About RREALICA

We are running into the same issue on iOS with Global Protect set to "On-demand" and using Per-app VPN from Intune. Haven't found a way to disable it yet. ... View more

Hi @KTompkins ,   The CLI command is :   > show system raid detail     Here's the full KB article: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000wkxPCAQ   Kind regards, -Kiwi. ... View more

We are going through similar testing with Azure SAML conditional access policies - by no means I'm an expert; this are just my observations: You can be as aggressive in your sign-in frequency settings for the enterprise app for the portal and gateway and it will be honored, and can have different settings for different type of devices - the end experience (will the user get prompted for password or MFA?) really depends on your Azure SAML authentication setup. The good news is that you can follow the logs from the client to the firewall to Azure and see exactly what is happening and being requested- whether the GP client is requesting a full SAML auth, or using cookies, you can see also what Azure SAML has evaluated in the Azure portal, is the sign conditions for SAML met by a myriad of other conditions such if the machine is azure ad joined, has been unlocked using a work account, using another app, on a trusted network etc, on a compliant device, etc etc.   Hope that helps. ... View more

Issues has been resolved - that's the good news. We are going to push to get a RCA in this case since the problems encountered does not seem normal.   1. To fix the error " bind: Cannot assign requested address"- create a dummy/temporary L3 interface, commit, test and then remove the dummy/temporary L3 interface.  No amount of reboots, "commit force" by different levels of TAC did not make a difference. Also TAC mentioned there's a cli command to refresh the interface and zones but we did not try this.   2. Another problem came about where the IPSEC VPNs were not coming - this turns out the ISAKMP process is not properly starting up or not listening for IPSEC traffic.  Check for ISAKMP via "show netstat listening yes | match isakmp" to see if the firewall is listening for the traffic - restart of ISAKMP process resolved the issue - a reboot of the firewall also may have been best after fixing the interface related issues.   Thanks. ... View more

Yes, we are able to push the config by clicking the force template value. For somehow, there is a configuration error in the template that cause GUI for RMA unit cannot be access. We already log the ticket to RMA for this issue. Thanks all for your help. ... View more

I've created support cases with this issue in the past, for different versions of PANOS and different hardware, and each time I've gotten the same response that goes like "SMB creates a lot of packets, which will slow down traffic when we need to inspect it" .   As mentioned in my previous post, app override is not an option for us, and we've tried disabling DSRI for all the rules which are using SMB without any large benefits. We're seeing around 15-20MB/s on gigabit links onthe current TAC recommended 8.1 release.   If anyone has found any way to resolve this issue, please share. ... View more

Hi,   As there is an signature sinds a couple of days, i indeed see some hits, and reset actions.  But i wonder how the palo will detect this vulnerability, because we don't have ssl decryption enabled, and our citrix is only available on https.   Does anyone have some theorie ?   Best regards, Twan Hermans ... View more

On the dynamic ports, you have to use the standard sku LB.  The firewalls are set up in the backend pool, but aren't in an av set with each other.  As the last post here states, there are a lot of restrictions based on Azure not PA.   ... View more

Hi,   We also have a problem with the availability sets - there's no options to add the Palo Altos to an availability set. So we have 2 problems: the availability set and the load balancer sku.   I've opened a  case with MS support about the availability set in Gov and there reply was " "I did test the deployment in both environments using the same Marketplace image and was unfortunately unable to complete the Palo Alto deployment using Availability Sets. This limitation is on the Image itself and not the environment."   We are also working with Palo Alto directly to get answers/options for us.   The ARM templates also does not work 100% for us, it can create some of the structure but it's not fully successful so we are building the infrastrucutre manually - which is not bad but just running into issues with Gov limitations.   ... View more