SSLlabs test is blocked on decryption with F5 passthrough

https://live.paloaltonetworks.com/t5/general-topics/extra-certs-inbound-decryption/m-p/457936

Adding to the previous discussion with same setup where PA is doing decryption and the F5 is doing SSL bridging/offload while proxying for the server behind

Custom URL Categories - ending tokens

Let's say we want to match a domain in a custom URL category or EDL, including all sub-domains. While most people would expect "youtube.com" to do the job, in a PAN-OS this would only match youtube.com and not content.youtube.com. To achieve the resu

QoS priority - 'real-time' vs 'high'

Hi,

What is the difference between 'real-time' and 'high' priority than? Will there be any difference under similar circumstances when you have 100 Mbit/s MAX egress and 50 Mbit/s guarantee, while actual traffic matching this class exceeding 100 Mbit

User Mapping on Mac with M1 chip in domain

Hi All,
I joined Macbook on m1 chip to the domain and the firewall don't recognize user (Don't work user-mapping). I can't apply policy which works via users.

We have 3 Mac's on m1 chip with the same problem. Also checked on Mac with intel - no proble

Newbie: VPN on PanOS 10

Hi everyone,

This is probably trivial, but I am fairly new to this so bear with me:

I would like to set up the PA firewall as a VPN server for users to connect to (ideally, using only the built-in windows client). After authentication they should have

PANOS 9.1 know issue PAN-83610 network processor

PAN-83610

In rare cases, a PA-5200 Series firewall (with an FE100 network processor) that has session offload enabled (default) incorrectly resets the UDP checksum of outgoing UDP packets.
Workaround: In PAN-OS 8.0.6 and later releases, you can persist

Maintenance mode

When we try to access maintenance mode keeping "M" press the device just stop booting and nothing appears on console. Then if I press the M after some seconds just normal boot. We also try typing "maint" but no luck

VWire Radius (NPS) via Mgmt

Happy 2022 ! 

We've just setup VWires for our branches firewalls (A/A Layer 2), no ip address on any interfaces except :

- Mgmt (routable and managed by Panorama)

- HA1-3 (non-routable address) 

Most of the device management (SNMP, NTP and etc via Mgmt

Downgrade from 9.1.12.h3 version to 9.1.9

Hi All,

I have decided to upgrade my Palo Alto 850 from version 9.1.9 to 9.1.12.h3 but after the secondary Palo Alto upgrade facing an issue where interface are not getting up so my team decided to roll back to version 9.1.9. Should my configuration

PANOS 8.0.x restart IPSEC tunnels from GUI

Dear all,

we found out that we are not able to restart VPN tunnels in PANOS 8.0.x from GUI because its grayed out and it is an expected behavior as you can see the message "Restart disabled because OK".

The conclusion is that on version 8.0.x it's no

Remote backup issue

I am trying to backup the config from a remote backup server. The backup file is generating but no config showing in the file. Instead when I open the xml file, I can see this    " <?xml version="1.0"?>  -<response code="403" status="error">  -<resul

Kerberos SSO for Captive Portal

Been working through options for gathering userID data on non-domain-joined machines lately, so here's another complete option using Kerberos (krb) SSO.

Create a user in AD (my example, username: krb.palo), check the boxes for:

• User cannot change pass