General Topics
Post a discussion here if you have general questions regarding configuration and troubleshooting for Palo Alto Networks products. Use this forum to collaborate with like-minded security professionals to improve your security posture.
cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
General Topics
Post a discussion here if you have general questions regarding configuration and troubleshooting for Palo Alto Networks products. Use this forum to collaborate with like-minded security professionals to improve your security posture.
About General Topics
Post a discussion here if you have general questions regarding configuration and troubleshooting for Palo Alto Networks products. Use this forum to collaborate with like-minded security professionals to improve your security posture.

Discussions

Resolved! Apply zone protection - to which zone?

Hi,I am wondering where and how zone protection profiles are applied to. I figure if I attach a zone protection profile to a zone, all resources behind that zone are under protection. But let's take the following example:* one interface connected to internet (zone: untrust)* one interface connected to internal LAN (zone: trust)* several interfac...

Resolved! Can there be alone WF-500(Wildfire appliance) without FW?

Hello,I have questions about WF-500.Can there be alone WF-500 without FW?I read WF-500 Doc that WF-500 doesn't provide wildfire web portal for detail report.It sends result(malware or benign) to only FW wildfire log.How way does user check log without FW? Does WF-500 have connected UI interface?Thanks.

SSL traffic mis-identified as TOR

Hi,Seeing over the last few days traffic going from our users (various different users in different locations) to IP addresses in Google's range (74.125.0.0/16) being identified as TOR, and subsequently blocked - traffic is all dest port 443. This is preventing access to certain websites hosted on Google's platform - appspot.com for example.I a...

Delete user out of the user agent via API

Hi.I would like to delete a specific user out of the user agent cache via the XML API. Is it possible to do this when the ip user mapping was done by the agent itself (get the user via DC or exchange login). I enabled the user id XML API on the agent and send them this string:<uid-message><version>1.0</version><type>updat...

Report Management via the GUI...

I sent the following in to our VAR/SE for a product Enhancement. If you feel the same, I hope you can request this also. What are your thoughts on this request?The Reporting structure on the PA GUI is set up to MAKE lots of reports, and/or auto-generate to email or view on the device. (Not sure, but I believe the Panorama is similar, if not the ...

SSL Decryption with Mutual (2 Way) Authentication

Hi,I have traffic that uses mutual (2 way) SSL Authentication that I would like to decrypt. I was able to decrypt when just using the server certificate, but when I add the client certificate it no longer decrypts (the connection still works though).I have look around the docs/site and have not seen much mention of this scenario. I would like to...

ckawecki by Not applicable
  • 4883 Views
  • 2 replies
  • 0 Likes

Resolved! Editing profile

Hi.Does anyone know is it possible to change main email address on palo alto web site profile?Thx

Global Protect bugs/enhancements

I may be doing something wrong on my end, but I have a few things that could improve the product a bit. I am using the latest version 1.2.3-6.1) When using On-Demand basic mode I cannot click File > Connect. The option is grayed out. However I can right-click in the taskbar and choose connect. I am then prompted for my credentials. This ...

nthen by L3 Networker
  • 2369 Views
  • 1 replies
  • 0 Likes

Authentication after blocked page

Dear All,If I have two groups of users, one with more restrictive access to the internet via URL Filtering than the other.If the more restrictive group access the internet and receive a block page as their policies do not allow access to that resource. I would like the possibility for a user that is in the less restrictive group to authenticatio...

JAG by L1 Bithead
  • 3164 Views
  • 3 replies
  • 0 Likes

SSL Decryption

Hi All, I have an issue with SSL decryption and using the inbuilt CA. What appears to happen is that various parts of SSL websites don't trust the CA on the palo alto and as a consequence sites do not load fully and report various certificate issues.This is what https facebook looks like:The corresponding browser complaints:I'm running the very ...

Resolved! Ubuntu and PA-200 DHCP

I'm having a problem with mostly Ubuntu users not being able to resolve DNS. I say mostly because there is at least one Windows user having the same problem. None of the Mac workstations are having the same problem and the majority of the Windows machines work as well.I have the PA-200 configured with DHCP on the trust interface all users are co...

Global Protect - How does patch matching work?

Can someone please detail how a HIP profile for missing patches works? I have tried every combination possible and I always get the same result.My Criteria is as follows:Patching is Enabled Yes is Installed CheckedSeverity - Greater than 2 (Which means 3 or Critical for Microsoft related patches)Check - Has NoneVendor - Microsoft Corp.My Gatewa...

allens by Not applicable
  • 3062 Views
  • 1 replies
  • 0 Likes

Antivirus DB not showing up on inactive HA node

Hi,I have a pair of PA-500 in an active/passive cluster. The Dashboard says that all content is matching between the nodes. However, if I go into Device->Dynamic Update on the secondary node, there is no Antivirus in there. I can only see it on the primary node. When I do a 'request anti-virus upgrade install' on the command line of the inact...

Resolved! Policy Based Forwarding - Enforce Symmetric Return

Hi,I am planning a firewall migration right now and trying to solve the problem that traffic comes in through two different interfaces during the migration (Internet through old firewall, Internet through new firewall). I was looking at policy based forwarding and stumbeled across the "e, nforce symmetric return" option, which unfortunately is n...

Port Forwarding Without NAT

So, I have a very interesting network. I have a media server that is on a separate VLAN. There is no way for me to statically configure the client(s) with a static IP (they just search for the server). It uses tcp/32400. Basically, my host will show as coming from a different zone than where my media server is. So, I need to forward any tcp...

  • 24401 Posts
  • 123 Subscriptions
Top Solution Authors
Labels