diff --git "a/csv/paloaltonetworks_messages_copy.csv" "b/csv/paloaltonetworks_messages_copy.csv" new file mode 100644--- /dev/null +++ "b/csv/paloaltonetworks_messages_copy.csv" 
@@ -0,0 +1,79 @@ +thread_ts,messages_json +paloaltonetworks-1,"[{""user"": ""70h0rfmb"", ""timestamp"": 1694803280.0, ""content"": ""Title: Configuring Global Protect to use Azure AD (Entra ID) credentials on Intune managed machine\n Body: Hey all - Seemed to have hit a snag on trying to configure Global Protect for my organization. I deploy it just fine with Intune, portal baked in and all that. But when the users sign in, their Windows sign in credentials aren't being used to automatically connect to the VPN. It's being sent over on our domain managed machines, but not with our Intune managed ones. I've made sure the settings are right in the firewall, but I can't figure anything else out. Anyone have any experience on this?""}, {""user"": ""zps23"", ""timestamp"": 1694803831.0, ""content"": ""Not enough info to really help.\n\nWhat is your auth backend? Are you using LDAP or SAML or CIE?\n\nWhat errors do you see on the firewall?""}, {""user"": ""70h0rfmb"", ""timestamp"": 1694804993.0, ""content"": ""Oh sorry about that -\n\nWe use LDAP currently, but this is where it's weird.. we have an ldap config that's looking at our DC and users can authenticate that way. We utilize userprincipalnames for the username (which is email address). The SSO happens perfectly fine no matter who logs in.\n\nSo my first thought was, how does the client know what info to use for domain machines when it's the same login type. Do we need to change it from UPN to email address for what data is being used for the username?\n\nThis is my first deep dive into our PA and global protect so I apologize if a lot of this seems stupid and easy. 
I'm very green on this subject haha""}]" +paloaltonetworks-2,"[{""user"": ""msfsh"", ""timestamp"": 1694817805.0, ""content"": ""Title: OpenSSL showcerts on Digicert certificate gives error unable to verify the first certificate\n Body: Hi,\n\nI have some issue with my wildcard certificate that is used in Azure WAF listener.\n\nRunning the following command:\n\nopenssl s\\_client -showcerts \\\\-connect [myapp.example.com:443](https://myapp.example.com:443)\n\nGives me following error:\n\n CONNECTED(00000005)\n depth=0 verify error:num=20:unable to get local issuer certificate \n verify return:1 \n depth=0 verify error:num=21:unable to verify the first certificate \n verify return:1 \n depth=0 verify return:1\n\nBut if I am checking it from the browser then it seems like everything looks fine, It shows the following certicicates: \\*.example.com, DigiCert TLS RSA SHA256 2020 CA1, DigiCert Global Root CA.\n\nHowever, this issue causes problem for some of my API to communicate as an exception with unable to verify the first certificate occurs.\n\nDoes anyone know how I can check if my certificate is correct and that the chain in the certificate is OK?""}]" +paloaltonetworks-3,"[{""user"": ""151ozs"", ""timestamp"": 1694802533.0, ""content"": ""Title: For HA pairs, any reason to not use one management cert with both firewall names as subject alternative names (SANs)?\n Body: I was getting ready to redo all of our Palos' management certs when I realized I could probably just create one cert for each HA pair with the DNS names of both the firewalls in the subject alternative name attributes. 
I could then set this common cert as well as a common SSL/TLS cert policy pointing to that cert as part of the template stack that gets pushed to both firewalls.\n\nAny reason to not do this?""}, {""user"": ""6qgsi"", ""timestamp"": 1694805148.0, ""content"": ""Nope""}, {""user"": ""1stnubp2"", ""timestamp"": 1694811076.0, ""content"": ""We are doing that without any issues""}]" +paloaltonetworks-4,"[{""user"": ""2c207fsg"", ""timestamp"": 1694814970.0, ""content"": ""Title: Dynamic Address Group vCenter mapping\n Body: We have many Datacenters and Clusters configured in our vCenter and whenever a new one is configured we have to manually add the path to the DAG. Is there any way to get around this using wildcards or other variables?\n\nThis is an example DAG configuration:\n\n\""vcenter01\\_datacenter01\\_cluster05\\_tag-category.tag-name\"" or\n\n\""vcenter01\\_datacenter02\\_cluster10\\_tag-category.tag-name\"" or\n\n\""vcenter01\\_datacenter03\\_cluster23\\_tag-category.tag-name\""\n\nI have tried this and it doesn't work but something like:\n\n\""\\*\\_\\*\\_\\*\\_tag-category.tag-name\""\""\n\n​""}]" +paloaltonetworks-5,"[{""user"": ""jrw1ikdos"", ""timestamp"": 1694791922.0, ""content"": ""Title: VPN Failed login notification confusion\n Body: Hey all \n\n​\n\nI have VPN set up and we use Okta for authentication. I get emails on failed/successful login attempts. Recently there has been a bruteforce attempt on our VPN so I get a lot of emails, this is fine, for now. But my confusion comes with the fact that I cannot replicate the failed log in attempts. If I try to authenticate through okta with a invalid user I never get a notification.\n\n​\n\nMy question is, how can I figure out how/where they are attempting to log in that is causing these failed attempts? 
I'm stumped""}, {""user"": ""4yt6w"", ""timestamp"": 1694794787.0, ""content"": ""Please be aware there are Okta vulnerabilities right now.\n\nhttps://www.computerweekly.com/news/366551034/Okta-customers-targeted-in-new-wave-of-social-engineering-attacks\n\nIt is thought that the very recent MGM hack was via an Okta issue, though the full story there is still developing. \n\nIf it were Okta based, is there no logging on that side that you can glean extended information from?""}, {""user"": ""jrw1ikdos"", ""timestamp"": 1694796518.0, ""content"": ""Thank you for your response. Interestingly enough the okta side does not show any failed attempts except for my own.\n\n​\n\nThis leads me to believe they are somehow bypassing this login and attempting to send authentication attempts with another method. I'm not super familiar with how SAML works but is it possible they can send login requests directly to the firewall?\n\n​\n\nGlobalProtect logs show auth method saml and \""Authentication failed: Invalid username or password\"" for these failed attempts""}, {""user"": ""4yt6w"", ""timestamp"": 1694797894.0, ""content"": ""> I'm not super familiar with how SAML works but is it possible they can send login requests directly to the firewall?\n\nThat's a great question and I'm not entirely sure. I would consider if it was a lot of these to open an emergency ticket with Palo Alto to glean whatever is possible from the attempts.\n\nIf this is a lone attack or very low frequency, a ticket still might be necessary depending on your comfort with the failures seen or accounts being attempted. Even using SAML, under Monitor -> Logs -> GlobalProtect, we still see the connection type, the attempted user and the IP address it is attempted from.\n\nAre you not getting any of that?""}, {""user"": ""jrw1ikdos"", ""timestamp"": 1694798391.0, ""content"": ""I am getting that information, this has been going on for probably a month now. 
The reason I've not acted urgently on it is because it's very slow and the usernames its attempting to use don't exist so I'm honestly not very worried about it, I'm really just curious how they are attempting to log in since I cannot recreate it.\n\n​\n\nI agree that maybe I should just contact PA""}, {""user"": ""4yt6w"", ""timestamp"": 1694798578.0, ""content"": ""I wonder if there is some sort of replay or injection attack they are attempting. That would worry me greatly if is starts happening here. \n\nI think PA TAC is the way to go. If this is something like above, hopefully they might be able to spot it in progress to narrow it down.""}]" +paloaltonetworks-6,"[{""user"": ""j6gf6"", ""timestamp"": 1694809089.0, ""content"": ""Title: 1400s: how\u2019re they running so far?\n Body: I need to move to new hardware now after some EoS dates. 1410s look real appealing from the hardware perspective, but PANOS 11 still has me nervous. \n\nCan you guys who administer them let me know how\u2019s it\u2019s been so far?""}, {""user"": ""37ve4gbk"", ""timestamp"": 1694809368.0, ""content"": ""Sold a pair of 1410s and 1420s to a couple different customers recently, and no stability problems or anything like that.""}, {""user"": ""5jh7pojzs"", ""timestamp"": 1694814160.0, ""content"": ""11.0 is a no go, 10.2 either. 10.1 is the only stable OS with some decent longevity left. \n\nSource: work support for a major palo ASC.""}, {""user"": ""p1pda"", ""timestamp"": 1694811929.0, ""content"": ""Same have a few pairs installed already with different customers and more expecting a PO soon. No issues to speak of. 11.0 has been good so far.""}]" +paloaltonetworks-7,"[{""user"": ""krpry"", ""timestamp"": 1694797289.0, ""content"": ""Title: old CVE's showing up on endpoint vulnerability assessment even though up to date\n Body: I am pretty new the vulnerability assessment tool. I have numerous endpoints with similar CVEs being listed but they seem to be out of date. 
For example i have one (of many) machine that has CVE-2023-23403. This one is solved by update kb5023696, however that update is superseded by kb5025221, which is superseded by update kb5026361 and so on. In the end the machine in question has the updates that makes the above CVE not valid. I know we can filter out CVE's from our report but what happens if a machine actually has that vulnerability? Does anyone have experience filtering these CVEs so that updates needed are accurate?""}]" +paloaltonetworks-8,"[{""user"": ""46d15a34"", ""timestamp"": 1694796151.0, ""content"": ""Title: Add PSexec to Cortex as exception\n Body: Hi all,\n\nI've been trying to execute PSexec on my machine, but Cortex always blocks it. \n\n\n \n\nScreenshot below:\nhttps://imgur.com/6DvainA\n\n\n \n\n\nDetails:\n\n Application information:\n Application name:\tWindows host process (Rundll32)\n Application version:\t10.0.22621.1 (WinBuild.160101.0800)\n Application publisher:\tMicrosoft Corporation\n Process ID:\t27588\n Application location:\tC:\\Windows\\System32\\rundll32.exe\n Command line:\t\""C:\\WINDOWS\\system32\\RunDll32.exe\"" \n C:\\WINDOWS\\System32\\SHELL32.dll,RunAsNewUser_RunDLL Local\\{4ddb9f3f- \n 700c-4bd6-9fc0-eaf85c01d25b}.000001cc\n File origin:\tHard drive on this computer\n User name:\tadmin_as\n \n Prevention information:\n Prevention date:\tFriday, September 15, 2023\n Prevention time:\t12:35:44\n OS version:\t10.0.22621\n Component:\tBehavioral Threat Protection\n Status code:\tc0400067\n Prevention description:\tBehavioral threat detected\n Additional information 1:\tRule amsi_malicious.b.773263364473\n\n\n\n\n \n\nI've created a new malware profile and added the psexec path to it, and assigned the policy to my machine. 
\n\nStill has the same issue.\n\n\n \n\nI only want to enable PSexec to be run on a machine (my machine).**Is there any way to do this?** \n\n \n\nPA Support tells me that exception cannot be added.""}]" +paloaltonetworks-9,"[{""user"": ""8vst355xo"", ""timestamp"": 1694766637.0, ""content"": ""Title: High Availability on ESXi for Panorama VM\n Body: Hi, \n\nwe will deploy panorama VM on esxi server, but only bought 1 panorama license.\n\nSo our users want to use high availability from the hypervisor Esxi. Im not familiar with esxi/vsphere.\n\nThe question is, if we trigger high avilability from Esxi/vsphere, is the UUID and CPUID will change?\n\n​\n\nThanks,\n\nDenny""}, {""user"": ""bz77iuek"", ""timestamp"": 1694767318.0, ""content"": ""UUID and CPUID are unique to each firewall vm""}, {""user"": ""bz77iuek"", ""timestamp"": 1694767346.0, ""content"": ""They wont change if you implement HA""}, {""user"": ""8vst355xo"", ""timestamp"": 1694769789.0, ""content"": ""even HA from esxi?""}, {""user"": ""bz77iuek"", ""timestamp"": 1694772301.0, ""content"": ""Yes""}]" +paloaltonetworks-10,"[{""user"": ""dqlcisgg0"", ""timestamp"": 1694766381.0, ""content"": ""Title: Can create Zone for Shared Gateway on Panorama\n Body: Hi All\n\nI have a pair of Panorama managed firewalls and trying to configure a zone for the shared gateway but unable to do so . It just hangs ( Please see attachment )\n\nHowever I can perform the task locally on the firewalls although that s not the recommendation .\n\nHas anyone come across a similar situation ? Any help will be greatly appreciated . I m using version 10.2.4-h2 on both Panorama and the NGFWs\n\nLooking forward to hearing from you and thanks in advance.\n\n​""}]" +paloaltonetworks-11,"[{""user"": ""m252bam4"", ""timestamp"": 1694753442.0, ""content"": ""Title: Pa 200\n Body: Hello everyone! I am trying to setup an pa 200 just for learning purposes but I am a bit stuck at the moment. 
I am connecting to it via ethernet and configuring the Ip to a static ip and I'm still not having luck with it. Could someone please give me a bit if help?""}, {""user"": ""16m5mf"", ""timestamp"": 1694754449.0, ""content"": ""Do you have any policies in place to allow traffic to flow?""}, {""user"": ""b9ysa1a2"", ""timestamp"": 1694772789.0, ""content"": ""Are you connecting to your ethernet to the management port? You should be able to console into the device via the console port and check the management interface configuration \u201cshow interface management\u201d and change the IP address accordingly, don\u2019t forget to commit. If you\u2019re still having issues you should reset the entire device to its factory settings. One last thing you could try is disabling your firewall on your PC, assuming you\u2019re on a Windows machine""}, {""user"": ""m252bam4"", ""timestamp"": 1694770190.0, ""content"": ""I think I do. I am not able to change the Ip to find and manage it through my browser for some reason.""}, {""user"": ""7uevj7r2"", ""timestamp"": 1694787477.0, ""content"": ""does it have an IP address? if yes you can put a static IP on your computer on the same network and connect direclty your PC to the MGT port. From there you can have access to web UI""}]" +paloaltonetworks-12,"[{""user"": ""g5qd48tnl"", ""timestamp"": 1694716372.0, ""content"": ""Title: Blocking URLs that are using quic\n Body: Hi, trying to block a few URLs that are using the quic protocol. Could this be accomplished by using FQDNs since they are also on layer 4 with application set to 'quic'. I'm hoping this will block the quic traffic for the URLs and revert it back to TLS/SSL where it will be blocked by category.""}, {""user"": ""2z38uxaj"", ""timestamp"": 1694716664.0, ""content"": ""If you want to use URL filtering block Quick App and Encrypted DNS as one of your top rules. Then URL filtering will work fine. 
\n\nThe clients will fall back to traditional protocols to continue to function.""}, {""user"": ""v7o149dc"", ""timestamp"": 1694728094.0, ""content"": ""Could I ask about the use-case? Is something preventing you from blocking quic as an application using a security policy?""}, {""user"": ""8e8pvsdc"", ""timestamp"": 1694744806.0, ""content"": ""Why not turn quic off in everyone\u2019s chrome browser? It\u2019s really not doing anyone any favors leaving that beta protocol enabled so google can use their client base as beta and often alpha testers.""}, {""user"": ""8qk1un9z"", ""timestamp"": 1694787672.0, ""content"": ""I just doesn't allow port 443 UDP from internal zones to external. Quic automatically downgrade to TCP and HTTP2/.0 or HTTP/1.1 when the port is closed.""}, {""user"": ""g5qd48tnl"", ""timestamp"": 1694717705.0, ""content"": ""Unfortunately, my scope is essentially just trying to block these URLs only. I am just hoping the traffic will match FQDNs or if I have to use IPs which isn't ideal.""}, {""user"": ""g5qd48tnl"", ""timestamp"": 1694732680.0, ""content"": ""Without getting into specifics, I am a small cog in the machine. I can't affect other rules or traffic essentially.""}, {""user"": ""14gpx8"", ""timestamp"": 1694779095.0, ""content"": ""You should do this as well as drop it at your perimeter. If you turn it off at the perimeter and don\u2019t turn it off on browsers, performance will suck because browsers will still try a QUIC connection first, wait for that to fail, then fall back to legacy protocols.\n\nIf you turn it off on browsers only, you stand the chance of missing a device, maybe someone has an unsanctioned browser, devices that are not under your management that make it on the network, etc..""}, {""user"": ""4yt6w"", ""timestamp"": 1694718656.0, ""content"": ""It should work with three rules, you'll need to test it.\n\n* Create an object group full of the individual objects of the FQDNs you want to apply this to. 
\n* Block any outbound to the internet zone with that object group as the addresses using quic protocol\n* Block any outbound to the internet zone with that object group as the addresses using either udp\\80 or udp\\443\n* Allow any outbound to the internet normally in susequent rules as determined without blocking quic, udp\\80 or udp\\443.\n\nWhat I don't know is if this will match a URL group. I say that because one of the issues with URL blocking (not FQDN) is that if it cannot match http or https, the URL group blocking is ignored, from my understanding. This is also why you don't mix URL blocking rules with other ports.""}, {""user"": ""6lriu4sg"", ""timestamp"": 1694746939.0, ""content"": ""That\u2019s generally the wrong way to do it because you\u2019ll potentially block other sites or won\u2019t block everything you intend.""}, {""user"": ""v7o149dc"", ""timestamp"": 1694739215.0, ""content"": ""Okay, fair...but that's where the rest of the policy comes in. If you want to block quic for your team, use address group or user groups to limit the scope of the impact.""}, {""user"": ""8e8pvsdc"", ""timestamp"": 1694782970.0, ""content"": ""Good point, trust but verify. Trust you disabled all of them and verify by blocking the protocol at the edge.""}, {""user"": ""g5qd48tnl"", ""timestamp"": 1694719196.0, ""content"": ""Thank you this is kind of what I had in mind, I will give it a shot and hope for the best""}, {""user"": ""4yt6w"", ""timestamp"": 1694732122.0, ""content"": ""We did the reverse, which is created a quic allow group, mostly because we actually ran into one site used by an internal team that didn't like quic being blocked. All other quic, upd\\80 and udp\\443 is blocked, forcing quic off for everything else. 
\n\nI know that works fine, I don't see why the reverse wouldn't work as well.""}]" +paloaltonetworks-13,"[{""user"": ""bz77iuek"", ""timestamp"": 1694733724.0, ""content"": ""Title: Disk Type for Panorama Log Storage on Azure\n Body: Hi everyone, \n\nWhat is the recommended disk type (Standard HDD, Standard SSD or Premium SSD) for log storage on Panorama in Azure? \n\nNone of the documents (Deployment Guide, KB, Panorama Admin guide) address this and I'm trying to design a cost-effective solution.\n\nThanks!""}, {""user"": ""5gj3sjhny"", ""timestamp"": 1694737124.0, ""content"": ""Depends on the number of logs. More logs will need more iops. \nHow many firewalls sending logs? Any clue what the log rate will be?""}, {""user"": ""bz77iuek"", ""timestamp"": 1694737213.0, ""content"": ""There are 1 on-prem\n2 HA esxi \n2 HA in azure \nSending log \nHow do I define log rates ?""}, {""user"": ""5gj3sjhny"", ""timestamp"": 1694737322.0, ""content"": ""Unless there is crazy traffic going through those, I think you\u2019ll be fine with standard HDD. Standard SSD at most.""}]" +paloaltonetworks-14,"[{""user"": ""60u62"", ""timestamp"": 1694702832.0, ""content"": ""Title: Grouping rules for my PA tool\n Body: Hello there,\n\n​\n\nI'm a looking for a tool (in a wonderful world, that is free) to help me regroup my Pa rules.\n\n​\n\nI'm in an environment with a huge historic rules, that should be factorized IMO.\n\n​\n\nIs someone knowing a tool that could allow this kind of task ?\n\n​\n\nBest regards,""}, {""user"": ""6qgsi"", ""timestamp"": 1694707795.0, ""content"": ""expedition""}, {""user"": ""60u62"", ""timestamp"": 1694764181.0, ""content"": "">expedition\n\nI didn't know it is now working aside from migrating from other vendors FW. 
\n\n​\n\nThanks for the information, I will definitively take a look.\n\n​\n\nBest regards,""}]" +paloaltonetworks-15,"[{""user"": ""os3hi"", ""timestamp"": 1694676701.0, ""content"": ""Title: Threat Prevention vs Advanced Threat Prevention - huge cost increase?\n Body: Hi, we've been informed that the Threat Prevention subscription on our PAN-PA-3220 has been phased out and that we have to now opt for Advanced Threat Prevention which has resulted in a pretty significant price increase. Are there any options available for us to continue using TP? Or do we just have to eat the increased cost?""}, {""user"": ""15zxsi"", ""timestamp"": 1694687318.0, ""content"": ""Talk to your sales rep for tech refresh and Go for PA 1410, it'll give you better bandwidth and over all cost.""}, {""user"": ""i5gzh"", ""timestamp"": 1694681071.0, ""content"": ""Not sure who informed you of that but it\u2019s not the truth on a 3220""}, {""user"": ""7yor6"", ""timestamp"": 1694691794.0, ""content"": ""We pushed back and they allowed us to renew with regular threat prevention this year on our 3220s.""}, {""user"": ""c8iwwydk"", ""timestamp"": 1694677380.0, ""content"": ""I believe they still have to offer TP for firewalls in an air gapped environment since they wouldn\u2019t be able to have a cloud connection to take advantage of the \u201cA\u201d in ATP.""}, {""user"": ""11qli9"", ""timestamp"": 1694692594.0, ""content"": ""Tell your rep you will be shopping other vendors, that will change their tune.""}, {""user"": ""43ro04kl"", ""timestamp"": 1694743410.0, ""content"": ""Tell the rep to get you ATP for the price of TP- they do it all the time""}, {""user"": ""3up2qoit"", ""timestamp"": 1694687522.0, ""content"": ""And you can take advantage of the core bundles which will give you ATP, AURL, AW, DNS, and SD-WAN for the cost of 2.7 subs.""}, {""user"": ""qviia"", ""timestamp"": 1694713206.0, ""content"": ""Exactly what we did.""}]" +paloaltonetworks-16,"[{""user"": ""4wsimck3"", 
""timestamp"": 1694706758.0, ""content"": ""Title: Weird Global Protect Issue\n Body: I have an Global Protect Environment that consists of one Portal (Hosted in the Cloud) and three Gateways (On hosted in the Cloud and two others hosted on on-prem Firewalls). I currently have MFA Authentication setup through OKTA via Radius. We are currently running GP 6.1.0 and 10.2.x on the Firewall at this time.\n\nThe weird issue that I am noticing is specifically only for our windows endpoints is that when a user first launches their GP Agent and hits \""connect\"" the VPN process goes from \""**connecting**\"" then to \""**not connected**\"" and if left untouched for 4-5 seconds the agent will automatically prompts the user to sign in using their AD Creds. Once they sign in their is no further issues and the connection works perfectly. The process of the VPN going from \""**connecting**\"" then to \""**not connected**\"" then randomly going to user sign-in after 5 undisturbed seconds creates concerns for us because if an end user keeps clicking \""**connect**\"" rather then waiting for 5 seconds while the app says \""not connected\"" they will get stuck in a loop. \n\nMy original theory on the issue was that perhaps that was something surrounding my authentication cookie configuration, however I am starting to think not the case, as this issue appears prior to the portal/gateway authentication stage.\n\nI have tried testing around with different versions of GP throughout the major versions of 5.x.x and 6.x.x and still notice this issue throughout the different versions. I have also tested with company managed PCs and my personal PC thinking that perhaps our company PCs have a setting that is causing this issue, but still this issue exists when trying to connect to the portal. This makes me believe perhaps its not the agent itself that's the issue but something on my portal instead Unfortunately, pantac has been of no help to me either. 
The are claiming that this is \""expected behavior\"" which I find it really hard to believe...\n\nAny thoughts on what may be wrong?""}]" +paloaltonetworks-17,"[{""user"": ""dqlcisgg0"", ""timestamp"": 1694683303.0, ""content"": ""Title: Apps and Threats Mismatch\n Body: Hi All\n\nI have a pair of Panorama managed Firewalls configured in a HA Setup . However I m observing a mismatch on the App and Threat versions across both devices . Although the \""Synch To Peer\"" option is enabled on the App and Threat schedule settings they both appear to be running on different versions ( Please see attachments for reference)\n\nHow do I best fix that ?\n\nThanks in advance""}, {""user"": ""38yqnraq"", ""timestamp"": 1694704177.0, ""content"": ""The \""Sync to peer\"" option is likely causing your problem. This option is only meant to be used to sync to Passive devices that are using a service route for Dynamic Updates and therefore cannot retrieve the updates themselves while the dataplane is passive and down. 
If a device tries to install it's own dynamic updates at the same time that the peer is trying to sync to it the whole thing can fail.\n\nDisable the \""Sync to peer\"" on the schedules and just make sure that both devices are using the same Dynamic updates schedule.""}, {""user"": ""dqlcisgg0"", ""timestamp"": 1694685922.0, ""content"": ""Yes the clock is matching on both firewalls , this is synchronized by Panorama""}, {""user"": ""dqlcisgg0"", ""timestamp"": 1694695804.0, ""content"": ""It s sorted now , I use the \"" Check Now \"" option and downloaded and installed the version that matches the peer device .\n\nThanks for your help""}, {""user"": ""1jt5cf50"", ""timestamp"": 1694684826.0, ""content"": ""Did you verified the clock on each firewalls?""}, {""user"": ""4nafb"", ""timestamp"": 1694692925.0, ""content"": ""I see this happen occasionally on a HA Pair - it sometimes fixes itself on the next update or I manually download/install the update on one or both of the HA pair.\n\nUsually I notice that the latest version is downloaded but no active on one of them.\n\nNot using Panorama though.""}, {""user"": ""bf73y"", ""timestamp"": 1694723045.0, ""content"": ""Agreed. I just have both firewalls in a pair download the updates themselves and then you can create a rule in the log settings to let you know if an update fails.""}]" +paloaltonetworks-18,"[{""user"": ""cqa62xx"", ""timestamp"": 1694689484.0, ""content"": ""Title: Global Protect Error: Valid Cert required.\n Body: Hi\n\nI am having an issue with Global Protect on an M2 Macbook Pro. User cert is installed and trusted. I am using the latest install of Global Protect, and I am receiving an error saying that a valid cert is required for connection. The cert has a one year expiry date set. The same cert is working 100% on a Windows system. \n\nAny advice would be appreciated. ""}, {""user"": ""ao50hldk"", ""timestamp"": 1694694431.0, ""content"": ""Is the private key installed along with the cert? 
And the mac itself recognizes that the cert had the full CA chain trusted and installed?""}, {""user"": ""2z38uxaj"", ""timestamp"": 1694807747.0, ""content"": ""If you control the firewall I have had the best luck with MAC allowing the firewall to first push the certs down to the host and then doing a check for them. Manual is hit and miss typically.""}, {""user"": ""cqa62xx"", ""timestamp"": 1694703809.0, ""content"": ""The Root and the Issuing CA cert are installed yes. All certs are set as trusted.""}, {""user"": ""ao50hldk"", ""timestamp"": 1694706899.0, ""content"": ""Besides that yea private key would be the last thing. Are they in the user store or in the machine store?\n\nThe portal has a setting to where it searches either user\nOr machine store, set it to both for testing if it\u2019s already isn\u2019t there.\n\nTake pcaps on the Mac and check the ssl handshake where the sever is requesting client auth, then check to see what the client sends, is the client cert portion 0 bytes?""}]" +paloaltonetworks-19,"[{""user"": ""80kgfvtr"", ""timestamp"": 1694684826.0, ""content"": ""Title: Bidirectional Support in Prisma Cloud\n Body: Hello everyone, I had a doubt. Does Prisma cloud has Bidirectional support for status and severity changes. Like if I change status or severity on Prisma Cloud, can the same thing change on my platform automatically as well, and vice-versa. ? ""}, {""user"": ""kevpn"", ""timestamp"": 1694704009.0, ""content"": ""When you say \u201cplatform as well\u201d, what do you mean by that? Cloud providers don\u2019t natively have CSPM capabilities unless you\u2019re paying for something else, in which case we\u2019d need to know what that something else is.""}]" +paloaltonetworks-20,"[{""user"": ""7m4fg2wbv"", ""timestamp"": 1694664836.0, ""content"": ""Title: Restricting GlobalProtect user access rights in security rules\n Body: Hello everyone\uff0c\n\nThere is such a requirement. 
The customer wants to restrict the access rights of GP users in the security policy, and then the following configuration on firewall\n\nwe need to add AD domain control to the firewall, configure server profile and authentication profile. and complete the configuration of gp gateways and portals ,\n\nIs it necessary to do group mapping?\n\nConfiguration requirements\uff1a\n\nhttps://preview.redd.it/k90cckmzb5ob1.png?width=1031&format=png&auto=webp&s=ec379ebc3a32439c557c23b88ae4ff634ce197c1""}, {""user"": ""3kx8u"", ""timestamp"": 1694666100.0, ""content"": ""you only need to do group mapping if you want to write rules based on group membership. If all you want AD for is authentication, then you don't need to deal with group mapping.\n\nThat said, group mapping and being able to write rules based on user group membership is pretty awesome, and GlobalProtect users are a great use case for this, since by nature all of them will have been authenticated and the firewall knows who they are. UserID is more complicated for on-prem users.""}, {""user"": ""4yt6w"", ""timestamp"": 1694666547.0, ""content"": ""This is an answer in two parts. \n\nFirst, you want to set up User-Identification. This leverages a server profile (to your AD domain, usually under Server Profiles - LDAP.) But it also references the User and Group Attributes and usually a Group Include List for things that are searched within AD. To do this you'll leverage a base and bind DN with account/password that is allowed to do those lookups. You'll also need one or more AD servers that will allow the lookups from that account. \n\nAfter that's done, then the reference of the user from GP into a policy is as easy as adding that under the source category as the domain\\user and performing the allow or block as needed. 
You can also do this by group.\n\nI apologize I don't have examples to link but adding User-ID based on AD is WELL covered on the Palo Alto online documentation.""}, {""user"": ""12a1gw"", ""timestamp"": 1694722958.0, ""content"": ""Hi u/tom_xia\n\nIf you only want to restrict GP users specifically, and don't need group mappings, you can just create the security policy using the GP zone. I guess you've created a specific zone for your GP clients?\n\nAs soon as you use GP, you will already have the User-ID mappings collected from the GP agent.\n\nIf you need User-ID information distributed to other firewalls, look up Data Redistribution.\n\nHope it helps, or feel free to comment any questions.""}, {""user"": ""7sfhnl2p"", ""timestamp"": 1694790625.0, ""content"": ""You can use SLDAP, SAML and Azure Directory Services to do your security group mappings \n\nor \n\nIf you want to go simply old school you can just add local user accounts to your PaloAlto and do GP that way but of course there are security considerations with this.""}, {""user"": ""7m4fg2wbv"", ""timestamp"": 1694671554.0, ""content"": ""Thank you for your answer. What I understand is that there is no need to configure group mapping.""}, {""user"": ""7m4fg2wbv"", ""timestamp"": 1694671705.0, ""content"": ""What you said is very detailed and professional.I will do further testing next time, there should be no problem.\n\nThank you\uff01""}, {""user"": ""60u62"", ""timestamp"": 1694702220.0, ""content"": ""100% agree that User-ID / Group-mapping is a really good feature. Also note that your PA will be able to map also local users (without global protect), which is allowing a lot of flexibility in your rules writing.""}]" +paloaltonetworks-21,"[{""user"": ""djpc5"", ""timestamp"": 1694676546.0, ""content"": ""Title: GlobalProtect disconnecting in remote desktop\n Body: I have a desktop that runs scripts that require access to a specific folder. To access this folder, GlobalProtect needs to be 'on'. 
This desktop is access remotely by two users (I and another member of my team). To access this desktop, I have to have GlobalProtect 'on' in my laptop.\n\nWhat I need is to have GlobalProtect always 'on' on the desktop. However, every time I log into the desktop, GlobalProtects asks for my credentials, so, I think GlobalProtect is randomly disconnecting, because the scripts cannot reach the specific folder.\n\nIs there something I can do to prevent that from happening?\n\nThanks.""}, {""user"": ""c8iwwydk"", ""timestamp"": 1694677640.0, ""content"": ""GP can be configured as \u201calways-on\u201d so that if there are network issues it will reconnect automatically.\n\nThe use case it solves are for where you want an endpoint to be connected immediately at login for a user. You can even configure it so that it connects before a user even logs in if you want.\n\nBut it sounds like it will help you here too.""}, {""user"": ""djpc5"", ""timestamp"": 1694680477.0, ""content"": ""I have requested the \""always-on\"" to be enabled, which I received confirmation it was, but it does not seem to be working. By looking at the docs, I did not find anything I need to do from the endpoint. 
Maybe I am missing something?""}]" +paloaltonetworks-22,"[{""user"": ""6puhf"", ""timestamp"": 1694640515.0, ""content"": ""Title: BGP Only Advertise Subnet from Larger Advertisement\n Body: Hi all,\n\nApologies if this is a dumb question, but hitting a bit of a brick wall and my google-fu is coming up short.\n\nDoes anyone know if/how you can export a route via BGP to a peer that is a subnet of a summarised route learnt from a different BGP peer (different AS)?\n\nFor example, if I'm learning [10.10.0.0/18](https://10.10.0.0/18) from BGP Peer 1 on AS1, how can I just export [10.10.40.0/24](https://10.10.40.0/24) to a different BGP peer on say AS2?\n\nIf I try to restrict the IP in the export filter, it just doesn't match (which makes sense), and doesn't get exported.\n\nThe only hit I can find is a Palo page on using route tracking to redistribute a static, which seems a touch hacky/not-easy to support (well I say support, more I worry others coming along to support this later down the line would scratch their head).\n\nThanks all!""}, {""user"": ""4yt6w"", ""timestamp"": 1694665511.0, ""content"": ""You'd have to use a static and redistribution via BGP, along with an export filter. You could go the OTHER way, like having 10.10.40.0/24 as an advertised BGP route to you and you send 10.10.0.0/18 as a summary route, but otherwise you're wanting to advertise something MORE specific than you're getting. So .... static and redistribute via BGP.\n\nMy guess, based on your use of private routes is that you're the sole peer that will advertise that to AS2? At that point what's the harm in using the static to source it from your gear? \n\nThis is when you have to traffic engineer routes a bit. If you don't get that route directly but are NOT the sole source of that route to AS2, then why are you wanting to source it from yourself? 
If AS2 is getting it from another source but you are backup, prepend it to them instead of just sending it out as a static redistributed into BGP.""}, {""user"": ""6puhf"", ""timestamp"": 1694678468.0, ""content"": ""Thanks all, sounds like my fears/approach are confirmed (thanks for being a sounding board!).\n\nUnfortunately I'm getting /18's, so for now I'll have to keep to advertising the /18 across as think it will be simpler for future engineers to pick up.""}, {""user"": ""yy2by0u"", ""timestamp"": 1694643737.0, ""content"": ""Are you seeing the 10.10.40.0/24 in your RIB or just the aggregate? If just the aggregate then you\u2019ll need to generate the route somehow BUT depending how you generate the route you can introduce unwanted results. Maybe static towards BGP peer in AS1 and then redistribute.""}, {""user"": ""bknba"", ""timestamp"": 1694716986.0, ""content"": ""Do you control Peer 1? If you do, this might be an option:\n\nhttps://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000kFJLCA2""}, {""user"": ""x04u8"", ""timestamp"": 1694658069.0, ""content"": ""This is basically accurate. To add some clarification. To advertise a prefix (subet) u have to have exactly that prefix in your route table.""}]" +paloaltonetworks-23,"[{""user"": ""64lm8o2w"", ""timestamp"": 1694643779.0, ""content"": ""Title: Learning palo alto and PCNSA\n Body: Hi everyone, \n\nI'm interested in learning palo alto firewalls but don't know where to start. I saw the PCNSA certification on their website and I'm willing to learn and study for it. I recently got my ccna so I'm pretty confident in basic networking. My question is, what's the best resource (free if possible) to learn this stuff? I saw that there is self-study material they provide on their website but is there more to it? In terms of getting hands-on experience/labbing, what's the best way to go about it? I'm willing to pay if need be but I'm also looking for something inexpensive. 
""}, {""user"": ""iwa56tljh"", ""timestamp"": 1694721878.0, ""content"": ""today I passed my exam with exam dumps . try now and clear your exam in first attempt: [https://www.pass4surexams.com/palo-alto-networks/pcnsa-dumps.html](https://www.pass4surexams.com/palo-alto-networks/pcnsa-dumps.html)""}, {""user"": ""16m5mf"", ""timestamp"": 1694656001.0, ""content"": ""There are some great courses at Udemy everything from basic to advanced firewall configuration. Palo Alto Live also has bunches of videos on configuration.\n\nHere is a what to do after unpacking the NGFW kind of a course 0.\nhttps://www.youtube.com/watch?v=f0hHcITXqDw""}, {""user"": ""64lm8o2w"", ""timestamp"": 1694662109.0, ""content"": ""Thanks I'll check those out. But how about actual hands on/lab experience. Is there anything similar to how the ccna has packet tracer?""}]" +paloaltonetworks-24,"[{""user"": ""1bhdcdb"", ""timestamp"": 1694621793.0, ""content"": ""Title: Palo Alto 410 - Default route behaivor?\n Body: Hi all,\n\nI have a PA-410 at a site, and I have two ISP connections on two different interfaces. The default route for both of these connections is a [0.0.0.0/0](https://0.0.0.0/0) with the Primary one being metric 10 and the secondary being metric 200. When the primary goes down or can't ping out, it is swapped over to the secondary. I use an external ping monitor application to monitor these connections. For some reason, even though the default route is the primary one for this site, I'm still able to ping the IP address on the secondary interface from outside on the internet. Why is this? All other sites with this configuration I cannot ping the secondary IP until the first one goes down (as it should be as the firewall has no default route out to reply back).\n\nI have verified this by issuing 'show routing fib' and see the primary being the default.\n\nI see the pings in the firewall logs hitting my firewall to the secondary IP being allowed through. 
Why is my firewall responding?\n\n​\n\nEdit: I should note that these two interfaces are the in same zone. I see the traffic being allowed as \""intrazone default\"".""}, {""user"": ""151ozs"", ""timestamp"": 1694642757.0, ""content"": ""My experience is that Palos will allow session traffic across multiple interfaces so long as they are in the same zone. So when pings come in on ISP2, the Palo will send the replies using ISP1 and its default route.\n\nAre the ISPs in the same zone at the other sites?""}, {""user"": ""i5gzh"", ""timestamp"": 1694630291.0, ""content"": ""Sounds like the default route isn\u2019t being removed out the primary. Are you doing any tracking? You\u2019d need to track IPs out the default and make the default route dependent on those. If those fail you can remove the default route automatically""}, {""user"": ""ks5ff"", ""timestamp"": 1694639890.0, ""content"": ""Why not enable ecmp and just use both isp links? Actually you may be doing that aready? Check if ecmp is enabled could explain what is happening""}, {""user"": ""3c7af5b5"", ""timestamp"": 1694650048.0, ""content"": ""Can you post a screenshot of your static routes?""}, {""user"": ""2iok9w7f"", ""timestamp"": 1694662367.0, ""content"": ""This. Exactly. Because the interfaces are in the same zone it isn\u2019t seen as an asymmetric flow.""}, {""user"": ""38yqnraq"", ""timestamp"": 1694704804.0, ""content"": ""Yes, and the likely reason you are seeing a return on the ping at this site compared to others is that the ISP at this site is not fussy about forwarding packets from source IPs that don't match your assigned IPs. Other ISPs might drop it as a spoofed packet.""}, {""user"": ""1bhdcdb"", ""timestamp"": 1694631970.0, ""content"": ""Tracking as far as path monitoring? If so, yes it is monitored. I see the primary being up and is reflected in show routing fib. But the secondary IP on the other interface can still be pinged even though the monitor for the primary is up. 
In show routing fib, the primary default route is the proper one, not my secondary ISP connection. I do have monitoring on the secondary as well, in the case that fails as well as the primary, it falls back to our cellular backup. Secondary monitor is up, but route is not in fib table as the primary isn't down.""}, {""user"": ""1bhdcdb"", ""timestamp"": 1694640263.0, ""content"": ""We are not using ECMP. We don't want to use both ISP links for general internet traffic, as the secondary is used for our primary link for SD-WAN. Only time we use the secondary link for general client internet access is if the main internet goes down.""}, {""user"": ""i5gzh"", ""timestamp"": 1694632684.0, ""content"": ""Screenshot your path monitoring settings. Try remove sensitive data""}, {""user"": ""1bhdcdb"", ""timestamp"": 1694635861.0, ""content"": ""[https://imgur.com/a/b2IbUtb](https://imgur.com/a/b2IbUtb)\n\nHere you go, no sensitive info as we use templates/variables.""}]" +paloaltonetworks-25,"[{""user"": ""yy2by0u"", ""timestamp"": 1694639399.0, ""content"": ""Title: Global Protect Connecting to Portal Post-Install\n Body: Does anyone know what registry settings prevents Global Protect from automatically trying to login post-install? This is before initial connection to the portal/gateways.""}, {""user"": ""yy2by0u"", ""timestamp"": 1694659012.0, ""content"": ""We push custom options to use on-demand, default browser for SAML, and the portal address that\u2019s about it. But immediately after install it tries to connect to the portal and then fails, this is all before the user interacts with the GP client. So it\u2019s an unwanted result and tried all the different registry keys with no success.\n\non-demand\nuse-sso\nconnect method""}, {""user"": ""shq4z6me"", ""timestamp"": 1694650873.0, ""content"": ""What connect method are you using? 
Believe default is user logon(always-on).\n\nIf deployed/installed with on-demand should resolve auto connect on installation.""}, {""user"": ""7m4fg2wbv"", ""timestamp"": 1694666040.0, ""content"": ""Set the Global Protect connection method to On-demand (Manual user initiated connection)""}, {""user"": ""yy2by0u"", ""timestamp"": 1694686858.0, ""content"": ""It is set to on-demand via the install options. For some reason it tries to initially connect to the portal after install.""}]" +paloaltonetworks-26,"[{""user"": ""f8pfz"", ""timestamp"": 1694632956.0, ""content"": ""Title: Dual ISPs with ECMP and static route monitoring - Path monitoring fails on second route every 30-60 minutes - is this a bug?\n Body: Hi all, hoping somebody has faced a similar situation to me with configuring dual ISPs with a PA firewall. \n\nWe recently brought in a second ISP line to our building and opted to use ECMP to aggregate the links and provide failover. I configured a single virtual router with 2 default routes (1 route to each ISP) with the same metric. I enabled path monitoring on both routes using Cloudflare and Google DNS servers as the targets. Failover condition is set to all, with a 2 minute pre-emptive hold time. I also enabled ECMP, with Symmetric Return and Strict Source Path enabled, Load balancing is IP Hash using source/destination ports. I configured the appropriate NAT for each ISP as well.\n\nThe issue I'm facing is that every 30-60 minutes or so, the path monitoring fails for ISP2. It's ALWAYS ISP2. I tested the ISP2 circuit independently didn't find any issues. This failure is causing major issues as connections seem to randomly drop. \n\nMy hunch is the route monitoring packets for ISP2 are occasionally going through the wrong interface (ISP1), which is causing packets to drop and the link to fail. Is there a configuration I am missing somewhere? \n\nI'm running PanOS 10.2.4-h4 on a PA-450. I also tried PanOS 10.2.3-h4 and 10.2.5 - all exhibit the same issue. 
\n\n​""}, {""user"": ""briif"", ""timestamp"": 1694639411.0, ""content"": ""I have same config running perfectly for months+ on 10.1.x track in half dozen sites.""}, {""user"": ""1bvg0jmi"", ""timestamp"": 1694650632.0, ""content"": ""I've never had an issue with this. The only thing I do that you didn't mention is that I put extra static routes each direction for the IPs that I'm tracking for each. I'm 99% sure that's not necessary though, since it sources those tracking pings from the appropriate interface.""}, {""user"": ""f8pfz"", ""timestamp"": 1694642700.0, ""content"": ""Hmm.. wonder if it's something to do with 10.2.x series firmware then. Or perhaps a bug with PA-44x series. It's absurd how intermittent this issue is.\r \n\r \nI followed all available documentation to a T. The fact that the monitoring packets drop randomly after 30-60 minutes is really perplexing. I tested the circuit for hours and there were no issues.\r \n\r \nI might go the dual-virtual router method to see if it fixes the problem. Unfortunately ECMP doesn't work with multiple VRs (AFAIK). I'm beginning to hate PA now. Too many stupid little bugs that are adding up.""}, {""user"": ""15zxsi"", ""timestamp"": 1694655892.0, ""content"": ""Add static routes for each monitoring IP and point out to next hop.""}, {""user"": ""briif"", ""timestamp"": 1694645538.0, ""content"": ""Disable ecmp and change route metric to use ISP2 only for a day or two (keeping route monitoring in place) to see if the problem remains? \n\nOr make ISP1 the active, but put a policy based route in for a single host to do checks via firewall for a single inside device you control to see if you still see failures.""}, {""user"": ""f8pfz"", ""timestamp"": 1694717688.0, ""content"": ""u/bryanether u/shoieb-arshad\n\nThat's an interesting suggestion. So how would this work? 
If my monitoring IP is [1.1.1.1](https://1.1.1.1), do I create two additional static routes, one for each ISP, with the same metric using the respective gateway for each ISP? ie:\n\n**Static Route #1:** \n`Destination: 1.1.1.1/32` \n`Interface: ethernet1/1` \n`Next Hop: IP Address ` \n`Admin Distance: ` \n`Metric: 10`\n\n**Static Route #2:** \n`Destination: 1.1.1.1/32` \n`Interface: ethernet2/1` \n`Next Hop: IP Address ` \n`Admin Distance: ` \n`Metric: 10`""}, {""user"": ""1bvg0jmi"", ""timestamp"": 1694659444.0, ""content"": ""Yep, that's what I do. Just because I want 100% predictable behavior.""}, {""user"": ""f8pfz"", ""timestamp"": 1694649055.0, ""content"": ""Thanks for the suggestion. I'll try disabling the ECMP and will keep route monitoring in place. Will see how things look over the next day or two. \n\n Unfortunately I have two site to site VPNs configured on ISP1, and I haven't been able to get the tunnel to work properly with ISP2. So many cascading issues, trying to debug one at a time.""}, {""user"": ""1bvg0jmi"", ""timestamp"": 1694717955.0, ""content"": ""I always use different monitoring IPs too. Like 8.8.8.8 and 1.1.1.1 on the primary connection, and 8.8.4.4 and 1.0.0.1 on the secondary.""}, {""user"": ""15zxsi"", ""timestamp"": 1694718195.0, ""content"": ""No. \n\nonly add static route #1. And monitor for ISP1\nThen for static route #2 put 8.8.8.8/32. And monitor for ISP2.\n\nJust make sure it 1.1.1.1 is always ISP1. And 8.8.8.8nis always ISP2.""}, {""user"": ""38yqnraq"", ""timestamp"": 1694705296.0, ""content"": ""How did you test the pings to google/cloudflare on ISP2?\n\nSo far I'm hearing you say you have 2 problems that only happen on ISP2. 
That seems like a red flag to me.""}]" +paloaltonetworks-27,"[{""user"": ""gg3d6"", ""timestamp"": 1694627934.0, ""content"": ""Title: Need some help updating lists in security policy via CLI and the syntax.\n Body: Hello!\n\nI'm trying to work with the following item from one my security policies\n\nset device-group Alpha\\_Template pre-rulebase security rules \""Permit X to Y\"" application \\[ ms-office365 outlook-web-online smtp ssl web-browsing \\] \n\nI want to remove smtp via cli. But when I issue the following command:\n\nset device-group Alpha\\_Template pre-rulebase security rules \""Permit X to Y\"" application \\[ ms-office365 outlook-web-online ssl web-browsing \\] \n\nIt just adds the items in the new list, changing nothing. It doesn't treat the command as being the absolute list I want applied. Searching Palo Alto's CLI references have come up with nothing, likely because I'm not asking the right question. Can anyone give me some guidance?\n\n​""}, {""user"": ""ibia0"", ""timestamp"": 1694636256.0, ""content"": ""Use the starting keyword 'delete' and post application 'smtp'\n\nShould remove just SMTP from that rule""}, {""user"": ""91wqd"", ""timestamp"": 1694637896.0, ""content"": ""delete device-group Alpha\\_Template pre-rulebase security rules \""Permit X to Y\"" application \\[ smtp \\]""}, {""user"": ""gg3d6"", ""timestamp"": 1694637994.0, ""content"": ""Thank you. It felt weird to use delete since previously I only used it to delete whole policies.""}, {""user"": ""ibia0"", ""timestamp"": 1694638073.0, ""content"": ""It's still danger mode everytime I think about doing it (and use it often). Always lab test that delete command there first!""}]" +paloaltonetworks-28,"[{""user"": ""5qq8l"", ""timestamp"": 1694626284.0, ""content"": ""Title: HIP Check for Minimum MacOS Versions?\n Body: So I've been struggling to get an answer from Palo Alto support about this and wanted to ask the group. 
We're trying to get a HIP check to enforce minimum versions of MacOS and it's been difficult to get an answer. \n\nAt a high level, we'd want to pass clients who are running a MacOS higher than one of the three releases.\n\n12.6.9 +\n\n13.5.2 +\n\n14.0.1 +\n\nIs this even reasonably doable? It seems like this should be an easy regex but I'm running into dead ends from the PA team.""}, {""user"": ""kmxur"", ""timestamp"": 1694627945.0, ""content"": ""You're going to need to define HIP objects for each of the allowed versions, and then use them in a HIP profile. The OS identification is a Contains match, not regex.""}, {""user"": ""bf73y"", ""timestamp"": 1694632629.0, ""content"": ""Make sure you have the GlobalProtect Data File set to download and update in the dynamic updates section. Same place as the content updates""}, {""user"": ""5qq8l"", ""timestamp"": 1694637305.0, ""content"": ""That makes sense, if only PA explained it to us that way.""}]" +paloaltonetworks-29,"[{""user"": ""cn3l7k32"", ""timestamp"": 1694620685.0, ""content"": ""Title: How to delete Panorama pushed configure\n Body: Trying to delete a specific network configuration( IPsec tunnel) pushed from panorama .\n\nIf I select the override option, I can make modifications but I can\u2019t delete it completely from the Firewall.\n\nIs there a way to delete the panorama pushed configuration without disconnecting the firewall from panorama and making the configuration all local.""}, {""user"": ""em3neum"", ""timestamp"": 1694621911.0, ""content"": ""Not if it's in the Template that is being pushed to the FW. 
The only way to not push it to the FW would be to delete it from the Template or move that config to a Template that doesn't apply to that FW.""}, {""user"": ""91wqd"", ""timestamp"": 1694637771.0, ""content"": ""If you need to delete it completely remove the tunnel configuration from the template being used and do a full push of the template stack to the firewall.""}]" +paloaltonetworks-30,"[{""user"": ""ucp8a"", ""timestamp"": 1694610128.0, ""content"": ""Title: Panorama Push with Force Template Values not working? via XML API\n Body: I am using the Panorma XML API on Software Version 10.2.4.\n\nI am trying to send an API request to get the Panorama to push to a specific template-stack and force the template values. However, even after copying the exact command from the XML API docs, the PA API is still returning an error.\n\nHere is the XML command I am sending:\n\n \n\nThis is the response I get back:\n\n \n\n \n \n template-stack -> force-template-values is invalid\\]\\]> \n \n \n \n\n\nIf I specify the template name, it works fine, e.g:\n\n my-cool-template\n\n​""}, {""user"": ""t2swg2j"", ""timestamp"": 1694615843.0, ""content"": ""Did you try specifying the name along with the force?""}, {""user"": ""t2swg2j"", ""timestamp"": 1694616415.0, ""content"": ""I think you may also have to specify a value of \u201cyes\u201d inside the force tag.""}, {""user"": ""ucp8a"", ""timestamp"": 1694617198.0, ""content"": ""Yes you are right thanks, I just figured this out now too.""}]" +paloaltonetworks-31,"[{""user"": ""o5x44"", ""timestamp"": 1694609921.0, ""content"": ""Title: Auto client update for Linux?\n Body: Good day\n\nI saw that the GP gateway is capable of promt a update message to the user when there is a client update. Does this works only on windows or does it also work for Linux and Mac?""}, {""user"": ""kmxur"", ""timestamp"": 1694628006.0, ""content"": ""It works for Mac and Windows. 
Not Linux or mobile.""}, {""user"": ""o5x44"", ""timestamp"": 1694628517.0, ""content"": ""Oh okay, thanks for the info!""}]" +paloaltonetworks-32,"[{""user"": ""2z38uxaj"", ""timestamp"": 1694549926.0, ""content"": ""Title: Ignite 1 day VS Ignite 3 day\n Body: Just touching base with the community looking for some feedback on how people are feeling about the 1 day Ignite at multiple cities VS the historical 3 single site conference.\n\nPersonally I am not in a large city where the conference it going to be so I have to travel for two days to attend a one day conference. It appears that the one day conference is moving away from technical and to more sales driven for C level type folks. Which does not interest me as an engineer.\n\nI hope personally hope they go back to that traditional Ignite conference. Would love to hear thoughts from the rest of the members here. Thank you!""}, {""user"": ""p1pda"", ""timestamp"": 1694555963.0, ""content"": ""Agree, a three day one I would have gone to, but as you say traveling for two days for a one day event makes no sense - I\u2019m on west coast.""}, {""user"": ""b84zwlas"", ""timestamp"": 1694561356.0, ""content"": ""The one day conferences this year are focused on content for senior mgmt and leadership, so I'll be skipping this year. It even says on the homepage that if you\u2019re a cybersecurity practitioner seeking technical demos, training, and certifications, you won\u2019t find those here.""}, {""user"": ""316f9mua"", ""timestamp"": 1694563884.0, ""content"": ""Agreed, as a pre and post sales engineer being able to interact with Palo SEs and other customer/channel partners was great. Now I dont have an event to go to for Palo. 
We wont attend a sales focused event.""}, {""user"": ""bf73y"", ""timestamp"": 1694583816.0, ""content"": ""I think it's dumb and confusing.""}, {""user"": ""3b04ti1j"", ""timestamp"": 1694598042.0, ""content"": ""As other have said, the new travelling Ignite is geared towards leaders and \""influencers\"" (jeeez). I have been to 3 day Ignite in the past and found it really valuable. Especially the technical breakout sessions, hands on labs and talking to SEs.""}, {""user"": ""1bvg0jmi"", ""timestamp"": 1694555715.0, ""content"": ""I just found out about the new 1 day format yesterday, and I'm absolutely not a fan. Spending 3 days in Vegas is basically torture to me (even ignoring that I got food poisoning at Ignite this year) but at least I get something out of going. I see no reason for me to go to the one day one.""}, {""user"": ""bs3ejnsb"", ""timestamp"": 1694607644.0, ""content"": ""Nothing good has come from Palo the last few years. 9.1 was rock solid for us, 10.1 has been a disaster of epic proportions. I thought they went cheap on last years Ignite Conference, looks like they're rolling down the hill a little further this time.""}, {""user"": ""pddpnfq"", ""timestamp"": 1694550153.0, ""content"": ""It's confusing to me that they use the same name as Microsoft's big conference every year.""}, {""user"": ""nqh6ed9"", ""timestamp"": 1694561683.0, ""content"": ""Wtf. Really a single day?! What are they thinking. I wonder if this is a foreshadow of other \u201cspecials\u201d to come?\n\nWhere did you officially hear/see that it\u2019s this single day format?""}, {""user"": ""d0116jewf"", ""timestamp"": 1694575775.0, ""content"": ""I\u2019ve been curious about this- has it been announced that there will not be a 3 day event as in prior years?""}, {""user"": ""uwrd82fs"", ""timestamp"": 1694751073.0, ""content"": ""Incredibly thought out! 
Please stop!""}, {""user"": ""2z38uxaj"", ""timestamp"": 1694607791.0, ""content"": ""100% this ^""}, {""user"": ""kevpn"", ""timestamp"": 1694559242.0, ""content"": ""Palo's actually got MSFT beat here I think on timing. Here's a page for [Ignite 2012 with Palo](https://www.paloaltonetworks.com/blog/cam/ignite-2012/index.html) and [here's Microsoft in 2015 deciding to call it Ignite](https://www.itprotoday.com/cloud-computing/microsoft-ignite-new-name-teched).""}, {""user"": ""kevpn"", ""timestamp"": 1694562742.0, ""content"": ""It\u2019s a touring program. Google \u201cignite on tour\u201d and you\u2019ll see it. It makes sense it\u2019s one day if they\u2019re traveling to your backyard, larger vendors do similar things (AWS where I live in comes to mind).""}, {""user"": ""2z38uxaj"", ""timestamp"": 1694564576.0, ""content"": ""[https://register.paloaltonetworks.com/igniteontour/](https://register.paloaltonetworks.com/igniteontour/)\n\nSE also confirmed this is all they are doing this year. \""New Format\"".""}, {""user"": ""kevpn"", ""timestamp"": 1694572380.0, ""content"": ""I\u2019m an employee but personal opinion: I think this is the future honestly. Corporate travel is going to continue to be less and less common (but still common, sure) and just look at how PITA it was for some people to get to SKO with that weather (which is also only going to progressively get more extreme)""}, {""user"": ""3up2qoit"", ""timestamp"": 1694575315.0, ""content"": ""I am a partner and from what we were told, there will be no partners attending ignite because it is for customers and SKO combined SE Summit, so it looks like there won\u2019t be a summit at the beginning of next year. That\u2019s kinda sad. 
I enjoy going.""}, {""user"": ""10ob38"", ""timestamp"": 1694590581.0, ""content"": ""Yeah, I loved the SE Summits and did not mind traveling for those\u2026""}]" +paloaltonetworks-33,"[{""user"": ""e83ra27h"", ""timestamp"": 1694561070.0, ""content"": ""Title: Systems Engineer interview\n Body: Hey all, been a long time and have an interview coming up as a system engineer, would like to know what to kind of questions to expect..my experience is as a generalist presales engineer...so understand all concepts on a high level""}, {""user"": ""dlz8m"", ""timestamp"": 1694575138.0, ""content"": ""People who have gone through the interview process generally have to sign NDAs, just a heads up.""}, {""user"": ""17i517"", ""timestamp"": 1694624868.0, ""content"": ""Don\u2019t try to be technical, be commercial. Very important! You\u2019ll learn the tech stuff on the job.""}, {""user"": ""suz08"", ""timestamp"": 1694611799.0, ""content"": ""Probably they want to understand 3 key things. \n\nHow well you communicate. \n\nYour knowledge of Cyber Security. \n\nYour commercial skills in the target segment for the role.""}, {""user"": ""ckgmojt"", ""timestamp"": 1694650308.0, ""content"": ""So I can answer this\n They ask you about your experience with Palo Alto and networking. Then on another interview is a very simple lab with simple tasks like creating a security policy""}, {""user"": ""141t1d"", ""timestamp"": 1694688749.0, ""content"": ""If its for pre-sales, talk about being the technical advisor for customers. An SE role is typically 40% sales / 60% tech. 
That can swap at times.""}, {""user"": ""e83ra27h"", ""timestamp"": 1694659131.0, ""content"": ""Thank you!""}, {""user"": ""e83ra27h"", ""timestamp"": 1694659114.0, ""content"": ""Thank you!""}, {""user"": ""e83ra27h"", ""timestamp"": 1694659124.0, ""content"": ""Thank you!""}, {""user"": ""e83ra27h"", ""timestamp"": 1694659102.0, ""content"": ""Thank you!""}]" +paloaltonetworks-34,"[{""user"": ""ua88e460"", ""timestamp"": 1694577816.0, ""content"": ""Title: After the rule blocked Quic App, the internet is getting slow\n Body: Dear Friends, \n\nHas anyone experience this before? After I create a security rule to block \""Quic\"" as suggested by Palo, I noticed my internet speed or my Chrome browser response is getting slow, or it was just me? I also placed the rule to somewhere down the bottom...\n\nThanks\n\nLarry""}, {""user"": ""46lxm"", ""timestamp"": 1694580394.0, ""content"": ""Set a group policy (or equiv) to disable QUIC in the browser as well. That will stop it from even trying, so in theory it might speed it up since it skips that step and will go straight to using http/https like it should.""}, {""user"": ""i5gzh"", ""timestamp"": 1694578971.0, ""content"": ""Disable QUIC in chrome and see if it helps. Your browser is going to try QUIC fail then use SSL. That whole process could be perceived as \u201cslow\u201d""}, {""user"": ""9twqtwg1"", ""timestamp"": 1694578308.0, ""content"": ""I haven\u2019t noticed a difference""}, {""user"": ""quitq"", ""timestamp"": 1694578454.0, ""content"": ""We cut off all-out quic access forcing Chrome to use 443 TCP and had no fall out. Looking at a large enterprise with 13 ish main sites and many smaller sister sites.\n\nBefore you blocked quic, did you add a rule to allow SSL/http/https traffic for access?""}, {""user"": ""3xxj5"", ""timestamp"": 1694617876.0, ""content"": ""If you're not using decryption, leave quic alone. 
Only reason to disable it is to force SSL inspection.""}, {""user"": ""3hczxhat"", ""timestamp"": 1694594902.0, ""content"": ""YouTube seems rubbish with quic blocked, might just unblock quic in the end :)""}, {""user"": ""nu9wc"", ""timestamp"": 1694583493.0, ""content"": ""We found using the app causes chrome to slow down. I use a global policy to reject udp 443 which works like a charm.""}, {""user"": ""9twqtwg1"", ""timestamp"": 1694599739.0, ""content"": ""Are you using decryption?""}, {""user"": ""6epgk"", ""timestamp"": 1694625332.0, ""content"": ""when you block quick make sure you select send icmp unreachable to reset the udp socket on the browser""}, {""user"": ""ua88e460"", ""timestamp"": 1694580907.0, ""content"": ""Thanks""}, {""user"": ""3939q"", ""timestamp"": 1694626235.0, ""content"": ""I feel stupid now for not having done this \ud83d\ude02""}, {""user"": ""ua88e460"", ""timestamp"": 1694581025.0, ""content"": ""Getting better after I disabled the quic..""}, {""user"": ""ua88e460"", ""timestamp"": 1694580892.0, ""content"": ""thanks""}, {""user"": ""ua88e460"", ""timestamp"": 1694578645.0, ""content"": ""Yeah, there is a rule basically allow internal - external any any to allow generaal internet access. Comes before Deny Quic.. Is it required to have another rule Allowing SSL HTTP HTTPS particularly? \n\n​\n\nThanks""}, {""user"": ""6lriu4sg"", ""timestamp"": 1694620740.0, ""content"": ""Except you won\u2019t be able to see a lot of web based apps either. It\u2019ll all show up as QUIC.""}, {""user"": ""4yt6w"", ""timestamp"": 1694666965.0, ""content"": ""> Only reason to disable it is to force SSL inspection.\n\nThis also applies if SSL inspection is handled further down the line. 
I know that should be obvious, but we leverage a separate platform for inspection and realized we forgot to block QUIC on the Palo, which is the first point where that can be done along the way.""}, {""user"": ""ua88e460"", ""timestamp"": 1694595588.0, ""content"": ""Yeah man, I am thinking the same...still noticeably slow ...""}, {""user"": ""ua88e460"", ""timestamp"": 1694584560.0, ""content"": ""Only UDP 443? Won't affect anything else other than Quic? \n\nThanks""}, {""user"": ""6lriu4sg"", ""timestamp"": 1694620947.0, ""content"": ""Even if they aren\u2019t, not blocking QUIC will cause web apps to show up as QUIC.""}, {""user"": ""ua88e460"", ""timestamp"": 1694609088.0, ""content"": ""Not really""}, {""user"": ""ua88e460"", ""timestamp"": 1694649612.0, ""content"": ""How would I do that? Thanks""}, {""user"": ""492u7klb"", ""timestamp"": 1694780592.0, ""content"": ""Same!""}, {""user"": ""vhclcucd"", ""timestamp"": 1694608684.0, ""content"": ""Yup you have it twisted in your post, it should read: \""Google's insistence on enabling a non-standard protocol by default in their browser is causing my internet to be slow.\""""}, {""user"": ""1dg8x369"", ""timestamp"": 1694591176.0, ""content"": ""Uhm, you have a rule that says permit any any to internet with applications any? and the quic rule comes afterwards? is that rule even hitting?""}, {""user"": ""quitq"", ""timestamp"": 1694579693.0, ""content"": ""Not necessarily required if you have the access in place, but we have things locked down significantly, so we try to be as specific as possible when we are writing rules.""}, {""user"": ""i5gzh"", ""timestamp"": 1694613590.0, ""content"": ""I don\u2019t have this problem. 
Across multiple clients and even at my house.""}, {""user"": ""3hczxhat"", ""timestamp"": 1694595872.0, ""content"": ""Yeah easier to just not deal with the whinging \ud83d\ude02""}, {""user"": ""nu9wc"", ""timestamp"": 1694584649.0, ""content"": ""Nothing yet.""}, {""user"": ""17h9qo"", ""timestamp"": 1694636641.0, ""content"": ""It is a standard protocol as of 2021, RFC 9000.""}, {""user"": ""h8df04r1"", ""timestamp"": 1694609263.0, ""content"": ""Network down, can't reach any site for all users after changes to firewall ...""}, {""user"": ""ua88e460"", ""timestamp"": 1694591342.0, ""content"": ""Sorry I moved it back top""}]" +paloaltonetworks-35,"[{""user"": ""a0tw8eaf"", ""timestamp"": 1694527548.0, ""content"": ""Title: what do your internet rules look like?\n Body: We moved from ASA's to Palo edge firewalls.\n\nI don't think we are versed enough on palo and think we may be doing our internet rules wrong.\n\nWe block every and allow what is needed. Pre-rules are basic lan to internet other than http/https rules like some ftp, ms-updates for our wsus servers, etc.\n\nOur thinking was have one \""final\"" post-rule that uses URL filtering to allow/block traffic for service http/https traffic, works great.\n\nMy issue is we want to allow certain AD groups to either job search sites, streaming sites (youtube, etc.), zoom.\n\nWe have these rules above the URL filtering rule, my issue is, when trying to use URL categories for the above rules it's not working and I was wondering if there was some other way we should be going about this?\n\n​\n\nexample\n\npre-rule 1\n\nsource: all users\n\ndestination: n/a\n\nURL category: custom zoom URL category with \\*.zoom.us, \\*.zoomgov.com\n\napplication: zoom, ssl, stun, zoom-info\n\n​\n\npost-rule 1\n\nsource: job-search AD group\n\ndestination: n/a\n\nURL category: custom job search URL group\n\nservice: service-http, service-https\n\n​\n\npost-rule 2\n\nsource: streaming AD group\n\ndestination: n/a\n\nURL category: 
custom streaming URL group\n\nservice: service-http, service-https\n\n​\n\npost rule 3 \""final/last\"" rule\n\nsource: all domain users\n\ndestination: n/a\n\nURL Filter: Allows/Denys normal pre-defined categories and some custom categories (streaming-media and internet-communications-and-telephony are being blocked in the URL filtering)\n\nservice: service-http, service-https\n\n​\n\nEverything kind of worked about two weeks ago and then NONE of the URL categories work now, even if I set app and service to any, it skips those rules and goes to the post rule 3 and is denied.\n\nShould we not have just one \""final/last\"" rule and use more URL filters to allow/deny custom categories? I have a tac open for zoom not working as well as youtube, if I put the predefined category \""streaming-media\"" in my streaming rule, it works, but not with my custom URL catgegory.\n\nZoom works with 443/SSL but skips the rule when it tries to us udp 8801 which is part of the zoom application.\n\nIs there a strategy to setting up these rules better that we aren't thinking of? Any help is appreciated.\n\n​""}, {""user"": ""4yt6w"", ""timestamp"": 1694539541.0, ""content"": ""> We moved from ASA's to Palo edge firewalls.\n\nSay no more. Many of us are in the same boat. \n\nChances are for the http/https rules you have an issue with QUIC preventing the rules from matching correctly. You can help that a bit with blocking QUIC as your first rules, which forces the rest of things to not be tunneled across those ports and thus, perhaps match what you're looking for instead.\n\nhttps://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClarCAC\n\nBut beyond that, be sure and leverage the BEAUTIFUL thing that Palo Alto does over ASA style rules. 
\n\nUse the following when setting new initial rules:\n\n* Block specific traffic as strictly as possible with App-ID within the rule.\n* Immediately have a rule after that allowing that traffic less specifically, with App-ID not used (destination and port only, match ANY application.)\n* If needed and you still have things slipping through, follow the above two with another even more loose allow rule that doesn't restrict ports at all (defined source or destination, any port, any application.)\n* Note here that you can also first filter out with User-ID, but allow any user in subsequent rules. Again, you want the net to be specific, then less specific. This lets you catch what the actual traffic is matching.\n\nThen within Palo Alto rules, you can track the hits on each of those rules and if you see slips through rule 1 or 2, you will also see any, \""Apps Seen,\"" on the final rule, or additional catch-all rules you put in place. Sometimes you might want to not block them at all during this process but set the rules as, \""Allow,\"" and, \""Log at Session End.\"" \n\nThis lets you see the miss, see what application ID it saw, change your prior rules and retest. 
Since the flow it also logged you can check your external logging or if within a close enough window, on the Palo Alto monitor logging, getting further information that was as well.\n\nIt's hard to show this without a visualization but here you can note the more-to-less-specific approach, the hits see, the applications seen (which is a link from the number if you click on it,) and the days since any changes to the application count.\n\nhttps://imgur.com/izU3zFg\n\nHere you can see that the very specific top two rules did not match, the more open port based rules did, so they could use some App-ID fixes, but also we have some traffic that's getting through we may not have considered (applications/ports we didn't even consider that might need to be allowed.)""}, {""user"": ""a0tw8eaf"", ""timestamp"": 1694545463.0, ""content"": ""Thank you for your reply! I have blocked QUIC as well as the ports and did not see any difference nor do I see any blocks for those yet. \n\nI have played with the rules\n\n​\n\ntop rule 1:\n\nsource: all users\n\ndestination: n/a\n\napplication: zoom, zoom-info, ssl, stun, rtcp\n\nURL category: custom zoom category with \\*.zoom.us and \\*.zoomgov.com\n\n​\n\nnext rule 2:\n\nsource: all users \ndestination: n/a \napplication: any\n\nservice: udp 8801 \nURL category: custom zoom category with \\*.zoom.us and \\*.zoomgov.com\n\n​\n\nnext rule 3:\n\nsource: all users \ndestination: n/a \napplication: zoom, zoom-info \nURL category: none\n\n​\n\nthis works as the 8801 traffic ends up hitting rule 3 where there is no URL category but the URL being used clearly show it's a \\*.zoomgov.com URL and it's using UDP 8801\n\n​\n\nReran test but changed rule 3 to the same custom zoom URL category\n\nit then skips all rules and goes straight to the explicit deny rule at the very end but just for the 8801 traffic \n\nif it's SSL/443 it hits the rule 1 and URL Category is our custom zoom url category name and it's allowed through\n\nI can't upload pics but 
it's plain as day that if I use our custom URL category it ignores it, if I use the same rule but allow any destination it works and the URL is still the same \\*.zoomgov.com that should be allowed in our URL category.""}, {""user"": ""4yt6w"", ""timestamp"": 1694549653.0, ""content"": ""I have a suspicion you aren't doing SSL decrypt, is that correct? I ask because sometimes actually using the URL in a policy block can be an issue if you aren't decrypting.\n\nAnd/or addition to that, and more importantly, you're combining non web ports with a custom URL as a match on the policy. Unfortunately that isn't going to work. You can match by FQDN, but trust me, I understand that's probably not going to work for a service as large as Zoom. But for sure using a URL category match will mostly ONLY work with standard web ports.\n\nNot to mention, Zoom's list of IP blocks for hosting is a nightmare:\nhttps://support.zoom.us/hc/en-us/articles/201362683-Zoom-network-firewall-or-proxy-server-settings\n\nThat being said, you -could- leverage that list and inputting a large object list covering that with the help of Palo Alto. This would allow you to reference non-web ports / applications and yet still restrict it to just those destination ranges.\n\nWhen we've entered large object lists like that in the past, the Palo Alto command line input is much preferred, Adding all of the IPs and subnets within the defined object, then applying that object as the destination for the policy rule.""}, {""user"": ""a0tw8eaf"", ""timestamp"": 1694550808.0, ""content"": ""I understand the whole standard internet ports things and using URL category, thought these were \""NGFW\"" lol\n\nmy only issue with this is, on my youtube rule, I am using service-http and service-https and app is any and youtube passes that rule and hits my default internet rule that has the URL filter on it that blocks streaming-media, why will it not work since it's using standard internet ports? 
The deny shows 443 as the port? \n\n​\n\nGuess I'll have to go back to the old ways and use the stupid IP addresses again :( what pain, thought my job was gonna get a whole lot easier with the URL category thing.""}, {""user"": ""4yt6w"", ""timestamp"": 1694550227.0, ""content"": ""EDIT:\nI completely forgot this might be a great use for an External Dynamic List, or EDL. You can create policies that reference an EDL, then that EDL has all of the allow/block list of IPs you want to reference within a single policy.\n\nEDL's are also more preferred for ranges that change often, Microsoft O365 ranges for example. You can either create and maintain the EDL on your own (allowing the management of the EDL on a host outside of the firewall for ease of administration,) or you can leverage a third party who can create and maintain those lists for you, or ones they actively create and update, like from here:\nhttps://www.edlmanager.com/""}, {""user"": ""4yt6w"", ""timestamp"": 1694551831.0, ""content"": ""> I understand the whole standard internet ports things and using URL category, thought these were \""NGFW\"" lol\n\nTrust me, I feel ya. They do a great job though, especially once you get past just policy rules and start applying threat prevention, etc. \n\nYou're in luck, we have all been there beating our head in with YouTube...\n\nhttps://live.paloaltonetworks.com/t5/blogs/tips-amp-tricks-allow-or-block-youtube-video/ba-p/306732\n\nI would also mention that based on your mention of your policies, if you require much more stringent URL base proxying, a common solution is to go outside of the firewall for that piece through a content filtering solution. Yes, I know, \""I should be able to do that with my Palo Alto,\"" and in most cases, you can. But there sometimes comes a point when it's a logistical or configuration nightmare working around things with just the one platform. \n\nWe leverage Zscaler for that piece. I know there are plenty of others. 
But for sure, you have and own the Palo Altos. Stay on TAC's back with helping assist you get through some of these blocking issues and if you get slow responses, push it through your VAR or partner as well.\n\nI should also mention, Palo Alto sold me on leaving ASA on the day I got training on the Monitor logging, searching and spotting live issues. That, all by itself, is a NIGHTMARE with ASAs. You can do it, but you're going to be all over the place from GUI to command line, to captures, etc. I remember getting pushback from an app team that I was blocking something and I went to the Palo Alto monitor, spotted every bit of their allowed traffic, added the bytes sent and received to the log headings, then tapped one button for a CSV of all of that, showing me allowing it, showing two way handshake and communication, and showing, \""not my problem.\"" The firewalls paid for themselves right then.""}, {""user"": ""a0tw8eaf"", ""timestamp"": 1694555070.0, ""content"": ""I\u2019ll look at your YouTube thing tomorrow as I just logged off. \n\nWe are moving from ASA and WSA and trying to have the palo\u2019s do an all-in-one. I\u2019m sure I can figure something out with all of it. Just a bummer we can\u2019t use the \u201ceasy\u201d way with the URL categories. \n\nWhat does everyone do for other stuff like limiting ms updates with all their IPs and URLs as well?\n\nDo people use multiple URL filters instead of the singular internet rule I am trying to use with one URL filter? \n\nMy issue with that is if you are in day the YouTube group and I am using URL filtering then your \u201cinternet rule\u201d will end up being that YouTube rule instead of the singular rule at the bottom.""}, {""user"": ""4yt6w"", ""timestamp"": 1694610347.0, ""content"": ""Ahh, great questions. Now it's time to introduce you to security profiles. \n\nCreate a few custom URL Categories for different things. 
We'll get to those in a bit but they can either be allow or deny URL groups, but consider them custom to you and your environment. What is an absolute no-no, and what is and must be work related, etc.\n\nNow go under Objects, Security Profiles, URL Filtering. Pick the default group there and clone it, then call the new group what you will.\n\nAdd your custom URL Categories here and select the actions needed for those categories from nothing to allow, alert, deny, drop, etc. Those are explained in long form on Palo's documentation. \n\nNow that you have a URL profile it's important to understand this is just one part of an overall security profile. You can also add anti-virus, anti-spyware, vulnerability protection, etc. These can be formed into a group just below the definitions called a security profile group. \n\nNow go back to your policies. Each and every policy can now have an associated security profile applied. And that profile includes all the URL allows/blocks, all the additional security items you add, etc. You don't have to use a single policy rule to block specific urls for everything. I can literally have just one rule:\n\nAllow-inside-to-outside\n\n... and put that after I've blocked specific things I don't want going on. But to that rule I attach the security profile that does the rest of the heavy lifting for me. (And btw, this is where we really see the NGFW kind of thing.) This is applied under the Actions tab on the policy.\n\nSome screenshots below kind of showing what I'm talking about. Of note, we, \""alert,\"" on nearly all categories of URLs for a specific reason, which is that alert will also copy the URL seen into the logs. We leverage this both to troubleshoot things on the Palo Alto under the Monitor URL Filtering log, but also allowing the URL to be passed to our logging devices internally and to our SIEM for correlation of events. I.E. 
\""User went to badstuff.com and clicked on the link for something and here are the actions seen afterward.\""\n\nhttps://imgur.com/a/5SAjxjT""}]" +paloaltonetworks-36,"[{""user"": ""w723yenq"", ""timestamp"": 1694559894.0, ""content"": ""Title: Allowing file-sharing apps but blocking Medium-Risk\n Body: We block Medium-Risk URLs per PANs best practices. We are looking to allow file-sharing to our sites (risk approved by senior mgmt) and I'm trying to figure out how to write a rule that allows sites like Dropbox & Onedrive but blocks other Medium-Risk sites. I created an app filter that filters on SAAS/File-Sharing and Office Applications and I'm sure applications installed on individual users' machines would work without any problem. The only problem is when I browse to [www.dropbox.com](https://www.dropbox.com) it is trying to access the site with the SSL or web-browser app-id. I can't just open those apps to medium risk. Looking for some advise on how to structure this rule set.""}, {""user"": ""bknba"", ""timestamp"": 1694560375.0, ""content"": ""We have a rule for this that references the built-in online-storage-and-backup URL category for the destination and is linked to a URL filtering profile that alerts on medium risk and online-storage-and-backup among others. Then layer on port and app-id and whatever else on top of that and it should accomplish what you're looking for.""}, {""user"": ""w723yenq"", ""timestamp"": 1694560383.0, ""content"": ""I think I have it figured out. 
I just need to make sure my \""file sharing\"" policy is filtering on the online-storage-and-backup category and then I can add SSL & web-browsing.""}, {""user"": ""w723yenq"", ""timestamp"": 1694560398.0, ""content"": ""Just figured it out.""}]" +paloaltonetworks-37,"[{""user"": ""532coyo9"", ""timestamp"": 1694557415.0, ""content"": ""Title: How to check an application signature on Palo Alto\n Body: Hello,\n\n​\n\nI want to ask how to check an application signature on Palo Alto like for example WhatsApp ? \n\n\nfor example WhatsApp voice , video or Audio ? so I can block on of them or analyze any of them ? \n\n\n Best Regards,""}, {""user"": ""bi7wp"", ""timestamp"": 1694557594.0, ""content"": ""https://applipedia.paloaltonetworks.com/""}, {""user"": ""kevpn"", ""timestamp"": 1694559450.0, ""content"": ""Realistically, if you're an admin, the most straightforward way is to simulate and log the traffic""}, {""user"": ""532coyo9"", ""timestamp"": 1694593911.0, ""content"": ""Thanks a lot""}]" +paloaltonetworks-38,"[{""user"": ""d6ey9v5"", ""timestamp"": 1694528044.0, ""content"": ""Title: DNS over TLS and DNS over HTTPS inspection? Confused.\n Body: I am still uncertain after reading the documentation. Does PA allow you to inspect DNS queries over TLS and HTTPS? Or does it still just forward the requests to the DNS server configured?""}, {""user"": ""bknba"", ""timestamp"": 1694550768.0, ""content"": ""For versions prior to 11.0 there's no support for inspection of encrypted DNS and PAN's recommendation has been to block that traffic. DoH inspection is added in 11.0:\n\nhttps://docs.paloaltonetworks.com/pan-os/11-0/pan-os-new-features/content-inspection-features/dns-security-support-for-dns-over-https""}, {""user"": ""2z38uxaj"", ""timestamp"": 1694557440.0, ""content"": ""Blocked that traffic and Google\u2019s Quic (sp) protocol. Especially if you use URL filtering. 
The client will resend the traffic in historically normal protocols.""}, {""user"": ""83zag91l6"", ""timestamp"": 1694599921.0, ""content"": ""I try to keep all dns traffic internal. Only letting my forward dns servers send dns traffic outbound over wan. Same with NTP. Both can be used for tunneling / exfiltration. Internal DoT can be allowed if you you have use case, but only whitelist this access.""}, {""user"": ""d6ey9v5"", ""timestamp"": 1694567759.0, ""content"": ""Appreciate the education. u/cowardlyginger and u/whiskey-water. I should have mentioned that this in regards to DNS filtering specifically. So, if I read that right, DoH and DoT inspection (DNS filter) are available in 11.0. Making sure I am clear on this.""}, {""user"": ""da5f3fdc1"", ""timestamp"": 1694596532.0, ""content"": ""Block that traffic.\n\nBesides being unfriendly for inspection and dangerous for enterprise security they are a tentative of centralizing in the hand of few an infrastructure that has been neutral and free for all.""}, {""user"": ""bknba"", ""timestamp"": 1694569427.0, ""content"": ""The 11.0 announcement only mentions DoH. Since it doesn't specifically say anything about DoT, I'd guess there's no inspection coverage there, but that's only a best guess.""}]" +paloaltonetworks-39,"[{""user"": ""12f1ra"", ""timestamp"": 1694540248.0, ""content"": ""Title: Application override - inheritance questions\n Body: Hi,\n\nI have an client-server communication using 'nearly' standard application, but in order to prevent random aging out of sessions on PA i need to adjust timers for it. My question is:\n\nIf i select parent application while creating application object for override, will it inherit parent app timers (other than ones i set specifically) and threat prevention/av signatures when handling traffic? 
Or does it have to be all set manually?""}, {""user"": ""i5gzh"", ""timestamp"": 1694546065.0, ""content"": ""I\u2019d say don\u2019t use app override unless you absolutely have to. It disables a bunch of security features. What\u2019s the app? If it\u2019s widely used but not in the Palo DB you can log a TAC case and they might add it as an official app with the timers it needs. \n\nhttps://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/policy/application-override-policy#:~:text=Application%20Override%20policies%20prevent%20the,Application%20Override%20unless%20you%20must.""}, {""user"": ""12f1ra"", ""timestamp"": 1694548020.0, ""content"": ""For all intents and purposes its an already existing application in terms of app-id, and generally adheres to the standard. I know i \\_could\\_ just adjust application timers for existing app-id object, but this is an edge case of server-server traffic within secure DMZ and timers i need are quite extreme (and yes, people that wrote application will have no idea how to create some sort of keepalive).\n\nLooking at link you provided seems to indicate that what i should actually do is create custom service and apply it to normal firewall policy and it should do exactly what i want it to accomplish.\n\nBut still question remains whether custom application \\_with\\_ parent application inherits timers/other properties, because i didnt find conclusive information in palo documentation.""}, {""user"": ""i5gzh"", ""timestamp"": 1694548415.0, ""content"": ""I don\u2019t believe editing the inherited application will influence the base application. I stand under correction though. 
\n\nhttps://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/app-id/service-based-session-timeouts""}]" +paloaltonetworks-40,"[{""user"": ""5ifce4sx"", ""timestamp"": 1694537495.0, ""content"": ""Title: Anyone moved from Crowdstrike to Palo XSIAM\n Body: I was wondering if anyone here has gone through this move?\n\nIt is something my company is looking at.""}, {""user"": ""bf73y"", ""timestamp"": 1694580865.0, ""content"": ""I've had a few clients try to use crowdstrikes LogScale and I really mean TRY because they all complain about it not being able to ingest and parse logs properly from other sources even with engagement from CRWD. If the goal is to not only take data in but also understand the data and also perform remediation actions across various enforcement points, I've yet to see them deliver that. I had a recent engagement with a client who had falcon + LogScale, and Palo for FWs and they couldn't find out how a bad actor got in looking in LogScale. They knew something was going on but honestly were chasing the wrong things because even though they were sending FW logs to it, it just doesn't understand them. Reminds me of Splunk, it'll take the data in but you better have someone who is going to train the system to know what it's taking in. 15 mins in the Palo console and I showed them C2 and DNS tunneling that they weren't paying attention to and weren't blocking (because of really shitty FW configurations from a Cisco migration years before), and was able to get things contained and ultimately find the exposed server where the initial infection began. \n\nI've been doing this for nearly 2 decades and I really do see a future where the SOC is mostly automated, but just like you hear with chatgpt and the like, building good ML models and AI first takes having good data and a lot of it. Not every company that is trying will be able to successfully do it. 
\n\nDo a PoC, make them prove they can do what they say they will.""}, {""user"": ""7bnbk"", ""timestamp"": 1694541165.0, ""content"": ""I only know people who move the other way.""}, {""user"": ""4wfpg"", ""timestamp"": 1694589967.0, ""content"": ""Kind of an odd description of splunk.. ingesting new data into splunk doesn't involve \""training\"" anything, there's not some sort of ML based parsing.""}, {""user"": ""5ifce4sx"", ""timestamp"": 1694546052.0, ""content"": ""Thanks, we don't think it is the right move but executives are leaning another way.""}, {""user"": ""4gh4seoe"", ""timestamp"": 1694550300.0, ""content"": ""XSIAM hasn\u2019t been on the market long. Are you sure you aren\u2019t talking about an older endpoint solution like TRAPs which is very old and no longer sold.""}, {""user"": ""bf73y"", ""timestamp"": 1694601365.0, ""content"": ""exactly it's problem. It just ingests. It's up to you to do anything with it that is actionable.""}, {""user"": ""kevpn"", ""timestamp"": 1694553722.0, ""content"": ""I\u2019m hesitant to think there\u2019s a massive exodus of XSIAM just because XSIAM is fairly new\u2026 it was in a \u201cfirst customer\u201d program where they worked very closely with early participants for a while""}, {""user"": ""kevpn"", ""timestamp"": 1694553811.0, ""content"": ""Or even XDR. XDR is a lot better than traps but it\u2019s at least been out for more than 30 seconds.""}, {""user"": ""nqh6ed9"", ""timestamp"": 1694562488.0, ""content"": ""What do you mean mass exodus? 
Is xsiam worth anything or is it mostly AI/ml hype with a larger price tag and more hands on support from palo while the product settles in?""}, {""user"": ""kevpn"", ""timestamp"": 1694562614.0, ""content"": ""I am a Palo employee so I am biased beyond belief so I do not make product recs here typically\n\nI mean \u201chearing all your friends leaving XSIAM\u201d as they suggest would shock me because the ink has barely dried on most XSIAM contracts""}, {""user"": ""k3lq2"", ""timestamp"": 1694656122.0, ""content"": ""Can confirm""}, {""user"": ""kevpn"", ""timestamp"": 1694656209.0, ""content"": ""Can confirm I am not biased, XSIAM ink is still wet, or XSIAM is not good? \ud83d\ude03""}, {""user"": ""k3lq2"", ""timestamp"": 1694662503.0, ""content"": ""ink is still wet, even the early adopters (design partners) are not even a full year in yet.""}]" +paloaltonetworks-41,"[{""user"": ""b75zaghi"", ""timestamp"": 1694534976.0, ""content"": ""Title: Accessing some websites such as amazonawas.com showing as site not secure\n Body: If I add the website ro SSL exclusion list - the site starts working. \n\nI know Palo Alto has a default list of CA\u2019s that it trusts - but I can\u2019t think of a reason why this happens.\n\nFor other sites such as bbc.co.uk this doesn\u2019t happen.\n\nI do have SSL decryption enabled on the firewall and works fine for most websites""}, {""user"": ""6lriu4sg"", ""timestamp"": 1694536144.0, ""content"": ""There\u2019s a few potential problems. One of the less obvious ones is that if the web server does not provide the full CA chain, the Palo will fail decryption. Windows and other OSs will find those certs on their own. Palo sees that as a security issue. 
You either have to go find the rest of the chain and install the intermediate CAs on the Palo or you have to use a custom URL category and create an exception list for decryption where it won\u2019t decrypt it at all.""}, {""user"": ""57bwa"", ""timestamp"": 1694539657.0, ""content"": ""Have a look in the decryption log - the error column will tell you.\n\nProbably a new CA that your palo doesn't know about""}, {""user"": ""b75zaghi"", ""timestamp"": 1694597246.0, ""content"": ""Yes I have had a look and I am seeing \u201creceived fatal alert UnknownCA from client CA issuer \n\nHttp//alaitrust.net/1k-chain256.cer\n\nPalo Alto says not all websites send their complete certificate chain event though RFC requires them to provide a valid certificate leading to an acceptable certificate authority \n\nIf the intermediate certificate is missing from the certificate list the website server presents to the firewall, the firewall can\u2019t construct the certificate chain to the top (root) certificate \n\nWhich then presents the forward untrust certificate which is what is happening to me\n\nBut on a different firewall \u201cCisco\u201d this does not happen for the exact same website it happens on the Palo Alto firewall""}, {""user"": ""b75zaghi"", ""timestamp"": 1694597237.0, ""content"": ""Yes I have had a look and I am seeing \u201creceived fatal alert UnknownCA from client CA issuer \n\nHttp//alaitrust.net/1k-chain256.cer\n\nPalo Alto says not all websites send their complete certificate chain event though RFC requires them to provide a valid certificate leading to an acceptable certificate authority \n\nIf the intermediate certificate is missing from the certificate list the website server presents to the firewall, the firewall can\u2019t construct the certificate chain to the top (root) certificate \n\nWhich then presents the forward untrust certificate which is what is happening to me\n\nBut on a different firewall \u201cCisco\u201d this does not happen for the exact 
same website that it happens for on the Palo Alto firewall""}, {""user"": ""6lriu4sg"", ""timestamp"": 1694616955.0, ""content"": ""It doesn\u2019t happen on Cisco because Cisco will retrieve the certificate.""}, {""user"": ""57bwa"", ""timestamp"": 1694608171.0, ""content"": ""Have you got \""Block sessions with untrusted issuers\"" set in your decryption profile? You can ignore it for that website by creating a new profile and decryption policy.\n\nThe more secure resolution would be to add the root and intermediate certs to device > certificates and mark them as \""trusted root CA\""s""}]" +paloaltonetworks-42,"[{""user"": ""iqki9"", ""timestamp"": 1694515836.0, ""content"": ""Title: Question on Upgrading PAN-OS on VM Series\n Body: Newb question incoming.....Currently upgrading some hardware and vm-series firewalls from 9.1.x to 10.2.4-h4 and have a question about process. Hardware seems fairly straight forward if you follow the correct \""upgrade path\"". The vm-series documentation doesn't refer to following the upgrade path, does that mean on a vm-300 I can go straight from, say, 9.1.14 directly to 10.2.4-h4 ?\n\nAppreciate any help!""}, {""user"": ""briif"", ""timestamp"": 1694516967.0, ""content"": ""you need to follow the upgrade path.""}, {""user"": ""47wj4"", ""timestamp"": 1694518846.0, ""content"": ""https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-upgrade/upgrade-pan-os/upgrade-the-firewall-pan-os/determine-the-upgrade-path\n\nfollowing this guide is really about preserving your configuration. (During major revision upgrades, the config file format changes, so part of the background upgrade procedure is the firewall converting your config to the new version.) If you have a brand new firewall or VM with no configuration you want to keep, then yes - you can do it in one step.""}]" +paloaltonetworks-43,"[{""user"": ""36d7dohp"", ""timestamp"": 1694527194.0, ""content"": ""Title: Missing file upload in BPA\n Body: Hi all. 
New to Palo and trying to upload my tech support file into BPA. Problem is there is no button on the page to generate a new BPA assessment. Any ideas? I\u2019m logged in as super user with BPA role as well.""}, {""user"": ""qnvd8"", ""timestamp"": 1694528755.0, ""content"": ""Bpa is now aiops. Can be accessed at https://apps.paloaltonetworks.com/hub\n\nhttps://live.paloaltonetworks.com/t5/blogs/bpa-transition-to-aiops-for-ngfw/ba-p/548612#:~:text=Why%20Transition%20BPA%20to%20AIOps,like%20the%20BPA%20requires%20today.""}, {""user"": ""36d7dohp"", ""timestamp"": 1694532784.0, ""content"": ""Ah, there it is. Thank you!""}]" +paloaltonetworks-44,"[{""user"": ""8m7boma2"", ""timestamp"": 1694494378.0, ""content"": ""Title: PCNSA Cert study material\n Body: I'm taking the course by Astrit Krasniqi on Udemy and I am about half way done. The content seems pretty basic and easy, a little to much so. Has anybody taken his course to confirm what he covers is enough to pass the test? Is there any other preferred study material or supplement content you could suggest?""}, {""user"": ""6iwfgugp"", ""timestamp"": 1694496212.0, ""content"": ""edu 210""}]" +paloaltonetworks-45,"[{""user"": ""jmttq"", ""timestamp"": 1694472516.0, ""content"": ""Title: What are you blocking outbound on your App-ID rules?\n Body: Currently testing segmenting vlans with specific app-id rules. \n\nWe don't have a written policy on what traffic can go outbound. We do limit the obvious, like RDP, SMB, QUIC etc. We have several EDLs that block inbound and outbound. \n\nHowever, we don't explicitly deny specific app-ids from going outbound. Looking for some best practice App-IDs to start blocking.""}, {""user"": ""91wqd"", ""timestamp"": 1694488641.0, ""content"": ""The question should be 'What do we need to *allow*?' The business needs to make the decision about which applications are sanctioned or unsanctioned. Your risk management or information security team should be involved. 
There should be a clearly defined business need for every allow rule and anything else should be blocked/denied by a deny all rule at the bottom of the rule set. The main purpose of the firewall is to enable network access for the business while at the same time protecting it from network traffic that is not needed.\n\nIf you don't have a risk management or information security team or if you provide those functions, I would suggest following recommendations in [NIST SP 800-41](https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-41r1.pdf) as well as the [Center for Internet Security](https://www.cisecurity.org/controls) controls for Palo Alto as a start. There is also the [Internet Gateway BPA](https://docs.paloaltonetworks.com/best-practices/internet-gateway-best-practices) and the [Security Policy BPA](https://docs.paloaltonetworks.com/best-practices/security-policy-best-practices)""}, {""user"": ""4gigy"", ""timestamp"": 1694476445.0, ""content"": ""Any and all remote access applications like Teamviewer etc unless they are actually used by the company.""}, {""user"": ""5u04b"", ""timestamp"": 1694484617.0, ""content"": ""SMTP, SMB, RDP. That's it. 
The business has a wide variety of needs and there is no sense in micromanaging it.""}, {""user"": ""ao50hldk"", ""timestamp"": 1694479998.0, ""content"": ""Stick in the ass corporate environments will block like games, social media, streaming etc, but in my deployments I only recommend high threat potential categories.""}, {""user"": ""rsvj6"", ""timestamp"": 1694479228.0, ""content"": ""Social media apps, online storage, games, streaming TV.""}, {""user"": ""dlz8m"", ""timestamp"": 1694475127.0, ""content"": ""I went through and created some app-id groups and filters, and I block outbound filesharing that isn't the explicit major ones, blocking outbound SMB like you already do, etc.""}, {""user"": ""100eg8"", ""timestamp"": 1694502644.0, ""content"": ""We go the \""allow\"" approach as well, otherwise people start using web apps which haven't approved by our security team and work council.""}, {""user"": ""tsmysiu"", ""timestamp"": 1694507673.0, ""content"": ""Any kind of internal authentication protocols""}, {""user"": ""2gbmjiqr"", ""timestamp"": 1694519313.0, ""content"": ""We have a group of applications that we allow. Everything else is denied unless a business case is approved for something outside of it.""}, {""user"": ""da5f3fdc1"", ""timestamp"": 1694510771.0, ""content"": ""I subscribe to this approach.\n\n \nWhat I usually do for management networks/server networks/DMZs... 
is that anything that has to go out must have a specified destination and a reason to, everything else is blocked.\n\nFor the client networks the only ports that can go out are 80TCP and 443TCP and there is a security profile applied with the Palo Alto best practices as well custom EDLs and also other blocks that I might like (as blocking Remote Assistance, for example).""}]" +paloaltonetworks-46,"[{""user"": ""elsufo4m"", ""timestamp"": 1694477225.0, ""content"": ""Title: Hands-on options for training?\n Body: Hi all,\n\n​\n\nI was previously PCNSE certified and it expired, and now want to go at it again just for kicks.\n\nI am trying to determine options, if any, for getting hands on with the platform in the latest version (or at least the one the exam is based on).\n\nWhile I previously worked for a company that was a PA customer, and even had a pair of lab VMs purchased for me, that was about 3 years ago, and no longer accessible or updateable.\n\nI know there's no free options, but even trying to buy something seems they only sell to companies? (which seems really messed up). And what's with all these \""credits\"" crap that seems to be the standard now?\n\n​\n\nTLDR: IS there any way for an independent guy studying to get access to a FW and/or Panorama?\n\n​""}, {""user"": ""kevpn"", ""timestamp"": 1694493171.0, ""content"": ""Common advice here is usually to pay-as-you-go a firewall in the cloud or get in touch with Fuel to see how far their resources get you.\n\n>I know there's no free options, but even trying to buy something seems they only sell to companies?\n\nLargely correct, PAN like a lot of vendors is largely B2B. I believe folks have LLC'd, etc before to get around this, but I can't speak to that or whether it makes sense.\n\n>And what's with all these \""credits\"" crap that seems to be the standard now?\n\nIf you mean for PAN in general, my grasp is at least one reason is so people can move from e.g. 
hardware models to cloud products without completely losing any metrics of what they've paid for.""}]" +paloaltonetworks-47,"[{""user"": ""6x7cpppc"", ""timestamp"": 1694452924.0, ""content"": ""Title: Professional Service Hours - How should I spend them?\n Body: Hello everyone. After evaluating firewalls and getting feedback, I may be going with Palo Alto for the core of an upcoming network. Our SE stated he's going to included 80 hours of Professional Service Hours at no additional charge for after the install to assist with basically day two operations. \n\nCurious if you have any thoughts on how I should use them? Anything you wish you would have used them for that you didn't? Anything you did down the road that you wish you would have have Professional Services Hours for? Thanks.""}, {""user"": ""2iok9w7f"", ""timestamp"": 1694453645.0, ""content"": ""Solid choice. What firewall manufacturer are you migrating from? I would use them to help design and configure your SSL decryption strategy. And if you aren\u2019t doing L7 app-based rules, have them help with that as well. Honestly most of the configuration is pretty trivial, but SSL decrypt can be one of the biggest pain points if not planned and configured correctly.""}, {""user"": ""384u79ao"", ""timestamp"": 1694495864.0, ""content"": ""We knew substantially more than our professional services engineer. It was very\u2026weird. 
Especially the part where we (not me) lie on the monthly check in calls and say everything is great, further perpetuating this mediocrity.\n\nI\u2019d take the guys advice up there and use them for very specific things.""}, {""user"": ""5jhbyzkv"", ""timestamp"": 1694454782.0, ""content"": ""Zone Protection, DoS Profiles would be one of things I would take a look at since TAC doesn't help in configuration also If your keen about your network bandwidth/throughout you could have test and get appropriate values""}, {""user"": ""37ve4gbk"", ""timestamp"": 1694456411.0, ""content"": ""Who's PS hours? PANW proper or the resellers? There will likely be more strings attached if PANW's. \n\nWhenever I give PS hours in a sale, my customers end up allocating it toward the deployment or day1 support. \n\nIf you're not using them to help with the deployment, 80 is quite a bit which means that they're probably making good margin to give that many hours so one way you could use it is to get a better price. \n\nAssuming that they can sit dormant and be used a later time (we do that), you could use the hours for periodic assessments like 6-12 months post deployment.""}, {""user"": ""unknown"", ""timestamp"": 1694458402.0, ""content"": ""[deleted]""}, {""user"": ""9ws9qq5hm"", ""timestamp"": 1694699999.0, ""content"": ""i bought the professional services for the \""cloudgenix\"" prisma SD and was a pretty big waste of $. The tech sent me a 'form' to fill in with all the IP's subnets, links, names, domains,etc. He the proceeded to create a simple dump to setup the devices. \n\nI wanted to be involved with the setup to LEARN more about this product. His was OK at setup but could not properly answer any of my questions and was horrible about explaining. \n\nWhen you buy a car you do not need to know how to change spark plugs, brakes, or the muffler. But in IT we need to know how it works and that starts with the setup. 
I have to be the mechanic of my environment because \""Professional services\"" will not be there when you have problems. So they need to be better at sharing, explaining, and teaching. \n\n​\n\nOverall worst $40K we ever spent!""}, {""user"": ""6x7cpppc"", ""timestamp"": 1694520980.0, ""content"": ""Migrating from ASAs and a Fortigate. Didn't even think of SSL decryption, will add that to my list as well.""}, {""user"": ""6x7cpppc"", ""timestamp"": 1694520575.0, ""content"": ""Thank you for this. Made some notes and will make sure to put this on the agenda.""}, {""user"": ""6x7cpppc"", ""timestamp"": 1694520694.0, ""content"": ""It's PANW proper and while I won't talk price, I will say the sale margin was low, I think they just really wanted the business.\n\nI like this idea of saving some for a review as well once things are completed.""}, {""user"": ""1bvg0jmi"", ""timestamp"": 1694485654.0, ""content"": ""Your math is off by half an order of magnitude (more like 40k), but your point isn't.\n\nUse them for architecture/high level engineering work, that's the level you're paying for. Generate a very specific list of what you want done, and listen to what they say.""}, {""user"": ""14vm7b"", ""timestamp"": 1694486928.0, ""content"": ""How is it 200k?\n\nRate is 250/hr\n80 hours\n$20k\n\nIf rate is 300/hr\n80 hours\n$24k\n\nHow is that even close?\n\nOP should always use the hours for the hardest items, the more advanced components""}, {""user"": ""37ve4gbk"", ""timestamp"": 1694535230.0, ""content"": ""Respectfully, how do you know their margin was low? \n\nIn any case, despite what others are suggesting on here, I think it would be prudent to not use them for things that would be best for a consistent resource. Like, you just want to avoid paying the $500/hr or whatever they'd charge for additional hours (their list is $550/hr). 
Honestly though, Idk what their PS is actually like because I've never seen anyone pay (and we are the ones that the customers go to for the actual deployment/implementation services)""}, {""user"": ""6x7cpppc"", ""timestamp"": 1694520766.0, ""content"": ""I like this idea as well, I will generate a list, and get it ready for our upcoming sessions.""}, {""user"": ""6x7cpppc"", ""timestamp"": 1694536481.0, ""content"": ""As far as margin, I took a look at list price for the equipment, services and SFP's. Then compared that against the offered percent %. \n\nIt was against Palo Alto and another vendor, the other vendor offered a higher % off. We showed the % off offered by the other vendor, our rep said not only will match that percent off but we will throw in 80 hours of professional services time that will start after we help you migrate over. CEO said okay, let's do it.""}, {""user"": ""37ve4gbk"", ""timestamp"": 1694537617.0, ""content"": ""Man, that's apples to oranges. There is not a \""normal\"" discount level among vendors out there. For example, if you bought something from PANW at 40% off list vs buying something from Cisco at 40% off list.""}, {""user"": ""6x7cpppc"", ""timestamp"": 1694549851.0, ""content"": ""Now I'm curious if we got hosed or not :) So, while not giving away the *exact* price if one were to have bought 4 5410's for $24,450 a piece, is that a good deal?""}, {""user"": ""37ve4gbk"", ""timestamp"": 1694550128.0, ""content"": ""Sent you a chat-- but yea that's a good price for just the 5410s appliances themselves""}, {""user"": ""6x7cpppc"", ""timestamp"": 1694570879.0, ""content"": ""Thanks for validating, it seemed like it. The services were discounted at an equal margin. Once everything was quoted, they added in the Professional Service Hours and zeroed it out. 
I'm sure they made money on the SFP's and cables though--nobody priced those out, just told them to add them on and call it a day.""}]" +paloaltonetworks-48,"[{""user"": ""7hcsltow"", ""timestamp"": 1694464537.0, ""content"": ""Title: Renewing a Cert\n Body: Hey everyone, my ssl decrypt cert is going to expire soon. I was curious about how renewing the cert works since it is just a self signed cert. The cert is deployed all over my enterprise, which includes primarily windows and Chrome devices. However, we do allow BYOD on our WiFi. If I renew the cert and extend the time will all those BYOD users have to load the new cert? Or does the old cert still work and just extends the time? I\u2019m not super familiar with certs so I\u2019m treading on new waters.""}, {""user"": ""ibia0"", ""timestamp"": 1694467839.0, ""content"": ""The joy with a self signed CA...you'll have to push the new CA cert to all your devices. Just renewing it won't 'update' it.\n\nId suggest getting in contact with your enterprise certificate team and migration to them proving you an intermediate cert off the main internal CA so they control the chain of trust, not you. (Easy mode)\n\nOr renew/generate a new one and contact your end user device management team to push to those. (hard mode)""}, {""user"": ""91wqd"", ""timestamp"": 1694474485.0, ""content"": ""If it\u2019s self signed, yes you will need to go through the same process you did to initially deploy the certificate. \n\nBest option is to establish an Enterprise CA for your internal devices. 
For BYOD you should use a public CA to sign the certificate so it will be initially trusted.""}]" +paloaltonetworks-49,"[{""user"": ""164gcr"", ""timestamp"": 1694466958.0, ""content"": ""Title: Explicit Allow Rapid 7 URL Traffic to Whole Org\n Body: Hi All,\n\nSo we are deploying Rapid 7 agent to the organization and I need to allow the 2 wildcard domains ( so cant use a FQDN object as a destination in a security ) for this to work so I have looked into URL filtering. \n\nThe problem I am having is I want to log the URL traffic that uses this rule for visibility. Looking into the Palo logging capability if I use a URL Category within a Security rule it doesn't log. If I use a URL Filtering Profile with that custom category it logs but I cant figure out how to ONLY just allow a custom category and not block/allow other traffic. Is there something in the URL filtering profile that I can set it just to care about a single category versus taking action on the rest ?\n\nWould a combination of a URL Category within a Security Rule and a URL Filtering Profile on the same rule have the outcome I am looking for ?\n\nWe use Syslog as well to send to our SIEM if that helps around the logging requirement. ""}, {""user"": ""66ovb"", ""timestamp"": 1694469976.0, ""content"": "">Would a combination of a URL Category within a Security Rule and a URL Filtering Profile on the same rule have the outcome I am looking for?\n\nYes, that is exactly what you need. Allow rule with custom url category specified. Url filtering profile, with action set to alert on said custom url category.""}, {""user"": ""164gcr"", ""timestamp"": 1694481951.0, ""content"": ""The problem there is the inbuilt categories would then also have some type of action ( allow/block required ). 
Does having the URL category in the rule then limit the \""allows\"" or \""blocks\"" in the URL filter ?""}, {""user"": ""66ovb"", ""timestamp"": 1694521792.0, ""content"": ""Usually, when I apply these rules, since custom categories take precedence, and you have specified the rule itself to only apply to the custom category. I alert the custom category in the url profile, none for all other custom categories, and block all predefined categories.\n\nI hope that makes sense.""}]" +paloaltonetworks-50,"[{""user"": ""11o6u1"", ""timestamp"": 1694466720.0, ""content"": ""Title: Securtiy rule not working with HIP object\n Body: There are two WAN rules, and in addition to the top rule, I added HIP. I added a HIP object to the profile using \""and.\"" In the HIP object, I removed everything specific and added two checks that only look at the hostname and domain information confirmed through the agent. Nothing else remains except for these.\n\n​\n\nNo matter how many combinations I've tried, I just can't establish a VPN connection with the rule involving HIP; I always connect with the rule that doesn't have the next HIP check.\n\n​\n\nI've tried AND, OR, and various features within the rule, including quarantine and no-hip.\n\n​\n\nWhy do you think it's not working? What am I missing? I see that it's a match in the HIP-Match logs, so why isn't the connection being established through the HIP-applied rule? \n\\*\\*and notification is success\n\nIf didn't understand me i'm sorry sometime my english is not enough-Best Regards, Cheerss""}, {""user"": ""ds0je"", ""timestamp"": 1694468799.0, ""content"": ""You are trying to limit the initial connection to GP Portal/Gateway via HIP objects? Is that what I am reading?""}, {""user"": ""11o6u1"", ""timestamp"": 1694498759.0, ""content"": ""Yes that's right""}, {""user"": ""5gj3sjhny"", ""timestamp"": 1694573478.0, ""content"": ""That isn\u2019t how HIP checks work. 
HIP can\u2019t stop someone from connecting to VPN, it can stop them from being able to reach anything internal though. \n\nThink about it like this, the HIP feature is built into the GP client. When you connect, the client sends the HIP profile to the Gateway. How could the firewall get the HIP profile if you are t even connected to VPN?""}]" +paloaltonetworks-51,"[{""user"": ""128ufv"", ""timestamp"": 1694443863.0, ""content"": ""Title: Trying to allow specific outbound URLs and blocked URLs not showing in logs.\n Body: I am trying to figure out if there may be a way to find URLs that are being blocked for an application so I can allow. We have a very strict outbound policy and only allow specific apps. We have a vendor that does not know what services their app uses (the vendor is a fortune 500 company!) so we are left with the task of figuring this out. I have a specific URL category on the allow rule for the sites we know about. I have a catch all rule with all categories allowed in the url filtering that I thought should catch anything not caught by the previous allow rule. I have the firewall providing DNS proxy but I can't seem to find anything in the cache and we can see the IPs of the blocked sites but not the URLs. Is there a way to tie the DNS request to the IP? We used developer mode on the browser based portion but the integrated app is the problem. We are unable to install any tools on the workstation due to strict policy but I think that may be the only way forward.\n\nAnyone run across this and have an idea how to get around?""}, {""user"": ""2iok9w7f"", ""timestamp"": 1694461304.0, ""content"": ""Do you have the action set to \u201calert\u201d for the categories on the security profile? 
It set to \u201callow\u201d it will never show up in the logs.""}, {""user"": ""5hw479ms"", ""timestamp"": 1694455776.0, ""content"": ""Have you looked at the threat logs versus the traffic logs, the URLs will usually show up there.""}, {""user"": ""1bvg0jmi"", ""timestamp"": 1694489249.0, ""content"": ""If there's no host header or sni, it's not going to show up in the URL logs, nor can it be blocked/allowed by URL.""}, {""user"": ""11o6u1"", ""timestamp"": 1694461806.0, ""content"": ""Have you checked Threat and URL Filtering? If this doesn't work for you, there are a few applications that show the addresses the server is trying to go to.""}, {""user"": ""ajcthz98"", ""timestamp"": 1694508790.0, ""content"": ""Create/Clone a URL Filtering Profile that will allow and log (alert) all safe categories, then uncheck the \u201clog container page only\u201d option on the URL Filtering Profile. Apply this URL Filtering Profile to your catch all policy. If you still don\u2019t see what you are hoping for, then possibly your previous policy is silently blocking the URLs you are in search of. In that case, swap the policies briefly to gain visibility.\n\nFor me, the unchecking of the \u201clog container page only\u201d option was a little bit of a \u201cHoly Grail\u201d moment.\n\nI don\u2019t keep this special URL Filtering Profile in use all time, but instead only when trying to discover URLs an application is trying to use. I then create a Custom URL Category containing the discovered URLs to apply to a policy. (We also have a strict outbound policy.)""}, {""user"": ""15jrca"", ""timestamp"": 1694519276.0, ""content"": ""Are you after URLs or Services?\nIf none of the above have worked so far, capture some packets from the server hosting the app when attempting to connect. Check the URI/URL for DNS. \nIf looking for services. 
From server hosting use NETSTAT from CMD, PowerShell or Linux equivalent.""}, {""user"": ""2gbmjiqr"", ""timestamp"": 1694520233.0, ""content"": ""If it's a safe company, create an allow all policy for one IP or user. Go to that site and see what shows up.""}, {""user"": ""56dcd86r"", ""timestamp"": 1694528386.0, ""content"": ""Create a rule at the end of your internet place allow your-Src - >any (internet), in the profile, add a url profile with block all to all Url categories. This will block out of L7 and it will show up to your Url monitoring.\nConclusion, you allow L4 traffic, you block your L7 traffic - > you get a report on your logs""}, {""user"": ""128ufv"", ""timestamp"": 1694487220.0, ""content"": ""Yep all set to alert""}, {""user"": ""128ufv"", ""timestamp"": 1694487199.0, ""content"": ""Yep. Even checked unified just in case""}, {""user"": ""128ufv"", ""timestamp"": 1694487269.0, ""content"": ""Any that don't require an install? Workstation locked down tight....""}, {""user"": ""128ufv"", ""timestamp"": 1694550137.0, ""content"": ""I have exactly this but I'm going to try the log container only and see if that might help""}]" +paloaltonetworks-52,"[{""user"": ""2veaua92"", ""timestamp"": 1694471192.0, ""content"": ""Title: Palo Alto stopped dynamic updates?\n Body: Hi, so I'm in the middle of migrating our current ASA firewalls onto Palo Altos, so far so good, I'm pretty far along now. One issue I have ran into recently is that after migrating the OOB network onto the Palo Altos, they no longer update themselves through dynamic updates. The OOB management interface on the Palos is the primary int out for traffic originating from the firewalls themselves. 
Here is the current traffic flow for them now from the OOB int:\n\nFirewall OOB int >>>>> GW on ASA MGMT FW >>>> Route for MGMT network outbound back to Palo Alto LAN MGMT Zone interface (not the OOB MGMT interface) and then out.\n\nSo the traffic comes back into the firewall onto another interface and now it doesn't work. Currently I have an application filter setup to allow all Palo Alto update applications outbound, and nothing! I've tried allowing just the OOB MGMT IP add out as well on that LAN zone int and still nothing. I'm at a bit of a loss to be honest.\n\nAny ideas anyone?\n\nThanks""}, {""user"": ""412mcpi6"", ""timestamp"": 1694481452.0, ""content"": ""You probably need to configure a security policy to allow the traffic destined for the PA updates server.""}, {""user"": ""ggxts"", ""timestamp"": 1694471509.0, ""content"": ""If the default gateway for the management port is on the palo's you'll probably want to drop the management port completely, or have it route to another device on the network. \n\nBut what you can do is go to Device -> Setup -> Services and update the Service Route Configuration.""}, {""user"": ""nux47"", ""timestamp"": 1694523699.0, ""content"": ""have you checked your dns?""}, {""user"": ""3c7af5b5"", ""timestamp"": 1694533096.0, ""content"": ""Service routes is likely the issue. All updates, ldap queries, ntp, dns, etc. go out the management port by default. If the management network doesn't allow internet access, you'll need to configure separate service routes for any services that need it.""}, {""user"": ""eigr8x5r"", ""timestamp"": 1694573394.0, ""content"": ""Really a bit confused with key word and route what you are using here. OOB in Palo means Management interface in Palo?\n\nDefault Palo takes management interface to get updates. If your management IP don't have access to internet, then it won't. 
And also you don't need any security policies to make management interface get updates from Palo.\n\nOtherside if you are using any available ethernet interface as Management/OOB then you need security policy, change service route configuration. Also this interface IP should have internet access""}, {""user"": ""2veaua92"", ""timestamp"": 1694521170.0, ""content"": ""Yeah I've done that and I've done an allow as well to everything for the MGMT ip also.""}, {""user"": ""2veaua92"", ""timestamp"": 1694471621.0, ""content"": "">If the default gateway for the management port is on the palo's you'll probably want to drop the management port completely\n\nIt's not, it's on an ASA MGMT int""}, {""user"": ""2veaua92"", ""timestamp"": 1694535528.0, ""content"": ""Why wouldn't the mgmt network allow Internet access if I've allowed it via a security policy? \n\nIf you see my replies to the other person on this post then you'll see where I'm up to with it.\n\nThanks for the help""}, {""user"": ""412mcpi6"", ""timestamp"": 1694528572.0, ""content"": ""What are the traffic logs showing?""}, {""user"": ""ggxts"", ""timestamp"": 1694472532.0, ""content"": ""Okay, lets clarify your connectivity real quick because it is kind of confusing reading it. \n\n\""OOB management interface\"" -> is this the management ethernet on the Palo?\n\nIf it is, is that connected to the ASA which is the L3 gateway?\n\nFrom there, the ASA has a route to say...Eth1/2 as an \""inside\"" interface on the palo?\n\nThen out to the internet? \n\n\nIf that is all correct are you logging dropped packets and have the management IP subject to any NAT policies that may be required? 
\n\nDoes the ASA have another path out where it may be having traffic able to return to the ASA and skip the palo?""}, {""user"": ""2veaua92"", ""timestamp"": 1694530141.0, ""content"": ""Nothing anywhere on any zone""}, {""user"": ""412mcpi6"", ""timestamp"": 1694531816.0, ""content"": ""You must be hitting the default policy which doesn't log by default. Try temporarily overriding the behaviour of the default interzone policy so we can verify, most likely the traffic is not matching the policies you defined for it.""}, {""user"": ""2veaua92"", ""timestamp"": 1694533097.0, ""content"": ""I already have logging setup on it and there is nothing hitting it, also, I have a custom default block all traffic and block all webports traffic rule above this anyway, that logs everything that is outright blocked. None of them are being hit""}, {""user"": ""412mcpi6"", ""timestamp"": 1694533407.0, ""content"": ""Then most likely the traffic is being lost before it reaches the PA dataplane IF in the first place, a quick packet capture should confirm this.""}, {""user"": ""2veaua92"", ""timestamp"": 1694535448.0, ""content"": ""I've set up captures on the ASA (the Palos mgmt int next hop ip) and nothing there. Its almost as if nothing leaves the PA on any interface. \nThis has worked before though, I migrated the mgmt network across to the Palos last week, everything works on that network expect for the Palos updates.\nIt's as if it doesn't route off the control plane""}, {""user"": ""412mcpi6"", ""timestamp"": 1694537040.0, ""content"": ""Do a capture on the mgmt IF with tcpdump to verify this. Might be the service route is not configured correctly. 
Can you ping the ASA from the PA mgmt?""}, {""user"": ""2veaua92"", ""timestamp"": 1694592218.0, ""content"": ""Thanks for the help so far, so i did a tcpdump and checked the pcap, showed traffic pinging the HA interface fine and apparently some traffic for public ip's that mapped to google, but nothing else as far as update traffic from the looks of it""}, {""user"": ""412mcpi6"", ""timestamp"": 1694651810.0, ""content"": ""Try to ping the updates server from your mgmt IF.\n\nping host updates.paloaltonetworks.com\n\n** double-check that url before, I'm not at the office atm.""}]" +paloaltonetworks-53,"[{""user"": ""3wjdaezo"", ""timestamp"": 1694433216.0, ""content"": ""Title: Too late for SE Academy?\n Body: I graduated 4 years ago and have been working in Enterprise Presales ever since. I ended up replacing one of the Senior SE's at my company. We sell mainly on-prem servers, storage arrays, networking equipment, services, etc.\n\nI was thinking of transitioning to an SE role in Cyber Security.\n\nIs SE Academy too fundamental for me now? Given that I'm already trained in presales. Or is it more of a focus on the technology?\n\nAlso worried about being bumped off a Mid-Senior salary back to Associate.""}, {""user"": ""ao50hldk"", ""timestamp"": 1694446361.0, ""content"": ""If you\u2019re as skilled as you say you are, you should be fine going to for regular SE role, associate SE might be a step down, so corporate SE is also the base role, maybe for for an SE1 or SE2 role. Check jobs.paloaltonetworks.com and see if the pay for these roles are actually a step down/up from what you are""}, {""user"": ""suz08"", ""timestamp"": 1694434820.0, ""content"": ""I think the best way is to work out the best way you would be attractive to Palo.with your skillset. \n\nIf you have a good fundamental knowledge of a sector of business (e.g. 
airlines and transportation) and they have a vacancy in that or a related area then that would be attractive to them and you could largely be dropped into an SE role and learn Cyber on the job during the onboarding.\n\nIf however you don't have that vertical knowledge then the SE Academy may be the best way to get your baseline knowledge to the right level.""}, {""user"": ""c8iwwydk"", ""timestamp"": 1694447774.0, ""content"": ""You have the most important SE skills that simply come with time and experience: how to sell.\n\nPalo will teach you the rest when it comes to their technology. Go for it!""}, {""user"": ""3up2qoit"", ""timestamp"": 1694469487.0, ""content"": ""I am a pre-sales SE at a partner. I didn\u2019t do the SE academy. I learned everything from training classes as well as beacon. I have 3 PSE Profession certs as well as a few PCxxx certs. I didn\u2019t get them until after I started. But if you have a good foundation in networking, I\u2019d say check out SE positions at resellers or distributors.""}, {""user"": ""suz08"", ""timestamp"": 1694435022.0, ""content"": ""Regarding salary, that's something to speak to recruitment about. However Cyber is a very dynamic industry that requires you to learn new skills every 2 years. I'd always recommend people to consider a move into the sector and into any top tier vendor in the area.""}, {""user"": ""3wjdaezo"", ""timestamp"": 1694438338.0, ""content"": ""After more research, an Associate role really does look like a step backwards. I know I'm more than capable of learning Cyber on the job (I already have a couple certs) but there are no SE roles available in my city. 
I guess it's just not meant to be for now.\n\nThanks for the insights!""}]" +paloaltonetworks-54,"[{""user"": ""mozcvrcs"", ""timestamp"": 1694447130.0, ""content"": ""Title: Directory Sync association for Prisma Access is missing or incomplete.\n Body: Hi, I tried to add a new device, and I received this error on my Panorama 10.1.10-h2 in cloud\n\nPlugin VM-Seriesvm\\_series-2.1.11\n\nPlugin GlobalProtect Cloud Servicecloud\\_services-4.1.0-h20 \n\nI cannot find a solution, I already reboot it \n \n\n* Directory Sync association for Prisma Access is missing or incomplete.\n* Failed plugin validation\n\nThanks who could help me""}, {""user"": ""ao50hldk"", ""timestamp"": 1694479878.0, ""content"": ""Is directory sync association actually missing? Check the cloud services plugin >> configure >> Mobile Users (Then Remite networks if you\u2019re using it at all) >> I think onboarding? >> directory sync maybe??? And see if it\u2019s enabled\n\nGoing off memory here so the location names might be off but you get the jist if it""}, {""user"": ""mozcvrcs"", ""timestamp"": 1694507756.0, ""content"": ""Hi, I discussed with my senior colleagues and this is a temporary situation of Prisma.\n\n After going out for dinner, we returned, and the issues had disappeared""}]" +paloaltonetworks-55,"[{""user"": ""a0uw90njj"", ""timestamp"": 1694442087.0, ""content"": ""Title: GlobalProtect VPN won\u2019t load website on Google Chrome\n Body: Hello all, My company I work for uses Palo Altos GlobalProtect VPN which has been working fine since i\u2019ve been here until now. Pretty much one by one every day of the week another person working remote can\u2019t load websites on Chrome but it works fine on Edge. I\u2019ve had them delete cookies and cache, delete and reinstall Chrome and nothing has worked. 
Some people couldn\u2019t connect to sharepoint.com while connected to the vpn but when they disconnected it would work perfectly fine, which leads me to believe this is a firewall issue, but we haven\u2019t changed anything recently? Has anyone experienced this and does anyone have recommendations to fix?\n\nAlso to note i\u2019ve tried replicating this on my laptop by connecting to my hotspot and then connecting to the vpn and it works fine for me, so this is only happening to a select few.\n\nand i meant websites* the main problem is some of our internal sites won\u2019t load but some can\u2019t even get sharepoint to load""}, {""user"": ""8b4de"", ""timestamp"": 1694443721.0, ""content"": ""Usually when Edge works but Chrome doesn't, it's the quic app-ID. I think the browser is supposed to fall back to TLS, but if you can validate the traffic logs for a session where a user tried to hit a site in Chrome and can't get to it, see if the app is quic. The action may be deny / drop in a policy it's hitting for that App-ID.""}, {""user"": ""4h80c"", ""timestamp"": 1694442512.0, ""content"": ""Seems strange to me that Edge works as it's a Chromium-based browser. If you are not using split tunnel, have you ruled out DNS? It could be possible that Chrome is trying to do DNS over HTTPS and that might be getting blocked.""}, {""user"": ""8qk1un9z"", ""timestamp"": 1694446239.0, ""content"": ""I'll try to guess, maaaaybe a problem with the certificate? But it would be strange too because I think they have the same policy for it, if Firefox is the only one that doesn't work so it can be.\n\nIt would be usefull to have a packet capture from the computer when he try to open the portal from both Chrome and Edge, so you can check when it get stuck.""}, {""user"": ""vhclcucd"", ""timestamp"": 1694444612.0, ""content"": ""QUIC was my guess too. Guessing this is one of those times that desktop guys and the network guys are not on the same page. 
The network/infosec guys are probably not going to allow quic so it will be on the software/desktop guys to turn it off. Google can take it's quic and eff right off.""}, {""user"": ""11qli9"", ""timestamp"": 1694452829.0, ""content"": ""It\u2019s this I\u2019ve been seeing an uptick in these types of issues. The Palos are classifying quic as a threat and blocking it. We have a whitelist setup under URL to address it.""}, {""user"": ""zps23"", ""timestamp"": 1694484577.0, ""content"": ""Blocking it should be fine as long as you're Denying it and not Dropping it. Deny will tell the browser which should then fall back to normal.""}]" +paloaltonetworks-56,"[{""user"": ""jh6qu642o"", ""timestamp"": 1694418244.0, ""content"": ""Title: I would like to understand the difference between Advanced threat prevention and Threat prevention Licenses\n Body: I have **'advanced threat prevention'** and **'threat prevention'** licenses on my firewall. Renewal date is around the corner and I have a feeling that the two mentioned licenses are redundant. 
""}, {""user"": ""x04u8"", ""timestamp"": 1694426218.0, ""content"": ""The simplified answer is that Advanced Threat Prevention includes regular Threat Prevention and provides the Inline Cloud Analysis.""}, {""user"": ""i5gzh"", ""timestamp"": 1694427819.0, ""content"": ""The one costs twice as much as the other""}, {""user"": ""1j514bjk"", ""timestamp"": 1694543359.0, ""content"": ""TP is based on signatures generated from collected malicious traffic from various Palo alto network services it provides signatures for known malware vulnerabilities C2 APP-id and User-id\n\nATP has the features of TP with the additional cloud service that uses deep learning and machine learning to provide enforcement for evasive first-time-seen vulnerabilities and C2 threats\n\n​\n\nI was just studying this, this morning from the official PCNA study guide good i remembered whats writen""}, {""user"": ""7yor6"", ""timestamp"": 1694478062.0, ""content"": ""The advanced licenses are designed to extract more money from the customer.""}, {""user"": ""nycni"", ""timestamp"": 1694429550.0, ""content"": ""Having the ATP license grants you the rights to TP, so you\u2019ll see both licenses downloaded. Also, they are phasing out the TP SKUs.""}, {""user"": ""jh6qu642o"", ""timestamp"": 1694430146.0, ""content"": ""makes sense""}, {""user"": ""8e8pvsdc"", ""timestamp"": 1694438573.0, ""content"": ""Thought that was wildfire?\nI will have to look that up. Thank you.""}, {""user"": ""bf73y"", ""timestamp"": 1694490266.0, ""content"": ""Sounds like what an old Cisco diehard would have said when NGFWs came out... 
Do you think capabilities/protections don't need to evolve?""}, {""user"": ""jh6qu642o"", ""timestamp"": 1694507720.0, ""content"": ""I always feel like TP & wild fire have similar service offerings.""}, {""user"": ""atjmo"", ""timestamp"": 1694497486.0, ""content"": ""They have advanced WF now too IG""}, {""user"": ""7yor6"", ""timestamp"": 1694533425.0, ""content"": ""I'm all for new features but I feel like these should be included in the product I'm already paying for. Instead they've added cloud features to it, called it a new product and doubled the price.""}, {""user"": ""8e8pvsdc"", ""timestamp"": 1694524164.0, ""content"": ""Yeah I saw that and have no idea what the difference is.""}]" +paloaltonetworks-57,"[{""user"": ""7kj334b3f"", ""timestamp"": 1694411259.0, ""content"": ""Title: Pcnsa; which Beacon path did you guys study ?\n Body: I see a few ones is it just the edu 210? Do I need a voucher for full access?""}]" +paloaltonetworks-58,"[{""user"": ""ua88e460"", ""timestamp"": 1694396161.0, ""content"": ""Title: SDWAN planning, would Palo Support be able to help\n Body: Dear Friends,\n\nSeems all of our Pano managed firewalls are ready to move SDWAN planning, would Palo Support be able to help to plan and do the initial steps? \n\nThanks\nLarry""}, {""user"": ""4fpau"", ""timestamp"": 1694396425.0, ""content"": ""That's pro services typically.""}, {""user"": ""ntqtdiz9"", ""timestamp"": 1694398322.0, ""content"": ""Which SD-WAN? I\u2019m assuming PAN-OS SD-WAN based on the context, but just confirming.""}, {""user"": ""2iok9w7f"", ""timestamp"": 1694461034.0, ""content"": ""Agree. Find yourself a good Palo Alto partner. 
It will be cheaper than going PAN pro services.""}, {""user"": ""ua88e460"", ""timestamp"": 1694398556.0, ""content"": ""Yeah on-prem SDWAN over MPLS and Public IP etc, not the one with Prisima..""}]" +paloaltonetworks-59,"[{""user"": ""5pz4hc3j"", ""timestamp"": 1694358946.0, ""content"": ""Title: what material study do in need to ace PCCET ?\n Body: on palo site there is a pdf study guide of 268 pages is this enought ? ""}, {""user"": ""j43jipd0r"", ""timestamp"": 1694444961.0, ""content"": ""I think if you have hands on with Palo Alto firewalls then the study guide is enough. The bulk of the PCCET, for me, was knowledge of the different offerings from Palo Alto, what each is used for, and some basic networking questions. I used the study guide and CBT Nuggets but keep in mind that I'm in a Palo every day.""}, {""user"": ""144wwl"", ""timestamp"": 1694374475.0, ""content"": ""I took the PCCET about a month ago just to get in the testing mode for PCNSE.. honestly there isn\u2019t a lot of palo it\u2019s most general security if I remember correctly.""}, {""user"": ""5pz4hc3j"", ""timestamp"": 1694375978.0, ""content"": ""How was the exam for you? Was it easy?""}, {""user"": ""144wwl"", ""timestamp"": 1694376008.0, ""content"": ""Yeah, I didn\u2019t study but I\u2019ve also been working on Palo for about 10 years""}, {""user"": ""5pz4hc3j"", ""timestamp"": 1694379309.0, ""content"": ""well no wonder""}]" +paloaltonetworks-60,"[{""user"": ""7kj334b3f"", ""timestamp"": 1694300237.0, ""content"": ""Title: Pcnsa cert\n Body: What did you guys use to study for the PCNSA, I don\u2019t want to buy the instructor based 3000 dollar course. I did find this: link https://beacon.paloaltonetworks.com/student/path/642692-firewall-9-1-essentials-configuration-and-management?sid=88f82d65-6005-47e4-9446-c33fc5ab56fc&sid_i=4\n\nAnd the study guide. Is that good enough to pass? What materials do you guys recommend? 
They do not make it easy finding a good path to prepare.""}, {""user"": ""x48k1"", ""timestamp"": 1694322026.0, ""content"": ""I took the edu 200 training (free), worked the study guide, and had limited hands on experience.""}, {""user"": ""7kj334b3f"", ""timestamp"": 1694724154.0, ""content"": ""Found the cbt nugs torrent hit me up for link bitches \ud83e\udd19""}, {""user"": ""h8dz466w"", ""timestamp"": 1694343515.0, ""content"": ""Beacon is a great aide and free. I recommend starting there.""}, {""user"": ""b9jdun9zk"", ""timestamp"": 1694350801.0, ""content"": ""Beacon, study guide and i recommended Keith Barker videos for PCNSA(cbt Nuggets).""}, {""user"": ""7kj334b3f"", ""timestamp"": 1694356948.0, ""content"": ""How did you take the edu 200 training free?""}, {""user"": ""7kj334b3f"", ""timestamp"": 1694361768.0, ""content"": ""Is that link above what you used from Beacon? I wonder if there is a torrent for those cbt nugs""}]" +paloaltonetworks-61,"[{""user"": ""63zl7"", ""timestamp"": 1694278386.0, ""content"": ""Title: PA-220 seems to slow down but is then fine on reboot\n Body: I'm a bit stumped on how to troubleshoot this since when logging in the management plane seem to be responding fine and doesn't show any issues with CPU or memory use. But traffic will keep slowing down till speedtest will report it's in the 0.01mbps range.. (from 250mbps) But after a reboot it's back to normal. \n\nI suspect the issue is heat related since it started after relocating the device into our network rack. (and it's either passive or has a VERY quiet fan).\n\nSuggestions on what to check or try? 
I've got a 440 proposed for next year but need to wait till Jan1 to make the order.""}, {""user"": ""briif"", ""timestamp"": 1694282087.0, ""content"": ""I am willing to make a guess you are not running on 9.x and skipped the parts about 10.x being significantly slower in every conceivable way""}, {""user"": ""iqi7f"", ""timestamp"": 1694282086.0, ""content"": ""Have you opened a supoort case? Could be hardware issue""}, {""user"": ""kevpn"", ""timestamp"": 1694284564.0, ""content"": ""Knowing PAN-OS version is usually a requirement for this kinda stuff""}, {""user"": ""63zl7"", ""timestamp"": 1694449321.0, ""content"": ""What is this stack exchange? I'm on 9.1.16. Not leaving 9.1 till I get different hardware.\nhttps://imgur.com/a/0n9jgAm""}, {""user"": ""63zl7"", ""timestamp"": 1694449427.0, ""content"": ""That's likely to be my next move. Unfortunately it's been sporadic so I'm not sure if I should open one when it's working or, or try to time it for when the internet is out. (it's also only happened 3 times in the last 6 months, which is WAY more than acceptable, but pretty hard to \""catch\"")""}, {""user"": ""63zl7"", ""timestamp"": 1694305146.0, ""content"": ""Oh right. Most current 9.1 version.""}, {""user"": ""8qk1un9z"", ""timestamp"": 1694440960.0, ""content"": ""Do you upgrade it recently? Try to downgrade to the precedent version""}]" +paloaltonetworks-62,"[{""user"": ""1erblxul"", ""timestamp"": 1694259179.0, ""content"": ""Title: Endpoint HIP logs\n Body: Is there a way to disable or hide the HIP parts in PanGPS log? 
We don't want our \""creative\"" employees to be able to see what we are trying to capture.""}, {""user"": ""ao50hldk"", ""timestamp"": 1694282752.0, ""content"": ""No""}]" +paloaltonetworks-63,"[{""user"": ""7gfh1mxh"", ""timestamp"": 1694244097.0, ""content"": ""Title: Cortex XDR Install during SCCM OSD\n Body: Hello, \n\n​\n\nI am running into a bit of a snag here - We are in the process of a POC for Cortex XDR and testing integrations into our normal workflows. One of the things we do is install all security software during a SCCM OSD task sequence. This just makes it easier to get a system up and running quickly. I followed the guide Palo Alto has on their site to get XDR added in as an application and when I test the OSD deployments out on my VM, it fails every time as it installs Cortex XDR with an error code that states the log file location could not be accessed, but I don't have logging enabled for the install. I tested with it again with verbose logging and still was receiving the same error. Has anyone been able to get it to install during an OSD or is this something we should have as a post image task? ""}]" +paloaltonetworks-64,"[{""user"": ""jb3o0ts8w"", ""timestamp"": 1694203563.0, ""content"": ""Title: Best way to bulk move DG objects to Shared when some of them already exist?\n Body: Hi all,\n\n I have a situation where I need to move nearly 4000 objects from a device group to shared. The problem is that nearly 50% of them are duplicated both in the device group and the cloned group, so I can't just highlight the entire list and move them to shared (it will say \""This address is already in use\"").\n\nDoes anyone have any ideas on how to speed this process up? Maybe a way to do this faster via CLI? Going one by one on each object and trying to move it will take a very long time. I wish there was a way to move all of the objects into the shared group but just ignore the ones that already exist in there. 
""}, {""user"": ""zlbzd"", ""timestamp"": 1694212612.0, ""content"": ""Expedition is the way.""}, {""user"": ""jb3o0ts8w"", ""timestamp"": 1694438558.0, ""content"": ""Ty all, so it sounds like I have multiple options - Expedition, CLI, and PHP scripting. I will try CLI for now.""}, {""user"": ""7ucaq"", ""timestamp"": 1694204739.0, ""content"": ""CLI is the way. make sure you do a \""cli scripting-mode on\"" to let putty do its thing with that many commands.\n\nset cli config-output-format show\n\nshow\n\n*find relevant section*\n\nCopy into Notepad++, Ctrl+H for proper commands\n\ncopy and paste back into CLI""}, {""user"": ""shq4z6me"", ""timestamp"": 1694213481.0, ""content"": ""#pan-os-php""}, {""user"": ""gpf65"", ""timestamp"": 1694206458.0, ""content"": ""I would think that should read\n\nset cli config-output-format set\n\nconfigure\n\nshow\n\n​\n\nYou probably need to make some bulk changes to move from a DG into Shared. I love using notepad++. You can hold the alt button and select by column and then just change the highlighted text all at once to Shared\n\n​\n\nAlso if you are trying to find a specific area from the cli you can do show | match 'match term'\n\nOnce you find the area you are interested in then just run the show command with more specific section listed\n\nie.\n\nshow device-group 'DG name'""}, {""user"": ""29l079c7"", ""timestamp"": 1694222191.0, ""content"": ""THIS! \n\n\nI use this ALOT and it's great. 
You want to use the address-merge function /u/Fungman1 .""}, {""user"": ""jb3o0ts8w"", ""timestamp"": 1694440237.0, ""content"": ""Hey - couple questions - does\n\n*set cli config-output-format set*\n\naccomplish the same thing as\n\n*cli scripting-mode on*\n\nThey both seem to bring me from xml format to set format?\n\n​\n\nAlso one other thing, the syntax of the shared addresses and device group addresses is a little different -\n\n\""set shared address *address*\""\n\nvs\n\n\""set device-group *device-group* address *address*\""\n\nI don't want to clone everything from the DG to shared, I just want it moved. Will I have to do the set shared address command on all of my addresses first, and then \""no set device-group\"" command afterwards on those addresses?""}]" +paloaltonetworks-65,"[{""user"": ""3ja98pd6"", ""timestamp"": 1694215175.0, ""content"": ""Title: PA-410 vs Fortinet 40F\n Body: What would you say are the main differentiators to the 2 products? How do the specs compare?""}, {""user"": ""eq4blh7ao"", ""timestamp"": 1694258660.0, ""content"": ""Fortinet is straight trash compared to Palo, from an interface to CLI perspective. Get the company onboard with Palo.""}, {""user"": ""8k029"", ""timestamp"": 1694223728.0, ""content"": ""Just an FYI, the PA-410 is the ONLY PA firewall that doesn\u2019t do on-box logging. Zero onboard log storage, so you need to have something else to log to (Panorama, SIEM, Cortex Data lake, syslogd, etc).\n\nIf you are a cafe and want one firewall, you should go PA-440.\n\nIf you have 1,000 retail branches, you should have the supporting infra so the 410 would be fine.""}, {""user"": ""3ehm8kce"", ""timestamp"": 1694329932.0, ""content"": ""you should ask the same question in the Fortinet reddit sub to get a full picture :-)""}, {""user"": ""4gigy"", ""timestamp"": 1694361751.0, ""content"": ""So is the only worthwhile firewall Palo then? If Fortigate is trash then checkpoint must be sewage and firepower nuclear waste. 
If the only firewall worth using is Palo we have a monopoly and should be concerned.""}, {""user"": ""5uekzbgu"", ""timestamp"": 1694417702.0, ""content"": ""Really? From interface and GUI? Really?""}, {""user"": ""3ja98pd6"", ""timestamp"": 1694224210.0, ""content"": ""It\u2019s for multiple retail stores. Debating between the 410s and the Fortinet 40F. Franchise so price will play a part although Palo is competing price wise. Just curious what the pros cons of each are.""}, {""user"": ""i5gzh"", ""timestamp"": 1694237374.0, ""content"": ""This isn\u2019t 100% accurate. There is logs for everything not from the data plane so: Configuration, System, Alarms logs are there.""}, {""user"": ""3ja98pd6"", ""timestamp"": 1694350891.0, ""content"": ""Good idea!""}, {""user"": ""eq4blh7ao"", ""timestamp"": 1694378075.0, ""content"": ""We should be concerned, Firepower is equally as shitty, addons are expensive and cumbersome, CLi is fine. Checkpoint is decent at best for small business or bottom of the barrel decent UI/CLI.""}, {""user"": ""eq4blh7ao"", ""timestamp"": 1694459449.0, ""content"": ""Absolutely, it\u2019s god awful to work with, poorly laid out, I could go on.""}, {""user"": ""8k029"", ""timestamp"": 1694224611.0, ""content"": ""If you have 4 or fewer APs/PoE devices, a PA-415 is the same performance as the 410 but has on box logging, 4 PoE ports, dual power supplies, and an SFP port (which I have tested with the Proscend 180-T VDSL SFP and seems to work fine).\n\nSo may save you the cost and management overhead of a PoE switch.\n\nI prefer Palos over Fortinet, I find that if you\u2019re turning on lots of the security features then the performance on Palo isn\u2019t impacted as much as Forti.\n\nIf you\u2019re just doing straight FW, then probably not much in it.""}, {""user"": ""2z38uxaj"", ""timestamp"": 1694225653.0, ""content"": ""Do you know where cost of the 415 falls? 
More or less than a 440?""}, {""user"": ""37ve4gbk"", ""timestamp"": 1694234101.0, ""content"": ""415 was overpriced last time we quoted this out for my customer. Not worth the premium for the single SFP port.""}, {""user"": ""37ve4gbk"", ""timestamp"": 1694234470.0, ""content"": ""It costs \\~$200 list more with the specs of a 410. The premium also extends to the subs too.""}, {""user"": ""e6qh3"", ""timestamp"": 1694262195.0, ""content"": ""The 415 is more than a 440.""}, {""user"": ""2z38uxaj"", ""timestamp"": 1694270541.0, ""content"": ""Thank you""}, {""user"": ""2z38uxaj"", ""timestamp"": 1694270598.0, ""content"": ""Thank you""}, {""user"": ""2z38uxaj"", ""timestamp"": 1694270304.0, ""content"": ""Thank you""}]" +paloaltonetworks-66,"[{""user"": ""cb6pttw0g"", ""timestamp"": 1694186912.0, ""content"": ""Title: PCNSE PAN-OS Version\n Body: Hello guys, \n\nMy question is if the PCNSE is already for PAN-OS 11 or it is still about 10.x?""}, {""user"": ""p1pda"", ""timestamp"": 1694201520.0, ""content"": ""11.0. Lots of questions on new stuff.""}, {""user"": ""j43jipd0r"", ""timestamp"": 1694203930.0, ""content"": ""Took it last week, there was some 11 on it.""}, {""user"": ""6gexp"", ""timestamp"": 1694262850.0, ""content"": ""Mostly 10.2 with a bit of 11 new features mixed in.""}, {""user"": ""4va2fgn7"", ""timestamp"": 1694345085.0, ""content"": ""Was it difficult?""}, {""user"": ""j43jipd0r"", ""timestamp"": 1694345482.0, ""content"": ""I found it very difficult. Our FWs are on 10.x and I feel pretty confident there. But there were a lot of questions on web portal, NAT questions that I felt could go multiple ways, and quite a few of those where they show a screenshot of the GUI and you have to figure out which answer it\u2019s correct. I usually can\u2019t even make out the screen on those. Too blurry and the entire screen never fits on the monitor at the test site. 
Also, feel like there were a lot of questions for the time allotted.""}]" +paloaltonetworks-67,"[{""user"": ""a0tw8eaf"", ""timestamp"": 1694189989.0, ""content"": ""Title: URL category being skipped\n Body: We just setup kerberos sso auth, that\u2019s working good. we have a pre rule for zoom, source is all users, application is ssl, zoom and zoom-info, URL category is *.zoom.us and *.zoomgov.com. \n\nWhen we try to use zoom phone or just connecting to zoom it\u2019s skipping this rule and going to our post rule explicit deny rule. \n\nIt hits the zoom rule for ssl 443 just fine for some of the same URLs as below. \n\nIt shows up as zoom-meeting 8801 which is within the zoom application and the URLs come across as .zoomgov.com URLs\n\nI have tested this and if I remove the URL category it will work no problem. \n\nWe also have another post rule for YouTube and it\u2019s doing the same thing. If I keep just my URL category it doesn\u2019t work, if I add palo\u2019s predefined \u201cstreaming media\u201d then it works. \n\nAny ideas? 
I have had a ticket with Palo and they can\u2019t figure it out either yet.""}, {""user"": ""47db6"", ""timestamp"": 1694204638.0, ""content"": ""One thing to try:\n\n\\-Separate the zoom app rule from the ssl rule, placing the zoom rule above the ssl rule and keeping your custom URL category in the ssl rule, but the zoom rule set to 'Any' (no URL category)\n\nI think the way it works is, the palo will initially see the traffic as ssl and allow it based on your url category, then once it has seen a few packets it can identify the app as zoom and do the 'app shift', re-evaluate the traffic against the zoom rule, which should let it continue.\n\nThe only other thing i can think of is that custom URL categories do not work with the zoom applications.""}, {""user"": ""ao50hldk"", ""timestamp"": 1694202547.0, ""content"": ""Take pcaps, find the SSL handshakes for each session, find the SNI value in each client hello.\n\nIs it *zoom.com or *.zoomgov.com?\n\nIf yes then there\u2019s a deeper issue, if not, then there\u2019s your issue.""}, {""user"": ""474w3zgp"", ""timestamp"": 1694444181.0, ""content"": ""I see all my zoom-base application traffic with destination-port 443. It is not resolving the destination URL, but shows IP address 170.114.15.x. Have you tried a security policy based on application?""}, {""user"": ""1oj2b1xo"", ""timestamp"": 1694321469.0, ""content"": ""Couple of extra checks:\n\n to see if you have any ports configured under Service. We\u2019ve had a few where the firewall team keep selecting the https-443 port object under service so the match fails when the application try\u2019s to use another port even though it\u2019s part of the app-ID profile.\n\nAlso check the URL filter profile you have assigned to the policy too. 
Again people selecting url profiles in override policies that block say \u201cshareware and freeware\u201d while trying to match a URL Category list with giphy.com/ (need to do this for customers using Teams)""}, {""user"": ""a0tw8eaf"", ""timestamp"": 1694445610.0, ""content"": ""Mine resolves the URLs normally to something like x-x-x-x-zoomgov.com where x is the ip address. Or it resolves to zoomsva3zc.zoomgov.com has no issue with the SSL application I\u2019m allowing but always skips the rule for zoom application that uses 8801, I also have another rule below this one that is using the same URL category but using the ports udp 8801 instead of application and it\u2019s skipping that one as well.""}]" +paloaltonetworks-68,"[{""user"": ""gfle6x2w"", ""timestamp"": 1694181798.0, ""content"": ""Title: IP Sec Tunnel - having to add irrelevent Proxy IDs to keep the tunnel up\n Body: Hello, we have noticed that if we don't add Proxy IDs to an IP Sec Tunnel for all of our VPN Subnets, then we have issues down the line. For example, let's say we have just setup a new VLAN with the subnet of [10.113.1.0/24](https://10.113.1.0/24) and we want to add it to our Palo VPN (which has a subnet of 192.168.96.0/24), we find that we can't just get away with adding one proxy ID from the site to the Palo, but we have to add one for all our other VPN locations. Is anyone able to clarify this?""}, {""user"": ""5u04b"", ""timestamp"": 1694184039.0, ""content"": ""Without knowing what's on the other end of the tunnel it's impossible to say. Route based VPNs do not need Proxy IDs""}, {""user"": ""16p19w"", ""timestamp"": 1694220738.0, ""content"": ""It\u2019s purely a compatibility thing, if the other end is a Palo you should be able to get rid of them on both sides as they support route based. 
The use of proxy IDs is smoke and mirrors to appease policy based VPN appliances on other end or systems that may require specific non-wildcard proxy IDs.""}, {""user"": ""h8df04r1"", ""timestamp"": 1694184630.0, ""content"": ""You either run dynamic routing protocol over it or you add proxyid .... It needs traffic to keep tunnel up ...otherwise its on demand .. the proxy id is used to create phase 2 if no routing is there ...""}, {""user"": ""ao50hldk"", ""timestamp"": 1694202358.0, ""content"": ""If there\u2019s proxy IDs, (aka route based in the other side) it has to match both ends to negotiate properly. If you really don\u2019t want those proxy IDs, remove them from both sides of the tunnel.""}, {""user"": ""iwlnp"", ""timestamp"": 1694386054.0, ""content"": ""There is a lot of info in this thread, and there are some that are more correct than other bits.\n\nProxy ID serves a few puposes:\n\n\\- If you want multiple VPNs with the same remote IKE peer then proxy ID is needed.\n\n\\- If you have a peer that requires a proxy ID to be given (wether correct or not that is needed), then you need to be able to match it.\n\n\\- Per the Rf>cs the proxy ID is only used during the establishmen of the tunnel (IPsec/phase 2), but if it is present it has to match the peer. Not all other firewalls allows you to omit the proxy ID and it will supply at minimum a \""0/0\"", then you need to match it.\n\n\\- A lot of people mix up proxy ID with traffic selectors. This can also bite.""}, {""user"": ""y7eds"", ""timestamp"": 1694319952.0, ""content"": ""Why not. Just cause the Palo doc says that. If you have no proxy id you leave yourself open to any traffic coming down the VPN""}, {""user"": ""y7eds"", ""timestamp"": 1694320026.0, ""content"": ""I'm not sure that's 100% true we use proxy id to filter what traffic is allowed over there""}, {""user"": ""nycni"", ""timestamp"": 1694227103.0, ""content"": ""Either way, it needs a route in the forwarding table. 
Also, it works with static routes.""}, {""user"": ""16p19w"", ""timestamp"": 1694377858.0, ""content"": ""It will still route traffic through the tunnel regardless of the proxy id, I just went through an issue around this causing issues.""}, {""user"": ""16p19w"", ""timestamp"": 1694378312.0, ""content"": ""I do think you can use policy based forwarding along with proxy ids to make it work but if you are just using regular routing tables it will not. I would validate if I was you to make sure. You could easily test with just some ICMP to an address that doesn\u2019t have a Proxy ID.""}]" +paloaltonetworks-69,"[{""user"": ""1yymo6u8"", ""timestamp"": 1694168711.0, ""content"": ""Title: Disable port 80 on Global Protect interface\n Body: Hello,\n\nAs post title says, I'm trying to gracefully disable GP portal service listening on port 80 on the outside interface for Global Protect termination. I know it gets redirected to HTTPS, but vulnerability scanners are failing me in the report due to redirect manipulation possibility.\n\nIs there any way to do it system wide, or do I have to go caveman and just filter it out in FW policy rules?""}, {""user"": ""5gj3sjhny"", ""timestamp"": 1694176218.0, ""content"": ""The correct and only way to deal with this is security policy. You should have a rule that explicitly allows access for SSLVPN using the necessary apps, and anything else should hit an implicit deny at the bottom of your rule base. \n\nIf you don\u2019t need to have the portal page, you can disable it.""}, {""user"": ""104io1"", ""timestamp"": 1694186053.0, ""content"": ""We put the GlobalProtect Gateways on a Loopback interface. We control access to the loopback via NAT rules and security policies. \n\nThe added benefit is that it make deployment via a template a bit easier.""}, {""user"": ""1yymo6u8"", ""timestamp"": 1694178130.0, ""content"": ""Thanks for the input. 
I can disable portal page, but the web service listening on port 80 will still be up, just show 404 instead of landing page and that won't cut for scanner.\n\nI do have exclusive implicit deny configured in the end between all to all, but it does not apply to GP portal. Connections opened to its 80/443 port do not show up in standard traffic logs either. I can see successful GP client connections in GlobalProtect log page though.\n\nSeems like connections destined to the firewall itself are not evaluated by security policy, only forwarding plane \""through it\"" gets there.""}, {""user"": ""3uqxds9f"", ""timestamp"": 1694190306.0, ""content"": ""Every packet to and across the firewall must match a security policy. Packets to port 80/443 of the firewall are matching the intra zone allow and you're not seeing it in your Iogs because the default intra zone doesn't have logging enabled. \n\nAdd a specific intra-zone rule blocking port 80 and it will fix your issue""}, {""user"": ""5gj3sjhny"", ""timestamp"": 1694189109.0, ""content"": ""Not sure why you would be seeing the 404 for traffic going to port 80. That isn't needed for GlobalProtect, so I would review the rule you have allowing GP access, or create a supersceding rule to explicitly block the port 80 traffic to you GP portal IP.\n\n​\n\nThis situation is a bit of a pain in the ass. I have gone through this excercise about 5 times this year with various clients and different auditors.\n\nConversation generally goes like this...\n\nThey ask why that IP is responding on 443 fom any internet IP.\n\nI explain how it would be impossible to know the IPs our users will connect to VPN from, and this is only for portal access which is to download app settings, blah blah blah.\n\nThis goes back and forth a few times and eventually we get through it.\n\n​\n\nHere is what you should do for the auditors and best practice:\n\n* Use SAML with an IdP. 
This is a hard fail if you're not doing it.\n* Unless you have a need for using the GP portal such as clientless VPN, disable it. Doesn't do much for an audit, but it's slightly more secure.\n* Provide screenshots showing how going to the portal web page redirects to your IdP where authentication is enforced and MFA is mandatory. This generally satisifes most auditors.\n* If you can lock down the access to the portal by country, that is a big help to show them. If you are a US based company only expecting employees connecting from the US, only add that as a source country. You could also approach it from the other direction where you block access from countries like North Korea, Russh, China, etc. but you should already be doing that, and it's better to explicitly allow from a source rather than to block specific sources.\n\nIf you really need to secure the hell out of the portal, spin up a FW in AWS, Azure, GCP, etc. and dedicate it to your portal. You can explain what the portal does in the GlobalProtect architecture and how it is 100% air gapped from your company resources.""}, {""user"": ""8e8pvsdc"", ""timestamp"": 1694179809.0, ""content"": ""I would love to know as well. A couple versions ago they removed the ability to fully disable the portal page and now the pci scanners all flag it. I end up putting in an exception but that gets annoying after a few submissions.""}, {""user"": ""bf73y"", ""timestamp"": 1694191871.0, ""content"": ""If you go to your session browser (not the logs) and filter on the Portal IP, it should show the rule it is using. I see it all the time where someone doesn't realize their GP traffic is hitting the \""intrazone-default\"" because the IP lives on the public facing interface/zone and so it is Untrust/outside to Untrust/outside. 
And the default rules do not have logging enabled by default.""}, {""user"": ""g0057"", ""timestamp"": 1694195434.0, ""content"": ""There are other ways of allow listing mobile VPN connections, one such way is if you're using a tool such as NinjaRMM Agent which reports back the public IP of a system. You can then have a scheduled task that runs a powershell script that enumerates a security group in AD for computer account names and then query the Ninja API for them and pulls out the public IP.\n\nYou then dump those into a text file and upload to a locally hosted gitlab server, have the file address used as an EDL on the firewall and apply that as the source address.\n\nIf your scheduled task runs every 5 min and your EDL is set to 5 min updates, you'll basically need to wait a max of 10 mins after getting a new public IP before you can connect through.\n\nYour MFA provider can help to protect the auth, on a successful auth you can then have your HIP profiles on your security rules to ensure those systems are what they should be.""}, {""user"": ""1yymo6u8"", ""timestamp"": 1694180144.0, ""content"": ""I'm also undergoing PCI certification and external scanner just fails the vuln. assessment scan, because of this pseudo redirect, which will never manipulate anything in principal, as there is no user content anyway.""}, {""user"": ""5gj3sjhny"", ""timestamp"": 1694197257.0, ""content"": ""Of course you could do something like that, but that is a cluster fuck to deal with unless you hate your help desk. The expectation of a user understanding that sometimes they will try to connect to vpn, but it won\u2019t work for up to 10 minutes, and that is expected is a pipe dream in my opinion. Security is always a balancing act and IMO that is going way too far. 
If you\u2019re doing that, get rid of VPN and use Citrix or something similar.""}, {""user"": ""g0057"", ""timestamp"": 1694207306.0, ""content"": ""It's really simple, the powershell script outputs logging info and helpdesk only need to look in the security groups for both the allow list and for permission to even auth (you're not using All on your GP portal/gateway for auth, are you?) in AD to make sure they have their user and computer accounts in the right place.\n\nIf the groups are fine, then it's a case of telling the user to wait harder. I can imagine it would be a bit of a nightmare if you're dealing with thousands of users, but a few hundred? It's not an issue.""}]" +paloaltonetworks-70,"[{""user"": ""3ngl1xj6"", ""timestamp"": 1694193291.0, ""content"": ""Title: Anyway to Turn Off Configuration Validation?\n Body: I am failing commits on my firewalls because of some overrides that are needed on one of our clusters. When trying to make changes, the changes fail because of IP addresses being \""invalid\"". Long story short, we are trying to migrate from one backup ISP to another. The interface that it comes in on is overridden and it can't be reverted to Panorama. Now, trying to restore values to previous values and commits fail due to \""invalid\"" IP addresses.\n\nI'm incredibly frustrated with Palo Alto's firewalls. Cisco I could build NAT rules or IPSec tunnels using IP addresses that don't exist on the firewalls in preparation. With PAN, if the IP isn't configured on an interface, you can't use the config. Its the dumbest thing I've ever had to deal with. Let ME, the engineer, tell YOU what IPs are being peered with or used...I don't care if they don't exist on an interface...they will eventually. There is no reason these configurations shouldn't be valid. It seems in PAN's infinite attempt to dumb down firewalls and make them idiot proof, they've taken the ability for engineers to build things on the fly and in preparation. 
\n\nSo, orignal question...can I turn off configuration validation and FORCE values to be put on IPSec tunnels and NAT rules without them existing on interfaces?""}, {""user"": ""ao50hldk"", ""timestamp"": 1694202272.0, ""content"": ""no\n\nIt makes to me, but I guess I\u2019ve been using Palo for a while, and \u201csafety\u201d features like this makes sense. logically this configuration CANT work if it\u2019s referencing a non existent piece. The running config won\u2019t be able to perform its actions specific, \n\nThis is actually put in to make it idiot proof, to avoid people using config that doesn\u2019t exist, then complaining why it doesn\u2019t work if it\u2019s put in there (let\u2019s say NAT or IPSEC). \n\nWhy can\u2019t the config be reverted? or better yet, why not just make all of the template config local? It\u2019s a click of a button and no impact some to production as it\u2019s just pulling the config and making it local.""}]" +paloaltonetworks-71,"[{""user"": ""j8q7q81mp"", ""timestamp"": 1694121026.0, ""content"": ""Title: Authentication Failed\n Body: After going through the whole process of entering the portal, going through logging on and the authentication process, the screen pops up that says \"" When you see the dialog on the browser, click **Open GlobalProtect**. If the dialog does not appear, click here to launch GlobalProtect.\"" and GlobalProtect starts saying \""Connecting\"" and that goes on for a while (5-10 minutes maybe) until finally the browser opens back up and says \""Authentication Failed\""\n\nMy login for GlobalProtect works on other user profiles, and on my personal pc, but not my user profile on my work pc. I sat with our IT department for hours today troubleshooting and have come up with nothing other than it has to be something on my user profile's setting.\n\nWas hoping to get SOME direction here. Anything is helpful! Thank you in advance. 
""}, {""user"": ""shq4z6me"", ""timestamp"": 1694135934.0, ""content"": ""There a particular reason you have GP set to use \u201cdefault browser\u201d versus the native GP browser found on the agent?\n\nOtherwise this is a browser issue. I would clear/reset your default browser so you get the notification to open GP and also the little check box to always trust/open GP on following conditions. But I still recommend not using default browser and use native GP browser.""}, {""user"": ""91wqd"", ""timestamp"": 1694129678.0, ""content"": ""If you can post an error message from your PanGPS.log on your device, that might be helpful in understanding what is happening. \n\nHow is your authentication configured for the portal and gateway? What type of authentication profiles do you have set up? You can authenticate users multiple ways. For example you can use SAML, LDAP, Kerberos or certificate based authentication.""}, {""user"": ""ss7ye"", ""timestamp"": 1694199011.0, ""content"": ""When it gets stuck, have you clicked on the \""Click Here\"" link to manually send the SAML response back to the GP client? If you have and it's still not authenticating, then the GP logs are your friend. Or just get your IT folks to blow away your profile on that machine and start over. Might be a whole lot faster than spending hours tracking down an obscure issue.""}, {""user"": ""j8q7q81mp"", ""timestamp"": 1694174312.0, ""content"": ""It's how my company has it set up unfortunately so I'm not 100% sure what their reasoning is""}, {""user"": ""j8q7q81mp"", ""timestamp"": 1694175514.0, ""content"": ""I can't access the PanGPS.log file. It says \""Windows cannot find 'C:\\\\Program Files\\\\Palo Alto Networks\\\\GlobalProtect\\\\PanGPS.log'. 
Make sure you typed the name correctly, and then try again.\"" When I click on the file and when I right click and go through the open with option.""}, {""user"": ""shq4z6me"", ""timestamp"": 1694135658.0, ""content"": ""It\u2019s obvious he\u2019s using SAML and GP is set to use default browser since he\u2019s getting a browser prompt to launch GP.""}]" +paloaltonetworks-72,"[{""user"": ""eo1zs"", ""timestamp"": 1694103512.0, ""content"": ""Title: Deleting or cleaning up pending \""Push to Devices\""\n Body: I'm involved in a project that includes a handful of firewalls managed by Panorama. There are lingering changes made by other admins (no longer with the company) that seem to have already been committed to Panorama a while back.\n\n I don't know what those pending pushes include, there are changes to Device Groups and Template Stacks but not able to see the specifics. My thought process to clean up those pending pushes is to make the pushes and revert to a named snapshot of the current running config. Open to suggestions or other factors to consider.""}, {""user"": ""91wqd"", ""timestamp"": 1694130371.0, ""content"": ""I wouldn't perform the push to the devices if you're not sure what they will do or the settings that will change. If you know the settings you need to have, you can create new device templates and device groups and reassign the firewalls to the new templates/template stacks and device groups. Its basically rebuilding everything in Panorama from scratch but its the cleanest way to do it if you're not sure.\n\nYou could also look at the previous commits in Panorama and restore the running candidate configuration to back before each of the commits your not sure of took place and verify the settings in the template/device group. 
Then when you are sure that everything in the existing template/device group is set correctly, do a full push to the firewall and you'll be back in sync.""}, {""user"": ""nuvdltb"", ""timestamp"": 1694132218.0, ""content"": ""You can't see the changes by doing a diff in panorama of the pending configuration vs the existing deployed configuration?""}, {""user"": ""eo1zs"", ""timestamp"": 1694633205.0, ""content"": ""Update: I was able to view the changes in the GUI, found them to be harmless or not applicable (different lines in the XML file and such), and did a full push.\n\nThere were still some lingering changes in the push under the \""share-object\"" Push Scope which I found to be an existing cosmetic bug: [https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000kGhiCAE](https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000kGhiCAE)\n\nAlready got approval to do a quick OS update to 10.2.5""}, {""user"": ""80fgg321"", ""timestamp"": 1694132438.0, ""content"": ""You can preview what it wants to push down from panorama. Are the devices out of sync with panorama when you look at the firewalls under managed devices?""}, {""user"": ""eo1zs"", ""timestamp"": 1694136094.0, ""content"": ""Too much was done after his commit, unfortunately. His were just ignored as others made changes, committed and pushed without his changes selected. And rebuilding is going to be a hard sell for this client.\n\nIf I save the current running config that exists in Panorama which is apparently working for the client, I can't use that to commit and push after pushing this ex-employee's changes? The current state of what we see in Panorama (Templates, TStacks and Device Group settings) are fine atm.""}, {""user"": ""eo1zs"", ""timestamp"": 1694134972.0, ""content"": ""It's already been committed by the past employee but for some reason wasn't pushed. 
The most I can see is the push scope and object type that's ready to be pushed to the specific devices.""}, {""user"": ""eo1zs"", ""timestamp"": 1694135621.0, ""content"": ""Devices look to be in sync with Panorama atm. At best I can look at the Logs > Configuration with a filter for his specific username. I can view his history, full path of the config, and a simple before/after change in the logs but I can't tell which of these commits are part of the push in question.""}, {""user"": ""nuvdltb"", ""timestamp"": 1694136097.0, ""content"": ""You can try logging into panorama via the cli and doing:\n\n​\n\n~~show config push-scope device-group ~~\n\n~~and/or~~\n\n~~show config push-scope template-stack ~~\n\n​\n\n~~and then see what is pending on panorama to be deployed to the devices (I believe) It's been a minute since I've done this via CLI.~~\n\nThe above is not correct. I'll keep digging but it may be easier just to export the config of panorama and look at what is setup for that device and compare.""}, {""user"": ""80fgg321"", ""timestamp"": 1694194585.0, ""content"": ""So when you click push to devices, then select the devices under either device config or template, then click preview changes, or shows a blank screen with no proposed changes?""}, {""user"": ""eo1zs"", ""timestamp"": 1694192701.0, ""content"": ""Honestly, that helps quite a bit. I can instead use\n\nshow config push scope admin \n\nThis displays what I believe to be the lingering configs waiting to be pushed. It's not incredibly descriptive but gives me a clearer picture on what is being changed (log settings, objects, etc).""}, {""user"": ""eo1zs"", ""timestamp"": 1694207167.0, ""content"": ""And just like that, I learned something that seems simple...yes when looking at the individual device groups and templates, I see the icon to preview the changes. Now I can see the line diff related to Device Groups and Templates. 
There is a Template and Device Group Pair (same vsys in the firewall) that is out off sync.\n\nGoing to go through this and see what the client want to do with this pending push. Greatly appreciated!""}, {""user"": ""nuvdltb"", ""timestamp"": 1694603546.0, ""content"": ""I wonder if also these would help.\n\nshow config list changes partial device-group \\[device-group-for-that-fw\\]\n\nand\n\nshow config list changs partial template-stack \\[template-stack-for-that-fw\\]""}]" +paloaltonetworks-73,"[{""user"": ""vcyenh35"", ""timestamp"": 1694118825.0, ""content"": ""Title: Expedition tool export to Panorama\n Body: Hello,\n\nhave you ever succesfully exported config to Panorama from expedition tool? \n\n\nWe have 2 configs from Cisco in expedition tool and each config needs to be exported to a different template/device group in Panorama. \n\n\nI can succesfully connect expedition tool to Panorama (pan os 11.0.2), but I am not able to drag and drop vsys from expedition to Panorama. Only zones are shown as merged in Panorama.\n\nI did not try to connect expedition to FW, as FWs are already managed by panorama and I am afraid of current existing config on FWs. I am not sure, if I will be able to merge config on FW with panorama in case I will upload the xml file to FW directly. \n\n\nI would rather fix importing config to panorama from expedition tool.\n\nAnyone has any kind of experience?\n\n \nThank you!\n\n​""}]" +paloaltonetworks-74,"[{""user"": ""7m4fg2wbv"", ""timestamp"": 1694100359.0, ""content"": ""Title: Firewall not Forwarding Logs to Panorama\n Body: Dear all,\n\nI have configured log forwarding on the firewall and a log collector on the PN. 
The PA NGFW only sends traffic, threat, and system log to the PN.\n\nThe connection status between NGFW and PN is normal, and the ports are not restricted.\n\nFW&PN Version: 10.2.4-h4\n\nI refer to kb for equipment and still haven't solved the problem, If anyone has experienced any of the above symptoms or knows a solution, please share with me. Thanks!\n\n[https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClFCCA0](https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClFCCA0)\n\ntom@PA-3220-1> debug management-server log-collector-agent-status\n\n​\n\nLogcollector agent status\n\n\\-------------------------------------------------------------------------------\n\nSerial IP Address Connected Last Disconn Time Failed conns\n\n\\-------------------------------------------------------------------------------""}, {""user"": ""7m4fg2wbv"", ""timestamp"": 1694100839.0, ""content"": ""PN cannot obtain traffic and threat log, but system log can be obtained.""}, {""user"": ""7m4fg2wbv"", ""timestamp"": 1694102120.0, ""content"": ""I reconfigured the PN log collector group, the traffic log can be seen, but the threat log is still not visible""}, {""user"": ""6gexp"", ""timestamp"": 1694102309.0, ""content"": ""Fixed in 10.2.5\n\nPAN-221881\n\nFixed an issue where log ingestion to Panorama failed, which resulted in missing logs under the Monitor tab.\n\nCould be your issue.""}, {""user"": ""10ceo3"", ""timestamp"": 1694101382.0, ""content"": ""Are your rules configured to log, and using the right log forwarding profile?""}, {""user"": ""29l079c7"", ""timestamp"": 1694104098.0, ""content"": ""Do you have a threat policy on the rule(s)?""}, {""user"": ""7m4fg2wbv"", ""timestamp"": 1694102557.0, ""content"": "">PAN-221881\n\nHI friend, you can't make fun of me, I can't believe what you said, oh no...""}, {""user"": ""7m4fg2wbv"", ""timestamp"": 1694101553.0, ""content"": ""yes, The NGFW is connected to the PN through the mgt interface, 
and there is no policy control and the rule associates the log forwarding configuration to the PN.""}, {""user"": ""7m4fg2wbv"", ""timestamp"": 1694141398.0, ""content"": ""yes, I'm going to upgrade to the next version and see the effect.""}]" +paloaltonetworks-75,"[{""user"": ""c5mjna3"", ""timestamp"": 1694113000.0, ""content"": ""Title: Global Protect Gateway IP Question\n Body: I've got a question about the IP of the default gateway when connected to Global Protect. I am getting [0.0.0.0](https://0.0.0.0) as the default gateway and [255.255.255.255](https://255.255.255.255) as the subnet mask and wanted to see if that was normal?\n\nUnder Network -> GlobalProtect -> Gateways -> Gateway Name -> Agent -> Client Settings -> Configs -> IP Pools. I've got an IP Pool for VPN Users that pulls from Addresses under Objects and it is set as IP Netmask of [10.10.253.0/24](https://10.10.253.0/24)\n\nWe were troubleshooting a VPN issue and the user had [10.10.253.1](https://10.10.253.1) as an IP and .1 is usually the gateway for everything here but I can't find a gateway set anywhere for Global Protect users and when I connected I got the [0.0.0.0](https://0.0.0.0) and wanted to make sure that was all correct.\n\nThanks for any help.""}, {""user"": ""3uqxds9f"", ""timestamp"": 1694116241.0, ""content"": ""There\u2019s no default GW concept with GP. The IP you're getting is fine. \n\nUnder the Split Tunnel tab, have you included any prefixes that need to route across the tunnel? That is how you define what needs to come across it. If you want all traffic to come over the tunnel then add 0.0.0.0/0 in the Include section.\n\nMake sure you refresh client settings on the GP client after making any changes on the firewall""}, {""user"": ""czvic3dk"", ""timestamp"": 1694120515.0, ""content"": ""I put the .1 of the GP subnet on the tunnel interface. It is not required but it gives you a pingable IP within the same zone so you can at least tell if you are getting to the firewall. 
It also gives you a first hop in traceroutes which I find useful for troubleshooting.""}, {""user"": ""c5mjna3"", ""timestamp"": 1694116759.0, ""content"": ""No, we don't have anything listed in the include only the exclude, I've gathered all the Office 365 IPs and put them in a group, mainly because we don't want Teams going through the VPN and causing issues for meetings and calls.""}, {""user"": ""3uqxds9f"", ""timestamp"": 1694117030.0, ""content"": ""Why not try to just add prefixes in the include section rather than exclude. You also definitely need something in Include if you want traffic to come across the tunnel.\n\nIf you add your private ranges to Include, that should be enough. All internet traffic will break out locally on the client.""}, {""user"": ""czvic3dk"", ""timestamp"": 1694120567.0, ""content"": ""I am on Teams calls all day long with it all going through the tunnel out the firewall at our datacenter without issues.""}, {""user"": ""c5mjna3"", ""timestamp"": 1694117407.0, ""content"": ""I guess I am not sure what you mean by prefixes?\n\nEverything seems to be coming across just fine and this is the first time we have heard of this problem (mapped drive not connecting) in trying to figure out why the one user couldn't get to the file server we noticed the IP of the gateway. We do have all the IPs of the internal networks we can add to the include section though.""}, {""user"": ""3uqxds9f"", ""timestamp"": 1694117661.0, ""content"": ""Yeah a prefix is nothing but an IP subnet. Like 10.10.253.0/24 is a prefix. \n\nSo if all user and server IPs fall under 10.10.0.0/16, just add this prefix to the include section and it will all come through the tunnel. 
This will include all local Teams traffic too.""}, {""user"": ""c5mjna3"", ""timestamp"": 1694117889.0, ""content"": ""Ah, got it, thanks.\n\nBut with the exclude of the 365 IPs that traffic will still use the local/home internet connection and not go over the VPN correct?""}, {""user"": ""3uqxds9f"", ""timestamp"": 1694118096.0, ""content"": ""Yeah it will. It's just simpler to use positive enforcement by only including your private ranges to Include. \n\nEverything else will break out locally. You can test that with a traceroute. Or you can see the route table in the GP client under Troubleshooting""}, {""user"": ""c5mjna3"", ""timestamp"": 1694118176.0, ""content"": ""Sounds, good. Appreciate the help.""}, {""user"": ""shq4z6me"", ""timestamp"": 1694136183.0, ""content"": ""If you leave include BLANK it will include all traffic. Ignore the fool that is telling you to do so. Excluding the teams IPs only excludes those, everything else gets included automatically.""}]" +paloaltonetworks-76,"[{""user"": ""11o6u1"", ""timestamp"": 1694092130.0, ""content"": ""Title: What is best way separate HIP users/ profile on rule?\n Body: I have 5 different types of users, each of them is part of the Office 365 group, and each has a different subnet.\n\n​\n\n4 types of users use company computers and are members of the domain (with company antivirus, DLP, etc. installed).\n\nThe 5th type consists of consultants whose computers are not related to the company.\n\nI've created a HIP profile for company employees and assigned it to a WAN rule. Now, how should I handle consultants? I don't want to apply HIP to them, but how can I implement HIP based on groups? What is recommended in this regard?\n\nSecond a wan rule? Or second public and a new address? consultant.vpn....com? 
or a new GP GW?\n\nIf an employee's computer is not HIP-compliant and they want to connect to the VPN, I want to prevent them from doing so.""}, {""user"": ""briif"", ""timestamp"": 1694093197.0, ""content"": ""Separate gateway in different zone with it's own HIP profile for consultants is my vote.""}, {""user"": ""5gj3sjhny"", ""timestamp"": 1694135997.0, ""content"": ""The only time you have to separate gateways is if you want to provide different alert messages for passing or failing a HIP profile. Assuming that is not an issue here, \n\nIt's important to understand that a HIP profile is just another item being matched on a rule. So, if you have one rule allowing internet access with a source group containing employees and the HIP profile, and a rule below it contains a source user/group for consultants, but no HIP profile, it works fine.""}, {""user"": ""147byj"", ""timestamp"": 1694183341.0, ""content"": ""I'm going through something similar right now where I'm migrating a large AnyConnect deployment to GP. I was fortunate enough to have a large number of unused IPs in the BGP range so I strictly used loopbacks for portals and gateways. I ended up deploying an employee portal and gateway (actually on separate IPs due to a SAML caveat). This also requires a machine certificate, hence why vendors can't connect to it. The vendor portal/gateway lives on a different IP and requires just SAML authentication with 2FA. These are all in the same \""remote\\_vpn\"" zone but using different subnets and intra-zone traffic is blocked. Rather than reference HIP in firewall rules we went the quarantine route via log forwarding. We have a \""NONCOMPLIANT\\_VENDOR\"" HIP profile. If it gets triggered and the source IP is in the vendor VPN subnet, it quarantines the device, sends an email and alerts the SOC. 
We're using HIP profiles to ensure vendors are using either MacOS, Win10, Win11 and we're also checking that they have anti-malware installed with real-time protection enabled. If you didn't want to actually enforce HIP and instead just send an alert if a vendor fails HIP, you could setup log forwarding to do just that, just forego the actual quarantine part of that setup. I should note we only have a few dozen users using GP right now as we're still in the testing phase, so my dataset is rather small but this has been effective in my testing.""}, {""user"": ""bf73y"", ""timestamp"": 1694201653.0, ""content"": ""HIP is for devices, not for Users. You should be using a combination of User-ID and HIP/Device-ID in your rules. \n\nIf the devices aren't compliant then let them connect and block them from doing anything, have them hit a block rule. You can modify your URL Filtering response page to display a message to users who hit that rule so it says hey you're not compliant blah blah. Would you rather they don't connect at all and have 0 protections?""}]" +paloaltonetworks-77,"[{""user"": ""j5th8"", ""timestamp"": 1694105089.0, ""content"": ""Title: Testing bad sites\n Body: I am setting up polices to block \""bad sites\"". Are there any known URL's that simulate a site hosting malware, C&C etc. so I can show that the PAN is blocking the sites?""}, {""user"": ""qnvd8"", ""timestamp"": 1694106647.0, ""content"": ""Palo alto networks have a few setup for testing. https://docs.paloaltonetworks.com/dns-security/administration/configure-dns-security/dns-security-test-domains""}, {""user"": ""9udzipdy"", ""timestamp"": 1694110360.0, ""content"": ""I have two rules setup both for ingress and egress that drop connections to all of the built-in Palo \""bad sites\"" - Bulletproof IP Addresses, High Risk IP Addresses, Known Malicious IP Addresses and TOR Exit IP Addresses. 
If you create rules to drop traffic destined to/from there, give it a day or so and you'll probably have some traffic you can look at.""}, {""user"": ""ibia0"", ""timestamp"": 1694116560.0, ""content"": ""https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClaDCAS""}, {""user"": ""vrvsa7l"", ""timestamp"": 1694133054.0, ""content"": ""I use zscaler and checkpoints firewall test sites also, along with banging on gruyere from google with a vuln scanner""}, {""user"": ""oevnopy5"", ""timestamp"": 1694550378.0, ""content"": ""Eicar. \nAnd there is a kb from Paloalto for the same""}]" +paloaltonetworks-78,"[{""user"": ""h2vjrskd"", ""timestamp"": 1694082959.0, ""content"": ""Title: Question: How to automatically authenticate on a shared device that uses a random guest account\n Body: Hi everybody,\n\nI've been doubting if this is more a question for Intune or PaloAlto, but I'll take my chance here. \n\n\nWe have an Intune Autopilot Windows 11 notebook that's set up to be used as a shared device, and where Windows automatically creates a new passwordless local guest account, every time the notebook reboots.\n\nThe resource the notebooks needs to reach, can only be reached in our domain -and that's also the only thing the device should be able reach-, so we've installed and configured GlobalProtect.\n\nNow I'm kind of stuck on how to 'automate' the authentication part. \nBecause a new local user is created every time, SSO with that user's credentials isn't possible and there is no user certificate. \nI was thinking about creating a domain user and tought it would be possible to push the credentials via Intune, like how it can be done on Android and iOS devices, but I can't find any option to do this for Windows.\n\nIs there a way to do this? (did I miss something in Intune? A registry setting containing credentials that GP can read? Or something like a custom profile i can create that contains the credentials and put in a specific folder? 
A script that runs at Windows logon that somehow can fill in the credentials?)\n\nThanks!""}, {""user"": ""57bwa"", ""timestamp"": 1694085720.0, ""content"": ""Machine certificate?\n\nhttps://docs.paloaltonetworks.com/globalprotect/9-1/globalprotect-admin/authentication/set-up-client-certificate-authentication/deploy-machine-certificates-for-authentication""}, {""user"": ""h2vjrskd"", ""timestamp"": 1694096861.0, ""content"": ""Thanks for the suggestion. I've read the info from the link you've posted, but Step 5 \""Create a client certificate profile\"" poses a problem.\n\nWe've tried with only a Machine certificate, and that seems to work but we see all kinds of warning and the message that no user information was found -\n\nI'm surprised it works, but pretty sure it's not going to be a stable solution.""}, {""user"": ""57bwa"", ""timestamp"": 1694117845.0, ""content"": ""Where do you see that warning? The \""user\"" information comes from the CN of the certificate, which I usually make to be the machine name""}]"
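Review bot: every row this hunk adds carries pseudonymous user handles and epoch timestamps inside the JSON field (for example `""user"": ""1yymo6u8"", ""timestamp"": 1694168711.0` in the `paloaltonetworks-69` row, and `""user"": ""h2vjrskd"", ""timestamp"": 1694082959.0` in `paloaltonetworks-78`), so please confirm in the commit description that this identity and timing data is intended to be committed as part of the corpus; the `_copy` suffix on the new file name also reads like a stray duplicate of an existing CSV rather than a deliberate dataset artifact, so either rename it or state why a second copy is needed. A smaller point: several message bodies keep Reddit strikethrough markup and placeholder escapes verbatim (`~~show config push-scope device-group ~~` in `paloaltonetworks-72`, `\u2019` and `\\[device-group-for-that-fw\\]` elsewhere), which downstream consumers will need to strip or decode; a one-line note in the repo about the expected encoding of the JSON field would save the next reader from guessing.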