About Brandon_Wertz

@naveed wrote: Can somebody confrim if palo alo firewalls supports these protocols "IEEE C37.94 or not need solid answer for industrial firewalls???   What you're asking is more akin to asking for firewalls that understand Ethernet (IEEE 802.3) versus an "industrial protocol."  Industrial protocols are more like CIP, modbus, DNP3, tinwcat.  Looking at IEEE 37.94 it's a standard for "physical media" in Optical fiber.     ... View more

I'm not saying it's the correct approach, but now even in the free version of AIOps you can set permanent exemptions from this menu:   ... View more

@VK9H13    This last part: You're not wrong, in how WF has been marketed before, they touted their "cloud analysis" for files sent to WF.    Essentially Palo the past ~2 years has released "advanced" Threat, URL and WF subscriptions that as I understand perform analysis in their cloud differently than the standard subscriptions.  I assume they use different ML models than the original subscriptions and are potentially tied into additional data sets that the "base" subscriptions are.  Essentially there are new ML models than are leveraged in these new subs.   At the end of the day even if you don't have this new license the threat sigs will eventually get to all customers, it's just how quickly do you want them in your company? ... View more

Thanks for the suggestion.  Meanwhile, i reinstalled a recent 10.0 version on the 10.1 gateway to try and resolve the issue. It did in that HA is now happy. However Panorama is now disconnected. I gather that is because 10.1 introduced a more secure link between Panorama and gateway. Since i have reverted to 10.0, that is no longer applicable. How would i reconnect Panorama to the now-10.0 gateway without impacting the working active 9.1 HA member?   EDIT: It turns out the 10.0 version i used is just a bit too old to receive the cert renewal that was recently done for Panorama. Ive applied the most recent 10.0 and that fixed the connection. ... View more

@filman1979 wrote: What command can I use to display the global protect version on a palo alto firewall. The command "show system info" will give you what you're looking for (These will be intermixed with a bunch of other info) :   global-protect-client-package-version: XXXX global-protect-datafile-version: XXXX global-protect-datafile-release-date: XXXX global-protect-clientless-vpn-version: XXXX global-protect-clientless-vpn-release-date: XXXX ... View more

This thread is a bit old, but I've found that using the support portal "Manage Your Case" is a good way to get movement on the case.     As with anyone the TAC resource you get will have their own experiences and greater abilities in certain technology areas.  The more information you provide at the start of the case the better.  I always upload a TSF, detailed explanation of my issue, what I've done to troubleshoot and any screenshots additional traffic log files which help the engineer get to where I think the issue might be.  TAC is manned by people too and giving them attitude will probably only hinder your interaction with them. ... View more

@ChandrashekharD wrote: Hello Friends,   We have a customer who is not able to connect Global Protect VPN from IPAD device with error "could not verify the server certificate of the gateway" I revived the configuration and selected connection method as on-demand in the app setting of GP Portal and did commit. After commit, we were getting error "the network connection is unreachable or the portal is unresponsive". Then again I revived configuration in IPAD device and found that root certificate is not imported in that device. Then we tried to import the certificate in the IPAD device, we were not getting install option, we tried by both formats like PSCK12 & PEM but no luck, also we were not getting option to enable this. I suspect, We are encountering this certificate error is due to the root certificate not being present in IPAD device.   According to customer, he tried to installed the GP app from the Apple AppStore, which is officially released by Palo Alto. There is no mention in the guidelines on GP gateways or the AppStore about needing to install an additional root certificate on the device. If this is necessary, the option should be integrated into the GP app itself.   We also refereed the document to install the root certificate in IPAD device but I could not find the options mentioned in the documentation, as it references iOS 12, while the customer currently using iOS 16.7, and those options are no longer available.   My concern, do we really need to install additional root certificate in IPAD device to access internal resources while connecting to GP VPN, if this is necessary then why we are not able to import and enable root certificate in IPAD device. If it is necessary to install additional root certificate in IPAD device then please suggest me how to import and enable root certificate in IPAD device   Regards, Chandrashekhar   Try following this KB:  https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000boSUCAY  ... View more

I know this topic is a bit old, but it seems that the web-based Applipedia does not show the full information about the applications compared to the Objects > Applications in WebUI  About Secure-Ports in App-ID, quoting from Beacon training:  "Starting with the PAN-OS 9.0 release, the application-default service setting has been extended to allow certain SSL-encrypted applications on their default SSL secure ports, in addition to the application’s standard ports." and https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/app-id/application-default ... View more

thanx, and what about "  If we have deployed panorama, will its syslog receiver stop if it was not licensed? Or it will keep on receiving the logs and reporting too even without licensing it?" ... View more

Hello,   Thanks fo rcommenting on this thread. I created the URL catogery adn added <ServerFQDN>/ecp and set a security policy to block it, but when we open <ServerFQDN>/OWA and once the link is opened and then replace OWA with ecp then the admin access page opens. Your support is highly appreciated.   Regards, ... View more

Thank you for your support!   ... View more

@Jameslee20 wrote: ISP <--> Cisco Router <--> palo alto firewall outside -- > cisco router than to Palo Alto Firewall When firewall see invalid port or our Public ip address it forwards ARP flood asking the router  where this ip address or this address with port  Palo Alto has default out to the Cisco Router and when we did packet capture 69% of was ARP flooding asking where is this  There are CLI arp commands that would be really useful to troubleshoot in this situation.  There's still a lack of IP infrastructure in your network so I'm not certain but I'll make some assumptions up.   Your border router owns 192.168.20.0/24 and it's the .1...We'll call this VLAN 20.     Your FW has an interface in VLAN 20?  This is either a single physical interface 1/14.20 or in an ae1.20.  The FW has an IP in .20.  The IP address here, is it a /32 or something different?  If there's no mask described then /32 is implicit.  If it is something other than a /32 and the FW doesn't own that network this is likely your problem.   When you say the FW is garping out looking for a host this is usually because the FW isn't on the same L2.  So I'd check the masks between the 2 networks and make sure something isn't off.  After this is confirmed get into the CLI and look at the ARP table of the firewall the FW should see the MAC of the neighbor it's looking for here, or there's a routing problem. ... View more

@SRNetwork wrote: Name a version of PAN-OS that does not have a vulnerability. Ya that would be great Is there something you're looking for specifically?  I would say it's generally impossible for ANY vendor for their product to NOT have a vulnerability.  It's pretty much how the industry works. ... View more