Panorama Discussions
Post discussions about Panorama, a centralized network security management solution for all your Palo Alto Networks firewalls irrespective of their form factors or locations, in this forum.
cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Panorama Discussions
Post discussions about Panorama, a centralized network security management solution for all your Palo Alto Networks firewalls irrespective of their form factors or locations, in this forum.
About Panorama Discussions
Post discussions about Panorama, a centralized network security management solution for all your Palo Alto Networks firewalls irrespective of their form factors or locations, in this forum.

Discussions

Welcome to the Panorama Discussions!

To make this forum valuable and enjoyable for everyone, please review the following guidelines before participating: Rules and Best Practices Be Respectful: Treat fellow community members with professionalism and courtesy. Constructive discussions are encouraged; disrespectful or inflammatory comments are not. Stay On-Topic: This board is d...

JayGolf by Community Team Member
  • 4949 Views
  • 0 replies
  • 0 Likes

policy based Ikev2 site to site VPN between Cisco router and Palo Alto

we have a policy-based site-to-site VPN between cisco router and palo alto. But the tunnel goes down and doesn't come up after the IPsec lifetime is expired. And tunnel only comes up after sending traffic from cisco to palo alto and not the other way. When The devices under the Cisco LAN subnet(192.168.2.0/24) try to communicate with the server ...

msdphi by L2 Linker
  • 1989 Views
  • 1 replies
  • 0 Likes

VMware ESXi Panorama ha1 down

Hello - I have a VMware ESXi Panorama (10.1.10-h1) active/passive pair and the ha1 port goes down several times a day every day. This produces the following in system logs "Staying in Active state after split-brain recovery (split-brain duration: xx's". I've rebooted, ensured that the root was less than 90% and increased the Heartbeat Interva...

Built-in External Dynamic Lists - Not showing so they can be added to shared Policy

I am currently attempting to make all of my firewals look the same from a policy perspective as possible and I would like to know if there is a way to add the Built-in External Dynamic Lists To the shared policy. I understand that each firewall is updating the list based on the dynamic updates received but, I would thing that these items should...

Resolved! Add to Panorama a new firewall to form an HA with a current standalone already managed by Panorama

One of our customers has a standalone PA-820 that is currently managed by Panorama. They now want to add another PA-820 and form an HA Active/Passive peer with the one mentioned above. Checking PA documentation, I can only see references about how to integrate both HA peers or a standalone firewall but do not mention anything specific about ho...

Syslog in Panorama Policy

Hi All, We have multiple firewalls managed by Panorama. We have single Template managing these firewalls. There are local Syslog configs done on each firewall as logs is being pushed on different ports. But now we have multiple rules configured in Panorama template pushed on to all firewalls with no Log forwarding on the policy. But to configure...

Failed migration to Panorama 10.1.3

I had an issue recently when attempting to migrate a 3250 HA pair (10.0.8-h4) to Panorama 10.1.3. I was able to complete the push and commit however anything that uses a password or secret such as a IKE Gateway pre-shared key didn't work. The resultant outage was significant with over 100 IPSec VPN's configured so I quickly reverted the 3250's...

benlewis by L2 Linker
  • 5910 Views
  • 4 replies
  • 0 Likes

GP -> SAML -> EntraID Windows users vs Mac user experience issues

Got a weird one and I'm on Mac so short of pestering my colleagues reaching out to the greater community while I wait on support to attempt to triage. GP client 6.2.3 - PAN 11.1.2 GP setup; using default browser to support our yubikey users using auth override cookies portal creates gateway accepts Problem comes with a super annoying us...

plupini by L1 Bithead
  • 3388 Views
  • 6 replies
  • 0 Likes

Help finding partial config diff API

I'm working on an integration to segment access to the Panorama feature to review audit comment messages and partial config diffs for policies. In Panorama, if you navigate to Policies -> <select a policy> -> Audit Comment Archive, there are three panels available there; Audit Comments, Config Logs (between commits) and Rule Changes...

Resolved! Cannot push IKE gateway X variable using template (chicken or the egg)

I have run into another 'bug' in 11.0.2 where my Palo Alto (PA-440) is trying to apply a configuration in an impossible order. Or, more likely, this is a Panorama bug of some sort. Screenshot of gateway configuration: Error message from the attempted push from Panorama: network -> ike -> gateway -> vpn-xxx-> local-address -&g...

SteveBallantyne_0-1692131763931.png

Add managed firewall to Panorama without import policy to Panorama

Hi all There are pre-rules, local firewall rules, post-rules and default rules after I added a firewall to Panorama, but when we import the configuration to device group, seems import rules to pre or post rules is a must during the the import operation, then the original local firewall rules will become the pre or post rules after we push the ...

alextsa by L1 Bithead
  • 1895 Views
  • 2 replies
  • 0 Likes

No logging for URL Filtering on Panorama

Hello all, Having some trouble getting URL filter logging to work correctly. The PA is currently running version 10.2.6 When going to Objects > Security profiles > Url Filtering, I do see red text saying a license is needed for URL filtering. But if I read online correctly this is only for advanced URL Filtering? I have gone to O...

NGFW - Panorama registration 3978 : Traffic allowed but RST constantly.

Hi, I was trying to connect a new PA-440 spare device to our existing Panorama infrastructure, when i faced this weird issue as shown in the system logs. It's as if the TCP session starts and abruptly ends on port 3978 leading to a never ending loop of success and failure. The Panorama is natted behind a cisco so i went there to see wha...

OELHANCHI_0-1713863049269.png
OELHANCHI_1-1713863173974.png

Resolved! Panorama import local managed device issue

I added a PA to panorama test lab with version 9.1.11 them import configuration. However I am unable to push config from panorama to PA and I found below errors which showing customized application is in use, then I need to delete many objects and policies on PA firewall to push configuration. I want to know is it a normal practice for Panorama ...

TonyTam by L1 Bithead
  • 13469 Views
  • 4 replies
  • 0 Likes

Errors after deploying template from Panorama

Hi all, I am seeing the below errors after deploying templates to Palo's when attempting to commit HA configuration. I have applied the HA IP so unsure why that is stating ip-address to be configured? Also what is best way to resolve these dynamic list no cert with profile errors?

MAllen_0-1713886027548.png
MAllen_1-1713886065327.png
M.Allen by L2 Linker
  • 1423 Views
  • 2 replies
  • 0 Likes
  • 723 Posts
  • 47 Subscriptions
Labels