BlueKeep HIP policy

I've created a HIP policy to filter GP users if they are missing the security patches for BlueKeep. However, with monthly roll-ups I have to go in and generate a new HIP object each month. 

We currently patch our Windows machines 30 days behind Micro

advertising a default-route to a single eBGP peer in the Palo Alto.

Folks,

we want to work on some specific BGP advertisements. Our aim is to propagate the deault-route to only on specific eBGP peer.

So far what we have already done is configured a static route redistribution profile. 

This is done under "Redistributio

SPI Value in phase 2

I wanted to know that I could see the SPI value in the wireshark in site to site policy based VPN.

So basically in base two there are two SPI value inbound and outbound, so if the attacker is capturing my traffic then he'd able to see my SPI value. t

Vpn access using GlobalProtect with AUTENTICATION TWO-FACTOR

We have

The company want  that all people accessing from GLOBAL PROTECT vpn CLIENT use the two-factor autentication. We have released an U2F USB security usb key for the email. 

Does PaloAltoNetork support an external Two-Factor Autentication for the V

Can I export traffic log more than 1 million lines in panorama M500?

Hello,

I was asked to export 3 month traffic logs.

I exported via gui but it has about 1 million lines and only contains less than a 1 day.

How can I export full 3 month traffic log in panorama M500?

panorama Device template HA setting error

Hello,

I am getting an error pushing a template from panorama to a device as below

Details:

• . High-availability ha1 interface needs a prefix length(Module: ha_agent)
• . Commit failed
• Warnings:

This is related to a HA settings. However i have manually set

Decryption profile DECRYPT-CERT-VALIDATION traffic denied

NA

AD Server Showing "Connection Timed Out" So Captive Portal Redirection not working

Hi Team,

I am having an query regarding the Captive Portal issue. Herewith, I have network flow diagram to understand better on the scenario.

Network Schema:

**** Both end Firewall are of same device Palo Alto only.

=> From Head Office Firewall, we a

Panorama logging quotas

Does anyone know if you can configure logging quotas per device group(s) or firewall(s)

My panorama is running 9.02 in legacy mode.

Source user column not populating

Source user column is empty under the monitor tab - traffic logs. We have checked all the settings from our end and couldn't see anything wrong with that.

It was working before, no changes been made. Noticed it stopped working recently.
No proxy server

Global Protect N-FACTOR authentication

Hello,

I have the following question is it possible to assign multiple authentication profiles to globalprotect.  I wan't to accomplishg the following:

Users of LDAP GROUP X.:  Use LDAP authentication only.

Users of LDAP GROUP Y:  User RADIUS auth with

enabling interface ping

Hello,

We have a vlan.101 interface with profile permiting ping (ping service selected) enabled on it.

However, hosts on this vlan.101 cannot seem to ping this interface.

Arp entries of some of the hosts are seen.

Appreciate all help.

Thank you.

Default deny logging question

I notice that if a connection comes in and does not hit any policy correctly I do not see the deny in the logs. I think this is because the default behavior of the intrazone-default  rule is not to log anything. Is there a down side to setting this t