This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
Buy or Renew
Buy or Renew

About Metgatz

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Metgatz
‎02-10-2026
since ‎04-20-2021
L4 Transporter
User Activity
User Profile
Latest posts by Metgatz
View All
Posts I Liked
View All
User Badges
Community Statistics
Member Since ‎04-20-2021 03:55 PM
Date Last Visited ‎02-10-2026 10:40 PM
Posts 329
Total Likes Received 35

Re: SNAT to a FQDN

by in General Topics
‎11-04-2022 01:07 AM
‎11-04-2022 01:07 AM
Hello @maniac72    I think you have a little wrong concepto to apply NAT in Palo Alto. I suggest review this links:   https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/networking/nat/nat-configuration-examples    https://www.packetswitch.co.uk/palo-alto-nat-example/        Best regards ... View more

Re: how to import cert on palo alto

by in GlobalProtect Discussions
‎11-03-2022 06:32 PM
‎11-03-2022 06:32 PM
Hello @MarkLee-ext , good afternoon   Well, you must import the certificate, if you generated it from a CSR from Palo Alto, you do not need the private key, if you generated it externally and not from a CSR from Palo Alto, you must import the certificate along with its key private.   After this, you must apply or attach to the SSL/TLS profile that you are going to use for global protect.   Best regards ... View more

Re: PA-440 Global Protect VPN - no Internet after connecting, only local resources

by in GlobalProtect Discussions
‎11-03-2022 06:11 PM
1 Kudo
‎11-03-2022 06:11 PM
1 Kudo
Hello @JRECKNAGEL , good afternoon   In the Global Protect configuration, are you using Split tunnel? that is, are you only using the tunnel for your local tunnels? If so, for example, if you do not set any DNS, in the configuration (it makes sense since they are using public) of global protect, the client will use the DNS of the network from which it is connecting, that is, the DNS that it gives you the network of the house, cafe, restaurant, office etc etc.   Now if you are not using split, that is, you use 0.0.0.0/0, therefore you are forwarding all global protect VPN traffic, through Palo Alto, you must set the corresponding security rule(s) and the "NAT" policy is important. " ( Source Nat ) for the network segment you use for global protect so that it can go out to the Internet through the PA.   Now if you are using split for some resources, but you are fixing and setting the DNS, that DNS connection will be made through Palo Alto, then you must apply the security and NAT (Source Nat) policies that allow the network traffic from global protect to the DNS, example towards 9.9.9.9, 8.8.8.8, 1.1.1.1, etc. that is to say, the global protect network must go to resolve those public dns to the internet, then as it will do it through the PA, you must apply the NAT rule ( Source NAT ) for the global protect network with destination to those public DNS IPs and the security policy.   Best regards ... View more

Re: Palo Alto Dual ISP, ECMP enables the external interfaces and enables IPSEC VPN tunnels

by in General Topics
‎11-03-2022 01:37 PM
‎11-03-2022 01:37 PM
Hello @OtakarKlier Good afternoon, thank you for your collaboration and your time.   Yes, but now what I was referring to was the scenario of having 2 IPSEC tunnels, with ECMP enabled (IPSEC routes equal to both tunnels: Tunnel.21 and Tunnel.22) for Site-To-Site VPN traffic. so that it is balanced, so that both links, both tunnels are used (No Dual Fail Over, I mean balanced, not that if one link fails it goes through the other, where you could use Router Monitoring or PBF). So based on the above and in a Dual Balanced scenario, not Dual Fail Over, if the Palo Alto firewall with ECMP for the tunnel interfaces, and routes of the same metric, to use both links, the Palo Alto will be sending traffic through a tunnel then through the other tunnel, so to what I mean, to have a fully balanced traffic scenario, it would require that the other peer, the other end, the other firewall, from whatever manufacturer, also have some ECMP mechanism enabled, or balancing or similar, with equal metric routes, as an example if Palo Alto sends traffic through one of its tunnels, and then through the other, if the other end does not have an ECMP type balancing or similar, for the return traffic, the other end will always forward the return traffic through its route with the best metric (thinking that it does not have something like ECMP) and therefore through its route with the tunnel with the best metric and not in a balanced way, in this scenario it could eventually occur asim traffic metric, since the PA will send traffic through both tunnels in a random and/or balanced way, but if the other end does not have something like ECMP, the return traffic will always go through its best metric and therefore always through a tunnel. Now in a full scenario balanced by both ends, both devices must have the ECMP mechanism enabled so that they can send the outgoing or return traffic through both links.   Please give your comments regarding what is mentioned in this post.   Thank you in advance for your time and collaboration.   Stay tuned to your comments   Best regards ... View more

