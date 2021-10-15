
Adding a port to existing SSN

By Andyz88
paloaltonetworks.com
 10 days ago

Hi - I have an existing SSN...

live.paloaltonetworks.com

PBF Routing/NAT question

I have a bit of a strange setup, so hopefully I will be able to explain it properly enough for all to understand. I have a firewall with 2 ISPs, 1 virtual router. ISP 1 is configured for GP Portal/Gateway. The virtual router contains all interfaces below. e1/1 ISP 1...

Oracle database increase session time

Our application uses an Oracle database and connects to the application via TCP 1521 and 7777. One session has to be kept for 24 hours; is there any way to increase that time? Under Security Rule, click on the service where you have ports TCP 1521 and 7777, click on the port, and override the session timeout to 24 hours.

Multiple External IPs to Multiple Firewalls

I am sure this is going to be something simple, but I am admittedly stumped (not hard to do). I have a block of External IP addresses assigned by our ISP, say 172.10.10.10/29. The gateway is 172.10.10.10. This contains a single physical port. This is connected to a switch to allow distribution of multiple ports.

Global Protect Connectivity Issue

The issue I am having is that when someone RDPs onto one of the machines they lose connectivity on GlobalProtect. I originally thought GlobalProtect was disconnecting; however, on closer inspection I can see that when the user is connecting to RDP, he is using a different user name, which in turn is knocking off their connection to the apps, as the rules do not allow for that new user.

GP v5.2.8 tunnel doesn't come up automatically post-GlobalProtect upgrade!

The GP pop-up window tells us that the tunnel would come up automatically post-GlobalProtect upgrade v5.28 with App Configurations selections, Connect Method: "On-demand (Manual user initiated connection)" and Allow User to Upgrade GlobalProtect App: "Allow with Prompt". Although the GP v5.2.7 version is the Prefer version (10/19/2021) trying to skip...

SSL Decryption Exclusions Jamf Protect

We are trialling Jamf Protect but this doesn't support SSL decryption, which we use as standard (https://docs.jamf.com/jamf-protect/documentation/Network_Communication_Used_by_Jamf_Protect.html). The above doc lists some URLs that need to be excluded from SSL decryption but we are having problems getting it to work. Packet captures show that the URLs given are being resolved...

Cortex XDR multiple local malware analysis alerts on seemingly legit programs

I have a user whose agent generated a significant number of local malware alerts. However, all of those alerts are generated on legit things like MS Teams, VS Code, iwconfig etc. Moreover, it's only on this user - those...

Static Bi-directional Source NAT not working on incoming traffic

I've users on subnet A that need to communicate to a service over a VPN on subnet B. This subnet B already knows a subnet A, and therefore we're doing a source NAT for subnet A to C. A server in...

Cortex XDR linux agent questions

Hi all, I've a few questions about the Linux agent:
- Are there any special permissions that I need to give the agent?
- What to do if I have an agent that doesn't want to check in with the server? The PC is on, the service is up, and I did a manual check-in from the terminal.

1.1.113 won't export Set commands and 1.2 won't install

---
paul@expedition:/etc/apt/sources.list.d$ sudo apt-get install expedition-beta
1 to upgrade, 0 to newly install, 0 to remove and 3 not to upgrade.
Need to get 0 B/17.5 MB of archives.
After this operation, 0 B of additional disk space will be used.
WARNING: The following packages cannot be authenticated!
expedition-beta
Install...

Sonicwall Migration with v2

Expedition v2 says that it supports Sonicwall migrations, but when I launch a new project, Sonicwall isn't an option to import. I have updated to the latest version using apt-get. Is this a known issue/gap between the documentation and the current version, or am I missing something?

Remote initiation of Global Protect Logs

I have some GP users who like to complain about their GP connection but with whom it is difficult to book troubleshooting time. Could there be any way to remotely collect details of their GP session without having to tell them how to initiate a log capture or remoting into their...

Can Cortex XDR be installed to be standalone?

We're in a situation where HQ has moved to Cortex XDR. At the satellite facilities, there are PCs/laptops that never touch the HQ network and are often standalone systems or are on a completely separate domain, and those domains are never to communicate with the HQ domain. To complicate things a little more, some of these other domains are moving targets that are often offline for extended periods (maritime).

Question about moving objects...

I have some security rules on a device group using shared address groups. I need to move these objects to the device group but I'm not finding an easy way so far. I can't simply move the address group; Panorama doesn't allow it because rules are using the shared group and won't automatically inherit the new location. I can clone the address group but the addresses belonging to the group will remain shared and that does not solve my problem. To make things worse, there are many different rules using the addresses of the groups, so even if I use the Python SDK to create the exact same addresses and address groups on the device group I will still be left with rules to update with the new reference, and this is the best solution I could come up with so far. Any help with this?

Configuring multiple DHCP scopes via single layer 3 interface

I am running PanOS 10.1.0 VM image. Devices are connected as mentioned below. Firewall E1/2 ---> L3 switch ---> Vlan 10, Vlan 20. I would really appreciate it if someone can tell me how to configure two DHCP scopes for Vlan 10...

October VM-Series and CN-Series Updates

This month’s VM-Series and CN-Series firewalls update is full of useful information about optimizing our virtual and container firewalls across a range of environments so that you can secure data, workloads, and applications wherever they reside. We start this edition with a must-see in-depth video demo explaining how to use a VM-Series firewall. After viewing the demo, be sure to read about our 30-day free trial of VM-Series firewalls, lots of news about boosting Amazon Web Services (AWS) security, the latest CN-Series Rancher qualification, and more.

User-ID Agent Connecting Status

I am facing an issue with User ID and AD. It continuously stays on connecting... however it seems that some user is assigning. Can someone help me?
10/19/21 10:47:24:139[ Info 2357]: ------------Service is being started------------
10/19/21 10:47:24:139[ Info 2364]: Os version is 6.2.0.
10/19/21 10:47:24:139[ Info 685]: Load debug...

IPSec VPN Ingress traffic from two different interfaces not passing traffic.

Hey All, We're having a problem in adding new traffic to an existing VPN Tunnel. We've had a VPN tunnel up for a few years working just fine, but now we are trying to put traffic from a different interface into the Tunnel and the PA is dropping the packets (found them in Traffic Capture). The VPN is out to the Internet on Eth1/1 and the original ingress traffic to the firewall is on Eth1/5. All traffic is Natted to a local IP address before entering the tunnel, so no update to the ProxyIDs should be necessary for the new traffic. The new traffic (and Zone) has been added to the Security Policy and the NAT policy and in the logs it shows it's being natted and allowed, but no traffic passes, and I see it in the Drop file in a packet capture.

how to monitor PA firewall interface IP address using SNMP monitoring

The KB below doesn't contain OID 1.3.6.1.2.1.4.20. I am looking for this OID (provides the addresses and the link to the interfaces you've sent through) to receive firewall interface IP addresses using SNMP. Please confirm if PANOS 10.0.7 or any...

