General Articles
LIVEcommunity's General Articles area is home to how-to resources, technical documentation, and discussions with Accepted Solutions that turn into articles related to all Palo Alto Networks products.
This article is based on a discussion, Issue that specific policy traffic logs fail to forward to syslog server and drop from firewall, posted by @JoHyeonJae. Read on to see the discussion and guidance from @PavelK!

Hello,

PAN-OS: 9.1.6

Currently, my customer is facing an issue where logs generated from a specific policy (TO_DNS policy) at more than 10,000 LPS are dropped without being forwarded to the syslog server.

The traffic log on the firewall is verifiable, but the Forwarding Stats Syslog Drop Count is constantly increasing. The debug log-receiver statistics have been confirmed, and less than 1,000 total LPS appear in addition to this policy. There are no logs for that policy on the syslog server because they are dropped by the firewall without being forwarded. The Log Setting/Log Forwarding Profile in the policy settings is set normally, so there seems to be no problem with the settings. I will let you know if you need additional info. The Device Log Forwarding Limit of the PA-3260 is listed as 24,000 LPS in the document below, so I wonder why it is dropped.

Thanks,

Solution:

Hello @JoHyeonJae,

Your customer might be hitting an issue, PAN-185616, addressed in 9.1.14.

Kind Regards,
Pavel
This article is based on a discussion, Best guides for new Firewall Deployment, posted by @Nhussain. Read on to see the discussion and guidance from @OtakarKlier.

I am deploying a new firewall for a PoC; however, I am having some issues. I have deployed and activated the server on Azure; I am using VM-Series. On the Azure side there are no restrictions, but the server is not able to connect to the internet for updates. I must be missing something basic in understanding/setup, so any pointers would be great.

If you are looking for a place to start when configuring your new firewall, check out this post to get started: Secure Day-One Configuration Not for the Faint of Heart.

Solution:

Hello,

Sounds like a routing/policy issue with the original PAN you deployed. I wouldn't recommend having the management interface internet facing unless you lock it down to source IPs. However, you can change the services so they use a different interface for reaching out and grabbing updates, etc. If you're adventurous, https://live.paloaltonetworks.com/t5/general-articles/secure-day-one-configuration-not-for-the-faint-of-heart/ta-p/435501 blocks almost everything, so be careful.
This article is based on a discussion, Warning certificate chain not correctly formed in certificate, posted by @Nick.Spender. Read on to see the discussion and solution!

Hello All,

I have imported a certificate into the PA as a PFX. I have also imported the intermediate certs and root CA. The cert is signed by Go Daddy with 2 intermediate certs and a Root CA.

All imports fine, but when I set up the GlobalProtect portal and use the imported cert (from the PFX), I get an error which says "Warning certificate chain not correctly formed in certificate".

Thanks everyone 🙂

Solution:

@gwesson

Hello, I seem to have fixed it using a different method. I imported the cert into my Windows machine with the private keys. I then exported the certs as a *.p7b and selected "include all certs in the chain". Sure enough, in Windows the order is wrong. Whether I'm reading too much into that or not is a different question.

I then imported my PFX cert back into the PA. Then I exported it as a PEM with the private keys. I copied the private keys into a text file and saved it. I then removed all certs apart from my domain cert.

I then removed all certs from the PA, imported the cert back into the PA as a PEM and selected the "Key File".

Then I imported each of the intermediate CAs (2) as .cer.

No errors when committing; the GlobalProtect portal webpage shows secure and green in the URL bar. GlobalProtect connects fine with no errors.

Does the above sound OK to you?
This article is based on a discussion, Best practice to allow Internet IPs, posted by @Metgatz and answered by @OtakarKlier. Read on to see the discussion and solution!

Best practices - Multi large upgrades pan-os Firewall HA

Good afternoon, as usual, thank you very much for your support and collaboration. We have the possibility with a customer to perform multiple upgrades in one day, in one maintenance window. We need to move from 8.1 to 9.1, i.e. 8.1.x to 9.0.x and from 9.0.x to 9.1.x.

