General Topics
Post a discussion here if you have general questions regarding configuration and troubleshooting for Palo Alto Networks products. Use this forum to collaborate with like-minded security professionals to improve your security posture.

Discussions

Discover LIVEcommunity Through Our New Animated Explainer Video!

We’re thrilled to unveil a brand-new animated video that highlights everything LIVEcommunity has to offer! This short and engaging video gives you a quick tour of the many resources available in our vibrant community — from interactive discussions and customer journey guides to the Cyber Elite program and Member Spotlight features. Whether ...

kiwi by Community Team Member
  • 4117 Views
  • 0 replies
  • 0 Likes

IPSec VPN with cert authentication: RSA_verify failed

Hello community! Created a VPN Palo Alto - Cisco ASA with certificates for IKEv2 gateway authentication. Cannot establish the VPN. Did a debug and get the following error when the Palo Alto is trying to validate the ASA's certificate: [PERR]: RSA_verify failed: 1099255804384:error:04091064:rsa routines:INT_RSA_VERIFY:algorithm mismatch:rsa_sign.c...

Carracido by L4 Transporter
  • 7489 Views
  • 3 replies
  • 0 Likes

session time-out need some understanding

We are seeing some Oracle sessions being aged out. When I checked the session info time-out, it says 120 sec. But the application time-out itself is for 14400 sec. Where does this value of 120 sec come from? Session 2071980 c2s flow: source: x.x.x.x [SERVER2] dst: y.y.y.y p...

raji_toor by L4 Transporter
  • 2497 Views
  • 1 replies
  • 0 Likes

mtr

Hi, from the above output the second hop is the PA firewall, the loss is 98.2%. What does it mean? I don't have traffic shaping in the firewall. Thanks

simsim by L4 Transporter
  • 4557 Views
  • 1 replies
  • 0 Likes

Resolved! PA-820 & LACP

Hi, just wondering if anyone here has successfully gotten LACP to work on a PA-800 series FW (set to passive) and Cisco Switch (set as 'channel-group X mode active')? No matter what I try (fast/slow/active/passive/1 eth/2 eth) I always get "LACP currently not enabled on the remote port" in the Cisco console output. I saw this twice this week at two ...

ShaiW by L4 Transporter
  • 8105 Views
  • 2 replies
  • 0 Likes

Resolved! Changing the /

We currently have one outside interface on the firewall and it is connected to our Edge Router. The interface has the IP address of 10.10.10.10.5/24 (for example). This is the only port available for inbound and outbound data to the internet. We would like to create a new outside interface on the firewall and start using it for other services, such...

Shawverr by L3 Networker
  • 4691 Views
  • 5 replies
  • 0 Likes

GP RDP and User-id

Hi, I recently upgraded to GP client 5.x. Now when I log in to my laptop, say 10.10.10.10, as alex.samad, GP logs me in as well and the PAs know 10.10.10.10 as alex.samad. When I RDP to 20.20.20.20 and log in as peter pan, the PA assigns peter pan to 10.10.10.10. This didn't happen under 4.1. Is there an option to turn this off - I believe there is?

User-ID LDAP syntax in rule

In the group mapping UserID template, we use LDAP syntax (CN=...., OU=...), but in rules, I have always seen Source User expressed in lanman syntax, Domain\User or ...\Group. Is it possible to use the LDAP syntax in the rule as well, and is there an advantage either way?

BoDollis by L1 Bithead
  • 3428 Views
  • 2 replies
  • 0 Likes

Resolved! Need to understand session time-outs

We are seeing some Oracle sessions being aged out. When I checked the session info time-out, it says 120 sec. But the application time-out itself is for 14400 sec. Where does this value of 120 sec come from? Session 2071980 c2s flow: source: x.x.x.x [SERVER2] dst: y.y.y.y p...

raji_toor by L4 Transporter
  • 6319 Views
  • 3 replies
  • 0 Likes

Resolved! Firewall Policy Dump.

I have about 50 VSys and I need to pull all the firewall rules for a few different sources. Is there an easy way to pull a dump of these policies or do I have to manually go through the GUI for each VSys and filter for those sources? Thanks.

ignore users for IP subnet

Hi, with the risk that this was already discussed, I have a question regarding ignore users with User-ID. I configured User-ID for our clients, also for the IT department. In the IT, we are also using admin accounts. So when I started a program in admin mode, the firewall registered this in the DCs. So my client gets the adm account linked with my c...

Resolved! Static Routes not updating Panorama to Firewalls

Firewalls are not receiving the Static Routes added to Panorama. Do these need to be entered manually in the Firewalls or how do we propagate these changes? The Firewalls and Panorama are synched and other changes to Panorama are synched to the firewalls when I commit. The Static Routes are not synching even though I have committed the change. No ...

Upgrade Logs

I am trying to capture all the logs related to any upgrade and downgrade. I understand the firewalls download the firmware from updates.paloaltonetworks.com. This then points to the nearest PA Server to download the code from the CDN infrastructure. My requirement is to have a log generated indicating the "EXACT" URL the firewall/panorama woul...

mk245v by L1 Bithead
  • 6666 Views
  • 6 replies
  • 0 Likes

Resolved! Decrypt Mirror Port and Performance

Hi Everyone, We already have SSL decryption enabled. Now need to config decrypt mirror port. Need to confirm when PA sends raw packets to server will it cause any performance issues on the PA? Regards, Mike

MP18 by Cyber Elite
  • 4500 Views
  • 4 replies
  • 0 Likes
  • 24334 Posts
  • 124 Subscriptions