General Topics
Post a discussion here if you have general questions regarding configuration and troubleshooting for Palo Alto Networks products. Use this forum to collaborate with like-minded security professionals to improve your security posture.
cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
General Topics
Post a discussion here if you have general questions regarding configuration and troubleshooting for Palo Alto Networks products. Use this forum to collaborate with like-minded security professionals to improve your security posture.
About General Topics
Post a discussion here if you have general questions regarding configuration and troubleshooting for Palo Alto Networks products. Use this forum to collaborate with like-minded security professionals to improve your security posture.

Discussions

Resolved! Service Route Help

Hello, I need to create a source service route for LDAP on one of our PANs due to MGT interface IP being unable to access the LDAP servers (I am unable to change this). I have gone into Device, Setup, Services, Service Route Configuration, selected customize and then changed LDAP to use ethernet1/1 and the source of that address. I then com...

COlson by L2 Linker
  • 4639 Views
  • 3 replies
  • 0 Likes

Resolved! OSPF - preventing Ext1 inter-area route redistribution

I am trying to minimize some router's routing table, in a multi-area OSPF setup. As you can see in the attached diagram, my PA firewall is an ABR. It's also the core router of the entire network, DR on each OSPF area with no BDR (it's an HA active/standby setup). PA Firewall's routing table is built by the routes advertised by each area, with ve...

OSPF-trim.png

Resolved! Choosing user certificate when you have multiple such as multiple company VPNs

If a user has multiple user certificates, how can I ensure that the firewall chooses the correct one to use?For example, a user might have a VPN to two different companies that both have PA firewalls. I'd strongly prefer not having to have a separate windows user account depending on which useraccount and portal I want to connect to. Thanks

Avaya RTP UDP traffic dropped

Hi AllTrying to get a path working for an Avaya solution. I can see in the log that SIP traffic is flowing without issue. When the user tries to make a call I should see some UDP traffic within a specified range but I do not see it in the logs. I have performed a packet capture and I can see that the UDP traffic, showing as RTP, is being dropped...

a.jones by L3 Networker
  • 3775 Views
  • 2 replies
  • 0 Likes

wild card certificate.

Dears, i am using a wild card certificate for global protect. when i tried to connect global protect agent. i am facing the below issue:- Certificate description:-I have imported the wild card certificate that is sign by digicert.firstly i have imported trusted root CA.Then intermediate CA.After that the server chain certificate. Configuration d...

Jafar_Hussain_0-1607017194770.png

several IKE Crypto Profiles on the same interface for SITE-to-SITE VPN

Hello dear colleagues, according to the documentation, there is a limitation for IKE gateways:All IKE gateways configured on the same interface or local IP address must use the same cryptoprofile. (c) The same restriction is mentioned in the PANOS v8.1 course. First of all, it seems strange that we cannot use different IKE options for different ...

Panorama plugin for VMware vCenter

Hello Everyone,I would like to use custom tags from VCenter in dynamic address groups. We are using VM information sources, but this method isn´t able to fetch these tags. It seems that VMware vCenter plugin can do this thing. Is it good idea to use this plugin? It hasn´t received any update since it was created and I don´t want to risk any prob...

Dynamic Address Group (DAG) PAN-OS / DAGPusher prototype

Hi guys, I'm trying to use the the DAGPusher prototype but, unhappily, I'm dealing with some problems. May be some of you could help me with it. My scenario: I use a generic miner to extract IPv4 (/32) from a specific location (that is working). Then it is sent to the DAGPusher node (that is working). Now I want to push them to Firewall/Panorama...

How work App-id when trafic is not inspected

Good morning all,I have a question regarding the relationship between Appid and Ssl Decryption. How can the Fw recognize an application when the traffic is not inspected?Example user request https://www.youtube.com/watch?v=2zB2jiCxxuQ. What is the Fw going to see? The source ip, the destination ip for www.youtube.com 142.250.74.238 the Fqdn www....

IPSec SA rekey failure

Hello,I am not an expert on IPSec and its terminology, so I apologize if I write something inaccurate, but I try to do my best. I have an IPSec s2s tunnel between Palo Alto PA-220 and Mikrotik RB4011. The RB4011 is behind NAT so it initiates the connection, Palo has a public IP. The tunnel works, but from time to time the rekey of IPSec keys pro...

ipsec_failure_1.png
ipsec_failure_2.png
jjurica by L0 Member
  • 17006 Views
  • 2 replies
  • 1 Likes

Traffic logs not shown the recent logs for particular source IP

Hi Guys One of our customer facing issue that unable to see recent traffic logs for particular source and destination in gui. But we could see the live session on cli by the command "show session all filter source 192.168.x.X destination 172.17.X.X". Session working as expected. but we need to see the traffic logs on gui. restarted the mgmt serv...

Issue with traffic on specific proxy id

We have VPN between Palo Alto and Cisco FMC/FTD.There is user and server traffic on VPN. VPN status is stable. I don't have any user complaining about disconnection.But I am seeing disconnection on specific proxyid. All of sudden I am getting ICMP request time out on working connection.Facing request time out when ping is from Server which is be...

yshaikh by L1 Bithead
  • 5908 Views
  • 5 replies
  • 0 Likes

Resolved! Way to see hardware type installed on 7080?

Is there somewhere in the GUI (or more likely a CLI command) that will show me the hardware type of the cards I have installed on my 7080? Specifically, I am trying to see if I have an SMC or SMC-B. Thanks.

Resolved! Path Monitoring for Alerting Only

Hi, I'm interested in using path monitoring for alerting. I'm aware that it can be used with PBF, static routes, HA, etc, but that's not quite what I'm after. I have BGP to manage that side of things. I would like to monitor the path to the internet. Perhaps pinging the provider's gateway IP and looking for responses. If the link goes down or if...

Luke_R by L2 Linker
  • 3890 Views
  • 2 replies
  • 0 Likes
  • 24393 Posts
  • 123 Subscriptions
Top Solution Authors
Labels