About Remo

I have never configured it with a /8 subnet, but at least with a /24 subnet NAT will match the last octet. So I would assume if it even works with a /8 subnet, the firewall will try to match the original packet. ... View more

@Amory Does the reverse lookup work and resolves to the fqdn that you configured in the internal host detection? How did you configure the internal gateway? Do you have there enabled tunnel mode (which shouldn't be done on the internal gateway)? ... View more

Hi @Jedi_D   You could configure all the things you want to change. Then you export the candidate configuration and revert to running configuration. And then out of production hours you import the previously exported config and commit this one. This makes sure that no other admin accidentially commits your configuration. If there isn't another admin that can commit, you can simply configure everything, save it and commit the changes at the time you want. ... View more

Hi @MYNAGHI   Do you have decryption enabled? Is it allowing youtube from this android device generally or ony from the youtube app but not within the browser? Did you check the URLs that are logged when this android device connects to successfully to youtube?  With these URL logs you will be able to create a custom URL category to also block this access. If you don't have a URL filtering license, you can also do a packet capture and search for tls handshake packets to see there the FQDNs that you need to block. ... View more

Okta IP adresses you can find here: https://support.okta.com/help/Documentation/Knowledge_Article/Configuring-Firewall-Whitelisting-89944588   Quite a few, but it could work to configure all of them as global protect routes ... View more

Hi @Bhattman   Does company A really have assigned a /8 subnetmask to the servers or is it a little more segmented? And if yes are the networks directly connected to the firewall or is there a router between the dmz networks snd the firewall? ... View more

@david.alicea do you may be also block access to the domain controller for this deny group? ... View more

I feel your pain with the 850s. What PAN-OS version is now installed on yours? ... View more

@RyanJohnstone wrote: Is this set under the destination tab of the service route configuraiton? Yes ... View more

@RyanJohnstone You could try to set a custom ip based service route which routes traffic to your internal webserver out of the internal interface. ... View more

The differences are: Agentless UID Agent does not support Nebios probing Agentless UID Agent requires less bandwidth for reading DC logs as only the required event IDs are transfered compared to the UID agent which reads the whole security log Agentless UID Agent has a max. of supported DCs for querying per HW platform and you need to keep in mind that too many DCs could have an impact on other functions like dynamic routing, logging and other processes that run on the management plane When you had these user-ip-mapping-update problem, it could have been related to the configured log reading frequency. I always configure this value to 1 second, because we also rely on fast updates in order to make some access possible. If you configure this value also to 1 second you should have the data pretty fast, as the agent sends updates to connected firewalls - the firewall does not have to poll the agent to receive the updates.   In your highly distributed AD design you need do make sure that you connect to all DCs to always have the latest mappings and even more important to get the mapping as soon as possible after a user logs in.    Because of that I would still try it with 2 agents that query all the DCs. This configuration should work and you have low-complexity-straight-forward config of the agents which you can distribute to all firewalls with a template and you do not need to configure various UID redistributions back and forth between your firewalls. As you don't absolutely trust the connections to the sites you could configure the site DCs on every branch firewall to continue to have updated ip-user mappings even when thw WAN connection goes down, but this one you probably don't need to redistribute to all other firewalls as it isn't that important to have this mapping when the connection is down anyway. Simply configure a timout of the mappings of about 4 or even more hours and it should be good (as long as the users are mostly static on one computer / IP).   As I already wrote, panorama is an alternative, pretty good one actually in your case. You could use the agentless way and keep all firewalls in sync with the redistribution. Here I only assume that this way also works with pushed updates and nit polling, but I never tested it by myself. And if you require the redundandency as you mentionned, you also would need a HA panorama. If you already have that - go for it 😉     ... View more

This one I did not know (I am planning actually to do the same with an 80G AE Interface). So as soon you have QoS enable the max total bandwidth you can specify is 40G? But you can have multiple 40G channels and so you can also have multiple 40G QoS configurations?  ... View more

The advantage of applying QoS on the egress interface is that at that time paloalto already knows a lot about the traffic that it is processing (specially the app) so it gives you the possibility for very granular bandwidth limitations per app/app group/app filter group... ... View more