Re: Palo Alto Dual ISP, ECMP enables the external interfaces and enables IPSEC VPN tunnels

by in General Topics
‎10-31-2022 08:42 PM
‎10-31-2022 08:42 PM
Hello @OtakarKlier , thank you very much for your time, your collaboration and your answers.   Some doubts, regarding point or doubt number 2, if it is being given a weight, for example, prefer traffic with a greater weight, example weight tunnel.20, "200" (Best link Bandwidth and stability), tunnel.21 "50" (lower bandwidth and less stability), in that case you will always be giving more weight to one connection than the other, based on the balancing algorithms, but if you have so many problems with balancing and load balancing and routing, in that case it does not contribute much or not at all useful to use EMCP for this type of scenario (VPN IPSEC DUAL load balancing)? In that case it would be better to just use type Fail Over with PBF or with static route path monitoring?? I also understand that the other important considerations are that the other peer, the other end, with its two tunnels (regardless of the Firewall manufacturer) should also have something like ECMP or similar, since if at the routing level, the other peer, always has preference for only one of its tunnels, some asymmetric traffic could occur, or ruotung problems. Since the other end does not understand that it can reach the networks behind Palo Alto, only from one of its interfaces or only from one of the tunnels, El PAlo Alto, it will send by ECMP, through one tunnel and another, and the other end, but it does not have something like ECMP, it will forward or use the return route or the return traffic, it will always be through one of its tunnels, this referring to the peer, to the other end. Then you have to consider that in both firewalls, both in Palo Alto, and at the other end (the vendor whatever it may be), since Palo Alto could be sending traffic through a tunnel or tunnel interface of one of the IPSEC tunnels , and the other responds the same traffic and/or return route, it goes through the other tunnel, where the other firewall of the peer, from the other end, points out its preference metric to reach the networks that are behind the high pole and that knows through the ipsec tunnel, I understand that in that case we could have that type of problem, right, of symmetrical traffic? Are my considerations correct? Should asymmetric traffic be allowed in Palo Alto and at the other end?   Thank you very much for your time, for your collaboration.   I remain attentive to your comments   Best regards ... View more

Two Static Route - same destination, Same metric

by in General Topics
‎10-27-2022 11:25 PM
‎10-27-2022 11:25 PM
Two Static Route - same destination, Same metric   Hello, good afternoon, thank you very much for your time, collaboration, time and suggestions.   Thinking in an environment where you have two routes to the same segment, example a pair of static routes through the Switch Core to LAN resources or two routes to the same destination, by two tunnels interfaces of a pair of VPN Site to Site to Azure.   According to the above, if I indicate the same route, to the same destination, with the same metric, but different interfaces, Palo Alto will generate an error when placing a route, to the same destination with the same metric ? Demanding to adjust the metric values or asking to enable ECMP ? And if it does not generate an error, in this case, which route will be used if both have the same metric ? which one goes from the RIB to the FIB ?   Thank you for your support, collaboration and time.   I remain attentive to your comments.   Best regards ... View more

