<?xml version="1.0" encoding="UTF-8"?>
<!-- generator="FeedCreator 1.8" -->
<?xml-stylesheet href="https://www.staffordnet.uk/lib/exe/css.php?s=feed" type="text/css"?>
<rdf:RDF
    xmlns="http://purl.org/rss/1.0/"
    xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
    xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
    xmlns:dc="http://purl.org/dc/elements/1.1/">
    <channel rdf:about="https://www.staffordnet.uk/feed.php">
        <title>Saucepan - paloaltonetworks:configuration</title>
        <description></description>
        <link>https://www.staffordnet.uk/</link>
        <image rdf:resource="https://www.staffordnet.uk/lib/exe/fetch.php?media=favicon.ico" />
       <dc:date>2026-04-05T20:04:39+00:00</dc:date>
        <items>
            <rdf:Seq>
                <rdf:li rdf:resource="https://www.staffordnet.uk/doku.php?id=paloaltonetworks:configuration:alerts&amp;rev=1669207782&amp;do=diff"/>
                <rdf:li rdf:resource="https://www.staffordnet.uk/doku.php?id=paloaltonetworks:configuration:bgp&amp;rev=1669207782&amp;do=diff"/>
                <rdf:li rdf:resource="https://www.staffordnet.uk/doku.php?id=paloaltonetworks:configuration:blank_configuration&amp;rev=1669207782&amp;do=diff"/>
                <rdf:li rdf:resource="https://www.staffordnet.uk/doku.php?id=paloaltonetworks:configuration:captive_portal&amp;rev=1669207782&amp;do=diff"/>
                <rdf:li rdf:resource="https://www.staffordnet.uk/doku.php?id=paloaltonetworks:configuration:certificates&amp;rev=1669207782&amp;do=diff"/>
                <rdf:li rdf:resource="https://www.staffordnet.uk/doku.php?id=paloaltonetworks:configuration:cortex_data_lake&amp;rev=1669207782&amp;do=diff"/>
                <rdf:li rdf:resource="https://www.staffordnet.uk/doku.php?id=paloaltonetworks:configuration:credential_phishing_prevention&amp;rev=1669207782&amp;do=diff"/>
                <rdf:li rdf:resource="https://www.staffordnet.uk/doku.php?id=paloaltonetworks:configuration:data_filtering&amp;rev=1669207782&amp;do=diff"/>
                <rdf:li rdf:resource="https://www.staffordnet.uk/doku.php?id=paloaltonetworks:configuration:decryption&amp;rev=1669207782&amp;do=diff"/>
                <rdf:li rdf:resource="https://www.staffordnet.uk/doku.php?id=paloaltonetworks:configuration:dns_sinkhole&amp;rev=1748249233&amp;do=diff"/>
                <rdf:li rdf:resource="https://www.staffordnet.uk/doku.php?id=paloaltonetworks:configuration:dos_protection&amp;rev=1669207782&amp;do=diff"/>
                <rdf:li rdf:resource="https://www.staffordnet.uk/doku.php?id=paloaltonetworks:configuration:dynamic_routing_example&amp;rev=1669207782&amp;do=diff"/>
                <rdf:li rdf:resource="https://www.staffordnet.uk/doku.php?id=paloaltonetworks:configuration:dynamic_updates&amp;rev=1669207782&amp;do=diff"/>
                <rdf:li rdf:resource="https://www.staffordnet.uk/doku.php?id=paloaltonetworks:configuration:edl&amp;rev=1747908679&amp;do=diff"/>
                <rdf:li rdf:resource="https://www.staffordnet.uk/doku.php?id=paloaltonetworks:configuration:evasion&amp;rev=1669207782&amp;do=diff"/>
                <rdf:li rdf:resource="https://www.staffordnet.uk/doku.php?id=paloaltonetworks:configuration:file_blocking&amp;rev=1669207782&amp;do=diff"/>
                <rdf:li rdf:resource="https://www.staffordnet.uk/doku.php?id=paloaltonetworks:configuration:globalprotect&amp;rev=1757577605&amp;do=diff"/>
                <rdf:li rdf:resource="https://www.staffordnet.uk/doku.php?id=paloaltonetworks:configuration:high_availability&amp;rev=1669207782&amp;do=diff"/>
                <rdf:li rdf:resource="https://www.staffordnet.uk/doku.php?id=paloaltonetworks:configuration:http_calls&amp;rev=1669207782&amp;do=diff"/>
                <rdf:li rdf:resource="https://www.staffordnet.uk/doku.php?id=paloaltonetworks:configuration:initial_setup&amp;rev=1669207782&amp;do=diff"/>
                <rdf:li rdf:resource="https://www.staffordnet.uk/doku.php?id=paloaltonetworks:configuration:ipv6&amp;rev=1669207782&amp;do=diff"/>
                <rdf:li rdf:resource="https://www.staffordnet.uk/doku.php?id=paloaltonetworks:configuration:kerberos&amp;rev=1743450179&amp;do=diff"/>
                <rdf:li rdf:resource="https://www.staffordnet.uk/doku.php?id=paloaltonetworks:configuration:lacp&amp;rev=1669207782&amp;do=diff"/>
                <rdf:li rdf:resource="https://www.staffordnet.uk/doku.php?id=paloaltonetworks:configuration:ldap&amp;rev=1669207782&amp;do=diff"/>
                <rdf:li rdf:resource="https://www.staffordnet.uk/doku.php?id=paloaltonetworks:configuration:lldp&amp;rev=1669207782&amp;do=diff"/>
                <rdf:li rdf:resource="https://www.staffordnet.uk/doku.php?id=paloaltonetworks:configuration:log_retention&amp;rev=1669207782&amp;do=diff"/>
                <rdf:li rdf:resource="https://www.staffordnet.uk/doku.php?id=paloaltonetworks:configuration:lsvpn&amp;rev=1669207782&amp;do=diff"/>
                <rdf:li rdf:resource="https://www.staffordnet.uk/doku.php?id=paloaltonetworks:configuration:management_interface&amp;rev=1669207782&amp;do=diff"/>
                <rdf:li rdf:resource="https://www.staffordnet.uk/doku.php?id=paloaltonetworks:configuration:master_key&amp;rev=1669207782&amp;do=diff"/>
                <rdf:li rdf:resource="https://www.staffordnet.uk/doku.php?id=paloaltonetworks:configuration:multicast&amp;rev=1669207782&amp;do=diff"/>
                <rdf:li rdf:resource="https://www.staffordnet.uk/doku.php?id=paloaltonetworks:configuration:multi_vr&amp;rev=1669207782&amp;do=diff"/>
                <rdf:li rdf:resource="https://www.staffordnet.uk/doku.php?id=paloaltonetworks:configuration:multi_vsys&amp;rev=1669207782&amp;do=diff"/>
                <rdf:li rdf:resource="https://www.staffordnet.uk/doku.php?id=paloaltonetworks:configuration:nat&amp;rev=1673345785&amp;do=diff"/>
                <rdf:li rdf:resource="https://www.staffordnet.uk/doku.php?id=paloaltonetworks:configuration:ospf&amp;rev=1669207782&amp;do=diff"/>
                <rdf:li rdf:resource="https://www.staffordnet.uk/doku.php?id=paloaltonetworks:configuration:panorama&amp;rev=1669207782&amp;do=diff"/>
                <rdf:li rdf:resource="https://www.staffordnet.uk/doku.php?id=paloaltonetworks:configuration:panorama_variables&amp;rev=1669207782&amp;do=diff"/>
                <rdf:li rdf:resource="https://www.staffordnet.uk/doku.php?id=paloaltonetworks:configuration:policy_format&amp;rev=1669207782&amp;do=diff"/>
                <rdf:li rdf:resource="https://www.staffordnet.uk/doku.php?id=paloaltonetworks:configuration:qos&amp;rev=1669207782&amp;do=diff"/>
                <rdf:li rdf:resource="https://www.staffordnet.uk/doku.php?id=paloaltonetworks:configuration:radius&amp;rev=1669207782&amp;do=diff"/>
                <rdf:li rdf:resource="https://www.staffordnet.uk/doku.php?id=paloaltonetworks:configuration:response_pages&amp;rev=1669207782&amp;do=diff"/>
                <rdf:li rdf:resource="https://www.staffordnet.uk/doku.php?id=paloaltonetworks:configuration:routing_flags&amp;rev=1669207782&amp;do=diff"/>
                <rdf:li rdf:resource="https://www.staffordnet.uk/doku.php?id=paloaltonetworks:configuration:scheduled_log_export&amp;rev=1669207782&amp;do=diff"/>
                <rdf:li rdf:resource="https://www.staffordnet.uk/doku.php?id=paloaltonetworks:configuration:sd_wan&amp;rev=1669207782&amp;do=diff"/>
                <rdf:li rdf:resource="https://www.staffordnet.uk/doku.php?id=paloaltonetworks:configuration:security_profiles&amp;rev=1669207782&amp;do=diff"/>
                <rdf:li rdf:resource="https://www.staffordnet.uk/doku.php?id=paloaltonetworks:configuration:set_commands&amp;rev=1669207782&amp;do=diff"/>
                <rdf:li rdf:resource="https://www.staffordnet.uk/doku.php?id=paloaltonetworks:configuration:show_commands&amp;rev=1669207782&amp;do=diff"/>
                <rdf:li rdf:resource="https://www.staffordnet.uk/doku.php?id=paloaltonetworks:configuration:snmp&amp;rev=1669207782&amp;do=diff"/>
                <rdf:li rdf:resource="https://www.staffordnet.uk/doku.php?id=paloaltonetworks:configuration:subscriptions&amp;rev=1669207782&amp;do=diff"/>
                <rdf:li rdf:resource="https://www.staffordnet.uk/doku.php?id=paloaltonetworks:configuration:url_filtering&amp;rev=1669207782&amp;do=diff"/>
                <rdf:li rdf:resource="https://www.staffordnet.uk/doku.php?id=paloaltonetworks:configuration:url_override&amp;rev=1669207782&amp;do=diff"/>
                <rdf:li rdf:resource="https://www.staffordnet.uk/doku.php?id=paloaltonetworks:configuration:useful_security_policies&amp;rev=1748248292&amp;do=diff"/>
                <rdf:li rdf:resource="https://www.staffordnet.uk/doku.php?id=paloaltonetworks:configuration:user_id&amp;rev=1669207782&amp;do=diff"/>
                <rdf:li rdf:resource="https://www.staffordnet.uk/doku.php?id=paloaltonetworks:configuration:user_id_group_mapping&amp;rev=1669207782&amp;do=diff"/>
                <rdf:li rdf:resource="https://www.staffordnet.uk/doku.php?id=paloaltonetworks:configuration:user_id_terminal_services&amp;rev=1669207782&amp;do=diff"/>
                <rdf:li rdf:resource="https://www.staffordnet.uk/doku.php?id=paloaltonetworks:configuration:vpn&amp;rev=1736077040&amp;do=diff"/>
                <rdf:li rdf:resource="https://www.staffordnet.uk/doku.php?id=paloaltonetworks:configuration:vpn_monitoring&amp;rev=1669207782&amp;do=diff"/>
                <rdf:li rdf:resource="https://www.staffordnet.uk/doku.php?id=paloaltonetworks:configuration:vsys&amp;rev=1669207782&amp;do=diff"/>
                <rdf:li rdf:resource="https://www.staffordnet.uk/doku.php?id=paloaltonetworks:configuration:xpanse&amp;rev=1712051253&amp;do=diff"/>
                <rdf:li rdf:resource="https://www.staffordnet.uk/doku.php?id=paloaltonetworks:configuration:xpath&amp;rev=1669207782&amp;do=diff"/>
                <rdf:li rdf:resource="https://www.staffordnet.uk/doku.php?id=paloaltonetworks:configuration:zone_protection&amp;rev=1669207782&amp;do=diff"/>
                <rdf:li rdf:resource="https://www.staffordnet.uk/doku.php?id=paloaltonetworks:configuration:ztp&amp;rev=1669207782&amp;do=diff"/>
            </rdf:Seq>
        </items>
    </channel>
    <image rdf:about="https://www.staffordnet.uk/lib/exe/fetch.php?media=favicon.ico">
        <title>Saucepan</title>
        <link>https://www.staffordnet.uk/</link>
        <url>https://www.staffordnet.uk/lib/exe/fetch.php?media=favicon.ico</url>
    </image>
    <item rdf:about="https://www.staffordnet.uk/doku.php?id=paloaltonetworks:configuration:alerts&amp;rev=1669207782&amp;do=diff">
        <dc:format>text/html</dc:format>
        <dc:date>2022-11-23T12:49:42+00:00</dc:date>
        <dc:creator>Anonymous (anonymous@undisclosed.example.com)</dc:creator>
        <title>alerts</title>
        <link>https://www.staffordnet.uk/doku.php?id=paloaltonetworks:configuration:alerts&amp;rev=1669207782&amp;do=diff</link>
        <description>Palo Alerts

