This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

About TomYoung

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.
TomYoung
‎05-08-2024
Cyber Elite
since ‎11-15-2017
Cyber Elite
User Activity
User Profile
Latest posts by TomYoung
View All
User Badges
Community Statistics
Member Since ‎11-15-2017 11:37 PM
Date Last Visited ‎05-08-2024 08:20 AM
Posts 1,155
Total Likes Received 472

Re: How to download Panorama vm file

by Cyber Elite in General Topics
‎11-16-2023 02:47 AM
‎11-16-2023 02:47 AM
Hi @Fagani ,   You cannot access images on the CSP unless you have a license.  You can request a trial license from your PANW SE, and then you will see the images.   Thanks,   Tom ... View more

Re: 2 isps 1 for ipsec tunnel 1 for user internet advice on how to do this

by Cyber Elite in General Topics
‎11-16-2023 02:45 AM
‎11-16-2023 02:45 AM
Hi @din100 ,   The easiest way to accomplish your goal is to use a default route to 2.2.2.1 and host routes (/32) to 3.3.3.1 for each VPN peer.  Routing to each IPsec tunnel interface (static or dynamic) will ensure the tunneled traffic is routed correctly.   You mentioned that the IPsec peers only accept the 1 IP address.  So, you do not have to plan for IPsec redundancy.  If you want redundancy for Internet traffic, you could follow this guide.  https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PLL8CAO   Thanks,   Tom ... View more

Re: How do people manage certificates for the MGMT interface at scale?

by Cyber Elite in General Topics
‎11-16-2023 02:34 AM
‎11-16-2023 02:34 AM
Hi @Claw4609 ,   I use a wildcard certificate and push it from Panorama.  It is in my "Global" template.  So, I change it once and push it to every NGFW.   The most common enterprise CA server is Microsoft.  It supports SCEP.  If you want unique certificates for each NGFW, you can go that route.   Thanks,   Tom ... View more

Re: Source User missing users unless DC is rebooted--User Mapping

by Cyber Elite in General Topics
‎11-15-2023 01:22 PM
‎11-15-2023 01:22 PM
Hi @Winkmac ,   You may need to adjust your cache settings.  https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-web-interface-help/user-identification/device-user-identification-user-mapping/user-id-agent-setup/user-id-agent-setup-cache   Thanks,   Tom ... View more

Re: EDL - unable to get local issuer certificate

by Cyber Elite in Next-Generation Firewall Discussions
‎11-15-2023 12:37 PM
1 Kudo
‎11-15-2023 12:37 PM
1 Kudo
Hi @orbcomm ,   Mine continues to work fine on 10.2.4-h2 and 10.2.5.   Thanks,   Tom ... View more

Re: API set up with global protect and infoblox

by Cyber Elite in General Topics
‎11-14-2023 01:11 PM
‎11-14-2023 01:11 PM
Hi @ADefeo ,   This works for me in the API browser.  <show><global-protect-gateway><current-user></current-user></global-protect-gateway></show>   It looks like you need to fix a couple syntax errors in your XML.   Thanks,   Tom ... View more

Re: CVE-2023-38802

by Cyber Elite in Threat & Vulnerability Discussions
‎11-13-2023 02:05 PM
‎11-13-2023 02:05 PM
For any drive-by browsers, you can secure your BGP connections only to/from specific IP addresses with an allow security policy rule followed by a drop rule.  Then your NGFW will only allow BGP packets from configured peers.   Thanks,   Tom ... View more

Re: GP stops working when ecmp is enabled

by Cyber Elite in General Topics
‎11-13-2023 02:15 AM
1 Kudo
‎11-13-2023 02:15 AM
1 Kudo
Hi @Raido_Rattameister ,   Thanks for clarifying the design.  I missed that part.   Hi @Dijesh ,   We are glad it is working!  Please mark @Raido_Rattameister reply as the solution.   Tom ... View more

Re: SAML Authentication - Users not prompted for password or MFA

by Cyber Elite in GlobalProtect Discussions
‎11-12-2023 04:40 PM
‎11-12-2023 04:40 PM
Hi @SethEfrat ,   When SAML/SSO does not prompt for creds or MFA, it is almost always an authentication cookie.  Check you IdP authentication cookie settings.   Thanks,   Tom ... View more

