This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
Buy or Renew
Buy or Renew

About PavelK

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
PavelK
‎02-26-2026
Cyber Elite
since ‎09-03-2021
Cyber Elite
User Activity
User Profile
Latest posts by PavelK
View All
User Badges
Community Statistics
Member Since ‎09-03-2021 06:13 AM
Date Last Visited ‎02-26-2026 01:27 PM
Posts 1,174
Total Likes Received 472

Re: TLS version for WEB UI

by Cyber Elite in General Topics
‎05-16-2022 05:28 AM
‎05-16-2022 05:28 AM
Thank you for the post @DeepakVerma   could you have a look at below links? This might be one way to do TLS version auditing https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000HBGLCA4 https://nmap.org/nsedoc/scripts/ssl-enum-ciphers.html   Kind Regards Pavel ... View more

Re: Url problem

by Cyber Elite in General Topics
‎05-16-2022 05:14 AM
‎05-16-2022 05:14 AM
Hello @Fagani   would it be possible to get more details? What are you seeing in URL and Traffic logs?   Kind Regards Pavel   ... View more

Re: Prisma SD-WAN application SLA setup?

by Cyber Elite in General Topics
‎05-16-2022 05:05 AM
‎05-16-2022 05:05 AM
Thank you for the post @JoeKwok   when you login to Prisma SD-WAN portal, you will land on this page: https://portal.hood.cloudgenix.com/#home If you change the URL from #home to #advanced https://portal.hood.cloudgenix.com/#advanced you will see on the left hand side a menu with advanced setting. These options are hidden from the regular user interface. From here you can view and change default values for all applications. Take a look at: "App Performance Thresholds".   Kind Regards Pavel ... View more

Re: PAN-OS 10.2 : filter incoming OSPF routes

by Cyber Elite in General Topics
‎05-14-2022 07:19 AM
1 Kudo
‎05-14-2022 07:19 AM
1 Kudo
Hello @EmilienRichard   with OSPF, the filtering of prefixes is typically done on device that is either ABR or ASBR. I have to admit that I have no hands on experience with Advanced Routing Engine, however by looking into documentation: https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-networking-admin/advanced-routing/create-filters-for-the-advanced-routing-engine under section: Prefix Lists, there is below point: From the screen shots you provided, it is not clear whether ACI is in a different OSPF area or the same area. If both devices are in the same area, then this would be my first guess that this is a reason why inbound filter does not work as Palo Alto firewall is not ABR.   If I would be in your place and OSPF area re-design would be an option on the table, I would place ACI into non backbone area and used the same filter you already created.   Kind Regards Pavel ... View more

Re: Different between Data Filtering and Enterprise DLP

by Cyber Elite in Enterprise Data Loss Prevention Discussions
‎05-13-2022 03:31 PM
1 Kudo
‎05-13-2022 03:31 PM
1 Kudo
Thank you for the post @JoeKwok   Enterprise DLP is a separate product that goes much beyond traditional Data Filtering profile in Firewall. Enterprise DLP is a cloud based service that can integrate with Firewalls, Prisma Access, Prisma Cloud. What Enterprise DLP is aiming to do is to provide a single DLP platform a across all products/platforms/workloads. You can configure and run Data Filtering profile on the Firewall without Enterprise DLP. With Enterprise DLP you would gain a benefit of Advanced Data Filtering profile that has pre-defined a huge list of data patterns + all the cloud based analytics, however if you have only Firewall and no other product, then it might be overkill. Regarding your question whether Data Filtering is a part of Threat Prevention Subscription. All of my production Firewalls are running Threat Prevention, so personally I would not know, however I just looked into one of my lab Firewall that has no Threat Prevention license (only support is activated) and I can configure a Data Filtering profile and pull up all pre-defined Data Patterns, so I do not think that Threat Prevention license is a must to get Data Filtering up and running. Regarding your question whether Enterprise DLP requires Panorama, the answer is yes, one of the pre-requisite with Enterprise DLP is to have Firewall running at least 10.0.2 and be managed by Panorama.   If you are seriously considering what option to choose, I would recommend to request demo of Enterprise DLP and ideally get a trial to get more hands on test scenarios of data leak to see it is worth to invest.   Kind Regards Pavel ... View more

Re: Panorama Upgrade from 9.1.12-h3 to 9.1.13-h3

by Cyber Elite in Panorama Discussions
‎05-13-2022 02:11 PM
‎05-13-2022 02:11 PM
Hello @JohnSmock sorry to hear you are facing an issue.   I have upgraded my 6x M-200 (2x Panorama and 4x Log Collectors) units to 9.1.13-h3. None of them faced any issue. I do not believe that there is any know issue in 9.1.13-h3. I also do not think, it is worth to downgrade and then make upgrade to 9.1.13, then to  9.1.13-h3. Personally if I face this issue before downgrading/reverting image, I would just reboot Panorama to see this issue is fixed by reboot or not. Based on this I would make a decision whether it is worth to dig further or downgrade.   Kind Regards Pavel ... View more

