About BPry

@Rene_Boehme, The CLI can handle spaces fine, you just have to group them properly so its not escaped. So in the example that you have you would actually need to have it like so.   test security-policy-match   from untrust source 1.1.1.206   to "Zone Internal"   destination 2.2.2.226   destination-port   22   protocol 6   ... View more

@starplat, On older releases (not sure if you mentioned which release you are actually running) it wasn't uncommon to have to install the initial package before you could actually update through dynamic updates. Manually download each dynamic update from the support portal and manually install them on your device; once installed, you should be able to schedule the dynamic updates properly and have it actually function.  ... View more

@GSMC-Support, It looks like you've included a few file types that 8.1 doesn't actually support, which could very well be causing your issue. I'd also take a look at the actual configuration (CLI, API, XML) and see what it's actually saying in the config instead of looking at the GUI.  This should be giving you an error about invalid file types if you attempt to validate the configuration. ... View more

@jesuscano, verify that you actually have an include network configured on the agent. Client Probing really isn't a recommended configuration anymore, and you definitely don't want to allow sending those probes externally. ... View more

@benlangberg, Correct, if you rename the zone the firewall will update your rulebase as required with the new zone names.  ... View more

@benlangberg, This really comes down to administrator preference. Renaming the zones so that make sense in either location would be a logical thing to do, but in the end the name that you give the zone is nothing more than an identifier. Generally speaking, I like to keep my zone names really simple so that anyone who walks into the environment knows exactly what it is when they look at the configuration.  ... View more

@jesuscano  This sounds like you have Client Probing enabled, and if you've verified that User-ID is disabled on the untrust interface you'll also want to go through and verify that it isn't included in your Include Network listing.  ... View more

@pmchenry, You are correct, this is a known limitation within AWS. The only interface type that you are allowed is layer3, and VLAN and subinterface isn't supported at all. There's really no way to workaround that issue that I'm aware of, at that point you would be having more of a design discussion about how the environment is being built out and isolated. ... View more

@FWPalolearner, As long as the certificate is imported into the machine store and GlobalProtect is configured to search the machine store this will work perfectly fine. Keep in mind that windows will generally keep anything with a private key in PFX format, but really all PFX means is that it's using PKCS#12. This is really easy to deploy, and as long as you have the certificate in the machine store and the firewall has a properly configured certificate profile assigned it'll "just work".    The only gotcha that you should keep in mind with this change is that by default the agent option is set to search both the machine and user certificate stores. If you aren't setup to handle users will user certificates, you'll want to ensure that you have the agent configured to look solely at the machine store.  ... View more

@lee.curtis, As @Abdul-Fattah  alluded to, you're going to want to build a separate security rulebase entry to allow the traffic. You can programmatically add an exception relatively easy, but it is simply just building an IP address exception for each signature. Just build out a new security rulebase entry and remove it when the penetration test is done.  ... View more

@btolsta, This is not possible . ... View more

@jesuscano, This won't be an issue and will work perfectly fine.  ... View more

@gvyskocil, What does the URL log actually say that denied the traffic?  ... View more

@gleduc, You can grab the addresses reported in the EDL from the firewall via CLI or SSH and script checking logs against them individually easily enough. By itself the logs don't have any knowledge of the EDLs and the search function will only search for address or address-group objects, it completely ignores EDLs. This is primarily due to the sheer size supported by the EDLs. You wouldn't want the firewall to search through thousands of addresses when you attempt to pull search results.  ... View more

@batd2, As long as the firewall is running PAN-OS 8.1 or higher, the Policy Optimizer will function from Panorama without issue.  ... View more

@muhammadblibla, The best way I know of  to do this is busting out fiddler and creating custom threat signatures. The downside is that you need to analyze every single game that Google comes out with and build a custom threat signature for every single game. You're users are also likely to just move to built-in browser games, so it doesn't really fix anything.   Probably already saw the last post about this. I agree with the OP of that post in his final update; chop this up to managing users or teachers monitoring students and move on. https://live.paloaltonetworks.com/t5/general-topics/blocking-google-games/m-p/255435#M72479 ... View more

@S7anislav, There's currently no way to get this information out of the firewall in an exported format. ... View more

@Efrain_Olmos, That error is primarily due to permissions, but it can also be caused by WMI not being enabled on the client, becoming corrupt, or the MGMT interface simply not being able to reach the client. Are you positive that the MGMT interface isn't getting dropped somewhere when it attempts to probe the client?    ... View more

@brian.saloum, There's a ton of little gotcha moments when you enable FIPS-CC, but the only one that really changes with a HA pair is the requirement to utilize encryption on the HA setup. You'll definitely want to ensure you have that configured prior to actually changing the operational mode to avoid longer downtime and potential split-brain scenario due to the requirement not being met.  I would really try and get your config loaded onto a lab box and verify that you have everything setup properly to FIPS-CC standards (proper cipher suites, ect) prior to actually making this cutover. This will make sure you don't have any extended outage re-configuring things to standard.   ... View more

@herman2018, Could be an issue with the CDN node that you are connecting to, or it could just be an issue with your internet connection. You haven't really given any information outside of that fact that it was slow and failed once. What happens if you try again? What if you change your update server setting to utilize staticupdates.paloaltonetworks.com and try to update directly from PAN instead of the CDN network?  ... View more

@DarBis, No, this is definitely not isolated to just you. Throughout the beta period and now with the production release multiple people (including myself) were noticing the same thing. I would expect the performance to improve a bit with future maintenance releases, but I think were getting to a point where PAN-OS 10.0 is just asking a lot more from the PA-220 hardware. ... View more

@RamBalaji, if the OTP isn't being accepted by your instance you'll need to contact TAC. ... View more

@Jimmy20, I'm hoping that you meant 9.1.4 and not 9.0.4, if not you should really consider updating to the latest supported maintenance release as you're multiple versions behind at this point.  I'm assuming that you are more comfortable with the GUI; enter tunnel.50 in the search box and verify that you aren't referencing tunnel.50 in the rest of your configuration, because it sounds like you are. You can otherwise export the running-config.xml and simply search for tunnel.50 and verify that you don't have it referenced and if you do remove it. ... View more

@DF2020, So you've gotten to the portal, but you haven't been able to actually verify the gateway access. You need to start focusing on the gateway configuration and making sure that the gateway is accessible. You'll also want to double check that you have a policy that would match any denied traffic to the portal/gateway IP address or enable logging on the interzone-default policy so that you can verify that your security rulebase is actually correct. Are you using the same address for your portal/gateway, or are you seperating those out?  ... View more