Palo Alto Networks NGFW does not respond to ping from HPE Procurve/Aruba switches

Another unexpected Zone Protection Profile doing its thing: in this case a ping from an end-user device (such as a Windows or macOS computer) to an IP interface (gateway) on a Palo Alto Networks Next Generation Firewall came back with a response, but requests from HPE ProCurve (Aruba) switches (2920/2530) appeared to disappear into oblivion with no response. A little… Read more



Palo Alto Networks Captive Portal, long delay in loading – Sophos agent

While recently testing the Captive Portal feature of a Palo Alto Networks Next Generation Firewall (NGFW) we found that Apple Macs took 120+ seconds to load the sign-in page. First thoughts jumped to the Apple Captive Network Assistant (CNA) feature not functioning correctly; however, this appeared to be a dead end. Some time and a few packet captures… Read more



CITC 2022 Integrating systems through their APIs

After a few years on hold it's great to be back at CITC, this time in the British Motor Museum. The video presentation covers a short (if speedy) introduction to Node-RED and its ability to integrate systems through their APIs. Demo 2 is of note and shows how a user visiting a malicious website can have their internet access revoked… Read more



Aruba Instant – PAN Syslog Parse Profile

A little treat that I hope will help someone at some point: for those with Palo Alto Networks Next Generation Firewalls (NGFW) and Aruba Instant Wi-Fi, you can forward syslog messages from the controller to the NGFW and parse them with the profile below to map users to IP addresses. There is plenty of information on syslog to User-ID at… Read more
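The parse profile itself lives in the full post. As an added illustration that is not part of the original, the block below applies the same three pieces a PAN-OS Syslog Parse Profile asks for (an event string that selects the line, a username regex and an address regex) in Python over constructed log lines, and builds the resulting IP-to-user table. The Aruba Instant message wording, hostnames, users and addresses are assumptions made for this example; the regexes must be matched to the real event strings in your own logs.

```python
import re

# Constructed sample lines standing in for what an Aruba Instant virtual
# controller forwards over syslog. The message wording is an assumption made
# for this example, not captured Aruba output.
SAMPLE_SYSLOG = """\
<142>Jun 14 09:12:01 ap-lobby-1 authmgr: User authentication successful: username=alice MAC=aa:bb:cc:dd:ee:01 IP=10.20.30.41 role=staff
<142>Jun 14 09:12:07 ap-lobby-1 authmgr: User authentication successful: username=bob MAC=aa:bb:cc:dd:ee:02 IP=10.20.30.42 role=staff
<142>Jun 14 09:15:30 ap-lobby-1 authmgr: User authentication successful: username=alice MAC=aa:bb:cc:dd:ee:01 IP=10.20.30.43 role=staff
<142>Jun 14 09:40:00 ap-lobby-1 authmgr: User logout: username=bob MAC=aa:bb:cc:dd:ee:02 IP=10.20.30.42
<142>Jun 14 09:41:12 ap-lobby-1 stm: Station connected: MAC=aa:bb:cc:dd:ee:09
<142>Jun 14 09:42:00 ap-lobby-1 authmgr: User authentication successful: username=carol MAC=aa:bb:cc:dd:ee:03 role=guest
"""

# The same three inputs a PAN-OS Syslog Parse Profile takes: an event string
# that selects the line, then a username and an address regex applied to it.
LOGIN_EVENT = "User authentication successful"
LOGOUT_EVENT = "User logout"
USERNAME_RE = re.compile(r"username=(?P<user>\S+)")
# Anchored on "IP=" so the MAC address on the same line can never be picked up.
ADDRESS_RE = re.compile(r"IP=(?P<ip>\d{1,3}(?:\.\d{1,3}){3})")


def parse_line(line: str):
    """Return ("login"|"logout", user, ip) for a mapping event, else None.

    A line that matches the event string but lacks either field is dropped,
    which is also what a profile does when one of its regexes fails to match.
    """
    if LOGIN_EVENT in line:
        event = "login"
    elif LOGOUT_EVENT in line:
        event = "logout"
    else:
        return None
    user = USERNAME_RE.search(line)
    addr = ADDRESS_RE.search(line)
    if not (user and addr):
        return None
    return event, user.group("user"), addr.group("ip")


def build_mapping(syslog_text: str) -> dict:
    """Replay the lines in order and return the final {ip: user} table."""
    mapping = {}
    for line in syslog_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        event, user, ip = parsed
        if event == "login":
            # A fresh login at an address replaces whoever was mapped there.
            mapping[ip] = user
        elif mapping.get(ip) == user:
            # Only clear the entry the logout actually belongs to; a stale
            # entry for a user who moved to a new address is left to age out.
            del mapping[ip]
    return mapping


if __name__ == "__main__":
    for ip, user in sorted(build_mapping(SAMPLE_SYSLOG).items()):
        print(f"{ip:15} -> {user}")
```

The replay shows the two cases worth checking before trusting a profile in production: alice re-authenticates on a new address and ends up with two entries (the old one is only removed by the firewall's mapping timeout), and carol's line carries no IP at all and is silently ignored rather than producing a half-populated mapping.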



Palo Alto Networks GlobalProtect and Azure AD – AADSTS700016: Application with identifier was not found in the directory.

When setting up a GlobalProtect Portal/Gateway with Azure AD you may find you receive the error message: AADSTS700016: Application with identifier <Entity ID> was not found in the directory '<Directory ID>'. The fix here is easy: the GlobalProtect client appends :443 to the domain name, which isn't mentioned in the guide from Microsoft (https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/palo-alto-networks-globalprotect-tutorial) but is… Read more



Palo Alto NGFW, decryption and images in Slack not displaying or uploading

You may find that when doing decryption on a Palo Alto Networks Next Generation Firewall, images in Slack channels are not displayed or are only shown at very low resolution; in addition, images cannot be uploaded. When inspecting the HTTP error messages in your browser a 503 response may also be seen. To top off the issue… Read more



PRTG REST API, PowerShell and UTF8

An issue that I've now run into a few times, so I thought it was worth a blog post: if you are using the REST Custom sensor within PRTG Network Monitor you may see the error below if you have generated your REST configuration using PowerShell. XML: The returned XML does not match the expected schema. (code: PE233)… Read more
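The full post has the details; the block below is an added example, not taken from the original, written on the assumption the title suggests: that the configuration file generated by Windows PowerShell carries the UTF-8 byte-order mark that its Out-File -Encoding UTF8 prepends, and a strict consumer rejects the file because of those three leading bytes. The template content is a constructed stand-in and does not reproduce PRTG's real sensor schema; the example shows how to detect the BOM, why a strict parser fails on it, and the two ways out (strip it, or decode with utf-8-sig).

```python
import codecs
import json

# Constructed stand-in for a generated REST sensor template (JSON). The real
# PRTG template schema is not reproduced here.
TEMPLATE = '{"prtg": {"result": [{"channel": "Sessions", "value": 42}]}}'


def write_like_windows_powershell(text: str) -> bytes:
    """Mimic Windows PowerShell 5.1 'Out-File -Encoding UTF8': UTF-8 with a BOM."""
    return text.encode("utf-8-sig")


def write_without_bom(text: str) -> bytes:
    """What a BOM-less writer (PowerShell 7 utf8NoBOM, .NET UTF8Encoding(false)) emits."""
    return text.encode("utf-8")


def has_utf8_bom(data: bytes) -> bool:
    """True when the file starts with EF BB BF."""
    return data.startswith(codecs.BOM_UTF8)


def strip_utf8_bom(data: bytes) -> bytes:
    """Remove the BOM if present; the rest of the bytes are valid UTF-8 either way."""
    return data[len(codecs.BOM_UTF8):] if has_utf8_bom(data) else data


def parse_template(data: bytes) -> dict:
    """Strict parse: plain utf-8 decoding keeps U+FEFF, and json.loads rejects it."""
    return json.loads(data.decode("utf-8"))


def parse_template_lenient(data: bytes) -> dict:
    """Tolerant parse: the utf-8-sig codec drops a leading BOM on decode."""
    return json.loads(data.decode("utf-8-sig"))


def parses_strictly(data: bytes) -> bool:
    """Report whether a strict consumer would accept the bytes as written."""
    try:
        parse_template(data)
        return True
    except json.JSONDecodeError:
        return False


if __name__ == "__main__":
    generated = write_like_windows_powershell(TEMPLATE)
    print("BOM present:", has_utf8_bom(generated), generated[:3].hex())
    print("strict parse of raw file:", parses_strictly(generated))
    print("strict parse after strip:", parses_strictly(strip_utf8_bom(generated)))
```

On the generating side the equivalent fix in Windows PowerShell is to bypass Out-File and write the string with a BOM-less encoder, for example `[System.IO.File]::WriteAllText($path, $json, (New-Object System.Text.UTF8Encoding $false))`; the first three bytes of the resulting file should no longer be EF BB BF.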



Processing Cortex XDR Syslog/CEF with Graylog

It's a bit of an odd situation, but sometimes you might want to take information from a cloud service, in this case Cortex XDR from Palo Alto Networks, and pull it into an on-premises logging service. This guide will look at how to get this log data in as well as parse it such that you can… Read more
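Getting the data into Graylog is covered in the full post. As an added example that is not part of the original, the parser below shows what a CEF consumer has to handle before the fields are usable: locating the CEF: marker behind any syslog prefix, splitting the seven pipe-separated header fields while honouring \| and \\ escapes, and splitting the key=value extension while honouring \= and \\ there. The sample lines are constructed for this example and do not reproduce real Cortex XDR output or its field set; only the CEF layout and the standard extension keys (src, dst, suser, rt, msg, cs1/cs1Label) are taken from the CEF specification.

```python
import re

# Constructed sample lines in CEF layout. The vendor/product strings follow the
# CEF header convention; the event content is invented for this example and is
# not real Cortex XDR output.
SAMPLE_CEF = [
    r"CEF:0|Palo Alto Networks|Cortex XDR|1.0|Alert|Behavioral Threat|8|rt=Jun 14 2022 09:12:01 src=10.20.30.41 dst=203.0.113.7 suser=alice cs1Label=Alert Source cs1=XDR Agent msg=Suspicious process tree: cmd.exe -> powershell.exe",
    # Same format behind an RFC 5424 syslog prefix, with escaped '|', '=' and '\'.
    r"<14>1 2022-06-14T09:12:02Z xdr-forwarder - - - - CEF:0|Palo Alto Networks|Cortex XDR|1.0|Alert|Pipe \| in name|5|src=10.20.30.42 msg=key\=value with\\backslash",
]

HEADER_FIELDS = ("version", "device_vendor", "device_product", "device_version",
                 "signature_id", "name", "severity")

# An extension key is a run of key characters followed by '=' at the start of
# the extension or after whitespace. A '\=' inside a value never matches because
# the backslash is not a key character.
KEY_RE = re.compile(r"(?:^|\s)([A-Za-z0-9_.]+)=")


def _unescape(value: str) -> str:
    """Undo CEF escaping: '\\' -> '\', '\=' -> '=', '\|' -> '|', '\n'/'\r' -> newline."""
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            nxt = value[i + 1]
            out.append({"n": "\n", "r": "\r"}.get(nxt, nxt))
            i += 2
        else:
            out.append(value[i])
            i += 1
    return "".join(out)


def _split_header(body: str):
    """Split on unescaped '|' until seven header fields are collected."""
    fields, buf, i = [], [], 0
    while i < len(body) and len(fields) < len(HEADER_FIELDS):
        ch = body[i]
        if ch == "\\" and i + 1 < len(body):
            buf.append(body[i + 1])
            i += 2
        elif ch == "|":
            fields.append("".join(buf))
            buf = []
            i += 1
        else:
            buf.append(ch)
            i += 1
    return fields, body[i:]


def _parse_extension(extension: str) -> dict:
    """Split key=value pairs; a value runs until the next 'key=' token."""
    keys = list(KEY_RE.finditer(extension))
    result = {}
    for idx, match in enumerate(keys):
        start = match.end()
        end = keys[idx + 1].start() if idx + 1 < len(keys) else len(extension)
        result[match.group(1)] = _unescape(extension[start:end].strip())
    return result


def parse_cef(line: str) -> dict:
    """Parse one CEF line (with or without a syslog prefix) into a dict."""
    marker = line.find("CEF:")
    if marker < 0:
        raise ValueError("no CEF: marker in line")
    fields, extension = _split_header(line[marker + len("CEF:"):])
    if len(fields) != len(HEADER_FIELDS):
        raise ValueError("malformed CEF header: expected 7 fields, got %d" % len(fields))
    event = dict(zip(HEADER_FIELDS, fields))
    event["extension"] = _parse_extension(extension)
    return event


def is_cef(line: str) -> bool:
    """Cheap pre-filter for a routing rule: does this line parse as CEF at all?"""
    try:
        parse_cef(line)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for sample in SAMPLE_CEF:
        print(parse_cef(sample))
```

Two caveats a Graylog pipeline has to live with as well: the extension grammar is ambiguous whenever a free-text value such as msg contains a space followed by word=, since the parser cannot tell that from a new key, and severity arrives as a string (numeric 0-10 or a label) that needs normalising before it can drive an alert threshold.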



PAN-OS and Connections Per Second in PRTG

If you are looking to build out Zone Protection Profiles on your Palo Alto Networks Next Generation Firewall then it can be handy to know just what your connections per second (CPS) metrics look like over time for each zone. Quite luckily Palo Alto Networks have a little (although not entirely descriptive) guide on where you can get this data: https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/zone-protection-and-dos-protection/zone-defense/take-baseline-cps-measurements-for-setting-flood-thresholds/how-to-measure-cps.html…. Read more



Detecting threats with inbound SSL (TLS) decryption

Today we have the answer to the question: without SSL decryption, how many threats, attempted vulnerability exploits and other bad stuff coming from the internet at my internally hosted (externally published) web sites and services will I miss? To run some simple tests (which will be detected as malicious attacks) I'm going to be running the Nessus scanner against a… Read more