This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
Buy or Renew
Buy or Renew

About Brandon_Wertz

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Brandon_Wertz
Online
since ‎07-21-2014
L6 Presenter
User Activity
User Profile
Latest posts by Brandon_Wertz
View All
User Badges
Community Statistics
Member Since ‎07-21-2014 06:43 AM
Date Last Visited ‎11-25-2025 08:15 AM
Posts 1,144
Total Likes Received 310

Re: Mobile phones are bypassing the PA captive portal

by in General Topics
‎10-02-2025 08:46 AM
‎10-02-2025 08:46 AM
@Srinibas_09 captive portal only works over port 80/443.  When you're saying phones are bypassing CP, how are phones going to the internet?  A browser or an installed application? ... View more

Re: Android Samsung update doesn't work

by in General Topics
‎10-02-2025 08:41 AM
‎10-02-2025 08:41 AM
@G.Geraci -- Are you saying that your "samsung" rule updates work?  But the "guest" rule they don't?  I just have to say I hope you have fully vetted your fortinet, given the myriad list of root exploits they've had over the past year(s.)   To your issue, if it's what I wrote then it's probably straight forward.  You're not allowing everything needed in the more restrictive rule.  In the "working" scenario you're allowing SSL, but I'm not seeing SSL in the none-working.  A confusing part though, ssl&web-browsing are "implicit" use, which means they shouldn't need to be allowed.  This might be something you might need a support case on given the implicit use.           ... View more

Re: PA-445 stability?

by in General Topics
‎09-24-2025 06:57 AM
‎09-24-2025 06:57 AM
I wondered if Palo gave you something specific in the logs to check for this issue?  Got two different cases for this, one is for 11.2.7h1 so it looks like a good match.   ... View more

Re: When to use zone type Tunnel

by in General Topics
‎09-01-2025 09:19 AM
‎09-01-2025 09:19 AM
Hello,   You should use a L3 zone type for your VPN tunnel. The Tunnel zone type is not used for any interface, as it is intended for use in a feature named "Tunnel Content Inspection". More information here: https://docs.paloaltonetworks.com/ngfw/networking/tunnel-content-inspection/tunnel-content-inspection-overview   A snippet from the article above: You can configure a tunnel zone, which gives you the flexibility to configure Security policy rules for inside content that differs from the Security policy rules for the tunnel. If you use a different tunnel inspection policy for the tunnel zone, it must always have a maximum tunnel inspection level of two levels because by definition the firewall is looking at the second level of encapsulation.   Hope that helps. ... View more

Re: Unable to open TAC cases due to mandatory TSF file upload requirement

by in General Topics
‎08-12-2025 07:09 AM
‎08-12-2025 07:09 AM
I had same issue but found this where it says the file has to be archived in various formats. " If TSF required , please upload a TSF with file extensions .tar, .zip, .tgz, .tar.tz . Once TSF is loaded the back box on the right will disappear." https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000008WANCA2 ... View more

Re: Ticket cannot be generated due to TSF file loading failure

by in General Topics
‎07-14-2025 10:56 AM
‎07-14-2025 10:56 AM
Same issue here.   This is frustrating and there does not seem to be any solution.  I've tried multipe browsers on both mac and windows from different networks.  It just does not alllow any tsf file upload and therefore cannot open a case.  Has anyone solved this?   ... View more

Re: Create SSL VPN on PA-500

by in General Topics
‎07-09-2025 06:26 AM
‎07-09-2025 06:26 AM
Hey! Since nobody can help me with Bitrix and WA dalaying seems to me we should close this conversation. Developers presents here rather know an answer I believe. ... View more

Re: mkv mov mp3 mp4 mpeg msi torrent apk avi avi-divx avi-xvid-this type of format file block

by in General Topics
‎07-02-2025 06:12 AM
‎07-02-2025 06:12 AM
@SJIT3124 wrote: how to block mkv mov mp3 mp4 mpeg msi torrent apk avi avi-divx avi-xvid-this type of format file block   Using a file blocking profile attached to your security policy matching the traffic, with an action set to block (In the file block profile) for these file extensions.  You will also want to ensure you have SSL interception enable and are decrypting most traffic. ... View more

Re: Customize Authentication Complete URL

by in General Topics
‎07-01-2025 06:41 AM
‎07-01-2025 06:41 AM
@BigPalo wrote: Many thanks Kiwi. Why is not available in 11.x 😞 ? So thats why PA doesnt recommend to customize that URL?   thanks I don't work for Palo, but there have been numerous CVEs relating to VPN portals in both Palo and Fortinet.  With a lot of the Fortinet ones being super egregious.  My guess is Palo made a tactical decision to remove the ability to modify the portal for security reasons to better harden the appliance.  (Just a guess though.) ... View more

