This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
Buy or Renew
Buy or Renew

About TomYoung

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
TomYoung
Online
Cyber Elite
since ‎11-15-2017
Cyber Elite
User Activity
User Profile
Latest posts by TomYoung
View All
User Badges
Community Statistics
Member Since ‎11-15-2017 11:37 PM
Date Last Visited ‎12-31-2025 12:10 PM
Posts 1,549
Total Likes Received 602

Re: List NAT tables with static-ip translations

by Cyber Elite in General Topics
‎04-20-2022 11:26 AM
‎04-20-2022 11:26 AM
Hi @TigeRRR ,   Very cool.  Even 'show rulebase nat | match "source\|static"' would require some automation to filter.  Since you want to automate the process, the best tool to use is the API.   https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-panorama-api https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-panorama-api/get-started-with-the-pan-os-xml-api/explore-the-api   What automation tools do you know/use?   Thanks,   Tom ... View more

Re: List NAT tables with static-ip translations

by Cyber Elite in General Topics
‎04-20-2022 11:02 AM
‎04-20-2022 11:02 AM
Hi @TigeRRR ,   You can export your NAT rules from the GUI with the PDF/CSV button on the bottom.  Then you can open in Excel and filter the Translated Packet Source Translation column with "contains 'static'".  You could also Text to Columns the same column to break out the translated source into a separate column.   If you have destination NAT, do the same for the Translated Packet Destination Translation column.   Thanks,   Tom ... View more

Re: PA440 management interface doesn't take configuration

by Cyber Elite in General Topics
‎04-18-2022 07:52 PM
‎04-18-2022 07:52 PM
Hi @${userLoginName} ,   This is the CLI config I send my customers:   admin/admin set cli config-output-format set configure set deviceconfig system hostname HOSTNAME set deviceconfig system type static set deviceconfig system ip-address x.x.x.x set deviceconfig system netmask 255.255.255.0 set deviceconfig system default-gateway x.x.x.x set deviceconfig system dns-setting servers primary x.x.x.x set deviceconfig system dns-setting servers secondary x.x.x.x commit exit exit   Thanks,   Tom ... View more

Re: Multicast required for Intrazone policy?

by Cyber Elite in General Topics
‎04-18-2022 07:26 PM
‎04-18-2022 07:26 PM
Hi @CPatterson1 ,   Are host a and host b connected to layer 2 ports on the firewall?  Then all traffic is allowed between the two hosts with the intrazone-default rule as long as they are in the same L2 zone.  Also, the 5th paragraph implies that L2 ports do not forward multicast packets -> https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/networking/ip-multicast-overview.   If the hosts are connected to a switch, then the switch will forward packets (including multicast) directly between the hosts and not to the firewall.   Thanks,   Tom   ... View more

Re: Application incomplete

by Cyber Elite in General Topics
‎04-18-2022 07:17 AM
1 Kudo
‎04-18-2022 07:17 AM
1 Kudo
Hi @p66976 ,   Thank you for the excellent screen shot.  "Incomplete means that either the three-way TCP handshake did not complete OR the three-way TCP handshake did complete but there was no enough data after the handshake to identify the application."  Most of the time, this is a routing issue where the return traffic does not make it back to the firewall.  From your screen shot, you see that you are receiving no return packets.   https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClibCAC https://live.paloaltonetworks.com/t5/blogs/discussion-of-the-week-application-incomplete/ba-p/286965   Thanks,   Tom ... View more

Re: Port Forwarding/NAT Issues

by Cyber Elite in General Topics
‎04-17-2022 03:21 PM
‎04-17-2022 03:21 PM
Hi @wallbert ,   Here is an article with NAT and security policy examples to show you how to do it. https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/networking/nat/nat-configuration-examples/destination-nat-exampleone-to-one-mapping   Thanks,   Tom   PS In the security policy, pre-NAT IP and post-NAT everything else. ... View more

Re: Limiting Global Protect Logins (per user)

by Cyber Elite in GlobalProtect Discussions
‎04-11-2022 10:40 AM
‎04-11-2022 10:40 AM
Hi @DaveHartnett ,   There is no way to currently limit the GP sessions per user.  You could try the script in the 2nd URL below. https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CligCAC https://live.paloaltonetworks.com/t5/general-topics/concurrent-global-protect-user/td-p/406974   There is a feature request 4603 -> https://live.paloaltonetworks.com/t5/general-topics/feature-request-list/td-p/209128.   Thanks,   Tom   ... View more

