This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
Buy or Renew
Buy or Renew
General Topics
Post a discussion here if you have general questions regarding configuration and troubleshooting for Palo Alto Networks products. Use this forum to collaborate with like-minded security professionals to improve your security posture.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
General Topics
Post a discussion here if you have general questions regarding configuration and troubleshooting for Palo Alto Networks products. Use this forum to collaborate with like-minded security professionals to improve your security posture.
About General Topics
Post a discussion here if you have general questions regarding configuration and troubleshooting for Palo Alto Networks products. Use this forum to collaborate with like-minded security professionals to improve your security posture.

Discussions

Start a conversation

Resolved! Global Protect Always On and stopping local network access in event of failure

Hi All, Is it possible to stop a device from connecting to the local network if the Global Protect Gateway fails? I have a question from a customer that has an Always On Pre-Logon environment and wants to ensure the connection defaults to a fail-closed mode with no access to the local netwok - although it must allow for initial connections to ne...

a.jones by L3 Networker
  • 3076 Views
  • 2 replies
  • 0 Likes

SWIFT ISAC TAXII Feed

Hi guys I’m’ just curious – SWIFT has offered recently for all members TAXII interface to poll IOCs via https://taxii.swift.com/taxii Feed is not open for everybody – each member must request access to it individually, so it’s not easy to test it. Has anybody already tried it? My simple attempt to use “minemeld.ft.taxii.TaxiiClient” class t...

Resolved! Can Panorama managed devices be configured via the CLI?

Hey folks. I'm adding a Panorama server into my infrastructure to enable zero touch SDWAN provisioning, and since I've never done Panorama before, I've got a question. Can panorama managed devices be configured via the CLI? The reason I ask this is that I do a fair bit of work with AWS and VPC's - and configuring a new VPC into AWS is mostly don...

darren_g by L4 Transporter
  • 7588 Views
  • 4 replies
  • 0 Likes

GlobalProtect IOS split tunnel routing incorrect traffic

PanOS 9.1.4, GP client 5.2.7-6. We have a split tunnel configuration with only 2 internal /32 addresses added to the access route include list. We regularly see traffic from GP clients destined for Internet IP addresses hit the Palo over the client tunnel. This is from several IOS clients - we don't have any other client O/S'es to test with. Is ...

Andy123B by L0 Member
  • 3573 Views
  • 1 replies
  • 0 Likes

Searching for rule with empty "description" field in the ruleset

Dear community I am looking for a way to filter all rules without any value in the description field. We use this filed to reference the incident number which has been raised to request a security rule. And by policy we are not allowed to have any rules in our set where there is not reference in the description field. So i have tried to use the...

TiborNad by L1 Bithead
  • 5999 Views
  • 4 replies
  • 0 Likes

Need assistance with fixing weak Ciphers via Panorama cli

Hi I wanted to update weak ciphers on a PA-VM using the document below, I wanted to apply the change via Panorama but I don't see the correct config to apply.I have tried the following: >set cli config-output-format set#set template "template name" config vsys vsys1 Is this the correct format? I am not sure where I can reference system ssh ...

Amin2 by L2 Linker
  • 2219 Views
  • 1 replies
  • 0 Likes

After upgrade Panorama from 8 to 9 Panorama stopped sending GP-logs to Qradar syslog server.

Before the upgrade everything was working just fine, now after upgrade still I can see the GP-logs sent from the Firewalls to Panorama, but Panorama still unable to sent those logs to Qradar syslog server. Connectivity between the 2 devices is good.I found the below document to review the configuration to see if anything is missing but the docum...

Data filtering - email issue

Hello all, i was configure data filtering and it works.But i face problems with the mailing. When the the fw match pattern it blocks it, but the email stuck in outbox queue , and the user can not send/receive other emails until the mail is deleted from the queue. Can we achieve some kind of silent drop, so for the client to look like the email ...

stef by L2 Linker
  • 2193 Views
  • 1 replies
  • 0 Likes

Resolved! PA 3050 web Gui access

I am working with PA-3050. I can log in using ssh, but i can not login via web Gui.http/https service are enable though.Can someone share some thoughts on how to proceed?

FIDELE by L1 Bithead
  • 4032 Views
  • 2 replies
  • 0 Likes

Minemeld Crashing, miner tab not loading, RPC timeout exception

Hi, we have an issue on our Minemeld instance in production. Similar to the issue reported in https://live.paloaltonetworks.com/t5/minemeld-discussions/minemeld-crashing/td-p/289998, minemeld randomly crashes with the following results: - the green loading bar keeps running across the screen - the nodes page won't load - TAXII output prototype i...

VCiverra by L1 Bithead
  • 5972 Views
  • 4 replies
  • 0 Likes

Different Actions for Security Rules

Hi Guys,I would like to know what are the difference between the following actions in the security rules for PA.1. Deny2. Drop3. Reset-client4. Reset-server5. Reset-bothWhich of these are the most preferred to use? Is deny or drop action also resets the connection for both server and client? Thanks

Nikko by L1 Bithead
  • 3998 Views
  • 4 replies
  • 0 Likes

Two IP address from same subnet on an 1 Aggregated Interface

Hello All, I am pretty new to Palo Alto, wanted to check if the an aggregated port in PA can be assigned with 2 IP addresses from same subnet, say 1.1.1.2/29 and 1.1.1.4/29. The Idea is the ethernet interfaces 1 & 2 that are be bonded to ae will be connected to the two core switches (port 1 to switch 1 and port 2 to switch 2). After configu...

Aithal by L0 Member
  • 3550 Views
  • 1 replies
  • 0 Likes

SMB URL File Logging acheivable or not?

Hi Palo Alto Experts, I want to know if we want to log SMB URL Blocked events then can we do in Palo Alto or not? Basically, the requirement is as below: Example URL if typed by compromise system is: smb://www.example.com/fileshare/malware.exe Right now I am only able to see Source IP, destination IP and Port, NAT information but full logging wo...

Add network to address group via CLI?

I am trying to add a network to an address group via CLI on PAN OS 9.1.X # set vsys vsys2 address-group XXXXXXXX static 108.61.41.0/24 Server error : static '108.61.41.0/24' is not a valid reference What is the valid syntax?

jsogla by L0 Member
  • 2316 Views
  • 1 replies
  • 0 Likes

Outside interface listening on HTTPS "502 Bad Gateway"

I have this odd issue whereas one of HA Pairs seems to be listening on 443 on its outside interface for GP but I don't use GP and never had. I have a interface profile that allows HTTPS but not from any IP and when I disable that it still shows that page. no GP portal configured either. How can I stop it from listening on 443 for any source IP?

drewdown_0-1612816320888.png
drewdown by L4 Transporter
  • 3343 Views
  • 2 replies
  • 0 Likes
  • 24379 Posts
  • 123 Subscriptions
Top Solution Authors
View All
Top Liked Authors
View All
Labels
LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2026 - Palo Alto Networks