About TomYoung

Hi @H.Thiam ,   You only put your domain name in the box.  Please take out the \user.   Thanks,   Tom ... View more

Hi @R.Naylor ,   Here is an Overview document that is a very good place to start.  It has links to Snippets and Variables.  The Snippet doc shows you how to associate a snippet with the folder hierarchy.  https://docs.paloaltonetworks.com/strata-cloud-manager/getting-started/configuration-scm/manage-configuration-ngfw-and-prisma-access/configuration-overview   Thanks,   Tom ... View more

Hi @J.Yeleti ,   The recommended standard in the documentation is to monitor and determine which ones you should block.   https://docs.paloaltonetworks.com/best-practices/internet-gateway-best-practices/best-practice-internet-gateway-security-policy/transition-safely-to-best-practice-security-profiles/transition-vulnerability-protection-profiles-safely-to-best-practices   However, if you run a Best Practice Assessment (BPA) from Strata Cloud Manager (SCM) (formerly AIOps) (There is a free version.) or if you download a Day 1 Configuration from the Customer Service Portal (CSP), then you will get more specific guidelines.   Below is a screenshot of my Vulnerability Profiles from the Day 1 Configuration fine-tuned with recommendations from the BPA.  Medium vulnerabilities are blocked for inbound and outbound traffic, but alerted for internal traffic.     Thanks,   Tom       ... View more

Hi @H.Thiam ,   I had a similar problem with my GP SAML username format user@domain.com and my LDAP group mapping domain\user.  The users were not matching the groups.  Changing the User Domain under Device > User Identification > Group Mapping Settings > [edit group mapping] > Server Profile > Domain Setting caused the GP SAML usernames to change from user@domain.com to domain\user so that the LDAP groups would work.  All other fields remained the default (except the Update Interval).     Thanks,   Tom ... View more

Hi @Austin_Mascarenhas ,   I see that no one has replied to your question in a few days; so, I will give it a shot.   Is there any way in PAN-OS to completely withdraw all BGP routes and bring down ISP1 session when the Internet behind ISP1 fails but the peer IP is still reachable?   Not that I know. This is where the full BGP routing table comes into play, but the PA-Series cannot handle that many routes.  Purchasing a couple of BGP routers may simplify the process.   With regard to oubound traffic, I doubt you can rely on your ISP to withdraw the default route if they have Internet connection problems.  In most cases, the route is not withdrawn and the traffic gets blackholed.  If all you are receiving is the default route, you could tell the ISP not to send it and use path monitoring with a static default route.    Would combining conditional advertisement / AS-path prepending achieve practical failover for both incoming and outgoing traffic?   I have never seen AS path prepending achieve 100/0 load balancing for incoming traffic even with the max prepends.  I don't see any advantages to combining it with conditional advertisement.   Outgoing traffic would be load balanced by BGP weight or local preference.  https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClszCAC   Are there any recommended workarounds in PA for this scenario that don’t involve extra hardware or ISP cooperation?   I think path monitoring with default static routes would be more reliable than BGP for outgoing traffic.  For incoming traffic with BGP you would have to assume the ISP would withdraw the default route if they had internet issues.  With regard to conditional advertisement, how can 0/0 be the withdraw prefix if it is received from both ISPs?  I think the best way is to use ECMP and allow the outbound and inbound traffic to load balance.  You definitely want to check the Symmetric Return box under ECMP so that return traffic for incoming connections is sent out the same interface.   Thanks,   Tom ... View more

Hi @N.Mitchell270065 ,   This is a recent change.  Thank you for letting us know!  Thank you also for the savvy workaround!   I am creating my 1st case now since the change, and I noticed this option.  Maybe they have added after you opened your case.     Thanks,   Tom ... View more

Hi @N.Mitchell270065 ,   I have opened plenty of cases without a TSF.  Simply tell TAC that the NGFW won't boot up.  They will either help you fix it or send you a new one.  If the TAC engineer still insists on a TSF, ask to escalate the case.   Thanks,   Tom ... View more

