best design for a small network

Good morning, We just got a Palo Alto Firewall for a small testing lab with several virtual servers and clients. The firewall will be then connected between the lab and our ISP gateway. Most of the network traffic will be internal, since the clients will be connecting to the servers with a switch, and the switch will then be connected to the FW....

VRRP other devices

Hello Guys,I´m new in the world Palo Alto, my company partner is now Palo Alto. I have not found documentation, but it is possible to utilize protocol VRRP in PA-5050 with equipment other manufacturers? Thank you.

Default Management Ports in PAN OS 7.1

Hi all The standard guide for configuring a PANW Firewall to allow access to HTTPS/SSH etc from the outside has been this link: https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Change-the-Default-Management-Port/ta-p/62333 But with the release of PAN OS 7, the provided instructions no longer work. A loopback interface cannot sh...

DNS Sinkhole Intended Destination

I've configured a DNS sinkhole in our PAN firewall, and it's helped our department identify machines that are trying to reach out to malicious domains and such. Is it possible to identify the original, intended, destination that the user was attempting to reach when they became innfected?

Lync (Skype for Business) Across Organisations

Hi guys, Is anyone else having issues using Lync (Skype for Business) when messaging, or sending file transfers, to someone in a separate Skype Organisation in an external network? Not sure if this is a bug or not, as the application is being seen as Incomplete, and looking at Packet Captures the SYN ACK isn't being received. Kind regardsJack

VPN between 2 Palo Alto Firewalls

Hi there, I am trying to setup VPN between 2 Palo Alto Firewalls. On one side I have public address but on the other side I am using a private ip address as this Palo Alto is behind a router. The VPN is not coming up. I also tried to do port forward from the router to the Palo Alto but still no success. What am I doing wrong here guys or will it...

Active/Active HA managed by Panorama

In the Active/Active HA setup, there is an option to "Enable Config Sync". In the past I have used this because I didn't have Panorama. Now I have a new set of PA5050s that are running in Active/Active mode and we purchased Panorama to go with it. My question is should I enable the config sync? Or should I disable it since Panorama pushes to...

Large Scale VPN (LSVPN) - Opinions from end users?

I'm looking for feedback from customers who have deployed LSVPN on PAN-OS firewalls. I'm getting ready to rebuild a highly manual, semi-fullmesh VPN infrastructure of abotu 10 sites. Yes, I have a mess on my hands. I am planning on a dual-hub and spoke model. The dual-hubs are two datacenters that are connected via IPSEC between them. Each of th...

HA strange behaviour

Hi, we have a cluster Active/passive PA3050 in PanOS 7.0.9. Yesterday we realised that one of our firewalls was having a strange behaviour (event HA), and this morning this FW was in maintenance mode, i had to reinstall the image 7.0.9 and cluster is OK now, but i dont know if this will solve the problem o the problem will happen again. Can you ...

Zone Protection stats

I have recently setup/enabled some zone protection on one of my interfaces. I have set the values high since I have no way of knowing how much data is actually passing the interface and what threshold would trigger the dropping. Now that its running I know I can run the following command "show zone-protection zone untrust" to see the current cou...

Error login in back pages