About BenKnorr2

Before I changed the CIE to use outside interface to get it to work, I was seeing the 0 stats and never run under CLI commands. During the period where it showed this, I would select groups in security policies and then see them listed, but could never see a user mapped to it. I think it actually showed in "unmapped" section of the CLI. I put a user in a security policy and then could see the user in CLI but still not mapped to a group. I swore that I could see users and groups in the CLI. Changed to use outside interface to communicate to CIE and everything started working then I could see that previously I wasn't actually seeing info pulled from CIE. ... View more

Hi @BenKnorr2    Thanks. I have it configured for each device like that. I think the issue I am running into is the right way to get Panorama, the firewall and expedition to all work together. If I try this on a firewall not connected to Panorama, I have no issues.    ... View more

@BenKnorr2 The answer is no, current version of Expedition is not compatible with Prisma.  ... View more

How about dynamic IP tagging based on info from threat logs? https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/policy/use-auto-tagging-to-automate-security-actions.html   In a nutshell, you have a log forwarding profile that hits on whatever threats you want (medium and higher, etc.), and it can do several things: forwards to syslog/panorama/datalake, sends admin an email alert, sends SNMP trap, tags the IP. You will make an address group based on this tag and create a security rule that blocks this traffic, sends to an alert page, etc. The duration of block is determined in the log fwd profile. ... View more

I think that "-" means that the rule never matched but if the rule had a hit count but stopped being used then after time it will be placed in "unused"     https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/monitoring/view-policy-rule-usage.html ... View more