So the questions are the following:

1. What is the best practice when it comes to making that jump, that intermediate upgrade to 9.0, for example when going from 8.1.x to "9.0.x" (PAN-OS intermediate, transitive) and finally 9.1.x? For that intermediate jump, what is the best practice? I mean, for example, from the current version 8.1.5, download and install the base 9.0.0? Or is it recommended to download the base (9.0.0) and then download and install the recommended version of 9.0.x (9.0.16-h2), although it is said to be the intermediate transition version, to reach the recommended version 9.1?

2. Also in relation to the same, is the recommendation still, at each jump, for example when moving to the same intermediate version 9.0, to love or reassemble the HA and then continue with the upgrade? Or is it possible to apply both upgrades to a node and then on the other node? I would understand that the best practice is to re-amplify the HA at each stage of the upgrade.

Please give me your comments, advice, recommendations and suggestions.

Thank you very much

Best regards

Solution:

Hello,

First back up the config. This doc should step you through the process. I forget when they allowed downloading only the base release and installing the preferred release, i.e. just download 9.0 and then download and install the latest version of the 9.0.x release. But you can do it with 9.1, e.g. download the 9.1.0 code but download and install the preferred release 9.1.x.

https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-upgrade/upgrade-pan-os/upgrade-the-firewall-pan-os/upgrade-an-ha-firewall-pair#id062f1ad5-adb3-4d25-b4a4-529bde5dc96a
https://live.paloaltonetworks.com/t5/customer-resources/support-pan-os-software-release-guidance/ta-p/258304

With an HA pair, do it all on the standby unit first. When doing large jumps like these, it might be wise to go slow. What I mean is: do the first jump on the standby, fail over, then upgrade the other one to the same version. Then keep going until you are up to the version you want to be at. Also make sure your dynamic updates are up to date as well, otherwise the PAN won't let you upgrade the OS.

Cheers!
This article is based on a discussion, Panorama Issue - cannot edit an interface on a template stack, posted by @Kai_Ulrich and answered by the Support Team. Read on to see the discussion and solution!

I cannot open/edit anything in a template stack under Template -> Network -> Interface. Zones and other things in the stack are working fine, but if I click on an interface, e.g. ethernet1/1, the window for the interface pops up for some milliseconds and then closes directly.

I've tested several browsers on several computers and restarted and updated Panorama. Editing on a template works well, but not on a template stack (all stacks).

As Panorama admin everything is working. The problem only happens when I use a user with the type "Device Group and Template Admin".

I've created a user with the type "Device Group and Template Admin" with one access domain and one admin role. In the admin role I've enabled everything for the Web UI excluding Panorama, "save for other admins" and "commit for other admins", but the network part is completely allowed. The template and the stack are also included.

I'm using Panorama 10.0.7 (the same problem was also present with 10.0.6 and 10.0.5).

I couldn't find anything on the internet and just don't know what to do. I've been despairing about this problem for a very, very long time. Maybe someone can help me; maybe it is a really stupid configuration issue, but I cannot find it. I played a lot with the rights, but only as Panorama admin does it work in the stack.

Thanks a lot!

Solution:

Hello @PavelK,

here is the answer from Palo Alto:

I would like to update that we have been able to replicate this issue in our lab. It seems as if the concerned issue is only observed for the DG&T admin when the SD-WAN plugin is installed but not configured on Panorama. We are discussing internally whether it requires another code change or whether the aforementioned change in 10.1.3 should be sufficient.

Meanwhile, since I see that SD-WAN is not configured on this Panorama, as a workaround we can remove the SD-WAN plugin from this Panorama if acceptable.

I've uninstalled the plugin and it works.
This article is based on a discussion, Web-gui access with no secure certificate., posted by @SaulGlz  and answered by the Support Team. Read on to see the discussion and solution!
This article is based on a discussion, Best practice to allow Internet IPs, posted by @thanawat_l and answered by @PavelK. Read on to see the discussion and solution!

I want to optimize my security policy. I have many rules that allow any, but I want to change from any to internet IPs. Does Palo Alto have an Internet IP object by default? Or how can I define the internet IP space as an address object?

Solution:

You can do it in reverse by using "negate" in the policy to allow anything except the reserved RFC 1918 addresses that are not routable on the internet.

For these ranges there are Palo Alto built-in objects, including the class D IP ranges, that you can exclude from the policy while still allowing anything on the internet.