About Remo

Hi @cengasser   With panorama this can be done easily. Is the spare device running or powered off until it would be used? As these 2 devices should have the same configuration, you can simply add id to the same devicegroup and template(/stack) as the 3020. So if it is only you always commit also to the spare 220 or in case of failure you could export the device state from panorama for the 220. ... View more

If you do not block unknown apps from the beginning and start block it without taking the time to prepare for this, then yes it could be a very bad idea. But in general my opinion is this is a very good idea as it gives you more control and better visibility (with the configuration of custom apps and/or app overrides as proposed by @Laurent_Dormond) over traffic in your network. ... View more

Hi @Laurent_Dormond   Between legacy and panorama mode there were fundamental changes in the way the logs are stored, which could result in increased storage requirement but I am not aware of something like what you are seeing. Do you log denied traffic to panorama, specially from the internet? This could result in ups and downs of the actual retention time. ... View more

Hi @Laurent_Dormond   What do you mean with "recently upgraded"? Did you change from legacy to panorama mode? If yes, how much storage do you have attached to your VM and how many CPU/GB of RAM? ... View more

@hfregoso The greatest security benefit you will get if you drop unknown-tcp and unknown-udp towards the internet. If you want verify what I mean then go to this website: https://http-evader.semantic-gap.de/ Even if you have set even low severity vulnerabilities to block, there are still dozens and more ways how a website is able to transfer data/malware to your computer using http evasions - and a lot of them you could catch with this deny of unknown tcp. ... and yes, blocking this towards the internet will also generate some false positives where specific websites/webservers do not behave as described in an RFC... ... View more

Removed   Solution see below from @OtakarKlier ... View more

Hi @_slv_   Because of the way PaloAlto adds the actual login form into the captive portal loginwebsite, you probably need a little javascript. This is the html code for a checkbox: <input type="checkbox" name="terms" value="I accept Terms and conditions" required /> I know it is possible but because of the mentionned way paloalto adds the loginform I need to test this shortly in order to provide some html/javascript lines for your terms and conditions captive portal login. ... View more

Hi @_slv_   Why don't you simply solve this with an additional checkbox on the caprove portal website? With a little javascript you could also make this checkbox mandatory so a login won't be possible unless the user agrees to your terms and conditions.  Because paloalto gives you the ability to customize the loginpage there are theoretocally no limits for whatever you try to do (as long it is something webbased).   Edit: it doesn't even require javascript as there is an attribute "required" for html input objects. ... View more

Hi @_slv_   Do you want to use captive portal only to show terms of service or do you require your users to log in? ... View more

Hi @wicklunds   Try this: Boot mac os in recovery mode Execute de command "spctl kext-consent add PXPZ95SK77" in the terminal (PXPZ95SK77 is the unique identifier for Palo Alto Networks) Remove GlobalProtect for Mac OS Reinstall GlobalProtect for Mac OS   Do you use a macbook or Mac/iMac? ... View more

Hi @dkordyban   Does your IIS only accept connections with SNI or does it serve also a default website for connections without SNI? Did you capture traffic between the firewall and the webserver -> does the firewall send the SNI attribute? Did you open a support case regarding this issue? ... View more

Even if your list contains millions of IPs you could import that list as explained in the article that @BPry posted the link to. But if the list is really big you have to consider the hardware limitations (https://www.paloaltonetworks.com/documentation/80/pan-os/pan-os/policy/use-an-external-dynamic-list-in-policy/external-dynamic-list) if you want to use thst list as an EDL. ... View more

Hi @raji_toor   There are two different databases behind there two features, which means that something that is categorized as malware in URL filtering does not need to be also in the DNS signatures. In addition with URL filtering it is possible that the domain is categorized as business-and-economy while a subfolder is categorized as malware. Another difference is also that the DNS signatures are more "static" than URL filtering. DNS signatures are updated with the antivirus updates and contain always the full list of DNS signatures which is  limited in the way this feature is designed. This DNS signatures simply cannot contain ALL malware, phishing, spyware domains as the list would simply be too big. With urlfiltering the firewall has a local cache of URL and if it does not know the category for a particular URL, it queries the cloud for the category. So what you saw in your logs is actually expected behaviour. If you want to request a change here for something like a cloud lookup for the DNS sinkhole feature, ask your SE to create a feature request for that.   Regards, Remo ... View more