Re: TCP 179 BGP port exposed to non direct neighbour or multi-hop neighbor, no rules in place allowing such traffic - still reachable

by Cyber Elite in General Topics
‎05-13-2022 03:03 AM
‎05-13-2022 03:03 AM
Thank you for the post @ColinCant   my best guess is that BGP traffic is hitting rule: intrazone-default which by default has action allow. If your firewall is configured to build BGP peer with a BGP neighbor on internet by using local interface then this is not crossing two different zones, so unless you have a rule to block a traffic within zone this will be allowed.   In order to mitigate this, I would place a rule on the top to allow TCP 179 between your IP on Firewall and IP address you are peering with, then place another rule below that to block everything else. Before I put this configuration in, I would also check log to see there is no legitimate intra-zone traffic. For example ipsec tunnel terminating session on untrust interface.   Kind Regards Pavel ... View more

Re: High Availability - Passive Link State

by Cyber Elite in General Topics
‎05-12-2022 06:01 AM
‎05-12-2022 06:01 AM
Hello @Hamid.Saffarzadeh   when it comes to BGP convergence during failover, then it is fairly quick. It is approximately 1 second or less.   Kind Regards Pavel ... View more

Re: Syslog connection broken to server Palo Alto every 20 min

by Cyber Elite in Log Forwarding Discussions
‎05-11-2022 11:30 PM
‎05-11-2022 11:30 PM
Hello @LeeSeeman   thank you for the comment. Since the passive Firewall does not actively process any traffic, syslog connection will not be sending any Traffic, URL, Threat logs,... The only log that is being generated on passive Firewall is System and Configuration logs. If this log is being sent by syslog out to your server, then as a next thing I would be looking into packet capture to see what side is closing connection.   Kind Regards Pavel ... View more

Re: Prisma access without panorama

by Cyber Elite in Prisma Access Discussions
‎05-11-2022 03:37 PM
2 Kudos
‎05-11-2022 03:37 PM
2 Kudos
Thank you for the post @smshafek   without Panorama you can use the option: Prisma Access (Cloud Managed). This is where you manage Prisma Access through a web-based interface using the Prisma Access app in the hub. Please refer to this document: https://docs.paloaltonetworks.com/prisma/prisma-access/prisma-access-cloud-managed-release-notes/release-information/why-cloud-managed-prisma-access   Kind Regards Pavel ... View more

Re: Panorama - log settings validation error

by Cyber Elite in Panorama Discussions
‎05-10-2022 05:24 PM
1 Kudo
‎05-10-2022 05:24 PM
1 Kudo
Thank you for the post @Kathiravan_R   the issue you reported is hard to troubleshoot over forum. Myself when I face issues like this, I sometimes narrow down the root cause by try & error approach, however the first thing that comes to my mind is the dependency between Device Group and Template Stack configurations. The syslog server: Live_Log_Collectors is configured in Template while log forwarding profile is configured under Device Group. The first thing I would try is to roll back the change and first push the Template Stack where you configured the syslog server: Live_Log_Collectors. If this does not give any error, then in the Device Group add Live_Log_Collectors to log forwarding profile and push Device Group to firewall.   Kind Regards Pavel ... View more

Re: PANorama won't see 5250 connected on "Managed Devices"

by Cyber Elite in General Topics
‎05-10-2022 05:57 AM
‎05-10-2022 05:57 AM
Thank you for the post @WilderG   the Alert 21 is most likely close notify. Since you already opened a TAC case you are probably in better hands than anything what I can advice, however as a next thing I would check fragmentation issue between Firewall and Panorama: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PNC8CAO   Kind Regards Pavel ... View more

Re: High Availability - Passive Link State

by Cyber Elite in General Topics
‎05-10-2022 02:59 AM
1 Kudo
‎05-10-2022 02:59 AM
1 Kudo
Thank you for the post @Hamid.Saffarzadeh   based on my experience with Passive Link State set to "auto" the convergence is approximately 1 second or less with "shutdown" it is in the range 3 to 5 seconds.   Kind Regards Pavel ... View more

Re: Does HA2 link failure trigger failover

by Cyber Elite in General Topics
‎05-07-2022 02:52 PM
‎05-07-2022 02:52 PM
Thank you for the post @aijazkhan06   the HA2 link failure does not trigger a Firewall failover. If the HA2 Link fails and there is no HA2 Backup configured, HA members will not synchronize session and state information. Any runtime information that is normally synchronized over the HA2 link will stop synchronizing. In A/P deployments, no state transition will take place. If you enable the HA2 Keep-alive option, then you can get with default action a critical log that ha2-keep-alive failed. Please refer to documentation: https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-web-interface-help/device/device-high-availability/ha-communications   I would recommend to configure HA2 backup interface.   Kind Regards Pavel ... View more

Re: Cancel/undo/revert/delete some Local-overrides that were generated directly in the firewall

by Cyber Elite in Panorama Discussions
‎05-05-2022 11:05 PM
1 Kudo
‎05-05-2022 11:05 PM
1 Kudo
Thank you for the post @Metgatz   if I interpreted your question correctly, then enforcing Template configuration or in reverting to local configuration is fairly easy.   Every time, you see solid green gear, the configuration is coming from Template. If you want to revert it to local configuration, you click on the gear icon and icon changes to orange overlay green gear icon. This indicates that configuration is local. After you commit it, it is using local configuration. The same logic applies if you want to enforce Template over local configuration. You can do this one by one for almost all configurations under Network and Device.   Here is the KB explaining meaning of gear icons:  https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PMj1CAG   Kind Regards Pavel ... View more
Register or Sign-in
Contact Me
Online Status
Offline
Date Last Visited
‎02-26-2026 01:27 PM
Likes Given To
LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2026 - Palo Alto Networks