Certificate Expiry

If you want an alert when a certificate is expiring, you need to enable “Certificate Expiration Check” under Device&gt; Setup&gt; Management&gt; General Settings.

Note: the certificate check is only for the Device Certificate of the FW and not for all the certificates present on the firewall under Device</description>
    </item>
    <item rdf:about="https://www.staffordnet.uk/doku.php?id=paloaltonetworks:configuration:bgp&amp;rev=1669207782&amp;do=diff">
        <dc:format>text/html</dc:format>
        <dc:date>2022-11-23T12:49:42+00:00</dc:date>
        <dc:creator>Anonymous (anonymous@undisclosed.example.com)</dc:creator>
        <title>bgp</title>
        <link>https://www.staffordnet.uk/doku.php?id=paloaltonetworks:configuration:bgp&amp;rev=1669207782&amp;do=diff</link>
        <description>BGP

If your PAN-OS firewall has two separate eBGP peering relationships with two separate networks that have the same AS number (e.g. AS 1111), the firewall (assuming it is AS 2222) will not export routes that are learned from one neighbour to the other. This is because it is trying to prevent a routing loop.</description>
    </item>
    <item rdf:about="https://www.staffordnet.uk/doku.php?id=paloaltonetworks:configuration:blank_configuration&amp;rev=1669207782&amp;do=diff">
        <dc:format>text/html</dc:format>
        <dc:date>2022-11-23T12:49:42+00:00</dc:date>
        <dc:creator>Anonymous (anonymous@undisclosed.example.com)</dc:creator>
        <title>blank_configuration</title>
        <link>https://www.staffordnet.uk/doku.php?id=paloaltonetworks:configuration:blank_configuration&amp;rev=1669207782&amp;do=diff</link>
        <description>Blank Configuration

	*  Username: admin
	*  Password: Password1! (bootstrap default — change it on first login, before exposing the management interface)

&lt;?xml version=&quot;1.0&quot;?&gt;
&lt;config urldb=&quot;paloaltonetworks&quot; version=&quot;9.0.0&quot;&gt;
  &lt;mgt-config&gt;
    &lt;users&gt;
      &lt;entry name=&quot;admin&quot;&gt;
        &lt;phash&gt;$1$bgymjqlr$3ONAzRb1fsw8noJAl0ZBW/&lt;/phash&gt;
        &lt;permissions&gt;
          &lt;role-based&gt;
            &lt;superuser&gt;yes&lt;/superuser&gt;
          &lt;/role-based&gt;
        &lt;/permissions&gt;
      &lt;/entry&gt;
    &lt;/users&gt;
  &lt;/mgt-config&gt;
  &lt;shared/&gt;
  &lt;devices&gt;
    &lt;entry name=&quot;localhost.localdomain&quot;&gt;
      &lt;ne…</description>
    </item>
    <item rdf:about="https://www.staffordnet.uk/doku.php?id=paloaltonetworks:configuration:captive_portal&amp;rev=1669207782&amp;do=diff">
        <dc:format>text/html</dc:format>
        <dc:date>2022-11-23T12:49:42+00:00</dc:date>
        <dc:creator>Anonymous (anonymous@undisclosed.example.com)</dc:creator>
        <title>captive_portal</title>
        <link>https://www.staffordnet.uk/doku.php?id=paloaltonetworks:configuration:captive_portal&amp;rev=1669207782&amp;do=diff</link>
        <description>Captive Portal

When troubleshooting captive portal, if you find that you cannot get the Redirect mode to work when you are redirecting to an IP that is on a loopback interface on the firewall, you need to enable “Response Pages” on the interface that is</description>
    </item>
    <item rdf:about="https://www.staffordnet.uk/doku.php?id=paloaltonetworks:configuration:certificates&amp;rev=1669207782&amp;do=diff">
        <dc:format>text/html</dc:format>
        <dc:date>2022-11-23T12:49:42+00:00</dc:date>
        <dc:creator>Anonymous (anonymous@undisclosed.example.com)</dc:creator>
        <title>certificates</title>
        <link>https://www.staffordnet.uk/doku.php?id=paloaltonetworks:configuration:certificates&amp;rev=1669207782&amp;do=diff</link>
        <description>Certificates

You can test ciphers being used with the following

nmap --script ssl-enum-ciphers -p 443 1.2.3.4

Free Certificates with Lets Encrypt

You can get free certificates for Palo Alto Networks devices using Lets Encrypt.

