This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

About NikolayDimitrov

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.
NikolayDimitrov
‎03-10-2022
since ‎06-15-2021
L3 Networker
User Activity
User Profile
Latest posts by NikolayDimitrov
View All
User Badges
Community Statistics
Member Since ‎06-15-2021 10:38 PM
Date Last Visited ‎03-10-2022 02:58 AM
Posts 49
Total Likes Received 15

Re: Template for Prisma Access to Cisco

by in Prisma Access Discussions
‎08-05-2021 03:26 AM
‎08-05-2021 03:26 AM
You are using the predefined templates for cisco right?     https://docs.paloaltonetworks.com/prisma/prisma-access/prisma-access-panorama-admin/prisma-access-for-networks/quick-configs-for-network-deployments/use-predefined-ipsec-templates-to-onboard-service-and-network-connections       If you have issues because Prisma access is just many Palo Alto CN series container firewalls or virtual firewalls in a cloud you can just review the normal article for connecting Palo alto to Cisco IOS device:   https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClJ3CAK     https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClLbCAK       There are also a lot of youtube videos and other documentation for VPN between Palo Alto and Cisco just modify your Palo Alto Template and Cisco configuration following the instructions. ... View more

Re: Prisma Access rules : how to calculate when used?

by in Prisma Access Discussions
‎08-05-2021 03:21 AM
‎08-05-2021 03:21 AM
I think that "-" means that the rule never matched but if the rule had a hit count but stopped being used then after time it will be placed in "unused"     https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/monitoring/view-policy-rule-usage.html ... View more

Re: Configuring Prisma Access Remote networks and Service Connections on the same device/site

by in Prisma Access Discussions
‎08-05-2021 03:14 AM
‎08-05-2021 03:14 AM
Why not just use Remote network SPN connection if you need firewall capabilities (this is needed if you don't have next generation Firewall in the data center otherwise the service connection is used) for filtering traffic going out of the Data Center ? With Remote Network again the internal DNS servers, Ldap servers and etc that are behind the Remote Network SPN can be accessed by Prisma Access or mobile users or other Remote Network Sites?       Just as an info If you need a service infrastructure/connection because of the mobile users routing you can create a fake one without the ipsec tunnel being up and use the SPN for filtering traffic comming from your DC and allowing traffic to your DC from mobile users or other SPN remote networks for services like internal DNS , LDAP etc. ... View more

Re: Is it possible for Prisma Access to split the traffic between the on-premise globalprotect gateways and the prisma cloud based on app/domain/ip_ad

by in Prisma Access Discussions
‎08-05-2021 03:07 AM
‎08-05-2021 03:07 AM
After talks with Palo Alto it seems that in the future if globalprotect app is used for VPN to the prisma access and also a PAC file is used for web filtering with Prisma Access then there will be seamless authentication (afrer authenticating the VPN connecton to prisma access there will be no need to authnticate the Explicit proxy connection) but if the globalprotect app is used for VPN connection to local on premise gateways and a PAC file is used for Explicit proxy connection then the user will need to enter their credentials 2 times (once for the VPN and once with SAML for the Explicit Proxy) and seems cumbersome to me as many proxy vendors use the agents to share the user Windows SSO credentials to the cloud based explicit proxy services, so should be possible to be done. ... View more

Re: content update job failed for user panorama

by in Panorama Discussions
‎07-27-2021 04:53 AM
‎07-27-2021 04:53 AM
Have you checked the hard disk if it is full as it can cause such issues:   https://live.paloaltonetworks.com/t5/general-topics/knowledge-sharing-troubleshooting-and-investigating-full-hard/m-p/411960#M92779       Also see:     https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/threat-prevention/app-and-threat-content-updates/content-updates-troubleshooting.html ... View more

Re: TCP Reset being dropped at firewall

by in General Topics
‎07-27-2021 04:49 AM
1 Kudo
‎07-27-2021 04:49 AM
1 Kudo
Please see my article for globalcounters, flow basic and pcap captures for such issues:   https://live.paloaltonetworks.com/t5/general-topics/knowledge-sharing-palo-alto-checking-for-drops-rejects-discards/m-p/402102#M91777 ... View more

Is the Best Practice Assessment (BPA) integrated with Prisma Access cloud managment interface?

by in Prisma Access Discussions
‎07-12-2021 12:48 AM
‎07-12-2021 12:48 AM
Is the Best Practice Assessment (BPA) integrated with Prisma Access cloud managment interface? I saw that there that BPA can be used for the Prisma Access if it is managed by Panorama by creating a tech support file and uploading it to the BPA but what about managing Prisma Access without Panorama then is there an intergration with the BPA or Heatmap? ... View more

Re: Can the internal DNS server be behind SPN not a CAN?

