General Topics
Post a discussion here if you have general questions regarding configuration and troubleshooting for Palo Alto Networks products. Use this forum to collaborate with like-minded security professionals to improve your security posture.
cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
General Topics
Post a discussion here if you have general questions regarding configuration and troubleshooting for Palo Alto Networks products. Use this forum to collaborate with like-minded security professionals to improve your security posture.
About General Topics
Post a discussion here if you have general questions regarding configuration and troubleshooting for Palo Alto Networks products. Use this forum to collaborate with like-minded security professionals to improve your security posture.

Discussions

URL alerting without SSL decryption

Hello all! I've got a question on URL category alerting. I can set up alerting for malware and phishing categories, for example. I get the alerts if the site is HTTP only. I don't seem to get them if it is HTTPS. My question is this... Shouldn't the domain names still get flagged for those categories just on the DNS query? Not only that but doma...

Active/Active HA tentative state question

Let's say we have 2 firewalls in A/A HAeach firewall has 2 vWire (single interfaces, no aggregration)eth1/eth2 = vWire 1 and eth3/eth4=vWire2link monitoring is set such that if any of eth1/eth2 interfaces are down or any of eth3/eth4 are down the firewall will go into tentative state.Say I unplug eth1/eth2 on FW1. FW1 goes into tentative state. ...

PerryK by L2 Linker
  • 4737 Views
  • 3 replies
  • 0 Likes

Resolved! Cli command to test Authentication Profile requiring exact match

Hey All While working a support case for a customer, I've come accross an odd situation and before I go log to Palo TAC I wondered if anyone else had seen this/was aware of it: So Authentication profile configured with an allow list restricted for one LDAP group. I can use that Auth Policy in say GlobalProtect and sure enough- only users who are...

Resolved! Minemeld Mining IPv6 and IPv4 through AWS JSON script

Hi Minemeld Community, Can I check with the team which existing miner can I use to mine the IPv6 and IPv4 from URL https://ip-ranges.amazonaws.com/ip-ranges.json? Using just 1 miner if is possible. Or how can i customize the miner to mine it. Thank you. Regards Darren Koh

dkoh by L2 Linker
  • 4916 Views
  • 1 replies
  • 0 Likes

Monitoring Individual Dataplane CPU's

We are currently experiencing issues in our network environment with dp0 (specifically) being overutilized on the Palo Alto 5050 and 5060's, mainly due to the fact that IPSEC traffic is not offloaded from dp0 to dp1 and/or dp2. We can actively monitor (via CLI) the individual usage via the following: show running resource-monitor ingress backlog...

Wired and Wi-Fi network hopping and DHCP Server default gateway route metric increases

At my remote offices, I have users that want to leave WiFi and wired on at the same time. I have redundant PA-220's that serve as my local router and DHCP server for both wired and Wi-Fi. The wired and wireless connections are in different networks (/24's) and thus have different default routes. Some users have troubles with weird applications ...

Resolved! PA-850 Cluster Went Non Functional

My PA-850 Active/Passive cluster went non-functional last night causing an outage at our main corporate headquarters. I do have a ticket in with PA but they're being a bit slow to do a root cause on this so figured I'd post and see if anyone has ran into this before. Just before the cluster went non functional the logs looked like this for the...

850-2.PNG
850-1.PNG

Error exporting certificate: Failed to prepare certificate 'NAME_OF_CERTIFICATE' for export

Hi, I generated the certificates on the firewall for Global protect portal and trying to export the file no matter what format, I am getting the error message saying failedto prepare certificate. I am using windown 10 but another user accessing the same firewall can export with no issue, Just wondering if anyone else faced this issue ?

ganees by L1 Bithead
  • 7621 Views
  • 5 replies
  • 0 Likes

Resolved! Can I use PANOS software from a PA-220 on a PA-500?

I have new PA-220 firewalls that are replacing my old PA-500's. The PA-500's have v7.0.5-h2 of the PANOS installed. The Firewall Migration Guide states that I need to update the PANOS on my old firewalls to match the new firewalls at 8.1.0. The PA-500's are out of support, but I do have access to download the PanOS_220_8.1.0 (and earlier vers...

infoit by L1 Bithead
  • 4433 Views
  • 5 replies
  • 0 Likes

Resolved! asa to pan migration

i had a migration from asa to pan which failedcurent conectivity isasa (no change)<>switch (no change)<>asa (to be replaced)planned connectivity isasa (no change)<>switch (no change)<>pan (replacing asa) i reused ips from asa on new pan and cleared arp on no change asa but tcp sessions failed due to incomplete/aging out. ...

josggf by L2 Linker
  • 2291 Views
  • 1 replies
  • 0 Likes

Dynamic Updates only on Active HA Member.

Our active HA member failed last week, and that highlighted that the passive had a couple of minor issues with the Dynamic update configurationa and email configuration which we fixed. Howevr it's also highlighted another issue. Our "Content Updates" are set to update directly out of the firewall external interfaces, yet on the now "Passive" uni...

Resolved! 2 Step RADIUS Auth Reliability

We are trying to get 2FA RADIUS based authentication working with our Palo's and are seeing unreliable results. After much hunting and teeth gnashing we think we may have found the issue, but not the cause. The below is a debug dump from the RADIUS server (RSA AccessID) using Panorama GUI logon as the test case. The first shows a good 2FA auth...

apackard by L4 Transporter
  • 4396 Views
  • 4 replies
  • 0 Likes
  • 24396 Posts
  • 123 Subscriptions
Top Solution Authors
Labels