About hshah

Hello Khansen, Let me know for additional queries. Regards, Hardik Shah ... View more

Hello Infotech, Yes you are right, its just an cert error, and it will still work. There is a logic behind error. If user tries to access Site through IP and cert has FQDN than user gets warning that "He might be connected to wrong site because certificate has different CN(FQDN) name". Basically software is trying to inform user that he might be connecting to fake site. So, now user has chance to relook URL and certificate details to validate the same. Sometimes Hackers change DNS records. Lets say they change DNS record for bankofamerica.com and point it to their server. Now user is connecting to https://bankofamerica.com, he connects to hackers server. But hackers server gives certificate with different CN name. Now software prompts user to check certificate, based on certificate CN name he can determine its an attack. So its security mechanism. Regards, Hardik Shah ... View more

Hello Mackwage, Let me know if you need additional information. Regards, Hardik Shah ... View more

Hi Rrau, I didnt find any bug specific to 6.0.4 release. Regards, Hardik Shahax ... View more

Hi Darren, Any time any thing, also refer following documents for GP & IPsec in DUAL ISP. https://live.paloaltonetworks.com/docs/DOC-4500 https://live.paloaltonetworks.com/docs/DOC-6036 https://live.paloaltonetworks.com/docs/DOC-3376 https://live.paloaltonetworks.com/docs/DOC-3190 Regards, Hardik Shah ... View more

Hi Darren, It works in all PAN-OS.  Let me know for further difficulties. Regards, Hardik Shah ... View more

Hi Chris, You can give similar names to address object like "A_Obj_1" &  "A_Obj_11", that way it would be easy to change IP for Address Objects. Regards, Hardik Shah ... View more

Hello Adam, Here I have taken Example for  Ethernet1/9 as a port to be in VLAN1. 1. Delete Configuration for L3 Ethernet Port. 2. Create L3 VLAN, as mentioned bellow. 2. Change Etherenet 1/9 into Layer 2 Port. 3. Add Etherenet 1/9 into VLAN Likewise you can add more ports to same VLAN. Let me know if this helps. Regards, Hardik Shah ... View more

Hello Admin, Normally people do not use panorama to configure everything on firewall. So just one template and one device group works for them. But if you want to configure everything from Panorama than you you have to have two different Templates. With different Template you can also configure management IP addresses. So, if you configure management IP locally, then rest you can configure with just one Template on both the units. Regards, Hardik Shah ... View more

Hi Tiwara, Lets say Networks has following topology. Host---(Trust)PANW(VPN)----Tunnel----- Other End of Tunnel 1. Host send a Packet and it Hits Trust Zone of The Firewall. 2. There is a Policy Between Turst and VPN zone. If that policy has anti-virus, vulnerability, anti-spyware profile configured than Firewall will scan packet. If Policy doesnt have any profile, Firewall will not scan traffic. 3. Now After scan Packet Hits Tunnel and then sent accross the tunnel in Encrypted Format. NOTE: Firewall do not inspect any kind of encrypted traffic like SSL/IPsec. Lets say if Host send a packet with SSL header[means encrypted], than Firewall will not inspect it. Because firewall can not read content. [story is different is decryption is configured on firewall] Lets say if firewall gets pass through traffic for IPsec, still it will not scan it. Because its encrypted and firewall can not read it. Let me know if it helps. Regards, Hardik Shah ... View more

Hi Khansen, PANW-VM can work in following combination. 1. Enable Promiscous mode and also MAC address Change for that interface. 2. Disable Promiscuous mode and hardcode PANW-VM MAC addresses on ESXi Bottom line is you can never change MAC address of the VM. In this scenario I dont see any solution. Regards, Hardik Shah ... View more