Displaying 9181 to 9210 of 10861

Securing Your Virtualized Data Center

The topic of security for virtualization and cloud is an important one for many of you. With virtualization and cloud technologies, the data center environment has evolved from rigid, fixed environments where applications run on dedicated servers towards dynamic, automated, orchestrated environments where pools of computing resources are available to support any application to be accessed anywhere, anytime, from any device. Security is the biggest hurdle to support this new architecture. How long does it take your security administrators today to implement appropriate policy changes on firewalls in the network? How …

  • 0
  • 1

Both Panorama's in HA are in Suspended State

Issue: Both Panoramas will be in a suspended state either if the serial numbers of the Panoramas match or if they have the same priority set in the HA priority settings. Cause: The reason for the suspended state can be shown from the CLI of the Panorama server with the command:

sdurga,
  • 0
  • 0

How to Configure Global Protect Gateway on Loopback Interface with iPhone Access

In addition to using a non-https Global Protect Portal, you can access an associated Gateway on a configured loopback interface. If you only have one public-facing IP address, and you wish to host SSL-based applications, such as OWA on that IP, the following information provides the configuration steps for doing

nato,
  • 0
  • 4

Email Scheduler Does Not Work

Issue Using telnet to connect to port 25 of the email server from the management interface works. From the logs we can see that the Palo Alto Networks firewall connects to the email server, but the connection is closed almost immediately. Sending a test email using the test email button

jnguyen,
  • 0
  • 0

How Does Panorama HA Work?

Panorama HA is similar to the regular HA with some minor changes.   The active device in a Panorama HA configuration can make and push all configuration changes to managed devices. The passive device cannot make or push configuration changes to managed devices. The priority of the device dictates which Panorama

sdurga,
  • 0
  • 3

Some User Mappings not Performed by the User-ID Agent

Symptoms: Some user mappings are not performed by the User-ID Agent. Issue: Errors in uadebug.log:

    03/08/12 21:49:23:201[ Info 278]: Read security log event first returns false 5 for DC
    03/08/12 21:49:23:201[Error 1173]: Read security log returns error 2 on server .

Resolution: Enable the option "Enable

ppatel,
  • 0
  • 0

How to Write a Source NAT Rule Using Panorama

When creating a Source NAT rule directly on a firewall, it is common to use Interface Address as the NAT type and select an IP attached to that interface as the Source NAT address. When using Panorama, the Interface Address does not provide any interfaces in the drop-down list.  If

gwesson,
  • 0
  • 0

Can all NTP Traffic Going to External Servers be Redirected to an Internal Time Server?

Overview Currently there is no way to redirect traffic bound for all external NTP servers to a single internal server. However, traffic destined to specific external servers can be translated to the address of an internal server using NAT policies. If the server exists on a different zone than that

npare,
  • 0
  • 1

URL Categorization of SSL Websites

URL category will only apply to traffic that is valid HTTP/HTTPS.  In the case of non-http traffic, the URL category is ignored as a matching criteria by design. URL categorization will happen for SSL regardless of whether it is HTTP inside or not. It is not possible to tell what

ppatel,
  • 0
  • 3

Can the Tunnel Interface be Disabled?

Overview There is no command to disable a tunnel interface. This is a logical interface which is not tied to a physical interface. Tunnel monitoring can be configured, as that can basically disable the tunnel interface if the VPN is down to influence routing protocols. See Also Sample IPSec Tunnel

ppatel,
  • 0
  • 2

User Name Containing an @ Symbol is Not Sent to the RADIUS Server

Issue User names which contain an @ symbol (such as username@example.com) are not sent   Solution This is intended behavior. Palo Alto Networks Firewall RADIUS server profiles are designed to work with Active Directory or OpenLDAP configured to use the "domain\username" format. Therefore, any user name sent in username@example.com will

gwesson,
  • 0
  • 0

Replacing a Failed SSD in a PA-5000 Series Box with a RAID Configuration

Overview If a single drive fails in a RAID, two blank drives of the same make and model will be sent as replacement for reliability reasons. Palo Alto Networks has determined that there are long term reliability issues with running RAID with mixed drive models, even if those drives are

tyamato,
  • 0
  • 1

What can Cause a Device to not Generate Traffic Logs

Overview: There can be certain conditions where the device is passing traffic but no logs are generated. This article will discuss various troubleshooting steps that can be performed to isolate the issue. In order to generate traffic logs there must be traffic passing through the device matching a rule that

sspringer,
  • 0
  • 0

Is there a Limit to the Number of Security Profiles and Policies per Device?

