ACC not showing after upgrade from 9.1.10 to 10.2.7

I just upgraded our PA 3220 from 9.1.10 to 10.2.7 last night and noticed that there is no current data under the ACC tabs. How do I fix this?

How to decode palo alto netflow app-id from hex value

Hi,I am sending Palo alto netflow to a Linux server. While I capture NetFlow from the server and open it on Wireshark I cannot see appid in plain text format. I only see the hex code. I have attached some screenshot below here. Is there any way to decode this hex code to a plain text app-id?

SCP import file without accept host key

Is it possible that we import file using "scp import" without accept the host key? In ubuntu(UNIX), we can add "-o UserKnownHostsFile=/dev/null" in connection string to avoid storing host key in local machine. I understand that PA's NGFW CLI is not a fully functional shell(bash) as we have in ubuntu. Could we do something similiar to avoid st...

SSH\SFTP Proxy

Hello, I'm currently managing an SFTP (SSH) server. I'm attempting to implement file blocking using the NGFW. I've configured a decryption profile that includes "SSH Proxy". According to the traffic logs, the "decrypt" option appears to be activated. However, I'm not observing any files in the data filtering logs, even though logs for other file...

Routing and NAT Order precedence

In palo alto firewall. What is done first routing or nat for : Inbound traffic Outbound traffic In cisco routers, for outbound, Routing first then NAT, for inbound traffic, NAT first then Routing.

Understanding Packet Flow in VPN Site to Site with Overlapping Subnets

get-ldap-data-failure - LDAP Failover doesn't work

-I had two LDAP servers configured with a firewall, the primary LDAP server had an issue with high CPU and memory due to which the firewall lost the group membership though the firewall has L3 reachability. During the log analysis found that get-ldap-data-failure from Primary LDAP. We manually failed over the LDAP to a secondary one and this r...

How to show the auditing process of objects during policy auditing

Hi Everyone, I'm a new member FW Palo Alto,Currently, I have done a dump of the rule checking process, but I cannot show the process of checking each object against the rules in the firewall, so that I can clearly see the rule checking and the matching of objects before and determines which rule will be selected to handle traffic.For checkpoint ...

Unable to connect GlobalProtect

GlobalProtect Unable to connect and the web portal showing err_empty_response. Certificate is already installed in the client. PANGPS log: (P2832-T9964)Debug( 929): 12/15/23 09:43:34:892 SSL connecting to x.x.x.x(P2832-T9964)Debug( 487): 12/15/23 09:43:34:892 socket send buffer old size is 65536(P2832-T9964)Debug( 511): 12/15/23 09:43:34:892 soc...

Policy match either XFF or layer 3 IPs?

We have load balancers proxying traffic back through a pair of PA5250s and recently started extracting X-forwarded-for data to match in our traffic policies. Is it possible to have rules that match EITHER the XFF IP or the load balancers' proxied IPs at the same time? That is to say, if the load balancer's source is 10.10.10.1 but the XFF sour...

Fragmentation over IPSEC tunnel

when the packets are fragmented and transmitted over the IP Sec tunnel, does PA-FW accept the packets in both of the following options Fragment first then encrypt and forwarded to FW Encrypt first then fragment and forwarded to FW

Web GUI is not working in chrome and mozilla, but working in microsoft edge

Hi team, Starting today, accessing the firewall login via HTTPS is generating an error on both Chrome and Mozilla browser But in Edge its working firewall I kindly request your assistance with this issue. with regards, Wagner Sam Network Security Engineer

Destination Static NAT vs Source Static NAT with Bidirectional

Static Destination NAT: This NAT Rule allows users on Internet to initiate traffic to access internal or dmz server with a public IP of the server let's say 13.1.1.10. The inbound request has a Layer 3 destination IP 13.1.1.10, the firewal then applies a Destination NAT to translate the this destination IP 13.1.1.10 to the private IP of the serv...

Site-to-Site VPN with Static and Dynamic Routing

I read the following article about Site to Site VPN With Static and Dynamic Routing. https://docs.paloaltonetworks.com/network-security/ipsec-vpn/administration/site-to-site-vpn-quick-configs/site-to-site-vpn-with-static-and-dynamic-routing The article says that the Satellite Site uses static Routing so the VPN Peer A has a static routes to...