Two IP address from same subnet on an 1 Aggregated Interface

Hello All, I am pretty new to Palo Alto, wanted to check if the an aggregated port in PA can be assigned with 2 IP addresses from same subnet, say 1.1.1.2/29 and 1.1.1.4/29. The Idea is the ethernet interfaces 1 & 2 that are be bonded to ae will be connected to the two core switches (port 1 to switch 1 and port 2 to switch 2). After configu...

SMB URL File Logging acheivable or not?

Hi Palo Alto Experts, I want to know if we want to log SMB URL Blocked events then can we do in Palo Alto or not? Basically, the requirement is as below: Example URL if typed by compromise system is: smb://www.example.com/fileshare/malware.exe Right now I am only able to see Source IP, destination IP and Port, NAT information but full logging wo...

Add network to address group via CLI?

I am trying to add a network to an address group via CLI on PAN OS 9.1.X # set vsys vsys2 address-group XXXXXXXX static 108.61.41.0/24 Server error : static '108.61.41.0/24' is not a valid reference What is the valid syntax?

Outside interface listening on HTTPS "502 Bad Gateway"

I have this odd issue whereas one of HA Pairs seems to be listening on 443 on its outside interface for GP but I don't use GP and never had. I have a interface profile that allows HTTPS but not from any IP and when I disable that it still shows that page. no GP portal configured either. How can I stop it from listening on 443 for any source IP?

URL wildcard Pattern

Hello everyone, I need to block URLs that have a word pattern/string, It is possible to restrict certain strings inside the name of a URL?? for example the word "good" inside the website "www.goodwill.com" to be blocked ? I already try with Wildcards, any ideas on how to achive this ? block keywords for web browsing is this possible and how to d...

Data copying over Global protect VPN

Hello, I have one query:-If, I am connected with GP VPN and. I want to prevent the users can not copy files or data from the shared folder and server.is it possible?

Destination NAT for Route base VPN

We have an requirement to set up a route base VPN, but remote proxy IP subnet clash with an existing remote subnet. We are planning to use destination NAT, but not sure, how the routing will be controlled. Please help to solve this problem.

Palo alto routing query

Incompatibility Acrobat-GlobalProtect

Hi, Customer upgrade Adobe to versión 21.001.20135 and Global Protect stopped working. Issue is th esame like this:https://community.adobe.com/t5/acrobat/adobe-acrobat-reader-21-001-20135-preventing-users-to-connect-to-global-protect/td-p/11823885?profile.language=es Do you know if there is anything to do in Global Protect for this?

SSL Inbound Decryption Failing

hello, we are setting up SSL Inspection for inbound traffic but it is failing when clients try to access, we are getting unsupported protocol errors. ssl labs shows the following issues around handshaking. with SSL Inspection off we do not see these errors can anyone advise what we can do to address this? we are running PAN OS 9.0 Thanks Ryan

Panorama<->Firewalls connectivity issue

Hi all, After I modify the route service and restore it to the state before the firewalls (2 HA firewalls + PA220 ) are no longer connected to the panorama. No changes are made on the network side between the two.Panorama : VM (VMware ESXi) version 8.1.17Firewall: 2 HA FW version 8.1.17 and PA220 8.0.17Changing the IP address of panorama in the...

URL Filtering Issue Through GlobalProtect

We are facing a issue in URL Filtering while connecting Palo Alto PA-220 via Globalprotect. When I am using broadband connection to connect to my laptop to vpn then all the configured url filtering sites are getting blocked but when we connect it through mobile internet connection then only facebook and instagram is opening. While we can get tho...

Static group, that has 2 dynamic groups as members, used in decryption policy?

I have a static group with 2 dynamic groups as its members, that is in turn used as the source object in a no-decrypt rule. I have discovered that this does not work; decrypt still happens. However If I use the dynamic groups directly as sources in the no-decrypt rule it works as expected. This same static group DOES work fine in the security po...