This article was created by @aalex Enabling symmetric return ensures that return traffic is forwarded out through the same interface through which traffic ingresses. This feature is useful when the requirement is to access servers through two ISP connections (on different ingress interfaces) and the return traffic must be routed through the I...
Hello everyone, I wanted to share some knowledge I've gained about investigating common Layer 1 to Layer 4 issues, such as MTU mismatches and DoS attacks, using key Palo Alto Networks firewall features like Global Counters, Flow Debug, and packet captures. The first steps in troubleshooting these issues are always to check your routing, run ...
Written by Alex Laulhe. With special thanks to Anupam S. & Amogh G. for their contributions. This guide is designed to help firewall admins effectively understand flood attack prevention and troubleshoot flooding incidents detected by Palo Alto Networks firewalls. Whether the event is triggered by packet buffer protection (PBP), Zone Pro...
This article is inspired from Tips & Tricks: Flow Basic Debugging written by @kiwi and I recommend reading that article first before reading this one. Palo Alto Networks NGFWs use App-ID to detect the exact application inside a traffic stream but sometimes traffic will be first classified for example as App-ID "SSL" and after the decrypti...
Let’s discuss upgrading your PAN-OS. It might sound routine, but without proper planning, it can turn into a real nightmare. Consider this: Do you actually need to upgrade? On many occasions, I talked with customers that were upgrading just for the sake of upgrading. Think about these first: Do you absolutely need the new features from the l...
New Generation Firewalls are equipped with TPM chips to help secure the devices These systems are designed to "Lockout" after 32 abrupt power down events(Power Failure, Pulling power cord to turn the device down).For every ungraceful shutdown(Power Failure, Pulling power cord to turn the device down).the TPM counter is incremented by 1 , after 3...
1. Allowing only on-prem outbound connections to the Prisma Access SASE cloud (VPN responder/passive mode) 2. Why there is no need for XFF(X-Forwarded-For HTTP) headers to be inserted 3. Prisma Access SASE DNS proxy and resolution 4. GlobalProtect Agent Explicit Proxy support 5. Prisma Access ADEM (Access Autonomous Digital Experience Managemen...
This Nominated Discussion Article is based on the post "Configure Split tunneling by domain" by @BigPalo and responded to by @Raido_Rattameister and @BPry Read on to see the discussion and solution! Hi, I just configured split tunneling by domain using this domain test: *.portal.microsoft.com (port 443) But i can not see this traffic going ...
How to Write Palo Alto Networks Custom Vulnerability and Application Signatures with Examples Palo Alto Networks NGFW and Prima Access have many predefined IPS vulnerability signatures but sometimes extra custom signatures are needed that are specific to the application being protected as this need internal domain knowledge. I'll provide e...
What is Selective Push? Selective Push on Panorama lets you deploy specific configuration to your firewalls instead of pushing everything all at once. Terminology Push Scope: The final admin view of committed changes with an option to select the changes that will be pushed to the selected target firewalls. Config Audit Window: This window is ...
You can use debug filters to enable the Palo Alto Networks firewall to collect packet captures for troubleshooting purposes. However, there are situations where you may require a more in-depth understanding of the firewall's internal operations. Flow basic provides an extensive view into every stage of the firewall process, including packet ...
This article is based on a discussion, Dual ISP Global Protect Redundancy, posted by @DonohoeRobert. Thank you for the insight! Hi Team, I hope ye all are well. We recently worked a case for a customer that had dual ISP configuration and wanted the Palo Alto Networks device to provide redundancy for the Global Protect Portal and Gateways i...
Palo Alto Networks 7-byte Custom Signature Minimum Removed in Newer Versions and Why it Matters! In the newer versions after 9.1, Palo Alto Networks now does not have 7-byte minimum length limit and is really useful, as an example, to make a signature that will block traffic to a web page if too many times the login parameter "user" is seen in...
Palo Alto Networks NAT Session Distribution as a Way to Implement Server Load Balancing The Palo Alto Network Destination NAT Session Distribution can be used to implement similar to Load Balancer functionality by using one of the "distribution" methods. You need to allow the traffic with a with a security policy rule from the correct sour...
Most days, BGP runs quietly in the background. BGP advertises routes that keep your WAN, VPN, cloud environments, and public services connected and reachable. Until it doesn’t. And when BGP breaks, it’s not just a routing issue, it’s unreachable services and frustrated users. This guide will help you troubleshoot BGP on Palo Alto Networks fire...
