General Topics
Post a discussion here if you have general questions regarding configuration and troubleshooting for Palo Alto Networks products. Use this forum to collaborate with like-minded security professionals to improve your security posture.
cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
General Topics
Post a discussion here if you have general questions regarding configuration and troubleshooting for Palo Alto Networks products. Use this forum to collaborate with like-minded security professionals to improve your security posture.
About General Topics
Post a discussion here if you have general questions regarding configuration and troubleshooting for Palo Alto Networks products. Use this forum to collaborate with like-minded security professionals to improve your security posture.

Discussions

Resolved! Microsoft Windows Auto Pilot and SSL decryption

Hi Everyone, Seems the Microsoft Windows Auto Pilot does not work when SSL decryption is enabled.I tested see no drops on the global counters and nothing on PA PCaps. When disabled SSL decryption it worked fine. Any ideas? Mike

MP18 by Cyber Elite
  • 6910 Views
  • 4 replies
  • 0 Likes

Resolved! Partial Import of Address-Groups results in "Unexpected Here"

Anyone seen this before? currently testing in Panorama on version 7.1.5 and trying to import Address Groups. Addresses works fine and are present. command being run is:load config partial from test.xml from-xpath shared/address to-xpath /config/shared/address mode merge where test.xml is an untouched export from a PA firewall. Any thought?thanks

Resolved! Query on HA1 link

Hello, We have an Active-Passive setup. The HA1 link in the Active unit shows down (red) if the Link settings are set to auto/auto.If I change the settings to 100mb link, full duplex and link state to up, the port shows up (green).Shouldn't it work in auto/auto settings as well?

Auto.png
Full.png

Authenticating with Captive Portal

I just got off the phone with technical support and the technician said that the only traffic I can authenticate is http/https. Can someone confirm that the use case below is not valid? Here is what I want to do: Use HTTPS to authenticate a user After Authentication, user is allowed access to a server in a manner controlled by a security polic...

joynert by L1 Bithead
  • 10486 Views
  • 12 replies
  • 0 Likes

Exclude account(s) from authentication?

I know there is the allow list, but what about an exclude? We use Captive Portal for BYOD and have thousands of accounts we want to allow, but exclude our double digit generic accounts from being able to log in. What's the best way to achieve this?

QOS bypass traffic

is there any way to get more info about what kinds of traffic are being classified as "bypass" traffic?i have not found anything in cli, traffic logs or acc.

wlloyd by L2 Linker
  • 3180 Views
  • 1 replies
  • 0 Likes

Resolved! User ID mapping when switching between wired and wireless

A lot of my users login into their computers using the wired connection. Then when they are off to meetings, they switch to wireless (without logging out and logging back in). If I turn off client probing, this creates an issue where they switch to wireless, as the ID never seems to map. Is there a way to correct this? FYI....network bridging ...

MikeC by L3 Networker
  • 7130 Views
  • 4 replies
  • 0 Likes

Resolved! FQDN cache limitations

I wanted to reach out tot he community and see how people are handling FQDN cache limit issues. Example: * Internal DNS caches up to 8 IPs for each FQDN* PAN device will cache up to 10 (source: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClHJCA0) If you have a security policy that allows traffic to blah.domain.com a...

hshawn by L4 Transporter
  • 8100 Views
  • 2 replies
  • 1 Likes

Multicast configuration for IPTV

Hi all, I'm lost configuring my PA-500 for IPTV using multicast. My provider has a new option for IPTV. They stated that in order to test the configuration one should try to open: https://www.fiber7.ch/documents/129/Big_Buck_Bunny_Stream.xspf So far I was not able to get this to work. I understand that one needs to enable multicast on the virt...

Resolved! Connecting PA820 to Cisco ASA HA

Hi All, I want to connect PA820 to ASA HA setup. ASA1 and ASA2 need to connect to PA820. Can I use link aggregation on PA820 for this scenario? If one of the ASAs fails will this setup work to pass on the traffic using the other ASA. Thank you.

sajidsil by L0 Member
  • 3929 Views
  • 2 replies
  • 0 Likes

Resolved! GlobalProtect VPN "Always On"

Hello, We are currently migrating from Cisco AnyConnect to a GlobalProtect solution that is hosted on an Azure cloud VM and really like the "Always On" feature. The only set back we have noticed is there is no way to manipulate it to only connect when not on an internal LAN. We had manipulated DNS in the past to disable internal users from conne...

file blocking profile but allow some apps

Hi We have recently enabled file blocking on all our web access rule and it works a treat, but looking at the data filtering logs i can see the likes of Google Chrome being blocked. I have played around creating a seperate rule, that is above the main web access rules, which has a seperate file blocking profile that doesnt and assigned this to ...

CRDF18 by L2 Linker
  • 4206 Views
  • 4 replies
  • 0 Likes

LSVPN Satellite Reconnection Time

Does anyone know how to decrease the time between LSVPN Satellite connection attempts? If one of our satellites drops off (e.g. reboot/power outage/etc), after it comes back up it will take up to an hour to connect to it's nominated Gateway. Also, if the Gateway is rebooted (e.g. after hours mainteance) it takes up to an hour before all of the s...

EDL- Predefined Paloalto IP Lists do not update

Hi guys, my PA is still with the initial set of roughly 500 IPs in the two predefined IP lists which do not update; it is said those lists are part of the AV signature updates which run well. I also have confirmed with the CLI that its is not a GUI problem. Am I missing something here? Can you take a look at your lists and the numbers of IPs wit...

pan219 by L2 Linker
  • 3597 Views
  • 2 replies
  • 0 Likes

Resolved! Getting error when committing more NAT rules "Total NAT DIPP rules 401 exceeds the capacity of 400"

https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/networking/nat/nat-rule-capacitiesdescribes the NAT Rule capacities as follows:-----The number of NAT rules allowed is based on the firewall model. Individual rule limits are set for static, Dynamic IP (DIP), and Dynamic IP and Port (DIPP) NAT. The sum of the number of rules used for thes...

  • 24393 Posts
  • 123 Subscriptions
Top Solution Authors
Labels