General Topics
Post a discussion here if you have general questions regarding configuration and troubleshooting for Palo Alto Networks products. Use this forum to collaborate with like-minded security professionals to improve your security posture.
cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
General Topics
Post a discussion here if you have general questions regarding configuration and troubleshooting for Palo Alto Networks products. Use this forum to collaborate with like-minded security professionals to improve your security posture.
About General Topics
Post a discussion here if you have general questions regarding configuration and troubleshooting for Palo Alto Networks products. Use this forum to collaborate with like-minded security professionals to improve your security posture.

Discussions

Resolved! Convert VSD Juniper(Screen OS) configuration to Palo Alto

Hi team,We have a Juniper firewall configuration with 4 VSD(virtual security device) and we want to migrate that kind of configuration on Palo Alto.We have tried to migrate that configuration but we didn't find this capability on palo alto firewall.Does exist any similiar capability in palo alto?Thanks ,Regards.

Fjrubiab by L0 Member
  • 4140 Views
  • 3 replies
  • 0 Likes

Resolved! VPN Best Practices

I'm looking to make some modifications to Site-to-Site VPN IKE-Gateway/IPSec profiles and GlobalProtect IPSec Crypto Profile. For GlobalProtect IPSec, I'd like to switch from aes-128-cbc to GCM. I know GCM is more secure and has better performance but what I'm unsure about is if I need aes-256-gcm or is aes-128-gcm acceptable. For the site-t...

ce1028 by L4 Transporter
  • 7337 Views
  • 5 replies
  • 0 Likes

BGP configuration

I am looking to see the commands to check bgp configuration on palo alto 5050 Software version 8.1.14 We have that PA in our organization but i am new and trying to check why i am not able to learn a route 10.104.55.0/24 in BGP in PA 5050 I am learning 10.104.55.0/24 in the routing table.admin@SHA-FWPA01A(active)> show routing route virtual-r...

Need to export policy rule in excel format.

Hi, While exporting all policy backup in excel sheet as we need this all policy details with all fields in rules.As when I tried to export directly via console it gives only object name, not real ip address. So it is difficult to know which object has which ip address inside it.Please help us to get this all rules details in excel sheet.

PA-3220 Power Supply Air Flow Direction Optional?

As I have encountered and many others may also, when this unit was installed in a data center, the person did not follow hot and cold isle standards. Is there an option to replace only the power supply or type of fans to reverse the air flow? This would be much easier than unracking and recabling everything.

DHCP server issue with PA3020

Hello, I have PA 3020 on which I have configured a DHCP server with about 400 reserving "binding", and IP pool for non reserved.this DHCP server is configured on vlan tagged subinterface.every thing is going well for laptops and PCs "windows", but I have almost with all android phones "Can't get IP address" issue.when I check "view allocation" I...

Resolved! Panorama Pre rule reuse with firewall type but different inside zones

I want to reuse a pre ruleset because all firewalls of a type get these firewall rules. The issue is the inside interfaces are different zone names. Whats the best way to handle that situation while using the "no any zone" best practice? I am alreadly overriding an object-group to specify these zones networks. We cannot override the zones of a p...

trial license for pa-220

Hello guysI m trying to get a trial licence for lab purposes for my personal pa-220Not familiarized with palo alto environment (thats why I bought the pa-220 btw)I don t have an account manager or a ce because I m not a company.More experienced users know how to do it? Regards,

alexwirz by L0 Member
  • 3072 Views
  • 1 replies
  • 0 Likes

Issue With DNS Suffix

Dear Team, The challenge was that we need to do commit with wildcard in dns suffix ie. *.xyz.com but it failed ( PAN OS 9.1.7).For workaround we have removed wildcard. You seen in other firewall with panos 9.1.5 its having dns suffix with wildcard. For resolving dns suffix issue with wildcard, After upgrading to panos from 9.1.5 to 9.1.7 why wi...

Packet capture hitting specific security policies?

I would really like the capability to setup packet captures for traffic that hits specific security rules. For example, we have rules that block outbound connections to Palo's dynamic IP list for known malicious IP addresses and would like packet captures taken when traffic hits that rule. I've not seen that capability and haven't seen a forum p...

Resolved! GlobalProtect Pre-Logon VPN WITHOUT using Machine Certificate for Authentication

Hi, I currently have my lab PA-220 where its configured for prelogon and then on demand for the VPN, and it works just fine with saving cookies for the authentication and authenticates at the windows login screen without any issues. Move to our production PA-220 and we cannot seem to get the pre-logon to connect, and I have mirrored the same set...

Azure CDN (Edge Nodes) list

Hi,I have been asked to import a new IP list within Minemeld; the Azure CDN (edge nodes list).To retreive the list, I have the API documentation here: https://docs.microsoft.com/en-ca/rest/api/cdn/edgenodes/listI am only a beginner when it comes to python programming so I was looking for code examples; is there anything class that implements AP...

dennisss by L1 Bithead
  • 3987 Views
  • 1 replies
  • 0 Likes

Resolved! Palo alto decryption issue

We have an issue with a thick client application (AWS Workspaces client) connecting successfully to the AWS workspace over the internet. The palo alto firewall logs shows the traffic is allowed but the type is 'deny' instead of 'end'. Also session end reason is "decrypt error". Now we think we understand that the URL’s the client application is ...

Revoked Machine Certificate still able to Connect Global Protect Gateway

It appears possible to configure the firewall to be an OCSP responder to itself/clients from the posts below? Is that correct? (Specifically referring to self-signed certificates generated on the firewall) If so, is there any risk to having this service run on an external interface, in order to control/revoke machine certificates? If the need...

Sec101 by L4 Transporter
  • 7919 Views
  • 2 replies
  • 0 Likes
  • 24397 Posts
  • 123 Subscriptions
Top Solution Authors
Labels