Consequences of replacing CBC encryption with GCM on IPSec and IKE profiles

I am looking to replace all existing CBC encryption with GCM within IPSec/ IKE crypto but need to be certain that functionality will remain. What if any impact would this have on the existing profiles if changed? Unfortunately could not find a definitive answer on the forums/ elsewhere. Many thanks.

Limit IP address range bandwidth during recurring time period

Need to limit residence hall users bandwidth to Internet monday-friday 8:00 a.m. to 5:00 p.m. The following is how it was done previously on Cisco ASA. Need to translate to PA5430. object-group network MV_NETWORKnetwork-object 192.168.0.0 255.255.0.0 access-list MV_TRAFFIC extended permit ip object-group MV_NETWORK any time-range RegularHours ...

Is there any way to bulk select dynamic group matches - when i filter i need to select over 21 different matches do i really need to select each one?

What is Certificate Pinning and how to deal with SSL Decryption

Certificate pinning was developped to help prevent man in the middle attack. But what is the Certificate Pinning? Traditionally, SSL Handshake consists on the validation of the server’s certificate, let’s say collab.com. The validation is done using the CA’s certificate located in the certificate store of the web browser. The certificate sto...

VPN Performance over Prisma Access : slow downloads

Hi, Can somebody tell met what you can expect from downloading a file over prisma access backbone. Our datacenter is connected to service connection and when I try to download a 200 Mbps file from the datacenter to a remote network located in the same region, I am getting a download speed of 500Kbps per second.(smb transfer) Within the remote ...

LACP LINK DOWN FW PALO ALTO

Hi, I have a customer who's firewall unexpectantly failed over recently, looking at the logs before failover LACP links appeared to fail negotiation right before which triggers failover. Unfortunately HA logs don't stretch back enough! Looking at the l2ctrid.logs (LACP log files on TSF) See the bellow error constantly thrown leading up to ...

end of life and support of Pa-410 device

end of life and support of Pa-410 device

Traffic hits policy with URL Category even though the traffic is not for that URL

We have several policies that permit traffic to 80/443 with no specific destination address, but with a URL category set for a specific URL. For example, we have a post-rule for VPN users to access our internal Splunk server via the URL. The issue I'm seeing is that I am trying to connect to another device using https://ipaddress and the traf...

Question about upgrading to PAN-OS 11.1.6-h14

Hi ThereWe are currently running PAN-OS 10.2.13-h7 and are planning to migrate to 11.1.6-h14.Before moving forward, I’d like to ask if this version (11.1.6-h14) is considered stable and safe to install, and if there are any known critical vulnerabilities that we should take into account.

Palo Alto QOS configuration question

created the below QOS configuration to limit the bandwidth to wasabi to 10 mbps on PA 440. When I checked the QOS statistics, the default group is getting used and not the one I created and also the default group is restricted to 10 Mbps. Please guide me how do I fix it.Interface Ethernet 1/6 has a subinterface Ethernet 1/6.201. Create the QoS P...

Script for pulling disabled rule in set format

Hi Team I am trying to pull the details of disabled rule in set format. I am using pan-sdk .I can pull the complete list but not able to retrieve only rule which are disabled.And is to possible to pull rule in "set" format or need to use XML API ?Any pointer will help here.Thanks, Deepak