General Topics
Post a discussion here if you have general questions regarding configuration and troubleshooting for Palo Alto Networks products. Use this forum to collaborate with like-minded security professionals to improve your security posture.
cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
General Topics
Post a discussion here if you have general questions regarding configuration and troubleshooting for Palo Alto Networks products. Use this forum to collaborate with like-minded security professionals to improve your security posture.
About General Topics
Post a discussion here if you have general questions regarding configuration and troubleshooting for Palo Alto Networks products. Use this forum to collaborate with like-minded security professionals to improve your security posture.

Discussions

Is Palo Alto Globalprotect Always On mode possible only for the portal?

Hello to All, Is it possible to set the Globalprotect Always-ON mode enable Single Sign On, so that the user automatically logs into the portal but after that the user to need to authenticate to the gateway? The idea is that for the portal and gateway different authentication methods are used and the gateway authentication method does not use ...

Resolved! panos 10.0.5 can't commit firewall changes

Hi, I'm brand new to PA firewalls. Have a new pair of 3220's in active-passive HA. This is not in production. We are using them to learn on and eventually, hopefully later in the year move to production, replacing an active-passive Cisco ASA. I have two 10gbps fiber links to both our core switches in an mlag at the switch (so it looks like a ...

ksauer507 by L3 Networker
  • 5190 Views
  • 2 replies
  • 0 Likes

DNS Proxy inheritance source

I want all devices on one of my interfaces to use my DNS servers, regardless of their configuration. Seems pretty simple, but I'm stuck.I can edit and OK/OK out of the DNS proxy dialogs (PANOS 4.1.2), but commit fails with "Inheritance source needs to be specified."The only option I have for "Inheritance source" is "None." I can only choose "Inh...

rgraves by Not applicable
  • 10917 Views
  • 3 replies
  • 0 Likes

GlobalProtect OCSP validation not working

Hi, OCSP verification configured in a Certificate Profile on my Palo Alto 3020 doesn't seems to work. My GlobalProtect configuration with pre-logon is working with machine certificate but when I want to see the status of the OCSP cache on the Palo, I've an unavailable status : debug sslmgr view ocsp allCurrent time is: Thu Feb 2 10:21:28 2017Cou...

ocsp-request.png
ocsp-response.png

Resolved! Route selection algorithm

Hi everyone! I have a question about PA virtual router logic. For example, I have two static routes 0.0.0.0/0 AD 10 metric 10 next hop 1.1.1.10.0.0.0/0 AD 10 metric 10 next hop 2.2.2.2 ECMP disabled. All dynamic routing protocols are disabled. Which of these two routes will be chosen and why? Does anybody know how the firewall selects the route ...

Check Log storage per day

Hi guys, Is there any way to find out stored log size per day? on show system logdb-quota command, there are full data stored size there.I'd like to know how much size for log storage per day. Thanks,

Kang_Han by L1 Bithead
  • 9769 Views
  • 2 replies
  • 1 Likes

Is it possible ! How to get internet from dhcp client with vlan

Hello Friends ! I am new to palo alto network ,i starting to understand and learn palo alto network firewall some time back .I have setup a firewall panos 9.04 on ubuntu with kvm using bridge connection and vlan ( i want to setup a passthroguth but due to iommu group i am fail to do so)my isp (with rj 45) is providing me dhcp address with vla...

shrikant by L2 Linker
  • 5514 Views
  • 7 replies
  • 0 Likes

Remote Access VPN - Strongswan client to PA GP Gateway

Is it possible to access a GlobalProtect gateway using the strongswan client on Ubuntu 16.04 LTS? I am trying to use ikev2 and use certificate authentication. PA guidance suggests it is possible using Ubuntu 14 and PAN-OS7 but I can see no guidance for later versions.

CC2021 by L0 Member
  • 2679 Views
  • 2 replies
  • 0 Likes

Resolved! Applications Depends On Column - Prelogon Policies

I am trying to setup prelogon and have a question about the sec policies described in Step 2 of this guide: https://docs.paloaltonetworks.com/globalprotect/9-0/globalprotect-admin/globalprotect-quick-configs/remote-access-vpn-with-pre-logon.html I assume the source zone would be VPN (applied to tunnel) and the destination zone is Trusted (inte...

MichaelMedwid_0-1618764222665.png

Blocking outside-to-outside blocks ping from outside interface. Is that ok?

Hi Gang, First, thanks for having a look and a big thank you for taking the time to respond. I recently created a security policy rule that blocked outside-outside zone traffic. I did this due to outside traffic that did not match any NAT rules, for some reason, ended up matching the intrazone-default rule. Although this effectively allowed such...

GlobalProtect Use Connect Before Logon is not compatible with Pre-logon(Always On) ?

Hello to All, We are use globalprotect with Always-on and "Enforce GlobalProtectfor Network Access" and blocking the users to delete or disable the globalprotect app. This way we are forcing them to always use the VPN. We are planning to test "Connect Before Logon" but the strange thing is ''Pre-logon(Always On)'' is not mentioned as to not be ...

Resolved! Certificate Validation not working

Hi all,hope you are doing well!I've a little probelm with the certificate validation.I've changed the DDNS provider to a custom one bit certifiate validation dows not work.PAN OS: 10.0.5First what I've done on CLI:set network interface ethernet ethernet1/1 layer3 ddns-config ddns-vendor-config dyn-api-host value updates.dnsomatic.com set network...

Image 4.png
Image 5.png
Image 3.png
Image 2.png

Is PANOS 9.1.6 is vulnerable for wreck security vulnerability?

Hi guys, Im having a query whether any of the PAN OS has the vulnerability as wreck in Palo alto network firewall. If so kindly update me here.I have searched with the PAN Advisory as well as other portals. like these https://www.cvedetails.com/vulnerability-list/vendor_id-12836/product_id-26167/Paloaltonetworks-Pan-os.html but no luck. So incas...

Resolved! About DNS security

Hello Bros, I my network and my firewall 3220 setup I have a question regarding the DNS security feature.If you go through creating an anti-spyware profile, and exactly in the DNS signature what is the difference between DNS signature source "Palo Alto networks content DNS signature sinkhole as an action" and " Palo Alto network D...

Hybrid model (where some exchange mailboxes are hosted in Microsoft 365) (using DNAT) Palo Alto inspect the traffic be regarded secure enough?

We have clients who want a Hybrid model (where some exchange mailboxes are hosted in Microsoft 365) rather than full blown integration. Would the proposed solution (using DNAT) with the sources constrained to the Microsoft approved IP/URL list and having the Palo Alto inspect the traffic be regarded secure enough?

NavidAlam by L3 Networker
  • 3521 Views
  • 2 replies
  • 0 Likes
  • 24396 Posts
  • 123 Subscriptions
Top Solution Authors
Labels