Hello For the same application, I have several links and ports (https://application.intra.mydomin.corp:8530/toto, https://application.intra.mydomin.corp:8130/titi, https://application.mydomin.corp:8530/toto,..) and I would like to create a rule and specify the application and not a rule based on the protocol.    How I can create a custom application who match with my example ?   BR ... View more

Hi I have a firewall configured with different zones (users, servers-prod, servers-dev). At network configuration level, 4 network interfaces are linked to 1 aggregate  group and under this aggreate group, I have on subinterface linked with each secuirty zone (ae1.1 for users, ae1.2 for servers-prod, ae1.3 for servers-dev). The 4 interfaces of the Palo Alto are connected on a Cisco stack with aggregate configuration on the Cisco.   My problem is : when I start a copy between 2 servers hosted in servers-prod zone, 1 have a good speed for the copy but when I try to copy the same file between users to servers-prod, the speed of the copy is bad. Do you have an idea about this performance issue ?   BR   ... View more

Hello   I would like to have advices regarding firewall rules. I'm deploying a PA-3220 on my main site (site A). On this main site, I have several zones configured on my PA3220 (user, servers, dmz Intranet,). I have also 5 remote sites.   I must create a rule to allow small sites and users & servers zone configured on my main site (site A) to reach our DMZ Intranet zone . What is the best approch to create a rule ? Is-it to create a first rule (wich rule name ?) to allow remote site to Intranet zone on site A  and a second rule to allow the the local zone (user, server) to reach Intranet ?   Is-it to create a single rule with, in source zone, the WAN zone (remote site) and local zone (user, servers) and destination my DMZ network in the Intranet zone ? And is-it a problem if in source zone, I have a mix of WAN access (for traffic coming from my remote site) and local site (user, servers) for traffic coming from these local zones ?   BR   ... View more

Hello   Is Userd Identification feature works only whith Active Directory users account or also with Computers accounts ? I would like to create a security rule who allow access on our internal ressources only for computer with an active computer account in our AD and for computer without an valid computer account or disable account, the traffic must be blocked.   BR   ... View more

Hello   I plan to put in place a SSL decryption rule to decrypt ssl traffic (SSL forward proxy). But I don't want decrypt traffic for several categories of website such as financial (bank website). I haven't the URL filtering license. I create a first rule "Do not decrypt" where I specify "Financial-services" in the URL category but when I test and reach a bank website, the certificate has been replaced by the certificate confiuged for decryption. Is-it because I haven't the URL filtering licenses ? And if I create on PA an URL category "Do-not-decrypt" with bank website used for the test and add this custom category in the rule "Do not decrypt", the website is not decrypted.    Do you know where I can find a list of bank site to be imported in the URL category created ?   BR   ... View more

Hello   I try to configure the ssl decryption on my cluster of PA-220. I have an internal PKI based on Microsoft solution. On the first node, I'm able to generate the request, the csr has been validated by the PKI server and I'm able to export from the PKI  the certificate (base-64 encoded). I'm able to import the certificat in my PA-220 device without error but when I try to enable " Forward Trust Certificate" and "Forward Untrust Certificate" options, I can't select these options.    Why these options are not available ?   BR ... View more

Hello   I start the Panorama configuration and I created Device Group. My device group are based on our site location :   FR   - Paris   - Toulouse   I would like to know the best way for the configuration. If I create objects in Paris DG (object to define Paris's local networks and servers) and I create also objects in Toulouse DG (object to define Toulouse's local network and servers), I can create a rule in Toulouse for exemple to allow LAN network to request server in Paris. In destination, I can't select the objet define in Paris to define a network located in Paris's site.   What is the best way to manage this type of configuration ? Create all objects in share DG ?  BR Jerome ... View more