# of rules vs simplicity

Hi all,

I'm currently reviewing our PA5250 security policy ruleset and I'm doubting the best way to handle it. We have about 800 rules and lots of those rules combine functions. For example a server is allowed to FTP to ip a.b.c.d and should be allow

How to write a script for backup of initial settings of Palo alto firewall

Hello everyone,

Please help me in writing a script for backup of initial settings of Palo alto firewall.

I am new in network security, requesting you to help me.

Br//

Ashutosh

BlueKeep HIP policy

I've created a HIP policy to filter GP users if they are missing the security patches for BlueKeep. However, with monthly roll-ups I have to go in and generate a new HIP object each month. 

We currently patch our Windows machines 30 days behind Micro

advertising a default-route to a single eBGP peer in the Palo Alto.

Folks,

we want to work on some specific BGP advertisements. Our aim is to propagate the deault-route to only on specific eBGP peer.

So far what we have already done is configured a static route redistribution profile. 

This is done under "Redistributio

SPI Value in phase 2

I wanted to know that I could see the SPI value in the wireshark in site to site policy based VPN.

So basically in base two there are two SPI value inbound and outbound, so if the attacker is capturing my traffic then he'd able to see my SPI value. t

Vpn access using GlobalProtect with AUTENTICATION TWO-FACTOR

We have

The company want  that all people accessing from GLOBAL PROTECT vpn CLIENT use the two-factor autentication. We have released an U2F USB security usb key for the email. 

Does PaloAltoNetork support an external Two-Factor Autentication for the V

Can I export traffic log more than 1 million lines in panorama M500?

Hello,

I was asked to export 3 month traffic logs.

I exported via gui but it has about 1 million lines and only contains less than a 1 day.

How can I export full 3 month traffic log in panorama M500?

panorama Device template HA setting error

Hello,

I am getting an error pushing a template from panorama to a device as below

Details:

• . High-availability ha1 interface needs a prefix length(Module: ha_agent)
• . Commit failed
• Warnings:

This is related to a HA settings. However i have manually set

Decryption profile DECRYPT-CERT-VALIDATION traffic denied

NA

AD Server Showing "Connection Timed Out" So Captive Portal Redirection not working

Hi Team,

I am having an query regarding the Captive Portal issue. Herewith, I have network flow diagram to understand better on the scenario.

Network Schema:

**** Both end Firewall are of same device Palo Alto only.

=> From Head Office Firewall, we a

Panorama logging quotas

Does anyone know if you can configure logging quotas per device group(s) or firewall(s)

My panorama is running 9.02 in legacy mode.

Source user column not populating

Source user column is empty under the monitor tab - traffic logs. We have checked all the settings from our end and couldn't see anything wrong with that.

It was working before, no changes been made. Noticed it stopped working recently.
No proxy server

Global Protect N-FACTOR authentication

Hello,

I have the following question is it possible to assign multiple authentication profiles to globalprotect.  I wan't to accomplishg the following:

Users of LDAP GROUP X.:  Use LDAP authentication only.

Users of LDAP GROUP Y:  User RADIUS auth with