About Brandon_Wertz

Brandon_Wertz · ‎01-29-2018

Thanks for circling back on this and sharing the info!!

jerryv · ‎01-29-2018

Hi, no, we're running 8.0.7.

Brandon_Wertz · ‎01-25-2018

Looks like the KB points out a Win7 registry setting. Win10 is in this directory: browse to... Computer Admin Templates windows components internet explorer Internet control panel security page on the right - open Site to Zone Assignment List Enable it and click SHOW enter the IP address as the Value Name the Value should be 1 for Intranet zone

LocBaoNguyen · ‎01-24-2018

Yup, I got your point. I have tried with PBF by using FQDN - DNS Proxy but I'm facing with an issue (I don't know this is affected by my wrong configuration or this is a bug on PaloAlto). Ex: I have 2 WAN interfaces (ISP1 and ISP2) - The primary interface is ISP 1, and I want youtube and facebook traffic will be forwarded to ISP2 interface. - I tried to nslookup URL youtube.com to an IP address, and I got 20.20.20.20 on PaloAlto. - Then I tried to nslookup URL yotube.com to an IP adress and I got the same IP: 20.20.20.20 on User machine. - Meaning, If the traffic from User machine access to youtube.com, the PBF feature must be forward this traffic to ISP2 interface, but it's not. Do you have any experience for that one? @Brandon_Wertz

Brandon_Wertz · ‎01-24-2018

Here are two screenshots. One of the EDLs Review of current security logs which take the intended security policy (Of note you can see one of the entries has an obfuscated user so you can see both "known" and "unkown" user match our intended security policy.

OtakarKlier · ‎01-11-2018

Bummer dude, it always sucks. But at least you caught it and stopped it.

nicford · ‎01-11-2018

thanks for everyone feedback! I'll defintiely look into Firemon and also some scripts some of you have shared.

Brandon_Wertz · ‎01-08-2018

@sandeep.paul wrote: Thanks, is there any command that we will know if sec policy is not being used from Day it was configured? Unfortunately no

jdprovine · ‎12-11-2017

@BPry Well I am also using the global search to verify if the services are really being used. I guess it would be just as easy to go through the services one by one and do the global search. One thing I do know is I have too many services and it would be good to replace them as much as possbile with applications

Brandon_Wertz · ‎12-08-2017

A max timeout for user IP mapping is 24hrs so you don't need to worry about anything beyond that.

ET · ‎12-03-2017

Once the failover condition is met(failure is detected), the time it takes for failover should be same, manual or automatic. The time to detect the failure may be different depending on the type of the failure and your configuration if applicable in case of automatic failure. Depending on the failure that creates the failover, automatic failover might cause more packet loss. If the link failure happens on the firewall port, meaning that the port on the firewall is disconnected (not the remote port connected to switch router), I would say firewall would detect it fairly quickly. In such a case the failover should be triggered immediately, just like suspend. If your network does not tolerate potential latency during failover, we would recommend you to do a failover test to make sure what would be the exact delay in case a failover triggered by link failure will happen. The overall end-user impact may be affected by surrounding L2/L3 network design as well. But if you need to failover due to a maintenance activity we recommend to use suspend functionality. It is easier to control the failover via suspend and the failover will be initiated immediately.

Brandon_Wertz · ‎11-30-2017

Via CLI you can see how many users the firewall knows about and via what process (SSO=NTLM because of a PAN-OS code upgrade): me@firewall(active)> show user ip-user-mapping all option count type UIA Total: 12380 users me@firewall(active)> show user ip-user-mapping all option count type SSO Total: 16 users me@firewall(active)> show user ip-user-mapping all option count type CP Total: 8 users

BPry · ‎11-28-2017

@Joel_Abney, What @Brandon_Wertz is proposing should work perfectly fine. The only thing that might take into account is that the MAC will likely revert to the original interface MAC address if using L3 interfaces. The device would send out multiple gratuitous ARPs just like it does the first time though, so the MAC/IP listing should be updated fairly quickly.

Brandon_Wertz · ‎11-27-2017

@Radmin_85 wrote: Any other suggestions? it was working until 4 days ago I looked through my old cases...Just for clarity the bugs were in 7.1.6 and 7.1.10: 7.1.10 - Bug - PAN‐75337 7.1.6 - Bug - PAN-76535 *Edit* -- (I'd still suggest a case with TAC) I'll bet you're hitting Bug - PAN-76535. The summary of my case on 7.1.6 is below: " Session end-reason "decrypt-cert-validation". Client browser receives "ERR_SSL_VERSION_OR_CIPHER_MISMATCH". Reboot fixes the issue."

Brandon_Wertz · ‎11-27-2017

@cdevlin wrote: I am looking for a base 5050 configuration to help speed up the process of getting the firewall up. Does anyone have a config file they could share? I'd be very cautious with using another person's / company's "base" config. You could be importing a config you didn't know about having unintended (unknown) consequences. Also if you "build" that base stuff yourself you're more apt to be capable to troubleshoot things quicker. IMO...the base stuff you wouldn't be able to import anyway... LDAP Syslog SNMP Group-Mapping et al Are all going to be unique to every company. The "basic" config palo already has built for you in the pre-defined security profiles and security rules, but you'll need to build to suit your own use case.

Member Since	‎07-21-2014 06:43 AM
Date Last Visited	‎12-24-2025 09:43 AM
Posts	1,145
Total Likes Received	310

Online Status	Offline
Date Last Visited	‎12-24-2025 09:43 AM

About Brandon_Wertz

Re: Windows-Remote-Management & Implicit Use of Web-Browsing

Re: Cloud NGFW Credits issue

Re: Cloud NGFW Credits issue

Windows-Remote-Management & Implicit Use of Web-Browsing

Re: High Availability Latency / Bandwidth Requirements

Re: Building Cybersecurity Strategies: A Game of Digital Mahjong

Re: Restrict Individual Administrators by Interface or IP

Re: Palo alto 1410 software update

Re: LGTV and Netflix bugs out when going through Palo Alto

Re: Palo alto 1410 software update

Re: High Availability Latency / Bandwidth Requirements

Re: trustsec plugin

Re: Is there a way to disable response page for interface?

Re: Global Protect and Bandwidth Considerations

Re: Changes to SSH communication method and ARP output format during upgrade

Re: Windows-Remote-Management & Implicit Use of Web-Browsing

Re: PA-NGFW Sizing

Re: LGTV and Netflix bugs out when going through Palo Alto

Re: Global Protect application blank screen

UserID periodic empty groups issue

Nominated Discussion: Cannot Change Application Risk Level in ACC

Re: PA-850 Default MTU

Re: VPN passthrough

Re: User-ID with Azure AD

Re: Forward Youtube and Facebook traffic to specific WAN interface

Re: Use of computer ldap groups in source-user policy field on palo alto

Re: Cryptocurrency Mining?

Re: Tag Unused Rules

Re: CLI command to get the unused/zero hits security policy.

Re: Services list

Re: User-ID mapping

Re: Failover methods Manual vs Link Down (traffic loss)

Re: Authentication policy

Re: Removing peer from HA cluster

Re: SSL decryption error

Re: Help with configuration for a test network going through our live environment 5050's

Cloud NGFW for Azure

Unlock your full community experience!

About Brandon_Wertz