Next-Generation Firewall Discussions

Where to add Proxy ID with multiple tunnels?

Hey all,

We have 3 firewalls:

C1 = Cisco FW - Policy based S2S VPN -- subnet behind it 10.1.0.0/24

P2 = Palo FW - Route based S2S VPN -- subnet behind it 172.16.50.0/24

C3 = Cisco FW - Policy based S2S VPN -- subnet behind it 192.168.20.0/24

We hav

...

PAN-143485

It says that it was fixed in the 10.0. version, but 10.0. What version did it solve?

I searched the realease note but couldn't find it.

refer https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cm68CAC

PAN-1434858.1.0-8.1.18...

Windows User-ID Agent Disconnect After Failover

Hi All,

I have a customer who had an issue with the WMI using agentless User-ID due to Microsoft security update.

We decided to move to Windows User-ID Agent installed on a domain member Windows Server 2016.

PAN OS 10.2.2 and installed agent version

...

Palo Alto and Forescout

Hi,

I have both Paloalto firewall and Forescout in our organization. This is my current setup.

1.) Forescout handling the grouping for our wireless devices (BYOD).

2.) Paloalto policy is incorporated through user mapping (Active Directory)

4.) I al

...

Resolved! what is the Latest app and threat version after 8671-7826?

I would like to know what is the latest app and threat version after 8671-7826.

When I do dynamic updates , It doesn't show any new version after 8671-7826.

It seems Palo alto didn't release any new version last week.

Could you help me make s

...

Resolved! URL Filtering Error

Hi All,

We are getting an error as "Hmmm... can't reach this page" site's server ip could not found.

And other page is also getting the same error.

Is this a known error? I can see the logs with the IP resolved so i dont think this should be DNS issu

...

bundle gre tunnels and distribute internet traffic across them

Has anyone had a location with more than 1Gbps internet link and also have Zscaler? The limitation to Zscaler is 1Gbps gre tunnel. We have a 10Gbps link and this doesn't work. We have to create 5 nats across 2 routers behind a firewall to build 10 GR

...

Integration of Palo Alto Firewall with Cortex XDR

Hello All,

I need to integrate Palo Alto Firewall with Cortex XDR to get better insights of threats on Cortex console. Please help me with the documentation and what are the license requirement.

Cortex XDR

Thank you.

Regards,

Ninad Ghadigaokar

Resolved! Palo Alto in Virtual wire vs TAP mode.

Hello,
Just wanted to confirm my understanding on the different modes of deployment in PA.
Virtual Wire is an INLINE mode ( similar like IPS) and TAP mode is a passive monitoring mode.
So does that mean if I find an unlocked rack somewhere and I were

...

Outlook web excessive bandwidth usage

Hello,

We recently noticed starting last few weeks that application (outlook-web-online) had a massive data being sent and saturating our internet link.

This looks to be across the network as we can identify multiple users with same application t

...

Resolved! Firewall whitelist

If I add whitelist for firewall, will IPS not defend against the IP or URL in the firewall whitelist?

The customer accesses a Website, HTTPS 443, and the traffic log finds that the application is identified as QUIC, not SSL

Have you encountered this phenomenon and how should you solve it?

OID for network bandwidth usage in kbps

Hello,

Would you please provide us with the OID for the network bandwidth usage in kbps for specific interface using SNMP v3 in below Firewall:

Firewall Type: Palo Alto
Firewall Model: PA-440

Thank You,

Nassim

User insertion fail with keep alive header enable

Hi team,

I have inbound ssl decryption enabled with User Insertion feature enabled too. It is working fine, however when I make a POST request from Postman Application with header "Connection" and value "keep alive" is present the user insertion fa

...

Site to Site RSA_verify failed , error rsa routines (PaloAlto to checkpoint SMB)

trying to establish S2S VPN between Palo Alto 850 and Checkpoint SMB

Certificate based authentication (MS enterprise CA)

The ikev2 is complaining :

====> Initiated SA: XXX.XXX.XXX.XXX[500]-YYY.YYY.YYY.YYY[500] SPI:dcb4c37f6f955782:0898ce67edab9913

...

Discussions

Where to add Proxy ID with multiple tunnels?

PAN-143485

Windows User-ID Agent Disconnect After Failover

Palo Alto and Forescout

Resolved! what is the Latest app and threat version after 8671-7826?

Resolved! URL Filtering Error

bundle gre tunnels and distribute internet traffic across them

Integration of Palo Alto Firewall with Cortex XDR

Resolved! Palo Alto in Virtual wire vs TAP mode.

Outlook web excessive bandwidth usage

Resolved! Firewall whitelist

The customer accesses a Website, HTTPS 443, and the traffic log finds that the application is identified as QUIC, not SSL

OID for network bandwidth usage in kbps

User insertion fail with keep alive header enable

Site to Site RSA_verify failed , error rsa routines (PaloAlto to checkpoint SMB)

upgrade FW (PA-3420)

Alternative Way for IPsec Tunnel in Palo Alto 850

How to find available firmware for a particular model

Upgrade path from PANOS 10.2.8-h3 to 11.1.2-h3

We would like to get the complete list of URLs used by palo alto for Artificial Intelligence URL category

Errors and commit warnings after 11.1.2-h3 upgrade

Re: palo alto pa220 pan os 8.1.5

Re: Upgrade path from PANOS 9.0.17-h5 to 10.1.13-h1

Re: "Let's Encrypt" and geoblocking issues

Re: How to find available firmware for a particular model

Unlock your full community experience!

Resolved! what is the Latest app and threat version after 8671-7826?

Resolved! URL Filtering Error

Resolved! Palo Alto in Virtual wire vs TAP mode.

Resolved! Firewall whitelist