General Articles
LIVEcommunity's General Articles area is home to how-to resources, technical documentation, and discussions with Accepted Solutions that turn into articles related to all Palo Alto Networks products.
This Nominated Discussion Article is based on the post "External DHCP Configuration".
View full article
Digitization has revolutionized banking, empowering fintech firms to offer innovative services. Banks collaborate with fintech companies to enhance offerings and reach more customers. This shift is driven by the need to adapt to scalability and resiliency requirements.  
View full article
This Nominated Discussion Article is based on the post "Palo Alto Cluster Questions".
View full article
This Nominated Discussion Article is based on the post "Cant Download Panorama for esx ova".
View full article
This Nominated Discussion Article is based on the post "Test command does not work".
View full article
This Nominated Discussion Article is based on the post "SSL forward proxy with real certificate".
View full article
This Nominated Discussion Article is based on the post "Allow a single user logon for each session via GUI/SSH".
View full article
This document describes the use-cases, architecture design and traffic flows for Palo Alto Networks VM-Series deployed in Active-Passive mode in Google Cloud.  
View full article
This Nominated Discussion Article is based on the post "Cortex XDR Firewall configuration query.".
View full article
This Nominated Discussion Article is based on the post "Unable to change hardware udp session offloading setting as false".
View full article
You can use debug filters to enable the Palo Alto Networks firewall to collect packet captures for troubleshooting purposes.  
View full article
This Nominated Discussion Article is based on the post "Query For Routing Table".
View full article
This Nominated Discussion Article is based on the post "ECMP Virtual Router Inquiry".
View full article
Enabling symmetric return ensures that return traffic is forwarded out through the same interface through which traffic ingresses. This feature is useful when the requirement is to access servers through two ISP connections (on different ingress interfaces) and the return traffic must be routed through the ISP that originally routed the sessions.
View full article
This Nominated Discussion Article is based on the post "CLI Guide Needed for Palo Alto FW" by @ganeshprasad and answered by @Raido_Rattameister. Read on to see how you can find commands in the CLI!

Hello All,

Please share the Palo Alto CLI guide which has all the command lines.

Solution:

HTML: https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-cli-quick-start/use-the-cli
PDF: https://docs.paloaltonetworks.com/content/dam/techdocs/en_US/pdf/pan-os/11-0/pan-os-cli-quick-start/pan-os-cli-quick-start.pdf

You can also find commands using the find command. For example, searching for "license":

> find command keyword license
delete license key <value>
delete license token-file <value>
show oss-license
show running url-license
show license-token-files name <value>
debug dataplane ctd-agent license
request license install <value>
request license info
request license fetch auth-code <value>
request license api-key set key <value>
request license api-key delete
request license api-key show
request license deactivate VM-Capacity mode <auto|manual>
request license deactivate key mode <auto|manual> features
request license deactivate key mode <auto|manual> features [ <features1> <features2>... ]
request dnsproxy license refresh
scp import license from <value> remote-port <1-65535> source-ip <ip/netmask>
scp export license-token-file from <value> to <value> remote-port <1-65535> source-ip <ip/netmask>
tftp import license from <value> file <value> remote-port <1-65535> source-ip <ip/netmask>
tftp export license-token-file from <value> to <value> remote-port <1-65535> source-ip <ip/netmask>
> configure
Entering configuration mode
[edit]
# find command keyword license
set shared admin-role <name> role device webui device licenses <enable|read-only|disable>
View full article
Palo Alto Networks covers the deployment of the VM-Series Next-Generation Firewall on the ESXi hypervisor in Layer2 mode.
View full article
In today's digital world, where encryption is all around us, SSL decryption becomes a real superhero in the fight against hidden threats and bolstering network security. Luckily, Palo Alto Networks Next-Generation Firewall comes to the rescue with its powerful SSL decryption capabilities.
View full article
Searching for the obvious can sometimes be hard. You simply might have overlooked something or you might have never needed it before. Things can become especially tricky when you have a security policy that's several hundreds of rules long.
View full article
This Nominated Discussion Article is based on the post "User ID group mapping, not pulling groups".
View full article
This is a summary of SAML-based SSO login, with most of the SAML components shown in the picture below. I want to point out some important things that need to be done to make SAML work:
View full article
Palo Alto Networks' Commit and Config Locks are important features that help ensure the integrity of network configurations and prevent unauthorized changes.
View full article
This Nominated Discussion Article is based on the post 'what does "SWITCH" in hardware architecture mean?'.
View full article
This Nominated Discussion Article is based on the post "Configure second DUO for PA firewall MFA".
View full article
Introduction

Security administrators can use Google Cloud IAM to control who can access resources within a Google Cloud organization. However, companies may require the ability to restrict access to resources and APIs that reside in different Google Cloud organizations. The combination of Palo Alto Networks URL Filtering and Google Cloud organization restrictions enables security teams to restrict employee access to sanctioned Google Cloud organizations. The capability provides a variety of security benefits, including preventing insider attacks and stopping data exfiltration.

Use-Cases

There are many use-cases for organization restrictions, for example:

- In combination with Palo Alto Networks URL Filtering, you can monitor and control the sites users can access, prevent phishing attacks by controlling the sites to which users can submit valid corporate credentials, and enforce safe search for search engines like Google.
- You can restrict access so employees can only access resources in your Google Cloud organization and not other organizations.
- You can allow your employees read-only access to any Cloud Storage resources, but restrict all other types of access to only resources in your Google Cloud organization.
- You can allow your employees to access a vendor Google Cloud organization in addition to your Google Cloud organization.

How it works

The diagram below shows the required components to enforce organization restrictions. When a managed device accesses a Google Cloud resource, the URL Filtering profile defined within the security policy inserts the value for the organization restrictions header, X-Goog-Allowed-Resources.

- Managed device: Any device that adheres to the organizational policies of the company and is connected to, or routed through, a Palo Alto Networks enforcement point with URL Filtering enabled. For example, the managed device can be a remote user connected with GlobalProtect, a datacenter server protected by a PA-Series NGFW, or cloud resources protected by a VM-Series NGFW.
- Palo Alto Networks URL Filtering: A URL Filtering profile is created and attached to the security policy. The profile inserts the organization restriction as a custom header for any requests originating from the managed device. This configuration prevents users and devices from accessing any Google Cloud resources that reside in unsanctioned Google Cloud organizations.
- Google Cloud: The organization restrictions feature in Google Cloud inspects all requests for the organization restrictions header, and allows or denies the requests based on the organization being accessed.

Example Scenario

The network security administrator of Organization A wants to allow employee access to resources hosted in their Google Cloud organization. All employee access to cloud resources hosted in all other Google Cloud organizations should be denied.

Configuration

A cloud and network security administrator for Organization A performs the following steps to implement organization restrictions.

1. Retrieve the Google Cloud organization ID for Organization A.

   gcloud organizations list
   (output)
   DISPLAY_NAME: Organization A
   ID: 0123456
   DIRECTORY_CUSTOMER_ID: a1b2c3d4

2. Create a JSON representation for the value that will be assigned to the organization restriction header, X-Goog-Allowed-Resources, and save it to a file named authorized_orgs.json. Please see Configure organization restrictions for complete information on constructing the value for the header.

   {
     "resources": ["organizations/0123456"],
     "options": "strict"
   }

3. Encode the header value in base64 format. Below is an example using basenc. The URL Filtering profile will insert the base64 string as the value for the X-Goog-Allowed-Resources header.

   cat authorized_orgs.json | basenc --base64url -w0
   (output)
   fdsasdfInJlc291cmNlasjdfaJnYW5pemF0ay8xMjM0NTY3ODkiXSwKICJvcHRpb25zIjogInN0cmljdCIKfQo

4. If there are no upstream devices decrypting HTTPS traffic, configure SSL Forward Proxy.

5. On the Palo Alto Networks device, edit or create a URL Filtering profile. In the profile, click HTTP Header Insertion → Add to create a new entry. Configure the entry as follows:
   Header: X-Goog-Allowed-Resources
   Value: Add the base64 encoded value from the previous step.

6. Apply the URL Filtering profile to the security policy that inspects the managed device's internet traffic.

7. Commit the changes.

Verify Configuration

The organization restrictions are applied for access to the Google Cloud APIs and the Google Cloud console. On a managed device that has access to both Organization A and Organization B, perform the following to test the organization restrictions feature.

1. On the managed device, log into the Google Cloud Console with an account that has access to Organization A and Organization B. In the Console, click the Organization drop-down menu. Even though the user account on the managed device has access to Organization A and Organization B, only Organization A appears in the Google Cloud Console. This is because the URL Filtering profile inserts the organization restriction header, which enables Google Cloud to block the user from accessing other organizations.

2. From the same managed device, attempt to reach the logging API of a Google Cloud project (e.g. org-a-project) that belongs to Organization A. The request should show a successful return of the log entries within the Google Cloud project belonging to Organization A.

   TOKEN=$(gcloud auth print-access-token)
   curl -X POST -d '{"projectIds": ["org-a-project"]}' -H 'Content-Type: application/json' -H "Authorization: Bearer ${TOKEN}" "https://logging.googleapis.com/v2/entries:list"
   (output)
   { [ <..redacted..> ] nextPageToken": "EAB<..redacted..>RsAB" }

3. Attempt to reach the logging API of a Google Cloud project (e.g. org-b-project) that does not belong to Organization A. The request should show a failed return for the Google Cloud project that does not belong to Organization A. This is because the URL Filtering profile inserted the organization restriction header into the request from the managed device.

   curl -X POST -d '{"projectIds": ["org-b-project"]}' -H 'Content-Type: application/json' -H "Authorization: Bearer ${TOKEN}" "https://logging.googleapis.com/v2/entries:list"
   (output)
   {
     "error": {
       "code": 403,
       "message": "Access denied by organization restriction. Please contact your administrator for additional information.",
       "status": "PERMISSION_DENIED",
       "details": [{
         "@type": "type.googleapis.com/google.rpc.ErrorInfo",
         "reason": "ORG_RESTRICTION_VIOLATION",
         "domain": "googleapis.com",
         "metadata": {
           "consumer": "projects/01234567890",
           "service": "logging.googleapis.com"
         }
       }]
     }
   }

Additional Materials

- Google Cloud: Introduction to organization restrictions
- Google Cloud: Configure organization restrictions
- Palo Alto Networks: HTTP Header Insertion
- Palo Alto Networks: Create Custom HTTP Header Insertion Entries
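The header construction and verification steps above, as an added Python example that is not part of the original article or of any Palo Alto Networks or Google tooling: it builds the X-Goog-Allowed-Resources value the same way the basenc step does, decodes a value back to confirm which organization it sanctions, and recognises the ORG_RESTRICTION_VIOLATION reason in an API error body. The organization ID and the 403 body are constructed samples that mirror the article's output.

```python
import base64
import json

# Constructed example organization ID (same shape as `gcloud organizations list`
# output); not a real organization.
ORG_A_ID = "0123456"

# Constructed copy of the 403 body shape from the verification step.
SAMPLE_DENIAL = {"error": {"code": 403, "status": "PERMISSION_DENIED",
    "details": [{"@type": "type.googleapis.com/google.rpc.ErrorInfo",
                 "reason": "ORG_RESTRICTION_VIOLATION",
                 "domain": "googleapis.com"}]}}


def build_allowed_resources_header(org_ids):
    """Return the X-Goog-Allowed-Resources value for the given organization IDs.

    base64url (RFC 4648 URL-safe alphabet, padding kept) of the step-2 JSON,
    the same bytes `basenc --base64url -w0 authorized_orgs.json` emits for it.
    "strict" is the only option the article uses, so it is fixed here.
    """
    doc = {"resources": [f"organizations/{oid}" for oid in org_ids],
           "options": "strict"}
    return base64.urlsafe_b64encode(json.dumps(doc).encode()).decode("ascii")


def decode_allowed_resources_header(value):
    """Decode a header value back to its JSON document, restoring any '='
    padding lost in copy/paste so pasted profile values can be checked too."""
    padded = value + "=" * (-len(value) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def header_allows_org(value, org_id):
    """True if the decoded header lists organizations/<org_id> as sanctioned."""
    return f"organizations/{org_id}" in decode_allowed_resources_header(value).get("resources", [])


def is_org_restriction_denial(body):
    """True if a Google API error body carries reason ORG_RESTRICTION_VIOLATION,
    which separates a header-enforced block from an ordinary IAM denial."""
    details = body.get("error", {}).get("details", [])
    return any(d.get("reason") == "ORG_RESTRICTION_VIOLATION" for d in details)


if __name__ == "__main__":
    value = build_allowed_resources_header([ORG_A_ID])
    print("X-Goog-Allowed-Resources:", value)
    print("allows Organization A:", header_allows_org(value, ORG_A_ID))
    print("403 is an org-restriction denial:", is_org_restriction_denial(SAMPLE_DENIAL))
```

Paste the value the script prints into the HTTP Header Insertion entry, or feed an existing entry's value to decode_allowed_resources_header to confirm it still names the intended organization.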
View full article
This article is based on a discussion, "SSL Decryption Session is Full".
View full article
This Nominated Discussion Article is based on the post "Generate cookie vs Accept Cookie".
View full article
This Nominated Discussion Article is based on the post "Block the Tiktok Application".
View full article
This Nominated Discussion Article is based on the post "View exported Policy details from console" by @Shahwaz_Md and responded to by @anlynch. Read on to see the discussion and solution!

We have exported all the policies from the console in (.export) format but are unable to view them or open them anywhere. Kindly help me view these exported policy details.

When exporting policies or profiles in Cortex XDR, they are going to be given a file extension of .export. Using a program like Sublime Text or Notepad++, you can open the documents and see they're Base64 encoded. You can use a variety of tools like CyberChef or built-in Windows utilities to decode the Base64. Just so you're aware, once decoded, the Base64 will be in JSON format. Depending on the utility you use, the format may need to be edited slightly to appear properly.
View full article
This Nominated Discussion Article is based on the post "CLI configuration of adding interface to virtual router".
View full article
This Nominated Discussion Article is based on the post "CLI configuration of adding interface to virtual router" by @nowayout and responded to by @aleksandar.astardzhiev. Read on to see the discussion and solution!

When adding an interface into a VR using the CLI, do I need to copy all the existing interfaces currently in the VR and then add this new interface into the list?

For example, the current default virtual router has two interfaces, ethernet1/1 and ethernet1/2, and I want to add another interface, ethernet1/3. Do I only need to do "set network virtual-router default interface [ ethernet1/3 ]", or do I have to do "set network virtual-router default interface [ ethernet1/1 ethernet1/2 ethernet1/3 ]"? If the latter, it'll involve some programming work when doing automation in a real-world environment, as we don't know what interfaces are already in the virtual router, so we need to get the list first, then add the interface into the list and issue the set command.

You don't need to list existing interfaces when adding a new one to a virtual-router. If you run the following command, it will add to the existing list and will not override it:

> set network virtual-router default interface ethernet1/3

The square brackets are optional in your case; they are needed if you want to add multiple interfaces with a single command.

Even if you are adding multiple interfaces with [ ethernet1/4 ethernet1/5 ethernet1/6 ], it will still only add those three without overriding or removing any interface from the list.

Now if you want to remove interface/s from the list, you either remove interfaces one by one or all interfaces at once:

# will remove only one interface from the list and the rest will remain
> delete network virtual-router default interface ethernet1/3
# will remove all interfaces from the virtual router
> delete network virtual-router default interface
View full article