This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
Buy or Renew
Buy or Renew
General Topics
Post a discussion here if you have general questions regarding configuration and troubleshooting for Palo Alto Networks products. Use this forum to collaborate with like-minded security professionals to improve your security posture.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
General Topics
Post a discussion here if you have general questions regarding configuration and troubleshooting for Palo Alto Networks products. Use this forum to collaborate with like-minded security professionals to improve your security posture.
About General Topics
Post a discussion here if you have general questions regarding configuration and troubleshooting for Palo Alto Networks products. Use this forum to collaborate with like-minded security professionals to improve your security posture.

Discussions

Start a conversation

Discover LIVEcommunity Through Our New Animated Explainer Video!

We’re thrilled to unveil a brand-new animated video that highlights everything LIVEcommunity has to offer! This short and engaging video gives you a quick tour of the many resources available in our vibrant community — from interactive discussions and customer journey guides to the Cyber Elite program and Member Spotlight features. Whether ...

kiwi_0-1745308399217.png
kiwi by Community Team Member
  • 4111 Views
  • 0 replies
  • 0 Likes

Resolved! PA inbound decryption

PA drop (decrypt-error, policy-deny) packet when client present a certificate (SMTP STARTTLS). PAN OS version: 8.1 Test cases 1) Client cert TRUSTED, TLS 1.2 with ECDHE-RSA-AES256-GCM-SHA384 Client send Certificate Verify TLS payload openssl s_client -starttls smtp -crlf -tls1_2 -cert trusted-cert.pem -key private.key -cipher 'ECDHE-RSA-AES256-G...

decrypt-error.jpg
decrypt-error2.jpg
decrypt-ok.jpg
decrypt-ok2.jpg
blabla by L2 Linker
  • 8190 Views
  • 8 replies
  • 0 Likes

Dataplane increment from 07/03/2018

Hi, We realised that we have had an increment in dataplane from 07/03/2018. Before this day the normal value was 42% aprox. After that day the normal value is incremented to 58%. So we would like to know the reason for this increment.I check "resource monitor", sessions, cpus, etc.... and i dont see anything about what it could cause this increm...

Resolved! Panorama fails to deploy PanOS to Firewalls

We have a Panorama (M-100) managing several PA5020 firewalls. We need to update the PanOS from 6.1.7 to 6.1.10 (don't push for higher this is all we can do for now). I've updated the Panorama to the 6.1.10 version. Now i try to use the deployment software option and upload the 5020 PanOS but nothing shows after the status bar finishes. Isn't it...

Resolved! Any 'Bards' up for a poetic challenge?

It doesn't always need to be hard work and no play, some fun distractions should be part of the job 😉 Therefore I'm calling on all the bards among you (poet warriors in case you never played AD&D 🙂 ) to have a swing at a geeky or funny limerick and show us your best To keep things interesting, I'll be handing out loot to the top contribu...

reaper by Cyber Elite
  • 3493 Views
  • 2 replies
  • 6 Likes

Resolved! User ID agent user-IP mapping refresh evets

Hi Experts As you know the default cache time for user-IP mapping in user-ID agent is 45 minutes. If I am not using WMI or netbios or server session monitoring then: 1- How user-IP mapping can be maintained by user-ID agent? This means user has to logout and login again after every 45 minutes? Can I increase this to 10 hours to cover the office ...

Resolved! how to add PA forward decryption certificate to Minemeld

Dear all, first of all, thanks a lot to all contributors for this great project. Quick question: I configured my Minemeld instance in my local network and I also have SSL interception configured on my PA. For the moment I had to exclude the IP of the Minemeld instance from SSL interception because of error messages. I assume that's because M...

Resolved! Certificate Error on Miner Refresh

Currently Running MineMeld Version 0.9.40 on Ubuntu 14.04. I am getting the following certificate error. I have tried updating the self-signed cert, restart, ubuntu reboot. with no change.

iheredia by L1 Bithead
  • 11181 Views
  • 6 replies
  • 0 Likes

Resolved! Certificate is expired and is shown in the browser

Good Morning, System: PA-3020SW Ver: 8.0.6 we are trying to implement a certificate on our Test Firewall and have encountered the an expired certificate.We have created the certificate (self-signed); however, when I go to the Palo Alto GUI, the browser says 'Not secure.' The information from the certificate shows that the certificate was valid f...

Certificate Error.png
jasfree by L1 Bithead
  • 5375 Views
  • 4 replies
  • 0 Likes

Resolved! URL classified as Malware but not sinkholed

Hello, Quick question for a specific URL (cia.toh.info) This URL is classified as malware in PAN-DB but doesn't show ip in the AV release notes as a malware site so it doesn't get sinkholed when we do a DNS lookup for that url. We've noticed other URLs exhibiting the same behavior. Has anyone else seen this? Is there a disconnect between the ...

epeeler by L2 Linker
  • 2538 Views
  • 1 replies
  • 0 Likes

Virtual Wire

Hello! Is possible to have configured Antispyware with DNS Sinkholing and External dynamic lists (URL filtering) in virtual wire envirnoment.Is it working if I configure only one L3 port on PA and put on fake IP , all other interfaces remain on virtual Wire mode?I'm using PA-3020. Thank you very much for your answerAles

ales by L0 Member
  • 1958 Views
  • 1 replies
  • 0 Likes

Resolved! I've bought 1 more public IP range but cannot use it

Dear all,I've 2 internet lines connected to 2 different ISP: ISP-1 and ISP-2. Default route to internet is the connection to ISP-2I just bought 1 more public IP range from ISP-1 that belong to a different subnet with my current ISP-1 public IP range.Now I want to NAT my server using an IP in the new public IP range, but server cannot connect to ...

Hongson by L2 Linker
  • 4854 Views
  • 5 replies
  • 0 Likes

OSPF adjacency flapping - normal?

While trying to track down the cause for 3 recent Internet outages we've experienced at one of our schools (which we still haven't determined the cause to yet), we've noticed that our OSPF adjacencies are flapping up and down across the district. Multiple times per day, across multiple sites, going back to the beginning of last month (that's as...

fjwcash by L4 Transporter
  • 21824 Views
  • 21 replies
  • 0 Likes

Resolved! URL block message

We are getting this message, when opening websites sometimes. My suspect is the unknown category which was set to be blocked recently. But i don't know what is the source page of this message and it is the same message everytime, with business name on top of it. Although it has nohing to do with streaming. I have seen this message before too but...

image.png
raji_toor by L4 Transporter
  • 7223 Views
  • 4 replies
  • 0 Likes

Resolved! Permissions of user-ID service account for wmi and netbios probing

Hi All As I know to read the logs from DC, "Event Log Readers" permission is required for service account. For WMI probing to clients, I need all below (please correct me if I am wrong) 1- Service account permission should be "Server Operators" in AD to read the CIMV2 namespace on the client systems2- Give proper permission to the service accoun...

  • 24332 Posts
  • 124 Subscriptions
Top Solution Authors
View All
Labels
LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2026 - Palo Alto Networks