SSL Decryption: SHA1-Intermediate certificate gets decrypted, even if not allowed to

Hi paloalto community,

I tested my new ssl decryption rules against the badssl dashboard ( https://badssl.com/dashboard/ ).

So far it looks good. Unfortunately the check for sha1-intermediate doesn’t pass. Our PA-850 (Firmware 9.0.5) does create a sec

what do we exactly mean by threat prevention throughput of firewall ?

Hi Experts,

I am always in doubt when someone asks how much PA 220 can support as far as throughput is concerned.

In datasheet there are 2 throughput , firewall throughput ( 560 Mbps) and threat prevention throughput ( 260mbps).

Customer has line of 2 a

Is it possible to integrate google authenticator with PaloAlto for device admin authentication (two factor)?

Hi All,

Is it possible to integrate google authenticator with PaloAlto for device admin authentication (two factor)?

If possible, how to accomplish the same. Share if any document is available.

Thank you,

Guru

Palo Alto Support Going down hill

Is it just me or is Palo Alto Phone support going down hill. It use to be when you called within 15 min you had a tech but over the last 2 years its getting worst to get a human on the phone and opening a ticket online is no better. I opened a ticket

Decryption changes v9.0.4

We upgraded the firewall to v9.0.4 from 8.1.11h2 this weekend and came in to our hosted exchange / outlook profiles failing to load. I added the mail host server in the do not decrypt policy and a percentage of the users reported services normal. It

Zone mapping in SDWAN

I find this document below hard to follow or understand. Can someone explain it to me in simpler terms? For example, suppose I have the following zones already: Trust, Untrust, VPN. What would this map to in SDWAN? What is zone-internal? Is that Trus

Wildfire statistics

Hi,

I have a question related to Wildfire: We need wildfire statistics during the year 2019, inspected files, files with malware, files with grayware and files with pishing. Is there any way to collect this info? from PA or wildfire web? I can not fi

Data Lake status SNMP monitoring

Hi everybody,

we are quite often have a problem with logging to Data Lake.

Mostly Data Lake certificate expires and is not being renew automatically, so logs are not being forwarded to Data Lake and XDR doesn't have info. 

Is there a way, how to moni

IKE gateway is not allowed

Hi all, 
I've just installed a PA 3220 and there're dynamics VPNs tunnel. IKEs are up. However,  phase 2 (tunnel) aren't coming up. 

Looking at the logs I see the following logs for all VPNs .
"initiate negotiation to dynamic peer from IKE gateway is n

Policy Based Forwarding PBF based on destination country or self defined region?

Can this be accomplished without something like a Performance Routing service or hybrid WAN systems a couple companies offer? Is it a roadmap feature of PAN-OS PBF? PBF seems to be one of few things that do NOT support Regions.

I'd like to PBF my con

Monitor > Logs > Traffic - App-ID 'ping' not logging from endpoints.

Good day everyone and thank you in advance. 

Just to be sure I'm not losing my mind entirely - I thought I'd post up here and see if any veterans have any ideas.  I was troubleshooting something earlier today with a re-IP on some printers traversing