This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
Buy or Renew
Buy or Renew

About TomYoung

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
TomYoung
‎01-23-2026
Cyber Elite
since ‎11-15-2017
Cyber Elite
User Activity
User Profile
Latest posts by TomYoung
View All
User Badges
Community Statistics
Member Since ‎11-15-2017 11:37 PM
Date Last Visited ‎01-23-2026 10:52 PM
Posts 1,556
Total Likes Received 602

Re: SSL Decryption Certificate Self-Signed vs Public Trusted CA

by Cyber Elite in General Topics
‎08-29-2023 09:11 AM
1 Kudo
‎08-29-2023 09:11 AM
1 Kudo
Hi @Shahlar ,   You said, "we just obtained CA certificate for SSL decryption for testing purposes".  Was this a public certificate and did you also get the private key?  I have never heard of a public certificate authority issuing a CA certificate to a user.  Then the user could issue certificates on their behalf, defeating the whole purpose of a trusted CA.   The issue is not that there is no point to using public CAs for SSL Forward Proxy.  You can't get a public CA certificate and private key.  If you have one, I am very curious how you got it.  Maybe I am missing something.   Thanks,   Tom ... View more

Re: Management server failed to send phase 1 to client sslvpn

by Cyber Elite in Panorama Discussions
‎08-29-2023 04:47 AM
‎08-29-2023 04:47 AM
Hi @Ankit1Singh ,   Please run the commands on the managed NGFW.  The commit is failing there.  As long as you have not reverted the configuration, the Panorama pushed configuration is still part of the candidate configuration.  You can still try to commit it.   Thanks,   Tom ... View more

Re: Management server failed to send phase 1 to client sslvpn

by Cyber Elite in Panorama Discussions
‎08-28-2023 05:23 PM
‎08-28-2023 05:23 PM
Hi @Ankit1Singh ,   Could you run the CLI command "show system software status | match sslvpn" and confirm the process is running?  If not, you can restart the process with the CLI command "debug software restart process sslvpn".  Then commit again.   Thanks,   Tom ... View more

Re: PAN-OS NGFW - LDAP Authentication via Group Membership - Admin UI

by Cyber Elite in Next-Generation Firewall Discussions
‎08-28-2023 02:25 PM
2 Kudos
‎08-28-2023 02:25 PM
2 Kudos
Hi @JeffH-SecBBQ ,   There is a way to set up the NGFW to authenticate administrators based on group membership so you don't have to create unique admin user objects.  It is done under Device > Setup > Management > Authentication Settings.  Notice that it supports only RADIUS, TACACS+, or SAML.     The reason, I believe, is because those protocols can also specify the role to be used in addition to authenticating.  With local admins, you specify the role.  With centralized admins, the authentication server needs to specify the role.  You could have one group for superusers, one group for read-only superusers, etc.   With RADIUS, the roles are configured with VSAs.  https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClIxCAK   Here is the dictionary.  https://docs.paloaltonetworks.com/resources/radius-dictionary   Thanks,   Tom   ... View more

Re: Panorama-Local Config Merge in HA

by Cyber Elite in Panorama Discussions
‎08-28-2023 11:26 AM
‎08-28-2023 11:26 AM
Hi @shawnmuas ,   Hear is an article on how to migrate an HA pair to Panorama.  https://docs.paloaltonetworks.com/panorama/9-1/panorama-admin/manage-firewalls/transition-a-firewall-to-panorama-management/migrate-a-firewall-ha-pair-to-panorama-management  I have used it many times.   It is similar to your process, but a little different.   Panorama will not overwrite the Mgmt interface settings, even if you check Force Template Values. I am pretty sure a local sync config will NOT sync the Panorama pushed settings, only the local configuration.  So, you will need to do steps 8 and 9 for each NGFW as mentioned in this document. With regard to the HA settings, you could (1) click the Remove All button under the template and manage it locally, (2) use template variables, or (3) override locally. Thanks,   Tom ... View more

Re: Trying to understand how a certificate profile is used for External Dynamic Lists (EDL)

by Cyber Elite in Panorama Discussions
‎08-28-2023 07:45 AM
‎08-28-2023 07:45 AM
Hi @SteveBallantyne ,   Probably because the only CA certificates on your NGFW contain private keys.  It only allows CA certificates to be installed.  You can add public CA certificates with no private key.   Thanks,   Tom ... View more

Re: Template Variables for Global Protect

by Cyber Elite in Panorama Discussions
‎08-28-2023 07:40 AM
‎08-28-2023 07:40 AM
Correct.  Last time I checked, I could not use variables for items 1, 4, and 6 listed above.  Those do not have an asterisk. ... View more

