About Brandon_Wertz

@reaper wrote: Sounds like it's just misconfigured. - Is internal host detection enabled? this will, when configured properly, put gl;obalprotect to sleep whenever you are 'internal' (so no popups) - Is there an internal gateway, or are the external portal and gateway made accessible from the inside? that will also render globalprotect silent as soon as you've opted to not connect - Are you even allowed (by config) to disable globalprotect? if you try to 'kill' the process it will simply restart, that's how it is supposed to work. if the admin enables the ability to disconnect/disable (or set operational mode to 'on demand' for example) you will be able to be disconnected whenever you need to   It's not the software, it's the config 😉   100% agree the stated experience seems like the VPN software is doing what it's configured to do.  That said I've seen some weird buggy things with GP and MacOS especially on the 6.0.X and 6.1.X code ... View more

@itassetbenilde wrote: Good day,   Just got off a meeting with one of our users. We have a standing policy wherein Netflix is blocked within the campus premises. We explicitly created a rule to block all banned applications right on top of the security policy stack, netflix amongst them. Rule had been in place for more than a year.   It was reported that users were still able to access netflix.com(splash page). Weird thing is, when we received the ticket and tested, netflix.com could no longer be accessed. User doesn't watch Netflix, so we've ruled out possible browser caching.   i already checked, nobody made any changes that could possibly affect Netflix access. The logs also show that netflix-base is being blocked, and i am getting a blank list when i search for 'app eq netflix'.   Sadly i cannot reproduce the behavior, as Netflix is being blocked elsewhere in our campuses.   Taking the ticket details as is, What other possibilities are there that Netflix could be allowed, yet not logged on the firewall? Am guessing that somehow, for a split second, the firewall may have failed to identify Netflix traffic.   Any ideas? For now, we've added .netflix.com/ and *.netflix.com/ into our URL filtering block list.  Thanks         As others have mentioned it's possible some CDN variation of content delivery of netflix might have presented the homepage of netflix, but if you're blocking the netflix applications, the parent app:     And this blocking rule is above ANY allow rules AND you've also got a custom URL profile with the Netflix domains & potential CDNs then there should be no way for netflix to be accessible.  Also like mentioned before if you're not doing SSL decryption then it's possible from time to time weird scenarios like this may arise.     ... View more

@engineerwang wrote: Think you very much! one more question,how to remove application like FTP in ACC,I certainly sure it is safe ,and it is really annoying to see it every time in ACC besides, if users can not change the risk level of default application, why there is a interface,a and what it is use for? ACC is only showing you applications that are being seen (allowed or denied.)  If you're seeing "FTP" as an allowed application it's because you have a security policy that allows FTP.  If you want your custom application to be used instead of "FTP" then you will need to create a new rule with your custom FTP app and place that rule above the rule that FTP is being allowed on.  Or you can simply replace your custom FTP app on the rule that FTP is being allowed on.   You will need to be careful though, because if FTP is being allowed on a rule that doesn't define ANY application then adding your custom app to the rule will instantly not allow any other applications on the rule and only allow the apps that you have defined in the rule.   @engineerwang wrote: if users can not change the risk level of default application, why there is a interface,a and what it is use for? I'm not understanding what you mean by this.  Why is there an interface?  Like interface (physical network port) on the firewall?  Oh -- Do you mean why can administrators see the default application of FTP (but they're unable to modify it?)  If that's what you meant, my only assumption it's so that admins of the FW can understand the parameters of how Palo Alto has defined the applications that exist on the firewall. ... View more

@ssingh wrote: Thanks Brandon , but there's no 10.2.11 release as per the Palo Alto  Software Release Guidance   Correct...I'm staying put on what works now...Waiting for 10.2.11 is released and preferred.  Then riding 10.2.11 until there's a known / stable / released version of 11.1.X.  Once that happens I'll moved off of 10.2.11. ... View more

I found it and it's working. Thank you @Claw4609 ! ... View more

@EdmarFrancis wrote: @Brandon_Wertz  appreciate you sharing information. For your issue, is the user that is wrongly mapped both an AD user? Since in my case, it is a local firewall user. It was an AD mapped user (Both were AD mapped.)  I'm honestly not sure if this bug could be matched to local user account. ... View more

