About Brandon_Wertz

TomasMedina · ‎05-09-2025

Ok the it's a Firewall then hehe. Yeah there are a lot of Lenovo laptops and it can be the issue. We only have dockings in the office, but this problem is happening when people are working at home. I'm going to ask IT support for them to update lenovo's firmware. I'll let you know.

kemeris · ‎05-08-2025

Looks like my reply with Palo Alto debug logs has been removed by stuff. Thank you #Kiwi for your help!

G.Varkey · ‎05-08-2025

Well when the user connects via the US gateways the traffic doesn't work however it works via the UK gateway. Thats the only way I can the tell something is up with the US gateway. The intrusive option is the last resort I rather not go that route as its excessive to do that while no other traffic is impacted. It doesn't fly when you explain it to others.

Brandon_Wertz · ‎05-06-2025

@O.Pavlyk wrote: It dosen`t work!!!!!! Saying "it doesn't work" to a 3 year old post, and a 5 thread doesn't really help solve your problem, or the OPs. If you're having an issue and were looking for some help if you shared some details maybe we can help determine how to resolve your issue?

Brandon_Wertz · ‎05-05-2025

@quocthinh.9666 -- Since the management interface can be pinged from outside of the subnet I'm going to assume everything is good from the management profile perspective, but check that. Are there other hosts in the same management network on the same nodes (A or B?) Can VM from node A ping something in node A? Does the node A switch see the MAC of both the VM and the firewall? The management interface isn't using a unique service route? I would also confirm the subnet mask and default gateway value are correct.

Brandon_Wertz · ‎04-28-2025

@Sally47Mac wrote: Hello! The "Authentication Complete" browser page after your firewall upgrade to PAN-OS 11.1 with consistent GlobalProtect versions likely stems from a change in default SAML authentication behavior. Check the "Use Default Browser for SAML Authentication" setting in your GlobalProtect Portal configuration and try toggling it. Also, review your client configuration and consult the PAN-OS 11.1 release notes and Palo Alto Networks Knowledge Base for any relevant changes. Investigating authentication override cookie configurations might also help. As a test, consider upgrading to the latest compatible GlobalProtect client version. @jonathanb I would agree with @Sally47Mac's recommendation. Based on what you described it's exactly what's been shared. For SAML auth you can either use the GP client itself (embedded browser), which is what you previously had configured, or the OS "Default Browser" which would be the Internet browser the user has set as their native browser. https://docs.paloaltonetworks.com/pan-os/11-1/pan-os-release-notes/changes-to-default-behavior/changes-to-default-behavior-in-pan-os-11-1

Brandon_Wertz · ‎04-25-2025

With it being EOL, there's really not much to do. You're only going to have 2 options; pay for PS to migrate the config or do it yourself, working through any config hiccups. All that said the expedition download is still out there. Not sure if it's still functional. While the tool might be EOL, if it's available for download and still works I'd suggest still using it: https://live.paloaltonetworks.com/t5/expedition/ct-p/migration_tool

459768405 · ‎04-22-2025

Hi, Thanks for your help! But I think these two way can't let me achieve my goal. Maybe it will work if i can use these two way together. I mean that I want to find the security policies which not only use a address-group include a particular address like 1.1.1.1, but also conform to other filters like from A zone to B zone, is there any way can let me do this? Thanks!

shoot0267 · ‎04-22-2025

Yeah, I'm not decrypting any of the Signal traffic. About a month ago, I did see in my logs app-id "signal-file-transfer" but never saw "signal-base". Now, I'm only seeing SSL/443 for chat messages. I guess the Signal application on the iphone may have changed.

Brandon_Wertz · ‎04-22-2025

@OtakarKlier -- OPs issue is the secondary/passive FW isn't being seen by PAN in AWS. The passive firewall using a service route on the DP. The issue is since he's using an inline data port and the DP is down in a passive state the service route won't work. (I think this is his issue)

muhammadumairfareed786 · ‎04-21-2025

I was looking for the same thing, but could not find any good solution, so I managed to create my own. Here's the extension that you can use: https:/ /suzagear. com/safetube or simply search safetube on the Chrome Web Store. This allows for whitelisting channels, and only videos from those channels can be played. You can still scroll through other channels, but can't play their videos if it's not whitelisted. I hope this helps.

