Best Implementation of PA 8.0

Dear All Expert,

Do anybody can share Best Implementation of PA-8.0 ?
https://www.sans.org/reading-room/whitepapers/auditing/palo-alto-firewall-security-configuration-benchmark-35777 


Best Regards,
Chhayheng

Block SSL urls for BYOD student users- Maintain Cert trust chain

Hello all...

I find myself in a bit of quandary on how to deal with blocking\inspecting various SSL based urls for our student BYOD users.

I realize I need to decrypt the traffic in order to take action on it... but our problem lies with how to deal

Is it possible to export the private key from the forward-untrust certificate to view in wireshark ?

I want to check a specific HTTP request that is send to a webserver and which is currently blocked by one of our vulnerability checks to verify if the signature is correct.

But I need to be able to view the decrypted data on the exported capture, ther

dismiss global protect download link From GP Portal

hi Guys,

well, i m running on version 8.03 and have done all necessary clientless configuration but one thing is a bit weird to me.

-  Once a user log in  via the Portal,  he is able to use or see  the GP download link, has anyone any idea on how to

FTP weird behaviour

Hi,

We realised that our PA is doing something strange with FTP app

We have create and above rule (Servidores a INET 1). All our FTP connections involved should match this rule but we see connections which are jumping this rule and mathicng in another

Global Protect bug/loop - Playstore App version 4.0.4(10)

Hi Guys,

We're experiencing issue with GP app version 4.0.4(10) with Android 7.0.

-------------------------------

1. User inserts credentials

2. Seems logged in

3. Returns to the app home page

4. Promted again with insert credentials

----------------------

Skype for Business - Send files

Hi,

Having some issues with Skype for Business and file sending. When i have SSL Decryption on, I cant recieve or send files over SfB (Works when I turn it off).

Does someone know what URL`s i should add to the "NoDecrypt" url list to make it work?

GlobalProtect & User-ID

Hello,

I am trying to find some information on how to configure GlobalProtect with User-ID but haven't been able to. What I am trying to do is to enforce a new policy where when some of the users, who have laptops that aren't joint to the enterprise

GlobalProtect HIP not identifying products.

Hi.

I have two different HA-pairs with GP VPN configured on them. I'm trying to get HIP to work on the client, but I'm running into issues.

First issue is there are a number of applications we're checking for including Dell Kace and Comodo AV Suite a

Migrating FW HA Pairs from Panorama -to- Panorama

Due to some organisational restructuring a requirement has come about to migrate existing FWs which are managed and associated to Panorama-A  over-to  Panorama-B with minimal amount of pain or change in terms of policies.

So essentially Panoram-B wil

Group Mapping

Included Groups under Group Include list showing full LDAP distinguished name. Would someone be able to advise how to configure a firewall to display "DomainName\GroupName" instead? 

Thank you

Marek

Incorrect URL Category Displaying In Syslog

Hello,

Since we have enabled Insufficient-content (PAN-DB) as a URL category a few weeks ago, some of these URL category logs are displaying in Syslog as an old Brightcloud category called Unconfirmed-Spam-Sources. We have not used Brightcloud for ye