How to allow a specific file extension

I work for a K-12 school district that uses a program that reads books to students.  The file extension is .kes (KES is a file extension that belongs to Text Files of Kurzweil Educational Systems) and is blocked in our file blocking profile as an Enc

PA config replication through Panorama

Hi All,

I am looking for a method to replicate the configuration of one of our virtual firewalls to a physical firewall through Panorama device-groups and templates.

Let me explain the setup:

We have a core firewall with multiple vsys enabled, and one

Feature requests - command line or API consistency with GUI actions please

In particular we discovered that methods of creating configuration backups are not consistent across the various management interfaces.  It appears as if the most restore-able version of the backup has to be done from the GUI.

The 'export'/'scp'/'tft

Vwire interfaces are flap

We have a Paloalto connected in vwire mode Cisco ASR1 is  connected on PA eth1/21 (Primary) and Cisco ASA (Primary)is connected on PA eth1/22. Same as Cisco ASR2(secondary) is connected on ethernet1/23 and Cisco ASA(secondary) is connected via Ethern

Overlapping Proxy ID"s

I have a IPSEC site to site VPN with a Check Point firewall.  In the Palo Alto I have networks / proxy ID's that overlap each other?  Can this cause issues?

For example I have:

Local                                                   Remote

192.168.50.

Broken SSL Inbound Inspection After July Windows Updates Enables TLS 1.3

I have been using SSL Inbound Decryption for over a year with options

1) Block sessions with unsupported versions

2) Block sessions with unsupported cipher suites

After applying Windows 10 updates to a reverse proxy server, it appears that connection t

DMZ server is not accessable by Global protect

Hello,

I have one server belongs from the DMZ zone.
Example:-
server ip- 2.2.2.2
source ip for VPN user - 1.1.1.1
VPN zone
DMZ zone

There is 2 scenerio:-
policy(1) - I have created a policy like:-
sourcezone- VPNzone
source ip - 1.1.1.1
destination zone - DMZ

Global Protect in Linux error

Hi,

We are trying to connect to our VPN using Global Protect client in a Fedora laptop. We have tested the following articles: https://docs.paloaltonetworks.com/globalprotect/4-1/globalprotect-app-user-guide/globalprotect-app-for-linux.html#

but we ar

what happens when in Palo Alto Firewall PA 3220 when licenses expire ??

Dear Valentin ,

The customer has several  firewall Palo Alto 3220  ;What will Happen when  the license expire  in November 2020 ?

Its very important to understand will be the limitations at that  moment .

The customer has  Premiun Support & Threat Pr

Best way to load balance to ISP with Global Protect

We have an active/passive 3020 and in from of them we have an A10 Load balancers. We want to change our current configuration so we can have a load balance between our two ISPs.

What is the best practice regarding the Palo Alto? Which would it be the

Walking into a new environment

Hello -

Just looking for ideas on the best way to get the lay of the land so to speak when walking into a new environment.  

Is windows VPN client and split tunnel supported?

Dear community,

I configured Windows 10 vpn client to connect to the globalprotect gateway and it works fine, the only thing that it´s not working is split tunneling.

Cannot see the Access Route For Third Party Client on the gateway like this example

CDL - Disconnect from log server

Has anyone else experienced many more "Disconnected from Log collector Server" alerts since the CDL Migration to GCP? I used to get one every now and then but since the change, it's increased dramatically.  Every time I check, the firewalls are loggi

display issue for filter user.src on different vsys(include all vision)

Hi Guys

We got the issue for display src.user of different vsys(include ALL),

for example, when I filtering src.user(abc.com\CDE) on traffic tab of vsys1, then unsuccessful displayed blank src.user on tab, but when I clear filter index, we can see spe

internet ipv6 to on-premise ipv4 nat

Hi all,

there is a domain abc.com and there is an ipv6 dns record for that.so when using ipv6 from cloud is it possible to destination nat this to the ipv4 server inside.

I know as a workaround we can add an ipv6 ip to that server but it is not possi