About SuryaR

Understood.    IGW's are easy and Yes, you can create multiple portals and try to restrict "test-config" access only to a test account/user.  EGW's, would suggest to stand up a seperate GW/tunnel intf. just for testing, as routing will be affected if you try to use the same GW.    ... View more

Please try this and see if it works.   Download the desired GP version on your test PC from PA-software updates page. I have been using 3.1.6 and didnt find any issues(I should say I dont have complex environment/configuration). You can still connect to your existing Portal and GW with out disturbing any users.  However keep in mind that everytime you authenticate, a popup shows up saying an older version exists. Do you want to upgrade.? Just simply say no.   ... View more

Hi @acc6d0b3610eec313831f7900fdbd235   Thank you for detailed explanation. Understood about the recommendations.    My question:   How is this feasible in an enviroment if I have 50+(not including passive pair) firewalls .   I also thought panorama might be of help here. But in case, if a update is revoked and you try to push dynamic updates via panorama, it fails horribly.   For example: We have dynamic updates set  to check daily, with a threshold of 8 hrs.   709 was relased( threshold was set to 8 hrs ). After 8 hrs 709 is installed on every firewall. ~14 hrs later PA decides to revoke 709.   Next, all I can think of is panorama, I do check updates (I find 708 is latest/available). Awesome, lets try now to push 708 to all firewalls,. Panorama complains, the firewalls have better version than what it am trying to push.  EPIC Fail...!!! Only thing I can do is to Login to every firewall and push it back to 708 or wait for 24 hrs before the firewall updates itself.    My 0.02$  is PA should make emergency and regular updates different in the dynamic updates tab, rather than combining them and pushing them once, just how checkpoint does. Hope I made sense.    ... View more

Thank you for detail explanation.    "But I would like to allow some users (mainly developers) the ability to connect from home - or remotely and not have always on, but on demand."    Will these users use your organization assets to connect or their own/personal machines.     ... View more

Understood.  Panorama was not mentioned, so I assumed its a firewall 🙂 ... View more

Try this    > configure # show address-group ?    All address groups must be listed here.   Hope this is what you are looking for.   ... View more

Yes negate option is added only if you use 8.0.x +4.0.x.  It doesnt work with 8.0.x and 3.x.x versions.    Hope this helps.  ... View more

May I please know what PAN-OS version and GP -version are you using.. ... View more

Can you give more details when you say " I have a working GP setup"   I am looking for more details like, is this an External set up or an internal setup. In short is the portal accesible only from inside your  organization or from anywhere. ... View more

Now I Understood it correctly. I was always focusing on the Radius tab, but I should have to configure in the authentication profile tab as two different profiles.  I tested and it worked. Thanks for the idea and your time.    Appreciate your replies. ... View more

What kind of interface management profile you have on the device.  If you allow HTTPS and SSH on your data-interfaces. you should still be able to access it via E1/1,2,3,4.....    ... View more