Failover whilst HA2 link is down?

Hi! We have two PA440 in A/P HA. We have HA1, HA1 Backup, HA2 and HA2 Backup configured.We are planning on eliminating HA2 Backup to gain one extra interface and we were wondering which would be the downtime if (for some very unlikely reason) our main HA2 link fails and, at the same time, something else triggers a Failover. I realize the HA2 lin...

UserID Redistribution Filters working weirdly

Hi thereI have a customer setup with a central "Hub"/HQ-Firewall (Pair) and a lot of smaller "Spoke"/Site firewalls connected via S2S Tunnels. Each Site and the HQ have local AD DCs and UserID-Agent Server to collect User/IP-Mappings locally. Also in some Sites and HQ ther is Global-Protect running (adds more mappings). The customer needs all th...

Upgrade 5450 to 11.1.6h10

I am currently on 10.2.10-h9 going to 11.1.6h10 (preferred). Has anyone experienced any issue with the new release on 5450 FW? In the past I upgraded to 11.1.4-h7 and it went horribly BAD. Not the upgrade process but that release 11.1.4-h7 has bugs. Non of the websites we are hosting were accessible. sometimes it works and other time so mu...

BFP with OSPF graceful restart causing outages during failover

Dear community! In a active/passive configuration with OSPF graceful restart and BFD enabled, when we do failover we experience a downtime 1 minute after the failover and it takes about 10 seconds to be fixed. Checking the logs it looks like the firewall builds the new BFD sessions with the core switch, but after 1 minute after the failover th...

About BUG PAN-226361 for PA-820 device running version 10.2.10-h9

HelloI wanted to ask you a question about a problem I just encountered, I have seen the BUG PAN-226361 reproduced in the PA-820 equipment is in version 10.2.10-h9 and yet this BUG has been corrected in the hotfix 7 of the same version, does anyone know if it has been re-activated in higher versions and what is the recommendation of Paloalto in t...

Paloalto firewall google drive blocking -- quic based problem

Hello,We are experiencing an issue with blocking Google Drive access through Palo Alto Firewall despite applying several mitigation steps.Current Setup:SSL Decryption is enabled and functioning.Security policies and URL filtering are configured to block:drive.google.comdrive.google**.drive.google.com*.google.com (selectively for Drive-related se...

MItre ATT&CK Mapping for Palo Alto NGFW

Hi Community, I am wondering if there's available Mitre ATT&CK coverage for types of data sources that a Palo Alto NGFW is mapped to?

Subject: GlobalProtect Connection Issue After SSL/TLS Certificate Renewal

Hello Team, We’re currently experiencing an issue where GlobalProtect is not accessible after renewing the server certificate associated with the SSL/TLS profile used by our GlobalProtect portal. Error message:GlobalProtect: Connection Failed. The network is unreachable or the portal is unresponsive. Check the network connection and reconnect. T...

Updating firmware with pending commit

What happens to pending commits if the firewall firmware is updated and the reboot occurs? We have made some interface changes for an upcoming project, but it has been pushed back. If I update the firmware, will the commit be completed or will it stay as pending?

Ansible Galaxy - panos - not ready for advanced routing

When will the Ansible Galaxy be ready for advanced routing? For instance on the module: panos_interface there is no option to choose the Logical router, only virtual router.

Can anyone give me suggestion for how to block only Linkedin Messaging but can access other Linkedin functions.

A commit is in progress. Please try again later

Running 10.2.13 on a PA-440. Current config issues mean a commit fails. The unit keeps trying to auto commit very frequently (which fails). If i try to change the config and commit, i get the message "A commit is in progress. Please try again later". If i try to install a different software version i get the same error. How can i disable auto co...

Application Shift and How to allow linkedIn but block specific linkedin-posting application

When you want to allow the linkedin-base application with a specific Security Policy Rule, for example Linkedin-Rule, the Implicit applications it depends to are automatically allowed by the firewall, this means that the Security Policy Rule Linkedin-Rule that matches the linkedin-base application will automatically allow the web-browsing and SS...