This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
Buy or Renew
Buy or Renew
General Topics
Post a discussion here if you have general questions regarding configuration and troubleshooting for Palo Alto Networks products. Use this forum to collaborate with like-minded security professionals to improve your security posture.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
General Topics
Post a discussion here if you have general questions regarding configuration and troubleshooting for Palo Alto Networks products. Use this forum to collaborate with like-minded security professionals to improve your security posture.
About General Topics
Post a discussion here if you have general questions regarding configuration and troubleshooting for Palo Alto Networks products. Use this forum to collaborate with like-minded security professionals to improve your security posture.

Discussions

Start a conversation

Discover LIVEcommunity Through Our New Animated Explainer Video!

We’re thrilled to unveil a brand-new animated video that highlights everything LIVEcommunity has to offer! This short and engaging video gives you a quick tour of the many resources available in our vibrant community — from interactive discussions and customer journey guides to the Cyber Elite program and Member Spotlight features. Whether ...

kiwi_0-1745308399217.png
kiwi by Community Team Member
  • 4135 Views
  • 0 replies
  • 0 Likes

Resolved! Split-Brain Enable HA Config Change

We are setup as active/passive and have intentionally caused a split-brain with our firewalls (5050's) by removing one from vwire mode and removing all cables except mgmt port to perform some migration activities. We left the "Enable HA" checked on both the primary and secondary. Question: We want to uncheck the "Enable HA" (primary first with ...

PA firewall with unknown master key and recovery procedure

Hi Team We have a firewall working in Active/Standby configuration. The firewalls has been configured with Master Key .We lost the master key secret ( in other context we not sure the current master key is default or custom configured but noticed its going to expire in 50 days) and would like to know how to restore the device before the master k...

Resolved! 3200 and 5200 Series New Interface Types

Can you please help us with the new 3200 and 5200 interface types, because it is not very clear in the hardware documentation? The firewalls now have HA1 and HA1-Backup dedicated ports. The 5200 also have AUX-1 and AUX-2. Can we still use any other data or management port for HA1 or HA1 Backup?The HSCI interface can be used for high speed HA2 di...

BatD by L4 Transporter
  • 2701 Views
  • 1 replies
  • 0 Likes

Resolved! Problem of PA-220 behind another router

Got a PA-220 to test.Want to setup something like below:Internet <-> Juniper SSG-140 (GW:192.168.1.1) <-> PA-220 <-> user's device (172.16.1.0/24) 1. The SSG-140 can reach internet2. The PA-220 external port (192.168.1.100) can reach internet too3. The PA-220 internal (172.16.1.0/24) cannot reach internet4. The PA-220 internal ...

jeremylo by L3 Networker
  • 2598 Views
  • 2 replies
  • 0 Likes

Resolved! [Minemeld 0.9.48] - Some prototypes not available in the GUI

Hello team! I hope you are doing alright ! It looks like that since the last update (0.9.48), I am no longer able to setup new nodes with the prototypes: stdlib.localDB OR stdlib.aggregatorIPv4Inbound Moreover, a couple of my miners/nodes now have an "unknown" type. Any idea of what could be the cause of that ? Thanks in advance f...

camsad by L1 Bithead
  • 8126 Views
  • 11 replies
  • 0 Likes

Resolved! PA-3260 hardware specification

Hi All, Does anybody know what CPUs are used and how many ram is installed for PA-3260?Our potential customer wants the hardware specification including CPU/RAM information but I cannot find those information. What I only found is following which only shows dimentions, power and etc; no cpu/memory https://www.paloaltonetworks.com/documentation/p...

Resolved! GlobalProtect Access Route for a public website?

Hi folks, We are using a PA 3020 PANOS 7.1.14. We have entered all public IP addresses for Okta in our Global Protect Gateway Client Access route settings.Our intention is for Okta to only see client IP requests come from our one corporate public IP (instead of the client's ISP).We want split tunnelling except for when accessing <name>.okt...

OMatlock by L4 Transporter
  • 5176 Views
  • 5 replies
  • 0 Likes

Resolved! How to disable Global Protect inside Firewall

Hi All,I am looking for a way to have the GP client client NOT connect when I am inside the firewall of at a remote site with a VPN tunnel. Basically I would like to make a rule that says do not connect when connected to certain subnets.Is there a way to do that?Thanks!

Ignoring Users in Mapping

Howdy, Sorry if this has been asked thousands of times, but I cannot seem to locate something quite similiar. We have noticed recently, that some users are logging in with a local computer account and then obviously being able to browse the internet falling into a catch all rule for 'Known Users' which is required. It was suggested, as an optio...

PIRSA by L0 Member
  • 2613 Views
  • 2 replies
  • 0 Likes

Import kerberos keytab from CLI?

Hi, Is it possible to import the kerberos keytab file directly from CLI rather than using the GUI? I have noticed that if the keytab is imported via GUI, the command below is added to the config. set shared authentication-profile my_profile single-sign-on kerberos-keytab **** (actual value removed) But if I want to use this command directly o...

Blocking TLDs with a URL filter

Hello all, I'm attempting to block about 1340 TLDs with a URL filter. However, I can't seem to get the URL filter to not block any URL where the TLD string is part. For example:If I want to block the .able TLD, I block "*.able" via a URL Category that's linked to a URL filter that's linked to a profile on a policy. I expect the following resul...

mbrownnyc by L1 Bithead
  • 15644 Views
  • 11 replies
  • 2 Likes

Radius & OTP Globalprotect VPN

So if I am configuring a a VPN to use radius & OTP (multi factor authentication) and LDAP. Do I add the radius authentication to both the portal and the gateway? and if so where and how does the LDAP authentication occur?

jdprovine by L4 Transporter
  • 9115 Views
  • 13 replies
  • 0 Likes

static routes remain valid even when ipsec tunnel down?

I discovered that static routes associated with ipsec tunnels that are down remain valid and continue to be redistributed by, in our case, OSPF. This is not the behavior we desire. We'd like the static routes to become invalid and not be redistributed when the corresponding tunnel is down. I had a couple ideas, but trial and error is a difficult...

gmparis by Not applicable
  • 8559 Views
  • 3 replies
  • 0 Likes

ICMPv6 Custom Apps

PAN-OS has a gap in AppID for ICMPv6 apps. Working against RFC4890, I created custom apps for the recommended ICMPv6 types/codes. Sharing here for other's benefit. set application icmpv6-echo-request category networking subcategory infrastructure technology network-protocol risk 1 parent-app ipv6-icmp description "ICMPv6 Echo Request" timeout 6...

DrJonBane by L3 Networker
  • 3758 Views
  • 2 replies
  • 1 Likes

Destination NAT is not working when PBF for dual ISP is enabled

Hi All, I followed the guide at this URL to setup the Dual ISP for outbound access. https://www.paloaltonetworks.com/documentation/71/pan-os/pan-os/policy/use-case-pbf-for-outbound-access-with-dual-isps I have set the http/https services to use ISP 2 and other traffic to use ISP 1. It is working find and the redundancy also working fine. However...

hosting not ok when isp 1 up OK.png
hosting ok when isp 1 down OK.png
  • 24340 Posts
  • 124 Subscriptions
Labels
LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2026 - Palo Alto Networks