Re: GP stops working when ecmp is enabled

by Cyber Elite in General Topics
‎11-12-2023 04:28 PM
‎11-12-2023 04:28 PM
Hi @Dijesh ,   Enable Symmetric Return for ECMP and GP should work fine.  https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-web-interface-help/network/network-virtual-routers/ecmp/ecmp-settings   Your scenario is the reason the Symmetric Return option is there.  We want the GP return packets to always go out the same interface they came in and not be load balanced.   Thanks,   Tom ... View more

Re: After connecting to Global Protect unable to use RDP

by Cyber Elite in GlobalProtect Discussions
‎11-12-2023 04:18 PM
‎11-12-2023 04:18 PM
Hi @Monicashree ,   If the NGFW captures packets in the drop stage, then it is dropping the packets. First, check the traffic logs to see the drops.  (Make sure logging is enabled for interzone default.)   If you don't see anything there, you may be able to see why with the last command in this article -> https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CloNCAS.   Thanks,   Tom ... View more

Re: Using HA without a virtual mac possible?

by Cyber Elite in General Topics
‎11-08-2023 04:06 AM
1 Kudo
‎11-08-2023 04:06 AM
1 Kudo
Hi @Tim_Reckling ,   Could you provide more information?  Here is a good link for HA on VM-Series -> https://docs.paloaltonetworks.com/vm-series/9-1/vm-series-deployment/about-the-vm-series-firewall/vm-series-in-high-availability.  For example, the original HA document for Azure does not use virtual MACs.  However, the Azure deployment guide https://www.paloaltonetworks.com/resources/reference-architectures/azure recommends using the Azure Load Balancer with 2 independent NGFWs for faster failover, in which case the virtual MAC is not required.   PANW has reference architectures for AWS, GCP, etc. https://www.paloaltonetworks.com.au/resources/reference-architectures   So, there may be some good documents for your virtualization platform to help solve your issue.   With regard to normal HA configuration, you must use the virtual MAC address.   Thanks,   Tom ... View more

Re: PAN-OS Xpath

by Cyber Elite in Panorama Discussions
‎11-08-2023 03:52 AM
‎11-08-2023 03:52 AM
Hi @ahmad_zubayr ,   Yes, and no.  The NGFW stores the Panorama-pushed configuration differently than local configuration.  For example, on the NGFW "show rulebase security" in configuration mode will not show the Panorama pushed security policy.  The API is the same.   On the CLI, you can use the commands "show config pushed-template" or "show config pushed-shared-policy" to view the Panorama config.  The same commands are available on the API.  I haven't played with it much, but I do not see a way to view only the security policy or specific objects.  You view the entire pushed policy.   I would love for someone else to jump in here to show a better way.   If you are using the API, you may have the automation tools to pull out the specific pieces you want.   Thanks,   Tom ... View more

Re: PCNSE - Private Access Code for Pearson Vue

by Cyber Elite in General Topics
‎11-04-2023 10:06 AM
1 Kudo
‎11-04-2023 10:06 AM
1 Kudo
Hi @Asogan ,   You do not need a private access code for the PCNSE.  The test shows up when you click the View Exams button.  When I registered for my 1st PANW exam, I had to create a new Pearson Vue account separate from my old one.  I don't know if that is still true today.  Here is a customer service page.   https://home.pearsonvue.com/paloaltonetworks/contact   Thanks,   Tom ... View more

Re: Creating user-ip mappings from the command line.

by Cyber Elite in General Topics
‎11-01-2023 04:10 AM
‎11-01-2023 04:10 AM
Hi @Diegogarcia1 ,   Have you tried Lynx, the terminal-based web-browser?  The user can open the page in Lynx, and it will render the HTML in text.  It should be redirected to the captive portal like a regular browser.  The user can navigate the rendered page and input their credentials.   Thanks,   Tom ... View more
Register or Sign-in
Contact Me
Online Status
Offline
Date Last Visited
‎05-08-2024 08:20 AM
Latest Tags
No tags yet
LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks