This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
Buy or Renew
Buy or Renew

About TomYoung

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
TomYoung
‎01-07-2026
Cyber Elite
since ‎11-15-2017
Cyber Elite
User Activity
User Profile
Latest posts by TomYoung
View All
User Badges
Community Statistics
Member Since ‎11-15-2017 11:37 PM
Date Last Visited ‎01-07-2026 04:02 PM
Posts 1,551
Total Likes Received 602

Re: GP Compatibility on Windows Server

by Cyber Elite in General Topics
‎06-07-2023 03:43 PM
‎06-07-2023 03:43 PM
Hi @Matlu_NN ,   This doc only mentions Windows workstation OSes -> https://docs.paloaltonetworks.com/compatibility-matrix/globalprotect/where-can-i-install-the-globalprotect-app#id7a3c3401-b233-43b0-8d78-dfceab88798f_id0204a5d9-4857-4979-8fa0-14809d8e697b.  So, it doesn't look like GP is supported on Windows server.   Thanks,   Tom ... View more

Re: Clarification on App Rule - I thought I understood this

by Cyber Elite in General Topics
‎06-07-2023 09:57 AM
‎06-07-2023 09:57 AM
Hi @TonyDeHart ,   Yes, that is strange.  Looking at the URL I posted with the ports, I would think you would need to allow SSL on 443 as well.   Thanks,   Tom ... View more

Re: Clarification on App Rule - I thought I understood this

by Cyber Elite in General Topics
‎06-07-2023 09:28 AM
‎06-07-2023 09:28 AM
Hi @TonyDeHart ,   The ssl traffic that you see being denied.  Is it port 443 or 3978?   Thanks,   Tom ... View more

Re: Clarification on App Rule - I thought I understood this

by Cyber Elite in General Topics
‎06-07-2023 09:12 AM
‎06-07-2023 09:12 AM
Hi @TonyDeHart ,   SSL is only implicitly allowed until the NGFW identifies the application as panorama.  Here are explanations of the cases from the URL you posted:   Case 1:  SSL traffic is allowed by rule and still alowed when it shifts to sharepoint-online. Case 2:  SSL traffic to www.example.com is allowed temporarily but denied because it never shifts to sharepoint-online. Case 3:  SSL traffic to www.facebook.com is allowed temporarily but denied after it shifts to facebook-base. This is the desired behavior as we do not want a L7 rule allowing also panorama to allow all ssl.  We want it to allow only the selected application.   Thanks,   Tom ... View more

Re: Clarification on App Rule - I thought I understood this

by Cyber Elite in General Topics
‎06-07-2023 07:35 AM
‎06-07-2023 07:35 AM
Hi @TonyDeHart ,   I had the same question. Is your ssl traffic on port 443 or 3978?  If it is on 3978, it should not be blocked and should application shift to panorama.  If it is on 443, then it is a separate app that will need to be allowed by rule.  I believe your current rule will only allow ssl on 3978 until it shifts.   PANW does not tells us what apps are required between Panorama and the managed NGFW, but they do give us this list of ports -> https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/firewall-administration/reference-port-number-usage/ports-used-for-panorama.   There is a separate tcp/443 listed which seems to indicate to me that ssl needs to be added to the list of applications in your rule.   Thanks,   Tom ... View more

Re: SSL Inspection and SSL Labs

by Cyber Elite in General Topics
‎06-06-2023 01:04 PM
1 Kudo
‎06-06-2023 01:04 PM
1 Kudo
Hi @Claw4609 ,   I agree with you.  It would be nice if PANW had an index of decryption errors.  I found this -> https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-admin/decryption/troubleshoot-and-monitor-decryption/decryption-logs/decryption-log-errors-and-error-indexes but an index of every error and cause would be nice.   Thanks,   Tom ... View more

Re: Palo Alto NGFW: LDAP authentication with DUO MFA

by Cyber Elite in Next-Generation Firewall Discussions
‎06-05-2023 10:01 AM
1 Kudo
‎06-05-2023 10:01 AM
1 Kudo
Hi @jeromej ,   Both Duo and Okta support GlobalProtect through either RADIUS or SAML.   RADIUS would be easier, in my opinion.  It uses the Duo Authentication Proxy (DAP) or the Okta RADIUS Agent.  These services authenticate to AD. SAML will go direct to the Duo or Okta cloud.  It will need to be connected to AD somehow. Here is a simple diagram -> https://www.okta.com/integrations/mfa-for-vpn/palo-alto-networks/.   From experience the DAP is easy to setup and troubleshoot once you get used to it.  I have never done Okta.   You would think that you could use the Factors tab in the Authentication Profile.  Unless this table is old -> https://docs.paloaltonetworks.com/compatibility-matrix/mfa-vendor-support/mfa-vendor-support-table that method is only supported for Authentication Proxy.   You can Google "globalprotect duo" or "globalprotect okta" and you will find clear docs on how to do it from Duo/Okta/PANW using RADIUS or SAML.   Thanks,   Tom ... View more