by in Prisma Access Discussions
‎07-12-2021 12:43 AM
‎07-12-2021 12:43 AM
I think that also Authentication servers like LDAP and other services can be behind an security processing node if the Data Center does not have a good firewall (this is why service node seems a bad idea). As the Prisma Access is full mesh iBGP I will consider this the case as every source may connect to every destination (only for mobile gateways a  CAN even if it is without active ipsec tunnels is needed for routing) till someone says that this is not possible.         Edit:       Palo Alto confirmed that this is the case. ... View more

Can the internal DNS server be behind SPN not a CAN?

by in Prisma Access Discussions
‎07-07-2021 09:12 AM
‎07-07-2021 09:12 AM
Can the internal global or specific   internal DNS servers for mobile users or remote networks be behind SPN and not a CAN as the CAN is just there for routing for mobile users without a real active ipsec tunnel?     Basically I mean the internal DNS servers to be in the remote network address space that is connected to the SPN, because the SPN provides policy check and ssl decryption as the Data Center firewalls is old layer3/4 with no ssl decryption, better use SPN than a CAN.     https://docs.paloaltonetworks.com/prisma/prisma-access/prisma-access-panorama-admin/prisma-access-for-users/quick-configs-for-user-deployments/dns-resolution-for-mobile-users-and-remote-networks ... View more

Re: DNS license expired.

by in General Topics
‎07-07-2021 09:05 AM
‎07-07-2021 09:05 AM
You can find article easily if you just check in google:     https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClXoCAK     Also read this for if a reboot happens what will happen to the database:     https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/url-filtering/pan-db-categorization.html ... View more

Re: not able to disable packet-capture for DNS security from panorama 10 to firewall 9.1

by in Panorama Discussions
‎07-07-2021 02:36 AM
‎07-07-2021 02:36 AM
You may also check the free trainning for Panorama edu-120 (free registration to Palo Alto beacon is needed https://beacon.paloaltonetworks.com/student/catalog ... View more

Re: When specifying the AD group in the Authentication profile, admin login is not working

by in General Topics
‎07-07-2021 02:31 AM
‎07-07-2021 02:31 AM
You can check if you match group:     https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClVcCAK       Also if you hace not added the domain you will need to do <domain>/<group> as if you added the domain it will be just <group>     https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-web-interface-help/device/device-authentication-profile/configure-an-authentication-profile             I also recommend to learn Palo Alto for you to take the Palo Alto free digital learning palo alto edu-110 and edu-120 (free registration to Palo Alto beacon is needed https://beacon.paloaltonetworks.com/student/catalog😞     https://live.paloaltonetworks.com/t5/blogs/edu-110-and-edu-120-available-for-pan-os-9-0/ba-p/260257     Also CBT nuggets and INE have good palo alto trainning.     ... View more

Re: When specifying the AD group in the Authentication profile, admin login is not working

by in General Topics
‎07-07-2021 12:22 AM
‎07-07-2021 12:22 AM
Have you followed the article below as maybe your user is not in the correct Microsoft AD group and this is why you have issues?     https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/authentication/troubleshoot-authentication-issues.html       Also read this and confirm that you have settup your firewall to do group resolution/mapping:     https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClGOCA0     https://docs.paloaltonetworks.com/globalprotect/9-1/globalprotect-admin/authentication/enable-group-mapping.html ... View more

Re: DNS license expired.

by in General Topics
‎07-07-2021 12:13 AM
1 Kudo
‎07-07-2021 12:13 AM
1 Kudo
The two licenses are not related:     https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/subscriptions/all-subscriptions.html     Check your URL filtering license:     https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-web-interface-help/device/device-licenses.html       I also recommend to learn Palo Alto for you to take the Palo Alto free digital learning palo alto edu-110 and edu-120 (free registration to Palo Alto beacon is needed https://beacon.paloaltonetworks.com/student/catalog😞     https://live.paloaltonetworks.com/t5/blogs/edu-110-and-edu-120-available-for-pan-os-9-0/ba-p/260257     Also CBT nuggets and INE have good palo alto trainning. ... View more

Re: not able to disable packet-capture for DNS security from panorama 10 to firewall 9.1

by in Panorama Discussions
‎07-07-2021 12:03 AM
1 Kudo
‎07-07-2021 12:03 AM
1 Kudo
Why it shouldn't work? You just disable the "single-packet" capture for the categories on the correct profile under the correct device group in Panorama and commit and push the config to the firewalls:         https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-web-interface-help/objects/objects-security-profiles-anti-spyware-profile.html ... View more
Register or Sign-in
Contact Me
Online Status
Offline
Date Last Visited
‎03-10-2022 02:58 AM
Latest Tags
Likes Given To
LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks