General Topics

Info related to license, support and signatures version over snmp

Hello Community,

Do you know if over snmp I can to have information about, license, support and signature info? Someone implemented snmp and can to see this information like cacti or other solution.

Best Regards

Andres

Packet capture

We have an issue with SIP sessions randomly hang on the firewall. We are trying to do packet capture on the Palo alto firewall. Since the issue is random, so we need to leave the packet capture on until it happens next time.

It seems the firewall aut

Prevent Global Protect connecting when on internal network

After some advice please. How can I prevent Global Protect client from trying to connect to an external gateway when the device is on an internal known corporate network ? My connect method is already set to On-demand (manual user initiated connectio

Error: "Detected another instance" An old GlobalProtect instance exists... (Mac 10.14.5)

New Macbook pro, MacOS 10.14.5 the user account and applications were migrated using migration assistant.

In the past this works fine. User is getting continual popups: 

Steps taken: uninstalled using globalprotect installer. Reboot. Reinstall. Same er

PA-5220 HA Configuration

Please can someone shed some light on the following issues which we are facing for PA-5220 HA Configuration:

1. We can see port lights on HSCI port but not on HA-1/HA-2 ports even when they are connected,. Should they be enabled somewhere because in GUI

Connection between two DMZ zone with MPLS

Hello,

We have a server on the DMZ zone and another server in the other DMZ site.

We need to allow traffics between the two DMZ zones with the MPLS connection.

I don’t know how can I put this configuration on my PA firewall or maybe I should contact my

IPSec / returning ESP packets dropped when terminating interface is in a different zone

Hi all,

I have an IPSec tunnel connecting to an old SSG. Tunnel came up successfully and SSG can see the traffic and is returning correctly into the tunnel. However PAN's decrypt counter remains 0. When i did a packet capture, the returning ESP packet

How to disable SSH weak algorithm supported

We used Nessus to run security scan on the PA-5220 we are trying out and it came back with the following medium vulnerability:

https://www.tenable.com/plugins/nessus/90317

The remote SSH server is configured to allow weak encryption algorithms or no al

Do I need SSL decryption to turned ON for Wildfire deployment ?

Can Wildfire engine detect & identify zero day or known threat if SSL decrption feature is off in Palo Alto firewall ? 

WildFire can discover zero-day malware in web traffic (HTTP/HTTPS), email protocols (SMTP, IMAP, and POP), and FTP traffic and can

HA1 encryption issues?

Hi

Random question but has anyone had any issues when enabling HA1 encryption?

I performed a BPA yesterday and noticed that we do not have HA1 encryption enabled. I looked into it and seemed like a very simple/quick win to do and after following step

Authentication Profile

SAML with RSA MFA authentication profile is getting synced on the HA active/passive firewall.  The issue is that each node needs it's own unique authentication profile.  As soon I change it on one node it sync's to the passive node.  Is there any way

BUG -106914

BUG -106914.

this is mentioned in 8.1.9 PAN OS as addressed issue.

  Please find the detail:

Fixed an issue on a firewall in a high availability (HA) active/passive configuration where HA1 and HA2 links stopped passing packets, which caused a split-brai

PA HA timers : Preemption Hold Time vs Promotion Hold Time

Hi!

What are the difference between in the Preemption Hold time and Promotion Hold time?

Dates of dynamic updates only in Panorama, not firewall

Under General Information in Panorama, both the version numbers and dates for the installed dynamic updates are listed like this:

Application Version 8172-5560 (07/17/19)
Antivirus Version 3042-3552 (07/17/19)
WildFire Version 367098-369809 (07/17/19)