Anybody know how to configure gre over ipsec ?from the 9.0,pa support gre tunnel and only one word describe about this feature.(Optional) Select Add GRE Encapsulation to enable GRE over IPSec.Add GRE encapsulation in cases where the remote endpoint requires traffic to be encapsulated within a GRE tunnel before IPSec encrypts the traffic. For exa...
I'm running PAN-OS 10.1 on a VM-100. I have DHCP on an interface and use a script to update an address object with the default gateway from the DHCP interface. I have a static route with next hop set to this address object and path monitoring enabled. I've run into a situation where if the DHCP lease expires (something upstream fails with the pr...
Hi all, We are using tunnel monitor on the IPSec tunnels and i am wondering if rekeying childs SA, causes the tunnel monitor to bring the tunnel down. In additon i would like to know if PA stores a log of all the rekeys for each tunnel. TIA
Hi folks, I'm facing some throughput issues with a site to site vpn between my onprem site (vm-300) and azure (VpnGw1).Scenario:- Windows cluster + SQL Always on Availability Groups (async commit)- 2 nodes on premises (sql01 and sql02)- 1 node on azure (sql03).- Link speed 150Mbps- Latency between on prem and azure: 15ms Ipsec tunnel is working,...
Does anyone know whether PanOS 9.1.11-h2 runs on PA-3020? I have upgrade PanOS on PA-3020 to 9.1.11-h2, and the PA-3020 now cannot drive physical ethernet interface except for a management interface. When I downgraded to PanOS 9.0.14-h3 or 8.1.20-h1, it came back to work again. Here is a little debug out: hoge@fw02> show interface hardware S...
Hi everyone, Hope everyone is doing Great. I have one question regarding the shared objects and here is the problem I am facing. I am trying to find the best way to convert device specific objects(addresses, services, tags) into shared objects. I was using Expedition to convert around 9300 objects into shared with the help of multi edit feature...
How Palo alto HA and Cisco HSRP work together ? For example ===========Here Palo alto HA is upstream devices ( lets consider PA1 and PA2 are in HA setup). Cisco Switches are catalyst 6509 or nexus 5 or 6K ( SW1 and SW2)SW1 is connected to PA 1 and SW2 is connected to PA2 in SW1 and SW2 HSRP is configured to maintain gateway high availability for...
Hey folks, Can someone point me to a "best practice" design guide or white paper for making the physical connections to a vSphere cluster that will run a VM-200 virtual appliance? I'm only seeing configuration guides on deploying and setting up the VM on a vSphere host but nothing on how best to make the physical connections to the hosts-espe...
We current have 1 subnet linked to an layer 3 interface which is supplied by our isp. We have run out of ip addresses and our isp want to present another subnet but on a completely different range. (too many services to move to a new range)Is it just a case of adding an ip address from the new subnet to the current interface so there will be 2 g...
Hello all, I am using the guide below to clear out UDP sessions after a PBF failover. When I get to the part about the key parameter under Payload Format, it says the value is too long. I am copying the exact key I generated from the web browser. The key generated is 132 characters, but it says the max length is only 128 characters. The fire...
Here is the set up. Palo FW HA pairs send logs to Panorama and Log Collectors. Log Collectors send logs to long term archival (LTA) such as LogRhythm. Here is the issue, long term storage is not seeing the latest logs. I guess what I don't understand is the timing. When/how often are logs sent from the FW's to Panorama/Loggers and then when/...
purchase a VM-50 lab bundle last year. pa-vm license was "perpetual", while the other components were 1YR subscriptions. Subscription expired on 7 October 2021.the previously licensed was "destroyed" ☹️ before it could be properly deactivated. I am looking for advice on how i can get PA Support to make the change that would permit me to acti...
Greetings (apologies in advance if this is a bit long) Could i have some advice on what would be considered best practice for allowing and blocking certain traffic at certain times. As a school (K-12) that has Day Scholars, boarder Scholars, live in staff and different privilege's for different aged scholars, i need some advice on the best way t...
Hi All, I am stucked with very basic requirement on Palo-alto firewall. Would like to know how to check the traffic statistics on PA Interfaces as requirement is to check the current live traffic on specific Interface. Followed some articles available on Internet. But none of them are correct or useful. They referring to Network -> QoS fo...
