Does a security configuration benchmark/checklist exist for Palo Alto firewalls?

There's a ton of fantastic best practices guides on this site in addition to the admin guides. I was wondering if a best practices security configuration benchmark or checklist exists for PA firewalls.

Something I can hand an IT auditor, similar to t

TCP Windows scale option

Hi, could someone explain if PanOS is able to consider  the filed "TCP Window Scale Option (WSopt)" ( http://www.ietf.org/rfc/rfc1323.txt?number=1323). when tcp asymmetric-path is disabled (drop)?

I mean that in my experience the firewall drop the pac

unable to disble CVE ID: CVE-2006-0225

Hi,

Pls help how to disble CVE ID: CVE-2006-0225 on paloalto firewall.

How to disable ssl v3 on vpn web page?

scanned the PA webserver we use for our VPN portal with qualys ssl scanner. Got a grade of F. Suggested to disable ....

• Diffie-Hellman (DH) key exchange
• 512-bit export suites
• Ssl v2 and v3

how can I go about doing this?

Restrict Individual Administrators by Interface or IP

Is there a way to restrict access for specific administrators by interface or IP address? I really thought I'd seen this somewhere, but now I cannot find it in GUI or docs.

Quick explanation of what we want to do. We want to have a sort of backdoor, e

Standard Ports on Applications

I was wondering if anyone knew away to add a secondary default
port on an application. For example people in my company access web-browsing on
port 80 normally but there are a number of site that people have to use that
are based on port 8080. Is there

superreader Cannot Set CLI Parameters in Panorama

I recently upgraded Panorama to 6.1.1 from 5.0.11. When I did so, RANCID was no longer able to log into Panorama and do its configuration tracking.

I tracked down the problem to a superreader not being able to issue the "set cli pager off" command. Th

Anyone use 6.1.2? Is it stable

I'm pretty interesting in upgrading to this version (on 6.0.8 at the moment). Specifically for the Wildfire email link analysis.

Anyone upgraded? Is it working fine or have you run into any bugs?

URL filtering issue, choosing to continue onto a blocked site allows all sites that falls into the same category.

We have a continue action set to all our categories for URL filtering but I just noticed when trying out new templates (I modified and translated the "web page blocked" text to swedish), that if I go to a site like "porn.com" I get the option to cont

Virutal Wire Mode (transparent mode?)

I just received a PA-500. This is my first PAN device, so some of the terminology is different from prior units.  From what I understand, virtual wire mode is the same as transparent mode.  Is this correct?   In short, I want to place this device bef

URL resolving to unknown while know on brightcloud

Hi guys,

We're facing a weird problem.

We currently have the unknown URL category set to alert in order to log all users traffic.

We tried to modify that because of some weird traffic categorised as unknown and always visiting russian website.

However,