Details are here.

Certificate Chains</description>
    </item>
    <item rdf:about="https://www.staffordnet.uk/doku.php?id=paloaltonetworks:configuration:cortex_data_lake&amp;rev=1669207782&amp;do=diff">
        <dc:format>text/html</dc:format>
        <dc:date>2022-11-23T12:49:42+00:00</dc:date>
        <dc:creator>Anonymous (anonymous@undisclosed.example.com)</dc:creator>
        <title>cortex_data_lake</title>
        <link>https://www.staffordnet.uk/doku.php?id=paloaltonetworks:configuration:cortex_data_lake&amp;rev=1669207782&amp;do=diff</link>
        <description>Cortex Data Lake

To enable enhanced application logging on the CLI

set deviceconfig setting logging enhanced-application-logging enable yes

request logging-service-forwarding customer info fetch
request logging-service-forwarding certificate info
delete license key Logging_Service_2021_03_16.key
request license fetch
request logging-service-forwarding certificate delete
request logging-service-forwarding certificate fetch-noproxy pre-shared-key ==put-psk-here==
debug software restart process …</description>
    </item>
    <item rdf:about="https://www.staffordnet.uk/doku.php?id=paloaltonetworks:configuration:credential_phishing_prevention&amp;rev=1669207782&amp;do=diff">
        <dc:format>text/html</dc:format>
        <dc:date>2022-11-23T12:49:42+00:00</dc:date>
        <dc:creator>Anonymous (anonymous@undisclosed.example.com)</dc:creator>
        <title>credential_phishing_prevention</title>
        <link>https://www.staffordnet.uk/doku.php?id=paloaltonetworks:configuration:credential_phishing_prevention&amp;rev=1669207782&amp;do=diff</link>
        <description>Credential Phishing Prevention

Whitelist

Remember, PAN-OS does not do credential phishing prevention for certain sites regardless of what you configure it to do.

Full list is here.

Logging

Remember, the logs for credential phishing prevention will be in the URL</description>
    </item>
    <item rdf:about="https://www.staffordnet.uk/doku.php?id=paloaltonetworks:configuration:data_filtering&amp;rev=1669207782&amp;do=diff">
        <dc:format>text/html</dc:format>
        <dc:date>2022-11-23T12:49:42+00:00</dc:date>
        <dc:creator>Anonymous (anonymous@undisclosed.example.com)</dc:creator>
        <title>data_filtering</title>
        <link>https://www.staffordnet.uk/doku.php?id=paloaltonetworks:configuration:data_filtering&amp;rev=1669207782&amp;do=diff</link>
        <description>Data Filtering

When you are applying a data filtering profile, look for hits in the Data Filtering section under the monitoring tab.

In Panorama, you have to use the threatID (which refers to the id of the object in Objects-&gt;Data Pattern and NOT Objects</description>
    </item>
    <item rdf:about="https://www.staffordnet.uk/doku.php?id=paloaltonetworks:configuration:decryption&amp;rev=1669207782&amp;do=diff">
        <dc:format>text/html</dc:format>
        <dc:date>2022-11-23T12:49:42+00:00</dc:date>
        <dc:creator>Anonymous (anonymous@undisclosed.example.com)</dc:creator>
        <title>decryption</title>
        <link>https://www.staffordnet.uk/doku.php?id=paloaltonetworks:configuration:decryption&amp;rev=1669207782&amp;do=diff</link>
        <description>SSL Decryption

Overview

You will find that SSL decryption on Palo Alto devices has its limitations. If SSL decryption is enabled and yet some sites do not work in HTTPS mode, you may find that the site does not support any of the ciphers listed below.</description>
    </item>
    <item rdf:about="https://www.staffordnet.uk/doku.php?id=paloaltonetworks:configuration:dns_sinkhole&amp;rev=1748249233&amp;do=diff">
        <dc:format>text/html</dc:format>
        <dc:date>2025-05-26T08:47:13+00:00</dc:date>
        <dc:creator>Anonymous (anonymous@undisclosed.example.com)</dc:creator>
        <title>dns_sinkhole</title>
        <link>https://www.staffordnet.uk/doku.php?id=paloaltonetworks:configuration:dns_sinkhole&amp;rev=1748249233&amp;do=diff</link>
        <description>DNS Sinkhole

DNS Testing

More details here

DNS Sinkhole IP

For DNS Sinkholing, Palo have an offering on their system which was 72.5.65.111 but is now (as of 2025), 198.135.184.22.

Bogon IP addresses are reserved address spaces that are filtered out on the Internet but are not typically filtered in enterprise WAN environments and will therefore get routed to the Internet perimeter.</description>
    </item>
    <item rdf:about="https://www.staffordnet.uk/doku.php?id=paloaltonetworks:configuration:dos_protection&amp;rev=1669207782&amp;do=diff">
        <dc:format>text/html</dc:format>
        <dc:date>2022-11-23T12:49:42+00:00</dc:date>
        <dc:creator>Anonymous (anonymous@undisclosed.example.com)</dc:creator>
        <title>dos_protection</title>
        <link>https://www.staffordnet.uk/doku.php?id=paloaltonetworks:configuration:dos_protection&amp;rev=1669207782&amp;do=diff</link>
        <description>DoS Protection Profiles

Remember, you should not have TCP-SYN enabled on both Zone Protection and DoS policies at the same time.

Remember, for DoS Protection Profiles, firewalls with multiple dataplane processors (DPs) distribute connections across DPs. In general, the firewall divides the CPS threshold settings equally across its DPs. For example, if a firewall has five DPs and you set the Alarm Rate to 20,000 CPS, each DP has an Alarm Rate of 4,000 CPS (20,000 / 5 = 4,000), so if the new ses…</description>
    </item>
    <item rdf:about="https://www.staffordnet.uk/doku.php?id=paloaltonetworks:configuration:dynamic_routing_example&amp;rev=1669207782&amp;do=diff">
        <dc:format>text/html</dc:format>
        <dc:date>2022-11-23T12:49:42+00:00</dc:date>
        <dc:creator>Anonymous (anonymous@undisclosed.example.com)</dc:creator>
        <title>dynamic_routing_example</title>
        <link>https://www.staffordnet.uk/doku.php?id=paloaltonetworks:configuration:dynamic_routing_example&amp;rev=1669207782&amp;do=diff</link>
        <description>Dynamic Routing Example

This page describes how to configure dynamic routing between an end user and two data centres. The scenario involves going through a pair of external firewalls and then a pair of internal firewalls at each location. In practice, I would suggest that merging the external firewalls into the internal firewalls and then making the two firewalls in each data centre an active/passive HA pair will drastically simplify what can be seen as an over complicated design. Still, it is…</description>
    </item>
    <item rdf:about="https://www.staffordnet.uk/doku.php?id=paloaltonetworks:configuration:dynamic_updates&amp;rev=1669207782&amp;do=diff">
        <dc:format>text/html</dc:format>
        <dc:date>2022-11-23T12:49:42+00:00</dc:date>
        <dc:creator>Anonymous (anonymous@undisclosed.example.com)</dc:creator>
        <title>dynamic_updates</title>
        <link>https://www.staffordnet.uk/doku.php?id=paloaltonetworks:configuration:dynamic_updates&amp;rev=1669207782&amp;do=diff</link>
        <description>Dynamic Updates

Update Servers

Normally, you would use updates.paloaltonetworks.com and wildfire.paloaltonetworks.com or eu.wildfire.paloaltonetworks.com to get dynamic updates for Palo Alto Networks appliances.

However, if you want to use static IPs, use the following</description>
    </item>
    <item rdf:about="https://www.staffordnet.uk/doku.php?id=paloaltonetworks:configuration:edl&amp;rev=1747908679&amp;do=diff">
        <dc:format>text/html</dc:format>
        <dc:date>2025-05-22T10:11:19+00:00</dc:date>
        <dc:creator>Anonymous (anonymous@undisclosed.example.com)</dc:creator>
        <title>edl</title>
        <link>https://www.staffordnet.uk/doku.php?id=paloaltonetworks:configuration:edl&amp;rev=1747908679&amp;do=diff</link>
        <description>External Dynamic Lists

Palo have a public list for Microsoft Azure and Microsoft 365 here.

