About santonic

Why is second IP on trust interface? Just put the second public IP on untrust interface (or to wherever ISP route directs it)  and PA will respond to ARP requests for it.   ... View more

Not pretty but it would work. Just make sure routes on PA are correct: 10.10.1.0/25 to the first tunnel interface and 10.10.1.128/25 to the second. However for IPSEC to be established with current settings you will have to keep Proxy IDs on PA as 10.10.1.0/24 for both.   Just out of curiosity; why not just setup 2nd location with 10.10.2.0/24 network? I doubt you're running out of private classes?    ... View more

Restarting management didn't help. So as i had to do a reboot  I did an upgrade to 7.1.8 as well and everything is ok now.  ... View more

NAT policy to see configuration. Enable coloumns NAT Dest IP and/or NAT Src IP to see NAT happening in logs. Or click 'detailed log view' on specific traffic log entry to open all details about a session. ... View more

It's PAN-OS 7.0.3 with 491 days uptime 🙂 I'll start with management plane restart. I always thougth it's about disk space so far.   ... View more

Nobody had anything like this?   ... View more

You know the source where the scans are coming for? You have designated scanners? Then yeah, put them in seperate network and you will see their traffic and alerts. I thougth the idea was to monitor your network for users which might be doing some unwanted scans.   So far I never heard about possibility of redirecting mirror traffic to a L3 tap. Nor about such devices.   There is another family of devices tho, called netwrok taps. Basically you put them in your network on interesting traffic paths and mirror that traffic to some device which can analyze the traffic. Either for troubleshooting or security checks. Basically a TAP is a 3 port device; 2 ports are inline segment where you direct your traffic through. 3rd port is a port where all that traffic from inline ports is mirrored to. That 3rd port can then be connected to a PA TAP port. Of course these network taps are scaled and sized by throughput, number of ports... etc       ... View more

@AdamCoombs Traffic between 2 PCs within same broadcast domain pases only through a pair of layer 2 ports on switch (if we simplify things a bit). Options to see this traffic are: - mirror port (which is not an option in your case), - inline pair of ports for each host on network (which is not realistic), - some endpoint client on these PCs (with host IPS functionality)     ... View more

@jambulo The problem in this case is getting the traffic to the PA first. PA can do a great job analysing the traffic it sees. ... View more

If PA is in L3 mode then it will see only traffic travelling between networks configured on that FW. Local traffic within same broadcast domain will never reach FW. You would need SPAN/TAP ports for that.   ... View more

Tho if you have PI public address network just use PI address for NAT? ... View more

Use Dynamic IP and port with Address type 'Interface Address', (Inerface setting with correct interface selected) and IP address valuse set as none. ... View more

I would suggest one (or more) of PA customers to contact PA about this then.   For you i'm afraid I don't know what is the correct path to contact PA about this issue. Some PA employess also visit these forums, maybe they will be able to provide more info.       ... View more

Go to https://support.paloaltonetworks.com with same credentials. Then Tools->Case management and open a case. Or contact the partner who sold you PA if you have partner enabled support.     ... View more