Palo Alto starter questions


L2 Linker

Hi,


I am a starter with Palo Alto. I have a few questions, so any answers on these will be helpful.


  1. What are dynamic block lists and how can we use them?
  2. What is "disable server response inspection" in a security policy?
  3. How to add virus exceptions based on threat ID, because we don't see any database unless we specify the threat ID
  4. What is "Log container page only" in URL filtering?
  5. How to change the web timeout for the Palo Alto firewall
  6. Difference between config and commit locks


Regards

Raju Reddy

5 REPLIES 5

L5 Sessionator

Hello Raju,

Please find the answers inline.

1. What are dynamic block lists and how can we use them?

Use the Dynamic Block Lists page to create an address object based on an imported list of IP addresses.

The source of the list must be a text file and must be located on a web server.

You can set the Repeat option to automatically update the list on the device hourly, daily, weekly, or monthly.

After creating a dynamic block list object, you can then use the address object in the source and destination fields for security policies.

2. What is "disable server response inspection" in a security policy?

This option enforces unidirectional inspection (client to server), bypassing inspection in the reverse direction, which optimizes dataplane CPU usage.

3. How to add virus exceptions based on threat ID, because we don't see any database unless we specify the threat ID

4. What is "Log container page only" in URL filtering?

With this box checked, only the URLs that match the specified content type are logged. This feature is meant to reduce the number of logs that are generated (mostly images and other code that you may not find useful). If, however, you do want everything logged, simply disable container page logging.

5. How to change the web timeout for the Palo Alto firewall

Device > Setup > Management > Authentication Settings > Idle Timeout

6. Difference between config and commit locks

Config lock—Blocks other administrators from making changes to the configuration. This type of lock can be set globally or for a virtual system. It can be removed only by the administrator who set it or by a superuser on the system.

Commit Lock—Blocks other administrators from committing changes until all of the locks have been released. This type of lock prevents collisions that can occur when two administrators are making changes at the same time and the first administrator finishes and commits changes before the second administrator has finished. The lock is released when the current changes are committed by the administrator who applied the lock, or it can be released manually.

P.S.: Most of these answers are excerpts from the Admin Guide or the Help (?) menu in the WebUI.

Regards,

Ameya

Ameya
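An added example, not part of the reply above or of Palo Alto's documentation: since the dynamic block list is a text file pulled from a web server on a schedule, it is worth validating the feed before publishing it, so that a malformed line or an internal address does not end up in a security policy. The one-entry-per-line format, the `PROTECTED` networks, and the sample feed are assumptions constructed for illustration.

```python
import ipaddress

# Constructed sample feed: a duplicate, a comment, malformed entries, and an
# internal address that should never be published in a block list.
SAMPLE_FEED = """\
# constructed sample feed
203.0.113.7
203.0.113.7
198.51.100.0/24
10.1.2.3
not-an-ip
192.0.2.300
"""

# Hypothetical networks that must never be blocked (assumption, adjust locally).
PROTECTED = [ipaddress.ip_network("10.0.0.0/8")]


def build_block_list(feed_text, protected=PROTECTED):
    """Return (entries, rejected): clean lines to publish, plus each dropped
    line paired with the reason it was dropped."""
    entries, rejected, seen = [], [], set()
    for raw in feed_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        try:
            net = ipaddress.ip_network(line, strict=False)
        except ValueError:
            rejected.append((line, "not an IP address or subnet"))
            continue
        if any(net.version == p.version and net.overlaps(p) for p in protected):
            rejected.append((line, "overlaps a protected network"))
            continue
        if net in seen:  # silently collapse duplicates
            continue
        seen.add(net)
        # Single hosts are written without a prefix length.
        entries.append(str(net.network_address) if net.num_addresses == 1 else str(net))
    return entries, rejected


if __name__ == "__main__":
    good, bad = build_block_list(SAMPLE_FEED)
    print("\n".join(good))  # this output is what the web server would host
    for line, reason in bad:
        print(f"rejected {line!r}: {reason}")
```
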

Hi,

Thanks for the answer.

What is the default limit of rollbacks?

Please let me know if we can change the number of rollbacks limit.

Thanks, Raju Reddy

You can roll back to around the 99th config version from the running config version. This limit cannot be changed.

Regards,

Ameya

-Ameya

But we are able to load the configuration versions for more than 1000?

I suppose PAN has something called config versions instead of rollbacks, and this can be close to 65000.

Thanks,

Srikanth

Hello Srikanth, Raju,

I stand corrected.

The maximum number of saved config versions is 1048576, the default being 100.

This setting can be changed from the following section:

Device > Setup > Management > Logging and Reporting Settings > Number of Versions for Config Audit

Enter the number of configuration audit versions to save before discarding the oldest ones (default 100).
