General Topics
Post a discussion here if you have general questions regarding configuration and troubleshooting for Palo Alto Networks products. Use this forum to collaborate with like-minded security professionals to improve your security posture.
cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
General Topics
Post a discussion here if you have general questions regarding configuration and troubleshooting for Palo Alto Networks products. Use this forum to collaborate with like-minded security professionals to improve your security posture.
About General Topics
Post a discussion here if you have general questions regarding configuration and troubleshooting for Palo Alto Networks products. Use this forum to collaborate with like-minded security professionals to improve your security posture.

Discussions

Resolved! WAN interface Multiple IP addresses or sub interfaces?

Hi - Looking for best practices advice on WAN interface. Currently the WAN interface has a /26 with multiple IP addresses for incoming web servers translated to different subnets behind the PAN. Is there a default proxy arp working and is this the best practice or should the firewall have sub-interfaces? Thanks

stoff by L0 Member
  • 8911 Views
  • 3 replies
  • 0 Likes

Resolved! policy is clear yet traffic is still DENIED

hi all, we have a policy that clearly states FROM and TO objects and SMB_override (custom app, I presume, created earlier) as the application. The service is configured as Application-default. As per Monitor, it goes straight through to the deny rule ignoring our Allow rule. The application is correctly identified, the port is right. all looks g...

igs1917 by L1 Bithead
  • 8255 Views
  • 5 replies
  • 0 Likes

Resolved! PA sending TCP RST for a NAT rule

Hi everybody,Adding a bidirectionnal NAT rule for an ssl web server and the according security rule, connections from outside are dropped as "Incomplete". Traffic capture show that first SYN packet received is directly rejected by PA with a RST response. What does it mean ?Regards.

rodjeur68 by L1 Bithead
  • 10211 Views
  • 10 replies
  • 0 Likes

Want to Uninstall .bat file Terminal Server Agent.

Hi, While installing the VM the terminal server agent was installed through the .bat file.Now our requirement has changed, I don't know how to uninstall the terminal server through the .bat file.While Install the Terminal server agent this error is coming pan terminal services agent process id 22908. Actually, we want verbose debug logs troubles...

NAC VLAN Redirection failing

We are trying to implement a NAC solution. The basics are that the NAC is connected to the switch stack and upon sensing a device connecting, it checks it for authentication against the NAC and if it fail it quarantines it into a specific VLAN. That part is working. The next step WOULD be that when the device goes to make a connection somewhere ...

Nonaxium by L1 Bithead
  • 6363 Views
  • 6 replies
  • 0 Likes

Certificate chain not correctly formed

Hello, I am getting the warning below after importing a certificate. Is there a link/KB I can check to fix this? Warning: certificate chain not correctly formed in certificate dc1pa.abcd.com.au Thanks in advance!

Farzana by L4 Transporter
  • 10241 Views
  • 5 replies
  • 1 Likes

IKE Certificate Authentication Peer ID

Hi, Im trying to setup a VPN connection using certificate based authentication. When Phase 1 tries to establish I'm getting the following error Peer's ID payload ' IPv4_address:xxx.xxx.xxx.xxx' does not match certificate ID, Error: failed to get subjectAltName. I have added the peer's IP address to the IP(SAN) of the certificate and also tried ...

Are EDLs updating from passive device?

Dear community, We´ve configured a couple of external dynamic list (IP and URL) on a local minemeld server and the passive device fails to fetch those lists. Error obtained is: "Unable to fetch external dynamic list. Couldn't connect to server. Using old copy for refresh." Manually forcing the firewall to download the list then it works ok. Ser...

Carracido by L4 Transporter
  • 3405 Views
  • 2 replies
  • 0 Likes

HA1 and HA2 Links

Hi Guys,I have configured each of my HA links to have backup links. I would like to know, are the backup links also sending and receiving traffic like port-channel in which both ports are active? Especially the HA2 if we want to have 20G or more links for session sync.Thanks

Nikko by L1 Bithead
  • 3118 Views
  • 3 replies
  • 0 Likes

Resolved! GlobalProtect Split-Tunnel via cli.

I am trying to add the MS IP's via cli for split-tunnelling. the documentation states the following...set network tunnel global-protect-site-to-site <name> client split-tunneling access-route [ <access-route1> but this is not working on 8.1.9 I can get this far..set network tunnel global-protect-gateway "gateway-name" but cannot con...

Mick_Ball by L7 Applicator
  • 7097 Views
  • 3 replies
  • 0 Likes

Resolved! updates.paloaltonetworks.com connectivity

hi all,we have been trying to test our networks connectivityto updates.paloaltonetworks.com and have been unsuccessful.we tried ping to updates but it fails and also traceroute it also fails.and when we tried from different networks all the coonectivitytests to updates.paloaltonetworks.com failed also.is your updates down?because we can seem to ...

Resolved! EDL dynamic list is URL access error

i have created the new EDL with this URL (http://panwdbl.appspot.com/lists/mdl.txtbut unable to fetch We have changed the service route with outside interface but the same issue was happening.

Joshan_Lakhani_0-1583264831448.png

IPSec VPN and Dead Peer Detection (DPD) in IKEv1 and Liveness check in IKEv2

I have two different IPSec VPN tunnels between a PAN and two different Cisco devices, let call them R1 and R2, as folllows: PAN IPSec IKEv1 <<---->> Cisco R2 IKEv1PAN IPSec IKEv2 <<---->> Cisco R1 IKEv2 I enable Dead Peer Dection (DPD) in the IKE gateway between the PAN IKEv1 and Cisco R2 router. On the Dead Peer interva...

dtran by L4 Transporter
  • 11888 Views
  • 2 replies
  • 0 Likes

Resolved! Palo alto networks licence

Hello, I'd like to know if this fonctionnality need a licence GlobalProtect in PAN or not: * VPN client for MAC OS , Windows XP and Vista * The third party: Apple iOS, Android 4.0 I will be appreciated for all your helps Thank you

RCHAIBI by L2 Linker
  • 4676 Views
  • 4 replies
  • 0 Likes
  • 24393 Posts
  • 123 Subscriptions
Top Solution Authors
Labels