About Remo

Exactly, the possibilities you have are RADIUS or SAML. SAML is great but cannot be used for SSH login (compared to RADIUS). Or a completely different approach is if your PAN management interfaces are located behind a PaloAlto Firewall. This way you could enforce the integrated MFA with captive portal and only when a user is successfully authenticated there he will be able to see the admin webinterface. On the admin webinterface you can then stay with username/password as the additional factor was already entered. ... View more

As @Mick_Ball suggested the actual method you use does not seem to change something with your issue. The must be something wrong on one of these servers or with the configured timeout.   But regarding the actual topics question: ( @BPry@Mick_Ball please correct me if I am totally wrong here) In this case (highly distributed single forest domain) I would also prefer to use the agentless method because of low complexity (at least no added complexity with the log forwarding from DC to log server where the UIA reads the logs) and also because of low bandwith consumption over the MPLS links because the firewall only reads the required log events (compared to having the UIA connecting directly to all DC where it must parse the whole security log and not just the required events). Depending on the actual amount of users, whitch has an impact on the mgmt CPU, I would stay with the agentless solution. And as it is already set up I assume there aren't any problems with high mgmt CPU utilization. ... View more

Hi @Steven_Liefferinckx   So I assume the users computers are not managed by your company? ... View more

Hi @ToniE   Actually there is an option to exclude an application form TLS decryption ... ok, it is a creative workaround to achieve that goal but this solution here should work also in your case: https://live.paloaltonetworks.com/t5/Community-Blog/How-to-bypass-SSL-decryption-for-an-application/ba-p/170752   Instead of the application in the article, you have to use ms-lync-base and/or ms-lync-online. There probably the first connection attemt still fails as the firewall will add the IP after this attempt to that dynamic group, but it is a solution that could save you a lot of work and complaints from customers.   Regards, Remo   Edit: Of course only if the security policies of your company allow such a dynamic TLS decryption exclusion, cause this will add the risk of not decrypting misidentified connections. And thepotential risk that this configuration could be exploited to send data out of your network without decryption ... View more

Hi @Miroslaw_Iwanowski   Template (-stacks) and security rules (configured in device-groups) are two dirrefent things. But what you want to do is possible. Configure all the zones in one temlate, which you apply to all the devices you need. Then your standard rules you configure in a device-group and your specific rules you configure in specific device-groups where you configure the standard device-group as parent group. The firewalls you attach to the specific device groups.   Regards, Remo ... View more

The list with office 365 IP adresses is here (but ther are quite afew entries in that list): https://support.content.office.net/en-us/static/O365IPAddresses.xml   With that you could exclude these IP addresses in your gateway config. Or if there are too many entries your next possibility is with a script that gets executed on the client when it is connected to globalprotect. This script then manipulates the local route table and adds entries for these o365 IP ranges that connections to them will be routed directly instead of into the tunnel. ... View more

Probably not that helpful in your case, but already Panorama with PAN-OS 8.0.x runs perfectly on Hyper-V... ... View more

As per current upgrade recommendation: Download and install 7.1.0 Reboot Downloaf and install 7.1.14 Reboot   These steps are required to make sure that you don't run into problems with PAN-OS Upgrades that get too big because then the firewall does not need to combine the base and minor image into one upgrade package. ... View more

TLS decryption is definately needed when you want to do this. What does your security policy look like when your saying that you only see xyz.sharepoint.com? I assume that you have an URL profile applied to your securitypolicy where you have enabled the setting "Log container page only". Try to disable that and then check again your URL Logs (attention this could generate a lot more logs, so you might want to create a new rule for your IP only where you apply an URL profile with that setting disabled. But what you actually need is probably some more rules with custom URL profiles. Like the following: Allow rule with a custom URL category where you allow xyz.sharepoint.com/document Deny rule with another custom URL category xyz.sharepoint.com Probably your default web browsing policy In the first rule there are may be some other entries required for xyz.sharepoint.com to function properly and keep in mind that you want to configure these custom URL categories directly in your securityrule and not in an URL profile that you attach to that rule.   Hope this helps. If not, feel free to ask again 😉 ... View more

@JacobHustedwrote: Could Palo Alto Traps be used to block crypto mining ? Probably not. At least not yet, as this crypto mining is not a threat in the classical way. It does not really harm your computer as it "only" comsumes ressources.   @JacobHustedwrote: And will we see a Palo Alto URL category for crypto mining ? You can simply block the following threat ID's (Requires Threat Prevention Subscription): 18007 18010 11850 ... View more

If you want to use the management plane for HA2, then yes, you have to use HSCI. The other possibility is that you use a dataplane port and configure it as Type HA. As soon as you do that you could choose that port in the HA configuration. ... View more

Hi @Farzana   I am waiting for this since 2 years. Hopefully support for hyper-v is on the way, but an official statement you probably only get from your SE. (Hyper-V support for VM-Series is around since about 2 years already).   Regards, Remo ... View more

Hi @hshawn   What security policies do you have enabled for the pre logon user? Are all devices with this problem domain joined? Do you have the option "Require Global Protect for Network Access" enabled? Does it happen in the internal and external network? When this issue happend on a connected client from external, do you have dropped traffic in your logs?   ... View more