General Topics
Post a discussion here if you have general questions regarding configuration and troubleshooting for Palo Alto Networks products. Use this forum to collaborate with like-minded security professionals to improve your security posture.
cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
General Topics
Post a discussion here if you have general questions regarding configuration and troubleshooting for Palo Alto Networks products. Use this forum to collaborate with like-minded security professionals to improve your security posture.
About General Topics
Post a discussion here if you have general questions regarding configuration and troubleshooting for Palo Alto Networks products. Use this forum to collaborate with like-minded security professionals to improve your security posture.

Discussions

Help with using URL Category as part of a rule.

I'm trying to change my rules for allowing outgoing SFTP connections from using IP's to using URL's as more and more vendors are going to AWS and such and locking into an IP address doesn't work. I cloned my current working rule which says server x.x.x.10 can connect to IP's z.z.z.1, z.z.z.2, etc using the applications SSH and enhanced file tra...

Walt by L1 Bithead
  • 4360 Views
  • 2 replies
  • 0 Likes

Captive Portal Error Android - Iphone

Good afternoon, please your support, I have the following problem:I configured the captive portal function. Pan OS: 9.1.9 All the corresponding configurations were made, certificate, ssl decrypt, authentication rules, decrypt rulesIf I connect to a Wireless signal from a laptop, when I open Crome, Edge or IE, I look for a site and I jump the Pal...

Metgatz by L4 Transporter
  • 4013 Views
  • 1 replies
  • 0 Likes

eBGP between remote Palo Alto devices.

Folks,Similar to Cisco routers we are checking if we can form remote eBGP neighbors between Palo Altos located in different DC's.One PA is located in DC-01 and the second is located in DC-02 We are looking at this design to as both these Palo's form BGP on a IPSec tunnel to a customer location. As of now the failover is manual and we should be a...

nson2139 by L3 Networker
  • 4929 Views
  • 4 replies
  • 0 Likes

Resolved! PA and icap?

Hello world,is there a chance/way of talking icap between my squid and the PA?Thanks a lotMarcus

Resolved! Test Mail getting failed

Dear Team, We have tried to create a email scheduler, We don't have a local SMTP server. We getting the below error, Please find the packet flow below. c2s flow: source: 10.1.1.5 [LAN] dst: 172.217.194.109 proto: 6 sport: 56175 dport: 25 ...

VishnuPS_0-1630582731903.jpeg
VishnuPS by L3 Networker
  • 9779 Views
  • 2 replies
  • 0 Likes

Disable Weak cipher suite

Has anyone had success getting past a B on ssllabs for the globalprotect web portal # TLS 1.2 (suites in server-preferred order)TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014) ECDH secp256r1 (eq. 3072 bits RSA) FS WEAK256TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x39) DH 2048 bits FS WEAK When i disable Weak cipher suite i got this error pleas...

Joshan_Lakhani_2-1597424067542.png

GlobalProtect Portal SSL in PANOS 8

Hello all, I have noticed an important difference in PANOS v8.0 in comparison with PANOS 7.x.x concerning the SSL settings for the GlobalProtect portal. More specific, the famous site for SSL Server tests, Qualys SSL Labs presents PANOS 7.0.x with Grade A-, while for PANOS 8.0.x the grade is lowered to Grade B (worst). This happends because, whi...

ggoudr by L2 Linker
  • 6403 Views
  • 4 replies
  • 1 Likes

GlobalProtect Split tunneling support on Chrome OS

We have implemented split tunneling in GP configuration for operating systems including Windows, iOS, and ChromeOS. It is working on all devices except Chromebooks. Doing further research, we are not very clear whether split tunneling is supported on Chrome or not. On Chromebooks we are using the "GlobalProtect for Android" app. Because there do...

JatinSingh_1-1630476320899.png
JatinSingh_0-1630476280089.png

Resolved! FQDN with 80 characters not resolving in Address object

Hi All, I have a client running PAN OS 8.1.3 Panorama 9.1.3, that is trying to implement an Address object with an FQDN that is 80 characters long. When clicking the resolve button in the Address object GUI it does not resolve. When running the command 'request system fqdn show' or a ping to those domain's they do resolve in the CLI. All other F...

Ben-Price by L4 Transporter
  • 4379 Views
  • 2 replies
  • 0 Likes

Gmail, Me email not being allowed through on Mac Mail

Hi, I use gmail.com and me.com for email. when I used the web interface, no problem at all. But when I use my Mac (OS X 10.6.6) Mail client 4.4, however I for some reason or another the client cannot access these two email accounts it just times out. They are both configured for SSL using 993 so nothing unusual here. The PA is configured to allo...

djbisbey by Not applicable
  • 5343 Views
  • 3 replies
  • 0 Likes

Resolved! Exclude all Zoom traffic from GlobalProtect VPN

We have been trying to exclude all Zoom-related traffic from the GlobalProtect VPN tunnel. So far we have tried with: "*.zoom.us" exclusion configured directly on the GP gateway as a domain in:Network --> GlobalProtect --> Gateways --> GW NAME --> Agent --> CLient Settings --> Split tunnel --> Domain and Application But this...

MarcelST by L3 Networker
  • 73561 Views
  • 59 replies
  • 0 Likes

User-id agent secure connection using enterprise CA

We are using one user-id agent for four locations and want to use enterprise CA cert to resolve vulnerability detected on port 5007.https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClGFCA0 Have below queries :1. Can we generate CSR on firewall and signed the same on enterprise CA , how we can create root cert in this cas...

Deepak25 by L3 Networker
  • 3537 Views
  • 2 replies
  • 0 Likes

U-turn Nat between isolated networks

Hey Guys and Gals I am having an issue getting u-turn nat to work between two isolated networks on the same Palo. I am basically tiring to allow Interanal clients to access a webcam server in a IoT network. I think might issue might be that I need to add a Statement in my Virtual Route or a Policy Based Routing rule. Though the reality is that...

u-turn Nat.jpg
trees by L1 Bithead
  • 6077 Views
  • 3 replies
  • 1 Likes

Palo Alto multiple configuration for log forwarding

Hello, I am in the process of setting up a server for syslog relay to Azure Sentinel. Currently my Palo Alto systems forward their CEF logs to LogRythm. I am looking for a way to set up my Palo Alto to forward the same logs to the new syslog relay server. My question is does Palo Alto allow configuration for forwarding to multiple SiEMs at the s...

Ematek by L0 Member
  • 2235 Views
  • 1 replies
  • 0 Likes
  • 24393 Posts
  • 123 Subscriptions
Top Solution Authors
Labels