Tag: Firewall

Palo Alto Device Certificate

Palo Alto Networks firewalls often require a device certificate. A device certificate is needed for items like device telemetry and for some of the CDSS (Cloud-Delivered Security Services) items, such as WildFire, DNS and URL filtering, and others. In this post, I show you step-by-step how to check if a device certificate is installed and…

Palo Alto Private Data Reset with HA (Active/Passive)

Sometimes, you need to do a quick factory reset on a Palo Alto Networks firewall. If you aren’t decommissioning the firewall, a Private Data Reset can be a faster way to accomplish similar results as a factory reset and can be done via CLI directly and could technically be done remotely with some coordination. In…

Securing GlobalProtect

Out of the box, you can’t just add a Security Profile to the interface that runs GlobalProtect fortunately there’s a relatively easy way to do it with minimal impact to your existing GlobalProtect setup. In this post, I will show you step-by-step how to secure GlobalProtect by adding protection with a Vulnerability Protection Profile or…

Upgrade Palo Alto HA Pair (Active/Passive) with CLI

I’m a big fan of CLI, I love to use it when I can, it always feels more complete and absolute. A while back I posted how to Upgrade Palo Alto Firewall HA Pair (Active/Passive) in that post I only covered the GUI method this post will detail how to complete everything with CLI only.…

FortiGate Policy Mode vs Profile Mode

By default all Fortinet FortiGates are in Profile-based NGFW mode. There is nothing wrong with the default mode. However, I personally prefer policy mode more. Profile mode works like most firewalls like SonicWall, pfSense and UniFi for example. All your rules are based on ports. Policy mode works like Palo Alto Networks firewalls. All your…

Palo Alto Predefined IP Commit Error Fix

In this post I will detail how to resolve the Palo Alto commit error when trying to commit a predefined IP list. Below is an example of the error Validation Error:external-list -> Palo Alto Networks Tor exit IP Addresses -> type -> predefined-ip -> url ‘panw-torexit-ip-list’ is not a valid referenceexternal-list -> Palo Alto Networks…