Yes, there is a limit to the number of security profiles as well as security rules that can be configured on the device. The following is sample output on a PA-4020 that shows the limits for profiles and security policies:

    PA-4020> show system state filter cfg.general.max* | match profile
    cfg.general.max-profile:

ppatel,
  • 0
  • 1

URL Filtering not Working when Traffic Goes Through Multiple Virtual Wires

Symptoms: Policies are in place to perform URL filtering on one of the virtual wire (vwire) interfaces that traffic goes through, but the firewall doesn't apply the policy. Issue: When traffic goes through more than one virtual wire interface, if one virtual wire interface has a URL filtering policy

npare,
  • 0
  • 1

How to Perform Route Filtering with BGP

To filter the routes announced by OSPF: Go to Virtual Routers. Select the routing profile. Select BGP. Under the Import tab, create an import rule to allow the route(s). While creating that rule, select the Match tab and add the routes to be included (0.0.0.0/0 for the default route, for example)

npare,
  • 0
  • 0

How to Display the Number of Log Events per Second

When planning a log consolidation solution, it is useful to know how many events per second the firewall is generating. To see that information, run the following command via the CLI:

    > debug log-receiver statistics
    Logging statistics
    ------------------------------ -----------
    Log incoming rate:             1/sec
    Log written rate:              1/sec

owner: jteetsel

npare,
  • 0
  • 0

Can a Custom Logo be Added to the Response Page with Panorama?

A custom logo can be used for response pages by following these steps: Click the Panorama tab. Click Setup. Click Operations. Under Miscellaneous, click Custom Logo. Click the magnifying glass to view the current logo. Click the box with the down arrow to upload a custom logo. owner:

npare,
  • 0
  • 2

IPSec Tunnel Details

When troubleshooting, multiple commands may be needed to gain different pieces of information on an IPSec tunnel. Shown below is one command where a lot of information can be gained and requested from the customer:   Local IP and peer IP: Provides the external IP information of both ends of tunnel

Phoenix,
  • 0
  • 4

Getting License Expired Error while Generating Report

Symptoms Even if a valid license is installed (not expired), running reports sometimes returns a License Expired error.   Issue The date range selected includes a period during which the firewall did not have a valid license.   Resolution When selecting a date range, make sure the range is within

npare,
  • 0
  • 0

Why is User Name Missing for Commit Job in Logs?

Details: The screenshot below shows a commit job that succeeded but the username is missing. This happens in an HA environment where a configuration change was done on the other firewall. If, for example, a commit is performed on the active firewall, its logs will show a username (as below)

sdurga,
  • 0
  • 0

Twitter Images are Blocked even when Allowing twitter.com

Symptoms The firewall is configured to block the social networking category, but to allow twitter, the following URLs are configured to be allowed: *.twitter.com twitter.com With that policy in place, twitter is allowed but images are blocked. Issue Twitter images are not hosted on twitter.com, they are hosted on another

npare,
  • 0
  • 0

DoS Policy Dropping Packets Destined for an External Interface

Symptoms External interface doesn't respond to pings from anywhere on the Internet, even from the next hop.  The issue occurs even with an interface management profile configured to allow ping, IP addresses are permitted, and after the ARP table has been checked for proper function. Counters indicate that the packets

kadak,
  • 0
  • 0

Palo Alto Networks Devices Require FQDN For Update Server

To ensure proper operation of service updates for your device, the update server field should be configured using either updates.paloaltonetworks.com or staticupdates.paloaltonetworks.com. IP addresses should not be used. owner: djipp

djipp,
  • 0
  • 0

How to Shut Down an Interface from the Web GUI or the CLI

GUI: Go to Network > Interface. Select the interface you want to shut down. Commit the changes.

CLI:

    > configure
    Entering configuration mode
    [edit]
    # set network interface ethernet ethernet1/1 link-state down
    # commit

owner: ppatel

ppatel,
  • 0
  • 1

How to Improve Performance for IPSec Traffic

Overview This document is intended to help improve performance for IPSec traffic.    Details Traffic to be tunneled will generally add 36 bytes to the original size of the packet because of the ESP header. One thing to keep in mind, depending on the encryption algorithm used, the ESP header may

kadak,
  • 0
  • 0

How to Forward Threat Logs to Syslog Server

Forwarding threat logs to a syslog server requires three steps: Create a syslog server profile. Configure the log-forwarding profile to select the threat logs to be forwarded to the syslog server. Use the log forwarding profile in the security rules. Commit the changes. Note: Informational threat logs also include URL, Data

ppatel,
  • 0
  • 0

How to Forward Hipmatch logs to Syslog Server

Steps: Forwarding Hipmatch logs to a syslog server requires three steps: Create a syslog server profile. Configure the Hipmatch logs to use the syslog server profile to forward the logs. Commit the changes. Syslog Server Profile: Go to Device > Server Profiles > Syslog. Name: Name of the syslog server

ppatel,
  • 0
  • 0

How Many User-ID Agents are Supported on the Palo Alto Networks Firewall?

Overview: A total of 100 User-ID agents are supported per device on all hardware platforms. The limit is not per VSYS, it is per system. owner: ppatel

ppatel,
  • 0
  • 0

Can URL Profiles be used if there is No URL Filtering License?

Overview: Yes, but the only way to use URL filtering profiles without licenses is to create custom URL categories and manually assign a list of URLs to the custom category. Steps: Go to Objects > Custom Objects > URL category. Click 'Add' to create a new profile. Manually enter

ppatel,
  • 0
  • 0