About Metgatz

Hello @bigtone    Two things: It is one thing for the client to be behind a web proxy: There it is only enough that at the Proxy config level, allow or bypass the URL and/or subdomain of global protect, example: https://yourpublicIPoryourpublicsubdomainortheoneyouuse/* https://yourpublicIPoryourpublicsubdomainorwhicheveruses globalprotect/global-protect/* https://yourpublicIPoryourpublicsubdomainortheoneyouuse globalprotect/global-protect/login.esp Example: vpnglobalprotect.acme.com or la IP publica, si que usas la Ip publica y no un subdominio 200.200.200.200 por dar un ejemplo. Now if apart from the client be behind the proxy and at the same time behind Palo Alto itself. On Palo Alto you must configure a no NAT rule. A source zone rule, the internal zone(s), pointing to the external zone, untrust, the wan zone of the firewall and the public IP and/or FQDN subdomain of the firewall and not setting any type of translation, that is, no NAT and It will already allow you to connect to Global protect from the Internal network.   Also you can check, at level App Portal Global protect config, the option:    Detect Proxy for Each Connection (Windows only) Select No to auto-detect the proxy for the portal connection and use that proxy for subsequent connections. Select Yes (default) to auto-detect the proxy at every connection.   Best regards ... View more

Hello @lprasad , publishing the server is easy.   Now you must create a NAT. A destination NAT: Source zone Untrust/WAN, destination Zone WAN/Untrust ( The WAN or Untrust zone you have defined in your AP ). Destination Address: Here you must point to the public IP that you are going to use to publish your service, for example the IP of your Public Interface or another IP that you define. Then in Translated Packet Destination Translate there you set the Private IP, the internal IP of your server is 192.168.0.20 I understand, according to what you have mentioned in the Post. Now, after you have the destination NAT policy created, you must apply the security policy. Source Zone Untrust/WAN, in destination the final destination zone example DMZ or Trust or Internal or LAN, according to how you have it defined in your firewall. Then in address destination, you must put the public IP not the private IP, but the public IP that you are using to publish the server and service. Now in the service section, there, I recommend you only in the security rule/policy, put at Service level only the ports that you are going to publish, example Service-https ( if you are going to publish 443 ) and/or other services example Service-8080 ( You create the service example 8080/TCP ) or Service-8083 ( Same TCP/8083 ). The latter in order to only publish the strictly necessary ports and services. For example you do not want to publish RDP if it is a windows server, or 22 if it is a Linux/Unix server or some administration port that should only be limited internally. Depending on the level of subscriptions that your Firewall has, I recommend you to apply security profiles such as VP, Antivirus, Wildfire.   Support links: https://www.packetswitch.co.uk/palo-alto-nat-example/#:~:text=Source%20NAT%20is%20used%20for,private%20network%20to%20the%20Internet . https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/networking/nat/source-nat-and-destination-nat/destination-nat Best regards ... View more

Hello @kenanuenal    Good afternoon, did you try to update your Dynamic Content Updates ?   Best regards ... View more

Hello @mateuszga    Good afternoon, did you try to update your Dynamic Content Updates ?   Best regards ... View more

Hello @maniac72    OK ok, that's another thing. Yes I have implemented scenarios with DYNDNS, for example Palo Alto's Global Protect VPN service. So if for some reason, you need to expose your xbox among other equipment to be accessed from the Internet, but you don't have a Static Public IP.   I recommend: On the modem, configure the DYNDNS service so that the Modem, which has dynamic Public IP addressing, publishes and updates the IP.   Now with that done, in the same ISP modem, you can configure a DMZ or Port Mapping specific to a certain IP/Ports will be, the External interface of your Palo Alto, which I imagine has an IP in the same LAN range, of your Modem.   Well then it looks like this: IPdynamic-Internet----Modem ( Config DYNDNS user password host )-----Interconnection Palo Alto----Interface External Firewall Palo Alto--- DNATs on Palo Alto to your local resources and devices.   With that scheme, point everything to the Modem, to the Dynamica public Ip, then either use DMZ to forward all external traffic to the Palo Alto external IP or The Ip and certain Ports, then just do the DNATs you require on the Palo Alto and also a Source Nat, so that your devices can go out to the Internet through the Palo Alto and then they go out with an IP of the range of your LAN of the Modem and already, it is not complex at all, just make sure to configure DYNDNS in the modem, then point to the external IP of the Palo Alto and then in the Palo Alto configure the Destination Nats that you require, and that's it.   Best regards ... View more

