log forwarding

Team, Have few questions on log forwarding .. 1. Is there any best option to check what are the policy rules doesn't configured with log forwarding from Panoroma or any other tools ? 2.How to enforce users to specific custom log forwarding profile 3. is there any alert system we can configure if user configure policy without log forwarding pro...

Migrating config from fortigate to paloalto ,having interfac mapping issue and also in service no ICMP and PING available

Initial GlobalProtect connection and subsequent drop-outs.

It routinely takes me over 10 minutes to login to my VPN every morning, because the network response is so slow and droppy. There's so much already loading when I login that I receive "cannot connect" errors from other apps before GlobalProtect even prompts me. I have gigabit Internet at home with speeds routinely registering at over 300mbps, ...

Rule creation query

Hi Team, We have created policy Source: Internal subnetDestination: Any Application:Any service/url category:custom category.Action allow. In custom URl category, we have added 2 domains. Our requirement is internal subnet user should access these 2 domains only.However traffic is getting allowed for all other destination IP address. Why it is h...

Validation failed when committing a changes to managed firewalls from Panorama

Last week we made a changes(added new IP addresses as a Source) to the existing security policy and tried verifying by validating template/device group for target firewalls however it results in validation failed with following errors. user-id-agent unexpected hereVsys is invalidDevice is invalidConfiguration is invalid Any help and suggestions...

Globalprotect dissonnection issues

I have a couple of users who say that when on the GP VPN client it disconnects them multiple times and I have not been able to reproduce their issues.The only thing I have found so far is this in the system logs "globalprotect gateway user login failed. error existing user session found" collected logs on the client and nothing really stands out...

Forwarding logs to MS Sentinel

Hi Guys, How to send Data Filtering Logs to our Microsoft Sentinel as there is no option in Log Settings for Data Filtering? Many thanks in advance.

Palo alto certificate error?

hi all, I am using PA-850 and configure certificate decryption. I am having the problem with this. when I configured to decrypt for any source, client would get the error "ERR_SSL_VERSION_OR_CIPHER_MISMATCH", and could not access to any websites. But when I configured to decrypt some client only in source, it worked well. I dont know if It was...

Firewall stopped sending traffic to internet from trust zone, after upgrade from 10.1.3 to 10.1.5h2

I have upgraded 3 set of palo alto PA-3220 (3 pairs) to 10.1.5h2.Two set works good without any issue.When upgrade completed with last set, the active firewall stopped sending traffic from trust zone to internet, though it has all valid routes in it. Post I shifted all traffic on secondary firewall and all started working.This is the issue I am ...

User to IP mapping for LAN with computer on hybernet/sleep

I have Palo Alto firewall and implemented the user ID in our environment. I am looking for some help on specific use case. I am hoping to get some answers/guidance for the same. Firewalls : PA-820/850 as well VM-300PAN OS : 9.1.13-h3/9.1.9 I have install the windows based user ID agent on couple of servers. Windows Server OS : Server 2019 Standa...

Some users have pre-populated usernames in global protect VPN client

Hi all, I was wondering if anyone else has seen this. There are about 3 users that I know of that are having user credentials pre-populated in global protect that are incorrect for the VPN login. We can't seem to clear this, and even if we do a restart, the credentials are populated automatically. I've tried registry tweaks, taking the global...

Palo Alto content apps update 700 800 compatibility 8.0.X

Palo Alto content update 700-800 compatibility 8.0.XHello good evening, thanks as always for your support, we have the following case:-A device firewall version 8.0.X was manually installed a content update of Apps, current version 8563-7374.-After that it is not possible to finish a commit, we went back to a configuration backup and the same er...

Cannot log into firewall if authentication profile specifies an AD group instead of AD username

So last Thursday we upgraded our PA-5220s from 9.1.10 to 10.1.5-h1 and everything went incredibly well - absolutely no issues during the upgrade. About 15 hours after the upgrade was complete, we suddenly could not log onto the firewalls with our LDAP credentials. Typically we have an AD group specified in the Authentication profile we use for ...

PAN-OS 10.2 : filter incoming OSPF routes

Hi, We are trying to setup OSPFv2 between a PA-5220 in 10.2 and a Cisco ACI Fabric with "Advanced Routing" enabled.For now, we are able to advertise routes to our ACI Fabric, we can filter outgoing advertisement but we are unable to filter incoming routes. We tried with RIB Filter - OSPFv2 without success (https://docs.paloaltonetworks.com/pan-o...