About BPry

@SeanDeHarris, Since it's encrypted you would need to do the submission manually after decrypting the archive or otherwise automate that process through the WildFire API as long as you're able to programmatically grab the file and the password.  ... View more

@Adnan_SA, How do you have the associated authentication policy configured? What do you have the timeout value set to within the associated policy? ... View more

@Karthi_N, Not enough information is given to really help troubleshoot this. Ensure that you have logging enabled on the interzone-default policy (or another logged deny policy) so you can validate that you aren't denying any of the traffic would be a starting point from a troubleshooting aspect. ... View more

@zji, First and foremost, PAN-OS 9.1.7 is severely dated. I'd advising your customer to upgrade to 9.1.15-h1.   Lastly the detail that you're giving doesn't really specify how the "Deny All 2020-URL" is actually configured. If the traffic was denied due to URL you'd expect to see the URL recorded in the logs as it is in your first example. If the traffic was denied before the URL was analyzed however, the firewall won't record the URL that the client requested. So from what's been provided and the action being reset-both with no further information provided, it appears as though this is expected behavior and the URL shouldn't be recorded.  ... View more

@Carracido, Do you have tunnel monitoring configured, and if so how do you have the monitor profile configured?  ... View more

@Charlie80, One thing you could do is apply it solely to a subset of users at once and see if anything breaks, instead of doing it in a maintenance window or worrying about testing everything before people get back into the office. That way you can limit the impact to known individuals and potentially just a "pilot" group of users if you have that setup in your environment.  ... View more

@mohammedsalhis, Can you describe your question a bit more? From a dataplane CPU aspect and a traffic standpoint the firewall will manage all of this on your behalf when you create an aggregate interface. There's no tuning or anything like that you would ever need to worry about.  ... View more

@James_Son, Do you just want a Panorama VM to mess around with, or do you need a full lab? Consigas offers a reasonable offering if you're looking for a full lab environment, otherwise if you just want a panorama instance it's generally cheaper to go to one of the public clouds and pay by the hour; shutting it down when you aren't actively using it.  ... View more

@LAS, I don't use Symantec to validate this, but they made a couple fixes for Symantec products in 6.0.5 when it comes to polling protection status information. From your report it sounds like they managed to break definition detection. I'd report it to TAC so that they're aware it's broken, but it's likely a bug in the release. ... View more

@dogepec114, I'm not sure that I've ever seen hardening or best practice information for XDR. Might want to reach out to your SE if you require this information and have them do a configuration review if you're already using the product.  ... View more

@mcrodri55, Whenever you're troubleshooting URL issues ensure that you have an "alert-all" URL-Filtering profile that you can assign to a client temporarily. What this does is ensure that you see the URL that your firewall is seeing when you visit the website in question, and ensure that you can actually validate that the domain is being identified properly. My guess off-hand would be that the firewall simply isn't seeing the domain as you've included in your custom category. Do that and verify what your firewall is actually seeing when you navigate to that site.    ... View more

@Keerthigav, Just taking a look at sep-endpoints-info, if you filter by computerName it only allows a single name within the query. So it makes sense that you're not having success trying to include multiple names with how this actually functions. You'd need to make multiple calls for all of the machines, or create a temporary group and assign the machines to it and use it with groupName and it will return all endpoints belonging to the group.  ... View more

@NguyenDucThanh, The thing that's going to fix this in most cases is restarting the management server, and if that doesn't work scheduling a restart when it makes sense to do so.  ... View more

@raji_toor, If you look at the decrypt logs and you're logging all inbound traffic's URLs you can sometimes actually decipher or at least see the base URL even when you have a proxy failure. I'm assuming that you're using a wildcard certificate since you're having a hard time identifying the actual requested resource, so if that's not recorded in your logs you may have to attempt to "trace" the traffic and see if you can't see a link or something that they hit from another one of your resources. It can also be helpful if you have the same public IP constantly pinging the resource to, if policy allows, just temporarily exclude it from inbound decryption after ensuring that all URL categories on the allowing security entry is set to at least 'alert' so it gets recorded. This will at least give you the base URL requested, as I assume that will let you identify the resource that isn't getting decrypted properly within your environment.  ... View more