PAN-OS 11.1.7-h6, 11.1.10-h26, 11.1.13-h6, 11.2.4-h17, 11.2.7-h15 & 11.2.10-h8 are now available
Here we go again.
docs.paloaltonetworks.com seems to be DoS'ed out, so heaven knows what they have fixed today.
Hello,
Have you tried integrating Intune with GlobalProtect? I know it's a pretty lazy question, but it would be very helpful if someone has done it.
Seems like just 8 days ago the last hotfixes came out. We have the last releases in Test, but haven't rolled to Prod. Guess we'll be skipping the last and going to these.
The PAN-OS 11.1.7-h6, 11.1.10-h26, 11.1.13-h6, 11.2.4-h17, 11.2.7-h15 & 11.2.10-h8 software updates are now available on the Palo Alto Networks Software Updates page.
Check out the following Release Notes for release details, including the new features and bug fixes that make the upgrade worthwhile:
11.1.7-h6 (long list of CVEs)
11.1.10-h26 (fixes for Eth1/1 data port and PoE ports, don't use -h25)
11.1.13-h6 (fixes for Eth1/1 data port and PoE ports, don't use -h5)
11.2.4-h17 (long list of CVEs)
11.2.7-h15 (fixes for Eth1/1 data port and PoE ports, don't use -h14)
11.2.10-h8 (fixes for Eth1/1 data port and PoE ports, don't use -h7)
CVEs:
This documentation is pretty vague...
I've already tried multiple ways to set the configuration using the MSI, which has been erratic to say the least, and in most cases it appears to not set anything. I'm using PDQ to push the client to the endpoints. I'd like to do things like set the mode to on-demand and preconfigure two gateways.
The documentation for doing these settings in the registry first off says to set keys, which to me is incorrect. Or does every setting create a new key under the Settings key? And if so, what are the contents of the key? I think they mean to set REG_SZ or REG_DWORD entries within the Settings key, but the documentation does not say which, or in what format. For example, if I want a yes or no answer, am I setting a string that says NO, or a binary that reads 0?
I've only been able to come up with a few examples, and they are all pretty old so I thought I'd put it out here and see what people say.
Thanks in advance.
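An added example for the post above (editor's code, not the poster's or Palo Alto's): it writes the pre-install and agent settings as REG_SZ values under the GlobalProtect registry keys and then runs the MSI silently, so it can be pushed as a single PDQ package. The key paths and value names are the ones in Palo Alto's GlobalProtect Windows deployment documentation as I remember them; treat them as assumptions and check them against the docs for your client release. The portal hostname and MSI path are placeholders. Gateway lists normally arrive from the portal's agent configuration rather than the registry, so the example pins the portal and connect method and leaves gateway selection to the portal.

```powershell
# Added example (not from the original post): preconfigure the GlobalProtect Windows
# client via registry values, then install silently.
# ASSUMPTIONS: key paths/value names follow Palo Alto's GlobalProtect Windows
# deployment docs as I recall them; $Portal and $MsiPath are placeholders.

$Portal  = 'gp-portal.example.com'          # placeholder
$MsiPath = 'C:\Deploy\GlobalProtect64.msi'  # placeholder

# Pre-install settings the installer reads on first launch
$PanSetup = 'HKLM:\SOFTWARE\Palo Alto Networks\GlobalProtect\PanSetup'
# Agent settings; portal-pushed agent config can override these later
$Settings = 'HKLM:\SOFTWARE\Palo Alto Networks\GlobalProtect\Settings'

function Set-GpStringValue {
    param([string]$Path, [string]$Name, [string]$Value)
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    # Each documented setting is a REG_SZ *value* inside the key, not a new subkey.
    # Yes/no style settings in the docs I have seen are literal strings, not DWORDs.
    New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType String -Force | Out-Null
}

Set-GpStringValue -Path $PanSetup -Name 'Portal'         -Value $Portal
Set-GpStringValue -Path $PanSetup -Name 'Prelogon'       -Value '0'
Set-GpStringValue -Path $Settings -Name 'connect-method' -Value 'on-demand'

# Silent install. The MSI public properties do the same job as the PanSetup values,
# so setting both is belt-and-braces when one path has been unreliable.
$msiArgs = @('/i', "`"$MsiPath`"", '/quiet', '/norestart',
             "PORTAL=$Portal", 'CONNECTMETHOD=on-demand')
$proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru
if ($proc.ExitCode -notin 0, 3010) {
    throw "msiexec failed with exit code $($proc.ExitCode)"
}

# Verify what actually landed on the endpoint
Get-ItemProperty -Path $PanSetup | Select-Object Portal, Prelogon
Get-ItemProperty -Path $Settings | Select-Object connect-method
```

Run it elevated (the keys live under HKLM). The final two lines are the quickest way to tell an installer that silently ignored a property from one that applied it; PDQ can capture that output per machine.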
Hi,
It's been a little while since deploying a PA in Azure, and I can't seem to deploy one that runs PAN-OS 11.2. They all seem to deploy with PAN-OS 12.
Is there a way around this? As far as I can tell, there isn't anywhere to select the version or image.
Cheers
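An added example for the post above (editor's code, not the poster's or Palo Alto's): with the Az PowerShell module you can enumerate every image version the Marketplace publishes for the VM-Series offer, pick the newest 11.2.x instead of `latest`, and pin that version and plan on the VM configuration. The publisher, offer and SKU names (paloaltonetworks / vmseries-flex / byol) are the current Marketplace identifiers as I know them; the region, VM name and size are placeholders. It assumes an authenticated session (Connect-AzAccount) and omits NIC and OS-credential setup, which you attach to the same VM config before New-AzVM.

```powershell
# Added example (not from the original post): deploy a VM-Series on a chosen
# PAN-OS image version rather than whatever the portal picks.
# ASSUMPTIONS: publisher/offer/SKU names are current Marketplace values as I know
# them; $Location, VM name and size are placeholders; Az module is installed.

$Location  = 'eastus'
$Publisher = 'paloaltonetworks'
$Offer     = 'vmseries-flex'
$Sku       = 'byol'            # or a bundle SKU, per your licensing

# 1. Every image version published for this SKU in the region, oldest to newest.
$versions = Get-AzVMImage -Location $Location -PublisherName $Publisher -Offer $Offer -Skus $Sku |
            Select-Object -ExpandProperty Version |
            Sort-Object { [version]$_ }
$versions

# 2. Newest 11.2.x. Asking for 'latest' is what hands you PAN-OS 12.
$Target = $versions | Where-Object { $_ -like '11.2.*' } | Select-Object -Last 1
if (-not $Target) {
    throw "No 11.2.x image published for $Publisher/$Offer/$Sku in $Location"
}
"Deploying image version $Target"

# 3. Marketplace images need their legal terms accepted once per subscription.
Get-AzMarketplaceTerms -Publisher $Publisher -Product $Offer -Name $Sku |
    Set-AzMarketplaceTerms -Accept | Out-Null

# 4. Pin image and plan on the VM config. Add Set-AzVMOperatingSystem (admin
#    credentials) and Add-AzVMNetworkInterface for mgmt/untrust/trust before New-AzVM.
$vm = New-AzVMConfig -VMName 'pa-vm-01' -VMSize 'Standard_D3_v2'
$vm = Set-AzVMSourceImage -VM $vm -PublisherName $Publisher -Offer $Offer -Skus $Sku -Version $Target
$vm = Set-AzVMPlan -VM $vm -Publisher $Publisher -Product $Offer -Name $Sku
# New-AzVM -ResourceGroupName 'rg-edge' -Location $Location -VM $vm
```

Step 1 on its own answers the "is 11.2 still there?" question without deploying anything; if the list is empty for a SKU, the offer has simply stopped publishing that train in that region.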
I'm installing a new active/passive HA pair and having a really odd failover issue.
LLDP and LACP pre-negotiation are enabled. The firewall has 4 LACP interfaces plugged into a Juniper Virtual Chassis.
If I suspend the active device, the other device does become active, but all the LACP interfaces remain active on the suspended device, thus stopping all traffic cold.
PAN-OS 10.2 End of Life has been extended until March 30, 2027. You must upgrade to 11.1 or 11.2 (10.2 for PA-220 series) Preferred Release or its subsequent HF releases to prevent loss of support and security updates.
Hello,
I have an issue with the device cert on the passive unit because it doesn't have access to the Internet. I am using a service route for Palo Alto updates and DNS, and on the passive device the data interface is down. The management interface has no Internet access. I need a valid device cert for CIE. Is there a way I can actually make this work?
I've been having an issue for a while (well over a year at this point) where my Android devices (all of which are Samsung) can't pull internet over wifi after updates/reboots. Just had to factory reset a tablet, and am struggling to get through the initial setup. It keeps either just stalling or telling me the connection is slow. This is across multiple devices. Generally when it happens, I just disable and re-enable wifi, and it's fine. Finally annoyed enough to try to figure out the root of the problem and fix it instead of just working around it.
Figure it could be any of a couple things:
Everything looks like it should be working. Bi-directional traffic is flowing (except the denied QUIC obv). I'm wondering if this isn't like that issue I had with Prime Video where the DNS requests were too large for UDP, and at that point I didn't have TCP DNS allowed. That's now fixed, but I wonder if I'm getting a bad interaction on the 853?
Only other possible indicator of weirdness is an open 6/5228 or whatever Google Play is. Received 10k bytes and basically just sat there stalled in session browser. I cleared it but it didn't re-establish.
Palo is not fantastic rn at the modern web traffic. Like, for my phone or the tablets with 5G sometimes hanging up: pretty sure they're on QUIC out on 5G, they move onto wifi, the QUIC connection ID is still live but won't get through, so it either has to time out or I force it to re-establish over TLS.
There's gotta be a better way to be doing this.
Hi Guys,
One of our customers recently migrated from on-premises AD DS to Microsoft Entra ID with Palo Alto Cloud Identity Engine.
They have two Palo Alto NGFWs.
Previously, user identification was handled by four on-premises Windows User-ID Agents installed on Windows servers. These agents collected user-to-IP mappings from AD and shared the mapping information with both firewalls at the same time. This worked smoothly without any noticeable delay.
After moving to Entra ID, the current design is:
The issue is that after the Internal Firewall identifies the user, it takes a few seconds for the user-to-IP mapping to be redistributed to the Internet Firewall.
During this short delay, the Internet Firewall does not yet know the user mapping, so the initial internet request hits the unknown-user/block policy and users receive the block response page. After a few seconds (2s to 3s), once the mapping reaches the Internet Firewall, access works correctly, but users have to manually refresh the page.
Has anyone faced this type of delay after migrating from Windows User-ID Agents / on-prem AD to Entra ID with Cloud Identity Engine?
I would like to understand the best-practice design for this scenario:
Any recommendations or design guidance would be highly appreciated.
Thanks.
Experimenting here.
I am working with a few layer two interfaces. First question - is there a way to tag the interfaces without creating sub interfaces?
The main issue I’m trying to address is having multiple interfaces communicate with my AP which defaults to a management VLAN 1. So, my user VLAN 10 is tagged from the AP. I have a few other ports to connect ethernet devices, also layer 2 set to use the same PAN vlan object/interface, but not sure how to tag them without creating a sub-interfaces, so that all that the wired and wireless user devices share the same subnet and DHCP server.
Let’s say vlan is set across eth1/1, 1/2 (endpoints) and 1/4 (wap).
Seems like I could run a cable from one of the other ports on the AP, or assign another port with a sub interface same vlan object/interface and tagged for VLAN 10, and connect that to an additional port added to the native VLAN of eth1/1 & 1/2. Neither seems very elegant.
I’m probably overthinking this, but maybe I’m missing something? Is there a way to accomplish this entirely within the Palo?