About mivaldi

Some sites are listed in the HSTS list, which means that even if you're trying to browse to the HTTP site, your browser will force it to go to the HTTPS version, which requires ssl application to be added to the policy.   Not all browsers will process HSTS, so different browsers may yield different results. Those that don't push you to HTTPS will work, and you'll fail as long as you don't add application ssl to the list. ... View more

This solution is actually incorrect if your intention is to have the Email notifications generated *from* Panorama. What the mentioned profile will do, is to commit configuration from Panorama, to ask each individual managed firewall in the Device Group to generate an Email alert *from* the firewall.   If you forward the logs from the managed device to Panorama, and you want to 'centrally' generate the email *from* Panorama, then refer to:   https://paloaltonetworks.com/documentation/70/panorama/panorama_adminguide/manage-log-collection/configure-log-forwarding-from-panorama-to-external-destinations.html#82318 ... View more

If you go to youtube, the content is delivered "to" you, so the traffic comes in from untrust, and exits trust towards your workstation. The correct interface to be configured is trust. We are not looking at the direction of the session, but which interface are packets egressing from. The stream is from the YouTube server to your Workstation. The egress is clearly your Trust interface. ... View more

Yes, that is correct. Enable WMI Probing: No User Identification Timeout (min.): 720 ... View more

That wouldn't be a problem because the Gateways don't host a login page. ... View more

Your UIA mappings are most likely timing out at the default of 45 minutes, and you're most likely relying on WMI Probes, which are failing, because your hosts are not correctly configured to respond to the WMI Probes. Once the Probes fail, the user-ip mappings are deleted. Once they are deleted, Captive Portal will trigger. If the Captive Portal is set to its default Expiration of 60 minutes, then users will have to validate to CP every hour. By default, User-ID Cache timeout is set to 45 minutes. If users would be on site for a maximum of 12 hours, you can set the timeout to 720 minutes, and disable Probing. Note I'm making a lot of assumptions based on similar cases I've worked. Your settings may differ, in that case, I recommend you open a Support ticket and we can take a closer look. I also recommend checking out these documents: Best Practices for Securing User-ID Deployments User-ID Best Practices - PAN-OS 5.0, 6.0 ... View more

The login page is presented by the GlobalProtect Portal, and not by the GlobalProtect Gateway. The GlobalProtect Portal login page can be disabled by following the instructions in this document: How to Disable the GlobalProtect Portal Login Page ... View more

I couldn't find any Feature Request on record to support HTML files. The best way to request these be supported is to file an FR through the Palo Alto Networks SE. If you didn't know who your SE was, please contact your sales representative or Support to find who the right contact for your account is. ... View more

Although you need a GlobalProtect Gateway license if you want to use the App for Android, you actually need both, GlobalProtect Portal, and GlobalProtect Gateway license for HIP Checks. If you didn't have a Gateway license, you can alternatively use X-Auth authentication using the native IPSec VPN with Android, but then you won't be able to set up HIP checks. ... View more

The "packet (5) shorter than isakmp header size." messages are generated by those ISAKMP messages of length 47. These are VPNC NAT Keep Alive messages, and are sent every 10 seconds by each VPNC connected client. A workaround would be to turn off NAT Keep Alives for VPNC, though I have not found a way to do this. The solution would be to have the ability to suppress these alerts on the logs. For this, an FR needs to be filed. Please contact your Palo Alto Networks SE to have an FR filed. If you didn't know who the SE for your account was, please contact your sales representative, or Support, to assist you in finding the correct SE for your account. ... View more

When you say "streaming 'on' internet", you are not offering enough information to get an answer. Are you streaming "to" the internet, or are you streaming "from" the internet ? QoS is applied on the egressing interface. If you are streaming "to" the internet, the relevant interface is untrust (WAN). If you are streaming "from" the internet, the relevant interface is trust (LAN). ... View more

+1 on HULK's info. I wanted to add that, It depends on the FQDN. Don't use FQDN's for large corporations, where they either use CDN's or round robin DNS. Because the frequency is a 15 minute refresh, there's no real time DNS resolution for FQDN's. This may lead to incorrect or unexpected behaviors. There's also another practice, that is, to give you a long list of possible IP's on a single A record. The firewall will only grab the first ten provided on that long list. ... View more

It sound like you had this firewall managed from Panorama and commit is failing. When there's an invalid reference, you usually have objects in the candidate config pointing to other objects that are supposed to be created from Panorama. If the referred-to object is created locally, or if it didn't exist, you may get the "is not a valid reference" error. What you can do is locate the object that is referencing the Panorama object and delete it. If Panorama had connectivity to the device, a commit to Template and Device Group should resolve the issue. You can explore the candidate config with commands: > set cli config-output-format set > configure # show ... to see lines including references to 'LDAP Authentication Profile' you could issue command: # show | match "LDAP Auth" Once the invalid references are cleared, you should be able to commit. If you don't know how to delete them, please contact Palo Alto Networks Support. ... View more