About Remo

Hi @A_Adamski  I assume you are already right with your assumption, that this issue is because instagram is owned by facebook and they probably share some parts of the infrastructure. Adding instagram- base is not required as you have already added instagram. Did you check the urls, that are opened in the sessions where the firewalls detect the application facebook base? With this information you could create a new security policy where you add the application facebook-base together with a custom url category where you specify only the urls required to load the images.  ... View more

@Laurent_Dormond  If you have already installed pan-os 9.1.x you can simply create a service object to increase the tcp timeout for that connection. (Doing this with an application override policy is no longer required) ... View more

Hi @Udana  As far as I know, you cannot create an ldap filter that gets all groups in a specific OU. For such a query you need to use the base DN in an ldap server profile. So in this case I recommend to create a new ldap server profile (or copy the existing one) and specify the base DN exactly as you need it to get the groups you need. ... View more

Hi @annielee  The reason probably is that this one application simply isn't enough. When you look at the application information, you will see thst there are other apps which active-directory-base depends on. What application did you see in the logs which was not allowed? If you try to allow domain communication from domain joined clients/servers, please take a look at this post: https://live.paloaltonetworks.com/t5/general-topics/allow-workstations-to-join-domain-controller/m-p/409235/highlight/true#M92431 ... View more

Hi @tcsmithh  Does accessing the internet in general work and only the downloads fail? ... View more

Hi @Support_info  What do you mean with "ldap group membership sync is not working anymore"? Did it once work? If yes, did you change something or installed a new version? Are both firewalls running the same PAN-OS version? Anyway even with the newest windows versions the ciphers shouldn't be a problem - as long as you did not manually disable some of them on the active directory server. Do you have the option configured, that the firewall verifies the servercertificate? If yes, do you have your issuing/root CA cert installed on both firewalls and also marked as trusted root or is this maybe only done on the internet firewall where the ldap sync is still working? ... View more

... or you create a group in active directory where you add these 100 groups to it and in the security policy rule you will then be able to use this active directory group. ... View more

Hi @Udana  You could create a custom group with which you can create a group based on an ldap filter. With this ldap filter you can create a filter with the member-of attribute to include your other groups and then use this one custom group in the security policy. ... View more

I was thinking about the HIP profile because of the topic here where you posted this comment. And also because in the screenshot everything is exactly the same. Another possibility would be an URL category in the rule which makes sometime match one and then again the other rule. ... View more

Hi @SurajN  Do you have installed the latest content update? Because the geolocation db is updated with these updates. You could also create a support case to tell this wrong IP to paloalto, so the could correct this information. ... View more

Hi @gvyskocil  Yes, you're right. For inbound inspection you can use the wildcard certificate. ... View more

Then it looks like the HIP profile does not match all the time. What do you check with that HIP profile? ... View more