There are other SaaS products to manage EDL

	*  EDL Manager
	*  ipEngine

Also, when downloading a dynamic list over SSL (HTTPS), you will need to use a certificate profile that includes the root certificate. However, some certificates are signed by two chains. Your web browser may only show one chain. You can use</description>
    </item>
    <item rdf:about="https://www.staffordnet.uk/doku.php?id=paloaltonetworks:configuration:evasion&amp;rev=1669207782&amp;do=diff">
        <dc:format>text/html</dc:format>
        <dc:date>2022-11-23T12:49:42+00:00</dc:date>
        <dc:creator>Anonymous (anonymous@undisclosed.example.com)</dc:creator>
        <title>evasion</title>
        <link>https://www.staffordnet.uk/doku.php?id=paloaltonetworks:configuration:evasion&amp;rev=1669207782&amp;do=diff</link>
        <description>Evasion

In this case, we are accessing 1.2.3.4 as if it were host.corp.com. If we see a threat, we log this because PAN-OS resolves 1.2.3.4 to some other FQDN

( subtype eq spyware ) and ( ( name-of-threatid eq &#039;Suspicious TLS Evasion Found&#039; ) or ( name-of-threatid eq &#039;Suspicious HTTP Evasion Found&#039; ) ) and ( addr.dst in 1.2.3.4 ) and ( url eq &#039;host.corp.com/&#039; )</description>
    </item>
    <item rdf:about="https://www.staffordnet.uk/doku.php?id=paloaltonetworks:configuration:file_blocking&amp;rev=1669207782&amp;do=diff">
        <dc:format>text/html</dc:format>
        <dc:date>2022-11-23T12:49:42+00:00</dc:date>
        <dc:creator>Anonymous (anonymous@undisclosed.example.com)</dc:creator>
        <title>file_blocking</title>
        <link>https://www.staffordnet.uk/doku.php?id=paloaltonetworks:configuration:file_blocking&amp;rev=1669207782&amp;do=diff</link>
        <description>File Blocking

Palo Alto Networks have a page that lists all the file types here.</description>
    </item>
    <item rdf:about="https://www.staffordnet.uk/doku.php?id=paloaltonetworks:configuration:globalprotect&amp;rev=1757577605&amp;do=diff">
        <dc:format>text/html</dc:format>
        <dc:date>2025-09-11T08:00:05+00:00</dc:date>
        <dc:creator>Anonymous (anonymous@undisclosed.example.com)</dc:creator>
        <title>globalprotect</title>
        <link>https://www.staffordnet.uk/doku.php?id=paloaltonetworks:configuration:globalprotect&amp;rev=1757577605&amp;do=diff</link>
        <description>GlobalProtect

SAML for GlobalProtect

This page is a good guide.

Licence Requirements

Palo Alto Networks list the licence requirements here.

You need a licence to

	*  Perform HIP checks
	*  Support the GlobalProtect app for mobile endpoints
	*  Support the GlobalProtect app for Linux endpoints</description>
    </item>
    <item rdf:about="https://www.staffordnet.uk/doku.php?id=paloaltonetworks:configuration:high_availability&amp;rev=1669207782&amp;do=diff">
        <dc:format>text/html</dc:format>
        <dc:date>2022-11-23T12:49:42+00:00</dc:date>
        <dc:creator>Anonymous (anonymous@undisclosed.example.com)</dc:creator>
        <title>high_availability</title>
        <link>https://www.staffordnet.uk/doku.php?id=paloaltonetworks:configuration:high_availability&amp;rev=1669207782&amp;do=diff</link>
        <description>High Availability

Latency

Recommended but not enforced. Ensure &lt;= 20ms latency between HA members.

HA2 Link

If HA2 Backup has been configured but isn&#039;t showing on the dashboard widget on one or both of the firewalls in the HA pair, reboot the firewall(s) and it should appear on reboot.</description>
    </item>
    <item rdf:about="https://www.staffordnet.uk/doku.php?id=paloaltonetworks:configuration:http_calls&amp;rev=1669207782&amp;do=diff">
        <dc:format>text/html</dc:format>
        <dc:date>2022-11-23T12:49:42+00:00</dc:date>
        <dc:creator>Anonymous (anonymous@undisclosed.example.com)</dc:creator>
        <title>http_calls</title>
        <link>https://www.staffordnet.uk/doku.php?id=paloaltonetworks:configuration:http_calls&amp;rev=1669207782&amp;do=diff</link>
        <description>HTTP Server Calls

You can use the HTTP Server profiles to allow your PAN-OS appliance to send messages to Slack and Teams.

Slack

This page has details on how to configure Slack integration. Manage existing Apps here (There should be an option for &#039;Incoming Webhooks&#039;).</description>
    </item>
    <item rdf:about="https://www.staffordnet.uk/doku.php?id=paloaltonetworks:configuration:initial_setup&amp;rev=1669207782&amp;do=diff">
        <dc:format>text/html</dc:format>
        <dc:date>2022-11-23T12:49:42+00:00</dc:date>
        <dc:creator>Anonymous (anonymous@undisclosed.example.com)</dc:creator>
        <title>initial_setup</title>
        <link>https://www.staffordnet.uk/doku.php?id=paloaltonetworks:configuration:initial_setup&amp;rev=1669207782&amp;do=diff</link>
        <description>Initial Setup

	*  Create a user account on the Palo Alto Networks support portal. We suggest that the first account be a generic one (e.g. firewalladmins@example.com). You can then create individual accounts for yourself and your team.
	*  Register the firewalls on the support portal.
	*  Activate the Authorisation Codes for</description>
    </item>
    <item rdf:about="https://www.staffordnet.uk/doku.php?id=paloaltonetworks:configuration:ipv6&amp;rev=1669207782&amp;do=diff">
        <dc:format>text/html</dc:format>
        <dc:date>2022-11-23T12:49:42+00:00</dc:date>
        <dc:creator>Anonymous (anonymous@undisclosed.example.com)</dc:creator>
        <title>ipv6</title>
        <link>https://www.staffordnet.uk/doku.php?id=paloaltonetworks:configuration:ipv6&amp;rev=1669207782&amp;do=diff</link>
        <description>IPv6 on PAN-OS

ping inet6 yes source 2001:db8:1:1::2 host 2001:4860:4860::8888

An IPv6 Bogon address that can be used for sinkholing is 

2600:5200::1/128

Clientless VPN

Clientless VPN works fine from outside the network when the target webserver is dual stacked AND has both public AAAA record and A record.</description>
    </item>
    <item rdf:about="https://www.staffordnet.uk/doku.php?id=paloaltonetworks:configuration:kerberos&amp;rev=1743450179&amp;do=diff">
        <dc:format>text/html</dc:format>
        <dc:date>2025-03-31T19:42:59+00:00</dc:date>
        <dc:creator>Anonymous (anonymous@undisclosed.example.com)</dc:creator>
        <title>kerberos</title>
        <link>https://www.staffordnet.uk/doku.php?id=paloaltonetworks:configuration:kerberos&amp;rev=1743450179&amp;do=diff</link>
        <description>Kerberos

Knowledgebase Articles

Two good articles on setting up Kerberos SSO for User ID / Access to the Internet are

	*  here.
	*  here.

KeyTab File

You will need to create a service account on the active directory domain. You need a service account for each gateway you are using (e.g. if you are using a redirect FQDN for Captive Portal and a couple of GlobalProtect gateways, you will need that number of service accounts. This is because a service account is required for each SPN (server P…</description>
    </item>
    <item rdf:about="https://www.staffordnet.uk/doku.php?id=paloaltonetworks:configuration:lacp&amp;rev=1669207782&amp;do=diff">
        <dc:format>text/html</dc:format>
        <dc:date>2022-11-23T12:49:42+00:00</dc:date>
        <dc:creator>Anonymous (anonymous@undisclosed.example.com)</dc:creator>
        <title>lacp</title>
        <link>https://www.staffordnet.uk/doku.php?id=paloaltonetworks:configuration:lacp&amp;rev=1669207782&amp;do=diff</link>
        <description>LACP

When configuring LACP on Palo Alto Networks firewalls, if you are connecting to devices other than another Palo Alto Networks device, use slow timers for LACP.

