About BPry

@PIRAMAL, As @PavelK mentioned the PA-400 series is still current and does not have any EoL/EoS announcements. Once the End-of-Sale/End-of-Life dates are announced, you have five years of support between the EoS date and the EoS date so you'll have plenty of time to plan for hardware replacement procurement and budgeting. If you already own PA-410(s) and are wondering when you should be budgeting to replace them, you don't have to worry about that yet.   The being said, PAN is re-releasing the PA-500 series with the launch of PAN-OS 12.1 Orion which would be something I might personally hold out for if you're looking to purchase the PA-400 series devices today. The PA-400 was announced four years ago and with the PA-500 being announced I would expect the PA-400 series EoL/EoS announcement to be coming somewhat soon. https://www.paloaltonetworks.com/blog/2025/08/paves-way-for-quantum-ready-security/ ... View more

@ChandrashekharD, Create a new custom URL category to match the desired website and create a new security rule above your social-networking deny entry to allow the traffic for the user utilizing the custom category as matching criteria under the URL Category criteria.    Ensure that the profile that you are using will actually allow the traffic appropriately. If you have a rule using the URL category to match the traffic, but continue to utilize a url-filtering profile that has the website blocked, you'll continue to block the traffic.  ... View more

@S.Jayathunge, You would only want to have the two app-ids that you are looking to block [ bittorrent bittorrent-sync ] and you don't include web-browsing in the deny rule. You generally don't want to include any depends-on listing in a deny rule, you would only want to include them if you're attempting to permit the traffic if they aren't otherwise accounted for.     I would recommend reviewing your URL categories that you are allowing and think about creating an application or just application groups that you attempt to maintain for blocking access to certain applications.  As an example, we have a list of applications that we deny externally for remote access applications (IE: Chrome Remote Desktop, Teamviewer, RDP, etc.) that we wouldn't want to allow externally. You might create an application-filter for encrypted network tunnels as another example excluding things like SSL that you wouldn't want to necessarily block. You just want to be careful and actually validate any dynamic filters that you look at configuring. While you likely want to utilize application filters and URL categorization so you don't need to constantly update your list, you also want to be at least a bit conservative in rolling it out. That way you aren't suddenly blocking access to something legitimate that you haven't thought about.  ... View more

@OrkhanM, I would generally telling most people that this isn't the path that you want to go down from a management aspect. It would be easier to manage if you started (or have) serial numbers assigned and use an LDAP server profile to be able to utilize the 'Managed' option to verify that the serial number is present in AD. This will allow the firewall to pull the list of serial numbers from active directory by looking at the computer objects and the serialNumber attribute to validate whether or not a computer is actually present in AD or not.    If you can't do that for some reason, you'll ideally have automation in place to create individual HIP objects for each entry that you want to allow and then utilize a profile to group all of the individual objects. I don't believe that you can match multiple different strings with a single object, so unless you can make them all fit with a Contains operator (which effectively would only allow a single manufacturer and doesn't actually prevent much) you're going to need to utilize a profile to group all of the individual objects which doesn't really scale.   ... View more

@James.Rodgers, Official support will likely take a while past public release like it usually does. I don't know why they don't utilize the developer previews to validate functionality and support the official release quickly, but they never have. I can tell you that I haven't experienced any issues with 6.3.3 so far in our testing on the macOS 26 developer previews.  I get PAN not wanting to announce official support until the public release candidate; Apple has been known to put relatively major changes into the betas relatively late into the release cycle, but they do indicate when the betas are done and release candidates are sent out where major changes are no longer being made. Even if PAN decides to wait until official public release, they tend to take an unnecessarily long time before granting it official blessing.    You would likely have better luck raising this as an issue with your account team and asking for more timely official support once a new major OS has been released.  ... View more

