About Remo

Hi @timgowan   Unfortunately this isn't possible ... at least for now. With Panorama 8.1 there might be something that you're asking for: "With device health monitoring, Panorama provides a deployment-wide view into the health and status of your next-generation firewalls." Source: https://www.paloaltonetworks.com/products/new/new-panos8-1 Of course this requires that you use panorama...   Other possibilities are if you monitor the CPU and RAM usage (and maybe also session utilization) with snmp. With these values you can then build the automation to spin up new firewalls automatically when they are needed. ... View more

@Justin.Abendroth QoS Policy rules based on URL categories are possible: https://www.paloaltonetworks.com/documentation/80/pan-os/pan-os/quality-of-service/qos-concepts/qos-policy ... View more

Hi @nawaza   Yes, "Force Template Values" will override local settings and the orange cogs change back to green.   Regards, Remo ... View more

Hi @itserviceHEWA   @itserviceHEWAwrote: So here is my question:   For us, it is critical that both HA members will be active (split brain), because firewall A has to handle traffic from company A and firewall B hast to handle traffic for company B until the HA links recover. Will this work like I suggest?     Yes, this will work as you suggested. As long both firewalls know nothing about the other they both assume that they have to be "active" and handle traffic.   @itserviceHEWAwrote: And the next question:   When recovering from split brain (wich we need to force), which device will sync its log entries to the other or are both logentries  will be brought togehter (wich would be the perfect thing).   The logs aren't synched at all. For such a situation you would need addfitional servers to store the logs. An option would be panorama. During the split-brain you only have the logs from one firewall (in case of one panorama), but after the split-brain the firewall that lost connection to panorama will send all the missing logs to panorama. Syslog servers are also an option but then you would need at least 2 syslog servers and something that has the intelligence to keep then in sync after the split-brain. So probably panorama is the easier solution.   @itserviceHEWAwrote: Are there any other concerns about recovering from split brain?   Is the split datapath option in HA needed, although it is pointed out only to use in A/A deployments. (The option would be available in A/P deployment)   In your situation you don't need to worry about this option. As I wrote, as long as the firewalls don't see each other both will automatically become active. But when recovering from solit-brain some connections might need to be reestablished - probably the ones on the firewall that becomes passive after the split-brain.   Regards, Remo ... View more

Hi @pasmartin   You could create a custom URL category where you configure the URLs you want and then attach this custom URL category directly into the securitypolicy (not in an URL filtering profile). This way the rule allows specific access to the configured URLs.   Regarding the general user. It's a possibility with advantages and disadvantges, but in general it matters how the firewall gets the User-ID information. If you have a captive portal then is easily possible to have a generic user. But obviously you then have to give this one account to multiple users. ... View more

Create an any-any application override policy Create an any-any-allow security policy without adding any profiles Do not add any zone protection profiles to the zones Create your required NAT policy Have fun with your pretty expensive NAT router 😉 ... View more

The way back is only a unicast which the PA (with DHCP relay agent) then forwards to the right device based on the mac address ... View more

Hi @Alex_Samad   On the first PA you need to configure a DHCP relay agent (https://www.paloaltonetworks.com/documentation/80/pan-os/pan-os/networking/dhcp/configure-an-interface-as-a-dhcp-relay-agent) This DHCP relay agent keeps track of the received DHCP requests to that rhe unicast reply from the DHCP server will find its way back to the device which sent the broadcast request. ... View more

This should work, yes. Details on how to configure the RADIUS part on the firewall can be found here: https://www.paloaltonetworks.com/documentation/80/pan-os/pan-os/authentication/configure-radius-authentication#id01590369-93b6-48be-8928-eac0ade51d5d   ... View more