General Topics
Post a discussion here if you have general questions regarding configuration and troubleshooting for Palo Alto Networks products. Use this forum to collaborate with like-minded security professionals to improve your security posture.
cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
General Topics
Post a discussion here if you have general questions regarding configuration and troubleshooting for Palo Alto Networks products. Use this forum to collaborate with like-minded security professionals to improve your security posture.
About General Topics
Post a discussion here if you have general questions regarding configuration and troubleshooting for Palo Alto Networks products. Use this forum to collaborate with like-minded security professionals to improve your security posture.

Discussions

Resolved! 500 Internal Server Error - CAPTIVE PORTAL

Dears, PA220 with interfaces as per belowethernet1/4 19 1 Local-Network vr:RT-LAN 0 172.26.57.1/25ethernet1/5 20 1 Local-Network vr:RT-LAN 0 172.26.57.129/26ethernet1/7.105 269 1 Local-Network vr:RT-LAN 105 172.26.59.1/27ethernet1/7.106 270 1 Local-Network vr:RT-LAN 106 172.26.59.97/27Captive portal already configured and we double checked every...

ScreenShot640.jpg
ScreenShot642.jpg
ScreenShot644.jpg
ScreenShot646.jpg

Using MineMeld to build a list of IP addresses from a list of domains

Our current MineMeld instance is doing a great job of handling our Office 365 requests. Now I'd like to use it to solve a different problem, but I'm not sure how to go about it. We need to allow outbound app-specific traffic to *.somedomain.com. I tried a URL category but that's not working, probably because this traffic isn't HTTPS or HTTP. I...

efritz by L1 Bithead
  • 7767 Views
  • 4 replies
  • 0 Likes

PA 7.1.0 - IPSec SA goes into create delete loop after enabling tunnel monitor

Hi, I am facing a strange issue in IPSec connection with PA (7.1.0) and strongswan (5.6.2) where I see Paloalto starts sending CREATE_CHILD_SA rekey requests to strongswan when I enable tunnel monitor. Earlier we were using strongswan (5.3.5) and didn't have issue with tunnel monitor, but recently we upgraded strongswan to 5.6.2 and started see...

pa-logs.png

Resolved! Source NAT on a IPSec VPN tunnel due to overlapping IP space.

Folks, Our team has been tasked to work on a VPN tunnel from a customer premises to our corporate DC. The access would be unidirectional with the Customer accessing on-prem resources. The first challenge is that we have overlapping IP addresses at the customers end. Our team wants to use some NAT policies which will act like a 1:1 policy. i.e. w...

VPN tunnel.jpg
nson2139 by L3 Networker
  • 9931 Views
  • 1 replies
  • 0 Likes

Multiple ISP

Dear Team,I have a query. One of the customers wants to load balance their Internet traffic between multiple ISPs ( they have 5 actually). Can we do that ? I know we can do for dual ISP. But will this be feasible ?

PA3250 - L2 - L3 interface communication

Hi Team! I have simple topology ( pls see at the picture). I configured eth 1/1 ( for PC2) as L2 interface, but without Security Zone. I want to ping from PC2 - default Gateway (AE1.121) and PC1. Is it possible to set up Palo Alto like this? Pls, give me details, I can't find any use cases with the similar configuration. Thank you in advance.

PA_NX.JPG

Chromebook Global Protect failing

I have Setup Global Protect but my chromebook is failing to connect, I thought my config was dud but I have just tried to connect with my macbook and it works exactly as it should. I can't see why the chromebook wouldn't work, clearly the setup must be right. 3/17/2017, 5:06:44 PM: openDialog, type = 1 3/17/2017, 5:06:44 PM: pop up dialog after...

Resolved! Internet access

Hello all, we have installed proxy server to DMZ now I wants to allow internet access to LAN user . What would be my security policies for LAN user to access internet through proxy serverI have created two policies1. From trusted zone to DMZ Source as LAN user --------- Proxy server IP address as destination2. from DMZ to internet Source as ...

Source IP issue. *Urgent*

Hi team, I am facing the source IP mismatch region .This is the IP 41.139.156.142 which shows up from Kenya, i have confirmed from https://ping.eu & https://threatvault.paloaltonetworks.com/ but in firewall traffic log it show like this IP belongs to Germany.I have blocked this IP in policy but why it is happening ? Why firewall shows misma...

Palo Alto OSPF neighbor confusion

I have two down stream layer 3 switches both active running HSRP connecting to the active palo alto. Switch 1s interface connecting to the palo alto is set to ospf priority 10, switch 2s interface facing the palo alto is set to ospf priority 5. For some reason the palo alto is choosing switch 2 for the next hop. Does Palo Alto not understand pr...

Security policy Not process user-ID mapping after upgrade 9.0.4 to 9.0.8

PA-820FW: 9.0.8Check use-id mapping in CLI returned fine. Check user group mapping fine but security not process user-ID info.I have nine PA-820. After upgrade from 9.0.4 to 9.0.8, three of them act up. six of them are working fine. Tech Support still have no clue.Think about version bug. reinstall no help. Upgrade to 9.1.2h1 no help------------...

HNguyen_0-1591969110163.png
HNguyen by L1 Bithead
  • 2753 Views
  • 1 replies
  • 0 Likes

Upgrade OS from 8.1.x to 9.0.x Boot Loop

Upgrade PA-850 from 8.1.5 to 9.0.6 Boot LoopHi,I want to ask if anyone have experienced upgrading Palo Alto from 8.1.x to 9.0.x and worked it out, because i didnt.Last night was my nightmare, i tried to upgrade PA-850 straight from 8.1.5 to 9.0.x. For 10 mins it seems work fine, autocommit shows up and completed. But at a sudden, there was syste...

Resolved! Not Blocking EICAR June/2020

PA220, running 8281-6129 If I go to https://www.eicar.org/?page_id=3950 and try download test files using http, the firewall is not blocking of the download. If I go to the old site, http://2016.eicar.org/85-0-Download.html , the firewall will block it.

Migration of PAFW PA-5050 8.0.12 to PA-5220 Latest version

Hi,I have planning to migrate PA-5050 HA version 8.0.12 to PA-5220-HA to latest version. Constrains - The new PA-5220 cannot be downgraded to 8.0.12 to migrate the configuratoin. PA-5050 are in production so can't be upgraded to suitable version of PA-5220. Additional requirement - PA-5050 cfg has each interface for inside and ouside. New PA-...

  • 24396 Posts
  • 123 Subscriptions
Top Solution Authors
Labels