About reaper

that's where a choice actually pops up: since this is ssl encryoted traffic, there can't be a 'signature' to identify it and the only identifier is the SNI on the certificate maybe forti chose to blanket all the traffic using the sni whereas palo identifies this as a web category but not necessarily an application   you can easily create a custom app for an SNI by the way ... View more

you can check if a daemion is still running with the following command: show system software status you can troubleshoot if your system is 'struggling' with resources by running the following command to spot any daemon consuming too much resources show system resources       ... View more

are both devices added to the same device group on panorama and are you pushing the config to both devices at the same time? ... View more

app-id does not solely rely on SNI to identify some applications which may be the case here. have you enabled ssl decryption so the content/payload can be identified by app-id? ... View more

latency for HA1 is not as critical as HA2 or HA3 since you're not synchronizing live session data. The most important data sent over HA1 is the user-ID table and DHCP leases which in most cases will not cause immense havoc even if there is high latency If you're worried about your FIB, you could consider running Active/Active without routing sync    https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-admin/high-availability/reference-ha-synchronization   ... View more

There is no direct internet communication through the CBL. All public internet needs to be redirected into the CBL by configuring traffic steering for the desired FQDNs or URLs ... View more

tl;dr at time of writing 6.3 is not a preferred release yet ... View more

Have you tried reloading your browser? i've seen it get 'stuck' simply because the browser didn't want to update the status for some reason If you tried this and it's still stuck, your only recourse will be to reach out to support (or your local SE) ... View more

omg we've been doing this for 10 years .... 😛   ... View more

just a few seconds usually the management server will appear to take longer as it will also directly impact your connectivity (ssl or ssh) as an admin and kick you out when you restart it ... View more

Hi @arun.yadav    This is a public forum, for any TAC related communication please use support.paloaltonetworks.com FYI TAC does not monitor this forum ... View more

according to https://security.paloaltonetworks.com/CVE-2023-48795 1) 11.2 is not affected 2) 11.2 is not affected so no mitigation required 3) it looks like this issue was either fully addressed by the time 11.2.0 came into GA hence the whole train is not affected, or a library causing this vulnerability in previous versions is not present in 11.2 4) according to the article, 11.2.0 is already unaffected, so later versions will also be unaffected. relapse to vulnerability in 11.2 would have been documented as such 5) if you believe the above information is incorrect, please open a support case for an authoritative answer from a source inside palo alto ... View more

no, that is not how portals in GlobalProtect work unfortunately, each portal is considered a standalone entity. only gateways can be set up to have preference     ... View more

yes, this functionality has now been added! ... View more

if you just run a continuous ping against your public IP, are you then seeing new sessions being created for ping? could be yourVPC hasn't been set up correctly, or your SG is blocking inbound connections ? ... View more