About sraghunandan

Can you try using app-override to see if it improves performance https://live.paloaltonetworks.com/docs/DOC-2816 ... View more

You can refer this too https://live.paloaltonetworks.com/docs/DOC-2021 ... View more

can you verify if the user mapping shows up the user, use following command to check the same > show user ip-user-mapping all If the user is present can you try manually type in the username i.e first couple of letters ... View more

Can you make sure to see if there isn't a clean up/deny all/same zone deny rule at the bottom. ... View more

what software version are you on ... View more

Incomplete in the application field Incomplete means that either the three way TCP handshake did NOT complete or the three way TCP handshake did complete but there was no data after the handshake to identify the application. In other words that traffic you are seeing is not really an application. So to explain a little clearer, if a client sends a server a syn and the Palo Alto device creates a session for that syn, but the server never sends a SYN ACK in response back to the client, then that session would be seen as incomplete. Insufficient data in the application field Insufficient data means that there was not enough data to identify the application. So for example, if the 3-way TCP handshake completed and there was one data packet after the handshake but that one data packet was not enough to match any of our signatures, you would see insufficient data in the application field of the traffic log. So if the service is set to any we will end up catching insufficient/incomplete traffic since  we haven't seen any application traffic to identify the application and port is wide open.So I would suggest restricting the policies by configuring ports. ... View more

The user can be know using 3 diff ways User-id agent, captive portal and gp. So if the user not know either by user-id agent or Global Protect(ssl vpn client) they should be hitting your Captive portal rule. following docs will help:- https://live.paloaltonetworks.com/docs/DOC-1159 https://live.paloaltonetworks.com/docs/DOC-1040 ... View more

Following options are available:- for http please create a url profile by navigating to object-security profile -url filtering -create an object and set the action for all categories to block. for https traffic https://live.paloaltonetworks.com/docs/DOC-4901 In order to edit/import  the response pages please navigate to device-response pages-url filtering and category match block pages. ... View more

How does the session look like for ex:- show session all filter source (source in question) then do a show session id (id)  and look to see if it shows captive portal session : True. You can also turn on debug for captive portal by using the command:-  debug l3svc on debug and look for logs ... View more

So are you looking for a way to block access to the gp gtwy from certain subnets, you can create a rule with the source zone from where the traffic is coming from to the gp ip and set the action to block. For example if your gp gateway is on the untrust and the subnet is on the trust, you can write a rule from trust to untrust with source ip as ur subnet/dest ip as gp gateway. Please let me know if this is what your looking for. ... View more

1 log might be due to log suppression can you please verify the count against it.the following doc might help:-https://live.paloaltonetworks.com/docs/DOC-4686 ... View more

So when you choose HA sync while downloading and installing updates does it sync over to the other device or no? If not can you manually download them on each device and see. ... View more

Any interface errors show interface ethernet1/2 have you tried changing the cable. If all of the above does not work please open a support case with us. ... View more