Switch is active. Palo Alto Networks firewall is passive. Transmission rate should be set to slow on both the firewall and the switch(es).</description>
    </item>
    <item rdf:about="https://www.staffordnet.uk/doku.php?id=paloaltonetworks:configuration:ldap&amp;rev=1669207782&amp;do=diff">
        <dc:format>text/html</dc:format>
        <dc:date>2022-11-23T12:49:42+00:00</dc:date>
        <dc:creator>Anonymous (anonymous@undisclosed.example.com)</dc:creator>
        <title>ldap</title>
        <link>https://www.staffordnet.uk/doku.php?id=paloaltonetworks:configuration:ldap&amp;rev=1669207782&amp;do=diff</link>
        <description>LDAP

When configuring a GlobalProtect portal to authenticate users against an LDAP server (in my case, Windows Server 2012 R2), I had to remember the following few details.

Firstly, when you edit the LDAP profile Web GUI-&gt;Device Tab-&gt;Server Profiles</description>
    </item>
    <item rdf:about="https://www.staffordnet.uk/doku.php?id=paloaltonetworks:configuration:lldp&amp;rev=1669207782&amp;do=diff">
        <dc:format>text/html</dc:format>
        <dc:date>2022-11-23T12:49:42+00:00</dc:date>
        <dc:creator>Anonymous (anonymous@undisclosed.example.com)</dc:creator>
        <title>lldp</title>
        <link>https://www.staffordnet.uk/doku.php?id=paloaltonetworks:configuration:lldp&amp;rev=1669207782&amp;do=diff</link>
        <description>LLDP

For Palo Alto Networks firewalls, these are the supported TLV fields for LLDP:

	*  Chassis ID
	*  Port ID 
	*  Port Description
	*  Time-to-live
	*  End of LLDPDU
	*  System Name
	*  System Description
	*  System Capabilities
	*  Management Address</description>
    </item>
    <item rdf:about="https://www.staffordnet.uk/doku.php?id=paloaltonetworks:configuration:log_retention&amp;rev=1669207782&amp;do=diff">
        <dc:format>text/html</dc:format>
        <dc:date>2022-11-23T12:49:42+00:00</dc:date>
        <dc:creator>Anonymous (anonymous@undisclosed.example.com)</dc:creator>
        <title>log_retention</title>
        <link>https://www.staffordnet.uk/doku.php?id=paloaltonetworks:configuration:log_retention&amp;rev=1669207782&amp;do=diff</link>
        <description>Log Retention

Tell the firewall to keep log capacity to no more than 95%.

debug software disk-usage aggressive-cleaning enable</description>
    </item>
    <item rdf:about="https://www.staffordnet.uk/doku.php?id=paloaltonetworks:configuration:lsvpn&amp;rev=1669207782&amp;do=diff">
        <dc:format>text/html</dc:format>
        <dc:date>2022-11-23T12:49:42+00:00</dc:date>
        <dc:creator>Anonymous (anonymous@undisclosed.example.com)</dc:creator>
        <title>lsvpn</title>
        <link>https://www.staffordnet.uk/doku.php?id=paloaltonetworks:configuration:lsvpn&amp;rev=1669207782&amp;do=diff</link>
        <description>LSVPN

Do not set &#039;External Certificate Authority&#039; when creating the IPsec tunnel on the Satellite site.

You have to open up TCP-443 and UDP-4501 for LSVPN to work.

Unless we are doing dynamic routing, we do not need to put an IP on the tunnel interface of the satellite as it will get an IP anyway.</description>
    </item>
    <item rdf:about="https://www.staffordnet.uk/doku.php?id=paloaltonetworks:configuration:management_interface&amp;rev=1669207782&amp;do=diff">
        <dc:format>text/html</dc:format>
        <dc:date>2022-11-23T12:49:42+00:00</dc:date>
        <dc:creator>Anonymous (anonymous@undisclosed.example.com)</dc:creator>
        <title>management_interface</title>
        <link>https://www.staffordnet.uk/doku.php?id=paloaltonetworks:configuration:management_interface&amp;rev=1669207782&amp;do=diff</link>
        <description>Management Interface

Enable Management HTTPS From CLI

If https has been disabled on the management interface, it can be enabled from the command line.

Connect to the CLI through SSH or the console port and log in as an administrator.

Use the</description>
    </item>
    <item rdf:about="https://www.staffordnet.uk/doku.php?id=paloaltonetworks:configuration:master_key&amp;rev=1669207782&amp;do=diff">
        <dc:format>text/html</dc:format>
        <dc:date>2022-11-23T12:49:42+00:00</dc:date>
        <dc:creator>Anonymous (anonymous@undisclosed.example.com)</dc:creator>
        <title>master_key</title>
        <link>https://www.staffordnet.uk/doku.php?id=paloaltonetworks:configuration:master_key&amp;rev=1669207782&amp;do=diff</link>
        <description>Master Key

The default master key for Palo Alto Networks PAN-OS is 

p1a2l3o4a5l6t7o8

Because this default is public, it should be replaced with a site-specific master key before the firewall is deployed.</description>
    </item>
    <item rdf:about="https://www.staffordnet.uk/doku.php?id=paloaltonetworks:configuration:multicast&amp;rev=1669207782&amp;do=diff">
        <dc:format>text/html</dc:format>
        <dc:date>2022-11-23T12:49:42+00:00</dc:date>
        <dc:creator>Anonymous (anonymous@undisclosed.example.com)</dc:creator>
        <title>multicast</title>
        <link>https://www.staffordnet.uk/doku.php?id=paloaltonetworks:configuration:multicast&amp;rev=1669207782&amp;do=diff</link>
        <description>Multicast

Info on Multicast

	*  224.0.0.0/4 - Multicast IP Range
		*  224.0.0.0/24 - Link Local multicast
			*  224.0.0.5 OSPF - to send information to all OSPF routers
			*  224.0.0.6 OSPF - to send information to DR/BDR routers. 
			*  224.0.0.13 PIMv2
			*  224.0.0.18 VRRP</description>
    </item>
    <item rdf:about="https://www.staffordnet.uk/doku.php?id=paloaltonetworks:configuration:multi_vr&amp;rev=1669207782&amp;do=diff">
        <dc:format>text/html</dc:format>
        <dc:date>2022-11-23T12:49:42+00:00</dc:date>
        <dc:creator>Anonymous (anonymous@undisclosed.example.com)</dc:creator>
        <title>multi_vr</title>
        <link>https://www.staffordnet.uk/doku.php?id=paloaltonetworks:configuration:multi_vr&amp;rev=1669207782&amp;do=diff</link>
        <description>Multiple Virtual Routers

You may want to configure several virtual router objects on your Palo Alto devices to connect to the same network. To get this working properly, ensure that each virtual router&#039;s interface that connects to a given network is assigned a separate zone. If several interfaces are assigned to the same network and the same zone, the fact that they are on different virtual routers will not stop the Palo Alto Networks firewalls from failing to route, because of the logic flow.</description>
    </item>
    <item rdf:about="https://www.staffordnet.uk/doku.php?id=paloaltonetworks:configuration:multi_vsys&amp;rev=1669207782&amp;do=diff">
        <dc:format>text/html</dc:format>
        <dc:date>2022-11-23T12:49:42+00:00</dc:date>
        <dc:creator>Anonymous (anonymous@undisclosed.example.com)</dc:creator>
        <title>multi_vsys</title>
        <link>https://www.staffordnet.uk/doku.php?id=paloaltonetworks:configuration:multi_vsys&amp;rev=1669207782&amp;do=diff</link>
        <description>Multi-VSYS

Collapsing Multi-Vsys

Collapsing multi-vsys firewalls controlled by Panorama into single-vsys firewalls. In this case, the two VSYS, external and internal, were effectively a perimeter firewall and a core firewall.

	*  Perform pre-cutover config checks.</description>
    </item>
    <item rdf:about="https://www.staffordnet.uk/doku.php?id=paloaltonetworks:configuration:nat&amp;rev=1673345785&amp;do=diff">
        <dc:format>text/html</dc:format>
        <dc:date>2023-01-10T10:16:25+00:00</dc:date>
        <dc:creator>Anonymous (anonymous@undisclosed.example.com)</dc:creator>
        <title>nat</title>
        <link>https://www.staffordnet.uk/doku.php?id=paloaltonetworks:configuration:nat&amp;rev=1673345785&amp;do=diff</link>
        <description>NAT

For Games Consoles, you may try
&lt;code&gt;set system setting persistent-dipp enable yes&lt;/code&gt; and then reboot.

