General Topics
Post a discussion here if you have general questions regarding configuration and troubleshooting for Palo Alto Networks products. Use this forum to collaborate with like-minded security professionals to improve your security posture.

Discussions

Dates of dynamic updates only in Panorama, not firewall

Under General Information in Panorama, both the version numbers and dates for the installed dynamic updates are listed like this: Application Version 8172-5560 (07/17/19) Antivirus Version 3042-3552 (07/17/19) WildFire Version 367098-369809 (07/17/19) But when I log on to one of the firewalls (or change context in Panorama) only the version numbers...

Resolved! GlobalProtect client config fail

We have a GP license for a smaller 220. The idea is to have the 220 in the DMZ and allow users to connect internally or externally to connect to GP. The issue I am having is that when trying to connect internally I am getting a not authorized message from the client. It is an on-demand configuration and I know the account works as I am using the same LDAP profile to lo...

raji_toor by L4 Transporter
  • 9312 Views
  • 1 replies
  • 1 Likes

Prototype for FS-ISAC

I understand that Soltra is part of the existing 3rd party intelligence feed, just wondering, has anyone created a prototype from FS-ISAC? The portal address is https://portal.fsisac.com/ I understand from FS-ISAC that they use Soltra as part of their intel too; is the FS-ISAC intelligence pool a subset of Soltra?

c_cong by L1 Bithead
  • 28929 Views
  • 27 replies
  • 0 Likes

Resolved! GlobalProtect VPN prelogon 2FA/MFA

Hello everyone, I have a question for which I can't find any documentation to solve it. Our security manager wants to increase security at the VPN prelogon. Since version 9.0 PANOS, it's possible to make a VPN prelogon with 2FA or SAML authentication. -> GlobalProtect Prelogon PANOS 9.0 Is it possible that the 2FA/SAML authentication phase wil...

jk0neil by L0 Member
  • 7406 Views
  • 1 replies
  • 0 Likes

# of rules vs simplicity

Hi all, I'm currently reviewing our PA5250 security policy ruleset and I'm doubting the best way to handle it. We have about 800 rules and lots of those rules combine functions. For example a server is allowed to FTP to ip a.b.c.d and should be allowed to ssl to ip w.x.y.z. At the moment this is combined in one rule which means that servers is a...

tomdevos by L0 Member
  • 5528 Views
  • 5 replies
  • 1 Likes

Resolved! Decryption certificate validation issue

Hi Guys, I'm experiencing an issue where one of the sites is not accessible when the decryption profile is enabled with no decryption for SSL forward proxy. After disabling the block untrusted issue I'm able to access the site. I'm facing this issue on the PA 850 platform, PANOS 8.1.8. We have upgraded the PANOS from 8.1.7 to 8.1.8. Also would like to ad...

BlueKeep HIP policy

I've created a HIP policy to filter GP users if they are missing the security patches for BlueKeep. However, with monthly roll-ups I have to go in and generate a new HIP object each month. We currently patch our Windows machines 30 days behind Microsoft's rotation (with exception to some security patches) so I can't just do a carpet check for a...

advertising a default-route to a single eBGP peer in the Palo Alto.

Folks, we want to work on some specific BGP advertisements. Our aim is to propagate the default-route to only one specific eBGP peer. So far what we have already done is configured a static route redistribution profile. This is done under "Redistribution Profile" under the particular virtual router. Then we have attached this "Redistribution Profile...

nson2139 by L3 Networker
  • 4505 Views
  • 1 replies
  • 0 Likes

SPI Value in phase 2

I wanted to know that I could see the SPI value in Wireshark in a site-to-site policy-based VPN. So basically in phase two there are two SPI values, inbound and outbound, so if the attacker is capturing my traffic then he'd be able to see my SPI value. That can be used by him to decrypt the traffic? Could you please explain why and how SPI are sent ...

VPN access using GlobalProtect with TWO-FACTOR AUTHENTICATION

We have The company wants all people accessing from the GlobalProtect VPN client to use two-factor authentication. We have released a U2F USB security key for the email. Does Palo Alto Networks support an external two-factor authentication for the VPN? If not, are there plans to develop it? For us it is very important the VPN GLOBAL PROTECT client ca...

panorama Device template HA setting error

Hello, I am getting an error pushing a template from Panorama to a device as below Details:. High-availability ha1 interface needs a prefix length(Module: ha_agent). Commit failedWarnings: This is related to HA settings. However I have manually set the HA settings on each of the A/P PA pair so I have not configured any HA settings into the panorama ...

KarimSN by L1 Bithead
  • 4391 Views
  • 1 replies
  • 0 Likes

AD Server Showing "Connection Timed Out" So Captive Portal Redirection not working

Hi Team, I have a query regarding the Captive Portal issue. Herewith, I have a network flow diagram to better understand the scenario. Network Schema: **** Both end firewalls are the same device, Palo Alto only. => From the Head Office Firewall, we are able to reach the AD Server residing on the Data Center Firewall without any issues. However wh...

SahulH by L3 Networker
  • 5566 Views
  • 6 replies
  • 0 Likes