About Remo

Added FR ID 11211 - Forced Global Protect network rediscover after IP change   (This one is fo situations where the network is changed from external to an internal, Global Protect should do a network rediscover instead of just reconnecting to the GP Gateway) ... View more

@tszafalowicz  Just ask your SE. He can add you to the beta program or at least forward your request into the right direction. ... View more

Hi @tszafalowicz    @tszafalowicz wrote: I have our Trusted Root CA certificate (and key) imported on the firewall and leveraged that inAfter a failed implementation and a 4-hour support call with Palo, TAC determined that either A) the certificates need to be generated on the firewall or B) the machine certificates (all of them) need to be imported into the firewall. Wait? ... What??? If this is what TAC told you then this is A) totally wrong or B) I don't understand what you are trying to do. I can only speak about what I have done since years: I have never even imported a private key for global protect client cert authentication. For this only the cert is needed and this works for me since years. Our certs are managed by an internal PKI (not on a PaloAlto firewall) - probably like yours.   Are there some special requirements in your infrastructure with these certificates? As I wrote, normally this works like you have described it and is also how it is supposed to work.   Regards, Remo   PS: Feature Request need to be created by telling this to your SE. Here kn the community you cannot ask for feature requests.   ... View more

@tmcneil  When you have received the feature request ID by your SE, please post it in this topic: https://live.paloaltonetworks.com/t5/General-Topics/Feature-Request-List/m-p/209128#M61154 ... View more

Hi @Steve-Phillips    From your description it sounds like already configured it correctly. These events that are allowed are normal because these links were not known as phishing links by wildfire. With that email the url was forwarded to wildfire and the verdict was received by the firewall afterwards. The firewall allows the url/attachment if it is unknown at that time and the reason is that the firewall only does flow-based checks and does not operate in store-and-forward mode like a mailgateway.   Hope this helps, Remo ... View more

Added FR ID 11135 - Completely reomve Global Protect 4.0 Design out of Global Protect 5+ ... View more

thanks, @kiwi I have added FR ID 889 to the feature request list topic here in the community. --> https://live.paloaltonetworks.com/t5/General-Topics/Feature-Request-List/td-p/209128 ... View more

Added FR ID 889 - Mac Address as match criteria in security policy ... View more

Hi @BatD    Yes, you still need to configure the routes in the virtual router. ... View more

Hi @CARRIERJerome    First, I am not a paloalto employee but this sounds like you should buy the URL filtering license ... or why don't you us the decryption opt-out response page to inform the users about the decryption and maybe also **bleep** should reach out to you when the access a banking website that is decrypted? In general, I assume it could be difficult to find a list as keeping this list current is not that easy (which is why companys want you to pay money for this service 😛  ) ... or you simply start creating your own list 😉 ... View more

Hi @pradip1069    It depends on how you have setup your websense proxy. If you have configured it as explicit proxy then you need to do the exclusion in a peoxy.pac file. If your websense proxy is configured as tranparent proxy then there might be a way that you route some traffic directly bit without information about you actual setup this is difficult to say.   Regards, Remo ... View more

@kiwi wrote: Hi @rjdahav163 ,   Any application with a dependency on web-browsing.   Cheers ! -Kiwi.   May I add that you can use URL categories not only for web-browsing dependent applications. Actually also for almost every TLS encrypted connection like SMTPs. So if your connection is encrypted the solution with an URL category probably works as the firewalls also checks for hostnames in the SNI extension and also the CN of a certificate in a TLS connection. ... View more

 Looks like this topic has saved people from mischief 😉   (If this is true then this could have a negative impact on the first 9.0.x release that becomes recommended ... if fewer people who install 9.0.0 right away run into problems, less support cases will be opened, less problems are known and can be fixed and so it could take longer untill all critical ones will be solved 😛   ) ... View more