General Topics
Post a discussion here if you have general questions regarding configuration and troubleshooting for Palo Alto Networks products. Use this forum to collaborate with like-minded security professionals to improve your security posture.

Discussions

Discover LIVEcommunity Through Our New Animated Explainer Video!

We’re thrilled to unveil a brand-new animated video that highlights everything LIVEcommunity has to offer! This short and engaging video gives you a quick tour of the many resources available in our vibrant community — from interactive discussions and customer journey guides to the Cyber Elite program and Member Spotlight features. Whether ...

kiwi by Community Team Member
  • 4125 Views
  • 0 replies
  • 0 Likes

Missing Secure Flag on the SSL Cookie after a vulnerability assessment ran on PA820

In my case, the team is performing a vulnerability assessment on PA820. Vulnerability Title: Missing Secure Flag From SSL Cookie. Description: The Secure attribute tells the browser to only send the cookie if the request is being sent over a secure channel such as HTTPS. This will help protect the cookie from being passed over unencrypted requests....

Barracuda to Palo Conversion

I've tried searching but have not been able to find much information. Does anyone have experience converting a Barracuda ng800 to Palo Alto? I'm working with someone that just received a pair of PA-5200 series firewalls and wants to move their Barracuda config over to them. I don't think Barracuda is a supported firewall type in Expedition, but ma...

Resolved! GlobalProtect Certificate to Encrypt and Decrypt Cookies

Hi All, I'd like to find out what type of certificate you need if you are configuring Authentication Override for GlobalProtect Portal and Gateway. That is, for the option to specify a certificate to Encrypt/Decrypt Cookie (screenshot below), does this need a Machine Certificate, Web certificate??? Secondly, what is the behaviour if you don't spe...

Bocsa by L3 Networker
  • 20895 Views
  • 5 replies
  • 1 Likes

GlobalProtect multiple gateways

Hi All, Similar to a Cisco ASA tunnel-group configuration where we can have different VPN configurations using the same public IP, I wonder if a similar configuration can be achieved on Palo Alto. My objective would be to configure different gateways using the same public IP address, however I haven't yet grasped how I can specify which gateway to us...

ipsec question

Hello, do I need a tunnel interface for site-to-site VPN? If yes, how can I do that and what is the benefit? Thanks

tifotano by L0 Member
  • 1845 Views
  • 1 replies
  • 0 Likes

destination port in PBF

Is there an option to define destination port in PBF? Now if a service is selected, PA applies PBF if source or destination has that port. I am looking for a PBF which should match only if destination port is 80.

ceapen01 by L2 Linker
  • 2534 Views
  • 3 replies
  • 0 Likes

Dynamic updates not working after RMA replacement - Download Error Problem with local SSL certificate

We recently got an RMA replacement in for a failed PA5250 in HA but we are now noticing that Dynamic updates are not downloading and installing. We get a message in the Panorama Job Schedules section stating "Failed to upload image. Device msg:'Failed to download panup-all-antivirus-3977-4488. Download error:Problem with the local SSL certificate...

cruz77 by L1 Bithead
  • 2388 Views
  • 1 replies
  • 0 Likes

Resolved! Always on Global Protect

Hello All, Looking to get advice on this topic. The idea is to have the users connect via a VPN tunnel regardless of their location, internal LAN or working from home, etc. I need to make it easy on the users so it's not a burden, e.g. having to authenticate to the VPN after logging into their workstations with similar creds. I'm thinking of someth...

Resolved! How to find a URL for session_end_reason eq decrypt-error

I have SSL Decryption and URL Filtering implemented and I see lots of decrypt-errors listed as session_end_reason. Is there a way to see the exact URL that the user was attempting to connect to? That way I can troubleshoot the site and see if an exclusion is needed. Version 9.1.10

exclude a network from static route

Is it possible to exclude a network from a static route? For example, I have static route 10.20.0.0/16 to the core-switch. Unfortunately my management network (including PA) is 10.20.200.0/24. I don't want traffic to 10.20.200.0/24 going to the core switch. Just exclude that network from the route. As it's directly connected to PA, it should take that path by ...

ceapen01 by L2 Linker
  • 4113 Views
  • 3 replies
  • 0 Likes

Knowledge sharing: IP and user TAG Mappings redistribution for DAG / DUG

Hello to All, I see a lot of questions about redistributing IP and user TAG Mappings from Panorama or a firewall to other firewalls. In version 10 this is possible but in older versions only the user id can be redistributed and maybe a REST/XML API script is needed to take the mappings (tag and IP or user) from Panorama/Palo Alto and uploa...

LDAP-S Authentication failed (LDAP-S with TLS1 ?)

Hi, while using LDAP-S (port 636) on a PAN Firewall for a connection to an active directory on a Windows Server 2019 I have the problem that the Firewall just can't connect. If I try the "test" command for testing the authentication profile I get this: Authentication to LDAP server at [....] for user "ldap"Egress: [.....]Type of authentication: ...

maximum length of TACACS User ID

We use TACACS+ server for admin authentication. Is there a limit on the length of an ID? I have one that is 40 characters (we use email IDs). Getting an auth-success log message for this user, but then a Critical "create-admin-acct-error" message: Failed to create local user account for admin user: <40 character email>

cdwing by L1 Bithead
  • 3138 Views
  • 2 replies
  • 0 Likes
  • 24336 Posts
  • 124 Subscriptions