Re: Understanding Static NAT

by Cyber Elite in General Topics
‎06-05-2023 06:24 AM
‎06-05-2023 06:24 AM
Hi @Sanjay_Ramaiah ,   That looks good.  The 2nd NAT entry is not needed because you configured the 1st one as bidirectional.   Could you give me the IP address/mask on the DMZ and LAN interfaces?  I am curious why the traffic is going to the LAN interface also.  Do you have other NAT rules above the ones you listed?  I wonder if the traffic is hitting another rule.   Thanks,   Tom ... View more

Re: file blocking profile not working for SFTP

by Cyber Elite in General Topics
‎06-05-2023 06:08 AM
‎06-05-2023 06:08 AM
Hi @sumit_mame ,   Does your server support FTP over SSL, or FTPS?  If so, use that and configure SSL Inbound Inspection on your NGFW.  https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/decryption/configure-ssl-inbound-inspection   Second, please submit a feature request to your PANW SE to decrypt and decode SFTP.  I think a lot of customers would find that useful.   Thanks,   Tom ... View more

Re: file blocking profile not working for SFTP

by Cyber Elite in General Topics
‎06-04-2023 03:27 PM
‎06-04-2023 03:27 PM
Hi @sumit_mame and @InfoSecPro ,   SFTP is SSH File Transfer Protocol.  https://en.wikipedia.org/wiki/SSH_File_Transfer_Protocol  You can verify this by looking at the application identified by the NGFW.  It should be ssh.   While the NGFW can decrypt SSH, I believe it is only for the purpose of identifying the ssh-tunnel application.  So, I don't think SFTP can be identified or decrypted, which would be required to identify the file.  In addition, "SFTP is not FTP run over SSH" (URL above).  The protocol is different, and if the SSH session were decrypted, it would not be identified as ftp.   If the application is FTPS, then the NGFW will identify it as ssl.  Then you could decrypt it, and the NGFW should identify the traffic as FTP.  Then the file can be identified and blocked.   Thanks,   Tom ... View more

Re: Query for routing table

by Cyber Elite in General Topics
‎06-02-2023 01:10 PM
‎06-02-2023 01:10 PM
Hi @Matlu_NN ,   If the source interface is not specified then "ping host x.x.x.x" will be sourced from the management interface.   https://live.paloaltonetworks.com/t5/blogs/tips-amp-tricks-how-to-ping-from-the-cli/ba-p/468784   Thanks,   Tom ... View more

Re: Best practice for Active/Passive HA and OSPF

by Cyber Elite in General Topics
‎06-02-2023 12:54 PM
1 Kudo
‎06-02-2023 12:54 PM
1 Kudo
Hi @inssider ,   That is a great question.  The FIB is synchronized between A/P HA pairs, but the OSPF LSDB is not -> https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/high-availability/reference-ha-synchronization/synchronization-of-system-runtime-information#id098eb97b-79a9-4cfb-bace-cb9338c9af7d.  You can confirm this by running the commands "show routing route" and "show routing protocol ospf lsdb" on the passive NGFW.   The purpose of OSPF GR is for the NGFW to tell its neighbor that there was a failover and to resynchronize the LSDB without taking the neighbor down.  OSPF GR is recommended for HA, but it should be enabled on inside router (OSPF neighbor) also -> https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cm5ZCAS, at least in helper mode.   If the OSPF LSDB is empty, the NGFW probably will form a new adjacency to build it again.  I would check the system logs to see if OSPF flaps.  If failover takes longer with GR than without, I would check to see if it is enabled on both sides and check the timers.  The dead interval should not be less that the time needed for the passive control plane to take over.  Failover should be faster with OSPF GR than without, but use whatever works for you.   Thanks,   Tom ... View more

Re: Enable Device Telemetry with error message : Send File to CDL Receiver Failed

by Cyber Elite in General Topics
‎06-01-2023 06:50 AM
‎06-01-2023 06:50 AM
Hi @Fariq_Zaidi ,   Mine was the paid CDL.   Thanks,   Tom ... View more

Re: Multiple vsys share one pair of WAN circuits?

by Cyber Elite in Next-Generation Firewall Discussions
‎05-31-2023 07:19 PM
‎05-31-2023 07:19 PM
Hi @ZNetEng ,   You could try a shared gateway -> https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/virtual-systems/shared-gateway.   Another idea is to use QoS to limit the bandwidth on the sub-interfaces, but I can't remember if you can apply QoS to sub-interfaces.   Thanks,   Tom ... View more

Re: Strange behaviour via Palo Alto Firewall.

by Cyber Elite in General Topics
‎05-30-2023 02:48 PM
‎05-30-2023 02:48 PM
Hi @Mick_Ball ,   In the decryption rule that excludes that site, do you have the same decryption profile applied?   Thanks,   Tom ... View more
Register or Sign-in
Contact Me
Online Status
Offline
Date Last Visited
‎01-07-2026 04:02 PM
Latest Tags
No tags yet
LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2026 - Palo Alto Networks