@ehartcoghlin You are correct that the URL filtering will only work on client to server web traffic. It can only control users accessing particular domains, but not traffic initiated from those domain. The reason is that the firewall can only see the source IP in incoming traffic and URL filtering looks at the actual URL in the http headers.  Surely you can filter particular emails at the email server level or if you have the feed of IPs of NRDs, then you can import it as an dynamic IP list in the firewall and block SMTP traffic based on that list.  ... View more

@wahxwah URL is the url user is trying to access as taken from the HTTP header, or as in your case of encrypted traffic, from the SSL Certificate.  Destination is the actual destination IP of the session. I am not sure why you are getting the output in the below, but there will be more information if you can share the detailed log. I wonder if you have selected the "Resolve hostname" checkbox at the bottom of the screen and the firewall is trying to do reverse lookup for the IP.  ... View more

@blwavg The users need to be identified somehow at policy level, and the other option is to use Authentication Policy (preciously known as Captive Portal)  to grant access to the firewall management. This will allow you to configure very granular control of which use can manage the firewall from particular subnet.  ... View more

@blwavg You answered the question in your description, this can easily be achieved by using Global Protect and you shlould never really be exposing unprotected admin access to internet.   If you are using UserID and dynamic admin authentication, you can potentially create granular access policies for the internal network as you described. However you cannot do it from internet, as the firewall will need to know the user to ip mapping for the specific admin and the Internet admin can have any IP.  ... View more

@Taraka You can see details of supported platforms below. Looks like 3000 series will be supported , but 5000 ar not.  https://www.paloaltonetworks.com/services/support/end-of-life-announcements/hardware-end-of-life-dates ... View more

@Aashish74  Although in general this may work, there are a few points in the workflow that are not quite a best practice and can be misleading. Bi-directional is generally not recommended as you don’t have full control of the return traffic. Packets will be translated correctly from LAN to WAN, but in the opposite direction, they will match any zone to WAN , which could complicate things if you have multiple zones. I would always recommend having specific inbound destination NAT rule to your servers and a generic source NAT outbound if your servers need to connect to Internet. The second point is that you suggest adding a service to the bidirectional NAT rule, which means that the rule will match only this service port for both the  inbound and outbound translation. This kind of defeats the purpose of bi-direction, as you presumably want to configure it for outbound internet traffic for your server. Next, your security rule will match the inbound packets to the server, but not outbound from the server. Finally it is not a good practice to configure the same multiple zones in source and destination. ... View more

@rohit3120 You can run it it on endpoint, which has https connectivity to the firewall you need.  You can either use curl, or just paste the url in a browser.  ... View more

@AlexandroDelAngel All of your assumptions seem correct... ... View more