General Topics
Post a discussion here if you have general questions regarding configuration and troubleshooting for Palo Alto Networks products. Use this forum to collaborate with like-minded security professionals to improve your security posture.

Discussions

Discover LIVEcommunity Through Our New Animated Explainer Video!

We’re thrilled to unveil a brand-new animated video that highlights everything LIVEcommunity has to offer! This short and engaging video gives you a quick tour of the many resources available in our vibrant community — from interactive discussions and customer journey guides to the Cyber Elite program and Member Spotlight features. Whether ...

kiwi by Community Team Member
  • 4228 Views
  • 0 replies
  • 0 Likes

Resolved! Scheduling policies and continuous tcp sessions

Dear Gentlemen, Does anybody know how we can configure the policies to block a continuous TCP session when the schedule runs out? The test we are trying to do is to block a Skype discussion during a scheduled time. During the 'allowed' time, we can launch Skype and discuss normally. Good. During the 'blocked' time, we are not able to connect Skype t...

itbrain by L0 Member
  • 4869 Views
  • 3 replies
  • 0 Likes

Button for "Dynamic URL Filtering" is not there

The checkbox for "Dynamic URL Filtering" is supposed to be in the URL Filtering security profile. I have a PA-4020 that does not show it. It's running 3.0.6. I also have a PA-2050 which is running v3.0.5 and it does have the checkbox. Did the checkbox disappear in 3.0.6?

ksalustro by L3 Networker
  • 5160 Views
  • 5 replies
  • 0 Likes

Using two different RADIUS servers at the same time?

In service route configuration one can define which interface should be used by the management plane to reach the RADIUS server which you will use. However, RADIUS can be used both for admin logins as well as captive portal (user logins). Is it possible to set up one RADIUS to be used for admin logins (towards the PA unit) and another RADIUS to be use...

rps by L3 Networker
  • 5815 Views
  • 8 replies
  • 0 Likes

How does one completely drop packets for a specific URL or URL category?

When setting up URL filtering you can choose from the following actions: Allow, Block, Continue, Override, Alert. The downside with block (like when blocking the category web-advertisements) is that the content is exchanged into the response page for blocked URL filtering. How should I set up the policy if I want to completely drop all packets that belong...

rps by L3 Networker
  • 3483 Views
  • 2 replies
  • 0 Likes

PAN agent to captive-portal fallback

Is it possible to configure a fallback to a web form (captive portal) if a user is unknown without specifying a source IP address in the captive portal policy? In our DHCP network we have a mix of AD-connected users and non-AD-connected users. If yes, how? Best regards, Boris

asecus by Not applicable
  • 3212 Views
  • 1 replies
  • 0 Likes

Threats log for denied packets

Dear all, I currently have a generic rule which blocks netbios-like traffic to and from internet with a simple deny. As this traffic is very likely to be malware generated (at least in my context) I have enabled a simple alert-only antivirus profile on that rule, but I don't get any entries in the threat logs. On the other hand, when I turn the r...

x-forwarded-for and User Identification

We have configured x-forwarded-for flagging along with the User Identification. Traffic logs from a tap upstream of a (squid) proxy carry the x-forwarded-for flag, but the IP is not resolved to a user. Is this expected behaviour? (i.e. is ip-to-user translation supported in reference to x-forwarded-for?) Many thanks in advance.

User-ID not detecting logged off users?

I have the User-ID agent configured and working nicely, however I just noticed a few entries in the URL logs showing for the domain user who last logged on to one of our PCs when I know that the PC is currently logged on using a local account rather than a domain account. I guess I've missed something?

SSL Forward Decryption - Understanding Override

I'm looking at the pros and cons of enabling forward decryption. I noticed there's an "Are you happy to continue" over-ride option but it's global, i.e. it's simply on or off. I assume this won't play nice with any non-browser based https downloads? Also I couldn't work out if you say "yes" what constitutes a session, for example I went to https:/...

Which variables are allowed in response pages?

According to Custom-Block-Pages-TN-revB.pdf the variables available are: <user/>, <url/>, <category/>, <appname/>, <pan_form/>, <fname/>. Where <pan_form/> can only be used for captive portal and url filtering continue and override page. But what about the others? Later in the same document there is a table that claims...

rps by L3 Networker
  • 3431 Views
  • 1 replies
  • 0 Likes

Resolved! UIA

How to download User Identification Agent?

Can a PA replace data in a stream?

PA has support for data filtering, but is it also possible, when a rule is triggered, to replace the data and pass it through? Like exchanging "User-Agent:" in all http-requests (where User-Agent exists in the header) into a common User-Agent string, or for that matter completely remove data in a stream (let's say if you want to remove "Via:" he...

rps by L3 Networker
  • 2387 Views
  • 1 replies
  • 0 Likes

Resolved! User Identification Agent with Active Directory

I know that PA Firewall uses MGT interface to connect to User Identification Agent, I know that most of the other services can be set to use any other interface with the "Service Route Configuration" commands. Is there any method to use any other interface as a source for communication with User Identification Agent? Thanks in advance

  • 24355 Posts
  • 124 Subscriptions