Palo Alto Dual ISP, ECMP enables the external interfaces and enables IPSEC VPN tunnels

by in General Topics
‎10-27-2022 11:11 PM
‎10-27-2022 11:11 PM
Palo Alto Dual ISP, ECMP enables the external interfaces and enables IPSEC VPN tunnels.   Good afternoon, as always, thanks for the collaboration and support.   A few doubts, We currently have an PA configured with ECMP, for outbound to the Internet, with two different ISPs. We plan to configure a Site to Site VPN, with each of the ISP.   Here are the doubts, so that you can give me your opinions and suggestions:   Doubt 1: Will I have any problem when I configure the two IPSEC tunnels, with the dual ISPs ( With ECMP previously enabled ), with the IKE/ESP type traffic ? will it generate any conflict or problem with the stability of each IPSEC Tunnel ? The PA will not have problems with this type of traffic, from its Interfaces, with their respective public IPs, with their respective ISPs and Peers?   Doubt 2: If I configure, already thinking and focused on the routes, with the tunnel interfaces that are used to declare the routes of each ISP, to reach the same destination, is it feasible to use ECMP for the tunnel interfaces ( tunnel.20 and tunnel.21 ) ? to send the traffic in a balanced way ?   Doubt 3: Thinking about a Dual Fail Over scenario, not balancing, but fail over, which is better? To use routes with Path Monitoring ( At route level, in the Virtual Router VR, not at HA level ) and so in case of failure the other route becomes valid in the FIB ? Or use PBF ? If I use PBF, I am forced that the Tunnels have IP in each end to be able to monitor the other peer, right? because for example, for the case of Path Monitoring, using an IP of the range and that this allowed in the encryption domain is enough for me to sense the IP at the level of Path Monitoring Route, but with PBF, I am forced that the other end also has an IP in its tunnel interface. What is the recommendation or the best way ?   I am not talking about Dual fail over type, that one responds and in case of failure, the other responds, but an ECMP type balancing for vpn ipsec site to site traffic. This is for Doubt 2.   Thank you very much for your time, I remain attentive to your comments.   Best regards   ... View more

Re: Panorama - Administrators user - Required Password Change Period (days) - Pan-OS 9.1.14

by in General Topics
‎10-17-2022 07:24 PM
‎10-17-2022 07:24 PM
Hello @JayGolf , good evening, thanks for your time:   I am using Minimum Password Complexity -Enabled, in setup/management. I am not using a password profile, but globally.   Best regards ... View more

Re: Global Device/Setup Authentication Settings vs Device/Setup/Authentication Profile

by in General Topics
‎10-17-2022 04:32 PM
1 Kudo
‎10-17-2022 04:32 PM
1 Kudo
Hello @kiwi Excellent, thanks a lot for your time!    Best regards ... View more

Panorama - Administrators user - Required Password Change Period (days) - Pan-OS 9.1.14

by in General Topics
‎10-14-2022 01:58 PM
‎10-14-2022 01:58 PM
Panorama - Administrators user - Required Password Change Period (days) - Pan-OS 9.1.14   Good afternoon, Thank you for your collaboration and your time   I am doing some tests in relation to Minimum Password Complexity -Enabled, mainly to force the password change in X days. When I set Required Password Change Period (days) with value of 3 days, I wait 3 days and I never get any password change request, moreover when I login with any of the setup/administrators users, with fully operational password and working properly before applying the Required Password Change Period (days) of 3 days, I wait the 3 days and it does not suggest me any password change neither for admin, admin01, admin02, admin03, in fact after this, none of the known passwords work anymore and I have to go back to a previous configuration entering in maintenance mode,   Why is this happening? This is critical because we want to implement this, but we lose access after X days and the idea is not to lose access, but to force the password change after X days.   Please send me your suggestions regarding the above.   I remain attentive   Best regards ... View more

