General Topics
Post a discussion here if you have general questions regarding configuration and troubleshooting for Palo Alto Networks products. Use this forum to collaborate with like-minded security professionals to improve your security posture.
cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
General Topics
Post a discussion here if you have general questions regarding configuration and troubleshooting for Palo Alto Networks products. Use this forum to collaborate with like-minded security professionals to improve your security posture.
About General Topics
Post a discussion here if you have general questions regarding configuration and troubleshooting for Palo Alto Networks products. Use this forum to collaborate with like-minded security professionals to improve your security posture.

Discussions

DNS Sink Hole not working

8.0.4 I am trying to get SinkHole to work... Not having any luck, using a dns from the release notes of 2520-3016 nslookup gefndb.com returns the real address All looks correct, just does not seem to work ----------------------------------------------------- set rulebase security rules "Rule 1" from TRUSTset rulebase security rules "Rule 1" to U...

Do I need Logging Turned on on TAP security rule?

I am implementing a tap interface to listen to our internal network traffic. I don't want all the non THREAT traffic loged, if I turn of loggin in the security rule will the threats still go to the threat log? (I am presently listening only on a very quiet interface which has generated only one "informational" alert in 24hrs. Thanks Robin

Determining if PAN might be introducing Skype video problems

Skype video calls are often described as choppy. The sysadmins who admin skype for business onlineare point the finger at the PAN 5060. It is not configured for QoS but it's only processing 600Mbpstops and typically around 400Mbps. What might be some means to rule-in, rule-out the PAN? Thank you.

Resolved! IPSec Tunnel performance tips?

Hello folks, I've seen a this article about improving performance by enabling this Adjust TCP MSS. Ours is not enabled.https://live.paloaltonetworks.com/t5/Management-Articles/How-to-Improve-Performance-for-IPSec-Traffic/ta-p/53301 Would this be enabled on the public internet facing interface?I do see some TCP retransmission and reassembled mes...

ipsec_performance.jpg
OMatlock by L4 Transporter
  • 5577 Views
  • 1 replies
  • 0 Likes

Determining if PAN might be introducing Skype video problems

Skype video calls are often described as choppy. The sysadmins who admin skype for business onlineare point the finger at the PAN 5060. It is not configured for QoS but it's only processing 600Mbpstops and typically around 400Mbps. What might be some means to rule-in, rule-out the PAN? Thank you.

debug Palo alto firewall rule

we maintain one PA security policy rule and give ip 192.168.0.11 to access server UTP01, the user is using ip 192.168.0.11, and he can't access the server, we can't find any security log for this. may i know how to debug this rule?

palolili by L0 Member
  • 2798 Views
  • 2 replies
  • 0 Likes

Firewall analyzers

Can anyone let me know about their experience with firewall analyzer tools? I work at a university and we have 20 PANs, but we're expanding to new campuses in a few cities in the US and one in Italy. It's going to be tough to manage double the number of devices, but I can't find anyone with good experiences with these tools. Gartner and Forres...

Global protect timeout

Here is a peculiar situation. We have some field users who use their hotspot to connect to global protect. Sometimes,they loose internet intermittantly for couple of minutes so they are being kicked out of vpn session on their machine. But in fact firewall is still having the session running on portal/gateway. They are being required to enter t...

Source Translations

I'm trying to find out how to get all the static source translations for a perticular subnet on our Pan 7050. I'm trying to make a spreadsheet to keep up to date static ip's being used. Can do such a command cli on the Pan. I was able to do on a Cisco ASA. But still new to palo alto. Any Ideas. Thanks

Resolved! GlobalProtect Inactivity Timer - is HIP Profile required?

So in the configuration of GlobalProtect ( v8.0.5, under Network > Globalprotect > Gateways > (gateway name) > Agent tab > Timeout Settings) There's an 'inactivity logout' setting, that has a description of 'Users are logged out of GP when the gateway doesn't receive a HIP check from the GP app in the time specified'. My questio...

Resolved! SYSTEM ALERT : high : User Group count of 2358 exceededs threshold of 1000

According to the New Features Guide in 7.1 PAN-OS the User Group Capacity was increased to a max of 3,200 groups IF you are following their note below: Do not add entries to the Group Include List or Custom Group list—doing so limits the number of groups that policy rules can reference. Populated lists can have a combined maximum of only 640 gr...

bspilde by L4 Transporter
  • 21506 Views
  • 9 replies
  • 0 Likes

Multiple ISP PA5250

Hi I have been asked to purchase a new PA 5250.It will potentially have 20GB throughput to the internet.i am looking at an active active setup, with Aggregate interface inside to each FW.On the Outside i have been asked to connect to 4 x ISP 5GB Bandwidth on 10GB Bearer to each ISP. (this is for resilience / redundancy)To share the traffic acros...

Resolved! Site to Site VPN Tunnel - NAT

Hello everbody, I am most likely struggling with a NAT problem in a site to site VPN tunnel, hoping you have an idea or tip to this topic.The setup is a site to site VPN tunnel between a PAN and a Cisco ASA.There is a host (172.16.2.20) behind the PAN which should be reached through the VPN tunnel.The problem is that the service provider behind ...

  • 24395 Posts
  • 123 Subscriptions
Top Solution Authors
Labels