&lt;https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-new-features/networking-features/persistent-nat-for-dipp&gt;

You may also need to reduce NAT oversubscription.</description>
    </item>
    <item rdf:about="https://www.staffordnet.uk/doku.php?id=paloaltonetworks:configuration:ospf&amp;rev=1669207782&amp;do=diff">
        <dc:format>text/html</dc:format>
        <dc:date>2022-11-23T12:49:42+00:00</dc:date>
        <dc:creator>Anonymous (anonymous@undisclosed.example.com)</dc:creator>
        <title>ospf</title>
        <link>https://www.staffordnet.uk/doku.php?id=paloaltonetworks:configuration:ospf&amp;rev=1669207782&amp;do=diff</link>
        <description>OSPF

Show Routes Learned

To see routes being learned by OSPF, use the following command

show routing protocol ospf lsdb

Get general routing data with

show routing route

Oi means ospf intra-area and is the subnet in which the virtual router has established OSPF peering relationships. If you have several /32 addresses in the same subnet as the larger /x on the interface, those /32 routes will also have Oi routes created with a metric of</description>
    </item>
    <item rdf:about="https://www.staffordnet.uk/doku.php?id=paloaltonetworks:configuration:panorama&amp;rev=1669207782&amp;do=diff">
        <dc:format>text/html</dc:format>
        <dc:date>2022-11-23T12:49:42+00:00</dc:date>
        <dc:creator>Anonymous (anonymous@undisclosed.example.com)</dc:creator>
        <title>panorama</title>
        <link>https://www.staffordnet.uk/doku.php?id=paloaltonetworks:configuration:panorama&amp;rev=1669207782&amp;do=diff</link>
        <description>Panorama

Setting Up Logging

When setting up Panorama to be a log collector, you may need to run the following (or just reboot the VM).

debug software restart process management-server

Disk Management

If the disks disappear when setting up a new Panorama, you can re-add them with</description>
    </item>
    <item rdf:about="https://www.staffordnet.uk/doku.php?id=paloaltonetworks:configuration:panorama_variables&amp;rev=1669207782&amp;do=diff">
        <dc:format>text/html</dc:format>
        <dc:date>2022-11-23T12:49:42+00:00</dc:date>
        <dc:creator>Anonymous (anonymous@undisclosed.example.com)</dc:creator>
        <title>panorama_variables</title>
        <link>https://www.staffordnet.uk/doku.php?id=paloaltonetworks:configuration:panorama_variables&amp;rev=1669207782&amp;do=diff</link>
        <description>Panorama Variables

Adding Variables Using CLI

Set variable

set template Core variable $tunnel-fwhq-local type ip-netmask 169.254.10.1/30
set template Core variable $tunnel-fwhq-remote type ip-netmask 169.254.10.2
set template Core variable $tunnel-fwhq-peer type ip-netmask 1.2.3.4</description>
    </item>
    <item rdf:about="https://www.staffordnet.uk/doku.php?id=paloaltonetworks:configuration:policy_format&amp;rev=1669207782&amp;do=diff">
        <dc:format>text/html</dc:format>
        <dc:date>2022-11-23T12:49:42+00:00</dc:date>
        <dc:creator>Anonymous (anonymous@undisclosed.example.com)</dc:creator>
        <title>policy_format</title>
        <link>https://www.staffordnet.uk/doku.php?id=paloaltonetworks:configuration:policy_format&amp;rev=1669207782&amp;do=diff</link>
        <description>Policy Format

Security Policy

	*  Destination Zone = Post Translation Zone
	*  Destination IP = Pre Translation IP

Destination NAT Policy

	*  Destination Zone = Pre Translation Zone
	*  Destination IP = Pre Translation IP

PBF Policy

	*  Destination Zone = No Destination Zone</description>
    </item>
    <item rdf:about="https://www.staffordnet.uk/doku.php?id=paloaltonetworks:configuration:qos&amp;rev=1669207782&amp;do=diff">
        <dc:format>text/html</dc:format>
        <dc:date>2022-11-23T12:49:42+00:00</dc:date>
        <dc:creator>Anonymous (anonymous@undisclosed.example.com)</dc:creator>
        <title>qos</title>
        <link>https://www.staffordnet.uk/doku.php?id=paloaltonetworks:configuration:qos&amp;rev=1669207782&amp;do=diff</link>
        <description>QoS

To control upload and download speeds with respect to internal endpoints browsing the web, apply the following.

	*  You will need a QoS policy that says “From Internal zone to External Zone”, then apply application and service details as appropriate. Finally, set the class to a value between 1 and 8. Remember, QoS policy applies after all other policy, which means the &#039;source IP&#039; will be the external IP if you apply Source NAT to the traffic. That is why just using Zones can be good.</description>
    </item>
    <item rdf:about="https://www.staffordnet.uk/doku.php?id=paloaltonetworks:configuration:radius&amp;rev=1669207782&amp;do=diff">
        <dc:format>text/html</dc:format>
        <dc:date>2022-11-23T12:49:42+00:00</dc:date>
        <dc:creator>Anonymous (anonymous@undisclosed.example.com)</dc:creator>
        <title>radius</title>
        <link>https://www.staffordnet.uk/doku.php?id=paloaltonetworks:configuration:radius&amp;rev=1669207782&amp;do=diff</link>
        <description>RADIUS

Azure MFA

Azure NPS

RADIUS: Vendor specific
vendor code 25461

Vendor Specific Attribute: Add:
//Vendor-Specific Attribute Information
Vendor Code: 25461
Yes, it conforms
Configure Attribute:
	// Configure VSA (RFC Compliant)
	Vendor-assigned attribute number: 1
	Attribute format: String
	Attribute value: AD Group Name</description>
    </item>
    <item rdf:about="https://www.staffordnet.uk/doku.php?id=paloaltonetworks:configuration:response_pages&amp;rev=1669207782&amp;do=diff">
        <dc:format>text/html</dc:format>
        <dc:date>2022-11-23T12:49:42+00:00</dc:date>
        <dc:creator>Anonymous (anonymous@undisclosed.example.com)</dc:creator>
        <title>response_pages</title>
        <link>https://www.staffordnet.uk/doku.php?id=paloaltonetworks:configuration:response_pages&amp;rev=1669207782&amp;do=diff</link>
        <description>Response Pages
PAN-OS HTML Variable  Description  &lt;appname/&gt; Application type of the blocked request. &lt;category/&gt; URL filtering category of the blocked request. &lt;certname/&gt; The name of the certificate used for SSL decryption. Other cert variables include: &lt;issuer/&gt;, &lt;status/&gt;, &lt;reason/&gt;, &lt;badcert/&gt;</description>
    </item>
    <item rdf:about="https://www.staffordnet.uk/doku.php?id=paloaltonetworks:configuration:routing_flags&amp;rev=1669207782&amp;do=diff">
        <dc:format>text/html</dc:format>
        <dc:date>2022-11-23T12:49:42+00:00</dc:date>
        <dc:creator>Anonymous (anonymous@undisclosed.example.com)</dc:creator>
        <title>routing_flags</title>
        <link>https://www.staffordnet.uk/doku.php?id=paloaltonetworks:configuration:routing_flags&amp;rev=1669207782&amp;do=diff</link>
        <description>Routing Flags

When running the show routing route command or when the virtual router runtime stats are viewed, a set of flags are displayed next to each route. 

Routes that start with A are active

	*  AS - Active and static
	*  AR - Active and learned via RIP</description>
    </item>
    <item rdf:about="https://www.staffordnet.uk/doku.php?id=paloaltonetworks:configuration:scheduled_log_export&amp;rev=1669207782&amp;do=diff">
        <dc:format>text/html</dc:format>
        <dc:date>2022-11-23T12:49:42+00:00</dc:date>
        <dc:creator>Anonymous (anonymous@undisclosed.example.com)</dc:creator>
        <title>scheduled_log_export</title>
        <link>https://www.staffordnet.uk/doku.php?id=paloaltonetworks:configuration:scheduled_log_export&amp;rev=1669207782&amp;do=diff</link>
        <description>Scheduled Log Export

On the firewall, if you schedule a log export, whatever time is set, it is the previous full day of logs that will be exported.

The export from firewalls will be in CSV format.

