General Articles
LIVEcommunity's General Articles area is home to how-to resources, technical documentation, and discussions with Accepted Solutions that turn into articles related to all Palo Alto Networks products.
This article is based on a discussion, Security Profiles - URL Filtering - Update Multiple Categories within all Profiles. Read on to see how @PingMyServer was able to accomplish this from the CLI.

Hello all, I'm looking for some suggestions, or information on how I can quickly update all security profiles with 3 select objects at once. In total, our Panorama has 129 profiles, so I would need to log in to all 129 profiles and update 3 categories in them to block.

By way of the GUI, I think the only way would be to edit 1 profile at a time, search all 3 categories, and update them accordingly. Can anyone suggest any easier way to maybe resolve this?

Solution for Update Multiple Categories Within All Security Profiles With the CLI:

After doing further research, I found that through the CLI you can do this fairly easily, using the following commands. You can pull your profile names from the command "set device-group GROUP1 profiles" and pressing tab. It takes a little work, but with Excel you can get all the commands you need fairly quickly.

    set device-group GROUP1 profiles url-filtering PROFILE_NAME block ransomware
    set device-group GROUP1 profiles url-filtering PROFILE_NAME block encrypted-dns
    set device-group GROUP1 profiles url-filtering PROFILE_NAME block real-time-detection
This article is based on a discussion, Prioritizing a BGP route over other BGP routes for IPSec tunnel traffic redirection, posted by @tamilvanan. Read on to see the guidance from our Cyber Elite @aleksandar.astardzhiev!

Hi All,

We have a physical Firewall on-premise. We have three ISPs and a single virtual router with ECMP enabled (Balanced Round Robin) in it.

Recently, we had configured two pairs of IPsec tunnels (Pair 1 - Tunnel 1 and Tunnel 2 // Pair 2 - Tunnel 3 and Tunnel 4) to communicate to the AWS peer (only one subnet on AWS, 10.x.x.x/24) using the BGP method for successful failover.

ISP 1 --> Tunnel 1, Tunnel 2
ISP 2 --> Tunnel 3 and Tunnel 4

As we had already enabled the ECMP Balanced Round Robin method, the traffic is currently passing through Tunnel 2 and Tunnel 4.

Now, we need the traffic to pass through only Tunnel 1, and the traffic should pass through the other tunnels only if Tunnel 1 fails. All the tunnels are configured under BGP.

Thanks in advance!

My guess is: do we have some metrics mechanism which will influence the tunnel through which the traffic will be egressed?

BGP Routing Question / IPSec Tunnel Creation / BGP Peer Configuration

Solution:

I don't understand what ECMP has to do with this question... I understand you use ECMP for Internet access (your default route), but on top of that we are talking about IPsec tunnels, so the routing to the AWS private range has nothing to do with the ECMP (as long as you have any tunnel up 🙂 ). So I will abstract from this.

Now I understand that you are receiving the AWS prefix via BGP from all four tunnels. So all you have to do is create an import policy under the BGP.

As I said, with BGP you have lots of options to control what you receive, how you receive it and what you advertise. Probably the most straightforward would be:
- Create one import policy for the BGP peer over tunnel1
- Since you receive only one prefix, you can leave the "match" tab as it is (meaning match any route received from that peer)
- On the "action" tab put 100 as local preference (for example)

- Create one more import policy below the previous one for the BGP peers over tunnel2, 3 and 4
- Leave the match tab as it is
- On the "action" tab put 200 for local preference

This way your firewall will receive the same prefix over all four tunnels, but it will prefer the route over tunnel1. If this tunnel fails, the BGP peering will also fail and the fw will stop receiving the prefix from tunnel1, so it will switch to the other tunnels.

Now, depending on what you actually try to accomplish, you may want to split the second import policy and have four different policies, one for each BGP peer, with a different local pref for each.
This article is based on a discussion, How to Configure GRE over IPSEC?, posted by @ZhouYu. Read on to see the solution!

Hello

Some implementations require multicast traffic to be encapsulated before IPSec encrypts it. If this is a requirement for your environment and the GRE tunnel and IPSec tunnel share the same IP address, add GRE Encapsulation when you set up the IPSec tunnel.

PAN-OS TechDocs: https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/networking/gre-tunnels/gre-tunnel-overview.html

How do you configure GRE over IPSEC?