Re: Automated backups from Panorama

by in General Topics
‎06-23-2025 08:41 AM
‎06-23-2025 08:41 AM
Hi, Buddy. The goal is to be able to export the BACKUP of the configuration to an external server either by FTP or SFTP. What we want is that this task is done daily at 2am, but what we want to be clear, is what would be the most “recommended” option, whether to do this task only from the PANORAMA, or do it from the FW? In any of the 2 cases, is this objective possible? Export the config by a BACKUP to an external server? Thanks ... View more

Re: Filter Certain Search Strings using URL Filtering stopped working

by in General Topics
‎06-20-2025 08:47 PM
‎06-20-2025 08:47 PM
Hi @HWAAcademy  can you please guide me how to achieve this? I also have same requirements, however, I couldn’t not find any article for the same.   @VinceM @Brandon_Wertz @kiwi @kiwi @ ... View more

Re: Technical Inquiry – Does PA-400 Series Support USG/BSG Functionality?

by in General Topics
‎06-16-2025 11:41 PM
‎06-16-2025 11:41 PM
Hi @huulamid ,   I agree with @Brandon_Wertz statement.     True USGs are hardware-enforced devices that physically prevent data flow in one direction. The PA-400 Series (or any standard NGFW) does NOT offer physically enforced one-way data transmission like a true data diode. It's a bidirectional device by nature. While you can configure highly restrictive security policies, this is a software-defined policy, not a physical enforcement.   The PA-400 Series can achieve strictly controlled two-way data transmission through its NGFW capabilities, but it's not a purpose-built "BSG" appliance in the sense of a dedicated, high-assurance industrial gateway from a vendor specialized in that area. Kind regards, -Kim.   ... View more

Re: Administrator Login using Azure Groups through Cloud Identity Engine

by in General Topics
‎06-12-2025 11:50 AM
‎06-12-2025 11:50 AM
@K.Saucier I'm not familiar with what Admin-UI Enterprise App is, can you explain this to me?  We don't use SCM we have a "Panorama Managed" Prisma deployment.    If I understand what you're saying in a normal scenario to log into a FW you need to have the account name (shortname / maybe first.last?) configured as a user and you associate this ID to an auth profile.     Your issue is that using Entra ID it uses a UPN format username@domain.com, and you're saying the FW doesn't like the @domain being in the user name field? ... View more

Re: Modify Security Policy rule - application depends on

by in General Topics
‎06-12-2025 11:31 AM
2 Kudos
‎06-12-2025 11:31 AM
2 Kudos
@JasonFerris wrote: Hi Brandon, Example: traffic from source1 to say internet with specific app IDs like ms-update etc. What I'm after I guess is that when adding apps to the rule you see the depends on - ssl, websocket. But if you don't go and add those to the existing rule its possible that traffic or some of the traffic won't hit that rule for ssl or websocket correct? Hitting a more general rule afterwards or a deny all rule.  To make sure that ms-update application traffic works as expected "should" ssl and websocket be applied to that rule? I'm trying to be granular in our rules so only necessary traffic is allowed.  @JasonFerris -- let me clarify what I meant.  To account for the "depends-on" like you mentioned.  You have 3 options, but really only 2.  The 2 I previously mentioned.    1.  You can create a general rule that allows the "you should probably allow these applications so web pages can work" rule.  These would be App-IDs like web-browsing, stun, websocket, SSL...et al.  2. Or they could be only included in the specific rules associated to their "depends-on" App-ID.   Option 3 is the one you just mentioned is "do nothing with it" let it hit a default deny rule and hope for the best.  In some instances not allowing the depends-on App-ID  won't really impact the core App-IDs functionality.  That particular app may generally be ok with some one-off scenarios where the traffic behaves weird for the user with things not working right.  There are other App-IDs where not allowing the depends-on App-ID will me the primary application just won't work. ... View more

Re: Where did the critical issues page move?

by Cyber Elite in General Topics
‎06-10-2025 03:18 PM
1 Kudo
‎06-10-2025 03:18 PM
1 Kudo
Hello @MasaW   I can see that KB is available again. My guess is that someone in Palo Alto has marked that KB as private temporarily that prevented public view.   Kind Regards Pavel ... View more
Register or Sign-in
Contact Me
Online Status
Online
Date Last Visited
‎11-25-2025 08:15 AM
Latest Tags
No tags yet
LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2025 - Palo Alto Networks