General Topics
Post a discussion here if you have general questions regarding configuration and troubleshooting for Palo Alto Networks products. Use this forum to collaborate with like-minded security professionals to improve your security posture.

Discussions

Discover LIVEcommunity Through Our New Animated Explainer Video!

We’re thrilled to unveil a brand-new animated video that highlights everything LIVEcommunity has to offer! This short and engaging video gives you a quick tour of the many resources available in our vibrant community — from interactive discussions and customer journey guides to the Cyber Elite program and Member Spotlight features. Whether ...

kiwi by Community Team Member
  • 4119 Views
  • 0 replies
  • 0 Likes

Resolved! Creating an Authenticated Tunnel from One Internal Zone to Another Internal Zone

I would like to create a secure internal tunnel such that a user requires authentication (ideally MFA, or a cert, or at least a PW, etc) to get from one internal zone to another internal zone (ie user zone to the management zone). What are my options? Is anyone doing this sort of thing with Okta? Is there a certificate based way to do this? ...

Active/Passive PA with Dual ISP in eBGP and private owned /24 ASN

Hi, Looking for some guidance on our setup. I am looking to establish pure ISP failover without having to take action on my / my team's side. Presently when there is an outage, we need to do manual intervention to get connectivity back up. Here is an overview of our network, internet facing. ISP A (/30) -> Cisco ASR Router 1 (I control) (/24 ...

system2 by L0 Member
  • 2675 Views
  • 1 replies
  • 0 Likes

multicast test

PA is using cisco switch as external RP. Over a system I start the stream on VLC but I don't see the multicast address in multicast FIB. System is connected to network that is directly behind firewall. I use this tool multicast test tool (https://community.arubanetworks.com/community-home/digestviewer/viewthread?MID=21729) I see the entry of add...

raji_toor by L4 Transporter
  • 2834 Views
  • 1 replies
  • 0 Likes

IPSEC s2s VPN between VM-50 and PA-3220

We've done plenty of s2s IPSEC VPN tunnels between our DC firewalls and branch offices. I have a new branch office which we are configuring the same way as the others, yet the IPSEC VPN is not operating as expected. The tunnel is showing as up and the IKE Phase 1 & 2 are successful. However, on both firewalls, when I go into Tunnel Info all ...

popeja by L2 Linker
  • 2769 Views
  • 3 replies
  • 0 Likes

MS Active Directory Security Group Changes Not Applying over VPN w/ prelogon

Our organization has been struggling with getting MS AD security group changes to apply over VPN w/ prelogon enabled for a long period of time now. I have had support tickets in with Palo support and MS support. Palo support has determined via Globalprotect logs, prelogon appears to be functioning properly and no traffic for this function is bei...

Palo Alto blocks legitimate applications

Hi everyone, We have defined Risk App block rule which contains the app by risk category, characteristics and vice versa. After upgrading PA to 10.1.5-h1 version it starts to block ssl, web-browsing, google-base, whatsapp and other apps which are not among apps which are blocked by my defined rule. I've looked for matching apps in app filters, but t...

OGasimli by L0 Member
  • 2496 Views
  • 1 replies
  • 0 Likes

Okta has 400+ IPs that are all /32. Looking for an EDL solution

Has anybody figured out an EDL to allow communications to Okta without manually entering the whole list? My customer is using Okta for MFA and the Okta Portal uses a whitelist so they have policies that anything hitting Okta should use ip x.x.x.x. This is legacy config from a newly replaced firewall. FQDN Address objects are only reporting 2 I...

No change in retention of summary log after the log storage allocation update

Current panorama and log-collector issues. Panorama – mgmt. server only – SW-version: 9.1.12-h3. Log-collectors: PAN02- – PAN03 – same SW version as Panorama. 1. The summary log retention days did not change after the log storage allocation update. PAN02> show log-diskquota-pct cfg.diskquota.pct.config: 25.000 cfg.diskquota.pct.detailed: 80.000 -->...

Pras by L4 Transporter
  • 2971 Views
  • 3 replies
  • 0 Likes

Cortex XSOAR search "contains" instead of "equals"

Hello, is there a way to search a Domain in Minemeld with "contains" instead of "equals"? As example: We have entered "*.blabla.com" in one of our Nodes. I would like to search for blubb.blabla.com - which of course does not match. Also "blabla.com" will not work... Does anyone have any idea about it? Thanks

Apply QOS for a particular Server published to internet

Hi Team, We have an SFTP server behind our firewall and it's NATed to one of the interfaces of the firewall, we need to restrict the bandwidth to the SFTP server from Internet. When clients from internet connect to the server for downloading files they will be restricted to use 10 Mbps only. The generic KB is not helping in this case. Thanks, Sam

Resolved! DH Group 24 phase 2

Hi all, could you confirm that pan does not support dh group 24 in phase 2? I've a peer that (just a test, is an android device with native ikev2 psk vpn configured) asks for that group and I got this error: DH group id 24 != 20, responding with INVALID_KE_PAYLOAD. Thanks

N2Z2 by L2 Linker
  • 4090 Views
  • 1 replies
  • 0 Likes

Palo Alto Network Service Route IP List

Hello all, please excuse me if I am posting this question in the wrong section. This is my first LIVEcommunity post and I wasn't sure about the section I chose. Several of our customers would like to know exactly which Palo Alto Network services are hosted where. The customers found out that some services are hosted in Amazon IP ranges and they wo...

ThorbenH by L0 Member
  • 2139 Views
  • 1 replies
  • 0 Likes