About rnitz

While migrating objects and rules to Panorama, make sure you are either rename the new objects and rules in Panorama or delete the old local objects and rules on the device.  The reason is that Panroama will be unable to push objects or rules named the same as objects and rules that already exist on the device. ... View more

The address group limit for the PA-500 is 250. ... View more

I'd like to address some of the issues without addressing all of the individual issues. There are two reasons to upgrade to a new major release: 1) New features that have been added. 2) Fixes that will not be back-ported to the previous release. Depending on the code changes, not all fixes can be back-ported. For a description of the new features offered in a major release, please refer to the release notes and consult the Admin Guide for more detailed information. The best place to find what is fixed in a maintenance release is in the release notes. 4.0.2 is proving to be a very stable release with no significant stability issues. In regards to mthomasson’s specific questions on https to the management interface, QOS and IPSEC: "HTTPS not working on the management interface after the upgrade”.  The workaround for this issue is to enable http on the Management interface before the upgrade.  Then after the upgrade attempt to log into the WebUI using HTTPS.  We do have a known issue with some certificates.  If after the upgrade the web UI does not come up, log into the PAN using HTTP.  Then, Go to Device Tab -> Certificates and open the certificate used for the web UI.  The Usage column will be labeled "Certificate for Secure Web GUI".  Deselect the check box for "Certificate for Secure Web GUI".  This will cause the PAN to use the default certificate included with the web UI. I believe the QOS problem mthomasson is referring to might be from the following Knowledgepoint entry: https://live.paloaltonetworks.com/message/5782 This entry mentions that Support told the user to turn off QOS until 4.0.2 was available.  This specific issue is caused by QOS profiles that include "any" in the source and destination zone fields, this is an issue that exists in 3.1.X and can also affect IPSEC.  Customers can work around this issue by specifiying the source and destination zones in the QOS policies instead of using "any". I am verifying that both the certificate issue and the QOS policy issue are fixed in 4.0.3 and will confirm tomorrow. ... View more

With snmp you can monitor CPU load, Session statistics and interface statistics.  Here is a link for the Palo Alto Networks MIB file https://live.paloaltonetworks.com/docs/DOC-1005 The CPU load and Interface statistics is straight forward to monitor with Cacti.  In the Cacti Console page, In Devices, under Associated Data Queries, you'll need to add "SNMP - Get Processor Information" and "SNMP - Interface Statistics". This will at least get you started.  I have not configured monitoring for Session statistics and we do not currently have Templates for Cacti. ... View more

Yes, you can assign the same vlan tag to different interfaces like you are showing.  But if these interfaces are assigned to the same virtual router, they can not have ip addresses in the same range.  Or, if the ip addreses are in the same range, these interfaces need to be assigned to different virtual routers. ... View more

No, there really is no way to do what you are trying. By adding site.domain.com/ to the allow list, it will allow all queries for items to the right of "/". The only workaround is to create a new security policy for the source IP addresses that the monitoring site uses and either allow all http traffic for that site or create a new URL filtering profile for this new security policy. ... View more

I don't believe there is a Doc.  It is relatively straight forward. Edit the interface you want to use and choose PPPoE.  You will now see the PPPoE options.  Enable PPPoE and enter the username and password.  If you need more advanced options there is a link just below the password fields to display the advanced optins. ... View more

The only thing that I can think of that would affect this is your security policies.  How are your security policies conigured?  Are you allowing all traffic through?  If yes, what is the authentication traffic detected as? ... View more

There is a document in the support website under Technical Documentation called "Layer 2 networking".  I'd suggest starting with this doc. ... View more

Since you are able to ping and telnet, this tells me that one of the services might not be working properly.  There was a known memory leak on 3.0.2.  If you are able to, I would recommend rebooting the device.  this will free up the memory leak issue and should give you the opportunity to upgrade to a newer version.  I recommend 3.0.10.  Or you should open a support case. ... View more