General Topics
Post a discussion here if you have general questions regarding configuration and troubleshooting for Palo Alto Networks products. Use this forum to collaborate with like-minded security professionals to improve your security posture.
cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
General Topics
Post a discussion here if you have general questions regarding configuration and troubleshooting for Palo Alto Networks products. Use this forum to collaborate with like-minded security professionals to improve your security posture.
About General Topics
Post a discussion here if you have general questions regarding configuration and troubleshooting for Palo Alto Networks products. Use this forum to collaborate with like-minded security professionals to improve your security posture.

Discussions

Resolved! Windows Update Traffic (ms-update) being recognized as web-browsing

Hi Everyone, I have an issue that I haven't been able to resolve. I have a small domain setup with a Windows Server Update Service that is located in a DMZ. The machinges that are in the inside network (trusted), are setup to pull their Windows updates from the server in the DMZ. I have setup Group Policy to make this happend, and it works fi...

Interfaces in power-down state

Hi all...I have a Palo Alto Active/Active pair and the HA3 link between them is down. Will PANOS then power-down all other physical interfaces when the HA3 link is down. Just looking for confirmation that this is expected behaviour or whether I have something more serious happening to this 3260. Any advise would be greatly appreciated name id sp...

Decryption or blocking NordVPN

Is it possible for Palo Alto Firewall to decrypt third party VPN agent traffic such as NordVPN, NordLynx like decrypt HTTPS web-browsing traffic? If it cannot decrypt these traffic, anyone know the App-ID for NordVPN, NordLynx?I found some VPN app-ID like ciscovpn, open-vpn but no Nord related. What App-ID should I use to block NordVPN, NordLynx?

JoeKwok by L2 Linker
  • 7934 Views
  • 3 replies
  • 0 Likes

Resolved! To use Custom URL categories require a URL filtering license?

We are trying to use DNS wildcards and Custom URL categories to restrict access to certain machines in a security policy. We cannot get it to work and I cannot find any docs that a URL filtering license is required to use Custom URL categories. I have opened a ticket and have to been working with level 1 they haven't provided docs to support my ...

Resolved! cortex xdr agent connection problem

hi everybody, we've installed cortex xdr agent on a terminal-master server which gets cloned for distribution xdr-agent on master has active connection to cortex-cloud but cloned servers can't connect... xdr-log: 2022/05/18T14:32:44.590+02:00 <Info> LVTS41 [3608:5152 ] {trapsd:VerdictService:WfDeferredRequestsTimer:} Calling cloud for 3 W...

Url problem

Hello everybody. I allow a url. I also allowed categories for that url, but the site still doesn't work properly. There is a problem connecting to a server on that site and it is deny Thanks in advance

Fagani by L2 Linker
  • 5272 Views
  • 7 replies
  • 0 Likes

Resolved! Panorama 10.0.5 - Scheduled Config Export - ssh custom port

Hi,we try the export of the config of Panorama and our bothe Firewalls 3260 thru the "Scheduled Config Export".It runs well with FTP and SCP port 22. With a custom port ssh, the "Test SCP server connection" failed. I found no future infos on https://panorama01.cid.dom/PAN_help/en/wwhelp/wwhimpl/js/html/wwhelp.htm#href=panorama-scheduled-config-e...

bovay by L1 Bithead
  • 4530 Views
  • 4 replies
  • 0 Likes

Resolved! Palo Alto PA-3220 replace Bluecoat Proxy

Hi Guys, Does anyone tried to use PA-3220 model as proxy server? Currently the internet traffic of my company is using bluecoat proxy with pac file (config in windows proxy setting), and the proxy also inline with sourcefire for doing SSL interception, IPS/IDS. I'm investigating can this model replace the bluecoat proxy. Can I define the PAC to ...

Resolved! Switch port configuration for management interface on HA pair

Are there any recomendations or requirements to configure a switch port for management interface for a PA firewall?Should it be an access port or could it be a 802.1q port (trunk mode)?Are there any recomendations to enable/disable/specify lldp/cdp/vtp/igmp/spf on switch port for management interface?If the management interface will be used for ...

PA_mgmt_interface.jpg

Fast DNS Resolution Issues

Hello Community, I checking to see what everyone is doing for their allow lists for some thing like an S3 bucket. Scenario: Lets say my server has no internet access due to policies denying the traffic. I then create an object, FQDN, xyz-s3.amazon[.]com (just as an example), add it to a policy that allows my server to access just that s3 buc...

Reference guide to configuration xpath and entry?

Is there any PA published document for the node paths and entries in the configuration file? And how do you tell if something is a path or an entry in the config? It seems extremely painful to try and figure out an xpath to pull the data you want. Searching the forums and KB has some hints, but no over arching config format information. For inst...

Resolved! Prisma SD-WAN application SLA setup?

Where can I know how to setup the application SLA condition? I read some Prisma SD-WAN Administrator’s Guide, I seen there are lot of function to enable Path selection and monitoring based on the Link Quality, SLA. But how can I set the SLA of the application such as Packet Loss, Jitter, and Latency? For example, I would like to setup access You...

JoeKwok by L2 Linker
  • 4468 Views
  • 3 replies
  • 0 Likes

Antivirus Security Profile

Hi everybody, i've enabled and configured an antivirus security profile and attached to a security policy for web-traffic as i see web-traffic can be antivirus-scanned, but my problem is: traffic is identified as ultrasurf with port 8080 so antivirus does not scan, how can i handle this problem? regards

Resolved! Can't advertise static route over ebgp

Hi all, i'm not having much joy getting this working.I have created a static route for a subnet which I am trying to advertise to an eBGP peer.I then created a redistribution profile with only static enabledI then added that profile under bgp Redist Rules.The BGP peering is definitely established and I am able to redistribute a Connected route n...

Mushussu by L0 Member
  • 7969 Views
  • 3 replies
  • 0 Likes

Resolved! Static Route Question

I just have a question about static routing on the palo alto and how it deals with traffic. We one VR and a default network route to send traffic for 10.20.0.0/16 out via ethernet 1/5 , zone core. There is another interface 1/6 configured with 10.20.50.1/24 zone lab. On the lan by default all traffic get sent to the firewall. Outbound traffi...

MistryJa by L1 Bithead
  • 3049 Views
  • 3 replies
  • 0 Likes
  • 24393 Posts
  • 123 Subscriptions
Top Solution Authors
Labels