We did just that and it worked magical. Thank you for your response.   ... View more

@JordanRamos wrote: Good morning, I hope you can support me, do you know how long it takes for an RMA team to arrive, with a premium license? RMA Team?  -- You mean RMA replacement gear?  A new piece of equipment typically arrives next business day (NDB) with premium support. Premium License?  -- You mean premium support?  Licenses are features or subscriptions for the various Palo Alto products.     If you have a support case, the TAC person assigned to your RMA should be able to give you the tracking number which should give you an estimated delivery date. ... View more

I would agree with @reaper and where he is likely going.  You mention the advertised throughput capacity of the 3260 being substantially lower than the 40Gb transceiver speed, but just because you have network connectivity of 40Gbps doesn't mean there's actually traffic coming to the FW of that or even close to it.   While Palo Alto advertises a certain throughput limit for it's hardware that number is a factor of probably 100+ different variables.  In some situations the hardware might be able to do double the advertised throughput or in some cases you might only get 1/4th.  The max throughput number is simply a guide customers can use to help gauge the relative performance they could expect from a certain hardware model.     --edit-- shared the hardware specs of the 3200/3400     As an FYI the 3200 hardware platform is being EOLd and replaced with the 3400s.  You can see from the specs the 3400s performance is substantially greater than the older 3200 generation.         ... View more

I've gotten confirmation in my TAC case that embedded browser isn't supported with Prisma currently. No ETA available   ... View more

@SuperMario wrote: I experienced a similar issues in two scenarios 1) while using GP 6.1.x. 6.2.2 has been very stable. 2) When a proxy intercepts the connection.  You might need to check if there is a proxy and the proxy logs or take a pcap to check if something is intercepting your traffic. If none of the above, the pcap and gp logs should help TAC to figure out what is going on. For your 6.1.X code were you using 6.1.5?  We have some Mac users that were on 6.1.1 that experienced issues, but pushing them to 6.1.5 has been stable for our Mac users. ... View more

@Nileshapatil wrote: Ok thanks, Will update you once we attempted the swap I want to clarify something @OtakarKlier mentioned. IMO, you do NOT want to move the cables one at a time.  Doing so will likely split an active port-channel leaving 1 cable behind connected to the 3020 you're replacing (Which means both the 3020 and the 3410 will be active creating a split-brain scenario):     I'm currently going through a hardware swap of 3410s for 3220s.  To accomplish this we're taking the passive 3220 offline.  Then when ready taking all active connections away from the "active" 3220 and moving them to the corresponding 3410 all at once.  Doing this will create a brief outage for the service provided for the 3020/3220, but it's the cleanest and quickest way.   There might be a scenario where you can move a cable one at a time from the hardware being replaced by new, but that will involve a lot more detail than a high-level plan any of us have shared here. ... View more

@ChrisDean wrote: When I go to Updates --> Software Updates --> I don't have the PAN-OS for VM options. I only see PAN-OS for the actual FW hardware that I have in my DC's.  I want to setup a lab and need a VM, where do I get it? On the customer support portal, although you'll probably need virtual credits or an eval license to get the VM to work.  (There's a whole process to get VMs to work, it's more than just downloading VM software):     ... View more

@Sarou22 wrote: Bonjour, Pour accéder au ressources internes il faut configurer un portail sur global protect. Pour monter un tunnel ipsec, il faut d'abord se connecter à une gateway qui se trouve dans le cloud prisma ( la gateway la plus proche de ta localisation) C'est pour cela que je demande quelle IP doit on renseigner comme IP de gateway lorsqu'on configure le portail global protect dans prisma? This sounds like something that should have been known to you when you stood up your Prisma Access connection.  Your typically don't connect to an IP address, but rather a DNS entry in front of an IP.   From my experience the customer gives Palo Alto the desired DNS entry and Palo Alto assigns the IP address.  With that said the IP address you're looking for should be given to you from Palo Alto.  No one on this community site can know or give you the Prisma Access IP assigned to your company. ... View more

I'm talking about Cortex XDR, I didn't mention it, but there's a tag. The new requirement is to not export incidents, logs etc to the cloud because it'd be too expensive and also that place, where we'd like to store all data related to incidents should have search engine. ... View more