General Topics
Post a discussion here if you have general questions regarding configuration and troubleshooting for Palo Alto Networks products. Use this forum to collaborate with like-minded security professionals to improve your security posture.

Discussions

Sometimes the user is authenticated, sometimes not, in Palo Alto

Hey guys, one of my customers has an issue regarding the source user; let me explain in detail. There is one user with four Outlook accounts. In three of them the internet works properly, but when he selects one account in Outlook and checks, the internet connectivity is gone, and in the logs the traffic is going through a cleanup rule, which is the last ...

Online payment with SSL decryption

Hi, we have SSL decryption enabled on our PA NGFWs, but our users have reported issues relating to online payment transactions. We have worked around this by creating a whitelist to bypass decryption, but as more sites offer payment facilities online, it will eventually become unfeasible to maintain a bypass list. What is Palo's approach to dealing...

Joe_Ng by L1 Bithead
  • 3316 Views
  • 3 replies
  • 0 Likes

Site to Site VPN | Remote traffic hidden behind remote peer

I'm almost done with a Cisco ASA to Palo Alto site to site VPN migration project. What I am having an issue with is once a tunnel is built, traffic from the remote side is coming out of the tunnel, hidden behind the remote peer, a typical hide-nat. For instance, Peer IP = 1.1.1.1, ProxyID (remote) = 1.1.1.1. How do I get this to work in PanOS? It w...

Internal Host Detection in GlobalProtect

I am confused by the official GlobalProtect documents. From the GlobalProtect troubleshooting guide: Internal Host Detection. Internal Host Detection provides hints to GP client to determine quickly if the PC is inside or outside office. If it is not configured, GP client will always try to connect to each internal gateway first. If it fails to connect to ...

linusso by L1 Bithead
  • 33793 Views
  • 4 replies
  • 0 Likes

PBF Dual ISP, inbound NAT broke with spoofing protection enabled

Having an issue where we implemented PBF for dual ISPs on an HA pair that already had inbound NATs configured. When we did this the inbound NATs broke and I found this article: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClzeCAC which basically said to remove the interface from the PBF specific route, which I did but...

drewdown by L4 Transporter
  • 6441 Views
  • 6 replies
  • 0 Likes

Userid timeout - renew action

How can a user trigger/renew UserID? Is there some action a user can take on the PC that would trigger UserID renewal? Rebooting is one way and has resolved this the couple of times this issue was reported to me. I think log off and log on should also work. Or installing the GlobalProtect agent, which we don't want to do on every system. So I am looking for som...

raji_toor by L4 Transporter
  • 2104 Views
  • 1 replies
  • 0 Likes

HA4 Clustering to present a single NAT IP across two Data Centres

Can anyone who is using the HA4 cluster in production to present the same external NAT IP across 2 data centers give any advice on how they are doing the routing? I saw in the docs that some of the security functions don't work if the traffic is asymmetric. Obviously the easy answer is to push all the traffic to one DC. Is that how people do...

Rich.H by L2 Linker
  • 4500 Views
  • 3 replies
  • 0 Likes

Connect to GlobalProtect VPN using Verizon MiFi

Can you use a Verizon MiFi to connect to a GlobalProtect VPN tunnel? This is so they don't have to install the GP client on their PC. We do not have licensing for GP to be used on phones, and to me a MiFi is kind of a glorified phone.

jdprovine by L4 Transporter
  • 5433 Views
  • 4 replies
  • 0 Likes

GP 5.2.5 Error authentication check failed

Hi Team, we have GP 5.2.5 on PAN OS 9.1.7. Connection method is pre logon then on demand. In the GP GUI logs I see the error "Error authentication check failed for ( eventid eq gateway-hip-check )" even though we do not have HIP check enabled on the GP. Is this error by design? How can I get rid of this error from the GUI logs? Any config I need to modify?

Resolved! log at session end?

I have around 500 policies having 'log at session end' enabled and 'log at session start' disabled. I know Palo recommends logging at session end only, but I also have a concern that, e.g., a malicious file export that lasts for 8 hours and 10 gigs goes unnoticed if the session wasn't logged at the start. I am in a dilemma to enable the logging at ...

Resolved! IPv6 dual stack configurations.

Hello, I want to achieve IPv6 dual stack configuration on PA-850. What are the requirements for this type of configuration? IPv4 traffic will hit our IPv4-configured WAN IP and IPv6 traffic will hit our IPv6-configured WAN IP. Please enlighten me on how I can achieve my requirements. @SutareMayur @JoergSchuetter @kiwi @BPry @Brandon_Wer...

  • 24393 Posts
  • 123 Subscriptions