General Topics
Post a discussion here if you have general questions regarding configuration and troubleshooting for Palo Alto Networks products. Use this forum to collaborate with like-minded security professionals to improve your security posture.
cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
General Topics
Post a discussion here if you have general questions regarding configuration and troubleshooting for Palo Alto Networks products. Use this forum to collaborate with like-minded security professionals to improve your security posture.
About General Topics
Post a discussion here if you have general questions regarding configuration and troubleshooting for Palo Alto Networks products. Use this forum to collaborate with like-minded security professionals to improve your security posture.

Discussions

Address object limits / Panorama ...

Heya,Two related questions regarding address objects and current limits....1) Is there a command to see the number of address objects currently on a specific firewall (whether they're local objects or Panorama objects)? I'm familiar with how to view address object limits for a particular platform (show system state | match address)...but would ...

Resolved! Upgrade caused AD admin authentication to fail

I upgraded my passive unit from 4.1.6 to 4.1.8 after the reboot I can't login using my domain credentials. I still can with the active unit still on 4.1.6 and I can login with the local admin account. Everything is setup the same, and LDAP lookups seem to still be working. All I see in the logs is: general auth-fa 0 User 'DOMAIN\USER' failed...

rgreens by L2 Linker
  • 3497 Views
  • 2 replies
  • 0 Likes

Import global sign root CA

Hi,I'am setting up global protect. The customer has a global sign certificate to use with the Global Protect. But I have to select the root ca in the Global Protect configuration. On the website from Global sign I can copy the certificate but can I import this in some way on the Palo Alto?Or how should I do this?Regards,Kevin

4.1.5 and 4.1.7 Upgrades (Including hotfix 2)

So, I recently ran into an issue and I wanted to try to see if I could get some feedback from users to see if anyone else had something similar happen to them.We recently ran into an issue where our active firewall tanked and transferred responsibility to it's peer. Everything was working as it should, so i contact support to check what the iss...

emortaro by L0 Member
  • 9739 Views
  • 16 replies
  • 0 Likes

Resolved! URL categories not being resolved

Hi,Our PAN 2020 is setup for URL filtering. After a reboot we're now getting excessive matches for the "unknown" category. It appears URLs are not looked up on "Dynamic DB" and "Cloud DB".Ex:(active)> test url www.nds.org.auwww.nds.org.au society (Dynamic db)(active)> test url-resolve-path www.nds.org.auURL www.nds.org.au, category unknow...

BTS_MS by L2 Linker
  • 10385 Views
  • 9 replies
  • 0 Likes

Resolved! User Activity Report

I was wondering if there was a way to either use the Custom reports to look exactly like the User Activity Report, and how would I script that or can I fit multiple users into the User Activity Report? This is what I want the end result to be, have reports automatically generated every month for certain users, that will automatically be emailed ...

dgunsolus by Not applicable
  • 4933 Views
  • 4 replies
  • 0 Likes

Resolved! NAT Bidirectionnal,IPSEC NAT-T and secondary address problem

Hello,I am trying to have a Cisco router establishing an IP SEC Tunnel behind a pao alto firewal configured in L3 Mode.The tunnel should be established on a secondary address on a sub interfaceEth 1 Public, Two Sub interface 1.666 and 1.667eth1.666 address is x.y.z.131/25and need the tunnel on x.y.z.132 then I do NAT 1-1 rule with option bidirec...

Resolved! Captive portal with Client Certificate Profile and fallback to radius/kerberos

Hi,I have the following use case for a large customer :1/ Captive portal authentication with client certificate profiles.2/ When the client has no valid cert, an authentication fallback mechanism is required with username/password ( radius or kerberos)I know how to configure both authentication mechanisms seperate , but would it be possible to g...

Resolved! Virus definition upgrade server issues - anyone else?

Hi.I've just noticed that my PA's can't download the latest virus upgrade from Palo Alto.Every time I try, I get "Failed to download due to server error - please try again later".I've been getting this error for several days now - is anyone else seeing it?Trying to download virus incremental upgrade 835-1175, dated 2012/10/07. My automatic overn...

darren_g by L4 Transporter
  • 3564 Views
  • 4 replies
  • 0 Likes

Resolved! 4.0 to 4.1 Upgrade Path

I have 22 firewalls plus Panorama that I am looking to upgrade from 4.0 to 4.1.x. Part of this will also require the upgrade of the User-ID Agent on a few servers.I have seen a few threads saying that Panorama needs to be a higher version than the firewalls, but have not seen an answer to the question if Panorama 4.1 can push policy to a 4.0 fir...

Resolved! iOS 6 and IPSec VPN

We have iPad 3's with IPSec VPN working with the Palo Alto 5020. We upgraded one iPad from iOS 5 to iOS 6 and now the VPN is not working. I know iOS 6 just officially came out this morning, but anyone else have this problem? Here's what I'm getting from a tail of the ikemgr.log...2012-09-19 17:22:39 [INTERNAL_ERR]: decrypt output length does n...

jambulo by L4 Transporter
  • 4451 Views
  • 4 replies
  • 0 Likes

Resolved! Add second ip to tunnel interface

Hello All,I am wondering if it is possible to add a second IP to a tunnel interface. I want to add some extra IPs to a tunnel interface (/28 subnet). To allow a remote party to connect to some servers in our internal network using NAT over IPsec tunnel. I have been looking at both CLI and GUI both cannot find it.Kind regards,Jorg

jorgdc by L0 Member
  • 6301 Views
  • 3 replies
  • 0 Likes

Resolved! File Blocking and the Continue Action

Hello,I understand the main purpose of the continue action, and the additional level of effort the end user must take to ensure they intended to download a specific file. Can anyone verify that the continue feature works if someone was trying to upload a file? Think of a scenario where a company roles out a new AUP and they are trying to ease ...

jclimer by L0 Member
  • 6646 Views
  • 5 replies
  • 0 Likes

Resolved! Can't get internet access, routing problem?

I have worked with many different types of firewalls, but this is my first time with the Palo Alto 5050. Currently I have a basic configuration, a single internet connection and a VR with a default route, properly addressed interface, policy that allows all traffic, zones, etc. Right now I just want to be able to ping out to the internet, the re...

mgross by Not applicable
  • 19166 Views
  • 5 replies
  • 0 Likes
  • 24396 Posts
  • 123 Subscriptions
Top Solution Authors
Labels