General Topics
Post a discussion here if you have general questions regarding configuration and troubleshooting for Palo Alto Networks products. Use this forum to collaborate with like-minded security professionals to improve your security posture.

Discussions

App-id not working on some Apps

I am seeing a number of applications which have definitions, but are not being identified correctly: kakaotalk, league of legends, battle.net and guild wars to name a few. These are showing the correct ports but showing as "unknown-tcp". Is there some way to update these, reset the definitions, etc.? All of my App-ids are up to date. Thanks, Bob

BobW by L4 Transporter
  • 7928 Views
  • 3 replies
  • 0 Likes

Resolved! GlobalProtect Enforce Connection for Network Access Captive Portal detection

Hi, We are using global protect with the following agent features : GlobalProtect Enforce Connection for Network Access enable and Captive Portal detection enable with timeout of 3600 seconds. However we can see many cases at some hotels, and airports where the actual portal detection is not being recognised by Global Protect agent. Hence user ca...

Traps - Permit .exe file with specific certificate

Hi, We would like to add a specific certificate ("Exacq Technologies, Inc") to the TRAPS database so that it recognizes all the ".exe" with this certificate as correct and it is not necessary to upload them to Wildfire, since due to the size limitation of the files to be sent configured in the TRAP console itself, these are not analyzed and ther...

Removing peer from HA cluster

I have a pair of PA-3020s running 7.1.x in HA configuration. I need to remove the passive switch from the rack to be used in another location. What is the best way to disable the HA and delete the config from the active switch without risk of service interruption? Thanks in advance.

Resolved! Re-creating a specific routing configuration.

Hello folks, I am trying to reproduce a configuration from work where we use a Metro Line to connect our two sites. It's working at my job, but not at home. It seems like a simple setup and I think I am close, but having an issue. Checking if anyone may have a comment? My test is trying to connect to my esxi server from vsphere client, but una...

OMatlock by L4 Transporter
  • 4830 Views
  • 5 replies
  • 0 Likes

Interface in vsys

Hello, this may sound like a stupid question but I could not somehow find a definitive answer to this in the PAN OS Guide: We have to configure a 3050 in multi-vsys configuration. We would be needing 2 interfaces per vsys and we will be having 2 vsys only. All the interfaces will be L3. Regarding "physical" interface assignment, what is ALLOWED an...

Resolved! Is Zone Protection on Shared Gateways Supported

I have a question regarding Zone Protection on Zones in a shared gateway. Is it supported? When I try and configure it, it seems to be valid configuration. However, as a shared gateway does not generate logs, where do the ZP logs go? Also when I run the command "show zone-protection zone ?" the SG zones do not show in the list so I can't col...

CHammock by L2 Linker
  • 5196 Views
  • 4 replies
  • 0 Likes

Unstable ipsec detection for ipsec-esp-udp application when connecting Globalprotect VPN

We have a setup with a primary PA firewall 1 that passes through Globalprotect VPN traffic to a second PA firewall 2. We've seen sporadic connection problems when connecting a Globalprotect client. Sometimes it can spend up to 2 minutes to establish the VPN. When these connection problems occur firewall 1 will log unknown-udp on port 4501. Besides...

GlobalProtect install restrictions

Hi all, I was wondering if there was a way to restrict who can install the GlobalProtect client? As an example, at the moment if any user launches the gateway page can download and install the client on their own computer albeit they need an active account, but the thought of them being able to install it on an infected home computer does worry m...

djh3003 by L0 Member
  • 3431 Views
  • 4 replies
  • 0 Likes

SSL decryption error

I configured SSL decryption on a Palo Alto VM-50 6-7 months ago. It was working normally until today. Today some users get the error below when they try to open a site. A “decrypt-cert-validation” message is shown in the Palo Alto traffic logs. No error is shown on the Palo Alto or on the user's computer when I disable the SSL decryption rule.

Radmin_85 by L4 Transporter
  • 5939 Views
  • 4 replies
  • 0 Likes

Help with configuration for a test network going through our live environment 5050's

Just mainly need direction on where to go with this. We have 2 PA5050's in our environment and no test network for the main network. We do however have a new test satellite network where some of our DB's and others want it to have access to live environment servers. My idea is to use the 5050's to keep the devices on the test network talking to ...

JeffTQT by L2 Linker
  • 6506 Views
  • 6 replies
  • 0 Likes

Help with IPSEC VPN with overlapping subnets

I'm working with a vendor to set up an IPSEC VPN but we have an overlapping host address. My side has a PA500 and their side is a Sonicwall. Palo Alto Side: Source server: 192.168.100.20 Their Server: 192.168.100.85 My server NAT address: 10.0.0.20 Their Server NAT address: 10.0.1.85 I've configured a NAT rule that goes from Trust to Tunnel Zone: D...

High memory usage PA 3020

Hi, can someone help me? I have PA-3020, about 900 security policies, about 50 vpn tunnels (low traffic), I noticed high memory usage. What could be the reason for this? How can I release this? soft: 7.1.4-h2 Cpu(s): 0.5%us, 0.5%sy, 0.0%ni, 98.8%id, 0.0%wa, 0.0%hi, 0.2%si, 0.0%st Mem: 3850716k total, 3520216k used, 330500k free, 1...

Unused Services

Is there a way to tell if a service is being used? I am trying to verify that the services the migration tool lists as unused can be deleted. It might be enough to go by what the migration tool says but I usually like to verify it a couple different ways.

jdprovine by L4 Transporter
  • 4760 Views
  • 3 replies
  • 0 Likes

Resolved! Oversize Microsoft RADIUS Response Packets

Oversized MS NPS radius response for EAP authentication request is dropped from the Firewall. Is there any solution on this? Customer does not want to make any adjustment or modification from the server end. Apart from enabling Jumbo frames and "adjust TCP MSS", are there any other options which can enable the large packet size only for a particul...
