General Topics

Resolved! Management CPU keeps 100% usage

Hi experts,

We are using PA-2020 in our environment and its firmware version is "4.1.6"

PA-2020 was working smoothly but now it appears very slow process when we click commit action. We have searched and followed many reference such like 1) disable e

...

FYI: Epic Cloud Security Event Feb.6

I haven't noticed anything one this actually come out, and haven't seen any love for it here. However just so everyone is aware Palo Alto is holding an online event February 6th at 9-10:15 PST. You can find further information about the event at the

...

MineMeld - how to prevent age out of DShield in a TAXII output DataFeed

Here is the basic setup that I'm having trouble with:

Miner:

dshield_blocklist: output: true prototype: dshield.block

Aggregator:

aggregator_dshield: inputs: - dshield_blocklist output: true prototype: minemeldlocal.ag...

Modify application

One of the applications (a default one in the Palo Alto) sometimes connects over an other port than the defined standard port for the application. Since I defined the plicys service as 'application default', this traffic gets blocked.

Its the applica

...

Resolved! Difference between pkts/sec vs conns/sec

Hi All,

In Zone Protection Profile, a unit of rate changed from packets/sec to connections/sec when I upgrade into PAN-OS 8.0.

It sounds defferent thing, though is this only changes on GUI and nothing changes on this feature, I mean way of counts is s

...

Recommened PAN-OS as of April 2017 (Q2)

What PAN-OS are people running these days? I am currently 7.0.8 and it is time for the care-and-feeding of the firewall code at my company. I am looking at upgrading to 7.1.8 (but 7.1.9 just came out today).

I do not use any SSL Decryption features.

...

Upgrade virtual firewall to PAN-OS 8.0

Hi,

We are running a number of virtual firewalls on VMware and according to the documentation you are required to add a new hard drive when upgrading to version 8. Moving from 40 GB to 60 GB.

The upgrade itself goes smoothly and the firewall is runni

...

Resolved! ike2 and globalprotect VPN

Can you configure a globalprotect VPN with ike2?

Resolved! BGP filtering question

Hi

Quick question, pretty sure I know the answer.

But I want to redistribute some of the OSPF routes I have into BGP.

So I create a redist profile, say the source is OSPF

then I can use the BGP export filtering to stop what I don't want out.

So lets s

...

Proxy ARP

Hi

I have a 5220 in the DC and a 850 in the office

On the 5220 I have an interface onto network 2.7.3.0/24
On the 850 I have a NAT for 2.7.3.129/32
the 5220 get this via OSPF

How can I make the 5220 response on the interface 2.7.3.0/24 for arp requests f

...

Resolved! CLI command to get the unused/zero hits security policy.

I see unused check box on GUI, what is the command to get similar results on CLI

How does one create an output filter to exclude IPv4 indicators in a CIDR range?

I have various miners. Various miners are connected to various aggregators which are inturn connected in various ways to different types of output.

Some of these miners receive RFC1918 IPv4 indicators. These are aggregated and send to outputs.

...

OSPF and Cisco Routers

Greetings all,

I was doing some Core routing work during an outage this last week and ran into a repeat of some issues we had when we initially put our PAN boxes in to place. The original scenario:

A subinterface existed on the Palo Alto with the ta

...

PA-820 Firewalls Won't Come Back up After Upgrade to 8.0.7

I have two PA-820 firewalls that won't come back up after upgrading to 8.0.7. We have power-cycled to no avail. Support doesn't really have any answers beyond that at this point. We also upgraded an 850 that was fine. Any help?

Resolved! NAT Security rule

I'm used to working on Cisco ASA and I'm having a hard time understanding why the security rule states Untrust-L3 for both the source and destination zone. Typically wouldn't that be Untrust-L3 to DMZ? Is there a specific reason for this behavior?