About BPry

BPry · ‎06-06-2025

@Mitesh_Nandu, I don't have an answer to your question regarding how PAN-OS handles reaching the object limit for an EDL, but I have to question if a 50,000 object EDL is actually being used efficiently. Do you actually utilize an EDL that needs to be 50,000 objects that couldn't be condensed into ranges to help cut back on the object count (IE: do you aggregate and dedupe them?) Do you just keep every single address you've identified ever in the EDL without aging anything out? If you detail what these are actually being used for a bit more maybe collectively we would have some ideas to help you live within the limitation, or as @reaper pointed out your business requirements may just simply mandate that the 3420 wasn't a good fit and maybe your EDL usage needed a 5420 where you could have 150,000. 150,000 addresses really is the max regardless of platform as far as I'm aware however and I'm slightly concerned that you may essentially have 150,000 entries based off of your questioning. That is a big reason why I would maybe work on either trimming that down or putting something simple like an IP blocklist on your router(s) upstream from your actual firewall.

BPry · ‎06-06-2025

What version of Ubuntu are you actually running into issues with @Mebinbaby? I just ran a test on 6.2.6 which is the current build that I'm supplying for a limited subset of Linux users with Ubuntu 22.04.5 LTS and firefox functions perfectly fine. Linux is a bit of a second class citizen for GlobalProtect, but the application isn't even capable of excluding specific application traffic like it would be on macOS and Windows. Have you validated what you're seeing on a fresh installation isolated from any image customization or management solution that you may be using for these machines?

BPry · ‎06-05-2025

@Mebinbaby, If it's just Firefox that isn't working then it doesn't sound like it's a GlobalProtect issue at all. If this is just on a single machine I would recommend looking at any routing that could have been configured to route firefox around the tunnel interface. It's possible someone set something up to specify a route and has forgotten about it.

BPry · ‎06-05-2025

@cgloker, what device are you actually attempting to utilize? We have a couple people using 6.3.3 on the latest round of Surface Laptop devices from Microsoft and we aren't encountering any sort of issues. We had a plethora of issues with Surface Pro X devices when they were launched, but we didn't have very many of them.

BPry · ‎06-04-2025

@D.Maas, Honestly in my mind your company is looking at doing this improperly. While it might sound like a good idea in theory to have everything in place prior to migrating users to Prisma, you're introducing too much change at the same time. This not only creates a lot of various troubleshooting issues, but more importantly it damages the end-user reputation of the migration. I would recommend that you migrate to Prisma Access and view that as one "project" in itself. Then you would have a zero-trust "strategy" that you would need to actually design. Zero-Trust as @Brandon_Wertz mentioned isn't anything more than a strategy or policy; you won't really find any detailed information that someone can share because once you get to that level of planning information it becomes extremely centered to a particular organization. What I would recommend doing when looking at zero-trust is having an actual working group that contains individuals from each business unit that are well informed on everything that the business unit does. You need people that actually understand each of the individual business practices and what each role actually needs, otherwise you'll still be making things too generalized. Then you go business process by business process and actually include all of the required changes to actually say that you have a zero-trust network. Keep in mind that this isn't solely about network access here, but also permission to things like file directories, applications, individual application access, the whole kit and caboodle. This will almost certainly break things as it is built out since most businesses will have exceptions for certain people performing work outside of their role that even people working with them aren't necessarily privy to. If you haven't led a project like this before I actually work recommend working with someone that can help guide you through this process and ensure that you're actually accounting for everything. It isn't something that you can't do by yourself or in a small team, but generally smaller companies will have a harder time accepting that the journey to zero-trust won't be free of issues. They tend to start seeing issues and just thinking that you don't know what you're doing because you're actively breaking things, involving them as much as possible in identifying requirements will help lessen that impact.

BPry · ‎05-28-2025

@D.Verma502651, I'm probably an outlier with this, but I personally find it easier to not work with any of the available SDKs and just building out the API calls needed and parsing them myself. There's been multiple instances so far where the SDKs are slow to get updated to account for changes, and some things that they just don't account for very well where you might need to fallback to the actual XML API anyways. I personally feel like they get you into the door so to speak with using the API quick and easy, but you'll find instances where it just doesn't work that well. In my mind, if you're needing to build out API calls and parsing manually for a task then you mise as well be doing all of it.

BPry · ‎05-15-2025

@fhassan, Are these firewalls independent or part of an active/passive setup? If part of an active/passive pair, do you utilize the MGMT interface or do you have a service route configured to utilize a dataplane interface? If these are standalone make sure that ISE is actually accepting connections. Your error message indicates you aren't getting a return; I'm pretty sure that ISE won't respond to requests if the source address isn't included as a network device, so you'd want to check that the ISE side of this configuration is actually correct.

