SSL Inbound Decryption Failing

hello, we are setting up SSL Inspection for inbound traffic but it is failing when clients try to access, we are getting unsupported protocol errors.  ssl labs shows the following issues around handshaking.

with SSL Inspection off we do not see thes

Panorama<->Firewalls connectivity issue

Hi all,

After I modify the route service and restore it to the state before the firewalls (2 HA firewalls  + PA220 ) are no longer connected to the panorama.

No changes are made on the network side between the two.

Panorama : VM (VMware ESXi) version

URL Filtering Issue Through GlobalProtect

We are facing a issue in URL Filtering while connecting Palo Alto PA-220 via Globalprotect.

When I am using broadband connection to connect to my laptop to vpn then all the configured url filtering sites are getting blocked but when we connect it thr

Static group, that has 2 dynamic groups as members, used in decryption policy?

I have a static group with 2 dynamic groups as its members, that is in turn used as the source object in a no-decrypt rule. I have discovered that this does not work; decrypt still happens. However If I use the dynamic groups directly as sources in t

External Certificate Renewal

I can't for the life of me figure out the process to renew a certificate issued from an external CA.  We have a cert purchased from Thawte for our Global Protect gateway.  It will expire shortly and Thawte wants a csr file for the renewal.  Selecting

can we generate report for tunnel interface in ACC

We are using proxy solution for url filtering for which we have deployed ipsec tunnel with cloud proxy server.

If we are filtering ACC report for interface and zone we are not able to get proper utilization report. Hence we are trying to export report

LIVEcommunity January Rewind

Hi everyone! 

We are excited to share our first LIVEcommunity monthly recap with all of you! There are a lot of exciting things happening around the community, so we put together this News article sharing everything that you might have missed durin

Force Authentication Policy (MFA) for known users (user-id agent)

Hi,

I had configured Authentication policy for one of the environments and everything worked fine as expected. While replicating similar setup for a different environment, the Authentication policy was not working. After some troubleshooting, I obser

Palo Alto image for demonostation shown in the video

Hi team,

I am looking for setting up the palo alto firewall as well panorama in VMware workstation as shown in below video. It seems to be pretty easy. Only thing I am looking for is palo alto image. How can I get the image ? I googled and got to kno

Are used PA 'for-sale' posts permitted

Hello - does Palo Alto support resale of hardware that is not End-of-Life, and are posts on resale permitted in LIVEcommunity?  I have been searching for pinned community rules and have not found anything related yet.  I don't want to post/ask more r

IP spoofing /source routing

Hi Friends,

I have nt enabled Zone protection for our palo alto firewalls as its connected to trusted zones. I want to know the whether IP source routing is disabled in the PA NG Firewall (Pan OS > 9.0) by default or not.  Also steps to protect again

SDWN and PAT

Trying to setup a LTE link as a backup link for an SDWAN deployment.  All of the LTE gateway devices do PAT as they get a single IP from the provider.  Will this work.  Don't think it will work in the hub but in the branches believe it will.  Just wa

upgrading from PAN OS 9.0 to 10 without internet connection

I need to upgrade from PAN 9.0.4 to 10 but without an internet connection where i have to upload the images manually, what im not sure about is that i read i need to make sure i meet the minimum content release for the target version which makes the

Palo Alto QOS - WRED drops

In Palo Alto firewall,  we observed WRED drops on QOS (150Mbps)  applied egress interface eth 1/11 – due to which DB sync/mirroring is randomly getting failed/dropped between DC & DR. Please let me know for any configuration changes/workarounds to av