General Topics

Discover LIVEcommunity Through Our New Animated Explainer Video!

We’re thrilled to unveil a brand-new animated video that highlights everything LIVEcommunity has to offer! This short and engaging video gives you a quick tour of the many resources available in our vibrant community — from interactive discussions and customer journey guides to the Cyber Elite program and Member Spotlight features. Whether ...

Monitor traffic - filtering issue

Hi all,we have noticed inconsistency in PAN OS 5.0.8 and 5.0.9, compared to 4.1.9, related to monitor traffic filter. In older version message box pops-up in case filter is not properly defined (i.e. if there is syntax error), which is fine and helpful. In mentioned 5.0.8 and 5.0.9 nothing pops-up in case of erroneous filter, only white area is ...

Active/Active traffic log.

HelloI knew session owner generate traffic log.Does session setup device generated traffic log If a session is denied L4 processing before L7 processing???Network DiagramRouter#1(Power-OFF) ------ Router#2(Power ON) | | FW#1 FW#2 | ...

Resolved! use GlobalProtect for Network Logon

Dear,Is it possible to use GlobalProtect with pre-logon enabled as a "Network Logon" for Windows?This way I want to use the GlobalProtect to tunnel the domain-login request to our AD when the pc is on the road.Ultimately we want to use this for users with expired accounts to be able to reset their domain password remotely.If this is not possible...

Resolved! L3 deployment with dynamic IP and DMZ (NAT and PBF required?)

Dear all,I'm trying to move from my initial vWire deployment to L3 in order to get rid of my SSG5. Later on I'll also get rid of my SA-2000.Current layout:ISP (dynamic IP) - PA vWire - SSG5 - PA vWire - Intranet | SA-2000I'm clear how to set up NAT to access...

About updating AD group membership

Hello guys1. I configured LDAP profile and update from AD DC2. AD group named domain-users has about 10900 user3. Customer created new user and applied new user to domain-users groupSo I tried to refresh a group-mapping information by debug command. But PAN could not be updated domain-users group information and refreshing member of group.1. I c...

Resolved! will an unlicensed Palo Alto pass traffic?

We have a fully configured cold spare racked - unlicensed, no subscriptions. If pressed into service wil it at lease pass traffic until an RMA arrive for instance?

How to disable global protect portal exposure in public

HI all,it.s that any way I could disable the global protect portal pages exposure in public? Could I just manually install the global protect client to the pc and get the ssl VPN feature works?

7-Zip ARJ File Buffer Overflow Vulnerability(31030)

Has anyone come across this vulnerability? We have several PC's with 7-zip installed for extracted .tar files in windows. Even after we delete 7-zip, we still see these vulnerabilities being flagged by the pan. Has anyone seen this behavior before? Possibly a rootkit or other malware on the pc's?Thanks

Resolved! pa performance analyze

hey i am trying to analyse if the PA is under load regarding to the PA specs,the customer is having sometimes disconnects on the network, i can see that the CPU have peaks sometimes but mainly is OKnetcom@PA-IL-ACTIVE(active)> show running resource-monitor hourResource monitoring sampling data (per hour):CPU load (%) during last 24 hours:core...

best practice User-ID strategy?

Hello,first I try to give you some information. Our headquarter is located in Germany. All of our subsidiaries are connected to Germany via relatively slow VPN lines. Overall we have round about 20 DCs in different countires. Until now we have only 3 Palo Alto firewalls (Germany, USA, Canada) but in the future we plan to buy more.Our setup until...

Why both portal and GW license for HIP ?

Hi,Can someone give a competitive explanation for that ? Portal for once, GW for every year.But why both ?Vendor updates make sense for GW subs., what extra portal makes ?Regards.

SYSTEM ALERT : high : HA Group 1: ** version does not match

Hi Friends,I wanted your help in solving this persiting issue.I have a PA4020 in HA mode which is configured in Active-Passive mode. From last few days i am getting the below errorSYSTEM ALERT : high : HA Group 1: Anti-Virus version does not matchSYSTEM ALERT : high : HA Group 1: URL Database version does not matchthe extracts of the logs is att...

Does PA firewall really support 6in4 tunnel?

I have a free 6in4 tunnel from Hurricane Electric. The tunnel profile inucludes IPv6 Tunnel Endpoints, Routed IPv6 Prefixes and Anycasted IPv6 Caching Nameserver. I used these information to configure a Juniper SSG firewall and it works. I was told by Technical Support Engineer that PA does support 6in4 and it is termed as NAT64. However it need...

Resolved! Unable to Perform Debug Flow

Hello, have a PAN-5050 running 4.1.13, where I am trying to debug flow on. Followed the steps necessary to turn on flow debugging but I am not seeing anything log to either of the dataplane pan_packet logs files. I've confirmed the settings are in place on both data planes but nothing is logged. Anyone know of any issues with flow debugging on...

Resolved! Forward Trust Certificate

Hi,In my office environment, we have an internal certificate that we have been using prior to installing PAN device. Lately after installing PAN, our office staff are always getting certificate warnings whenever they visit a SSL enabled website. I read in the PAN documents that a self-signed certificate generated by PAN firewall will eliminate t...

Discussions