About BPry

@Stevenjw0728, How did you build out the profile and what did you actually want it to do? If you included every OS in the profile and denied access through the security policy, the firewall did what you told it to do. If you're just trying to prevent Windows 7 clients from connecting, include only the Windows 7 HIP-Object in the associated profile and make a Deny entry. You wouldn't want to group everything together in some overarching allow entry.   As to why your traffic stop flowing, did you give any time between the creation of the HIP-Object/Profile and putting it into effect on the security rulebase at the same time? Generally speaking whenever you build out a new Object/Profile, you're going to want to validate using the HIP logs that it's actually matching clients as expected before you ever include it in a policy. That ensures that your order of operations is actually correct, and it ensures that the clients active at the moment actually have time to send the update in their next HIP report.    ... View more

10.1.9-h1 was just released to the public, however it doesn't look like the release notes have been published just yet.  ... View more

@kfelixdeft, I'm not sure that you can do this anymore like you used to be able to. You could build out a web portal that uses the firewall's API to gather the generated password hash however, then simply have them send you the output so that you can add it to the configuration.  ... View more

@Chris_Atkinson, You could add an alias to the users account instead of changing the actual email address, that way it would let you continue immediately. Properly fixing this will require that you open an admin support ticket with TAC and have them manually remove it from the backend. Generally admin requests like this don't take long to get fulfilled, but could take 24 hours to get it removed.  ... View more

@Metgatz, "Is it worth it" is an extremely broad conversation to have without knowing anything about the company or environment that would be looking to implement XSOAR or any other SOAR product. For a SOAR product to be really useful, you are going to need someone that can build out the workflows and remediation playbooks to make the investment make sense. No SOAR product can just be dropped into an environment and asked to run properly, but with XSOAR PAN is trying to get it closer to that sort of product. I personally don't think it's near that level of simplicity.   If you have someone that can actually build out workflows and build the playbooks, then you have to ask yourself if they have anyone working beneath them and how skilled they themselves are. If the security team is Bob/Karren, and Bob/Karren is amazing at scripting and building things out themselves, Bob/Karren might not get any benefit from a SOAR product. The benefit then is that if the team expands and Bob/Karren is forced to switch over to an actual XSOAR product, it's easier to train new personnel and get them running if the security response is wrapped up a bit nicer than a whole lot of scripts sitting in a repository. The business might see benefit in that, and they may not.   When you have an environment where you have an actual security team, that's going to be where you'll likely see the most benefit of a SOAR product. Having the ability to build out workflows and playbooks empowers your analysts to handle detections at a level they likely couldn't previously. It grants the SOC architects/engineers the ability to setup guiderails on what they want done within a workflow, while still giving more power to the individual analyst.  There's some workflows where you might unlock the ability for an analyst to quarantine and isolate off an endpoint through the workflow, but you aren't giving them the ability to do that globally across all of your endpoints. Maybe under certain workflows you're giving them the ability to isolate an entire network segment, but they otherwise wouldn't ever have that capability. SOAR products give you the ability to do that sort of thing.   ... View more

@Metgatz, I'd recommend engaging your account team if you were trying to put something like this together. One of the things you'll run into is that you need to have something new whenever you're trying to show off the ML engines; so you'll need something that is constantly changing with each new test. The same thing goes with URL filtering ML; you'll need to be dynamically creating updates domains and ideally modifying page content with every example.    Now you could obviously just run a bunch of samples in a lab environment of previously identified malware and take malicious code samples and phishing pages and build out some web pages. That doesn't really show of the ML capabilities that well however, and if you're showing it off as a demo to a client it looks incredibly staged. I always recommend modifying things on the fly so that it looks "real" and not part of a rehearsed show.   ... View more

@jgardner150, You can setup log forwarding from CDL and setup filtering if required so that it isn't sending all logs unless you need it.    https://docs.paloaltonetworks.com/cortex/cortex-data-lake/cortex-data-lake-getting-started/get-started-with-log-forwarding-app/forward-logs-from-logging-service-to-syslog-server#id186BM029099 ... View more

@Shruthi123, Do you have experience scripting in any language? There's plenty of libraries that exist that may make this easier, but not knowing what you have experience in the API is going to be the default suggestion from people that we expect the requester to have some experience with. If you have a preferred scripting language you're used to working in, that may be easier.   As for the REST API, that documentation is available directly on the device at https://<firewallip>/restapi-doc/ You're looking to disable the rule which would be an edit, so you'll look under Policies/SecurityRules under PUT. Keep in mind that if you use the REST API you'll still need to use the XML API to actually commit the change if you want this process to be automated. The REST API still isn't feature complete, which is why any API discussion is going to generally default to the XML API. ... View more

@spendl16, This message can be set to anything the administrator sets up, it doesn't necessarily mean that automatic updates aren't actually enabled. If I would have to hazard a guess, you have an update that isn't applied at the moment. Open up GlobalProtect Settings by right-clicking on the agent, and then navigate to the 'Host Information Profile' tab. If you expand everything listed there you'll find one that should say 'Missing Patch' with every patch that GlobalProtect thinks your missing. Install those, manually if you have to. ... View more