This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

About kiwi

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
kiwi
Online
since ‎03-24-2011
Community Team Member
User Activity
User Profile
Latest posts by kiwi
View All
User Badges
Community Statistics
Member Since ‎03-24-2011 01:31 PM
Date Last Visited ‎09-10-2025 12:02 AM
Posts 3,182
Total Likes Received 1681

Re: Problem with the DuckDNS certificate for the DDNS service.

by in General Topics
‎07-18-2025 01:41 AM
‎07-18-2025 01:41 AM
Hi @A.Kuszaj ,   Root and intermediate CA certificates expire, or new ones are issued, and the Palo Alto firewall's trusted CA store needs to be updated to reflect these changes. Since it was working for two years and stopped about a month ago, it's probable that a certificate in DuckDNS's chain either expired or was updated, and your firewall hasn't updated its trusted CA store accordingly.  Possibly you may have to install and set the Intermediate Certificate as a Trusted Route CA.  You may have to delete and recreate the Certificate Profile for this to take effect.   Here are a few things you can check:   Clarify which certificate chain you have installed to the firewall ? Refer to the article link to install correct intermediate CA on the firewall: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cm66CAC    Validate the DDNS configurations referring to this document link: https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/networking/configure-dynamic-dns-for-firewall-interfaces  Please refer to this article link providing resolution for Error message: Peer certificate cannot be authenticated with given CA certificates: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PLz3CAG&lang=en_US%E2%80%A9   Hope this helps, -Kim. ... View more

Nominated Discussion: Configure Split Tunneling by Domain

by in General Articles
‎07-17-2025 08:23 AM
‎07-17-2025 08:23 AM
This Nominated Discussion Article is based on the post "Configure Split tunneling by domain" by @BigPalo and responded to by @Raido_Rattameister and @BPry  Read on to see the discussion and solution!   Hi, I just configured split tunneling by domain using this domain test: *.portal.microsoft.com (port 443) But i can not see this traffic going into the tunnel. how can I troubleshoot this?   Note: If you configure split tunneling for a domain then you effectively configure this domain not to be routed into the tunnel but directly towards Internet.   Some considerations:   Do you have a GlobalProtect license so that you can actually utilize this functionality? Have you verified for sure that the traffic isn't attempting to utilize QUIC? This functionality only works with TCP traffic and if your browser is using QUIC (which is UDP) it won't function properly. What agent version are you using.   As far as troubleshooting goes you'll want to set your client logging to debug and look in the logs for the domain in question and look for an entry in PanGPS.log that looks like what is denoted below:     (P6668-T26348)Dump (2039): 07/04/25 03:02:58:982 Domain name wxt-general-ingressgateway.acmhwxt-prd-1.prod.infra.webex.com matches exclude wildcard domain   This will tell you whether it's matching your rules or not.    ... View more

Re: decryption error with Anydesk

by in General Topics
‎07-16-2025 02:39 AM
‎07-16-2025 02:39 AM
Hi @Carracido ,   The error in question strongly suggests an issue with TLS/SSL negotiation, specifically related to the strength of the encryption ciphers or protocols being used. In the handshake you should be able to see what ciphers/protocols are being negotiated.   I believe the following discussion provides a solution to bypass decryption for anydesk: https://live.paloaltonetworks.com/t5/general-topics/solution-for-quot-ssl-decryption-bypass-for-anydesk-quot/td-p/385369/page/3   There was a different approach on reddit: https://www.reddit.com/r/AnyDesk/comments/1jm1xjg/issue_with_palo_alto_ssl_decryption_not_liking/   Hope these help. Kind regards, -Kim. ... View more

Re: Can ACC data really display data per user group?

by in General Topics
‎07-15-2025 05:19 AM
‎07-15-2025 05:19 AM
Hi @Carracido ,   While you might be able to achieve similar results through other means (e.g., by filtering on individual users within a group, or by applying device filters that include or exclude devices associated with certain user groups for policies), a direct "User Group" filter for ACC widget data itself seems to be a limitation.   Kind regards, -Kim. ... View more

Re: Global Protect 6.2.X, HIP Match and Fedora 41

by in GlobalProtect Discussions
‎07-03-2025 06:53 AM
‎07-03-2025 06:53 AM
Hi @LCMember4164 ,   I believe you might be running into bugID GPC-23405 which is related to a wrong location for the OPSWAT license, causing HIP to fail on Fedora 41 using GP 6.2.7 As far as I can see the fix versions is GP 6.3.3.   I'd recommend reaching out to TAC to confirm if you're hitting this exact bug and if it will be backported to GP 6.2.x   Kind regards, -Kim. ... View more