@v.vittih's Accepted Solution:

Hi all! There is a working version of this GRE over IPSec. According to the official manual from Palo Alto Networks, there are 2 options for creating this bundle: in the first case the source and destination addresses are the same (as in my case), and in the second the source and destination addresses are different. Let's start setting up:

Side A: PAN-OS 10.2
WAN: 10.10.2.50
LAN: 192.168.50.0/24
VTI IP: 10.200.200.1/30

Side B: Mikrotik RouterOS 7.6
WAN: 10.10.2.60
LAN: 192.168.10.0/24
GRE IP: 10.200.200.2/30

--------------------------------
Let's start with PaloAlto:
- Create a tunnel (for example tunnel 1), add it to the default router and register the IP address 10.200.200.1/30 on it.
- Next, create the IKE Crypto and IPsec Crypto profiles with the settings that you need.
- Create the IKE Gateway (I use IKEv2-only mode), then specify Local IP Address 10.10.2.50/24 and Peer Address 10.10.2.60, specify the PSK, and specify Local Identification 10.10.2.50 and Peer Identification 10.10.2.60. Also do not forget to specify the IKE Crypto Profile on the Advanced Options tab.
- Next, proceed to configuring IPsec Tunnels: select the previously created tunnel 1, select the previously created IKE Gateway, select Show Advanced Options and select Add GRE Encapsulation.
- Go to the Proxy IDs tab and add the IP addresses of our external interfaces: Local 10.10.2.50, Remote 10.10.2.60.
- Don't forget to specify routes: Virtual Router -> Static Routes -> Add: Destination 192.168.10.0/24, Interface tunnel 1, Next Hop IP Address 10.200.200.2.
- Commit.

----------------------------
Moving on to Mikrotik:
- Interfaces -> GRE Tunnel: create a GRE tunnel, specify Local Address 10.10.2.60 and Remote Address 10.10.2.50, OK.
- Next, add the IP address to the interface: IP -> Addresses, add 10.200.200.2/30, OK.
- Moving on to creating IPsec: IP -> IPsec.
- Create a Profile: specify the data we need.
- Create Identities: specify the PSK, My ID Type Auto, Remote ID Type Auto.
- Create Peers: specify Address 10.10.2.50 (IP address of party A), Local Address 10.10.2.60, specify the IKE profile, Exchange Mode IKE2.
- Create a Proposal: specify the data we need.
- Create Policies: specify the Peer, select Tunnel, Src. Address 10.10.2.60, Dst. Address 10.10.2.50, Protocol 255 (all). On the Action tab, do not forget to specify the Proposal.
- Specify the routes to the network we need (in my case it is 0.0.0.0/0 via 10.200.200.1 so that there is Internet access in the office via PaloAlto). Within the current example: 192.168.50.0/24 via 10.200.200.1.

Profit.
This article is based on a discussion, Dual ISP Global Protect Redundancy, posted by @DonohoeRobert. Thank you for the insight!

Hi Team,

I hope ye all are well. We recently worked a case for a customer that had a dual ISP configuration and wanted the Palo Alto Networks device to provide redundancy for the Global Protect Portal and Gateways in the event one ISP went down. We came up with a handy way of providing this using NAT rules and a loopback, and I am posting this to share with the community.

There are some screenshots from the lab below. Eth1/1 & Eth1/2 represent ISP-A and ISP-B.

We popped the Global Protect Portal and Gateway on a loopback interface.

We created two NAT rules to bounce the incoming traffic, whether it's from ISP-A or ISP-B, to the loopback address.

The system has two Virtual Routers for both ISPs, VR-A and VR-B. VR-A has the loopback interface added.

Virtual Router B has a static route to VR-A, which has a route to the loopback interface with the Portal and Gateway.

This simple setup allows access to the portal and gateway from either ISP interface. We simulated one ISP failing and changed the A record of the portal FQDN to resolve to the other interface, and the users could connect without any input or changes from the end user. There are a number of ways to automate DNS integrity and failover to resolve to a different IP address if it can't resolve to another; that is beyond the scope of Palo Alto. Infoblox and Route 53 can provide these features. If you just have an MS server, changing the A record from one IP to another isn't a massive task.

Hope this helps a few others and is a nice way to provide an extra layer of redundancy for networks too big to fail.

Best regards,

Robert D
This article is based on a discussion, Multiple ISPs with Path Monitoring, posted by @securehops. Read on to see the solution and guidance from Cyber Elite @aleksandar.astardzhiev!

Hi All,

Need a sanity check. When deploying multiple ISPs using path monitoring, instead of policy-based forwarding, should the second ISP become unreachable? It makes sense that it does, but it wasn't mentioned in a Palo Alto Networks article.

Setup would be:
ISP1 (e1/1) 0.0.0.0/0 1.1.1.254 priority 10 (with path monitoring)
ISP2 (e1/4) 0.0.0.0/0 2.2.2.254 priority 200

VPN tunnels for both ISP1 and ISP2 using tunnel monitor

With this config:
ISP1 tunnel is up, e1/1 is pingable from outside
ISP2 tunnel is down, e1/4 is NOT pingable from outside

Solution:

Hi @securehops, if you don't use PBF, this behaviour is expected.

