IPSec VPN tunnel question, Proxy-ID and peer IP same?

I am creating a static routing IPSec VPN tunnel with a 3rd party. The 3rd party wishes to NAT their hosts to their peer IP, which means the remote peer IP will be the same as the proxy-ID IP. How do I support this?

URL Category rule works on some firewalls but not others

We are using a rule to permit traffic for Cisco licensing using URL Categories. The rule is applied via template, so all of the firewalls get the same rule. The only variable is the source IP/host. This rule works on most of the firewalls (all are PA850) but fails on some. The traffic does not match the rule and is blocked by the default rule.

PA-220s randomly crashing

We are having a large number of our PA-220s randomly crashing. No critical system logs are see shortly before the crash, the device just goes down and they are logs of dataplane starting up like 30 minutes later. Our other models are fine, its only the 220s we are having issues with. We have had a critical TAC ticket for the last few days and it...

Need help! Specific subnet cannot access my internal resource

Hi Team, I just need an advise. I have this setup as attached but I have this mystery that's been bugging me for days now. There is only one subnet which cannot access my internal resource. I ran the filter and global counter and there are specific counters I noticed. Can someone enlighten me on this? Regards, Renz

Concurrent Policy Installation

Could someone help me from which PAN-OS version can we do Concurrent Policy installation ? For example : Admin A and Admin B can push 2 different Access Policy to 2 different Clusters ?

PAN HA with different SFPs

Hi Guys quick question.. planning a pair of PA 5420's in HA - the plan was for each to have a 40gb QSFP+ module. however on our secondary core switch we are unable to source a 40gb sfp in time. So.. as a temp solution, will HA work if we have a 40GB QSFP+ module on FW1 connecting to 40GB sfp on Core1 and a 10GB SFP on the FW2 connecting to 10g...

Remove Domain Name from LDAP user mapping IMPOSIBLE =(

Hi Someone know if there is a way to remove the domain name from the group mapping The reason why is because i get from external source on palo alto the user id test1 or "test2" or "test3" Goal is create a policy rule base on the source user that is being part of a domain group In my case LDAP group mapping get this information: show u...

Threat Logs not showing specific source IP Address

Hello everyone! Just have an issue that I can't seem to figure out. In our threat logs, we are noticing that the source address shows the default gateway address rather than a specified address. We will get a specific address, however more often then not, we see the default gateway address. Any idea how we would be able to consistently see...

Modified XML API for Top Users last 30days

Hi Support, We want to get top all users for last 30 days using XML API, how we get it? This is XML API to get top 10 users (Worked😞 <type><panorama-trsum><sortby>sessions</sortby><group-by>srcuser</group-by><aggregate-by><member>src</member><member>app</member></aggregat...

what is the steps for SIEM integration in PA firewall

Security policy with sources on a CDN or domains with wildcard

Hello to all, I would like to know how smart PAN admins would solve this problem: suppose you have to allow inbound traffic from a source address that is: - defined as a FQDN but you know from DNS that it is delivered via a CDN like cloudflare, akamai, etc or - defined as a domain with a wildcard, for example *.letsencrypt.org I know that: - I...