Next-Generation Firewall Discussions
Palo Alto Networks Next-Generation Firewalls provide true, complete visibility everywhere, along with precise policy control. Ask your questions or provide insightful answers in the discussion forum specific to NGFW.

Discussions

Welcome to the Next-Generation Firewall Discussions!

To make this forum valuable and enjoyable for everyone, please review the following guidelines before participating:

Rules and Best Practices

  • Be Respectful: Treat fellow community members with professionalism and courtesy. Constructive discussions are encouraged; disrespectful or inflammatory comments are not.
  • Stay On-Topic: This board is d...

JayGolf by Community Team Member
  • 4518 Views
  • 0 replies
  • 1 Likes

Resolved! Investigate Bandwidth utilization on Palo Alto Firewall

In Palo Alto, we are facing an issue where when our office is open, our bandwidth graph reaches its maximum, and when the office is closed, the bandwidth graph is down. We need to verify which IP address on the LAN network is causing this. The LAN network is connected to the Palo Alto firewall, and DHCP is configured.

Tunnel Traffic from ISP2 IP Working Despite Default Route on ISP1 – Need Insights?

Hi Team, 🔁 Scenario Summary for Asymmetric routing. Primary ISP (ISP1): Default route with lower metric (10), so all traffic prefers this path. Secondary ISP (ISP2): In Firewall, I manually initiate traffic using ping source <ISP2 IP> host 8.8.8.8. Routing Table: Since 8.8.8.8 is unknown, the firewall uses the default route — which points ...

Resolved! PALOALTO NGFW HIP

Hi, I need help with configuring Host Information Profiles (HIP) using device attributes such as MAC address, serial number, or host ID. When creating a HIP object with these attributes, where should I add the list of devices so they are recognized by the firewall? Thanks,

OrkhanM by L1 Bithead
  • 1387 Views
  • 4 replies
  • 0 Likes

Dynamic IP at Spoke site in PAN-OS SD-WAN Hub/Spoke topology

Hi, I am new to PAN-OS SD-WAN and need to clarify the Internet service requirement at a new spoke site. My client has a PAN-OS SD-WAN hub-and-spoke topology; the hub PA firewall has a static public IP for its internet service. All spoke PA firewalls also use static public IPs, but we now will have a new spoke with a dynamic public IP. I am hoping to confir...

Bootstrap 4.3 reaching EOS

Hello community, we have been informed that Bootstrap 4 is reaching EOS and this could cause a vulnerability, and I would like to know if there is any information about which firmware version uses this? Is it a real potential threat? Thanks in advance!

Concerns of Firewall 5250 dropping packets and enabled DSRI (Disable Server Response Inspection) relieve issues for a few hours but came back

Good evening, Working with one of the top Microsoft engineers today who performed numerous wireshark traces regarding huge concerns that Palo Alto Firewall 5250 firewall was dropping packets. Identified exact time and sequence as well as size of packets and sequence being lost in transit. Noticed over tens of thousands of these re-transmits ...

wechang by L0 Member
  • 1031 Views
  • 2 replies
  • 0 Likes

Resolved! In PAN version 9, public IP addresses and the VPN were accessible from the Intranet.

Hello everyone, I have a question: In PAN version 9.0, public IP addresses and the VPN were accessible from the Intranet. However, now that it has been updated to versions 10 and 11, access is no longer possible. Why did this happen, or is there anything else I can do with the firewall with these new versions?

Resolved! HA1-Backup Failing when setting to Management

I have a pair of 1410's configured for HA. Because the firewalls are not in the same room, I need to use the management interface for the HA1 backup. When I do the commit in Panorama, it commits without error. However, when I go to push it out, I get: Details: . Validation Error: . deviceconfig -> high-availability -> interface -&...

jwill2 by L2 Linker
  • 1583 Views
  • 5 replies
  • 0 Likes

Limit IP address range bandwidth during recurring time period

Need to limit residence hall users' bandwidth to Internet Monday-Friday 8:00 a.m. to 5:00 p.m. The following is how it was done previously on Cisco ASA. Need to translate to PA5430.

object-group network MV_NETWORK
 network-object 192.168.0.0 255.255.0.0
access-list MV_TRAFFIC extended permit ip object-group MV_NETWORK any time-range RegularHours ...

What is Certificate Pinning and how to deal with SSL Decryption

Certificate pinning was developed to help prevent man-in-the-middle attacks. But what is certificate pinning? Traditionally, the SSL handshake consists of the validation of the server’s certificate, let’s say collab.com. The validation is done using the CA’s certificate located in the certificate store of the web browser. The certificate sto...

rmeddane by L2 Linker
  • 23080 Views
  • 3 replies
  • 2 Likes

VPN Performance over Prisma Access : slow downloads

Hi, Can somebody tell me what you can expect from downloading a file over the Prisma Access backbone? Our datacenter is connected to a service connection and when I try to download a 200 Mbps file from the datacenter to a remote network located in the same region, I am getting a download speed of 500Kbps per second (SMB transfer). Within the remote ...

zGomez by L3 Networker
  • 8128 Views
  • 8 replies
  • 0 Likes

LACP LINK DOWN FW PALO ALTO

Hi, I have a customer whose firewall unexpectedly failed over recently. Looking at the logs before failover, LACP links appeared to fail negotiation right before, which triggers failover. Unfortunately HA logs don't stretch back enough! Looking at the l2ctrid.logs (LACP log files on TSF), see the below error constantly thrown leading up to ...

  • 1795 Posts
  • 60 Subscriptions