Palo Alto firewalls have a neat feature called "DBL" - Dynamic Block List. This feature allows the firewall to grab a list of ip addresses or domains from an http page. You have to format the web page cleanly (https://live.paloaltonetworks.com/t5/Learning-Articles/Working-with-External-Block-List-EBL-Formats-and-Limitations/ta-p/58795), but it

With the default LDAP settings on a Palo Alto firewall, failing over from one LDAP server to another may not work correctly.  You need to tune the LDAP timers and retry intervals down to a lower level.  The settings I used are: Time Limit: 3 Bind Time Limit: 4 Retry

Below are the steps I used to perform an PAN-OS upgrade from 6.0.4 to 6.0.6 successfully. 1. On the active fw (fw1), log into the cli and enter: request high-availability state suspend.  This will force a failover to the secondary firewall (fw2).  I lost 2 pings

>show high-availability all >show high-availability state >show high-availability link-monitoring >show high-availability path-monitoring Configuring High Availability: https://live.paloaltonetworks.com/docs/DOC-2926 After enabling HA, the interfaces on the firewall will switch from using the interface MAC address to a virtual MAC address.  In my case, the Palo Alto updated the

Two quick cli commands to see who is currently logged in, and who logged in previously: show global-protect-gateway current-user show global-protect-gateway previous-user You can also specify the username with each command to see specific results. If want want to force a user logout (from my testing, the user will not