3.2.0 upgrade\n Body: Hey there,\n\nHow to request or force Prisma Access instance (Cloud Managed) to upgrade to version 4.0 or newer? We currently stuck with the 3.2.0 version and 10.0.8 PAN-OS (GER located instance).\n\nAlso, there is a scheduled update to 10.2.4 PAN-OS ongoing (already done for 1 from 6 locations), but I'm not sure if this process will upgrade PA version to 4.0 too.""}, {""user"": ""ao50hldk"", ""timestamp"": 1692484278.0, ""content"": ""PANOS 10.2.4 IS prisma access 4.0 just wait until all of your locations are upgraded and you\u2019ll be \u201cofficially\u201d on 4.0""}, {""user"": ""10ob38"", ""timestamp"": 1692532038.0, ""content"": ""The alerts on Prisma Access Insights should offer you the timeline for your upgrade. 
Target date for most clients is aug/sept/oct.\n\nYou can always **try** to expedite your upgrade by asking your SE's.""}, {""user"": ""v5tel"", ""timestamp"": 1692484339.0, ""content"": ""thanks for confirmation""}, {""user"": ""v5tel"", ""timestamp"": 1692533958.0, ""content"": ""This is what I did and it works. SE was able to speed up the update schedule for our tenant. Before that there were no views to get the newest PAN-OS version anytime soon.""}]" +paloaltonetworks-203,"[{""user"": ""fxjzpvz2j"", ""timestamp"": 1692462131.0, ""content"": ""Title: Anyone affected by RTO?\n Body: I\u2019m one of the affected even though I have moved, but technically under the minimum miles away from office, so. My role quite literally does not need to be in site at all, but the biggest theory so far is tax breaks given by cities are enough for companies like these to force RTO. I\u2019m thinking of quitting because of this, my life will no longer be the same because of it. Maybe just give excuses to why I can\u2019t come in until I can find a new job and ride it out. I thought Palo was different, but tbh I think the only ones affected at the end of the way will be the customers of progress goes down fit to force rto. \n\nAnyone else\u2019s lives will drastically change because of the RTO?""}, {""user"": ""4b04i"", ""timestamp"": 1692464315.0, ""content"": ""My company luckily downsized all their offices to be 1/4 the size they use to be with just a few desks to checkout for people that want to come in occasionally, there is no way they can force RTO now without remodeling again and wasting a ton of money.""}, {""user"": ""kevpn"", ""timestamp"": 1692478084.0, ""content"": ""Definitely recommend filing to go remote before quitting with your boss. 
It\u2019s not exactly a guaranteed process (I know the details I\u2019m just not going to post them here lol) but may as well shoot your shot if you haven\u2019t.""}, {""user"": ""4njik"", ""timestamp"": 1692480358.0, ""content"": ""My Company decided to axe all of IT at the corporate HQ in San Francisco and relocate everyone to Atlanta or over seas as they where discussing RTO plans.\n\nIt really sucks - they are also getting rid of a lot of other people across California. It's a general - get out of CA move.\n\nSo I have 4 months until I'm gone...""}, {""user"": ""l250m"", ""timestamp"": 1692545390.0, ""content"": ""Not yet. I hope they don't. I moved to the other side of the city, bought redundant internet. I have better uptime than most of the sites. They have ran out of desks at each site. The only desk I could possibly get would be completely on the other side of the city in my old office, inside the server room that is crowded with disused equipment now. 2 new desks in there, I haven't worked from there more than a couple hours since before covid when I ended up in the hospital.""}, {""user"": ""hlpm6ev9"", ""timestamp"": 1692468458.0, ""content"": ""I'm the same, leased out 50% of office so not possible for everyone to come back.\n\nThe cost savings for company far outweigh any tax breaks""}, {""user"": ""fxjzpvz2j"", ""timestamp"": 1692478641.0, ""content"": ""Already have :,)""}, {""user"": ""2z38uxaj"", ""timestamp"": 1692483821.0, ""content"": ""Sorry to hear that\u2026""}, {""user"": ""4njik"", ""timestamp"": 1692490038.0, ""content"": ""I'm a senior level network engineer with extensive experience - I'm not super concerned. 
I've already gotten offers; I just need to stay until the last day to get my separation package...""}]" +paloaltonetworks-204,"[{""user"": ""6je5z8jl"", ""timestamp"": 1692469366.0, ""content"": ""Title: Vsys Memory commit error\n Body: Hi team, when applying a commit to a VM series I get the following error:\n\nError: Error unserializing profile objects\n\nfailed to handle CONFIG_UPDATE_START\n\n(Module: device)\n\nCommit failed\n\nI cannot apply any commit whatsoever. Not even deleting objects. I found a workaround that it has to do with the EDL, but si cannot even modify that. There's also the memory utilization output so you can see how much it's currently using.\n\n\nAny ideas?""}, {""user"": ""171ur7"", ""timestamp"": 1692477953.0, ""content"": ""https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000kEuzCAE""}, {""user"": ""i4b96h0ru"", ""timestamp"": 1692704650.0, ""content"": ""I believe I had the exact same issue, are you trying to push config changes from Panorama?\n\nFor me it worked when rolling back to an old content version on the firewalls. I was on version 8745-8229 and rolled back to 8735-8187. Push to Devices worked like a charm after that. No idea why recent content versions caused the issue though.""}, {""user"": ""6epgk"", ""timestamp"": 1692717656.0, ""content"": ""What version are you on? If on 10.1 I recommend going to 10.1.9h3 atleast. I ran into this on 10.1""}, {""user"": ""e2fpx"", ""timestamp"": 1692728467.0, ""content"": ""Give this person their flowers. We were having the same issue with a PA-VM 100, same error message, same amount of consumed memory. We were on 8745-8229 and rolled back to 8735-8187 and were able to push updates from Panorama again.\n\nGood find sir!""}, {""user"": ""i4b96h0ru"", ""timestamp"": 1692898666.0, ""content"": ""So, I created a TAC support case regarding this, and this is caused by a bug in certain PAN-OS versions. 
See PAN-201910, fixed in 9.1.16, 10.1.9, and 10.2.4.""}, {""user"": ""i4b96h0ru"", ""timestamp"": 1692898760.0, ""content"": ""I'm glad it helped! After TAC informed me of the bug I will be upgrading our PA-VMs, please consider to do the same.""}, {""user"": ""e2fpx"", ""timestamp"": 1692899897.0, ""content"": ""We upgraded our two PA-VMs to 10.1.9-h3 last night. We put a ticket in as well, but our TAC guy was clueless.\n\nSupport roulette I suppose.""}]" +paloaltonetworks-205,"[{""user"": ""5vh2ebtn"", ""timestamp"": 1692467392.0, ""content"": ""Title: Best OS Version for PA-220\n Body: We have a PA-220 currently running OS version 9.1.16. What would be the recommended version? Should we be looking to upgrade to a 10.x version?""}, {""user"": ""ab7yj"", ""timestamp"": 1692467783.0, ""content"": ""You\u2019ll have to move off 9.1 it\u2019s en of support in december.\n\nI am currently migrating 1200+ boxes to 10.1.10-hwhatever.""}, {""user"": ""87uedzdm"", ""timestamp"": 1692492795.0, ""content"": ""It doesn't run well on 10.1 or 10.2. 10.2 train has a significant bug that causes root partition to fill up causing firewall to fail. 10.2.5 supposedly fixes that issue but haven't tested it. It was just released on Thursday.""}, {""user"": ""j1yqh2ib"", ""timestamp"": 1692475521.0, ""content"": ""10.1 in my opinion is the most stable and has a very similar feature set to 10.2, I would steer clear of anything higher than the preferred release of 10.1. 220s are shown as supported for 10.2 but face many performance issues.""}, {""user"": ""ebbbzgxi"", ""timestamp"": 1692522131.0, ""content"": ""If only theres a choice to stay at 9.1, I will.\n\nBut 9.1 will be eol by end of this year so, no choice. 
:D\n\nFor now, go to latest preferred in 10.1.""}, {""user"": ""rsvj6"", ""timestamp"": 1692486097.0, ""content"": ""In my experiences, basic traffic processing is ok, but the UI, commit time, reboot time and upgrades/downgrades are just down right painful.""}, {""user"": ""adnrztef"", ""timestamp"": 1692541543.0, ""content"": ""This is known issues in 10.1.10 and it seems that they have not fixed PA 220 1 hour upgrade.\n\n[PA 220 1hour known issue](https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-release-notes/pan-os-10-1-10-known-and-addressed-issues/pan-os-10-1-10-known-issues)""}, {""user"": ""21g83eb4"", ""timestamp"": 1692527094.0, ""content"": ""1200 PA-220s ?! All together you\u2019re looking like 800 hours of rebooting to update \ud83d\ude06""}, {""user"": ""2z38uxaj"", ""timestamp"": 1692737123.0, ""content"": ""100% right, Going to upgrade today to 10.2.4 to 10.2.5 to see if they actually fixed it as this is a major pain. Will post back here.""}, {""user"": ""2z38uxaj"", ""timestamp"": 1692819401.0, ""content"": ""Well time will tell but after upgrade the PA-220 to 10.2.5 that has had space issues on root it looks really good. Have not seen this much root free space in a very long time.\n\nuser@XX-XXX-FW> show system disk-space\r \n\r \nFilesystem Size Used Avail Use% Mounted on\r \n/dev/root 3.8G 3.1G 512M 87% /""}, {""user"": ""2z38uxaj"", ""timestamp"": 1692483949.0, ""content"": ""Yeah stay off of 10.2 PA-220\u2019s kinda suck on it""}, {""user"": ""5vh2ebtn"", ""timestamp"": 1692476312.0, ""content"": ""Thanks! I was concerned that might be the case.""}, {""user"": ""adnrztef"", ""timestamp"": 1692541594.0, ""content"": ""I would ping TAC over a CSP ticket to confirm""}, {""user"": ""72dnoi59"", ""timestamp"": 1692559774.0, ""content"": ""No, that's easy with panorama. 
You can upgrade all Boxes within 1 hour""}, {""user"": ""ab7yj"", ""timestamp"": 1692527593.0, ""content"": ""I stopped counting, I recently went from 9.1.4 to 9.1.14 then 9.1.16 then the big jumps to 10.1. I am far from finished""}, {""user"": ""azicu"", ""timestamp"": 1692494063.0, ""content"": ""It is the case . We have a group of firewalls on 10.2.5 and the problems with them failing over when they get pushes is not fixed""}]" +paloaltonetworks-206,"[{""user"": ""12v6z4fk"", ""timestamp"": 1692392171.0, ""content"": ""Title: Export SSL Cert with Key\n Body: Hello all,\n\nI am going to start off by saying I'm new to working with certs. I have an expired SSL on a Palo. I have seen my coworker in the past export the cert including the key, import into the personal windows store, import the key from a trust CA and use some wizardry with digicert to rebundle the private key with a new cert. \n\nCan someone give me some pointers on how I can accomplish exporting the cert and key and rebundle with the key with the new cert so I can reimport into the Palo? Any help is appreciated.""}, {""user"": ""7zg68sfx"", ""timestamp"": 1692392823.0, ""content"": ""Device Tab >> Certificates >> [click on desired certificate] >> at the bottom there should be an export button >> set is as PKCS12 or whatever as long as you can export the private key.\n\nIf it prompts you to put in a password, you\u2019re on the right track. Type in an easy to remember password, this is just to encrypt/decrypt the private key.\n\nOnce you export it, you can import it into windows, it will prompt you for a password, put that same password in and boom, cert + private key.""}, {""user"": ""883xh"", ""timestamp"": 1692457386.0, ""content"": ""If you have a certificate expiring, you don\u2019t need to export it. Just create a certificate signing request (CSR) on any server or even the Palo Alto firewall. 
Once you have the CSR using the common name (fqdn) of whatever you\u2019re using it for, go to the certificate authority (CA like digicert or go daddy) webpage and renew, then you paste the CSR in the order process and download the signed certificate from the CA. You can import it back on the Palo Alto (or server where you generated the CSR). Be sure you have the common name match exactly what is was before and any subject alternative names match too (if you have any).""}, {""user"": ""12v6z4fk"", ""timestamp"": 1692393881.0, ""content"": ""Thank you for that info. I imported it into windows but how do I bundle that private key with the new cert?""}, {""user"": ""7zg68sfx"", ""timestamp"": 1692394961.0, ""content"": ""If you exported it in pkcs12 or in pem with the password, it should already have included the private cert""}, {""user"": ""12v6z4fk"", ""timestamp"": 1692396121.0, ""content"": ""Yes it did. I'm just not sure how the private key gets bundled with the new cert. When I try to export the new cert with the key it's greyed out.""}, {""user"": ""7zg68sfx"", ""timestamp"": 1692396975.0, ""content"": ""Okay so circle back. Delete the cert on windows. Then re import it. On the section where it prompts the password, there\u2019s a checkbox that says something along the lines of \u201cmake private key exportable\u201d. Should be exportable now with the key. 
\n\nThe cert gets exported along with the key as part of the same file from the firewall, try opening it up the file in a notepad and you\u2019ll see.""}, {""user"": ""bvg7yc65"", ""timestamp"": 1692450553.0, ""content"": ""I think your question is more for your PKI infrastructure and not the Palo, as long as your exporting it with private key and then importing it in (making sure private key export is ticked) it\u2019s down to your SSL certificate server to renew this with the same private key, that doesn\u2019t involve the Palo and you\u2019d need to look at documentation for your specific certificate signing server""}]" +paloaltonetworks-207,"[{""user"": ""151ozs"", ""timestamp"": 1692378632.0, ""content"": ""Title: PSA - If you have a PA-500 there's a nasty bug that could affect you\n Body: TLDR; retire your PA-500s now.\n\nWe had a PA-500 go wonky (wouldn't become active in an HA pair, Radius auth wouldn't work, dashboard HA widget said HA wasn't enabled when device tab said it was, lots of errors about failing jobs - including autocommit, commits fail with a message about not all daemons running).\n\nRunning the latest 8.1 code\n\nNOTE: This is not the cdb process stopped problem. When viewed from the CLI, all process are up.\n\nFirst level tech floundered around before escalating. Eventually got Palo \""root level\"" support and found that this an \""issue\"" (absolutely NOT a bug according to the tech) that is known to Palo, but only root level support has access to the symptoms and fix.\n\nI may have the details wrong (the tech was a cagey about the details) but essentially the daemon that is responsible for writing packet captures gets confused and starts writing files to the disk which fills up. 
The not-bug is present in PanOS up until somewhere in 10.1.x but only PA-500s are affected.\n\nThe fix is for the tech to get a linux command prompt (requires Palo magic), delete a bunch of files, reboot, and do a commit.""}, {""user"": ""5u04b"", ""timestamp"": 1692384500.0, ""content"": ""\""Do you suffer from long commit? You may be entitled to compensation\""""}, {""user"": ""4q1yj"", ""timestamp"": 1692385335.0, ""content"": ""I still have PTSD from PA-500s, thanks for resurfacing all of that. Now I have to find a therapist again.""}, {""user"": ""15q3ae"", ""timestamp"": 1692383861.0, ""content"": ""Sounds pretty bad, however you should have migrated off of 8.1.x last year when it went EoL. And you should (IMHO) avoid 9.1.x as that goes EoL in December this year.""}, {""user"": ""unknown"", ""timestamp"": 1692386290.0, ""content"": ""I feel like I lost months off my life working on that platform.""}, {""user"": ""5jh7pojzs"", ""timestamp"": 1692400813.0, ""content"": ""Never say that first-level engineers \u2018flounder\u2019 around. The work they do is to qualify out stupid customers who don\u2019t know how basic concepts work and correct configuration discrepancies. \n\nIt\u2019s highly likely that if you\u2019re saying they\u2019re \u2018floundering\u2019, that they did what they\u2019re supposed to and fool-proofed the issue ready for upper levels of TAC. 
\n\nOtherwise 2nd/3rd line would have to deal with all the issues where \u2018floundering\u2019 would have easily solved the issue.""}, {""user"": ""a0vvqhvg"", ""timestamp"": 1692405426.0, ""content"": ""your on 8.x, cmon you should of migrated away""}, {""user"": ""ebbbzgxi"", ""timestamp"": 1692386103.0, ""content"": ""I think I faced the same issue few days back.\n\nSo both PA500 got rebooted and on one of the firewalls the autocommit was failing and it was saying about a process not started ( if I remember correctly its varrcvr process) so I decided to restart the process but no luck, restart the mgmt server still no luck.\n\nWhen doing a force commit it says that all the daemons are not ready and causing the autocommit to fail.\n\nDecided to get TAC engineer and he went into root and deleted some files from 2020-2021-2022 and then commit and restarted mgmt server and it all started to perform the autocommit. :)""}, {""user"": ""2q18uey9"", ""timestamp"": 1692453797.0, ""content"": ""Haven\u2019t touched one in years. Palo Alto should have stopped selling them much sooner than they did IMHO""}, {""user"": ""5gj3sjhny"", ""timestamp"": 1692537164.0, ""content"": ""When the 3020 came out in 2012, we bought a pair. I think code was 4.x back then. Commit time was about 20-25 minutes. I think when 5.0 came out it dropped commit time to like 10 minutes. \nIt was brutal.""}, {""user"": ""4ibq2q1u"", ""timestamp"": 1692389358.0, ""content"": ""I know it's not possible but I would almost pay to see how long a big commit would take on a PA-200 running 10.2. Would have to be over 30 minutes I'd imagine.""}, {""user"": ""151ozs"", ""timestamp"": 1692387025.0, ""content"": ""Lol, I hear you. I laugh my ass off when people on here piss and moan about commit times on PA-820s.""}, {""user"": ""33qa1"", ""timestamp"": 1692405572.0, ""content"": ""Lol... I remember my first time upgrading a PA was on a PA-500. 
The time after the management came up until it passed traffic was so long I thought I bricked the thing.""}, {""user"": ""62yxv"", ""timestamp"": 1692426013.0, ""content"": ""I have also had the experience to do it on a PA-2050 and it was a total nightmare. Much much worse than the PA-500""}, {""user"": ""151ozs"", ""timestamp"": 1692386876.0, ""content"": ""Not on a PA-500. 8.1 is the end of the line for it. And the PA-500 is still supported until next month.""}, {""user"": ""151ozs"", ""timestamp"": 1692387099.0, ""content"": ""Waiting for commits on my PA-500s is when I do my best redditing.""}, {""user"": ""9yd4cxsu"", ""timestamp"": 1692449524.0, ""content"": "">Never say that first-level engineers \u2018flounder\u2019 around. The work they do is to qualify out stupid customers who don\u2019t know how basic concepts work and correct configuration discrepancies. \n\nI see your point but alot of the time it is straight up floundering. I had a WAN connection which wouldn't even come up and spent hours over a handful of sessions with 1st level checking east west rules and routing tables. I get what your saying but in my experience it's massively floundering and a reluctance to escalate.\n\nEdit: in the end it's been recorded as a bug and is being fixed in an upcoming release so all good but it took alot of fighting to escalate to get it that far.""}, {""user"": ""151ozs"", ""timestamp"": 1692408385.0, ""content"": ""Do tell how\u2019d I\u2019d do this on a PA-500?""}, {""user"": ""7udhk"", ""timestamp"": 1692426031.0, ""content"": ""You know PA500's only support up to 8.1, right?""}, {""user"": ""151ozs"", ""timestamp"": 1692386904.0, ""content"": ""Yes, those are the folders they deleted from.""}, {""user"": ""15q3ae"", ""timestamp"": 1692391830.0, ""content"": ""Ah didn't know that. 
Although you should consider migrating to new hardware as the pa500 is EoL as you said next month""}, {""user"": ""ebbbzgxi"", ""timestamp"": 1692387444.0, ""content"": ""I did check the disk-space and it has big space left. I asked the TAC and he mentioned that inside that folder there is a quota and that quota is already full so he needed to delete those files filling it up. :)""}, {""user"": ""151ozs"", ""timestamp"": 1692393051.0, ""content"": ""we've got pa-460s arriving any day.""}, {""user"": ""15q3ae"", ""timestamp"": 1692429068.0, ""content"": ""That's exciting. Hopefully you get better commit times. When we had pa500 the commit times were about 5 minutes""}, {""user"": ""151ozs"", ""timestamp"": 1692448543.0, ""content"": ""I've already deployed a PA-440 in a new facility. Commit times are close to a PA-850.""}, {""user"": ""5gj3sjhny"", ""timestamp"": 1692536775.0, ""content"": ""They should be much faster than 800s on 10. \nI\u2019d say 850 commit time on 10 is like what a 220 was on 9. 400s on 10 are faster than 800 on 9.""}]" +paloaltonetworks-208,"[{""user"": ""9ra5wuskt"", ""timestamp"": 1692379240.0, ""content"": ""Title: What is the remote network bandwidth (Mbps) in Prisma access?\n Body: If I have a branch network connect to an SPN and at my branch I have 100Mbps of ISP bandwidth. However I have only assigned 50Mbps to the SPN, is the 50 Mbps the bandwidth of the tunnel between the branch and SPN and how is this enforced by Palo Alto to limit it to 50Mbps even though I have 100Mbps of speed. Sorry for the noob question lol.""}, {""user"": ""5gj3sjhny"", ""timestamp"": 1692402721.0, ""content"": ""You don't specify the bandwidth for each RN connection. You assign it to compute regions however you want. Let's say you buy 1500 Mbps, you could assign 750 to US West and 750 to EU. 
All sites that connect to the region, share the bandwidth, but you can guarantee an amount of bandwidth to one site.""}, {""user"": ""twx73"", ""timestamp"": 1692384209.0, ""content"": ""The 50mbps will be the bandwidth limit allocated for traffic that in in the tunnel to Prisma Access \nThe BW model should be aggregated to a region so if you have only allocated 50mbps to that region then all the branches in that region share that 50mbps, if you are the only office you have it all.""}, {""user"": ""4qv1mlbu"", ""timestamp"": 1692443864.0, ""content"": ""The correct answer is actually: assign 50Mbps, get up to 1G\n\nAll spns are capable of 1G now. Assigning the minimum of 50 doesn't mean much it simply creates a new spn capable of 1G\nAs far as I know, this might change in the future for obvious reasons. But right now, nothing is enforced,no qos.""}, {""user"": ""4qv1mlbu"", ""timestamp"": 1692444136.0, ""content"": ""Test it, assigning 50M for the remote office with 100M that site will get the full 100M. Sure, there is overheads so a simple speed test will show less, maybe 70 or 80 or whatever, but if you do a pcap client side you should see on the bandwidth feature on wireshark 100M being used.""}, {""user"": ""9ra5wuskt"", ""timestamp"": 1692437939.0, ""content"": ""Thanks for the response, is that via QoS feature ?""}, {""user"": ""9ra5wuskt"", ""timestamp"": 1692437918.0, ""content"": ""Thank you for the response""}, {""user"": ""10ob38"", ""timestamp"": 1692468954.0, ""content"": ""No, only SPN's in a location where you have **more** than 500Mbps allocated to will be capable of doing that. 
Also slight note that overusage is not the intention under their license policy.""}, {""user"": ""9ra5wuskt"", ""timestamp"": 1692450576.0, ""content"": ""Means I can.just buy 50 remote network bandwidth and assign the 400 sites (max capacity per spn) and ill get good enough speed whenver required?""}, {""user"": ""5gj3sjhny"", ""timestamp"": 1692461747.0, ""content"": ""Indeed it is. Here is the Palo doc on this.\n\n [https://docs.paloaltonetworks.com/prisma/prisma-access/3-2/prisma-access-panorama-admin/configure-quality-of-service-in-prisma-access/qos-for-remote-networks-that-allocate-bandwidth-by-compute-location/ipsec-termination-nodes-bandwidth-allocation-and-guaranteed-bandwidth](https://docs.paloaltonetworks.com/prisma/prisma-access/3-2/prisma-access-panorama-admin/configure-quality-of-service-in-prisma-access/qos-for-remote-networks-that-allocate-bandwidth-by-compute-location/ipsec-termination-nodes-bandwidth-allocation-and-guaranteed-bandwidth)\n\n​\n\nThis is from one of the environments I manage. You can see I don't currently have anything set for this.\n\n[https://imgur.com/a/dRqSYmp](https://imgur.com/a/dRqSYmp)""}, {""user"": ""4qv1mlbu"", ""timestamp"": 1692455022.0, ""content"": ""For now, that's my understanding, yes, but it will change in the future I heard so I would not recommend it for production or on a permanent basis at all. \nIt's not meant to be used this way :) but as soon as you give 50M , that spn is capable of 1G . \n\nWe use it to save bw. We have over 100G total bw and many spns are simply configured for 50M to get the most out of it""}, {""user"": ""9ra5wuskt"", ""timestamp"": 1692474194.0, ""content"": ""Thanks for the help !!""}, {""user"": ""9ra5wuskt"", ""timestamp"": 1692474417.0, ""content"": ""That's one way to save a lotta cost !! 
Thanks though I'll take your suggestion that they may throttle or enforce it anytime so wont be taking chances.""}, {""user"": ""5gj3sjhny"", ""timestamp"": 1692478068.0, ""content"": ""Me pleasure.""}]"
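Review bot: the flat message arrays in rows paloaltonetworks-203 through paloaltonetworks-208 drop the reply-parent relationship, so several replies have no identifiable referent: in paloaltonetworks-207, `""content"": ""Do tell how\u2019d I\u2019d do this on a PA-500?""` and `""content"": ""Yes, those are the folders they deleted from.""` answer posts that cannot be located, and in paloaltonetworks-205 the messages are not even in timestamp order (1692541543.0 is followed by 1692527094.0 and then 1692737123.0), so array position cannot be used as a proxy for threading. Suggest adding a parent-message identifier to each message object (or at minimum a stable per-message id plus sorting by timestamp) before this export is consumed downstream. Two smaller points on the same hunk: paloaltonetworks-207 uses the literal string `""user"": ""unknown""` as a missing-author sentinel, which is indistinguishable from a real handle in that field and would be safer as null; and the rows carry personal statements (relocation, a hospital stay, a separation package in paloaltonetworks-203) with no provenance, collection-date or licence note anywhere in this hunk, which is worth documenting alongside the file before it is committed.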