About Claw4609

Hello,   The GlobalProtect clients will only do a version check when checking in with the portal so clients would need to connect, or be currently connected and have the config refresh timeout trigger. I dont believe the update control through the portal will apply to Android/IOS devices, presumably because by default neither allow sideloading applications. This would be controls by the respective app stores or by an MDM.   To echo @BPry point, we do not usually rely on transparent upgrades either and instead push out updates/deliver content via a central platform. Like @BPry you could also enforce HIP checks to stop a version thats two old from basically having any access.  ... View more

Hello,   On that page you linked, are you then going to the TOR exit node list thats linked towards the top? It looks like that list is only a few thousand, and if you remove the IPv6 IPs it looks liek the list of IPv4 addresses is pretty comparable, however is does still look like Palo has about 150 less in their list. ... View more

Hello,   What is your current setup for obtaining user-id information? For example, if you have the Windows/PAN-OS user-id agents setup to poll your DCs or a read-only DC, the most obvious way a renew happens is when the clients do a gpupdate (which I believe the default for that is 90 minutes +/- 30), that generates a login event as far as the DCs are concerned which refreshed the mapping. You would also set the frequency that your user-id agents poll the servers.   You can also obtain user-id mapping via GlobalProtect, either connecting do an external or internal gateway, where that generates refreshes more frequently based on if the client is active or not. You could also obtain user-id via an API, possibly from your enterprises NAC.   Each of those sources would have their own user-id timeouts, and each have some pros and cons so you could use a combination of them.    But also I dont believe this is relevant to that NIST control. The way Im understanding that is terminating inactive/dead sessions, which would be configured under Device>Setup>Session>Session Timeouts ... View more

Hello,   Yeah CDL was renamed to Strata Logging Service, its the same product.    But yes youre firewalls can log to CDL, you should just need the CDL storage license (assuming youre firewalls are in the same tenant as your prisma access)    Start Sending Logs to Strata Logging Service ... View more

Hello,   What does your split tunnel configuration look like? Is it just include 0.0.0.0/0? Under the app configuration of the portal there is also a flag for "Split-Tunnel-Option" what do you have selected for that?   ... View more

Hello,   If you have an example client, do a manually refresh on the clients GP, does it work then? The client may just not have grabbed the new client config yet.     If it still fails after that. Grab the debug logs from a clients GP application and look at the panGPS and panGPA files, itll show in there if it checked for a new version and if it failed or not. ... View more

Hello,   Is this before the logon where the machine certificate is used or after initial logon where a client cert is used? When you specify the OID, do you see that key appear in the Windows registry?  (ext-key-usage-oid-for-client-cert <oidValue>) ? App Behavior Options (paloaltonetworks.com)   If the cert you are looking to use is signed by a specific template you can specify this template in the cert profile as well.  ... View more

Echoing what @DylanSilves has stated. Initial testing of the version has looked promising.  ... View more

Hello,   I had a similar error message when upgrading to I think 10.2.8 a bit back. I had to open a tac case and they had to login to the device with the tac user to get this fixed. I would recommend opening a TAC case for this one. ... View more

Hello,   That should be the only spot where you should have to specify the IP range It sounds like it possible you may now have a return route on an upstream device (or maybe you have multiple VRs and they dont have a route between each other for the ne network. I would next look at doing a packet catpure on the Palo to see if you are getting return traffic at all. If you are and its being dropped I would then check the global counters to see why its being dropped. How to check global counters for a specific source and destinat... - Knowledge Base - Palo Alto Networks ... View more

That command just asks the management plane to reach out to Palo to grab a device cert . This cert is used for various Palo services such as telemetry and url db updates. The command, and cert fetch, by itself wont impact anything. The only thing to be mindful of would be incase you arent getting URL updates and a URL categorization changed since youre last update. ... View more

Hello,   How are you currently identifying vendors within Entra? If you have a vendor group you should be able to add that group to the conditional access in Entra to allow them to still be "compliant". ... View more

Hello,   If you log into the wildfire cloud do you see items there? Dashboard-WildFire Portal (paloaltonetworks.com)   Are you viewing these logs on the firewall itself or in Panorama? Do you have a log forwarding profile set with Wildfire log type to be sent somewhere?  ... View more