Does GlobalProtect refresh USER-ID bindings mid session?

The GlobalProtect section of the Admin guide for PAN-OS 8 says the following:For mobile or roaming users, the GlobalProtect client provides the user mapping information to the firewall directly. In this case, every GlobalProtect user has an agent or app running on the client that requires the user to enter login credentials for VPN access to the...

SD-WAN Hardware Change / Migration

We have been running SD-WAN since release a year or so ago, regular PAN-OS SD-WAN not Prisma SD-WAN. All the sites were deployed with PA-220 at the time, but we are rolling more sites in and I need to swap a couple of the PA-220s with a PA-440. Anyone done a hardware replacement of an SD-WAN device, that is being repurposed? I followed along t...

How to deploy the Palo Alto Firewall in GNS3

I want to download and install the PA-VM-KVM-8.1.3.qcow2 file on GNS3 but I`m not allowed to.Can anyone please tell me the steps to getting a PA-VM for GNS3?

Replacing the Revoked QuoVadis Intermediate Cert

For the benefit of anyone else who was using a QuoVadis certificate for their GlobalProtect portals/gateways (or presumably decryption), the process of replacing that intermediate is surprisingly easy. Just import the new intermediate certificate using exactly the same name as the old intermediate certificate and it simply gets replaced. Which s...

Device showing not connected in Templates

Sometime is user authenticate sometime is not in Paloalto

Hey, guys, one of my customer have an issue regarding the Source user let me explain in detail. There is one user having four outlook account in three of them the internet working properly but in one account he selects in outlook and checks the internet connectivity gone and in the logs the Traffic going through a cleanup rule which is the last ...

Online payment with SSL decryption

Hi We have SSL decryption enabled on our PA NGFWs but our users have reported issues relating to online payment transactions. We have worked around this by creating a whitelist to bypass decryption but as more sites offer payment facilities online, it will eventually become unfeasible to maintain a bypass list. What is Palo's approach to dealing...

Site to Site VPN | Remote traffic hidden behind remote peer

I'm almost done with a Cisco ASA to Palo Alto site to site VPN migration project. What I am having an issue with is once a tunnel is built, traffic from the remote side is coming out of the tunnel, hidden behind the remote peer, a typical hide-nat. For instance, Peer IP = 1.1.1.1ProxyID (remote) = 1.1.1.1 How do I get this to work in PanOS? It w...

Internal Host Detection in GlobalProtect

I am confused with GlobalProtect offical documents.From GlobalProtect troubleshooting guide:Internal Host DetectionInternal Host Detection provides hints to GP client to determine quickly if the PC is inside or outside office. If it is not configured, GP client will always try to connect to each internal gateway first. If it fails to connect to ...

Need to know the Response SLA OR Resolution SLA for high severity case

Need to know the Response SLA OR Resolution SLA for high severity case

PBF Dual ISP, inbound NAT broke with spoofing protection enabled

Having an issue where we implemented PBF for dual ISPs on an HA pair that already had inbound NATs configured. When we did this the inbound NATs broke and I found this article:https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClzeCAC which basically said to remove the interface from the PBF specific route which I did but...

What process is responsible for Rest API communication?

Hello We use monitoring consulting the Rest API but we are having high management CPU usage. In case we are saturating it, what process is responsible for this? Because I was to make sure we arent overloading it. Thank you

Userid timeout - renew action

How can a user trigger/renew UserID? Is there some action a user can take on the PC that would trigger UserID renewal. Rebooting is one way and has resolved this couple of times I was reported this issue. I think logoff and Log on should also work. Or installing globalprotect agent, which we don't want to on every system. So I am looking for som...

HA4 Clustering to present a single NAT IP across two Data Centres

Can anyone who is using the HA4 cluster in production, to present the same external NAT IP across 2 data centers give any advice on how they are doing the routing. I saw in the docs that some of the security functions don't work if the traffic is asymmetric. Obviously the easy answer is to push all the traffic to one DC. Is that how people do...