General Topics
Post a discussion here if you have general questions regarding configuration and troubleshooting for Palo Alto Networks products. Use this forum to collaborate with like-minded security professionals to improve your security posture.

Discussions

Resolved! How to disable Global Protect inside Firewall

Hi All,

I am looking for a way to have the GP client NOT connect when I am inside the firewall or at a remote site with a VPN tunnel. Basically I would like to make a rule that says do not connect when connected to certain subnets.

Is there a w

...

Ignoring Users in Mapping

Howdy,

Sorry if this has been asked thousands of times, but I cannot seem to locate something quite similar.

We have noticed recently that some users are logging in with a local computer account and then obviously being able to browse the internet

...

PIRSA by L0 Member
  • 1123 Views
  • 2 replies
  • 0 Likes

Import kerberos keytab from CLI?

Hi,

Is it possible to import the kerberos keytab file directly from CLI rather than using the GUI?

I have noticed that if the keytab is imported via GUI, the command below is added to the config.

set shared authentication-profile my_profile single-s

...

Blocking TLDs with a URL filter

Hello all,

I'm attempting to block about 1340 TLDs with a URL filter. However, I can't seem to get the URL filter to not block any URL where the TLD string is part.

For example:

If I want to block the .able TLD, I block "*.able" via a URL Category th

...

Radius & OTP Globalprotect VPN

So if I am configuring a VPN to use radius & OTP (multi factor authentication) and LDAP, do I add the radius authentication to both the portal and the gateway? And if so, where and how does the LDAP authentication occur?

jdprovine by L4 Transporter
  • 3370 Views
  • 13 replies
  • 0 Likes

static routes remain valid even when ipsec tunnel down?

I discovered that static routes associated with ipsec tunnels that are down remain valid and continue to be redistributed by, in our case, OSPF. This is not the behavior we desire. We'd like the static routes to become invalid and not be redistribute

...

gmparis by Not applicable
  • 3240 Views
  • 3 replies
  • 0 Likes

ICMPv6 Custom Apps

PAN-OS has a gap in AppID for ICMPv6 apps. Working against RFC4890, I created custom apps for the recommended ICMPv6 types/codes.

Sharing here for others' benefit.

 

set application icmpv6-echo-request category networking subcategory infrastructure t...

DrJonBane by L3 Networker
  • 1779 Views
  • 2 replies
  • 1 Likes

Port mirroring

Can we send decrypt traffic to more than one decrypt mirror port? What are the limitations of using a mirror port? Is its functionality limited if the fw is in vwire mode? Also is there a way that in decryption broker deployment model the fw doesn't h

...

Sanssj by L2 Linker
  • 769 Views
  • 0 replies
  • 0 Likes

Dual ISP Global Protect Redundancy

Hi Team,

I hope ye all are well. We recently worked a case for a customer that had dual ISP configuration and wanted the Palo Alto Networks device to provide redundancy for the Global Protect Portal and Gateways in the event one ISP went down. We ca

...

Custom Syslog sender From Cisco WLC

We have wireless users. Cisco WLC directly sends syslog to PA. We have to parse it correctly. But after doing we get the following

We also implemented agentless AD integration. We want users authenticated through AD could connect to some internal resource

...

Radmin_85 by L4 Transporter
  • 963 Views
  • 2 replies
  • 0 Likes

Move zone and policies between VSYS

Hello,

One of our customers wants to implement VSYS. Currently, the current firewall is a Checkpoint appliance (around 900 rules).

The idea is to replicate the config from the Checkpoint to the PA with only one VSYS to avoid a big bang...

So I will crea

...

licenselu by L4 Transporter
  • 1634 Views
  • 3 replies
  • 0 Likes

SMB traffic identified as active-directory

From one of our management servers (Windows Server 2016) SMB traffic is identified as active-directory, but from user clients it's correctly identified as ms-ds-smbv2. Anyone come across this? We have several storage solutions (NetApp filer, iSCSI,

...

SSL Inbound decryption and SMTP

Hi,

Does anybody have issues with ssl inbound decryption and setting the smtp decoder in AV Profile to reset-both (antivirus + wildfire)? When the firewall receives an email (with ssl/tls enc enabled) and successfully decrypt the message and found a

...

iweltag by L2 Linker
  • 2632 Views
  • 1 replies
  • 0 Likes