About Brandon_Wertz

I agree with you, and TAC is wrong. If I configured a rule as below:   The rule on the box is recognized as below: )> show running security-policy "test; index: 1" { from any; source any; source-region none; to any; destination any; destination-region none; user any; source-device any; destination-device any; source-advanced-device any; destination-advanced-device any; category any; application/service [0:windows-remote-ma/tcp/any/5985 1:windows-remote-ma/tcp/any/5986 ]; application/service(implicit) [0:web-browsing/tcp/any/5985 1:web-browsing/tcp/any/5986 ]; action allow; icmp-unreachable: no terminal yes; }   As you know, "web-browsing/tcp/any/5985" is "application/protocol/source-port/dest-port".   By the way, I found issue from release note. === PAN-194408 Fixed an issue where, when policy rules had the apps that implicitly depended on web browsing configured with the service application default , traffic did not match the rule correctly. ===   Even I don't know which version you are using, you should check you are hitting this or not. I can find this bug-id on 10.1.6-h3, 10.1.7,10.2.3 release note ... View more

@M.vyas  -- Follow these steps to convert from market place to private offer:   https://docs.paloaltonetworks.com/cloud-ngfw-azure/reference/cloud-ngfw-for-azure-credit-distribution-and-management  ... View more

Perfect. Thanks! ... View more

Thx I would expect this to appear in official documentation (stable, low-loss, and not congested.) ... View more

Hi @dsebalj ,   You cannot submit your FR directly on the LIVEcommunity. Your SE or reseller can submit a feature request (FR) on your behalf through the proper channels.   Once they have done that and you receive the FR ID, you can return here and ask others to add their vote to the ID in question.   Kind regards, -Kim. ... View more

Hello @Brandon_Wertz   thank you for reply.   I completely agree with you. In my post, I was replacing inaccessible link (DOC-8042) with a new link for KB and not referring it as a solution to original post.   Kind Regards Pavel  ... View more

@eender405 wrote: Hi everyone, Lately, I’ve been thinking about how designing a strong cybersecurity strategy feels a lot like playing a complex game of Mahjong: every move matters, timing is crucial, and one wrong tile can shift the entire outcome. With AI-driven automation and increasingly dynamic threat landscapes, our “tiles” — firewalls, threat intelligence, and endpoint defenses — are getting harder to align. How do you balance speed, adaptability, and reliability in your security infrastructure without creating blind spots or unnecessary complexity? Would love to hear insights from others who’ve been dealing with similar challenges. @eender405  -- Kinda a cool topic. I think it comes down to not complicating your firewall design/policy, using native feature functionality where at all possible and using AI/automation where it makes sense.   Consuming an OEM's native threat services and leveraging them to the highest degree possible.  A recent example in the Palo/Strata product.  We had a recent test where C2 call back was leveraged and the tester expected that callback to be successful, but it wasn't.  The C2 callback being a "low" threat, it's default action is "alert" proactively setting these types of events to a blocking action is needed into today's cyber threat landscape.   Having a secure network is more than just deploying to security tool or feature you need to understand it and tune it to your environment.  However deploying some overly complex design or a something that's hard to maintain will likely mean things will be overlooked and that's where intrusions occur. ... View more

@GhislainB -- Unfortunately what you're asking for no one here can/will give you.  My best suggestion is to stick to a code that's first "preferred" and second what you've found to be stable.  Only upgrade when necessary for a feature or an impactful bug/fix. ... View more

@AntonHS  -- To go along with what @reaper said when you upgraded from the 415 to the 440, did you change software versions?  If so, from what to what?  To try to get an answer you should try to have your 440 running the same PANOS and content packages. ... View more

@Alpalo  -- Not directly answering your question, but is there a reason you're still running 10.2.X?  Technically EOL, but does have limited support.  If your issue is software related, maybe running 11.1.X you'd find better performance?  While you CAN troubleshoot an application performance issue on your current code you're more than likely better off upgrading.  Seeing how things perform, then troubleshooting if needed.       ... View more

@phampx wrote: What is the best practice method to block iCloud relay without impacting iOS users too much? Apple says to NXDOMAIN the following below.  mask.icloud.com mask-h2.icloud.com Prepare your network or web server for iCloud Private Relay - iCloud - Apple Developer For the PA though,... should we... create a policy to block, deny or use a URL custom block object rule? These are some other domains/FQDN I have found: configuration.Is.apple.com gateway.icloud.com gsp85-ssl.Is.apple.com iphone-Id.apple.com mask-api.icloud.com mask-t.apple-dns.net mask.icloud.com mask-h2.icloud.com   @phampx -- This is actually a threat in an "Anti-Spyware" profile, as a "low" alert.  If you can block low, that should be all you need to do.  if you can't block it (Low threats in spyware) you can also follow what Apple says:   https://developer.apple.com/icloud/prepare-your-network-for-icloud-private-relay/ ... View more

@zacht5476 -- On the Customer Support Portal:   ... View more

@andrew.vlasek -- Hrmm, it's been fixed for us for over a year now, on multiple versions.  This is what we're currently running.  Maybe try deploying this GP client version?     ... View more

We pay for support and this is the only way to get it?? Having to wait hours for a TSF to be uploaded. I understand it helps with case resolution, but let's make it much faster to upload. ... View more

The issue only truly went away for me after a factory reset of the device, unfortunately. That's unrealistic for most environments so not a real solution imo, but the only one I've found that worked permanently. Even Palo Alto support scratched their heads and basically ghosted my ticket when I opened it, lol. I'm assuming you've tried restarts on both devices, OS upgrades, access through CLI, etc. What OS are you on and does this issue persist across all browsers? Have you tried disabling the KeePass browser plugin entirely and testing? When my issue was still present Firefox always worked, thankfully. ... View more