About HULK

You are welcome. Let us know how it goes :smileygrin: Thanks ... View more

FYI: How to Receive Email Notification for Community Announcements Thanks ... View more

Hello greeng, The above mentioned setup will work fine if you are running internal servers on different port. For an example: External                                             Internal mysite.org - xxx.xxx.67.18 Port-80         >  192.168.1.20 -port-80 mysite1.org - xxx.xxx.67.18  port-8080      >  192.168.1.21 -port-8080 mysite2.org - xxx.xxx.67.18  port-443      >  192.168.1.22 port 443 NAT/security policy should be configures as mentioned below: Name: mysite.org (outside) - FQDN: mysite.org Name: mysite.org (inside) - IP Address: 199.168.1.20 NAT Policy ----------------- Src: untrust Dst: untrust Src Addr: Any Service: http/https or custom service Destination Addr: mysite.org (outside) Dst Addr Translation: mysite.org (inside)/192.168.1.21/192.168.1.22 Security Policy ------------------- Src: Any Dst: mysite.org (inside) Hope this helps. Thanks ... View more

Hello Satish, You may try below mentioned CLI command. The VPN tunnel will negotiate the keys after the time expires ( ike-24 hrs, ipsec-8hrs) > show vpn ike-sa gateway XXXXX > show vpn ipsec-sa tunnel XXXXX  ( will get the tunnel id) > show vpn flow tunnel-id XXXX Thanks ... View more

Hello Satish, Could you please try to remove cache from the data-plane: > clear url-cache all It looks the data-plane still having the wrong mapping. Thanks ... View more

Just an heads-up, if you have any internal server to access from LAN: How to Configure U-Turn NAT Thanks ... View more

Sure :smileygrin:. Take your time and let us know the result. Thanks ... View more

Hello Satish, Both PAN-DB and Bright-cloud is categorizing as  "travel". Hence, i would suggest you to clear the URL cache from you PAN firewall. > clear url-cache url <URL> > delete dynamic-url host name > test url  mytravelaffairs.com A similar doc for your reference: How to Handle a URL Miscategorization Hope this helps. Thanks ... View more

Hello Niuk, You can check the real time session in the CLI by using 'show session all filter source IP_ADD_OF_THE_TESTING_PC destination IP_ADD_OF_THE_DESTINATION'. >  If there is an session exist for the same traffic,  then please apply  CLI command PAN> show session id XYZ   >>>>>>>> to get detailed information about that session, i.e NAT rule, security rule, ingress/egress interface etc. >  verify the global counters, if a specific "DRP" counter is increasing rapidly. The command show counter global provides information about the processes/actions taken on the packets going through the device; if they are dropped, nat-ed, decrypted etc.  These counters are for all the traffic going through the device and are useful in troubleshooting issues; like poor performance, packet loss, latency etc. It is advised to use the command show counter global filter packet-filter yes delta yes in conjunction with filters to obtain meaningful data. For more information, you can follow the DOC What is the Significance of Global Counters? > You can enable FLOW BASIC feature to understand the exact reason behind the failure: > debug dataplane packet-diag clear all > debug dataplane packet-diag set filter match source  IP_ADD_OF_THE_TESTING_PC destination IP_ADD_OF_THE_DESTINATION > debug dataplane packet-diag set filter match source IP_ADD_OF_THE_DESTINATION destination  IP_ADD_OF_THE_TESTING_PC > debug dataplane packet-diag set log feature flow basic > debug dataplane packet-diag set log feature tcp all > debug dataplane packet-diag set filter on > debug dataplane packet-diag set log on ~~~~~~~~~~~~~~~~ Initiate traffic ( try to access the management interface) ~~~~~~~~~~~~~~~~~~~~~~~~~ > debug dataplane packet-diag set log off > debug dataplane packet-diag aggregate-logs > less mp-log pan_packetdiag_log.log For more information, you can follow the DOC: Packet Capture, Debug Flow-basic and Counter Commands Hope this helps. Thanks ... View more

Hello Niuk, There is a feature request has been already submitted for the same. Description:Wireless (WiFi) for Low-End Appliance FR ID: 3323 You may contact with your PAN SE ( sales engineer) and he will vote on behalf of you. Hope this helps. Thanks ... View more

Hello Madan, Did you mention specific source and destination IP address on that new NAT policy...? Ideally, this NAT policy should not impact your other traffic. Thanks ... View more

Hello RyanF, Since PAN firewall is having multiple options ( based on available licenses) for a deeper packet inspection, hence PAN does not have any recommended security settings. But, you may refer below mentioned documents for individual security features. What are the Data Filtering Best Practices? Amsterdam Oct 2014 - AppID best practices config example  >>>>> you may need help from your PAN SE to view this doc. URL White List for SSL Sites Best Practices How to Configure WildFire Understanding DoS Protection Hope this helps. Thanks ... View more

But, that would be "dynamic IP and port" not "dynamic IP only"...? THanks ... View more

Hello MadanSudhindra, Don't use FQDN name, use the address assigned by the DHCP server in a static form. Thanks ... View more

Hello Paulo_Aun, You can achieve it through two ways. 1. Write a script on Server to pull/scp/tftp configuration from Firewall. ------------------------------- >tftp export configuration to  <tftp host> >tftp import configuration from <tftp host> >scp export configuration to <username@host:path > >scp import configuration from  <username@host:path > ------------------------------ 2. OR configure panorama to have scheduled back up:How to Schedule Configuration Export on Panorama? A similar discussion for your reference:Backup Configuration of a PA-200 Hope this helps. Thanks ... View more