Destination NAT Mismatch error

Hi I'm configuring a new PA-500 and have it working for source NAT going from Tusted to Internet. Now I want to create a destination NAT rule to allow traffic in to a web server located on the trusted net. I have created a rule almost exactly as it s

Does anyone have any experiences or "gotchas" they'd like to share when they've implemented Riverbed Steelhead appliances behind PA firewalls?

I see that there's a 'riverbed-rios' app listed in Applipedia, which gives me some hope.

Specifically what I am concerned about is discussed here (with configuration examples for PIX/ASAs):

http://www.dslreports.com/faq/16494

The Riverbed appliances we

Defining patch management in HIP objects.

Hi All,

We are configuring global protect with HIP enabled.

Our requirement is, If the patch defined in the HIP object is missing in client machine then access should be denied. Below screen shows the patches (windows updates) for windows 7 machine.

Fro

Exclude www.google.* from decryption

Hello,

are you able to exculde https://www.google.com ; https://www.google.de and other domains from SSL decryption?

Or clients complain about the slow loading of the website when they open Google or try to search something.

Currently i add in a white c

SysLog setup not working

Hi,

I am using PA-2050, with PAN OS 4.1.3.

From few days I am trying to configure the syslog to be sent to a central logging system. I followed every possible documentation, but I am not getting any syslogs coming to the syslog server.  I tried on sys

Exporting URL Filter objects/groups

Is there a way (CLI or WebUI) to export the URL Filtering objects and their details?  We are looking to export the objects and their block/allow categories so we can put them in front of management.

allowing MS product activation and denying web access

I have a network that I want to allow MS product activation to work but web browsing and other internet activity to be denied.

I have two main security policies that apply just to this network although DNS and ntp is also allowed:

The first one is an a

Secondary IP and DHCP

Greetings,

Say we have an interface that is configred the following way:

e1/2.240

Tag: 240

IPv4 Address (two addresses on the interface):

-10.10.100.1/24

-192.168.100.1/24

Now, if that interface is configured as a DHCP relay, which network is it going to se

nslookup on the management port ?

I would like to check a few DNS issues I'm seeing on the management port.

I had hoped to find nslookup in the CLI, but it isn't there.

Is there something equivalent ?

Thanks.

Authentication Fallback

Hello,

So, we currently authenticate administrators to our PA's via Radius (TACACS).  Is there a way to configure the PA's that it will only use the local DB / Administrators if Radius isn't available? 

Thanks!