This Nominated Discussion Article is based on the post "Palo Alto Firewall Commit Error" by @Dhirajjagdale and answered by @BPry.   Hi,   I'm getting the below Validation error after committing the changes in firewall.   As I checked there is no user in the local user database. Please help to identify the issue.      Validation Error: mgt-config -> users -> operator is invalid. it is a system user name mgt config -> users is invalid Commit failed   Most systems usually have a list of reserved words that you can't use as they are used by the system internally.   In this case, the error isn't complaining about a local user, but rather about an administrator account that you created using  such a reserved word.   The name "operator" is not a feasible name to configure as a user, application, object, etc as it is used by the firewall internally. Deleting the user or renaming it will solv your problem.

This Nominated Discussion Article is based on the post "Security Profile Question". Read on to see the discussion and solution!

   

This article is based on a discussion, Best practice to allow Internet IPs, posted by @thanawat_l and answered by @PavelK . Read on to see the discussion and solution!    I want to optimize my security policy. I have many rules that allow any, but I want to change from any to internet IP. Does PaloAlto have an Internet IP object by default? or how can I define internet IP space in address?   Solution: You can do it reverse by using "negate" in policy to allow anything except reserved RFC1918 addresses that are not routable on the internet.    For these ranges there are Palo Alto built-in objects including class D IP ranges that you can exclude from policy and allow anything also on internet.