General Topics

Fuel Workshop - Watch Now: Managing Your Palo Alto Networks Assets and User Accounts

In case you missed it, check out this new Fuel Workshop series, which covers the following topics:

Customer Support Portal Overview
License Management
RMA Best Practices

Dive into the three-part Fuel Workshop video series and learn how to efficient

...

Ensuring a Safe and Secure Community: How You Can Help

Dear LIVEcommunity Members,

Ensuring a top-tier experience on LIVEcommunity and protecting our members’ safety and security is our top priority! To this end, we have implemented additional security measures to safeguard our vibrant global commun

...

Introducing the LIVEcommunity Support FAQ: Your Valuable Customer Resource

LIVEcommunity is thrilled to introduce its new Support FAQ section, designed to help Palo Alto Networks customers quickly resolve their common queries.

You'll find this new area under the Articles section of the main menu:

Our goal is simple:

...

Destination nat not working.

I have security policy untrust -trust(webserver publicip) and nat policy - untrust -untrust.

Wheni try to access web server public ip it is not hitting the security policy and is considering the destination in untrust zone

and denies the traffic.

Pa200

...

Resolved! Enabling OCSP in mgmt profile also allows http management

PA-220, 9.0.0, AV2899-3409, Content 8127- 5316

I've enabled HTTP OCSP on the management profile attached to a loopback interface. HTTP and HTTPS are NOT enabled under Administrative Management Services (in fact, none are checked).

Nonetheless, the

...

Default Application ID change in 8.0?

We are migrating from some 200's running 7.1.x code to 220's running 8.0.x code. We had a rule that was working fine, allowing any traffic from a server to another server. We didn't define any apps or tcp ports. We have that rule in the new firewall,

...

Split DNS

Hello

We would really like to see a "split DNS" configuration for Global Protect, where you can specify certain domains that are sent to the internal DNS Server (or DNS Proxy), and all other domains get handled by the user's normal DNS servers.

Thank

...

Issue with WLC Radius request to NPS Server

Hi all,

I have an issue with the radius request through the firewall,

The radius request come from an cisco 1852-ME WLC and goes to an Windows 2016 NPS Server, both in different zones.

An simular setup with an firewall works fine.

The NPS Server does not

...

Resolved! Running config not synchronized problem

Hey all!

there are two pa 3020 with 8.0.7 in HA active passive.

Three days ago, I switched the passive fw to active.

Yesterday I switched back. I stated that the running config isn't synchronized, but I switched nevertheless.

So I think I should "sync to

...

Resolved! Proxy Configuration

Hello,

Before switching to Palo FW from Cisco one of our customers could use proxy (http://10.x.x.x/optusproxy.pac).

Can you please confirm how can we set this proxy setting in Palo because couldn't find any option on GP to put proxy?

I tried using i

...

ecmp

Hi community,

Does anybody clarify my following doubts about preferred path in ECMP.

I am able to see * mark in one of ECMP route ?. what is that means?.

I have balanced round robin, so that each new sessions should take one path alternatively right ?

...

Resolved! show deviceconfig setting url - dynamic url filtering

When i run below command

show deviceconfig setting url
[edit]

i see no output.

I read that if above output is blank then we are not doing the dynamic url filtering on the PA?

Need to know should i enable this and how it can effect the performance o

...

Resolved! Merlin board mode?

Hello, everybody,

I have come across a Palo Alto firewall that cannot normally boot up and remains in "Merlin board mode". I cannot find much information on the internet regarding this. Can someone clarify what this "Merlin board mode" is? And what i

...

Resolved! Route Decision in Palo Alto firewall without interface mentioned in virtual router

Hi There,

Can we configure static routes in virtual router without mentioning what interface to use? Can Palo alto smart enough to identify the right interface based on the nexthop IP address? I am believing yes, could you please confirm me. especial

...

Resolved! Block Wetransfer Upload

I was doing a test on allowing wetransfer download, but not allowing upload. Ran into some issues. I have TLS decryption enabled. I have removed the *.wetransfer.com decryption exclusion.

My security policy is looking for applications "wetransfer" an

...

5000 Series not supported on PanOS 9

I'm quite disappointed in Palo Alto's approch to not make 9.0 supported on the 5000 (i.e 5020, 5060, etc.) For a customer that purchased their equipment right before th 5200s came out it seems we (and probably many others) were screwed over on this

...

Response Page working or not for url filtering

We have configured the url filtering response page for one of our sites.

Is there any way from CLI or GUI i can confirm that users when they go to blocked site are actuall getting response page?

I see on GUI url filtering logs that they are blocked.

...

IPv6 & User-ID

Hi guys, can anyone point me in the right direction to find out if User-ID supports IPV6 address and if so how does that work.

I assume that the only the primary IP address which gets authenticated on the domain gets logged and therefore reported to t

...

Discussions