When exporting configuration from Panorama (on a schedule) the export file is an XML file in a TAR GZ format.</description>
    </item>
    <item rdf:about="https://www.staffordnet.uk/doku.php?id=paloaltonetworks:configuration:sd_wan&amp;rev=1669207782&amp;do=diff">
        <dc:format>text/html</dc:format>
        <dc:date>2022-11-23T12:49:42+00:00</dc:date>
        <dc:creator>Anonymous (anonymous@undisclosed.example.com)</dc:creator>
        <title>sd_wan</title>
        <link>https://www.staffordnet.uk/doku.php?id=paloaltonetworks:configuration:sd_wan&amp;rev=1669207782&amp;do=diff</link>
        <description>SD-WAN

Remember, when marking interfaces for ADSL/DSL, Cable Modem, Ethernet or Fibre, those links can be added to full mesh tunnels.

MPLS and other links will form point-to-point links.

Tunnel Names

tl_0101_0123456789_0108

	*  tl = tunnel
	*  0101</description>
    </item>
    <item rdf:about="https://www.staffordnet.uk/doku.php?id=paloaltonetworks:configuration:security_profiles&amp;rev=1669207782&amp;do=diff">
        <dc:format>text/html</dc:format>
        <dc:date>2022-11-23T12:49:42+00:00</dc:date>
        <dc:creator>Anonymous (anonymous@undisclosed.example.com)</dc:creator>
        <title>security_profiles</title>
        <link>https://www.staffordnet.uk/doku.php?id=paloaltonetworks:configuration:security_profiles&amp;rev=1669207782&amp;do=diff</link>
        <description>Security Profiles

Evasion Signatures

You can run an evasion test on PAN-OS using a client that accesses this site through the firewall.

We find that the following threats are detected and blocked. Notice that a lot of them are low and informational.
 Severity</description>
    </item>
    <item rdf:about="https://www.staffordnet.uk/doku.php?id=paloaltonetworks:configuration:set_commands&amp;rev=1669207782&amp;do=diff">
        <dc:format>text/html</dc:format>
        <dc:date>2022-11-23T12:49:42+00:00</dc:date>
        <dc:creator>Anonymous (anonymous@undisclosed.example.com)</dc:creator>
        <title>set_commands</title>
        <link>https://www.staffordnet.uk/doku.php?id=paloaltonetworks:configuration:set_commands&amp;rev=1669207782&amp;do=diff</link>
        <description>Set Commands

To set configuration from the command line, you have to enter configuration mode with configure and then use the set command.

When in Panorama, the following is an example of how to set information in a specific template.

set template My_Custom_Template config network virtual-router My_VR routing-table ip static-route &quot;CLIROUTE&quot; interface tunnel.1121 destination 10.0.0.0/16 metric 110</description>
    </item>
    <item rdf:about="https://www.staffordnet.uk/doku.php?id=paloaltonetworks:configuration:show_commands&amp;rev=1669207782&amp;do=diff">
        <dc:format>text/html</dc:format>
        <dc:date>2022-11-23T12:49:42+00:00</dc:date>
        <dc:creator>Anonymous (anonymous@undisclosed.example.com)</dc:creator>
        <title>show_commands</title>
        <link>https://www.staffordnet.uk/doku.php?id=paloaltonetworks:configuration:show_commands&amp;rev=1669207782&amp;do=diff</link>
        <description>Show Commands

To show the configuration of the Palo Alto Device, log into the CLI and run 

show config running

To show the configuration as a list of &#039;set&#039; commands, run the following

set cli config-output-format set
set cli pager off
set cli terminal width 500
configure
show</description>
    </item>
    <item rdf:about="https://www.staffordnet.uk/doku.php?id=paloaltonetworks:configuration:snmp&amp;rev=1669207782&amp;do=diff">
        <dc:format>text/html</dc:format>
        <dc:date>2022-11-23T12:49:42+00:00</dc:date>
        <dc:creator>Anonymous (anonymous@undisclosed.example.com)</dc:creator>
        <title>snmp</title>
        <link>https://www.staffordnet.uk/doku.php?id=paloaltonetworks:configuration:snmp&amp;rev=1669207782&amp;do=diff</link>
        <description>SNMP

SNMP Introduction

SNMP is the Simple Network Management Protocol. It allows SNMP servers (SNMP Agents) to report data when queried by an SNMP client (SNMP Manager). SNMP servers are normally on things like switches, firewalls, etc. The SNMP client is normally installed on a network management solution (e.g. SolarWinds). SNMP servers can also send SNMP</description>
    </item>
    <item rdf:about="https://www.staffordnet.uk/doku.php?id=paloaltonetworks:configuration:subscriptions&amp;rev=1669207782&amp;do=diff">
        <dc:format>text/html</dc:format>
        <dc:date>2022-11-23T12:49:42+00:00</dc:date>
        <dc:creator>Anonymous (anonymous@undisclosed.example.com)</dc:creator>
        <title>subscriptions</title>
        <link>https://www.staffordnet.uk/doku.php?id=paloaltonetworks:configuration:subscriptions&amp;rev=1669207782&amp;do=diff</link>
        <description>PAN-OS Subscriptions

	*  Threat Prevention – Provides protection against viruses, malware, vulnerability attacks (e.g. SQL injection) etc found within network traffic. This licence covers IDS and IPS features.
	*  DNS Security - Provides advanced protection against DNS threats.</description>
    </item>
    <item rdf:about="https://www.staffordnet.uk/doku.php?id=paloaltonetworks:configuration:url_filtering&amp;rev=1669207782&amp;do=diff">
        <dc:format>text/html</dc:format>
        <dc:date>2022-11-23T12:49:42+00:00</dc:date>
        <dc:creator>Anonymous (anonymous@undisclosed.example.com)</dc:creator>
        <title>url_filtering</title>
        <link>https://www.staffordnet.uk/doku.php?id=paloaltonetworks:configuration:url_filtering&amp;rev=1669207782&amp;do=diff</link>
        <description>PAN-OS URL Filtering

Multi-Category URL Filtering

Remember, if you manually whitelist a site, any specific sub-pages that are normally classed as malware will be allowed through (even though the list of categories will mark it as cust-list, malware).</description>
    </item>
    <item rdf:about="https://www.staffordnet.uk/doku.php?id=paloaltonetworks:configuration:url_override&amp;rev=1669207782&amp;do=diff">
        <dc:format>text/html</dc:format>
        <dc:date>2022-11-23T12:49:42+00:00</dc:date>
        <dc:creator>Anonymous (anonymous@undisclosed.example.com)</dc:creator>
        <title>url_override</title>
        <link>https://www.staffordnet.uk/doku.php?id=paloaltonetworks:configuration:url_override&amp;rev=1669207782&amp;do=diff</link>
        <description>URL Filtering - Override

Override Overview

I have been unable to get the Continue/Override pages working properly on Palo Alto Networks when set to transparent mode under Device-&gt;Setup-&gt;Content-ID-&gt;URL Admin Override. I have also been unable to get it working with loopback interfaces. I suspect the latter issue should be fixable as it implies that the administrator would be limited to response pages on one link only (and that seems crazy).</description>
    </item>
    <item rdf:about="https://www.staffordnet.uk/doku.php?id=paloaltonetworks:configuration:useful_security_policies&amp;rev=1748248292&amp;do=diff">
        <dc:format>text/html</dc:format>
        <dc:date>2025-05-26T08:31:32+00:00</dc:date>
        <dc:creator>Anonymous (anonymous@undisclosed.example.com)</dc:creator>
        <title>useful_security_policies</title>
        <link>https://www.staffordnet.uk/doku.php?id=paloaltonetworks:configuration:useful_security_policies&amp;rev=1748248292&amp;do=diff</link>
        <description>Useful Security Policies

A list of handy rules.

Useful Methodology

	*  Block all from IP
	*  Block all to IP
	*  Block all to sinkhole
	*  Block all to tcp/udp/port
	*  Block all from country
	*  Block all to country
	*  Block all application (e.g. quic, ssh-tunnel)</description>
    </item>
    <item rdf:about="https://www.staffordnet.uk/doku.php?id=paloaltonetworks:configuration:user_id&amp;rev=1669207782&amp;do=diff">
        <dc:format>text/html</dc:format>
        <dc:date>2022-11-23T12:49:42+00:00</dc:date>
        <dc:creator>Anonymous (anonymous@undisclosed.example.com)</dc:creator>
        <title>user_id</title>
        <link>https://www.staffordnet.uk/doku.php?id=paloaltonetworks:configuration:user_id&amp;rev=1669207782&amp;do=diff</link>
        <description>User-ID

Useful User-ID information.

User-ID Requirements

Palo Doc Here.

