About davanderson

There are some settings we recently ran into that did not take effect until we cycled the template button on the firewall.   Here is an example:   Device Tab >> Setup >> Interfaces There are settings assigned to allow management from specific IP addresses on the Management interface. These settings are pushed out via Panorama and a device teamplate.    When we logged into the firewall and went to the same place, the  "Permitted IP Addresses" list had our previous entries.  We had to toggle the gear button "On" to allow the device template settings to override the values we had configured previously on the FW.  It looks like that is a protection to prevent you from doing something silly and losing your initial values.     ... View more

As nice as this is what would be really great...   ... wait for it ...   Palo Alto Networks - you mainain the list of objects for Microsoft.  Then when you update definitions every night (or sooner) you just update our firewall. This would allow you to run the MineMeld and handle the back end stuff.  We don't do this for other protections (AV, Malware, Wildfire, etc...) why would we do this for another definition? ... View more

AWS (and Azure) is not all rainbows and unicorns.  These companies have taken standard products and have slapped a web gui over the top of them to make their cloud systems.  We often find many issues with compatability or settings that should work that don't because of the GUI overlay.  If you work within their boundries to perform basic functions - you will be fine.  If you want really advanced stuff - you may have issues or limitations. ... View more

I like the way you are approaching this option, but I would change the methodology slightly:   1) configure the new ports on the switch in your VLAN and wire it to the new ports on the firewalls (with the switchports SHUT) 2) setup the new FW ports as just standard members of the VLAN (untagged or access-port depending on your terminology) and push policy 3) when the maintenance window begins, SHUT the VLAN Trunk Interface on the switch,  NO SHUT the standard access ports 4) once you verify everything is functioning, remove the VLAN from the trunk ports on the switch 5) once you verify everything is functioning, remove the VLAN tagging from the FW ports and push policy   The roll back is a quick - SHUT of the new ports and NO SHUT of the old ports.   Very similar process to Joe, but slightly different focus. ... View more

Your routing becomes problematic in the design you are attempting with little benefit.  In both scenarios you have your data passing over the Internet inside of an IPSec tunnel.  In either method you will need to implement a dynamic routing protocol to have an automated method for path selection.     Also keep in mind that when you have the VPN tunnel on the Internal FW, you will need to setup dynamic routing from your core LAN switch to the FW.  Otherwise the Firewall will always pass traffic between servers over the VPN tunnel and it won't use the MPLS.   In this example we summarize each site with /16 subnet routes.  These are static routes on the LAN-SW and the Servers-FW.  This will allow traffic to cross the VPN if we lose the Dynamic MPLS routing.   The LAN-SW's at each site will learn a more specific /24 route for the remote office networks and this will be a more prefferred path.  Traffic will normally use the MPLS network from site-to-site.   When your MPLS dynamic routing stops (due to circuit or router failure) these specific routes disapear and the next best path are the /16 static routes.   Also remember that all of your FW rules will need to be built with the new VPN tunnel zone as a source or destination on the Server-FW's at each location. ... View more

You would normally have a dynamic routing protocol setup to allow traffic from one site to another via your MPLS network.  Then you can easily use your default route to send traffic to the Internet firewall for your backup VPN tunnel.   This is an example of how a network would likely be setup to serve the function you describe.  When the MPLS goes down, you lose the dynamic routes and the VPN kicks in.   ... View more

Hello Ryan,   Here is a guide for best practices on the PA upgrade process:   https://live.paloaltonetworks.com/t5/Featured-Articles/Best-Practices-for-PAN-OS-Upgrade/ta-p/111045   Section 4 outlines the process you are looking for.  After your backups and testing / validation the process is essentially this:   = = = = = = = = = = = = = = = = = Suspend the Primary Upgrade the Primary Reboot the Primary Resume the Primary = = = = = = = = = = = = = = = = = Suspend the Secondary Upgrade the Secondary Reboot the Secondary Resume the Secondary = = = = = = = = = = = = = = = = = ... View more

Hi Andrew,     You don't need to install the intermediate software updates and can go to the latest version.   Please keep in mind that if you are going to upgrade your firewall from one major version to the next (say version 7.x to 8.x) you will need to download the base image for the major release before installing the patch fix.  (You don't have to install that base version, only download it.) ... View more

Interesting question.   Back in 2012 - this was not an option.  You could only go like for like hardware.   https://live.paloaltonetworks.com/t5/Management-Articles/How-to-Save-an-Entire-Configuration-for-Import-into-Another-Palo/ta-p/61476   I would suggest a command line migration.   I prefer the "SET" command line commands.  Dump the full 500 series configuration to text file via the SET language.  Then modify the configuration to match your interfaces and then paste it back into the 800 series unit.    Tera-Term pro has an option to allow you to limit the number of copy/paste lines per second.  Bump that up to 1 command every 500ms and this should allow you to paste the entire configuration in one go. ... View more

This isn't a function of the VPN client, but a function of your usage.  If you connect 2,000 people and use RDP @ 250Kbps then you would need a 500Mb connection (assuming they are all using this steady amount of traffic all at the same time).  If you have people using various applications such as Word, Excel, Outlook it will vary.  I would suspect that a 200Mbps Internet circuit would be fine.  Note:  This is a dedicated business class service from an actual ISP (such as Level3) and not a cable company or home user type service (think Comcast/TimeWarner or Verizon Fios).   I've never had to limit user speed on the GP vpn.  I don't see an easy option. ... View more

This is definately an area that could use attention.  There are over 2,000 threads when I search in the forums here.  That is pretty significant number.   ... View more

Matching the syntax of your accounts and groups is crucial for LDAP requests.  You can find the proper synatax for your user or group by using the "Distinguished Name" field in "Active Directory Users and Computers".   Open up "Active Directory Users and Computers" and right click on your root domain.  Choose the "Find" option from the pop-up menu.  From the drop-down menu "View" select "Choose Columns" and then add the column for "Distinguished Name".   Search for your account.  In this example we have a user with the word Palo in the name.  The search box will show you the syntax for an LDAP query (example: CN=xxxxxx, OU=yyyyyy, DC=com).  This will have your specific information required for the Palo Alto.   ... View more

This has become a royal pain in the backside.   It also seems like a great way for Palo Alto to make some $$.  Be the first FW vendor to maintain public cloud lists and allow customers to use PA objects for services such as this. ... View more

You can run your command to export the configuration on the Panorma appliance (just like you did on the FW).  I would export both the Panorama and the FW. ... View more