General Topics
Post a discussion here if you have general questions regarding configuration and troubleshooting for Palo Alto Networks products. Use this forum to collaborate with like-minded security professionals to improve your security posture.

Discussions

Discover LIVEcommunity Through Our New Animated Explainer Video!

We’re thrilled to unveil a brand-new animated video that highlights everything LIVEcommunity has to offer! This short and engaging video gives you a quick tour of the many resources available in our vibrant community — from interactive discussions and customer journey guides to the Cyber Elite program and Member Spotlight features. Whether ...

kiwi by Community Team Member
  • 4118 Views
  • 0 replies
  • 0 Likes

Resolved! GlobalProtect Access Route for a public website?

Hi folks, We are using a PA 3020 PANOS 7.1.14. We have entered all public IP addresses for Okta in our Global Protect Gateway Client Access route settings. Our intention is for Okta to only see client IP requests come from our one corporate public IP (instead of the client's ISP). We want split tunnelling except for when accessing <name>.okt...

OMatlock by L4 Transporter
  • 5167 Views
  • 5 replies
  • 0 Likes

Resolved! How to disable Global Protect inside Firewall

Hi All, I am looking for a way to have the GP client NOT connect when I am inside the firewall or at a remote site with a VPN tunnel. Basically I would like to make a rule that says do not connect when connected to certain subnets. Is there a way to do that? Thanks!

Ignoring Users in Mapping

Howdy, Sorry if this has been asked thousands of times, but I cannot seem to locate something quite similar. We have noticed recently that some users are logging in with a local computer account and then obviously being able to browse the internet, falling into a catch-all rule for 'Known Users' which is required. It was suggested, as an optio...

PIRSA by L0 Member
  • 2607 Views
  • 2 replies
  • 0 Likes

Import kerberos keytab from CLI?

Hi, Is it possible to import the kerberos keytab file directly from CLI rather than using the GUI? I have noticed that if the keytab is imported via GUI, the command below is added to the config. set shared authentication-profile my_profile single-sign-on kerberos-keytab **** (actual value removed) But if I want to use this command directly o...

Blocking TLDs with a URL filter

Hello all, I'm attempting to block about 1340 TLDs with a URL filter. However, I can't seem to get the URL filter to not block any URL where the TLD string is part. For example: If I want to block the .able TLD, I block "*.able" via a URL Category that's linked to a URL filter that's linked to a profile on a policy. I expect the following resul...

mbrownnyc by L1 Bithead
  • 15606 Views
  • 11 replies
  • 2 Likes

Radius & OTP Globalprotect VPN

So if I am configuring a VPN to use RADIUS & OTP (multi-factor authentication) and LDAP, do I add the RADIUS authentication to both the portal and the gateway? And if so, where and how does the LDAP authentication occur?

jdprovine by L4 Transporter
  • 9091 Views
  • 13 replies
  • 0 Likes

static routes remain valid even when ipsec tunnel down?

I discovered that static routes associated with ipsec tunnels that are down remain valid and continue to be redistributed by, in our case, OSPF. This is not the behavior we desire. We'd like the static routes to become invalid and not be redistributed when the corresponding tunnel is down. I had a couple ideas, but trial and error is a difficult...

gmparis by Not applicable
  • 8544 Views
  • 3 replies
  • 0 Likes

ICMPv6 Custom Apps

PAN-OS has a gap in AppID for ICMPv6 apps. Working against RFC4890, I created custom apps for the recommended ICMPv6 types/codes. Sharing here for others' benefit. set application icmpv6-echo-request category networking subcategory infrastructure technology network-protocol risk 1 parent-app ipv6-icmp description "ICMPv6 Echo Request" timeout 6...

DrJonBane by L3 Networker
  • 3754 Views
  • 2 replies
  • 1 Like

Destination NAT is not working when PBF for dual ISP is enabled

Hi All, I followed the guide at this URL to set up the Dual ISP for outbound access. https://www.paloaltonetworks.com/documentation/71/pan-os/pan-os/policy/use-case-pbf-for-outbound-access-with-dual-isps I have set the http/https services to use ISP 2 and other traffic to use ISP 1. It is working fine and the redundancy is also working fine. However...


Custom Syslog sender From Cisco WLC

We have wireless users. Cisco WLC directly sends syslog to PA. We have to parse it correctly. But after doing so we get the following. We also implemented agentless AD integration. We want users authenticated through AD to be able to connect to some internal resources passing through the FW. But when we type show user ip-user-mapping all type SYSLOG we see the following

Radmin_85 by L4 Transporter
  • 2711 Views
  • 2 replies
  • 0 Likes

Move zone and policies between VSYS

Hello, One of our customers wants to implement VSYS. Currently, the current firewall is a Checkpoint appliance (around 900 rules). The idea is to replicate the config from the Checkpoint to the PA with only one VSYS to avoid a big bang... So I will create all zones (in the only VSYS in the beginning) and policies between zones. Until now, everything...

licenselu by L4 Transporter
  • 4295 Views
  • 3 replies
  • 0 Likes

SSL Inbound decryption and SMTP

Hi, does anybody have issues with SSL inbound decryption and setting the SMTP decoder in the AV Profile to reset-both (antivirus + wildfire)? When the firewall receives an email (with SSL/TLS encryption enabled), successfully decrypts the message and finds a virus, the firewall is not sending an SMTP response code 541. The firewall just blocks/resets the ses...

iweltag by L2 Linker
  • 4461 Views
  • 1 reply
  • 0 Likes

How to factory reset VM firewall

I was downgrading the VM 500 firewall from 8.1.1 to 8.0.10 and booted the image with the wrong config file. I am able to SSH to the firewall, but the maint mode username & password (serial #) is not working. How can I reset the password and bring the VM 500 back to factory default settings?

Prakhar by L2 Linker
  • 4127 Views
  • 1 reply
  • 0 Likes

DNS query to problematic web site

The PA itself generated the DNS query for the domain from the management interface. Why would it come up with this action, when DNS proxy is not enabled? Please kindly advise. Log: This host was detected performing a DNS lookup for the domain en[dot]wt1[dot]pw. Although no traffic was detected with the IP behind this domain, this domain is used to buy...

samhk by L0 Member
  • 2413 Views
  • 2 replies
  • 0 Likes

Redundant Interface

Is there a good way to make an AE act like an ASA redundant interface? Basically all traffic goes through one interface unless it fails, then goes to the other interface. I'm looking for the same functionality that the ASA redundant interface provides but don't see a good way to do it. Thanks.