Without PBF, the firewall will try to establish the VPN with the source IP assigned on eth1/4, but it will forward the traffic over eth1/1 and ISP1, where most probably the traffic will be dropped, since it is sourced from an IP that doesn't belong to this ISP.

In this case, the ISP2 tunnel should come up in case of failover: when the path monitor fails and removes the default over ISP1, the ISP1 tunnel will go down, respectively.

If you prefer to have both tunnels up and ready, you could create a PBF so that traffic sourced from eth1/4 always goes over ISP2.

Recommendation:

Hey @securehops, I personally always try to avoid PBF, primarily because engineers often forget to check it during pacy troubleshooting. However, the truth is PBF could be very helpful in some situations.

I would say:
- If you need simple failover between two ISPs, absolutely go for path monitor on the static route
- But if in addition to the failover you need faster recovery for the IPsec tunnel, you will need PBF to keep the second tunnel ready to take over

Don't forget that in either case you will need tunnel-monitor, or PBF with path-monitor, for the routing over the tunnel. Once the primary tunnel goes down, you need to switch the route to the second tunnel. You could again create a PBF that will monitor the path over the tunnel and, when down, switch to the second. This was the preferred way for IPsec failover way-way back. My preferable way is to use tunnel-monitor, so the firewall will "disable" the static route pointing to tunnel1 and fall back to the route pointing to the second tunnel.

Regarding the monitored host... I am not the best person to define best practices. I have had a few cases where path-monitor was required, and in all cases we used 8.8.8.8 and it was fine.
This article is based on a discussion, Best guides for new Firewall Deployment, posted by @Nhussain. Read on to see the discussion and guidance from @OtakarKlier.

I am deploying a new firewall for a PoC; however, I am having some issues. I have deployed and activated the server on Azure; I am using VM-Series. On the Azure side, there being no restrictions, the server is not able to connect to the internet for updates. I must be missing something basic in understanding/setup, so any pointers would be great.

If you are looking for a place to start when configuring your new firewall, check out this post to get started: Secure Day-One Configuration Not for the Faint of Heart.

Solution:

Hello, sounds like a routing/policy issue with the original PAN you deployed. I wouldn't recommend having the management interface internet facing unless you lock it down to source IPs. However, you can change the services so they use a different interface to reach out and grab updates, etc. If you're adventurous — https://live.paloaltonetworks.com/t5/general-articles/secure-day-one-configuration-not-for-the-faint-of-heart/ta-p/435501 — it blocks almost everything, so be careful.
This article is based on a discussion, Warning certificate chain not correctly formed in certificate, posted by @Nick.Spender. Read on to see the discussion and solution!

Hello All

I have imported a certificate into the PA as a PFX. I have also imported the intermediate certs and root CA. The cert is signed by Go Daddy with 2 intermediate certs and a Root CA.

All imports fine, but when I get up the global protect portal and use the imported cert (from the pfx) I get an error which says "Warning certificate chain not correctly formed in certificate".

Thanks everyone 🙂

Solution:

@gwesson

Hello, I seem to have fixed it using a different method. So I have the cert imported into my Windows machine with the private keys. I then exported the certs as a *.p7b and selected "include all certs in the chain". Sure enough, in Windows the order is wrong. Whether I'm reading into that or not is a different question.

I then imported my pfx cert back into the PA. Then exported it as a PEM with the private keys. I copied the private keys into a text file and saved it. I then removed all certs apart from my domain cert.

I then removed all certs from the PA, then imported the cert back into the PA as a PEM and selected the "Key File".

Then imported each of the Intermediate CAs (2) as .cer.

No errors when committing; the GlobalProtect portal webpage shows secure and green in the URL bar. Global Protect connects fine with no errors.

Does the above sound OK to you?
This article is based on a discussion, App-ID Windows Remote Management Showing Up As Web-Browsing, posted by @Gun-Slinger and answered by the Support Team. Read on to see the discussion and solution!

We recently upgraded to 10.1.5-h1, and it appears after the upgrade the Windows-Remote-Management traffic over TCP 5985 is now being identified as web-browsing. This is causing that traffic to drop. We checked dynamic updates and are presently leveraging the latest update released on 5/16. Seeing if this is a growing issue?

