About Remo

Another reason for vsys instead of only routing separation is when you have multiple customers obviously with multiple domains. With vsys you're able to completely separate the user-id part. So you don't have all user-to-ip-mappings in one big table. Also the logging or specially the reporting part gets easier in this situation. It's also possible to customize response pages per vsys ... and many many more. But in general it's like @BPry wrote. The advantage of having multiple virtual firewalls instead of multiple physical devices. ... View more

What login option is your default? Which one is chosen when the first login fails? ... View more

Hi @rjdahav163   Because you're adding a new firewall I would recommend to enable multi vsys first. But in general there is no recommended way here. Both ways bring you to the goal. ... View more

I haven't any shared gateway configured on our firewalls. But the logs should be in the thread log if you have assigned a Log forwarding profile to the zone. And in the Monitor tab you probably have to select all virtual systems to view these logs, as they are not assigned to specific vsys ... View more

Hi @aleksandar.astardzhiev   I don't know exactly if this way would make problems with the encryption domain. But you could go the other way. Add 0.0.0.0/0 to the firewallconfiguration (or remove the entries completely to get full-tunnel configuration) and implement a script that adds routes for networks that need to communicate directly. In your case you probably need to rebuild the routing table completely because you want most of the traffic to go directly. So your script could add routes for Office365 and your internal networks to the tunnel and change the default route to go direct.   An example was already made by PAN here: https://www.paloaltonetworks.com/documentation/scripts/windows-exclude-traffic-from-tunnel.html   Regards, Remo ... View more

Your guess is right. It is not possible. At least not with paloalto. Technically I think it is possible for inbound decryption . ... View more

@BPry You probably have the ruleset(s) I'd like to have. But don't forget to specify also the "url category" column to get a rule without "any" 😉 😛   But unfortunately it heavily depends on the customer ... user-id? "Yes please, but as a nice to have not a must" ... app-id? "Just go with port 80 and 443, because we don't wan't to upset our employees" ... Anyway, I think it definately isn't that critical if you have any in the rules at least for general client access rules (active directory, exchange, fileservices, ... , internet) (->with strict source routing enabled in ZP profile, I don't see a reason for specifying addresses when you want to allow this whole zone to access some ressources)     ... View more

Hi @Curt_Wilson   What do you have configured in the portal config - app tab and then at the tunnel rename setting? If you have "-1" there, the pre-logon tunnel should be reassigned to the user without opening a new one. ... View more

Hi @CHammock   It is supported ... with some limitations (as you already saw in the commit warning) https://www.paloaltonetworks.com/documentation/80/pan-os/web-interface-help/network/network-network-profiles-zone-protection/building-blocks-of-zone-protection-profiles#id463e1210-c858-4712-8d34-66b5fb587c2e ... View more

Hi @alexander.Astardzhiev I have to say that I did not test or implement this by myself, so there's no guarantee ... But I think there could be a solution ... you just have to think a little outside of the box (the PAN firewall) 😉 ---->Post VPN Connection script<---- With a post vpn connection script you could modify the routing table with the script. With that script there are multiple ways to do it. First you could statically add the routes of office 365 into that script. Second way is to pull the xml from microsoft with the script and you allways have the current office 365 networls routed to the global protect vpn tunnel. And the third way would be to host a list of networks on an internal server in your or your customers network. This way you could control what will be routed into the tunnel by editing a simple texrfile somewhere. Of course the post vpn connection script would also need to pull that list to make this work. At least worth a try... Regards, Remo ... View more

Sounds like you have enabled the setting "enforce GlobalProtect Connection for Network Access" ... View more

Step 1 to 3 from your list Commit to panorama Export device config bundle. Choose only export Go to the CLI of the firewall into configure mode and enter "load device-state" Do a configuration push from panorama and check the option "merge with candidate config"   This works perfectly fine for single firewalls. For HA clusters there are some more steps ... ... View more

Hi @s.williams1   Are you sure that your CA cert is a SHA256 cert on the firewall? Or did you sign your CA cert with an intermediate CA instead of the root?  Chrome should not complain about SHA1 as root cert (at least not now). Chrome only gives you this error when there is a SHA1 CA which is not the root.   Regards, Remo ... View more

(with Panorama and templates it is possible to set these values different on each clustermember) ... View more