About Remo

Remo · ‎08-11-2020

Hi @dttech Are you asking for the firewalllogs? Do you have a virtual panorama? Anyway, for the logs, the oldest ones simply get overwritten to store the new incoming logs. The capacity of 1.6TB is already the maximum per 2 TB disk. On these 1.6TB the logs will be stored as you define it in the logquotas. The other ~400GB are raw logs, but these cannot be accessed and actually are logs which are stored in an "old" format prior to be indexed in the new format in the remaining 1.6TB. The maximum of log capacity on a virtual panorama in panorama mode or a virtual log collector is 2x2TB (usable space is 12x1.6TB=19.2TB).

Remo · ‎08-11-2020

Hi @RichardHum I would recomment the option with the script that queries the firewalls API (mainly because I did it already this way with a check on the installed content updates). Do you automatically install the content/antivirus/wildfire updates on the firewall? If yes, then ypur script could periodically query the firewalls and generate an alert for example when the content updates are older than 8 days or when the antivirus updates are older than 2 days. If you are using panorama the query would be even easier aso you do not have to connect to every firewall to see the installed versions. With a log forwarding it would probably work also. When you forward the system logs they will see the logs of the last installed updates and could then generate an alert when there is no such log entry during the last days. So as I wrote, I would prefer the API but you are right, the easiest way for you probably is the logforwarding.

Remo · ‎08-11-2020

Hi @Rajendranahak In your case - unfortunately - there is no way back*. When you activated once a global protect version, you cannot deactivate it. Only re-activate. *with a factory reset you might be able to get back to a state where no global protect version is activated

Remo · ‎08-11-2020

hi @Swetang If your clients are registered in DNS, you could use FQDN objects for this. But why not using userbased firewallpolicies? This way no matter where a user is logged in, the correct policy is applied.

Remo · ‎08-11-2020

So the next somehow obvious question: Is your panorama allowed to connect to iot.services-edge.paloaltonetworks.com:443 or is there another device/firewall in place that blocks this connection?

Remo · ‎08-11-2020

Hi @Padmin7 You don't have to worry about these entries when you click to manually sync the configuration. For some reason there is something that make the firewall show that it is no longer in sync even while it looks like there is everythinh good (as long as thats all on your screenshot). To have them in sync again you need to click this sync button. The management IP and HA settings aren't synced between active/passive firewalls. The full list of configurations and settings that aren't synced between the firewalls you can find here: https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/high-availability/reference-ha-synchronization/what-settings-dont-sync-in-activepassive-ha

Remo · ‎08-10-2020

In order to use a custom URL category to restrict smtp traffic it need to be smtps. This way the firewall is able to filter on the certificate used for the connection. If you are using unencrypted smtp, you have to use fqdn objects to restrict the connection as there the firewall will not see anything that could be used for URL filtering.

Remo · ‎08-10-2020

as you only changed the template order, the 'setting" should still be there, so if your still interested you could check in CLI if something is there. At least you have a solution for your environment 😉

Remo · ‎08-10-2020

Hi @marcelocampos The chance that it is queried by PAN-DB actually isn't very high - as long as these are individual URLs for every user. If it is PAN-DB someone would have to enter the URLs to the request category change website or a user has to open the url in the browser and as long as the category is still unknown, then the URL is automatically queried by PAN-DB. So wildfire is the likely the reason, as the firewalls forward the links in emails to wildfire when an email passes the firewall. So in your case there could be another firewall that forwards the urld to wildfire right? You could write a custom app-id for these test-spam/phishing-emails and for these emails do not assign a wildfire forwarding profile. With this solution you do not have to disable wildfire completely for smtp traffic.

Remo · ‎08-10-2020

Another way probably would be to delete the user-id configuration from the upper template completely (at least if it is no longer used). Then the configuration from the template that you wanted to use should be applied. (In cases like this, deleting this from cli could help)

Remo · ‎08-10-2020

Did you recently updated panorama to PAN-OS 10?

Remo · ‎08-09-2020

@marcelocampos just that I understand correctly: even if you completely remove wildfireprofiles from securityrules that affect your mailflow, the full unique URLs (not only the domain) are still analyzed by a public IP address that belongs to paloaltonetworks?

Remo · ‎08-09-2020

Hi @snimshad What hardware do you use and what software version? Did you try to reboot? I had a firewall where I had the same issue, everytime I did a qos related configuration change in the network tab, the change required a reboot to take effect.

Remo · ‎08-09-2020

Hi @SThatipelly What PAN-OS version do you have installed? It could be related to the protocol http/2 and because of that the firewall does not unterstand it and cannot see and block/log files. Maybe it is the same with a case that I have opened some months ago where a firewall on PAN-OS 8.1 was not able to block files on a specific website. What the exact reason was I would have to check again, but at least this one isn't fixed in PAN-OS 9.1.

Remo · ‎08-09-2020

Hi @rolinger A: In the templates you need to specify the name of the vsys and when you apply that template to a template stack and a firewall the configuration of that vsys is applied to the vsys with the same name on that firewall. If there is no vsys named like that, a new vsys will be created - as you have seen on fw-pair 1 B: delete the vsys in the template and commit and push the configuration to the firewall. After this step you can delete the vsys locally on the firewall to have panorama and the firewalls in sync again.

Member Since	‎03-20-2013 04:23 AM
Date Last Visited	‎11-26-2025 01:29 PM
Posts	2,247
Total Likes Received	813

Online Status	Offline
Date Last Visited	‎11-26-2025 01:29 PM

About Remo

Re: Certificate Expired Warning in Deploy but all certificates are good

Re: How to request a URL filtering change to High-Risk?

Re: Template vs Device Group

Re: sorting question

Re: Panorama Disk

Re: Cortex XDR on Citrix non-persistent multi-user server

Re: Bad support from plaoalto

Re: Activate Firewall with Expired License / Unknown Auth Code

Re: Wait time

Re: Cortex XDR on Citrix non-persistent multi-user server

Re: Captive Portal with custom images

Re: Active-Passive pair takes long to show the status when one is rebooted.

Re: sorting question

Re: Deal Registration End Customer Details not Include

Re: Enable Qos on sub-interface

Re: Admin console unreachable/cant remote in or ping - PA support wont let you submit a ticket without a TSF file - which you get via admin console

Re: How to request a URL filtering change to High-Risk?

Re: Log Container Page Only - impact?

Re: Stop wsc files

Re: Customer Support Portal error

Nominated Discussion - Sorting Question

Nominated Discussion: URL Filtering in TLS v1.3

How to Add Log Forwarding Profiles in All Security Policies

Re: Panorama

Re: Dynamic Content updates

Re: Dashboard we don't want to see global protect client version

Re: Policy Configuration hostname

Re: Panorama messages.

Re: Strange behaviour of HA pair active passive

Re: How can strict mail-server with url-category

Re: PAN-OS User-ID Issue and Workaround

Re: Authorized pishing scenarios, issues with Pan DB Url filtering

Re: PAN-OS User-ID Issue and Workaround

Re: Panorama messages.

Re: Authorized pishing scenarios, issues with Pan DB Url filtering

Re: Qos statistics tab does not show class for multicast traffic

Re: How to inspect email contents within outlook.office365.com?

Re: Assigning a template to a specific vsys within a Template Stack?

Seattle Beta - GlobalProtect (ELK)

Unlock your full community experience!

About Remo