Solution:

Closing the loop on this issue. After working with TAC, there is a known issue that is resolved in the 10.1.6 code released yesterday. The issue is when a policy uses L7 App-ID with specific ports configured in the service port field as opposed to using "application-default". I took the workaround I used and changed it to application-default, removed the specific tcp ports listed, and removed web-browsing, leaving just windows-remote-management. This resolved the issue, and we will plan on an upgrade in the near future to 10.1.6.
This article is based on a discussion, DUAL ISP configurations, posted by @mohamed.nabeel and answered by @SutareMayur. Read on to see the discussion and solution!

Hello Dear,

Kindly I need your kind support to figure out the best way to configure dual ISP in a Palo Alto firewall.

Accepted Solution

Hi @mohamed.nabeel,

I would say there are various options available, so it actually depends on how you want to have it. Let's say you want to configure it as Active/Standby, or Active/Active with ECMP enabled and both links acting as a failover to each other, etc. For failover, you have options like static route path monitoring. If you have IPSEC VPN on these lines, then again the scenario changes. So first, you would need to plan how you want to have it, and then you can look at which option is suitable for you. Once you have an understanding of these available options and how they work, then, on your own, you can decide the best suitable option for yourself.

There are a few Knowledge Base articles available with different scenarios, given below. Please review same. It will definitely give you some idea of what those options are and how they work!

- How to Implement ECMP (Load Balancing) on the Firewall
- Dual ISP redundancy using Static Routes Path Monitoring Feature, for Traffic Failover
- How to Configure a Palo Alto Networks Firewall with Dual ISPs and Automatic VPN Failover
- How to Configure ISP Redundancy and Load Balancing
- Dual ISP VPN site to site Tunnel Failover with Static Route Path-Monitoring

Hope it helps!
This article is based on a discussion, Best practice to allow Internet IPs, posted by @Metgatz and answered by @OtakarKlier. Read on to see the discussion and solution!

Best practices - Multi large upgrades pan-os Firewall HA

Good afternoon, as usual, thank you very much for your support and collaboration. We have the possibility with a customer to perform multiple upgrades in one day, in a maintenance window. We need to move from 8.1 to 9.1, i.e. 8.1.x to 9.0.x and from 9.0.x to 9.1.x.

So the question is the following:

1.- What is the best practice when it comes to making that jump, that intermediate upgrade from 9.0, for example when going from 8.1.x to "9.0.x" (PAN-OS intermediate, transitive) and then to the final 9.1.x? For that intermediate jump, what is the best practice? I mean, for example, from the current version 8.1.5, download and install the base 9.0.0? Or is it recommended to download the base (9.0.0) and download and install the recommended version of 9.0.x (9.0.16-h2), although it is, say, the intermediate transition version, to reach the recommended version 9.1?

2.- Also in relation to the same, is the recommendation still, in each jump, for example when moving to the same intermediate version 9.0, to love or reassemble the HA and then continue with the upgrade? Or is it possible to apply both upgrades to a node and then on the other node? I would understand that the best practice is to re-amplify the HA at each stage of the upgrade.

Please give me your comments, advice, recommendations and suggestions.

Thank you very much

Best regards

Solution:

Hello, first backup the config. This doc should step you through the process. I forget when they allowed the base release download only and installing the preferred release, i.e. just download 9.0 and download and install the latest version of the 9.0.x release. But you can do it with 9.1, e.g. download the 9.1.0 code but download and install the preferred release 9.1.x.

https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-upgrade/upgrade-pan-os/upgrade-the-firewall-pan-os/upgrade-an-ha-firewall-pair#id062f1ad5-adb3-4d25-b4a4-529bde5dc96a
https://live.paloaltonetworks.com/t5/customer-resources/support-pan-os-software-release-guidance/ta-p/258304

With an HA pair, do it all on the standby unit first. When doing large jumps like these, it might be wise to go slow. What I mean is: do the first jump on the standby, fail over, then upgrade the other one to the same version. Then keep going until you are up to the version you want to be at. Also make sure your dynamic updates are up to date as well, otherwise the PAN won't let you upgrade the OS.

Cheers!
This article is based on a discussion, Web-gui access with no secure certificate., posted by @SaulGlz and answered by the Support Team. Read on to see the discussion and solution!
This article is based on a discussion, Best practice to allow Internet IPs, posted by @thanawat_l and answered by @PavelK. Read on to see the discussion and solution!

I want to optimize my security policy. I have many rules that allow any, but I want to change from any to internet IPs. Does PaloAlto have an Internet IP object by default? Or how can I define the internet IP space in an address object?

Solution: You can do it in reverse by using "negate" in the policy to allow anything except the reserved RFC1918 addresses that are not routable on the internet.

For these ranges there are Palo Alto built-in objects, including class D IP ranges, that you can exclude from the policy and allow anything else on the internet.