GP certificate differences in 2.3 and 3.1

Hi,

We have an internal CA, we have a certificate generated and it is used for GP portal/gateway only, clients are authenticating via usual credentials. Nothing fancy overall. So there are external clients who do not have CA cert installed, so they a

Interface traffic utilization report for multiple VSYS device

Hi all

So I'm trying to generate a very simple report on the interfaces showing what the max, min and Avg interface utilization was for the PAN device.

So I have two interfaces inbound and outbound, they have multiple subinterfaces created and config

Global Protect Portal and ECN

In PanOS 7.x the Global Protect Protals drops TCP-Connects with ECN Flag set silently. 

This can only be seen in the drop-PCAP.  

Also proxy_offload_check_err counter increments with each SYN.

This  is a behavior which differs from most Webservers we s

Recommended MineMeld System Requirements

What are the typical system specs folks are using for their production MineMeld instances?  Are there any minimum system requirements documented anywhere?  Thanks for the help!

Removing interfaces off a VM-series HA pair

As per title, functionally, this is easy to do.

1. Shut VM down.

2. Remove interfaces from virt solution configuration for the VM

3. Power up. 

4. All is well.

But, in a PAN VM-series HA pair... I'm worried that I might have to shut both down AT THE SAME

Import from xml of a 2 vsys system

I have an xml config export from a PoC system that had 2 vsys configured. Is there a way to peel out one of the vsys configurations from the xml and import vsys1 only?

url-filtering

Hi,

In url filtering adult-and-pornography blocked . But la-xxx.com can accesible
xxx.com not blocked

1)
test url la-xxx.com

la-xxx.com adult-and-pornography (Dynamic db)

2)
test url xxx.com

xxx.com adult-and-pornography (Base db)

other info
----------

show ur

Two L3 interfaces on One Zone

 Hi,

in the setup of the above diagram , I need to run OSPF on Paloalto between two Core-SWs, so I have to create two L3 interfaces  Point to Point with the two SWs.

the two core-SW is considered as inside for me , so from the prespective of routi

how to add my own bulk IOCs into Minemeld

Trying to find a way to do this with some of the miners but it seems that you can only add 1 indicator at a time.

Syslog Miner different confidence values.

Is there the way to separate traffic and threat logs from syslog miner to be directed to diferent outputs based on confidence. What i mean is something like that in rules:

conditions:
  - type == 'THREAT'
fields:
  - misc
  - url_idx
indicators:
  - src_tra

Troubleshooting ipsec tunnel setup.

I have setup ipsec between PA200 and cisco device. When trying to bring tunnel up not even able to establish phase1.

Getting following errors in logs. I have keyed in pre-shared key again on both the sides.

ikev2-nego-child-start:'IKEv2 child SA negot