Virtual wire mode, the interfaces assigned to virtual wire are transparent mode.Layer 2 interfaces: interfaces can assigned to different zone.
Hello,What is the best practice to replace a HA pair appliance with a different model HA pair appliance, where the configuration must be the same and down time must be kept to minimum.Is there a guide that outlines the recommended process?Thank you
hello guys, Some of the users got the DNS issue for the external websites after globalprotect connected, the users are able to ping the external IP address but just the DNS does not work.There was no change applied to the Firewall recently and only a few users got this issue.not sure if someone else got the same issue and how did you fix that? T...
Customer upgraded to 9.1.12 and after that it was noticed that for some of the zones, traffic was dropped. During debug,it was concluded that reason is Strict IP Address Check in the Zone Protection Profile:"flow_dos_pf_strictip 1 0 drop flow dos Packets dropped: Zone protection option 'strict-ip-check'"In the 9.1.12 release notes it is noted:PA...
We have been working with TAC to find the cause of this issue where FTP client could no longer upload to external companies FTP server over the VPN tunnel. After many days, we started a packet filter on the Public Internet (WAN) interface, which is a different zone from the tunnel interface, and were still seeing drops due to "flow_dos_pf_stric...
Hi guys, I've received an "Internal error" when trying to attempt to commit to applying policies changes. "Internal error (module device) that's all I got. Can you please help me with this?
Hi,I need to update in real time the external dynamic list IP. Looking for this doc https://docs.paloaltonetworks.com/pan-os/9-0/cli-reference/pan-os-9-0-configure-cli-command-hierarchy.html and cli command "find command keyword",didn't see any command help me to do the issue.I think take a cli command and execute them with api request solve my ...
One of devices was not properly shut down due to a power outage in a building. When the device started back up, it appears that it entered maintenance mode. The reason is FIPS failure. I have attempted to reboot the device from maintenance mode and appeared to work (was able to get to the normal prompt for asking password when attempting ssh)...
Hi there, I'm playing with QoS in our lab. I have a simple setup with two queue, first for SMB traffic, second for RDP traffic.The max egress value is set, but when I transfer data, then both queues get bandwith values. What I am doing wrong here?
Hello,I use a Firewall at version 10.0.8-h8. I wrote a rule to allow the application "active-directory-base" (which contains several ports) in the application section then "application-default" in the services/URL category section as recommended by PA. The observation I made is that the flow never matches this rule. It is even dropped by the int...
As of now STORE router/POS1 able to reach the head office(PALO ALTO) via site to site VPN and HeadOffice(PAN) to AWS also working via site to site VPN. But our main goal is that POS1/Store able to reach the AWS network. As of the momment POS1 not able to reach the AWS networks. I already tried to add a route on the PAN from Store network going t...
Hi Team, We have facing the connectivity issue on GP Agent 5.2.10. After turning off the windows firewall, it's connecting. Please let us know how we can achieve this without disabling the windows firewall. Because in earlier versions of GP client we have never asked users to follow this method and it’s not recommended to turn off the windows fi...
Hello, Im trying to configure User-ID Agent. Dedicated users is created, with details acroding to: Create a Dedicated Service Account for the User-ID Agent (paloaltonetworks.com)Agent version: 10.0.4-23Agent is installed on Windows Server 2019.DC's are on Windows Server 2019.All is up to date. This is the status of the agent: But still this is...
PANOS- 8.1.12h3. .When I export monitoring logs in excel . It doesn't show decryption flag info even when I can see decryption (yes/no)in the monitoring logs.
Hello All, For some locations we have 2xISP setup, since we have no dynamic peering with any of those, we do a default static route via each of those. Having 'ECMP/Source IP hash' enabled it works just fine in a lab. We also do path monitoring for each of default route, pining different remote hosts like 8.8.8.8/8.8.4.4 etc. Do we need actual s...
