VPN up but traffic not matching outbound policy, inbound policy is working

Recent new VPN tunnel is up with Azure.  I can see traffic matching zone VPN-S2S > trust but anything from trust > VPN-S2S zone is not matching that specific policy.  The oubound traffic is matching the blanket outbound policy and I can't figure out

Block layer 4 traffic for destination blocked on URL filtering

We have a very peculiar situation. There is Azure public PaaS environment connected over express route and we have a Palo inline. Now the destination ip/subnet range is dynamic but we just end to allow few specific URLs. It was all fine where we had

PAN-OS 9.0 URL DB manual Download not available

Hi,

not sure if I to stupid to find it, but after upgrading to PAN-SO 9.0 there is no more option under Licenses URL DB to download the URL DB manually. 

In an Active/Passive Cluster the Active Firewall downloads the URL DB every few hours, but the p

Why do unused rules show traffic hits?

I am doing cleanup of old unused firewall rules. Using the UNUSED policy optimizer I noticed that some rules are showing Traffic usage but 0 hits? Can someone explain why this is? I am wary to trust the HIT count until I understand the correlation. B

Block Tor application traffic.

Hi

We are planning to block Tor application traffic in our PA device , so do we need to write security policy in both the direction  and also share the steps to block the traffic in Palo Alto device.

Thanks,

Yusuf

radius authentication issue

After the device PA-500 is upgraded from 7.1 to 8.1.15, the radius authentication of the user name and password of the device fails, and we can only log in to the device through local authentication. After performing Radius-related configuration acco

PAN-OS 8.0.15 issues X SNMP

We updated the 2 pair of Firewalls on last sunday to 8.0.15 and after that our CACTI stop to show the interfaces statistics from PA-5020.
Cacti is monitoring the updated PA-3020 correctly.  The issue only happen with PA-5020.


Did anyone experience some

PBF with nat

Hi

So I have 1 internal address that when it goes out via the PA to the internet (SNAT) i want it us a specific route - net hop.

So it looks like I can't set pBF on source address (SNAT). has to be on the original address.

and I can't specify outbound

Global Protect new Linux UI

I have the GP Linux CLI client working without any issues, however I wanted to test the UI client that just came out (5.1.0) Does anyone know how to actually use this? The PAN documentation has not been updated to mention this new version or the Linu

Getting PAN FW logs to Azure Sentinel

I'm currently sending FW logs to Azure Sentinel, via syslog over SSL to an r-syslog server with the Azure agent on the syslog server forwarding logs to Sentinel. I followed the documentation, format is BSD header with custom CEF format for the logs a

Microsoft Direct Access - is user Identification possible?

Hi,

We have user identification working nicely using user ID agents on a few of our active directory domain members.

I've been looking at MS Direct Access (and formerly UAG) and it seems that a DA implementation would show all connected users as having

Palo alto not blocking a URL

Hi All,

I hope all are doing well.

I am trying to block a URL on palo alto firewall using custom URL category but firewall is not blocking the traffic and its passing through allow SSL/Web-browsing rule just below it.

This is the rule i created:

Rule