About hshah

Hi Hndorf, PANW do not support SPAN, at max you can do packet capture on the interface. There is a open Feature Request for the same. Contact SE to vote for you. Priority: Medium FR ID: 1307 Regards, Hardik Shah ... View more

Hi Ajbool, When user tries to login, firewall sends credentials to AD for verification. So, AD should have that log in security logs. Regards, Hardik Shah ... View more

Hi Randy, I am rephrasing the question, correct me if I am wrong. Question : How to find out unused GP users for last 21 days? If that is the question, you can not readily pull out that information from Firewall. However, system logs have information about GP user login/logout activity. You should forward it to syslog server. And do the analysis from login/logout logs. Let me know if that helps. Regards, Hardik Shah ... View more

Hi Darrent If you are not interested in "Certificate based" Authentication than, following document is useless. https://live.paloaltonetworks.com/docs/DOC-5229 In your update it seems you are looking for AD based authentication, than configuration is much simpler. You just need following change in existing GP configuration. Let me know if this helps you. Regards, Hardik Shah ... View more

Hi Pdv, Make sure you havent used subnet mask in NAT policy, Normally it should be /32 mask in NAT policy. If its bigger sometimes it cause problem. Regards, Hardik Shah ... View more

Hi Nitesh, As of now there is no way to have mapping between IP and computer name, hence this is not possible. Closest thing you can do is users group based policy. How to Configure Group Mapping settings? I do not think this might be a valid Feature Request, because this is extremely rare requirement. regards Hardik Shah ... View more

Hi Nitesh, You are almost correct. Follow bellow instructions. 1.) Created new VLAN 2.) Created new VLAN interface (with L3-forwarding enabled) 3.) Placed new VLAN interface into appropriate security zone (L3-Trust in my configuration) 4.) Assigned new VLAN interface an IP Address (192.168.1.1/24 in my config) 5.) Configured 2 firewall ports as "Layer 2" and placed them into the newly created VLAN from step #1 Commit On the switch side, I created a vlan in a Brocade switch with 3 access ports.  I also enabled spanning-tree in this VLAN.  Of the 3 ports, 2 go to the firewall and one to a test laptop. In this configuration, everything works fine!  It takes 30-45 seconds to fail over, and about 15s to fail back - which is expected for standard spanning-tree behavior. For more reference refer bellow documents. Re: Redundant links interface failover on PA500 Regards, Hardik Shah ... View more

Hi Register, When you change order, you are supposed to hit Enter. Make sure you have done it. Make sure filter criterias are same for both asc and dsc. Let us know your findings. Regards, Hardik Shah ... View more

Hi Rsaber, Its possible through authentication sequence, kindly follow bellow document for authentication sequence. Configuring Authentication with Fallback Options Let me know for additional query. Regards, Hardik Shah ... View more

Hi Dwharam, Its possible through PBF. In PBF you can configure route failover upon ping response. Refer following document for PBF configuration, Page 5 has information on Path Monitor which triggers failover of route based on ping. Policy Based Forwarding Regards, Hardik shah ... View more

Hi Gafrol, HSCI has to be connected directly, it doesnt support L2 or L3. PA-7050 Hardware Reference Guide (English) Refer 15th page of above document. Its used for Hardware Redundancy and can be used for HA2 and HA3 interfaces. Regards, Hardik Shah ... View more

That is right Mackwage, Firwewall in aggregate, and it goes to stand alone port of Switch. And it will work just fine. Let me know if my answer is Helpful. ... View more

Hi Mac, On the switch there is no Etherchannel, its an individual Ethernet Ports. Aggregate interface exist on PANW Firewall. You can leave it to default as its outgoing traffic from firewall. It doesnt matter which switch recieves it. Regards, Hardik Shah ... View more

And Inteface on the firewall should be aggregated interface in L3 Mode with an IP address. ... View more