General Topics

Discover LIVEcommunity Through Our New Animated Explainer Video!

We’re thrilled to unveil a brand-new animated video that highlights everything LIVEcommunity has to offer! This short and engaging video gives you a quick tour of the many resources available in our vibrant community — from interactive discussions and customer journey guides to the Cyber Elite program and Member Spotlight features. Whether ...

Resolved! Error No valid URL filtering license

Hi All, Recently license has been renewed and part of the renewal was change to "Advanced URL Filtering". I got the error whenever commit a change. But looking at the licenses section I can see PAN-DB URL Filtering listed as expired. Any step to fix this issue or I need to check with TAC?Thanks !!

Resolved! QoS - show drops in web view

Hi there, where can I find the packet drops of an interface in the PA web frontend, I wanna monitor the QoS function, without the use of ssh command line tool.

URL allow list for some of the subdomains

Hi all I want to limit the user to access the company's sharepoint only, but not other sharepoint from other tenant or even the sharepoint from personal account. Then I found the below KB (section 6) and show how to use allow list in the URL filtering profile to block *.sharepoint.com but allow company.sharepoint.com. But I cannot find the allow...

Decryption GitHub not working

Hi We are trying to run a api from passbolt to Github. In this we are doind decryption in PA. If we add a SSL exception *.github.com is working fine or "no decrypt" policy is working fine. any idea? Here our health check: passbolt]# su -s /bin/bash -c "./bin/cake passbolt healthcheck" nginx ____ __ ____/ __ \____ _____ ____/ /_ ____ / / /_/ /_...

Resolved! Panorama logs per second

Does upgrading the CPU and memory for panorama increase the logs per second that a single virtual panorama in panorama mode can handle? Link below appears to show that as the case. I always thought that the limits were around 10k per second regardless. Upsizing specs must increase that? https://docs.paloaltonetworks.com/panorama/10-1/panor...

Layer 2 interface vs Virtual Wire

Virtual wire mode, the interfaces assigned to virtual wire are transparent mode.Layer 2 interfaces: interfaces can assigned to different zone.

Resolved! Replace PA-5060 HA pair with a PA-5220 HA pair appliances while keeping the same config and having minimum down time.

Hello,What is the best practice to replace a HA pair appliance with a different model HA pair appliance, where the configuration must be the same and down time must be kept to minimum.Is there a guide that outlines the recommended process?Thank you

DNS resolution stops working as long as GlobalProtect connected

hello guys, Some of the users got the DNS issue for the external websites after globalprotect connected, the users are able to ping the external IP address but just the DNS does not work.There was no change applied to the Firewall recently and only a few users got this issue.not sure if someone else got the same issue and how did you fix that? T...

Strict IP Address Check after 9.1.12

Customer upgraded to 9.1.12 and after that it was noticed that for some of the zones, traffic was dropped. During debug,it was concluded that reason is Strict IP Address Check in the Zone Protection Profile:"flow_dos_pf_strictip 1 0 drop flow dos Packets dropped: Zone protection option 'strict-ip-check'"In the 9.1.12 release notes it is noted:PA...

Why Did Strict IP Address Check Break this VPN?

We have been working with TAC to find the cause of this issue where FTP client could no longer upload to external companies FTP server over the VPN tunnel. After many days, we started a packet filter on the Public Internet (WAN) interface, which is a different zone from the tunnel interface, and were still seeing drops due to "flow_dos_pf_stric...

Internal error when attempting to do commit action

Hi guys, I've received an "Internal error" when trying to attempt to commit to applying policies changes. "Internal error (module device) that's all I got. Can you please help me with this?

Resolved! refresh external dynamic list real time with cli

Hi,I need to update in real time the external dynamic list IP. Looking for this doc https://docs.paloaltonetworks.com/pan-os/9-0/cli-reference/pan-os-9-0-configure-cli-command-hierarchy.html and cli command "find command keyword",didn't see any command help me to do the issue.I think take a cli command and execute them with api request solve my ...

Resolved! FIPS Failure upon boot

One of devices was not properly shut down due to a power outage in a building. When the device started back up, it appears that it entered maintenance mode. The reason is FIPS failure. I have attempted to reboot the device from maintenance mode and appeared to work (was able to get to the normal prompt for asking password when attempting ssh)...

QoS max egress, no effect

Hi there, I'm playing with QoS in our lab. I have a simple setup with two queue, first for SMB traffic, second for RDP traffic.The max egress value is set, but when I transfer data, then both queues get bandwith values. What I am doing wrong here?

active-directory-base application isn't match traffic when services/URL Category is set to "application-default" in security rule

Hello,I use a Firewall at version 10.0.8-h8. I wrote a rule to allow the application "active-directory-base" (which contains several ports) in the application section then "application-default" in the services/URL category section as recommended by PA. The observation I made is that the flow never matches this rule. It is even dropped by the int...

Discussions

Discover LIVEcommunity Through Our New Animated Explainer Video!