Re: Trying to understand how a certificate profile is used for External Dynamic Lists (EDL)

by Cyber Elite in Panorama Discussions
‎08-28-2023 07:37 AM
‎08-28-2023 07:37 AM
Hi @SteveBallantyne ,   The phrase "certificate profile" in my opinion is not a very good description.  Certificate profiles contain the CA certificates that were used to create the certificate being verified, in this case the EDL server.  It is a way to verify no one has tampered with the EDL site.   For an EDL, you would browse to the site, examine the certificate, and download the CA certificates in the chain.  Install them on your NGFW, and add them to your certificate profile.  When the NGFW goes to the EDL, it says, "Yep.  That is the correct certificate."  I don't see it as a critical security feature, but I like to get rid of my commit warnings.   Some versions of PAN-OS have had issues with the EDL certificate profile working.  I am on 10.2.4, and they are working fine.   Thanks,   Tom ... View more

Re: Template Variables for Global Protect

by Cyber Elite in Panorama Discussions
‎08-28-2023 07:27 AM
1 Kudo
‎08-28-2023 07:27 AM
1 Kudo
Hi @YannickMaes ,   I configured a bogus interface in the Global template.  I then overrode that interface in the template stacks with the correct interface.  Trying to use the same interface in the Global template led to problems as it interfered with the templates.  You can send me a PM if you want to see the config.   Thanks,   Tom ... View more

Re: Configuring DNAT on PA-820

by Cyber Elite in General Topics
‎08-27-2023 11:13 AM
‎08-27-2023 11:13 AM
Hi @KGH0511 ,   Thank you for the feedback.  That is the opposite of what I saw in the documentation, also.  It does make sense the a NAT lookup is done on ingress, but the NAT is applied on egress.  The NAT lookup is why the destination zone in the security policy rule is toward the server.   Have a great day!   Tom ... View more

Re: Configuring DNAT on PA-820

by Cyber Elite in General Topics
‎08-26-2023 11:23 AM
1 Kudo
‎08-26-2023 11:23 AM
1 Kudo
Hi @KGH0511 ,   I am glad that we got it working on the Zoom call.  In hindsight, I think the culprit was the VNC service object was incorrect.  That is used in the NAT rule.  Once we fixed it, then the NAT started working fine.  You should be able to remove tcp/2485 from the security policy rule now.   Thanks,   Tom ... View more

Re: Configuring DNAT on PA-820

by Cyber Elite in General Topics
‎08-26-2023 08:01 AM
1 Kudo
‎08-26-2023 08:01 AM
1 Kudo
Hi @KGH0511 ,   Good!  This is progress.  As I mentioned before (and is mentioned in the doc I linked), the destination address in the security policy rule should be the public IP address from the NAT rule.  Please try making that change and let me know if it works.   With regard to no traffic logs, did you enable logging for the interzone-default rule?  You will need to use the Override button.   Thanks,   Tom ... View more

Re: Configuring DNAT on PA-820

by Cyber Elite in General Topics
‎08-25-2023 12:24 PM
1 Kudo
‎08-25-2023 12:24 PM
1 Kudo
Hi @KGH0511 ,   It is strange that you are getting hits on your security policy rule.  The destination IP address should be the public IP address (pre-NAT).  The service should be 5900 (post-NAT).  Please see this doc.  https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/networking/nat/nat-configuration-examples/destination-nat-exampleone-to-one-mapping   You could also try changing the destination interface to any in your NAT rule.   Thanks,   Tom ... View more

Re: BPA CIS/CSC Report missing, where do I find it in AIOps?

by Cyber Elite in AIOps for NGFW Discussions
‎08-25-2023 11:53 AM
‎08-25-2023 11:53 AM
Hi @NilsGab ,   Every section of the PDF has the following counters:   Failed CSC checks Failed non-CSC checks Failed CSC and non-CSC checks So, there is some info.  I understand the format is not the same as the previous report which is shown in your screen shot.   This is a community forum, and I don't work for PANW.  You asked if you could get CSC info from AIOps BPA, and there it is.   Thanks,   Tom     ... View more

Re: Template Variables for Global Protect

by Cyber Elite in Panorama Discussions
‎08-25-2023 08:03 AM
‎08-25-2023 08:03 AM
Sorry!   I forgot to mention that he/she never responded.  Maybe not familiar with personal mail in the community. ... View more
Register or Sign-in
Contact Me
Online Status
Offline
Date Last Visited
‎01-23-2026 10:52 PM
Latest Tags
No tags yet
LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2026 - Palo Alto Networks