General Topics
Post a discussion here if you have general questions regarding configuration and troubleshooting for Palo Alto Networks products. Use this forum to collaborate with like-minded security professionals to improve your security posture.

Discussions

Discover LIVEcommunity Through Our New Animated Explainer Video!

We’re thrilled to unveil a brand-new animated video that highlights everything LIVEcommunity has to offer! This short and engaging video gives you a quick tour of the many resources available in our vibrant community — from interactive discussions and customer journey guides to the Cyber Elite program and Member Spotlight features. Whether ...

kiwi by Community Team Member
  • 4449 Views
  • 0 replies
  • 0 Likes

Zones

Is it possible to use DG layering to solve DaaS Zone issue?? 1. Can we create a DG-DaaS whose parent will be ‘DG-AWS_DQA’. 2. Assign Seattle DQT firewall to DG-AWS_DQA 3. Assign Ashburn n future Chicago to DG-DaaS (since it has DG-AWS_DQA as parent, it will have both DaaS and DQT rules attached) Not sure if this will work or I’m missing basic config...

kpotru by L1 Bithead
  • 2634 Views
  • 3 replies
  • 0 Likes

Is it possible to use DG layering to solve DaaS Zone issue??

Is it possible to use DG layering to solve DaaS Zone issue?? 1. Can we create a DG-DaaS whose parent will be ‘DG-AWS_DQA’. 2. Assign Seattle DQT firewall to DG-AWS_DQA 3. Assign Ashburn n future Chicago to DG-DaaS (since it has DG-AWS_DQA as parent, it will have both DaaS and DQT rules attached) Not sure if this will work or I’m missing basic config...

kpotru by L1 Bithead
  • 1884 Views
  • 1 replies
  • 0 Likes

IPSec Tunnel from vsys1 to vsys2

Hello All, I have a design issue to mull over, and one of the options is to look at having ipsec tunnels between vsys instances on the same box. So, I have vsys1 as my default vr, what I may need to do is turn up vsys2 and have certain traffic in vsys1 'hop' over to vsys2. Sounds problematic so my first instinct is to encap it between vsys inst...

Resolved! Configure IPSec between Palo Alto devices

We have two vpn Palo Alto devices. One in our HQ department and one in a remote location. I need to setup an IPSec VPN tunnel between these sites with the Palo Alto devices but I never did this before. On the Palo Alto website I found this article which was helpful https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Configure-IPSec...

ZEBIT by L3 Networker
  • 4121 Views
  • 4 replies
  • 0 Likes

Rule base documentation

PA Best practice says you should have your rules documented on the rules and somewhere other than your rule base. Anyone doing that? And if so, how?

jdprovine by L4 Transporter
  • 6858 Views
  • 15 replies
  • 0 Likes

Resolved! Redistributing Tunnel interface into OSPF no longer working

Hi, I have a strange scenario here. To summarize, I had previously configured GlobalProtect on a Palo firewall and configured the Palo to redistribute that network range on the tunnel interface into OSPF. This worked without any problem. Now, the IP address range for GlobalProtect users needed to change so I had to go and change the IP pool for G...

Bocsa by L3 Networker
  • 4495 Views
  • 3 replies
  • 0 Likes

Monthly Graph Reports (Pie&Line Charts)

Hi, we have to build monthly PDF reports with nice graphs like Pie&Line Charts for the management. Unfortunately PDF summary reports are the only ones which contain graphs (despite the ACC Widgets) and are generated only every day. Is it possible to generate them monthly? Best Regards Juergen

Resolved! HA Sync with different Configuration

I have two firewalls previously on HA (Active-Passive mode). We had to shut down the passive device due to some troubleshooting. Then we had to roll back the config of the active PA. Here's the current setup. (HA links not yet cabled) Active PA - lower config version (e.g. version 207) Backup PA - higher config version (e.g. version 210) If I conne...

User-ID Policy not being used

We have an agentless User-ID setup. Firewall is able to pull user accounts from the AD. User-ID based policies were created on top of IP-Based policies. However, some user traffic can be seen using the user-id based policies, some users can be seen using the IP-based policies. This happens on all of my sites. Is this a normal behavior? Or is there...

Resolved! Subinterfaces and Policy based routing

Hi, so I've configured a new L3 subinterface on an existing L3 interface, both with IP addresses and I thought it was going to work. I've got a PBR rule in place on the previous hop, a HP switch, which diverts some traffic to this new subinterface. I can see the selected traffic allowed out from the Palo's traffic monitor logs but, from the clie...


GlobalProtect Certificate auth debug

Could anyone please advise a good way via CLI to debug certificate authentication. I have followed most of the log files but cannot find one related to GP authentication. Many thanks in advance...

Mick_Ball by L7 Applicator
  • 2461 Views
  • 1 replies
  • 0 Likes

API - list just device groups in panorama

Hi All, Does anyone have any idea on how to list just the name of device groups in panorama using the api if I do the following path: https://mypanorama/api/?type=config&action=get&key=<my key>/config/devices/entry[@name='localhost.localdomain']/device-group it lists the complete configuration of all the device groups. thanks for a...

Harshit by L3 Networker
  • 3411 Views
  • 1 replies
  • 0 Likes

Managing single pair of VM firewall with and without Panorama

Hi Palo Alto Community, I wanted to ask what are the pros and cons of not using a Panorama for managing a single pair of VM-300 firewalls. From reading documentations etc, the main benefit of Panorama would only be if this was a distributed deployment managing 10's or 100's of firewalls. If in this case it was only 2 VM's to be managed a Panorama...

Resolved! How does the PFS Inbound Inspection work?

Hello Team, I am wondering how exactly the Inbound Inspection with PFS works? Diffie-Hellman per definition has the functionality that a key agreement is happening without transferring the key through the "unsecure" channel. All passively listening instances are not able to determine (calculate) the key used for the encryption. Well with this inf...

tisc by L1 Bithead
  • 3920 Views
  • 1 replies
  • 1 Likes