Demystifying the SSL Decryption on Palo Alto Firewall

On Palo Alto Firewall there are two ways to do SSL Decryption (two actions in the Decryption Policy).

SSL Forward Proxy: for outbound connection (from an inside PC to an external server).

• Used for traffic to external servers
• PA Firewall splits the

Interzone Default Logging not logging

I have enabled logging but it doesn't work.

default-security-rules {
rules {
interzone-default 22c86a38-051f-4d34-9fba-e1867d4830a3 {
action deny;
log-start no;
log-end yes;

It shows it was hit twice. (see attached image)

URL Filtering to block Facebook

Hi all,

I been testing to do URL filtering with whitelist approach (allow some URL and block everything) and also create SSL decrypt policy. As I was checking, it seems like not working to block facebook. I check in the test a site, Facebook fall u

Commit job was not queued. Client logrcvr not connected. All daemons are not available. in 11.1.0

I tried to commit a change to a pa440 and now getting Commit job was not queued. Client logrcvr not connected. All daemons are not available.

has any one else had this. 

Urgent action required: PAN-OS certificate expiration advisory

I recommend reviewing the customer advisory linked above in detail in order to understand the next steps and applicability. Essentially, the root and default certificate on PAN-OS will expire on December 31, 2023 - if not renewed before that date,

MSIntune All IPv4 missing IPs

Hi,

what can i do when i find IPs in PA Log thats missing in the official in the EDL Hosting Service IP/ URL Lists?

The following  IPs are not in die Microsoft 365 "Worldwide Any IPv4" and not in the "MSIntune All IPv4" Lists.

URL:

intune.microso

NFR & LAB

What is the difference between NFR and LAB equipment?

HA Implementation using existing device with autofocus license

Scenario:
Client wants to implement HA setup. Currently have 1 exisiting device.

Problem:
Autofocus license is still active in the exisitng device. No more sku for autofocus license as it is already eos since September 2022.

Question:
Will the HA wo

DLP on PAN-OS Firewalls

Question about the DLP on the NGFW's. I have a customer that's interested in enabling the feature but it looks like this is a cloud based DLP (reports back to Palo Alto's cloud and you manage the DLP features from the cloud), is that correct?

Locally

Team call issue after Failover

We have a dual ISP setup.

Both ISP's terminate on single firewall.

We are doing ebgp with both ISP's and having default route accepted from both.

We advertise our public IP to both Peers and use 1 ip from that subnet as egress IP for all internet tra

High latencies after HA failover

MS-Update identified as a threat, there are no corresponding entries in the threat logs, URL filtering log or data filtering logs

Hi team,

Although MS-Update was flagged as a threat, there are no corresponding entries in the threat logs, URL filtering logs, or data filtering logs explaining the basis for its classification as a threat

The first three logs indicate that the

SSH and console login blocked

cannot login to Palo Alto SSH and console using super admi user. From console it shows error = "user not known to the underlying authentication module"

From SSH it shows error - " Access Denied".

SSH screenshot attached.

Palo Alto syslog service/daemon restart

Hi,

I have three PA-7080 firewalls that have Log forwarding cards (LFC) for forwarding logs using a syslog profile. I use the "debug log-receiver statistics" command to show log statistics. In the output, I found two fields 'log incoming rate' & 'log