Decryption Broker with Policy Based Forwarding

Hello,

I'd like to know if it is possible to use decryption broker with policy based forwarding on the same interface of the policy based forwarding as the scenarios is as the following :

We have a Bluecoat proxy connected to Palo Alto firewall using

Palo Alto - GPVPN - IPSEC b2b

My current role is as a Network Architect and I am working with our security team to get some Palo Alto firewalls setup to provide

GPVPN access and also IPSEC b2b connectivity.

Our initial design has a single external public address to host the GPVPN

Limit Download per IP

In NG firewall, is there a way to limit the download per IP per day.

For eg, One Ip should have only total 1GB download/upload usage a day.

It's like somewhat ISP does.

unable to access internet from vlan

Hi,

i am configuring PA-220 software version 8.0.9. i wan to create a vlan and allow them to access the inter net i have seen some video but i am unable to access the inter net i am even unable to ping my vlan gateway. is there any thing i can do ?

Error after upgrade of panos 8.0.17 - 8.1.0

After doing an upgrade I get the following error.

 Error: Max. user groups used in policy 1117 exceeds capacity (1000)
(Module: device)
Commit failed

I hope you can help me

Thanks.

Alan VG

TACACS Timeout

TACACS Server timeout currently has a max setting of 20 secs.  We have implemented Duo MFA on our TACACS server and 20 secs is really tight for receiving and approving the push notification from Duo.  Is there any way to override the max timeout?

We

MineMeld into Proofpoint TRAP

I am trying to integrate MineMeld and Proofpoint TRAP. It should be relatively simple and feel I am overlooking something. 

The first step was easy. Create an output using stdlib.taxiiDataFeed. 

Because this is the community edition auth is turned off

Kill Login Sessions

Hi,

Is there a way I can kill or log out other administrators that is authenticated in Palo Alto Management? Hoping for your assistance.

Thanks,

Xer

MineMeld mining IBM X-Force TAXII/STIX2 source feed

I have MineMeld setup to poll my IBM X-Force TAXII feed, however no indicators are being retrieved.  At this point, I simply want indicators from a specific X-Force collection to feed into a mirror copy within MineMeld.  The collection has indicators

Windows based user ID Agent Setup

Hi Everyone, 

Hope everyone doing well. 

we have setup a windows based User ID. but one problem I saw with that is, it is receiving accounts with $ sign in the last. I believe these are service type accounts and if yes we would like to exclude them on

Global Protect 5.0.4 portal not found

hello team,

we have this client running his ISP thru E1/3 (secondary ISP service), he wants to allow the Global Protect client thru this conection, however, after configure the portal and gateway in the PA-500, we test in the agent installed and we g

Template Variables

I didn't find the documentation that helpful regarding template and template stack variables, so I'm writing this post that will hopefully help someone out with creating their first variable. In my example below, we used a template variable to change

Users connect to Global Protect even with expired certificate.

Hi.

I've been detecting that some users have their VPN certificate expired and still manage to connect to the Global Protect VPN.
The Global Protect settings are correct, since most users if their certificate is expired do not let them connect.

Globalpr

Queries for DUAL ISP link

I am following this KB link to set this up https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClFiCAK

1/ So the documents says i have to setup 2 source NATs for each interface. Can we getaway by using the interface as ANY in NA