BPry · ‎05-15-2025

@romen54, Did this start out of the blue or after you applied 11.1.6-h3? I've had multiple instances where recent PAN-OS releases have caused a split-brain scenario and reverting has immediately resolved the issue across multiple different models in active/passive setups. As for the LACP issue causing a split-brain scenario, I think your LACP issues are more than likely a consequence of your split-brain scenario than the issue causing your split-brain scenario. Do you have HA1/HA2 directly connected between the two units or are you passing it through a switch? If you're passing it through a switch, is it the same one handling your aggregates?

BPry · ‎05-15-2025

@SA.Kushal, Assuming that you've taken packet captures and verified that you aren't seeing any return traffic, the next step is looking at the upstream. It could be that the resource you're attempting to access has just blocked all of Azure's IP ranges due to past malicious activity that they just don't want to deal with, or it could be that Azure itself is dropping the outbound traffic. Off hand, I'm not sure that Microsoft actually blocks any outbound traffic natively and have never heard of it doing so. I would assume that the issue is simply that the resource has either blocked your outbound IP specifically for some reason, or just has some wider blocks against Azure in general. Depending on your relationship with that service you may or may not have any true recourse here.

BPry · ‎05-13-2025

@SyafiqBharudin, This is all possible through the XML API. The structure follows the same sequence as it would if you're working directly with the CLI and you can use the API browser (https://<myfirewall>/api ) to figure out exactly what command you need to send and validate that you're doing things properly. I'm unsure if these specific actions are supported by the newer REST API; personally due to the REST interface not having feature parity with the XML API or complete access to PAN-OS for even relatively basic functions (like a commit) I generally just ignore the REST API is a thing that exists.

BPry · ‎05-07-2025

@jstricker, PAN-PWR-180W-AC (180W Power Adaptor for PA-450R) is supposedly what you are looking for, however I don't see anywhere that actually has stock or even has availability. I'll note that the 450R doesn't come with a power supply, it's expected that you supply your own DC connection.

BPry · ‎05-07-2025

@Kenya5115, This functionality wouldn't be backed into PAN-OS at all. There's ways that you can get this to function by just segmenting everything via multiple gateways assigned to the same zone and setting and overriding the intrazone-default policy behavior with a dedicated rule or just by changing that policy form allow to deny, but there's not a magic way to get this to function and without a good handle on automation such a deployment could be a major inconvenience to the rest of your infrastructure team.

BPry · ‎05-07-2025

@D.Martinez136027, The only thing that I can offer is that I have not seen any sort of increase in any of my environments and it actually isn't a signature that we even encounter in the vast majority at all.

BPry · ‎05-06-2025

@brock.shelton, Since this isn't really an issue with GlobalProtect, but rather the operating system actually starting the installation process normally, there's limited help that can actually be provided. As @kiwi mentioned it could be that the version of GlobalProtect you're attempting to run is simply too old to support macOS 15, but I would suspect that the installer would be progressing past this point. You can find updated packages for the GlobalProtect agent for macOS online easily. THIS link will give you a current installer that supports macOS 15.4 without issue. Just note that your organization may mandate certain agents to actually access organization resources, so blindly installing a newer agent that potentially supports your OS doesn't guarantee that it will actually be supported within your environment.

BPry · ‎05-06-2025

@inSync-MarkValpreda, I would utilize app-id for this and do away with your any application and service rule that you have currently. Also note that if you're security profile is only accounting for 40017 you're missing 16 other signatures related to GlobalProtect. I don't much see a point in maintaining a profile specific to GlobalProtect and trying to manually specify IDs that should be active. Can you limit the sources that you're allowing to hit your portal/gateway? You can cut back exposure and scanning/probing by limiting to the regions that you actually need active; while this doesn't prevent a targeted attack by any means it at least cuts back on noise. @inSync-MarkValpreda wrote: I do have my home IP address whitelisted on the interface management as a 'just in case' sort of thing....so I don't want to inadvertently kill that. Maybe put my emergency IP addresses into a different security group? Why? Do you have a static IP at your house or are you just relying on it staying the same? Personally this is never something that I would facilitate or allow any of my staff to implement. The risk analysis for this would never have the benefit of this outweigh the risk that is introduced. Things either wait until someone can be onsite and restore things properly, or you implement a proper out-of-band connection.

Member Since	‎05-26-2016 07:16 AM
Date Last Visited	‎02-24-2026 02:19 PM
Posts	6,520
Total Likes Received	2296

Online Status	Offline
Date Last Visited	‎02-24-2026 02:19 PM

Unlock your full community experience!

About BPry