About Astardzhiev

Hi @Shadow , - You can install virtual PA firewall for lab and use it without licenses. BUT there are lot of limitation:    - You will have very low limit of concurrent connections and throughput (not big of a deal right)    - You will be limited to 1-2 concurrent GlobalProtect (remote access VPN) users    - You will not be able to enable any of the additional NGFW inspection (IPS, AV, URL, DNS etc, non of that)    - Your FW should still be able to apply application identification and filtering based on application (not layer4 port), but you wouldn't receive automatic updates, so you will need to upload such dynamic update package manually. You can use build, but it is possible that non applications will be identified correctly. To sum up you should be able to test most (or even all) features of layer4 firewall - VPN (RAS and site-to-site), networking, routing, High-Availability, basic security rules, I believe even user identification (not sure about that)   - If you want to learn more you will definitively need to contact account/sales and request evaluation license - which is valid for 30 days. - Apart from hands-on-lab you have the option to go over the self-paced training on https://beacon.paloaltonetworks.com/student/catalog/list?category_ids=25389-strata Beacon is Palo Alto learning portal with ton of free online self-paced training. You can search for "Strata" product there - is the "code" name for all firewall related.     ... View more

Hey @reaper , - The firewall that is generating the URL allow rule, doesn't have any decryption rule at the moment. - Matching rule is actually around the bottom, but moving it higher, shouldn't make difference, because the matching source and destination objects are matching only that rule.   Hey @kat3xx , Indeed the log forwarding is set to forward any log   But this still doesn't explain why rule with no security profile will generate URL log? ... View more

Hi @Brad_Teige, One note you need to remember for PAN DHCP relay is that once FW receive the DHCP request  and try to forward it to the DHCP server this traffic becomes inter-zone. Meaning the DHCP request from interface/zone pointing to the users needs to be forwarded to another interface/zone pointing to DHCP server. For that reason you need to have rule allowing dhcp traffic from one zone to another. Step2 from this guide - https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClFXCA0 Above guide define any as destination, I would suggest you to restrict to only your trusted DHCP server.   I would also suggest to try to eliminate DHCP relay issues by: - Set static IP address one of the problematic machines, try to ping PA FW interface in that network (if don't have interface zone protection ping will fail, but) important part here is to check if you have ARP entry on the laptop for FW IP. Check if you have ARP on FW interface for that laptop. If no ARP you probably have issues with the VLAN config . - Set a packet capture on PA interface pointing to the users -  https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClTJCA0 Important for the filter is to set : inbound interface, and non-IP include. Leave the capture running and try ipconfig /renew to trigger new DHCP request (don't forget to switch back from static ip to dhcp if you are testing from same laptop) ... View more

Hi @r_buchwalder , Have you checked XDR API reference documentation - https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-API-Reference/Get-Distribution-URL If I understand your question all information should be already there. Just reading the docs it seems the flow should be as follow: - Make Create distribution API call (Create Distributions • Cortex XDR API Reference • Reader • Palo Alto Networks documentation portal), which will return distribution ID - Make Get Distribution Status API call providing the ID from previous call. This will tell you if package is ready for download or still creating. You probably need to loop this until status is ready - Make Get Distribution URL API call providing the same ID. This will return URL from which you can then download the package. ... View more

Hi @Sanjay_Ramaiah , PA-3020 latest supported version is 9.1, while PA-460 support only 10.1 and above. Based on this first first shot in the dark would be possible miss-configuration during firewall config migration. How did you perform PA-460 config preparation? Did you manually configure PA-460 while looking at the old PA-3020? Have you used any tool or Panorama?   I don't expect the problem to be specific for PA-460 device, but I would first start troubleshooting the network configuration. It is really hard to troubleshoot without knowing details for your environment. You can start with: - Does your GP user IP pool used on PA-460 exactly the same as it was on PA-3020? If it is different, can you confirm it is routed and allowed everywhere the same ways the old GP pool on PA-3020 - Are you using GP full tunnel or split tunnel? If you are using split tunnel, do you see route for the problematic network on client machine when connected to GP? - If you run traceroute from GP client to the problematic destination where is the last hop? Try to run traceroute from FW using GP tunnel interface as source, does it follow the same path as the one from GP client? What about if you run traceroute from FW, but using the inside interface as source, any difference with the other two? ... View more