About Feldiasti

PAN-OS 7.1 Policy behavior change application-default In PAN-OS 7.1:     when a security policy rule is configured with the Application setting 'Any' and the Service setting 'application-default', the rule Action is now applied only on the standard ports for any application. For example, if a security policy rule is configured to allow any application traffic on the default application ports, web-browsing is allowed only on port 80. In earlier PAN-OS release versions, the Service setting 'application-default' was not enforced when configured with the Application setting Any.   As per my experiance i had changed all of  security policy rules were configured with the Application Service setting 'application-default' to any to.     https://live.paloaltonetworks.com/t5/Configuration-Articles/PAN-OS-7-1-Policy-behavior-change-application-default/ta-p/75664   https://live.paloaltonetworks.com/t5/Learning-Articles/Tips-amp-Tricks-What-Does-Application-default-Under-Service-Mean/ta-p/54167   https://www.paloaltonetworks.com/documentation/71/pan-os/pan-os-release-notes/pan-os-7-1-release-information/changes-to-default-behavior   ... View more

Is there a way to configure the firewall so that users can access internet without needing to install certificate?   Distribute Certificates to Client Computers by Using Group Policy This Video will help you install the PA SSL certificate as a trusted root CA on a Windows / Active Directory Group Policy Object (GPO). Certificates installed via Group Policy will be respected by all browsers which use the operating system's built-in certificate store — this includes Internet Explorer, Chrome, and Safari.   https://www.youtube.com/watch?v=5W96z46mKr0 ... View more

#L2 Interfaces In a Layer2 deployment (Layer3 VLAN Interfaces (SVI) created in Layer3 Switch)   the firewall provides MAC layer switching between two or more logical networks. The network provides L2 connectivity between networks where firewall segmentation is desired without changing the L3 topology. Each group of interfaces must be assigned to a VLAN, and additional Layer 2 subinterfaces can be defined as needed. Choose this option when switching is required.   Advantages: Visibility into network traffic o Device can take action on the traffic, such as block or perform QoS Disadvantages: The device does not participate in spanning tree     #L3 Interfaces In a Layer 3 deployment (Layer3 VLAN Interfaces (SVI)created in both Palo Alto Layer3 Switch)   the firewall routes traffic between multiple interfaces. An IP address must be assigned to each interface and a virtual router must be defined to route the traffic. Choose this option when routing or NAT is required.     Advantages: Full firewall functionality, such as traffic visibility, blocking traffic, rate limiting traffic, NAT, and routing, including support for common routing protocols   Disadvantages: Inserting device into network will require IP configuration changes on adjacent devices   https://live.paloaltonetworks.com/twzvq79624/attachments/twzvq79624/IntegrationArticles/29/1/PaloAltoNetworks-Designs-Guide-RevB.pdf https://live.paloaltonetworks.com/t5/Featured-Articles/Getting-Started-Layer-3-Subinterfaces/ta-p/67395 ... View more

To display route entries for any Virtual-Router that you have (for example Internal VR), run the following command: > show routing route virtual-router Internal VR   for more details find blow Palo Alto Firewall CLI Cheat Sheet: Networking. https://www.paloaltonetworks.com/documentation/71/pan-os/cli-gsg/cli-cheat-sheets/cli-cheat-sheet-networking ... View more

Hi chrislss,   which version of PAN-OS you'r using in PA 5260 firewall  ? ... View more

Dear Kang,   In PAN-OS 8.0 there are now 2 categories inside the URL Filtering profile where there was only 1 before. If you are not familiar with PAN-OS 8.0 URL filtering, for each URL category, you have "Site Access" and "User Credential Submissions". This is in the WebGUI under Objects > Security Profiles > URL Filtering > URL Filtering profile.   for more details kindly find below URL; https://live.paloaltonetworks.com/t5/Community-Blog/DotW-URL-filtering-with-PAN-OS-8-0/ba-p/157758 ... View more

Hi Kang_Han ,   You can see the overall URL filtering action when the URL Filtering license expires from the WebGUI go to Objects > Security Profiles > URL Filtering, then click on a profile name to see the above window. You will have 2 options, to either allow or to block URL filtering traffic when the URL License expires.  The action selected for Action On License Expiration will be applied for all web traffic handled by the rule that uses the security profile. If the action selected is block, then no web traffic would be allowed by this rule. Likewise, if the action is allow then the traffic would be allowed.   For further assestance kindly find below URL: https://live.paloaltonetworks.com/t5/Management-Articles/What-Happens-When-Licenses-Expire-on-the-Palo-Alto-Networks/ta-p/53918 ... View more

Dear Radmin_85,   You can use the ACC tap on the firewall to track user activity, kindly find the below screenshot:  # in global filter tabe select Source User/Source Address and wite the User-ID or IP address. for further assistance kindly find below URL: https://www.paloaltonetworks.com/documentation/70/pan-os/pan-os/url-filtering/monitor-web-activity-of-network-users#_66891   BR ... View more

Yes you can configure custom reports that the firewall generates immediately (on demand) or on schedule it: #First goto Monitor--> Manage Custom Reports and add a new Custom Report . #Next press on run now.  #after that yo can expoert this repoer as a PDF, CVS or XML,   for more information kindly find this URL: https://www.paloaltonetworks.com/documentation/80/pan-os/pan-os/monitoring/view-and-manage-reports/generate-custom-reports#idb18675a2-f9d0-40d5-93b6-246a9b499747 ... View more