About santonic

Yes, you can have both interfaces in the same security zone. And then make rules based on security zones.   ((but you can't have same interface in multiple security zones)) ... View more

Seems like an authentication issue for phase 1. I'd check following things for phase 1: - if both devices support IKEv2, (or just select IKEv1 on your side and see if it work) - check authentication settings; local ID and PSK (or certificate and DNs for certificate authentication.) ... View more

I agree. But in this case this wouldn't be really useful. Or it would be risky at least. Because when removing objects (zones, network objects, apps..) from security rules you have to check each rule carefully. Because if the object you are removing is the only one in that field, after removing it the value of that field would become 'any'. So you could make huge holes in your FW policy when automatically removing objects from policies.     ... View more

What's session end reason?  ... View more

Yeah, it's hard to know what will be reocgnised as an application and what only as a web-browsing to a specific URL like you ecperienced with your 'gambling' testing.   I believe both of your 2 options would work with some additional configuration. In rules where you are allowing web browsking and applying URL filtering options, set application to 'any' and limit service to port 80 and 443 (and maybe 8080). But also make an additional rule above these web browsing rules. In this rule block all unwanted application, preferably with application filters (gamin, remote access, file sharing...).   Maybe it's not ideal solution but it should work. I'm also interested to hear how others are combining URL filtering and application policy for web browsking traffic. ... View more

Get the right CLI syntax, edit it in some text editor for all the rules you need and paste it into CLI. ... View more

PA has monitor object which does something similar: - disables tunnel interface when it's applied on IPSEC tunnel when some destination isn't reachable - disables PBF route  when some destination isn't reachable   But unfortunatelly it can't be applied to a network interface.     ... View more

You don't gain anything by running active-active. There is some extra overhead with session setup. And you shouldn't utilise it above 50% anyway because in that case a single device won't be able to process traffic in case when one fails. So you have no HA with that.     ... View more

For active passive PA you need same licenses on both devices (if you want same functionality for both cluster members). Licenses for HA pair are a bit cheaper. Unofrtunately you already bought licenses for your current device at full price, but the licenses for second device will be slightly cheaper.   There is also alternative without 2 sets of licenses. It's called On-Site-Spare. In that case you have 2nd device in (cold) standby without licenses and when primary device stops working (and support can't solve the issue) you transfer licenses from original device to OSS and switch cables to OSS device.     ... View more

I mean to get an esitmate of all traffic flowing through your FW and compare it to device specification (like PA-500 has 100 Mbps threat prevention throughput).  Yes, session info will give you current throughput. But to monitor it over longer period of time it would be a good idea to monitor it with some tool like Cacti or whatever monitoring tool ths company is using.   ... View more

In that case check the actual throughput and compare it to your platform limits. You might need a bigger box. ... View more

Did amount of traffic suddenly increase?  ... View more

Hmm, duplicate identities in Live Community? Above post i posted earlier but it didn't go under my account 🙂 ... View more

It's concurrent sessions.  Or with other words: the number of sessions at specific moment. If you are at 100% a new session coming through FW won't be established. Current sessions won't be affected. Once an existing sessions timeouts/disconnects.. FW will be able to establish a new session.     ... View more