General Topics
Post a discussion here if you have general questions regarding configuration and troubleshooting for Palo Alto Networks products. Use this forum to collaborate with like-minded security professionals to improve your security posture.
cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
General Topics
Post a discussion here if you have general questions regarding configuration and troubleshooting for Palo Alto Networks products. Use this forum to collaborate with like-minded security professionals to improve your security posture.
About General Topics
Post a discussion here if you have general questions regarding configuration and troubleshooting for Palo Alto Networks products. Use this forum to collaborate with like-minded security professionals to improve your security posture.

Discussions

Resolved! Implicit Applications with cotp/ms-rdp in security policies

Hello everyone, Been testing some PA firewall functionality and noticed that ms-rdp has the implicit use of "cotp" defined, but the cotp application matches to a rule further down the policy list. When I review the logs, it looks like this Am I misunderstanding having cotp as implicitly allowed by the ms-rdp application? Not sure why ms-rdp is a...

PAFWRDPCOTP.PNG
MathewRD by L0 Member
  • 7469 Views
  • 1 replies
  • 0 Likes

Up gradation of PANOS 8.0 to 8.1

We have PA-820 deployed in Active-Passive HA mode running PANOS 8.0. Today i received a notification that PANOS 8.0 will be End of Life on 31st Oct 2019. Hence I have to upgrade the PANOS of both firewalls, preemption is enabled on both firewall. Please share the procedure / best practices of upgrading OS in HA (Active-Passive) with no traffic o...

Resolved! Pushing updates from Panorama to PA220 uses incorrect IP address

We have Panorama installed in our DMZ, behind a PA5220. Management interface for Panorama has a 10.10.10.x IP, which gets NAT'd to a public IP. Currently running Panorama 8.1.10 in panorama mode. All of our firewalls (currently PA200/PA500 with PanOS 7.1.x) connect to Panorama using the public IP. All of the firewalls have private 10.x.x.x IP...

fjwcash by L4 Transporter
  • 4804 Views
  • 2 replies
  • 0 Likes

Resolved! RADIUS MFA Enrollment Message

I have successfully deployed MFA for my Global Protect users using PingID. Using RADIUS and LDAP I am able to have a user challenged every time they want to fire up the Global Protect gateway. However, this functionality only happens when a user has their device pre-enrolled into the PingID portal. If the user doesn't have a PingID account with ...

Resolved! IPS Running Active/Active after reboot.

I upgraded a few pair of IPS/IDS devices last night and ran into an odd issue I haven't seen when upgrading other devices before. They run, typically, in Active/Passive mode, so when I upgrade I suspend one, upgrade, reboot, unsuspend it, and then repeat the process on the other device. Last night after I walked through this process the devices ...

Destination NAT with Port Range

Hi ! We are trying to configure Destination NAT rule for a VC device on Palo Alto 820 NGFW. we need to allow range of TCP ports(Ex:3000-3050) but we could not find the option to configure the port range under the translated tab. find the below requirement for your reference.Original Packet: Src.IP:Any, Dst.IP:1.1.1.1, DstPortrange: 3000-3050Tran...

Tulasi by L0 Member
  • 6483 Views
  • 1 replies
  • 0 Likes

log to Kiwi Syslog

Hi,I've configured all the necessary in my PA-500 but I can't view logs Kiwi Syslog v8 in my PC. Is there some special configuration I missed? I've configured the firewall for UDP sessions. I've some DMZ configured, maybe I forgot to open some ports?

s_quasar by L3 Networker
  • 8305 Views
  • 5 replies
  • 0 Likes

Decryption policy and SNI

Hi,I activated a decyption policy but my site is configured with SNI. If I apply the policy, the other site with the same IP is blocked with error SSL_ERROR_NO_CYPEHR_OVERLAP (this in Firefox). Which is the correct configuration with SNI?

s_quasar by L3 Networker
  • 10857 Views
  • 8 replies
  • 0 Likes

Global Protect says it is updating but it isnt

Using Client version 5.0.1-9. I have set the Portal update settings set to Allow Transparently.I have downloaded 5.0.5 on the portal and activated it. Wait 5 min.. connect with GPClient externally. After a few minutues I get a popup "GlobalProtect Agent upgrade is in progress".. ..40 min later.. I am not disconnected/reconnected and help about s...

Andrew.C by L0 Member
  • 6749 Views
  • 1 replies
  • 0 Likes

Resolved! GlobalProtect connection problems

GlobalProtect version 3.1.6-19. Windows Server 2012 R2 ver 6.3 (Build 9600) Hi there,We' ve a server in the remote network that we reach with GP, we regularly (mostly hourly) pull data from that server. There is a windows service that we wrote to do this pull data process. The GP is must be running and connected in order for the service to pull ...

Problems accessing Google Play Store while connected to GlobalProtect

Have just noticed that having connected to GlobalProtect on Android (client version 5.0.3-13), I can browse the Google Play Store but can no longer download any apps or app updates. The status will say "Downloading" but never starts. The security policy on the appliance is allow outbound and everything is being allowed as far as I can tell. Disc...

Traffic from GP interface

Hi Team, I am seeing some traffic initiated from GP interface to outside using source port udp/4500 to public IPs of clients( GP uses 4501 and I have xauth configured). Are these traffics are because of GP xauth configuration.. anybody has noticed it before ?.I dont have any Ipsec tunnels configured from this interface.thanks in advance.

  • 24403 Posts
  • 123 Subscriptions
Top Solution Authors
Labels