This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
Buy or Renew
Buy or Renew

About TomYoung

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
TomYoung
‎01-21-2026
Cyber Elite
since ‎11-15-2017
Cyber Elite
User Activity
User Profile
Latest posts by TomYoung
View All
User Badges
Community Statistics
Member Since ‎11-15-2017 11:37 PM
Date Last Visited ‎01-21-2026 09:42 AM
Posts 1,557
Total Likes Received 602

Re: Template stack override clear pending change

by Cyber Elite in Panorama Discussions
‎09-05-2023 10:27 AM
‎09-05-2023 10:27 AM
Hi @Clint_UICCU ,   Under Panorama > Setup > Operations, you can select "Revert to last saved Panorama configuration".  That should get rid of everything.   Thanks,   Tom ... View more

Re: Host certificate check HIP objects configuration

by Cyber Elite in GlobalProtect Discussions
‎09-04-2023 02:35 AM
1 Kudo
‎09-04-2023 02:35 AM
1 Kudo
Hi @FranklinV ,   Got it!  I understand your question now.  I do not configure Certificate Based Authentication only.  It is recommended to use 2FA for GlobalProtect (RA VPN) because if you use one factor and it is compromised, then threats have access to your network.  RA VPN is a commonly exploited means of gaining access.   With regard to SAML+MFA without a u/p prompt, I know the portal can be configured to accept authentication cookies, but I have never configured it or seen it on the 1st login.  GP also can use HW/SW tokens, although I have not seen a lot of documentation on it.   Another possibility is to use RADIUS/EAP-TLS and have the RADIUS server extract the username from the certificate and communicate with the MFA software.    Thanks,   Tom ... View more

Re: Host certificate check HIP objects configuration

by Cyber Elite in GlobalProtect Discussions
‎09-03-2023 07:14 PM
‎09-03-2023 07:14 PM
Hi @FranklinV ,   Under the Client Authentication config, you can choose certificate only or certificate and username/password.  The username/password can reference many Authentication Profile types including SAML.  MFA can be built into many authentication methods.   Thanks,   Tom         ... View more

Re: Remove Template mode in panorama

by Cyber Elite in General Topics
‎09-03-2023 01:42 PM
‎09-03-2023 01:42 PM
Hi @kevinospf ,   Those buttons are on the NGFW, not on Panorama.  They are used to remove a NGFW from Panorama.  Is that what you want to do?   If all you want to do is delete an unused template and device group, you can do that from Panorama > Templates or Panorama > Device Groups.   Thanks,   Tom ... View more

Re: No Logs for DMZ zone

by Cyber Elite in General Topics
‎09-02-2023 10:27 AM
2 Kudos
‎09-02-2023 10:27 AM
2 Kudos
Hi @ChandrashekharD ,   Do you have logging enabled in your security policy rule?  If not, you will not see the logs.   If you have enabled Log at Session End (recommended), then maybe the session has not ended.  Check Monitor > Session Browser to see your active sessions.   Thanks,   Tom ... View more

Re: Response status error code 403 while using api

by Cyber Elite in Next-Generation Firewall Discussions
‎09-02-2023 07:23 AM
1 Kudo
‎09-02-2023 07:23 AM
1 Kudo
Hi @ssovee ,   That's a good start!  I have a couple of observations:   Invalid Credential most likely means the key is wrong.  You may want to double check the key. You have too much in your 2nd URL.  You should get rid of the "<request cmd="op"><operations>" and "</operations></request>".  Those were not in your 1st URL and not needed. Have you tried the XML API Browser?  You can drill down in the menu and get the exact URL syntax you need.  You can also add the "all" keyword (which is correct) and click Submit to test.  You can fully test your XML syntax before using it in curl. The command curl -k -X GET "https://a.b.c.d/api/?type=op&cmd=<show><virtual-wire>all</virtual-wire></show>&key=CorrectKey" works for me. https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-panorama-api/get-started-with-the-pan-os-xml-api/explore-the-api/use-the-api-browser   Thanks,   Tom ... View more

Re: Multiple remote site firewall commit errors/failures after Panorama 10.2 upgrade

by Cyber Elite in Next-Generation Firewall Discussions
‎09-01-2023 12:41 PM
1 Kudo
‎09-01-2023 12:41 PM
1 Kudo
Hi @NeonNetSec ,   I have not seen this before.   To answer #2, to push template values to a newly imported NGFW, you need to select Force Template Values.  I would definitely have Automated Commit Recovery enabled before this as it will override your network values.   With regard to #1, it looks like most of your errors are Network related.  Open up the GUI, override and check the config, then save.  Sometimes this will fix the syntax error in the XML.  Do this everywhere you get an error.  You could also try looking at the config in the CLI.  Sometimes the syntax errors are easy to spot and fix there.   I try not to keep my NGFWs and Panorama versions too far apart.  A bigger difference between versions means a bigger chance of a commit error.  I upgrade Panorama and then upgrade NGFWs for each version.  I know this is not much help for you now.   Thanks,   Tom ... View more

Re: Exclude a Application behind Clientless VPN from decryption

by Cyber Elite in GlobalProtect Discussions
‎09-01-2023 08:28 AM
‎09-01-2023 08:28 AM
Hi @Martin.Shemon ,   The NGFW will decrypt clientless VPN because it is designed to do so.  The client creates an SSL session to the NGFW, and it creates a new SSL session to the internal server.  This happens even if you do not have decryption enabled.  It is, essentially, a man-in-the-middle.   You have 2 solutions, in my opinion.   Fix the decryption issue.  For example, if you put the IP address in the Hostname field of the General tab and your certificate does not have the IP address in it, you will get decryption errors.  Many times the issue will come down to supported and non-supported technologies.  Please see the links below. Use the GlobalProtect client.  That traffic will abide by the decryption policy and can be excluded. https://docs.paloaltonetworks.com/globalprotect/9-1/globalprotect-admin/globalprotect-clientless-vpn/supported-technologies   https://docs.paloaltonetworks.com/globalprotect/10-1/globalprotect-admin/globalprotect-clientless-vpn/supported-technologies   Thanks,   Tom ... View more

