Problem with ssh decryption after SSH server upgrade

After upgrade ssh server to OpenSSH_6.4p1-hpn14v2, OpenSSL 1.0.0j 10 May 2012 I can't connect to this server when using ssh decryption on Palo Alto.

Before ssh server upgrade, decryption was working correctly and I could connect and decrypt ssh traffi

Custom APP-ID

Hi,

I'm trying to create a custom APP-ID for nearmaps.com. However, cannot get the monitoring to identify the traffic. Following is how I created the APP-ID,

captured the header information from HTTPFox on Firefox. Refer attached screenshot

Im not sure

Monitor session end reason

Hello,

How to check what was the reason behind session end? I mean it could be RST, FIN or timeout from firewall.

Regards,

ifpilm

Tunnel Monitor Configuration question

Operation CommitResult Failed
DetailsIPSec tunnel #NAME enabled tunnel monitoring while binding to tunnel interface tunnel which has no IP address assigned to it yet.

I receive this error when configuring a tunnel monitor to the IPSec tunnel. I'm guess

IPSEC Tunnels and HA Failover

Hello,

In a scenario with two palo alto firewalls where the active firewall fails over to the passive firewall, if there are IPSEC tunnels established are they suppose to automatically come up on the second firewall when the failover occurs or do we

dynamic address group

Hi,

when adding an dynamic address gorup with a lot of criteria(each or criterias not and)

is there a way to learn which criteria related to which ip address.

when using command " show object dynamic-address-group all" I cannot understand which ip is re

VPN to dynamic (ddns) destination

I have a VPN setup to a destination that using ddns to keep the hostname across IP changes. This works fine as long as the remote end is initiating the tunnel, but it seems the PA cannot be configured to be able to also *initiate* the tunnel:

When the

SFTP Timeout

We are experiencing a timeout across SFTP; while SSH seems to be set to timeout at 120 hours, SFTP transfers are timing out at the 1 hour marker.

Is this an expected result? And if so, can we adjust the timeout for SFTP specifically?

Thank you.

ROUTING INTER VSYS

Hello ,

I need to route users between more than 2 VSYS. do you know if it's possible to route packet between more than 2 VSYS. PACKET IN-> VSYS1 -> VSYS2->VSYS3-> out. What is the limitation for the routing inter VSYS

thks for your help!

ALex

User-ID Agent not reconnecting after network outage?

We had a strange issue today.

We had a network outage which basically meant that all our DCs that run the User-ID agent were still running, and our PAN was still running, but there was no LAN between the DCs and the management interface on the PAN.

The

Scheduled Log Export doesn't accept new SSH host key

Hi everyone,

today I reinstalled our syslog server which we use to archive the traffic logs of our PA-3020s (amongst some other things) and didn't import the old server's ssh host keys.

After updating the configuration for the Scheduled Log Export in t