About ozheng

Hello M0tash,   Can you check the parameters of the certificate on the server side (LDAP server)? Increase the security level of the certificate (for instance : number of bits to 4096 bits // digest SHA512) and check if this works.   Olivier ... View more

Hello all,   Just a side note : make sure all DNS queries are seen by the firewall, not only the request on udp/53. (thinking about DoH / DoT, more info here https://live.paloaltonetworks.com/t5/blogs/protecting-organizations-in-a-world-of-doh-and-dot/ba-p/313171) Olivier ... View more

Hello Alexandro.Silva,   I think the best way to do what you are trying to do is to create a specific security policy with no logging action for those specific IPs. I am not aware of a way to remove the IP from the threat reports (assuming it is the pre-defined ones). If it is a custom report, you can edit your query to exclude the IPs using the filter builder.   Olivier ... View more

Hello AbdulGafoorPP,   I will not comment on TAC response. If you have SSL decryption, you can make sure that all the URLs required for youtube to be blocked (a google search "block youtube URLs" will give you a list). Olivier ... View more

Hello all,   I remember, there is a new documented behavior (I reviewed the KB) about some commit taking a long time due to a check during the commit. But I don't think this was in PAN-OS 9.1.   Need to check on Monday, I will update the post. Update: my bad, the KB is about the number of rules (not the number of objects), and it started from 10.1   Olivier ... View more

Hello Sidhardahtech,   Maybe you should open a case to TAC.   Olivier ... View more

Hello John_J,   Assuming you are referring to the Wildfire Inline ML (configured in the AV profile), I am not aware of some size limit : the file is checked real time by the firewall against its ML model. Then a file blocked would still be sent to Wildfire to check (update ML model if needed). At that stage, I guess you can have the size limit. Regarding the email, I guess you are more referring to the inline URL categorisation. I am not sure if the email is inspected, but the actual query (once someone click on the link) to the URL would be blocked by the firewall thanks to the URL filtering. Also, we have prepared a PANCast episode to discuss about phishing and the countermeasure on PAN-OS.   Update : https://live.paloaltonetworks.com/t5/pancast/pancast-episode-25-phishing-emails-and-relevant-threat/ta-p/550121   Olivier ... View more

Hello Alpalo,   You can update your certificate profile to block revoked/expired certificates.   Olivier ... View more

Hello SunilduttJ,   You have the list of the new features introduced in 10.2 here : https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-release-notes/features-introduced-in-pan-os.   No big WebUI change between 10.1 and 10.2.   Olivier ... View more

Hello BBartik,   Have you tried to set the VPN Cluster to "full mesh" instead of "hub and spoke"? Olivier ... View more

That's normal, gmail has disabled SMTP (I used to use gmail to get email alerts). ... View more

Hello MYE-Support,   Do you manage the PA-200 using Panorama? If yes, you can add the PA-400, then put in the same template / DG as the PA-200.   Otherwise, you can export the config from the PA-200, import it to the PA-400, then commit / correct the errors (if any). Olivier ... View more

Hello Sidhardhatech,   For troubleshooting purpose, can you try to test using another email service (outlook.com)? If it works, you know you need to check with your email service provider. If it does not work, you need to review your configuration.   Olivier ... View more

You create a new user account on Panorama, you commit then you push the configuration to the firewall. ... View more

Thank you Jbusty, glad my answer helped you 🙂 ... View more