Brandon_Wertz · ‎04-21-2025

@salvador.meza wrote: I found a flow chart on the PAN portal earlier this that showed the customer's path to receiving support for both Direct and Partner Enabled, but I can't find it anymore. Have you seen it? Yeah, not sure what exactly you're looking for. Can you share more details about what you're wanting to know? In general I dislike the practice of going through a 3rd party for support, but in Palo's case it might be better to have initial triage go through a partner, if that 3rd party is going to be more responsive and have more technical expertise in their frontline support. You'll want to be careful though in how escalations work. If the partner can't fix your issue escalation to Palo TAC might have you rework all those initial steps. Just make sure you know what type of support you're getting yourself into.

Brandon_Wertz · ‎04-21-2025

@apiche1 wrote: Bump for an old thread, however I found more relevant information. 1.) 3rd Gen firewalls (PA-800s, PA-3200s, PA-5200s) did NOT come with the Device Certificate. You have to fetch it using the OTP method (from Device Certificate in Support Portal). "request certificate fetch otp ##############################" 2.) Run the "request logging-service-forwarding status" If you are missing the Logging Service Certificate (see screenshot), then run "request logging-service-forwarding customerinfo fetch" 3.) Port TCP/444 has to be open for the firewall to fetch server certificate when doing the "request logging-service-forwarding customerinfo fetch" command (see screenshot) I found this helpful trying to get IoT Security working on a PA-3220. We were not seeing any devices make it to the IoT dashboard until the Device Certificate and the Logging Server Certificate was fetched successfully. GL, trying to stand-up IoT. I've been evaluating it at my company for ~6ish months. We did finally get it added to our ELA. It seems like a great feature, but still has a lot of quirks we're working through with them.

nohash4u · ‎04-14-2025

@AY_FASAR did you ever get a resolution? I thought I would provide an update from my end. The TAC case unfortunately fizzled out as dump level debugging was not enabled, and it was deemed unwise to leave this level of debugging on until the issue reoccurred given the strain it puts on the firewall. That being said, a senior engineer I work with noticed two things: An unusual frequency of IKE rekeying. The source IP of the IKE rekeying not aligning with the expected configuration on the firewall. This was attributed to an issue with the ISP, and is being investigated. I hope this helps.

V.Singh504229 · ‎04-09-2025

Hi all, I tried to do the same but after doing all the configuration i am not getting the GP notification popup. I tried on different Software version but no luck. Could you please help.

Member Since	‎07-21-2014 06:43 AM
Date Last Visited	‎11-25-2025 08:15 AM
Posts	1,144
Total Likes Received	310

Online Status	Online
Date Last Visited	‎11-25-2025 08:15 AM

About Brandon_Wertz

Re: Cloud NGFW Credits issue

Re: Cloud NGFW Credits issue

Windows-Remote-Management & Implicit Use of Web-Browsing

Re: High Availability Latency / Bandwidth Requirements

Re: Building Cybersecurity Strategies: A Game of Digital Mahjong

Re: Restrict Individual Administrators by Interface or IP

Re: Palo alto 1410 software update

Re: LGTV and Netflix bugs out when going through Palo Alto

Re: Palo alto 1410 software update

Re: Problems with mail queues after updating PA-5410 from version 10.2.7-h8 to the preferred version 10.2.13-h7

Re: High Availability Latency / Bandwidth Requirements

Re: trustsec plugin

Re: Is there a way to disable response page for interface?

Re: Global Protect and Bandwidth Considerations

Re: Changes to SSH communication method and ARP output format during upgrade

Re: PA-NGFW Sizing

Re: LGTV and Netflix bugs out when going through Palo Alto

Re: Global Protect application blank screen

UserID periodic empty groups issue

Re: Zero-Trust Strategy for Prisma

Nominated Discussion: Cannot Change Application Risk Level in ACC

Re: Global Protect lose internal resources access

Re: Client-to-Site IKEv2 IPSec without GlobalProtect

Re: Strata Cloud manager gateway traffic on cloudfront.net failing

Re: Custom URL Issue

Re: Can not ping Management interface

Re: GlobalProtect SAML Authentication Complete

Re: Migration from Juniper to PANOS

Re: How can I search a particular source&destination address in lots of security policys？

Re: Question regarding Signal messaging application

Re: How to onboard passive PA440 firewall to Panorama using dataplane interface

Re: Block YouTube in general, but allow videos from specific YouTube channels?

Re: Direct vs Partner Enabled support flow chart

Re: Result: Failed to validate server certificate for endpoint api.paloaltonetworks.com

Re: IPSec intermittent disconnection issue

Re: GlobalProtect to Facilitate Multi-Factor Authentication Notifications

Cloud NGFW for Azure

Unlock your full community experience!

About Brandon_Wertz