About TomYoung

Hi @N.Mitchell270065 ,   I have opened plenty of cases without a TSF.  Simply tell TAC that the NGFW won't boot up.  They will either help you fix it or send you a new one.  If the TAC engineer still insists on a TSF, ask to escalate the case.   Thanks,   Tom ... View more

Hi @RomainSalmon ,   That sounds really good!  I don't see why you couldn't "commit that within an HA pair."  I wonder if these steps would be a little quicker?   Disable config sync on the standby.  Commit. Make the change on the standby NGFW. Commit.  Wait that the process restart etc. Force HA failover to the ECMP standby. Enable config sync on the same NGFW (now active).  Commit. If the config doesn't automaticlly sync, do it from the dashboard. That's a cool idea.  Please let us know how it goes.   Thanks,   Tom ... View more

Hi @nikakakhiani93 ,   You could try the FUEL User Group lab.   https://live.paloaltonetworks.com/t5/community-blogs/how-to-access-the-virtual-test-lab-vtl-from-fuel-user-group/ba-p/1236075 https://live.paloaltonetworks.com/t5/fuel-resources/virtual-test-lab/ta-p/1001081   I don't know a lot of people downloading PAN-OS for lab use.  Another good place for you to start is here -> https://learn.paloaltonetworks.com/learn/courses/3414/pan-os.  It has very good content and good videos of the GUI.   Thanks,   Tom ... View more

Hi @R.Lemaitre ,   There is no Global Find option in the API.  If you have some sort of automation tool that uses the API to pull data, why not use the same tool to pull the configuration and perform searches on it?  Cyber Elite @BPry posted a cool Python example in this post -> https://live.paloaltonetworks.com/t5/general-topics/xml-api-for-global-search/td-p/1232224.   That is one example, but you could go 50 different directions with automation.  Another way you could do it is through "show | match <object-name>" on the CLI (1) in configuration mode and (2) with output format = set.  If the object shows configured but not used, you can delete it.  If you have mastered a particular automation tool, explore the options it provides.   Thanks,   Tom   Thanks,   Tom ... View more

Hi @PMorendage ,   You can identify weak ciphers with a decryption profile for non-decrypted traffic.  Create a decryption rule with the action of no-decrypt and assign the decryption profile to it.  Since you do not want to block weak ciphers at this time, allow everything.   https://docs.paloaltonetworks.com/network-security/security-policy/administration/objects/decryption-profile#create-a-decryption-profile-pm   When a lot of traffic runs through the decryption profile, you can use cool tools to analyze the traffic.   https://docs.paloaltonetworks.com/network-security/decryption/administration/troubleshooting-decryption/identify-weak-tls-protocols-cipher-suites#identify-weak-tls-protocols-and-cipher-suites-pan-os   After you have analyzed the traffic, you can choose to block weak certificates, ciphers, or protocols by unchecking the boxes in the decryption profile.   Thanks,   Tom ... View more

Hi @D.Davis329631 ,   Here is what I have seen.   1. How do we create a package to distribute Global Protect that sets the Portal and forces it to use a specified browser (Windows - Edge and for Mac - Safari) and not use the default browser that is set up on the OS?   You can set the portal via command line options.  https://docs.paloaltonetworks.com/globalprotect/10-1/globalprotect-admin/globalprotect-apps/deploy-the-globalprotect-app-software. Click on the Deploy App Settings Transparently link to dig into it.  I believe that you can only set the default browser, and not a specific browser.   2. How can we prevent Global Protect from automatically connecting the first time the user logs in if we use the switch on the MSI to include the portal by default?   I don't believe that is possible.  The default mode for the GP client upon reboot/restart is always on.  https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClhZCAS   3. On Windows are their registry settings that can be used to configure Global Protect to always use a specified browser for authentication?   I did not see one, but you can dig through the links.  All I saw was the default browser.  That makes sense because otherwise they would have to add a LOT of browser support.   4. On Mac is their configuration file that can be updated specify settings like portal and specified browser use for authentication.   The portal, yes.   If you were going to deploy GP via software manager such as you could also set the default browser for the OS and possibly lock it or instruct the user not to change it.   Thanks,   Tom ... View more

Hi @HungTrinh ,   Have you seen this document -> https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClRTCA0&lang=en_US.   Thanks,   Tom ... View more

Hi @A.Choughule ,   @BPry is correct.  I can't think of any changes you would need to make except interfaces.  Even those are the same except 1/17 and 1/18 are 10 Gbps on the PA-3220 and 1 Gbps on the PA-1410.  The best way to change those would be search and replace in the XML.  The GUI will take too many clicks.   https://docs.paloaltonetworks.com/hardware/pa-3200-hardware-reference/pa-3220-series-overview/front-panel-3200-series https://docs.paloaltonetworks.com/hardware/pa-1400-hardware-reference/pa-1400-series-overview/front-panel-1400-series   Thanks,   Tom ... View more

Outstanding research! ... View more

Hi @cdcirexx ,   I am sorry that no one has responded to you on this topic.  I see that you have also asked this question on other posts.  It also appears that you are using MS NPS for local RADIUS.  From this discussion, I see that you have looked at PAN RA Proxy.  https://live.paloaltonetworks.com/t5/general-topics/user-id-issues-with-mapping-from-juniper-mist-wireless/td-p/649844   There are a couple of other tools mentioned on this post -> https://live.paloaltonetworks.com/t5/general-topics/user-identification-using-windows-nps/td-p/46276.   Is Juniper MIST a cloud WiFi controller?  If so, then it probably can't integrate with your local FW.  I think your only solution is to integrate your MS NPS server using one of the methods above or possibly send syslogs from the AP itself to the NGFW.  I use syslogs for my User-ID, and it works great.   You could also look at a different RADIUS server.  Here are a couple below.  I am not recommending a specific solution, only pointing out that there are options.   https://packetpushers.net/blog/radiuid/ https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cm5sCAC   Thanks,   Tom   Thanks,   Tom ... View more

Hi @R.Moth ,   Yes, the existing peer sessions will continue to work.  The username and password is needed for initial establishment.  After that, the portal (or hub) issues a certificate to the satellite, and the certificate is used for authentication.  You can use the existing tunnels to connect to the management interface of the satellite and change the U/P.  I would recommend it just in case something happens and it needs to reestablish the session.   Thanks,   Tom ... View more

Hi @amgad.yousry ,   PANW has changed the NextWave program as of August 2025.  The Strata Pro has been replaced by NetSec Pro.  https://www.paloaltonetworks.com/services/education/palo-alto-networks-netsec-professional   Please get with your distributor or PANW to get the updated partner requirements.   Thanks,   Tom ... View more