Re: HA active/active dual ISP load balancing

by Cyber Elite in General Topics
‎09-01-2023 05:33 AM
1 Kudo
‎09-01-2023 05:33 AM
1 Kudo
Hi @nw-rogox ,   Active/active does give you the advantage of doubling your NGFW throughput.  However, in a failure scenario the throughput is cut in half which may not be desirable.  The additional complexity of active/active is generally not recommended.  Designs that are too complex tend to not only be a pain to configure as you are feeling now, but they also tend to be a pain to maintain, i.e., new problems may come up in the future.   For example, you cannot use a floating IP address in NAT unless you have a common BGP public IP across both ISPs.   I do not know of any documents to help you.  I did do a quick Google search and saw a couple videos you may look at.  They both used the switch to connect the dual ISPs to both NGFWs.   Sorry!  That is all I have.   Thanks,   Tom ... View more

Re: Palo Alto Registration and Authorization Codes

by Cyber Elite in General Topics
‎08-31-2023 05:42 PM
‎08-31-2023 05:42 PM
Hello @David_Patterson ,   You need to create a support account, register the NGFW, and activate the auth codes.  Please see the step-by-step instructions below.  Once complete, you can retrieve the licenses on the NGFW.   https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/getting-started/register-the-firewall   https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClNACA0   https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PNO4   Thanks,   Tom ... View more

Re: Static route to IPSec peers with dynamic IPs

by Cyber Elite in General Topics
‎08-31-2023 09:56 AM
1 Kudo
‎08-31-2023 09:56 AM
1 Kudo
Hi @Carracido ,   If your VPN peers will be dynamic, you will need a default route to send traffic to them.  If you only want to use eth1/2 for VPN traffic, the following solution may work.   Enable ECMP with Symmetric Return. Select Weighted Round Robin with weights of 100 for eth1/1 and 0 for eth1/2. Configure your dynamic IPsec peers to connect to eth1/2. https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/networking/ecmp/ecmp-load-balancing-algorithms   https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClIGCA0   Thanks,   Tom ... View more

Re: Per-user exception to pre-defined URL filtering categories

by Cyber Elite in Next-Generation Firewall Discussions
‎08-31-2023 07:49 AM
‎08-31-2023 07:49 AM
Hi @ghughes ,   You can create a separate security policy rule for the user allowing web-browsing and/or ssl to the destination URL.  Since you are only allowing traffic to one URL, you do not need to put the URL filtering security profile on that rule.   Thanks,   Tom ... View more

Re: HA active/active dual ISP load balancing

by Cyber Elite in General Topics
‎08-31-2023 05:49 AM
‎08-31-2023 05:49 AM
Hi @nw-rogox ,   I would configure active/passive HA.  It is less complex than active/active.   You can create 2 VLANs on your existing switches - one for each ISP.  (As long as you do not create a L3 IP address for the VLANs, the switches will not be accessible from the Internet.) Then you can connect each ISP to both NGFWs and use active/passive HA. Enable ECMP with Symmetric Return. Configure 2 default routes. Configure NAT normally for each ISP. You can tune the ECMP hashing if you have weird issues.  https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/networking/ecmp/ecmp-load-balancing-algorithms Thanks,   Tom ... View more

Re: EDL - How to find out if its updated automatically

by Cyber Elite in General Topics
‎08-30-2023 06:42 AM
3 Kudos
‎08-30-2023 06:42 AM
3 Kudos
Hi @Ismailsh ,   That is a great question!  EDIT:  Sorry!  I thought you were asking about custom EDLs.  The built-in EDLs are updated through content updates.  https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/policy/use-an-external-dynamic-list-in-policy/built-in-edls  I don't think the NGFW logs those changes.   To check the status of custom EDLs, you can check Monitor > Logs > Systems for EDL messages.  Use the filter ( description contains 'EDL' ).  The logs will let you know if the refresh succeeded or failed, if there were updates or not, etc.   You can also examine the contents of the EDL itself under Objects > External Dynamic Lists > [edit list] > List Entries and Exceptions.   EDIT2:  It looks like the built-in EDLs are updated with the AV updates.   > request system external-list stats type predefined-ip name panw-known-ip-list Predefined IP list available in AV content   I checked the List Entries of "Palo Alto Networks - Known malicious IP addresses" before and after an AV update, and the number changed.  I am currently getting an AV update everyday, although I do not know if the built-in EDLs change with every update.   Thanks,   Tom ... View more

Re: Host certificate check HIP objects configuration

by Cyber Elite in GlobalProtect Discussions
‎08-30-2023 05:48 AM
‎08-30-2023 05:48 AM
Hi @ngd-netsec ,   You can configure GlobalProtect to authenticate the client with a certificate and/or username/password.  You do not have to configure HIP checks.  https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClIICA0   You can also Google "globalprotect client certificate authentication" and you will find more docs and videos.   I have configured GP certificate authentication for a few of my customers, and it is easy once you get the hang of it.   Thanks,   Tom ... View more
Register or Sign-in
Contact Me
Online Status
Offline
Date Last Visited
‎01-21-2026 09:42 AM
Latest Tags
No tags yet
LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2026 - Palo Alto Networks