Re: Migration Cisco to PAN

by Cyber Elite in General Topics
‎04-06-2022 04:32 PM
‎04-06-2022 04:32 PM
Hi @mamuhopo ,   These IP protocols need to be changed to applications.  You are correct that ICMP should be changed to ping.  Be aware that non-ping ICMP is now blocked but previously allowed on the ASA.  The protocols ipsec-esp and gre have applications of the same names in PA.  https://applipedia.paloaltonetworks.com/   Typically, these changes need to be made in the security policy in Expedition.  I clone the L4 rule and create a new L7 rule with the new applications.  Check out the "Replace Services by App-ID" section here -> https://live.paloaltonetworks.com/t5/expedition-articles/expedition-user-guide-v1-2/ta-p/285157#toc-hId-1689743346.   Thanks,   Tom   ... View more

Re: Recommended PAN-OS version

by Cyber Elite in General Topics
‎04-06-2022 04:02 PM
‎04-06-2022 04:02 PM
The link is the very 1st post works for me. ... View more

Re: Is it possible to DDoS/DoS a public IP which has only outbound traffic and ipsec tunnel. No DNAT configured and ping disabled.

by Cyber Elite in General Topics
‎03-23-2022 03:13 PM
‎03-23-2022 03:13 PM
Hi @Kandarp_Desai ,   Traffic from the Internet to the public IP (same zone) is allowed by the default intrazone-default rule.  You could create an intrazone drop rule to block the traffic, and no DoS should be possible.  Remember to create an allow rule for your IPsec tunnel first.   Thanks,   Tom ... View more

Re: How to renew Global protect certificate

by Cyber Elite in GlobalProtect Discussions
‎03-23-2022 12:42 PM
‎03-23-2022 12:42 PM
Hi @saifali.m ,   You should be able to access the management interface through the cloud management platform.  If you cannot upload a cert file via that method, you can enable management on the outside interface temporarily.   Thanks,   Tom ... View more

Re: software update for PA-820 without support contract

by Cyber Elite in General Topics
‎03-23-2022 12:00 PM
‎03-23-2022 12:00 PM
Hi @S_Hiebert ,   Online images are on the support portal under Updates > Software Updates.  Is "PAN-OS for the PA-800 Platform" available in the drop down?   Thanks,   Tom ... View more

Re: clean up unused objects within Panorama using expedition?

by Cyber Elite in Panorama Discussions
‎03-23-2022 11:54 AM
‎03-23-2022 11:54 AM
Hi @S_Hiebert ,   Expedition can work with Panorama.  https://www.youtube.com/watch?v=r_l_NjGHv90   Another way to find out is to delete the object.  If it is used, you will get an error.   Thanks,   Tom ... View more

Re: Advanced URL Filtering - help me understand it please?

by Cyber Elite in General Topics
‎03-21-2022 06:22 PM
‎03-21-2022 06:22 PM
Hi @roma ,   "Malicious URLs can be updated or introduced before URL filtering databases have an opportunity to analyze the content; this lag time gives attackers an open period from which they can launch precision attack campaigns on the firewall" The lag time is the time between when a malicious URL is introduced and when the URL filtering database [companies] are able to analyze the content and assign categories to it.   PAN-DB updates are not done as part of application and threats or any configurable dynamic update.  "PAN-DB does not have daily updates, instead the URL entries are retrieved from the cloud server as needed. The Palo Alto Networks firewall automatically checks for the updates, and system logs are generated every 8 hours indicating if the latest URL-filtering database was downloaded or not." https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClpMCAS   With regard to "risky" URLs, these have not been categorized yet.  They are recommended to be blocked with the "unknown" category.  https://docs.paloaltonetworks.com/best-practices/10-0/internet-gateway-best-practices/best-practice-internet-gateway-security-policy/create-best-practice-security-profiles.html  Blocking unknown may occasionally cause valid web sites to be blocked, but exceptions can be made.   Finally, The URL Filtering subscription is no longer orderable.  When it is time to renew, the only option will be Advanced URL Filtering.   Thanks,   Tom ... View more

Re: Cisco ASA PA ipsec issue

by Cyber Elite in General Topics
‎03-21-2022 11:45 AM
‎03-21-2022 11:45 AM
Hi @ITforacompany ,   Mine is still proxy-based.   Thanks,   Tom ... View more
Register or Sign-in
Contact Me
Online Status
Online
Date Last Visited
‎12-31-2025 12:10 PM
Latest Tags
No tags yet
LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2025 - Palo Alto Networks