Hello @AadidevArun    In a LAB we test the same options and settings, in especial force change password, gracetime, login account, and we have the same problem ... Unfortunately the only way, without login is ... Factory reset and load a previus backup you have on your laptop  an another device ... Sorry   I recommended test this kind of changes in a LAB enviroment.   Best regards ... View more

Hello @hasan-setiyawan    In my experience in tshoot, equal 75% or above, required atention   Check this KB, Maybe help you   https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClRTCA0   Best regards ... View more

Hello @mudvayne15    Check this KB, maybe help you   https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PLJ7CAO   Best Regards ... View more

Just validate that you do not have any conflict with the permitted IPs that you declare, remember, in the management profile that you are attaching to your WAN Interface, not in the MGT configuration, but in the management profile that you attached to the WAN interface.   Remember, they are public IP ranges, not private, if they are external, they have to be the public IP of the locations, from where you are allowing access to your web-gui. No, the service routes are used when for example your MGT interface, the MGT interface IP, does not have an exit to the Internet and for example you want to use some other interface for services such as DNS, dynamic updates, among others. Check if there is any policy that may be denying your traffic from the public IP where you intend to give access to your public IP, i.e. external zone to external zone (the default policy of Intrazone should allow it, but still better to check if there is such a setting). And well, global protect is the VPN Remote Access service, so it adds an additional layer of security to not fully expose your admin web to the Internet, but you connect through global protect and then reach the MGT IP to manage the firewall. A support link for global protect:   https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClFbCAK    Best regards ... View more

Hello @jeff_pawlowski , good afternoon.   So, from what I see you are trying to allow access through one of your Outside/Untrust/WAN interfaces. Question, so to this interface you attached a Management Profiles profile allowing certain Public IP ranges ( I imagine the Public not private ranges are the ranges... ), you enabled SSH/HTTPS and PING. Now from the public ranges you are allowing you have PING response to that Interface ( did you try removing the Permitted IP Addresses just temporarily to validate access and correct connectivity ? ). Now another doubt, do you have Internet access working correctly from that PaloAlto you mention ? did you add the default route to the virtual router routing ? and did you validate that you have Internet access at least outbound from the public IP, the Gateway and the Internet ( from CLI ping source the PUBLIC IP of the WAN host interface the public IP to validate, example 1.1.1.1.1, 8.8.8.8.8 and your own public gateway, ideally add a trace ) ? Did you validate , although as it is from zone to untrsut to untrust, it should allow it by default unless you have made some adjustment at policy level, but did you validate in Monitor-Log-Traffic if there is any policy that may be restricting access ? Now this is not the best practice, exposing your administration to the Internet, but if it is a requirement, the best thing to do is to apply the correct IP Permitted and at the same time restrict access to it from the outside adding a second layer of security with security policies. Now more importantly, I recommend the best practice is to use GlobalProtect, I recommend enabling globalprotect, and once connected to globbalprotect, reach your MGT IP. At the Global protect level, you can restrict the IP(s), user and ip at the policy level and also at the permitted IP level on the MGT interface to allow only certain segments to reach, for example certain segments or trusted IPs on your LAN and certain IPs or IP range that you use for global protect. Remember also that when you enable Global Protect, and you still want to reach from the outside directly to the public IP of your Firewall, the WEB-GUI HTTPS administration, port "4443" is used. So you must ensure that this SSL/HTTPS connection is allowed on port 4443 (Palo Alto Service).   How to Access the WebGUI when GlobalProtect Is Enabled: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cm8SCAS   Best regards ... View more

