About Remo

Hmn ... does your vsys administrator have the permission to change this? Do you have other administrators with thw same permission where this is possible to change? ... View more

Hi @MP18    Is this a firewallcluster? If yes, how does it look like on the passive node? What PAN-OS version is the firewall running? Did you try this already: reboot? Did you notice this after a change in the group mapping settings? If yes, does it show again correctly if you remove the group again? ... View more

@MP18  On what PAN-OS version did this happen? What was changed in the configuration? Does it work again if you revert this/these change(s)? ... View more

@Retired Member wrote: I just want a client over GP to hit local networks off the PANOS.  Did you configure routes in your internal network that route the GP IP pool to the firewall? When you try ro reach something in your internal network what does the log show you - are there sessions with 0 byter received?   (I don't know if this does cause any problems but the static route that you configured for the IP pool with the tunnel interface as destination I would remove as it is really not necessary) ... View more

Hi @afnogueira    No, the windows client so far does not have an interface to automate such things. With linux your chances are better ... ... View more

@SThatipelly  Unfortinately in your case, the DNS proxy is not a transparent proxy. So in your situation you have to configure the forwarding on your internal DNS server. ... View more

https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-web-interface-help/network/network-dns-proxy/dns-proxy-overview   https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-web-interface-help/network/network-dns-proxy/dns-proxy-settings.html ... View more

@SThatipelly wrote: Please let me know if configuring a DNS proxy with 192.168.10.10 as Primary and creating DNS proxy rules with fqdn *.amazon.com-pointing to 8.8.8.8 will work Yes, this will work with the DNS proxy feature of Paloalto.   @SThatipelly wrote: In short, for all the other requests, users should see their DNS server as 192.168.10.10 and their queries should be resolved by that and only for *.amazon.com,they should be directed to 8.8.8. For the DNS proxy you need to configure an interface on the firewall that listens for DNS queries. This can be the interface of your guest zone, a loopback interface or an other L3 interface. On the clients the ip of the L3 interface has to be configured as DNS server. The clients will then send the queries to the firewall and depending on the forwaeding configuration the firewall forwards the queries to the internal DNS or 8.8.8.8.   ... View more

Did you add an interface management profile to the external interface?   --> https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/networking/configure-interfaces/use-interface-management-profiles-to-restrict-access.html ... View more

Hi @BatD    For automating these tasks to whatever vendor you can imagine: use CBC to be (more) sure that it will work.   Edit: ... but when you already automate it, why not using both as GCM is more secure? ... View more