Re: Queries regarding .crx3 chrome extension

by in General Topics
‎07-01-2025 12:11 AM
‎07-01-2025 12:11 AM
Hi @Purushotham ,   The LIVEcommunity is not the right area to submit feature requests (FR). You should reach out to your local Palo Alto Networks representative and submit the FR.  They'll provide you with a FR-ID and you ask the LIVEcommunity users to add their vote to your FR to give it more weight.   https://live.paloaltonetworks.com/t5/community-blogs/how-to-use-palo-alto-networks-new-feature-request/ba-p/409590   Kind regards, -Kim. ... View more

Re: Cdb process not running on PA firewall

by in General Topics
‎06-30-2025 05:27 AM
‎06-30-2025 05:27 AM
Hi @hpdiy168 ,   You'll need someone to gain root access on the device and make the necessary changes on the db. Please reach out to TAC for this.   Kind regards, -Kim. ... View more

Re: Customize Authentication Complete URL

by in General Topics
‎06-30-2025 05:16 AM
‎06-30-2025 05:16 AM
Hi @BigPalo ,   The SAML20/SP/ACS customization feature was first introduced for future PAN-OS versions and was later backported to version 10.2.11. It has been available in the 10.2 OS code from version 10.2.11. Unfortunately, this feature is not available in versions 11.0, 11.1, or 11.2 as of now.  I do not have information on when this will be available in these major versions.   Kind regards, -Kim. ... View more

Re: block geo location IP version 6

by in General Topics
‎06-30-2025 04:59 AM
‎06-30-2025 04:59 AM
Hi @joe.tseng ,   This is not yet implemented but is planned in a future release based on the feature request (FR) information. You can check with your local SE to have your vote added to the FR (NSFR-I-19119).   Kind regards, -Kim. ... View more

Re: Connection Failed unreachable macbook

by in General Topics
‎06-30-2025 04:51 AM
‎06-30-2025 04:51 AM
Hi @rahulfinaviapatel ,   There's not enough info to help you. Please do some troubleshooting and/or check the panGPA logs for more information. https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClkBCAS   Kind regards, -Kim. ... View more

Re: Palo Alto FW and Panorama Requirements for 11.1 or 11.2 version

by in General Topics
‎06-30-2025 04:42 AM
‎06-30-2025 04:42 AM
Hi @filman1979 ,   Here are the PA-VM system requirements: https://docs.paloaltonetworks.com/vm-series/11-1/vm-series-deployment/license-the-vm-series-firewall/vm-series-models/vm-series-system-requirements   Kind regards, -Kim. ... View more

Re: Does the last version of Expedition support Panos 11.1.x code?

by in Expedition Discussions
‎06-30-2025 02:40 AM
‎06-30-2025 02:40 AM
Hi @JoshBolin ,   As far as I know there's no such list or a compatibility matrix.   Taking the timeline into consideration the last PAN-OS versions that Expedition could reliably and generally support would likely be PAN-OS 10.2 or earlier stable releases that were well-established before the EOL announcement in June 2024 (for an EOL in January 2025).  These versions were generally well-supported by Expedition during its active life. If you were using Expedition for migrations from these PAN-OS versions, it would have worked as intended.   Expedition likely had some level of compatibility with PAN-OS 11.0 for importing configurations, as this version was released before the EOL announcement for Expedition was imminent.   Any functionality with PAN-OS 11.1 would have been experimental or problematic given the lack of further development.   If you need to work with PAN-OS 11.1 or newer for migrations or configuration analysis, you should absolutely look into the new tools Palo Alto Networks is providing as replacements for Expedition's functionalities. https://pan.dev/expedition/docs/expedition_apiint/   Kind regards, -Kim. ... View more

Re: Cursor - The AI Code Editor

by in GlobalProtect Discussions
‎06-30-2025 02:11 AM
‎06-30-2025 02:11 AM
Hi @KimKyungMok ,   For roadmap questions please reach out to your local SE. For new feature requests you can also submit them with your local SE.   Kind regards, -Kim. ... View more

Re: Export Codes - HS/ECCN/CCATS

by in General Topics
‎06-27-2025 06:12 AM
‎06-27-2025 06:12 AM
Hi @Brid.Nolan ,   Here's the info for the PAN-PA-455:   ECCN: 5A002 US HTS: 8517.62.0020 EU HS: 8517.6200.00 EU ECN: 5A002a.1   Kind regards, -Kim. ... View more

Re: Flood Attacks: Configuration & Troubleshooting Best Practices

by in Support FAQ
‎06-27-2025 01:01 AM
‎06-27-2025 01:01 AM
This article is awesome !   Those troubleshooting steps and commands are super helpful. ... View more
Register or Sign-in
Contact Me
Online Status
Online
Date Last Visited
‎09-10-2025 12:02 AM
Likes Given To
LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2025 - Palo Alto Networks