Next-Generation Firewall Discussions
Palo Alto Networks Next-Generation Firewalls provide true, complete visibility everywhere, along with precise policy control. Ask your questions or provide insightful answers in the discussion forum specific to NGFW.

Discussions

Welcome to the Next-Generation Firewall Discussions!

To make this forum valuable and enjoyable for everyone, please review the following guidelines before participating: Rules and Best Practices Be Respectful: Treat fellow community members with professionalism and courtesy. Constructive discussions are encouraged; disrespectful or inflammatory comments are not. Stay On-Topic: This board is d...

JayGolf by Community Team Member
  • 4516 Views
  • 0 replies
  • 1 Likes

Does the Post-NAT Zone for security policy apply to Source Zone and Destination Zone?

I read the following from the Palo Alto study guide: A Security policy rule requires a source IP, destination IP, source zone, and destination zone. If you use an IP address in a Security policy rule, you must add the IP address value that existed before NAT was implemented, which is called the pre-NAT IP. After the IP address is translated (p...

rmeddane by L2 Linker
  • 9158 Views
  • 2 replies
  • 0 Likes

Demystifying NAT Traversal with VPN IPsec

One of the biggest concepts in VPN technologies is NAT Traversal. Like NAT Traversal in a VoIP deployment with the SIP protocol, the story is always inside the payload, to solve the incompatibility between NAT and IPsec, similar to the incompatibility between the SIP protocol and NAT. IPsec uses ESP to encrypt the whole packet, encapsulating the L3/L4 headers w...

rmeddane by L2 Linker
  • 19730 Views
  • 0 replies
  • 6 Likes

Full Cone NAT, Restricted Cone NAT and Symmetric RFC NAT Terminologies versus Vendor NAT Terminologies.

When we talk about the STUN protocol used for NAT traversal in a VoIP environment or SD-WAN, the common term used for the type of NAT that is compatible with STUN is “Full Cone NAT”. Then, when we explain why the TURN protocol was developed to replace the STUN protocol, the most common reason is “Symmetric NAT is not compatible with STUN”. These ...

rmeddane by L2 Linker
  • 5112 Views
  • 0 replies
  • 1 Likes

User ID - Ignore User list

Hi, I have added a few users to the "Ignore User list" for the User-ID configuration. But when I checked the User-IP mappings, I still see User-ID mapping the usernames to IPs even though the usernames are in the ignore list. Any suggestions on what to check here?

Resolved! HA pair not synchronizing

Hi all, I have a PA-220 HA pair without licenses running on PAN-OS 9.1.13-h3. Recently I had an issue with the HA passive firewall, so it had to be replaced. I extracted the active firewall's running-config and uploaded it into the new passive one. I was able to synchronize the App&Threat version by re-installing the active FW's current version. ...


Can we configure Server Monitoring using OpenLDAP?

Hi All, Here I have a requirement to configure Server Monitoring on a Palo Alto firewall with an OpenLDAP server. I am a bit confused about choosing the type and transport protocol under the Server Monitoring tab. Is it possible to integrate OpenLDAP with Palo Alto Server Monitoring? Please help me get clarity on this. Thanks in adv...

Arun_R by L1 Bithead
  • 809 Views
  • 0 replies
  • 0 Likes

How to decrypt an ESP IPsec packet using Wireshark

Sometimes you want to see how the tunnel mode encapsulation occurs, especially when using GRE over IPsec and VTI IPsec, and you would like to decrypt the ESP or IPsec packet to see how the packet is encapsulated in both scenarios (GRE over IPsec and VTI IPsec), especially for studying or maybe for troubleshooting. Below is how to do it: Configure the...

rmeddane by L2 Linker
  • 9336 Views
  • 0 replies
  • 1 Likes

IPSec VPN Tunnel Interface with IP Addresses

I read the following example of Site to Site VPN IPsec with static routing: https://docs.paloaltonetworks.com/network-security/ipsec-vpn/administration/site-to-site-vpn-quick-configs/site-to-site-vpn-with-static-routing In the figure, the example shows that both tunnel interfaces on the VPN peers are 10.10.10.10 and 10.10.10.11 in the same s...

rmeddane by L2 Linker
  • 4537 Views
  • 5 replies
  • 0 Likes

Incidents contain many alert types... but why?

Hello, everyone. Our product suite now includes receiving alerts from the NGFW, in addition to XDR. It seems, though, that a single incident may include several different alerts. This seems like strange behavior, because the list of alerts comes from many hosts, threat types, or threat vectors. If the Incidents are grouping unrelated alert...

Shared IP in the WAN Side with HA Active/Active and ARP Load Sharing

Can we configure the Shared IP on the WAN side in HA Active/Active? Because I read two things in the PAN-OS Admin Guide: Page 410: As illustrated in the floating IP address scenario, the firewall supports a shared IP address for ARP load-sharing only on the LAN side of the firewall; the shared IP address cannot be on the WAN side. In the sam...

rmeddane by L2 Linker
  • 1553 Views
  • 0 replies
  • 0 Likes
  • 1795 Posts
  • 60 Subscriptions