General Topics
Post a discussion here if you have general questions regarding configuration and troubleshooting for Palo Alto Networks products. Use this forum to collaborate with like-minded security professionals to improve your security posture.
cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
General Topics
Post a discussion here if you have general questions regarding configuration and troubleshooting for Palo Alto Networks products. Use this forum to collaborate with like-minded security professionals to improve your security posture.
About General Topics
Post a discussion here if you have general questions regarding configuration and troubleshooting for Palo Alto Networks products. Use this forum to collaborate with like-minded security professionals to improve your security posture.

Discussions

Custom HIP Check for Linux

Hey guys, I've been tasked to have Globalprotect only allow company owned devices over the VPN. I know I can create custom HIP checks for Windows/Mac (reg/plist value). How would I do the same for Linux clients? I have two end users that work remote, and are on a Linux machine. Still having issues with getting the GlobalProtect client for linux ...

PA-VM guest ethernet1/x in VMWare Workstation can't communicate with the host OS or any other hosts

My topology is as follows.Client (10.1.1.11) <--> (10.1.1.10) PA-VM (172.16.1.10) <--> (172.16.1.11) Server ethernet1/1 ethernet1/2 PA-VM-ESX-8.0.0.ova image was downloaded from PA support site and installed on VMware Workstation.I was able to ssh and accessing web GUI via management interface. No...

prenatip by L1 Bithead
  • 2588 Views
  • 1 replies
  • 0 Likes

Resolved! BlueCoat Proxy Health Checks Failing through Palo Alto - App-ID "incomplete"

Hi guys, We have migrated our production web infrastructure to run through Palo Alto (previously running through Checkpoint) and although we have no issues with production traffic we are seeing some intermittent failures on our health checks between Child and Parent bluecoat proxy devices. The health check is purely doing a TCP connection on por...

rds-r2d2 by L2 Linker
  • 9572 Views
  • 6 replies
  • 0 Likes

Unable to find interface configured in vm machine in vmware

I’m new to Palo Alto VM series deployment and it’s the new project .. we’re trying to deploy Palo Alto HA in VMware environment . Deployed ovf template and configured management interface . Connected to GUI and all looks ok . But I’m not able to configure any other data interface because there is no other interface available in Palo Alto . But i...

Hari007 by L1 Bithead
  • 8418 Views
  • 6 replies
  • 0 Likes

Resolved! DH group 15 IPSec tunnel

HiI must build up an IPSEC tunel between PA and Watchguard XTM. The other Side gives me ike phase where DH Group is 15. On PA I only can choose Group 1—768 bits, Group 2—1024 bits (default), Group 5—1536 bits, Group 14—2048 bits, Group 19—256-bit elliptic curve group, and Group 20—384-bit elliptic curve group Is there a way to build up a "custom...

PPTP VPN can not be connected to external devices

I have built a VPN server in company domain and I have tried to connect it in the domain computer. Now I need it can be connected to external computer. I have search many information in Internet to know how to do this setting in firewall. But it still not work. Please help me to solve this problem.below is the NAT rules and security rules I set ...

Jacky.Yi by L0 Member
  • 2958 Views
  • 2 replies
  • 0 Likes

Resolved! Radius authentication for Global Protect

Hi community! I have encountered a "problem" with our Global Protect authentication while we were doing some maintenance works.We have an Authentication Profile with 3 RADIUS servers for authenticating the users, and the number of retries is set to 5.So, according to Palo Alto documentation, after 5 authentication attempts against server 1, it s...

Feature request thoughts - around nat selection

Hi I have 2 NAT pools, actually 4, cause for HA each pool is doubled - does that make sense. 1 pool is on a.b.c.13 and the second is on a.b.c.113. All good. what I would like to do is say going out internet interface from src group "out via non prod" nat to a.b.c.113going out internet interface from src group "inside ip address" nat to a.b.c.13 ...

DNS Proxy in Active Active cluster setup

Hi I am looking to setup 2 IP address I want to use for DNS proxy - I was planning on having each ip as a HA VIP - in fail over mode - 1 priotised to one node and the other to the other node Then I tried to setup the DNS proxy - can't attach it to ip but to interface. so I bound it to the same interface I have the HA VIPS on. some times it wo...

Routing issues LDAP AD server profiles

Hi, Im trying to set up Group mapping and foudn an interesting issue that I wabnted to put out here see if theres any ideas that can help us out. This is the situation: Hardwareethernet1/12 is trunk with subinterfacesethernet1/12.2 vlan 2 tagged subinterface with IP = PAethernet1/12.3 clan 3 tagged subinterface with IP = YAD server is on vlan 3 ...

rcaduser by L0 Member
  • 2834 Views
  • 2 replies
  • 0 Likes

Resolved! Security Rule Behavior when Applications selected with Service select in same rule

I have littel confiusion, need to know about that what will happen if i have rule where i have seleted application and custom (home grown application port) port in service tab. Ex- in applicaiton tab i have- Ping,icmp and ssh. in Service Tab- port 8080 and 8081 (custom web services object) Will this work or traffic will Drop. Thanks in A...

PA220 routing issue

I have three PA220s, let's call them PA220-APA220-BPA220-C They are connected in the following manner: PA220-A ---- PA220-B ----- PA220-C All three have an Inside and Outside Interface. All the Outside interfaces are connected via a Layer2 network. My IP addressing, let's say it's the following: PA220-A - Outisde - 172.16.10.1PA220-A - Inside 19...

Palo Alto change source port with communication Cloud Meraki

Hello,We have a client with 300 branch that use Meraki. These branchs has DSL link on WAN 1 and MPLS on WAN 2.We have a follow problem.The meraki send a packet UDP each 10s by interface ip WAN 2, for example 10.200.2.10:3009 , the traffic goes to network MPLS and throght to datacenter of my client and before of out by internet on Palto Alto itse...

How can we troubleshoot high transmit utilization or high utilization issue on interface?

How can we troubleshoot high transmit utilization or high utilization issue on interface? we recieved alert from solarwind like below for our palo firewalls: Summary: itsg_GSOC-XXXXX-Priority:-P3 ALERT: | Hostname | ip address | PA-3020 | serial number | 7.1.18 | 2 | 83 % High Transmit Percent Utilization Description: Interface ethernet1/1 · In...

Old spyware signatures are not sinkholed

I have dns sinkhole in place but the issue here is firewall is not stopping dns resolutions of old spyware(previous dynamic update version) sihgnatures/domains at dns level. Palo threat databse shows the domain as malware but no sinkhole action is taking place. Is this a known behaviour?

  • 24395 Posts
  • 123 Subscriptions
Top Solution Authors
Labels