Oh hey look, 90% of my reply got eaten. I guess lets try that again with less formatting.   The answer to your question is it depends on if you're using API Key liftetime or not. Out of the box you wouldn't be, which means none of the previously generated API keys are being invalidated and you can utilize the previously generated keys for as long as you want. You can actually utilize the same API across multiple devices assuming that the username, password, and master key are the same across the devices without having gone through the key generation process at all. Out of the box this works more like phash value than a traditional API key. The way that you would ensure that you have invalidated previously generated API keys would be by changing the user's password which would invalidate all of the API keys.    When you setup API key lifetime simply regenerating the API key still doesn't invalidate previously generated keys, but they would invalidate themselves depending on what you have the lifetime minutes set to. You also gain the ability to utilize the 'Expire All API Keys' option available under Device -> Setup -> Management -> Authentication Settings to immediately expire all of the previously generated keys in the event that you have privileged employee turnover or expect a key has been compromised without changing the user's password (although that would likely be a good idea anyways).    I would recommend using something like Hashicorp Vault if you do a lot of scripting against the API so that you can store the key (whether using key lifetime or not) and only have a single location to update all of your keys when you rotate them. This way you aren't storing credentials directly within scripts and you don't have a heavy overhead to maintaining keys. If you want to use the same API key across multiple devices, you would need to keep the default setup and just be careful about who has access to the key and what permissions you are granting said associated user. Once you put key lifetime in place that capability goes away and you would need to have a key per device. If you're just trying to utilize it in automation of some sort and want it to be stable so it isn't changing, than I would kind of question the intent behind that. You can automate against something like Vault to facilitate automatic key rotation if you're doing lifetime on your keys, or you could have a schedule to have your lifetime be something like every 10 days and know that you'll need to update your key value pair for the API key within that 10 day period so they aren't staying the same. All kind of comes down to what you want to do and what your own risk appetite is for key re-use.    ... View more

@n-tomo, If you have made no other modifications to the configuration of the device, simply generating an API key does not invalidate the previously generated keys. In fact, you can utilize the same API key across multiple devices assuming that the following are configured exactly the same:       ... View more

@cmramosfors, https://live.paloaltonetworks.com/t5/certification-articles/what-is-replacing-the-pcnse/ta-p/1227937   The four different specialists really focus on different areas and I would say that the collection of Network Security Analyst and Next-Generation Firewall Engineer collectively would have given you enough to pass the old PCNSE certification.    ... View more

@SoongNyeongKim, As far as I'm aware, this is still not possible upon session timeout. PAN simply closes the session for aged-out traffic and that can't be modified from a behavior standpoint.  ... View more

@moorek, You will want to upgrade seeing as your 5410 will not be a part of the extended support since it can update. While I don't support PAN pushing this 'limited support' change when they had previously extended PAN-OS 10.2 support, the EOL policy was previously 42 months of support post release which is where the Aug 27 2025 date comes in. It was previously extended and you likely documented the Feb 28 2026 EOL date that was previously published before PAN implemented this 'limited support' policy change, with the new Sep 30 2026 actually being extended past that termination. Not trying to defend what happened here in the slightest, I think the lack of communication of this change and introduction of 'limited support' is rather appalling, it's not completely out of left field.   Now if we wanted to have a completely separate conversation about PAN implementing this change silently in the background for the community to discover and plan around without broad conversation from PAN, I'm all for that stress relief session. I think this is going to cause a ton of people to fall into the BS 'limited support' period because they weren't informed of the change in status or what 'limited support' actually means. The way that PAN has went about this change is absolutely not acceptable from a security company to date; I think the majority of customers will never even notice they fell into this new 'limited support' tier. Even those of us that pay attention to this sort of stuff likely discovered this through Reddit instead of PAN itself. Tie in the fact that 'limited support' is only fixing CVSS > 9.0 exploitable vulnerabilities on a security appliance and this is one of the biggest fails that PAN has made in a while.    ... View more

@DanielPullen, Is this specific to iOS or is that just the only device that you are trying to connect?  ... View more

@dylan.a.gauch, That setting in itself doesn't prevent me from connecting with a brief test here at least on Windows 11 24H2, I would also be shocked to see that as any sort of a dependency unless you were running Windows 11 ARM and weren't using the ARM agent.    Your IT will need to look at the agent logs and see where things are actually hanging. In the event that you are using an ARM Windows machine, you need to have the right agent to get this to work properly.  ... View more