About Raido_Rattameister

As you need QSFP28 transceiver to Cisco side you should check with Cisco reseller.   https://www.cisco.com/c/en/us/products/collateral/interfaces-modules/transceiver-modules/datasheet-c78-736282.html ... View more

If you go to Panorama > Managed Collectors > Statictics then what number do you see behind "Detailed Firewall Logs" field? ... View more

One option to free up space is to keep smaller number of Dynamic Update versions on the box.   > show max-num-images Maximum images to keep is set to 5   To change the number stored to a minimum of 2. > set max-num-images count 2   https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PLSJCA4 ... View more

Skipping version during upgrade is not available before 11.0. https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-new-features/management-features/skip-software-version-upgrade   By "content version 401 or higher" it means dynamic update under "Device > Dynamic Updates". As PA-200 is EOL then it is not available any more.   Best you can do is to use it as-is as a regular layer 4 router/firewall. Nothing else. ... View more

For DNS Sinkhole to work it is enough to have it configured only on 1 rule - domain controller to Internet. But in this case also make sure that all devices actually have domain controller set as DNS server. Not having Anti-Spyware configured for all outgoing policies you will loose DNS Security protection for devices that connect to Internet hosted DNS servers.   Best would be to also use DNS Proxy to make sure infected internal device is not trying to bypass URL categorization by having hardcoded IPs. ... View more

If firewall is end of sale but not end of life yet then you can get antivirus and IPS updates. 5050 is end of life so no antivirus and IPS updates for it any more. ... View more

Enable DNS Security in Anti-Spyware profile. Attach Anti-Spyware to all policies that apply for traffic where you need to identify infected hosts (ideally all). ... View more

PA-5050 is end of life from January 2024. It does not get any updates any more.   https://www.paloaltonetworks.com/services/support/end-of-life-announcements/hardware-end-of-life-dates ... View more

I would take packet capture as next step to see what happens during session drop. ... View more

This solution adds additional "Change Gateway" droppdown. If it is not visible it means your agent has not refreshed config from portal yet. Click on hamburger menu in GlobalProtect agent (3 lines top right) and choose "Refresh Connection" to force config sync from portal to agent.   Adding second portal is more cumbersome to the user but can be done from agent itself if needed. ... View more

No you do not miss any functionality. ... View more

Gateways can be added under: Network > GlobalProtect > Portals > Portal-Name > Agent > Agent-config-name > External     ... View more

As your Palo don't have access to public IPs you will configure GlobalProtect on interface with IP 10.254.10.2. In public DNS you need to use real (public) IP for GlobalProtect record. ... View more

You create only 1 portal. Run it on DMZ interface (2x ISP IPs natted to that DMZ IP tcp/80, tcp/443 and udp/4501). If your users are ok to add https:// manually in front of the portal to access portal address then 80 is not needed. Otherwise Palo will automatically redirect 80 to 443. Set up 2 A records pointing to 2 different ISP IPs (so DNS resolution gives back 2 IPs for same portal). Agent picks one of those IPs randomly to connect to portal.   For gateways you set up 2 separate DNS records vpn-isp1.company.com vpn-isp2.company.com   Run gateway on same DMZ portal natting public IPs to DMZ IP. Portal config hands out 2 gateways to agents.   Agents perform latency test and connect through ISP that is closer by. ... View more