GlobalProtect IOS split tunnel routing incorrect traffic

PanOS 9.1.4, GP client 5.2.7-6. 

We have a split tunnel configuration with only 2 internal /32 addresses added to the access route include list. We regularly see traffic from GP clients destined for Internet IP addresses hit the Palo over the client t

Searching for rule with empty "description" field in the ruleset

Dear community

I am looking for a way to filter all rules without any value in the description field. We use this filed to reference the incident number which has been raised to request a security rule. And by policy we are not allowed to have any ru

Need assistance with fixing weak Ciphers via Panorama cli

Hi 

I wanted to update weak ciphers on a PA-VM using the document below, I wanted to apply the change via Panorama but I don't see the correct config to apply.

I have tried the following:

>set cli config-output-format set

#set template "template name" c

After upgrade Panorama from 8 to 9 Panorama stopped sending GP-logs to Qradar syslog server.

Before the upgrade everything was working just fine, now after upgrade still I can see the GP-logs sent from the Firewalls to Panorama, but Panorama still unable to sent those logs to Qradar syslog server. Connectivity between the 2 devices is good.

I

Data filtering - email issue

Hello all,

i was configure data filtering and it works.

But i face problems with the mailing. 

When the the fw match pattern it blocks it, but the email stuck in outbox queue  , and the user can not send/receive other emails until the mail is deleted f

Minemeld Crashing, miner tab not loading, RPC timeout exception

Hi,

we have an issue on our Minemeld instance in production. Similar to the issue reported in https://live.paloaltonetworks.com/t5/minemeld-discussions/minemeld-crashing/td-p/289998, minemeld randomly crashes with the following results:

- the green l

Different Actions for Security Rules

Hi Guys,

I would like to know what are the difference between the following actions in the security rules for PA.

1. Deny

2. Drop

3. Reset-client

4. Reset-server

5. Reset-both

Which of these are the most preferred to use? Is deny or drop action also resets

Two IP address from same subnet on an 1 Aggregated Interface

Hello All, 

I am pretty new to Palo Alto, wanted to check if the an aggregated port in PA can be assigned with 2 IP addresses from same subnet, say 1.1.1.2/29 and 1.1.1.4/29. The Idea is the ethernet interfaces 1 & 2 that are be bonded to ae will be

SMB URL File Logging acheivable or not?

Hi Palo Alto Experts,

I want to know if we want to log SMB URL Blocked events then can we do in Palo Alto or not? Basically, the requirement is as below:

Example URL if typed by compromise system is: smb://www.example.com/fileshare/malware.exe

Right

Add network to address group via CLI?

I am trying to add a network to an address group via CLI on PAN OS 9.1.X

# set vsys vsys2 address-group XXXXXXXX static 108.61.41.0/24

Server error :  static '108.61.41.0/24' is not a valid reference

What is the valid syntax?

Outside interface listening on HTTPS "502 Bad Gateway"

I have this odd issue whereas one of HA Pairs seems to be listening on 443 on its outside interface for GP but I don't use GP and never had.  I have a interface profile that allows HTTPS but not from any IP and when I disable that it still shows that

Issue with proofpoint emerging threats

Hi All,

I am testing minemeld with proofpoint emerging threats service.

I am having issues with the miner because the categories are not set correctly.

I think that the miner reaches for a csv file available to proofpoint subscribers that contains ip,ca

Is Minemeld supported on OEL(Oracle Enterprise Linux)?

Currently we have Minemeld running on Redhat linux and planning to migrate to OEL. Can you confirm if Minemeld runs on OEL?