Destination NAT to address not in same subnet

Hello,

I had a quick question about destination NATing to an address not in the same subnet as an interface on the Palo Alto. For example, let's say I have a site-to-site VPN and I am using destination NAT on one side of the tunnel. When traffic comes

Accessing web systems using main office's IP trough IPSec tunnel

Hello.

We have a few IPsec S-2-S tunnels with different devices on other side and all works nice, but in one of them is required, that users on other side can use internet resources (to get this sides WAN IP address and access few web systems that wit

Is a crossover cable required if cabling a host directly to the PA interface

I have a host directly cabled to an interface on the PA. I am having issues with internet connectivity on this host. I wonder if a crossover cable is required to cable direct rather than traversing a switch first?

Thanks,

Daniel

Problem with IPSec tunnel monitor

Hello,

We have an issue with one IPSec site-to-site tunnel. The PAN usually doesn't recognize when a tunnel is down. We can correct this by setting up monitors on all tunnels with a "wait-recover" action after 3 subsequent failures. This works for all

Panorama commit devices with different results

Hi,

We have a device group in Panorama with 4 devices members. When we've committed changes sometimes devices had the result "Commit succeeded with warnings", because we have some dependence warnings, but one of them has the result Commit Succeeded".

Captive Portal authentication as a replacement for Checkpoint Client Auth

Hello,

We're in the process of replacing a number of checkpoint firewalls with Palo Altos and we're looking at ways in which we can replace the current Client-Auth setup on Checkpoint where you telnet to the firewall directly, authenticate, and it the

session browser source=0.0.0.0?

seeing a lot of sessions in the session-browser with a source ip of 0.0.0.0 (in the internal "trust" zone) - these tend to be UDP protocols, RTP, bittorrent, skype etc and the session browser shows them not matching any rule or having any bytes.  Are

Test commnad on the nat policies

Hello,

I did an upgrade from a 500 model to a 3020 model. All the configurations work just fine. The problem that I see is that I cannot test the nat-policy rules. I have the following configuration:

..

snat-all-LANs {

        from inside;

        source

Original MAC Address of each interface on device

I have two Palo Alto devices and running HA.

When i run command on Active and passive device:

> show interface hardware

It only show the same MAC Address value of all interface.

I want to know original (physical) MAC Address of each interface on each d

What does not get uploaded in Config that needs changed via CLI?

We have a PA-500 that has a bad hard drive in it. We copied the config from the bad device and transferred it to the new RMA device they have sent us. on the GUI all the settings have transferred over just fine and nothing looks different. But when t