Replacing the Revoked QuoVadis Intermediate Cert

For the benefit of anyone else who was using a QuoVadis certificate for their GlobalProtect portals/gateways (or presumably decryption), the process of replacing that intermediate is surprisingly easy. Just import the new intermediate certificate using exactly the same name as the old intermediate certificate and it simply gets replaced. Which s...

Device showing not connected in Templates

Sometime is user authenticate sometime is not in Paloalto

Hey, guys, one of my customer have an issue regarding the Source user let me explain in detail. There is one user having four outlook account in three of them the internet working properly but in one account he selects in outlook and checks the internet connectivity gone and in the logs the Traffic going through a cleanup rule which is the last ...

Online payment with SSL decryption

Hi We have SSL decryption enabled on our PA NGFWs but our users have reported issues relating to online payment transactions. We have worked around this by creating a whitelist to bypass decryption but as more sites offer payment facilities online, it will eventually become unfeasible to maintain a bypass list. What is Palo's approach to dealing...

Site to Site VPN | Remote traffic hidden behind remote peer

I'm almost done with a Cisco ASA to Palo Alto site to site VPN migration project. What I am having an issue with is once a tunnel is built, traffic from the remote side is coming out of the tunnel, hidden behind the remote peer, a typical hide-nat. For instance, Peer IP = 1.1.1.1ProxyID (remote) = 1.1.1.1 How do I get this to work in PanOS? It w...

Internal Host Detection in GlobalProtect

I am confused with GlobalProtect offical documents.From GlobalProtect troubleshooting guide:Internal Host DetectionInternal Host Detection provides hints to GP client to determine quickly if the PC is inside or outside office. If it is not configured, GP client will always try to connect to each internal gateway first. If it fails to connect to ...

Need to know the Response SLA OR Resolution SLA for high severity case

Need to know the Response SLA OR Resolution SLA for high severity case

PBF Dual ISP, inbound NAT broke with spoofing protection enabled

Having an issue where we implemented PBF for dual ISPs on an HA pair that already had inbound NATs configured. When we did this the inbound NATs broke and I found this article:https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClzeCAC which basically said to remove the interface from the PBF specific route which I did but...

What process is responsible for Rest API communication?

Hello We use monitoring consulting the Rest API but we are having high management CPU usage. In case we are saturating it, what process is responsible for this? Because I was to make sure we arent overloading it. Thank you

Userid timeout - renew action

How can a user trigger/renew UserID? Is there some action a user can take on the PC that would trigger UserID renewal. Rebooting is one way and has resolved this couple of times I was reported this issue. I think logoff and Log on should also work. Or installing globalprotect agent, which we don't want to on every system. So I am looking for som...

HA4 Clustering to present a single NAT IP across two Data Centres

Can anyone who is using the HA4 cluster in production, to present the same external NAT IP across 2 data centers give any advice on how they are doing the routing. I saw in the docs that some of the security functions don't work if the traffic is asymmetric. Obviously the easy answer is to push all the traffic to one DC. Is that how people do...

Captive portal asking credential for known users

Captive portal asking credential for known users, what is the solution

Wildfire Events "failed to establish or resume a secure session"

Hello I Have a Cluster active-passive PA-820 version 10.0.7 I am receiving the following system events continuously I have configured eu.wildfire.paloaltonetworks.com and wildfire.paloaltonetworks.com but the problem persists. Can someone help me? Thanks so much

Connect to globalprotect vpn using verizon mifi

Can you use a verizon mifi to connect to a globalprotect vpn tunnel? This is so they don't have to install the gp client on their pc. We do not have licensing for gp to be used on phones and to me a mifi is kind of a glorified phone.

GP 5.2.5 Error authentication check failed

Hi Team, We have GP 5.2.5 on PAN OS 9.1.7Connection method is pre logon then on demand.on GP Gui logs i see error Error authentication check failed for ( eventid eq gateway-hip-check ) Even though we do not have hip check enabled on the GP.Is this error by design?how can i get rid of this error from gui logs?any config i need to modify?