Internal Root certificate replacement

Does anybody have any experience of changing out the internal root CA cert? Our server guys have updated our internal cert authority to support SHA-256 certs which has had a knock on affect of causing issues with our GlobalProtect gateway certs on ou

Crazy policies needed for BGP and VPN

Hi,

first read this article:

https://live.paloaltonetworks.com/t5/Learning-Arti​cles/Any-Any-Deny-Security-Rule-Changes-Default-Be​...

then

 I have this exactly behavor but I don't have wrote any/any/deny rules!

In my enviroment both intrazone-defa

Palo Alto NSX-Edition for multi-VC environments.

Hi all ,

Is there support documentation available for multi-VC implementations of the NSX-Edition ? I found plenty of good Deployment guidelines as per https://www.paloaltonetworks.com/search?q=NSX&%3Acq_csrf_token=eyJleHAiOjE0NTk4NDY1NTgsImlhdCI6MTQ

Vulnerability exemption

Hi

what is actually
simple-client-critical
simple-client-medium

I

I  want to change the default action from alert to block .
the rule is under simple-client-medium , but the search result shows it is under
simple-client-high

Thanks

URL White Listing

Hi all,

First of all, we are impressed about MineMeld, thanks Luigi for your ideas and work.

We have just started to play with MineMeld and wandering the format to whitelist domains and network ranges using stdlib.listURLGeneric (as wlURL)

We would l

No Email protection for SaaS

The closest way to protect a SaaS email soltuion I have found is Proofpoint which has a wildfire API hook option.

I am supprised there is no SaaS service for forwarding attechments or inline scanning of email directly from paloalto networks.

TAP mode on VM edition

Hi everyone,

is there any chance somehow to SPAN physical port from switch to VM port group in promiscuous mode, where I placed TAP port of my virtual firewall? Actually, is this supported in any way, or this interface mode is suited only for vir

TAP interface questions

I'd like to monitor a portion of my network on my failover PA in TAP mode.

Will this affect my HA pair at all? 

Is it possible to set up an aggregate TAP of 2 ports?

thanks in advance...

any to application default

We are working on hardening our firewall rules by replacing any to application default(service) and from any to the specific application(application). Example - we changed any to web-application and any to application-default. People hitting the same

RFC2397 Data URL Scheme Usage Detected(30419) reset-both

Seeing quite a lot of this for various sites/traffic which is undoubtedly legitimate.

Is it appropriate that it flags so high?

I'm not entirely comfortable simply excluding it but it's alerting so much it's almost "boy who cried wolf".

High count of packet retransmissions/Dups over IPSEC/VPN

Hi!   

I'm running IPSEC-VPN (AES256/SHA256/DH14) tunnel between a PaloAlto PA-500 and a Fortigate 110C via Internet (10MBit up/down guaranteed both sides - latency between 40 and 50ms).

90% connections are ICA/HDX connections (TCP 1494 and 2598) for X

ipv6 aggregator

Is there an ipv6 aggregator on the roadmap?

I noted that the URL aggregator can already extract them when the miners includes ipv6 IPs in the URLs (ex: office365), but did not find a way to get just the IPv6 addresses.