About User_333

In vWire, packets will (according to documentation) always leave the same box which received the packet. If the other box is responsible for L7 processing the packet will be sent trough HA3 to the other box for L7 processing. After this, it is either blocked or sent back to the first box trough HA3 which will send it out the other side of the vWire. In no case (bugs excluded), a "vWire"-packet will leave the data interface on the other box. With this, it is guaranteed Paloalto wont generate a loop since it behaves like a cable.   Sorry, currently no clue why this could be happened.  ... View more

ASA did no failover/split-brain during this change? ... View more

Moving an Object (at least Address, Service, Region Objects) from a device Group to "Shared" is possible trough the GUI the follow way: - Navigate to Objects -> Address - Choose Device Group which contains Object - Select the Address (could also be more than one at the time) - Click on "move" at the bottom (next to add/del) - Popup will be there to choose the new Device Group or "shared"   I never tested to move from "shared" to a device group, but i think it should work.   Important: You will get an error if you move e.g. a device group to shared if not all objects within this device group are already shared.   Works with Panorama 7.1 ... View more

If your side gets this "timeouts" log entries it would be interesting to see what the logs on the other side are (if its possible to get them). ... View more

Yes, it's definitely not needed to INSTALL 4.1.0 in front of a upgrade to 4.1.2. The only requirement is a downloaded 4.1.0 Firmware. This is described in the Admin Guide (Page 38) too: You must have a base image downloaded before you can install an update  version. For example, you must have 4.1.0 downloaded (not installed)  before you can upgrade your 3.1.9 device to 4.1.4. ... View more

Looking at Wikipedia isn't always helpful. E.g. if you are looking for allowing icmp-echo-requests, the app don't contain icmp or echo, it's the ping app. So I am looking for TCP-9000. Wikipedia shows me three entries and the third one (SqueezeCenter) is the one I am looking for. Applipedia  don't contains something with "Squeeze" which leads me to the question:  Is this app supported or is their just a different name? It seems,  without testing you will never find out. ... View more

As described, we have some VPN tunnels which allows any traffic (Proxy IDs 0.0.0.0/0). With this, we have a GRE-Like Encrypted tunnel. With VPN, there are always a lot of NAT configuration which could be wrong. Since the administrators on most of our remote sites aren't big companies, there usually don't have big knowledge in special NAT configurations. So, they are sometimes wrong and on a Zyxel (or similar) firewall, it is not easy to debug. Sometimes they even struggle on the routing part. An easy way to find configuration issues on the remote firewall (if you don't have access to it), is looking at the traffic which is coming from this VPN.     Routing Issues -> No Traffic at all     NAT issues -> Traffic with wrong source/destination IP If you can do a filter on outgoing interfaces, it's also an easy way to check if my NAT is correct. As described, I am looking for traffic which is not as expected. So, i am not able to filter it based on IP information. And for a setup like "each VPN has its own zone" (so I can filter based on Zone) the Paloalto doesn't support that much zones as we have tunnels. ... View more

Isn't it possible to upgrade directly to 4.1.2? Why is this intermediate step to 4.1.0 needed? ... View more