This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
Buy or Renew
Buy or Renew
General Topics
Post a discussion here if you have general questions regarding configuration and troubleshooting for Palo Alto Networks products. Use this forum to collaborate with like-minded security professionals to improve your security posture.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
General Topics
Post a discussion here if you have general questions regarding configuration and troubleshooting for Palo Alto Networks products. Use this forum to collaborate with like-minded security professionals to improve your security posture.
About General Topics
Post a discussion here if you have general questions regarding configuration and troubleshooting for Palo Alto Networks products. Use this forum to collaborate with like-minded security professionals to improve your security posture.

Discussions

Start a conversation

DHCP server issue with PA3020

Hello, I have PA 3020 on which I have configured a DHCP server with about 400 reserving "binding", and IP pool for non reserved.this DHCP server is configured on vlan tagged subinterface.every thing is going well for laptops and PCs "windows", but I have almost with all android phones "Can't get IP address" issue.when I check "view allocation" I...

Resolved! Panorama Pre rule reuse with firewall type but different inside zones

I want to reuse a pre ruleset because all firewalls of a type get these firewall rules. The issue is the inside interfaces are different zone names. Whats the best way to handle that situation while using the "no any zone" best practice? I am alreadly overriding an object-group to specify these zones networks. We cannot override the zones of a p...

trial license for pa-220

Hello guysI m trying to get a trial licence for lab purposes for my personal pa-220Not familiarized with palo alto environment (thats why I bought the pa-220 btw)I don t have an account manager or a ce because I m not a company.More experienced users know how to do it? Regards,

alexwirz by L0 Member
  • 3052 Views
  • 1 replies
  • 0 Likes

Issue With DNS Suffix

Dear Team, The challenge was that we need to do commit with wildcard in dns suffix ie. *.xyz.com but it failed ( PAN OS 9.1.7).For workaround we have removed wildcard. You seen in other firewall with panos 9.1.5 its having dns suffix with wildcard. For resolving dns suffix issue with wildcard, After upgrading to panos from 9.1.5 to 9.1.7 why wi...

Packet capture hitting specific security policies?

I would really like the capability to setup packet captures for traffic that hits specific security rules. For example, we have rules that block outbound connections to Palo's dynamic IP list for known malicious IP addresses and would like packet captures taken when traffic hits that rule. I've not seen that capability and haven't seen a forum p...

Resolved! GlobalProtect Pre-Logon VPN WITHOUT using Machine Certificate for Authentication

Hi, I currently have my lab PA-220 where its configured for prelogon and then on demand for the VPN, and it works just fine with saving cookies for the authentication and authenticates at the windows login screen without any issues. Move to our production PA-220 and we cannot seem to get the pre-logon to connect, and I have mirrored the same set...

Azure CDN (Edge Nodes) list

Hi,I have been asked to import a new IP list within Minemeld; the Azure CDN (edge nodes list).To retreive the list, I have the API documentation here: https://docs.microsoft.com/en-ca/rest/api/cdn/edgenodes/listI am only a beginner when it comes to python programming so I was looking for code examples; is there anything class that implements AP...

dennisss by L1 Bithead
  • 3956 Views
  • 1 replies
  • 0 Likes

Resolved! Palo alto decryption issue

We have an issue with a thick client application (AWS Workspaces client) connecting successfully to the AWS workspace over the internet. The palo alto firewall logs shows the traffic is allowed but the type is 'deny' instead of 'end'. Also session end reason is "decrypt error". Now we think we understand that the URL’s the client application is ...

Revoked Machine Certificate still able to Connect Global Protect Gateway

It appears possible to configure the firewall to be an OCSP responder to itself/clients from the posts below? Is that correct? (Specifically referring to self-signed certificates generated on the firewall) If so, is there any risk to having this service run on an external interface, in order to control/revoke machine certificates? If the need...

Sec101 by L4 Transporter
  • 7827 Views
  • 2 replies
  • 0 Likes

Resolved! DNS Proxy - invalid EDNS response

Hi all, I'm having a issue with the DNS Proxy feature. I'm running a Palo Alto VM (9.1.8) in Azure and want to use the VM as DNS Proxy. As default DNS Server, I want to use AZURE DNS 168.63.129.16. Additionally I have some Proxy Rules for internal Domains via VPN to our On Prem Datacenter (DNS). DNS Lookups for On Prem are fine, but resolution ...

AKufner_0-1616596994150.png
AKufner by L0 Member
  • 6728 Views
  • 3 replies
  • 0 Likes

Test URL -> Operation Failed: URL access error

Ive been reading this forum for similar problems, but seems I have different problem.I must say I had difficulties building this, but now this seems to be the last obstacle.So I got minemeld up and running and its able to get feed and I can access the URL https://"Server IP here"/feeds/o365-worldwide-any-url-feedThen I created new CA for the min...

LassiK_0-1615887365458.png
LassiK_3-1615890134113.png
LassiK_1-1615887417734.png
LassiK_2-1615887442645.png
LassiK by L1 Bithead
  • 3730 Views
  • 1 replies
  • 0 Likes

Resolved! DNS proxy sharepoint domain issue when cache enabled

Hi there, i have some issues with my firewall when using dns-proxy with enabled cache. I cannot resolve sharepoint domains e.g. bitmix.sharepoint.com, but when I disable the cacheoption everything works fine.Does someone have any suggestion how I could solve this?I'm using PanOS 10.0.2

Chris.Ka by L1 Bithead
  • 9779 Views
  • 9 replies
  • 0 Likes

Pallo Alto Version 10 show transceiver command for SFP check/troubleshooting

Before only the "show system state filter xxx" ( https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClaMCAS ) was used to check issues with SFP but in version 10 the show transceiver is here and this is great 🙂 https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/monitoring/monitor-transceivers.html

URL Filtering Clarification - Wildcards behavior (implicit match on the rear of the URL)

Figured I'd share this here as I already have on another platform. Been using PanOS for ~8 years and came across something with URL filtering and wildcards. URL filters with wildcards will match on the front, and back of the URL(implicit), if you don't use the trailing /. What this means is *.microsoft.com doesn't just match www.microsoft.co...

  • 24379 Posts
  • 123 Subscriptions
Top Solution Authors
View All
Top Liked Authors
View All
Labels
LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2026 - Palo Alto Networks