Win-RM

Setup
Run this command on each DC. Then add the account.

winrm configSDDL default

The service account needs to belong to the &#039;Remote Management Users&#039; group in AD to allow WinRM connections from the firewall to query WMI.  This is because the service account is not an administrator on the domain, and by default PowerShell Remoting requires admin privileges.</description>
    </item>
    <item rdf:about="https://www.staffordnet.uk/doku.php?id=paloaltonetworks:configuration:user_id_group_mapping&amp;rev=1669207782&amp;do=diff">
        <dc:format>text/html</dc:format>
        <dc:date>2022-11-23T12:49:42+00:00</dc:date>
        <dc:creator>Anonymous (anonymous@undisclosed.example.com)</dc:creator>
        <title>user_id_group_mapping</title>
        <link>https://www.staffordnet.uk/doku.php?id=paloaltonetworks:configuration:user_id_group_mapping&amp;rev=1669207782&amp;do=diff</link>
        <description>User-ID Group Mapping

Test Commands

To list the number of group mappings:

show user group list

To list the members of a particular group shown in the results of 

show user group list

show user group name &quot;cn=some groupname with whitespace,ou=AnOUname,ou=AnotherOUname,dc=example,dc=com&quot;</description>
    </item>
    <item rdf:about="https://www.staffordnet.uk/doku.php?id=paloaltonetworks:configuration:user_id_terminal_services&amp;rev=1669207782&amp;do=diff">
        <dc:format>text/html</dc:format>
        <dc:date>2022-11-23T12:49:42+00:00</dc:date>
        <dc:creator>Anonymous (anonymous@undisclosed.example.com)</dc:creator>
        <title>user_id_terminal_services</title>
        <link>https://www.staffordnet.uk/doku.php?id=paloaltonetworks:configuration:user_id_terminal_services&amp;rev=1669207782&amp;do=diff</link>
        <description>User-ID Terminal Services

Terminal Services agent caveat - (Windows 2012 R2 servers only) Disable Enhanced Protected Mode in Microsoft Internet Explorer for each user who uses that browser. Palo Alto Networks recommends that you do not disable Protected Mode, which differs from Enhanced Protected Mode. This task is not necessary for other browsers such as Google Chrome or Mozilla Firefox.</description>
    </item>
    <item rdf:about="https://www.staffordnet.uk/doku.php?id=paloaltonetworks:configuration:vpn&amp;rev=1736077040&amp;do=diff">
        <dc:format>text/html</dc:format>
        <dc:date>2025-01-05T11:37:20+00:00</dc:date>
        <dc:creator>Anonymous (anonymous@undisclosed.example.com)</dc:creator>
        <title>vpn</title>
        <link>https://www.staffordnet.uk/doku.php?id=paloaltonetworks:configuration:vpn&amp;rev=1736077040&amp;do=diff</link>
        <description>VPN on PAN-OS

Don&#039;t enable replay protection unless required as it impacts VPN throughput performance.

IKEv2 DH 14 or 19.

AES-GCM-128 with SHA-256 for best throughput (if we ignore SHA-1). (See this page.)

MODP

	*  Diffie-Hellman Group 1 (768-bit)
	*  Diffie-Hellman Group 2 (1024-bit)</description>
    </item>
    <item rdf:about="https://www.staffordnet.uk/doku.php?id=paloaltonetworks:configuration:vpn_monitoring&amp;rev=1669207782&amp;do=diff">
        <dc:format>text/html</dc:format>
        <dc:date>2022-11-23T12:49:42+00:00</dc:date>
        <dc:creator>Anonymous (anonymous@undisclosed.example.com)</dc:creator>
        <title>vpn_monitoring</title>
        <link>https://www.staffordnet.uk/doku.php?id=paloaltonetworks:configuration:vpn_monitoring&amp;rev=1669207782&amp;do=diff</link>
        <description>VPN Monitoring

PAN-OS to PAN-OS VPN

When configuring PAN-OS to PAN-OS VPN tunnels, use IKEv2. When using IKEv1, I&#039;ve seen issues with tunnels dropping on some configurations.

From Palo Alto Networks support:

PAN IKEv1 does not support overlapping IKE SA. The phase1 SA will be deleted when its lifetime expires. The phase1 SA rekey will only be triggered when Phase2 SA lifetime expires. It is not a bug. While, IKEV2 support overlapping SA, phase1 SA will be rekeyed before its lifetime expires.</description>
    </item>
    <item rdf:about="https://www.staffordnet.uk/doku.php?id=paloaltonetworks:configuration:vsys&amp;rev=1669207782&amp;do=diff">
        <dc:format>text/html</dc:format>
        <dc:date>2022-11-23T12:49:42+00:00</dc:date>
        <dc:creator>Anonymous (anonymous@undisclosed.example.com)</dc:creator>
        <title>vsys</title>
        <link>https://www.staffordnet.uk/doku.php?id=paloaltonetworks:configuration:vsys&amp;rev=1669207782&amp;do=diff</link>
        <description>VSYS

set system setting target-vsys vsys2

set system setting target-vsys none</description>
    </item>
    <item rdf:about="https://www.staffordnet.uk/doku.php?id=paloaltonetworks:configuration:xpanse&amp;rev=1712051253&amp;do=diff">
        <dc:format>text/html</dc:format>
        <dc:date>2024-04-02T09:47:33+00:00</dc:date>
        <dc:creator>Anonymous (anonymous@undisclosed.example.com)</dc:creator>
        <title>xpanse</title>
        <link>https://www.staffordnet.uk/doku.php?id=paloaltonetworks:configuration:xpanse&amp;rev=1712051253&amp;do=diff</link>
        <description>Xpanse

Saw this on my web server logs

198.235.24.57 - - [22/Oct/2023:20:49:50 +0000] &quot;GET / HTTP/1.0&quot; 200 347 &quot;-&quot; &quot;Expanse, a Palo Alto Networks company, searches across the global IPv4 space multiple times per day to identify customers&amp;#39; presences on the Internet. If you would like to be excluded from our scans, please send IP addresses/domains to: scaninfo@paloaltonetworks.com&quot;</description>
    </item>
    <item rdf:about="https://www.staffordnet.uk/doku.php?id=paloaltonetworks:configuration:xpath&amp;rev=1669207782&amp;do=diff">
        <dc:format>text/html</dc:format>
        <dc:date>2022-11-23T12:49:42+00:00</dc:date>
        <dc:creator>Anonymous (anonymous@undisclosed.example.com)</dc:creator>
        <title>xpath</title>
        <link>https://www.staffordnet.uk/doku.php?id=paloaltonetworks:configuration:xpath&amp;rev=1669207782&amp;do=diff</link>
        <description>XPATH Command

In addition to being used by the load partial command, you can use xpath to show config of a firewall in the CLI.

The following is an example.

show config running xpath devices/entry[@name=&#039;localhost.localdomain&#039;]/deviceconfig/system</description>
    </item>
    <item rdf:about="https://www.staffordnet.uk/doku.php?id=paloaltonetworks:configuration:zone_protection&amp;rev=1669207782&amp;do=diff">
        <dc:format>text/html</dc:format>
        <dc:date>2022-11-23T12:49:42+00:00</dc:date>
        <dc:creator>Anonymous (anonymous@undisclosed.example.com)</dc:creator>
        <title>zone_protection</title>
        <link>https://www.staffordnet.uk/doku.php?id=paloaltonetworks:configuration:zone_protection&amp;rev=1669207782&amp;do=diff</link>
        <description>Zone Protection

Remember, you should not have TCP-SYN enabled on both Zone Protection and DoS policies at the same time.

Logging

To enable the additional logging, run this operational command:

set system setting additional-threat-log on

More data</description>
    </item>
    <item rdf:about="https://www.staffordnet.uk/doku.php?id=paloaltonetworks:configuration:ztp&amp;rev=1669207782&amp;do=diff">
        <dc:format>text/html</dc:format>
        <dc:date>2022-11-23T12:49:42+00:00</dc:date>
        <dc:creator>Anonymous (anonymous@undisclosed.example.com)</dc:creator>
        <title>ztp</title>
        <link>https://www.staffordnet.uk/doku.php?id=paloaltonetworks:configuration:ztp&amp;rev=1669207782&amp;do=diff</link>
        <description>Zero Touch Provisioning

If you get a firewall with a ZTP SKU, it is the same as a standard NGFW but boots up in a different way. If for any reason you want the ZTP unit to function like a normal box, run the following command. 

 set system ztp disable</description>
    </item>
</rdf:RDF>