Hi @RomainSalmon ,   That sounds really good!  I don't see why you couldn't "commit that within an HA pair."  I wonder if these steps would be a little quicker?   Disable config sync on the standby.  Commit. Make the change on the standby NGFW. Commit.  Wait that the process restart etc. Force HA failover to the ECMP standby. Enable config sync on the same NGFW (now active).  Commit. If the config doesn't automaticlly sync, do it from the dashboard. That's a cool idea.  Please let us know how it goes.   Thanks,   Tom ... View more

Hi @nikakakhiani93 ,   You could try the FUEL User Group lab.   https://live.paloaltonetworks.com/t5/community-blogs/how-to-access-the-virtual-test-lab-vtl-from-fuel-user-group/ba-p/1236075 https://live.paloaltonetworks.com/t5/fuel-resources/virtual-test-lab/ta-p/1001081   I don't know a lot of people downloading PAN-OS for lab use.  Another good place for you to start is here -> https://learn.paloaltonetworks.com/learn/courses/3414/pan-os.  It has very good content and good videos of the GUI.   Thanks,   Tom ... View more

Hi @R.Lemaitre ,   There is no Global Find option in the API.  If you have some sort of automation tool that uses the API to pull data, why not use the same tool to pull the configuration and perform searches on it?  Cyber Elite @BPry posted a cool Python example in this post -> https://live.paloaltonetworks.com/t5/general-topics/xml-api-for-global-search/td-p/1232224.   That is one example, but you could go 50 different directions with automation.  Another way you could do it is through "show | match <object-name>" on the CLI (1) in configuration mode and (2) with output format = set.  If the object shows configured but not used, you can delete it.  If you have mastered a particular automation tool, explore the options it provides.   Thanks,   Tom   Thanks,   Tom ... View more

Hi @PMorendage ,   You can identify weak ciphers with a decryption profile for non-decrypted traffic.  Create a decryption rule with the action of no-decrypt and assign the decryption profile to it.  Since you do not want to block weak ciphers at this time, allow everything.   https://docs.paloaltonetworks.com/network-security/security-policy/administration/objects/decryption-profile#create-a-decryption-profile-pm   When a lot of traffic runs through the decryption profile, you can use cool tools to analyze the traffic.   https://docs.paloaltonetworks.com/network-security/decryption/administration/troubleshooting-decryption/identify-weak-tls-protocols-cipher-suites#identify-weak-tls-protocols-and-cipher-suites-pan-os   After you have analyzed the traffic, you can choose to block weak certificates, ciphers, or protocols by unchecking the boxes in the decryption profile.   Thanks,   Tom ... View more

Hi @D.Davis329631 ,   Here is what I have seen.   1. How do we create a package to distribute Global Protect that sets the Portal and forces it to use a specified browser (Windows - Edge and for Mac - Safari) and not use the default browser that is set up on the OS?   You can set the portal via command line options.  https://docs.paloaltonetworks.com/globalprotect/10-1/globalprotect-admin/globalprotect-apps/deploy-the-globalprotect-app-software. Click on the Deploy App Settings Transparently link to dig into it.  I believe that you can only set the default browser, and not a specific browser.   2. How can we prevent Global Protect from automatically connecting the first time the user logs in if we use the switch on the MSI to include the portal by default?   I don't believe that is possible.  The default mode for the GP client upon reboot/restart is always on.  https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClhZCAS   3. On Windows are their registry settings that can be used to configure Global Protect to always use a specified browser for authentication?   I did not see one, but you can dig through the links.  All I saw was the default browser.  That makes sense because otherwise they would have to add a LOT of browser support.   4. On Mac is their configuration file that can be updated specify settings like portal and specified browser use for authentication.   The portal, yes.   If you were going to deploy GP via software manager such as you could also set the default browser for the OS and possibly lock it or instruct the user not to change it.   Thanks,   Tom ... View more