Hello @perumalj    Good evening, it all depends on the use.   Example if you have a firewall or a HA of a pair of PA 52XX series, you have the possibility to use virtual systems. That allows you virtual system, to be able to segment a Firewall in several, example: Thinking about a company, an enterprise, or a Holding company and you want each of the companies to have its own virtual firewall inside a physical hardware, is where in this use case ( there are more ) can make sense:   Example: Company 1: Will have the VSYS1 and will occupy the first 4 interfaces of the Dataplante. Company 2: Will have VSYS2 and occupy 2 interfaces (smaller network). Company 3: Will have VSYS3 and will occupy other 4 interfaces.   And so, you can segment the administration, changes, policies, among others.   Here are some docs with details and use cases:   https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/virtual-systems/virtual-systems-overview/benefits-of-virtual-systems   https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/virtual-systems/virtual-systems-overview/use-cases-for-virtual-systems   https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/virtual-systems/virtual-systems-overview/virtual-system-components-and-segmentation   Support Platform Firewalls:   https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/virtual-systems/virtual-systems-overview/platform-support-and-licensing-for-virtual-systems Best regards ... View more

H @FCI i, did you check what I told you? If you have configured permited IP ? If so, remove or place the network segment of the IP of the laptop, that is from the same segment of the IP of the MGT, the IP that you place in your LAPTOP. Also check if something happens at the level of Duplex and speed of the MGT interface, so that you try to force.   https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClMVCA0    Best regards ... View more

Hello @FCI    By these coincidences, will you have IP Allow enabled at the MGT config interface level, which may be restricting access? Is Ping, SSH, HTTPS enabled in the MGT config? Did you try (Of course only Temporary, for security ONLY temporary) enable Telnet in the MGT interface and try?   Does it respond to ping? Another thing, you have tried, by CLI, enabling a connection through one of the Data Plane interfaces, one of your routed interfaces or configuring a routed interface, and adding a management profile to be able to arrive, also trying directly connected.   https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClGdCAK    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClkVCAS   Best regards ... View more

Hello @raji_toor :   The section Logging and reporting its about local log space ( local PANORAMA PAN-OS and Log space ) the Collector Groups is the storage for the log of the firewalls.   Check this links: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PMTXCA4 https://docs.paloaltonetworks.com/panorama/9-1/panorama-admin/manage-log-collection/configure-log-forwarding-to-panorama    Best Regards ... View more

Hello: I understand more or less what you want or wish to do as a goal:   When you create as Address type FQDN, you place the subdomain and Palo Alto will be in charge of resolving at DNS level. That if the Palo Alto must be able to connect with one or two DNS servers, to be able to resolve these addresses. If the Palo Alto does not have DNS set up it will not be able to resolve these addresses.   I understand that what you want is that when traffic goes to a certain destination, example a FQDN, example: www.testingfqdn.com ----> 1.2.3.4/32   Well if that is what you want to do, when it goes to that destination apply a Source NAT, what you should do is the following: First, you must set the corresponding zones, source, e.g. your network/LAN zone, destination your outside/Untrust Internet zone. Now in the original packet section, in destination, instead of any, put your FQDN. Now in the translation section, in the "Source translation" section, enter the IP with which you are going to translate the traffic, e.g. the outgoing interface, if it were a public IP, then select the Untrust interface and the Public IP of your interface. Now if you are looking to do a DNAT or PortForwarding the configuration is somewhat different.   Here are a couple of sites/links to guide and support you:  https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/networking/nat/nat-configuration-examples  https://www.packetswitch.co.uk/palo-alto-nat-example/    Best regards ... View more