General Topics

Connection between two DMZ zone with MPLS

Hello,

We have a server on the DMZ zone and another server in the other DMZ site.

We need to allow traffics between the two DMZ zones with the MPLS connection.

I don’t know how can I put this configuration on my PA firewall or maybe I should contact my

IPSec / returning ESP packets dropped when terminating interface is in a different zone

Hi all,

I have an IPSec tunnel connecting to an old SSG. Tunnel came up successfully and SSG can see the traffic and is returning correctly into the tunnel. However PAN's decrypt counter remains 0. When i did a packet capture, the returning ESP packet

How to disable SSH weak algorithm supported

We used Nessus to run security scan on the PA-5220 we are trying out and it came back with the following medium vulnerability:

https://www.tenable.com/plugins/nessus/90317

The remote SSH server is configured to allow weak encryption algorithms or no al

Do I need SSL decryption to turned ON for Wildfire deployment ?

Can Wildfire engine detect & identify zero day or known threat if SSL decrption feature is off in Palo Alto firewall ? 

WildFire can discover zero-day malware in web traffic (HTTP/HTTPS), email protocols (SMTP, IMAP, and POP), and FTP traffic and can

HA1 encryption issues?

Hi

Random question but has anyone had any issues when enabling HA1 encryption?

I performed a BPA yesterday and noticed that we do not have HA1 encryption enabled. I looked into it and seemed like a very simple/quick win to do and after following step

Authentication Profile

SAML with RSA MFA authentication profile is getting synced on the HA active/passive firewall.  The issue is that each node needs it's own unique authentication profile.  As soon I change it on one node it sync's to the passive node.  Is there any way

BUG -106914

BUG -106914.

this is mentioned in 8.1.9 PAN OS as addressed issue.

  Please find the detail:

Fixed an issue on a firewall in a high availability (HA) active/passive configuration where HA1 and HA2 links stopped passing packets, which caused a split-brai

PA HA timers : Preemption Hold Time vs Promotion Hold Time

Hi!

What are the difference between in the Preemption Hold time and Promotion Hold time?

Dates of dynamic updates only in Panorama, not firewall

Under General Information in Panorama, both the version numbers and dates for the installed dynamic updates are listed like this:

Application Version 8172-5560 (07/17/19)
Antivirus Version 3042-3552 (07/17/19)
WildFire Version 367098-369809 (07/17/19)

Prototype for FS-ISAC

I understand that Soltra is part of the existing 3rd party intelligence feed, just wondering has anyone created a prototype from FS-ISAC? THe portal address is https://portal.fsisac.com/

Understand from FS-ISAC, they uses Soltra as part of their in

# of rules vs simplicity

Hi all,

I'm currently reviewing our PA5250 security policy ruleset and I'm doubting the best way to handle it. We have about 800 rules and lots of those rules combine functions. For example a server is allowed to FTP to ip a.b.c.d and should be allow

How to write a script for backup of initial settings of Palo alto firewall

Hello everyone,

Please help me in writing a script for backup of initial settings of Palo alto firewall.

I am new in network security, requesting you to help me.

Br//

Ashutosh