General Topics

Discover LIVEcommunity Through Our New Animated Explainer Video!

We’re thrilled to unveil a brand-new animated video that highlights everything LIVEcommunity has to offer! This short and engaging video gives you a quick tour of the many resources available in our vibrant community — from interactive discussions and customer journey guides to the Cyber Elite program and Member Spotlight features. Whether ...

test security-policy-match

HiSomebody help me write command test security-policy-match....... which WORKS and search that rule: VIP-TEST { from zone-v586; source any; source-region any; to zone-v8; destination 192.168.81.81; destination-region any; user cn=net_vip-test,ou=paloalto,dc=domena; category any; ...

Resolved! PAN-OS Upgrade with HA

Has anyone found a really good tech note that goes over performing a PAN-OS upgrade on an HA pair? Both Active-Passive and Active-Active?

Resolved! Mgmt Plane Always high CPU

I have a PAN fw at a client site that always has the mgmt plane cpu at 100%. The data plane CPU barely ever goes above 10%. Is there an easy way to troubleshoot the cause of this or what is taking up so much CPU usage?

Has anyone taken a look at panug.com ?

I stumbled across a site that I think aims to be similar to https://www.cpug.org - sort of the community's independent forum where discussions about Palo Alto can take place. Kind of a neat idea, but I'm not sure how much community momentum it has.Check it out: http://panug.com

Is the pintsized Java exploit that got Apple, Facebook, Twitter identified on the PAN FWs?

I'm wondering if the Java exploit that caused Apple, Facebook, Twitter, Zendesk, etc. to get hacked is something that is identified and blocked by up-to-date Palo Alto Firewalls.

Resolved! Can't download GP client from the portal

We are setting up GP for SSL VPN. For testing purposes , we have created a local db account on the box and setup GB. The portal comes up and when u log in , u never go beyond the login page . It keeps trying to connect and never does . It eventually times out . This is for external users connecting through the public IP . Users on the corporate ...

Certificate for Secure Web GUI creation

HelloWhich attributes shall an external CA certificate have to be accepted as a Secure Web GUI Certificate?I have imported one, but SSL Management doesn't work with it. These are its attributes: Version: 3 (0x2) Serial Number: 15:28:3b:46:00:00:00:02:38:da Signature Algorithm: sha1WithRSAEncryption Issuer: DC=in...

Best practice for OWA and OMA

HiI'm getting rid of our old ISA server which we used to expose OWA and OMA and want to use our PA-500 to allow domain users access to OWA and OMA (for their iPads etc).I've noticed that the application 'Outlook-web' is used for OWA and its dependancies are SSL (understandable) and Web-Browsing (not so understandable but it must be needed otherw...

Commit Error (sslvpn)

Hi,I am recieving the following error when issuing a commit,Management server failed to send phase 1 abort to client sslvpnManagement server failed to send phase 1 to client useriddCommit failedThe only change in configuration is adding new local users which are used for global protect.I am running 5.0.1Regards

Resolved! Any idea about 3rd party verisign certificate with GlobalProtect ?

We were using sslvpn with PA 's certificate.Now we bought 3rd party cert. from Verisign and imported it as using server certificateBut Global Protect gives an error as "Protocol Error: Check server sertificate"I have searched KnowledgePoint but could not find anything for this error.Any idea ?

Inbound SSL Decryption and monitoring

Hello,I'm trying to setup inbound SSL decryption. It is a pretty basic setup. Two layer 3 interfaces on a PA-500. One interface is in an 'Outside' zone, the other is in a 'DMZ' zone. In the DMZ zone is a web server with a signed SSL certificate. The PA is NATing the server in the DMZ to the appropriate address space Outside.I have imported th...

Cisco IPSEC VPN client connecting to PAN 4.1

Hi folks,there were no way to establish a ipsec connection between a Cisco VPN client and PAN. I was "inspired" by the globalprotect guide but wasn't enought.At the cisco vpn client side, I had configured just the ip address, the group and pwd, and nat-t. At the PAN side, I had configured the globalprotect portal, the gateway(using the third-par...

Static route on Management Interface

Hi all,how can I define an additional static route on the Management Interface?I have a setup with a customer were the communication from the management interface to two specific IP addresses has to be routed over another next-hop which is not the default gateway of the management interface. Therefore I need to define a static route on the manag...

Resolved! TAP Mode and IPv6

Hello Everyone,Is it possible to monitor mirrored IPv6 traffic in TAP mode? I have a PA-500 and it has been enabled for IPv6 firewalling. Apart from checking this option, is there anything else that has to be done to monitor IPv6 traffic? If it is possible, will I being seeing the IPv6 traffic under Source and Destination columns?Many Thanks,...

Resolved! External CA Management Certificate

HelloIs it possible to use an external certificate from our corporate CA for the SSL Management Interface of the firewall?I have already Imported it, and the corporate root certificate, but I don't know how to change the management interface configuration, which is using a certificate issued by the own Palo Alto Firewall (version 4.1.10)Thank yo...

Discussions

Discover LIVEcommunity Through Our New Animated Explainer Video!