Global Device/Setup Authentication Settings vs Device/Setup/Authentication Profile

by in General Topics
‎10-13-2022 06:10 PM
‎10-13-2022 06:10 PM
Global Device/Setup Authentication Settings vs Device/Setup/Authentication Profile   Hello good afternoon, thank you very much for the usual collaboration.   I have the following doubt, at Global level in Device/Setup Authentication Settings there are parameters such as: Failed Attempts and Lockout Time and also if I create an Authentication profile appears the Account Lockout section, which are also Failed Attempts and Lockout Time settings.   Now that this is clear, if I create a local account called: testadmin01 Then that account, I create it as in Device/Setup/Administrators, I associate it to an Authentication profile ( Local Database ), and in its Account Lockout settings I have configured Failed Attempts with value 3 and Lockout Time: 30 minutes.   But also at a global level, i.e. Device/Setup Authentication Settings I have Failed Attempts configured with value 5 and Lockout Time: 30 minutes.   Based on the above, which settings, which configurations are superimposed over the other ? the global or the custom authentication profile ? Which of the two is valid, which one has real practical validity?   Thank you   I remain attentive   Best regards ... View more

Palo alto network HA link monitor failover Monitor Fail Hold Up Time

by in General Topics
‎10-13-2022 12:17 PM
1 Kudo
‎10-13-2022 12:17 PM
1 Kudo
Palo alto network HA link monitor failover Monitor Fail Hold Up Time   Hello good afternoon, thank you very much for your usual collaboration. I have a question, regarding HA Links monitor timers.   When one has configured a track or HA Link Monitor, some interfaces, checking the HA timers, the one that corresponds is: Monitor Fail Hold Up Time (ms). It is both in recommended as in aggressive by default this in "0 ms", therefore it means that to the smallest detail, to the smallest Flap at the level of interfaces that detects the Palo Alto, this will immediately trigger a Fail Over, that is to say immediately since it waits according to the Monitor Fail Hold Up Time (ms) 0 Milliseconds.   Reviewing the doc indicates: Monitor Fail Hold Up Time (ms): Interval during which the firewall will remain active following a path monitor or link monitor failure. This setting is recommended to avoid an HA failover due to the occasional flapping of neighboring devices. https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/high-availability/ha-concepts/ha-timers    If we take it to a scenario where for example there may be an occasional flap on the interface of the switch where it is connected, as the doc indicates, a slight flap, the firewall high stick will detect the drop and trigger a fail over, so here what would be the recommendation ???? Leave it at 0 ms ? or set it to 1000 ms ( 1 second ) or 1500 ( 1.5 seconds ) ? so that the Palo Alto waits and validates that there is no longer a failure in that Link and therefore the Link Monitor will not trigger the Fail over since it waited 1 or 2 seconds approx since it was only a flap, not a real fall of the interface, a physical failure of the link or a failure of the entire switch.   As always thank you very much for your support   I remain attentive   Best regards ... View more

Re: HA Passive Link State Auto - Vwire Interfaces

by in General Topics
‎10-13-2022 08:48 AM
‎10-13-2022 08:48 AM
Hello @BPry  good afternoon, thank you very much for your time and cooperation.   OK, so that means that always, but always, even if it is in "Auto", when there are Vwire type interfaces will appear Down/RED, this expected behavior will always happen, that is Down/Red in the passive ?   Now then the recommendation is only to set Auto in Layer 3 links, that is L3 interfaces, L3 subinterfaces, Vlan interface with IP L3, but for layer two environments that is L2 interfaces or subinterfaces and Vwire deployment, the recommendation is not to use auto to avoid any network loop.   But example in interfaces or subinterfaces of L2, these if they appear in Up and green, when it is in Auto, but nevertheless the recommendation is not to use auto in these cases ?   Thank you for your support and I would appreciate if you could please rectify the above mentioned points.   I remain attentive to your comments.   Best regards ... View more

HA Passive Link State Auto - Vwire Interfaces

by in General Topics
‎10-13-2022 12:58 AM
‎10-13-2022 12:58 AM
HA Passive Link State Auto - Vwire Interfaces   Hello good evening, thank you very much for the collaboration.   In HA I have configured the passive link in AUTO, in the layer 3 firewall, this works correctly and the secondary firewall interfaces appear as green UP. But in the equipment with "Vwire", in the secondary equipment they appear in red, that is to say down, is this correct? Is it because it is at the level of layer 2, therefore due to STP issues, the adjacent equipment does not negotiate with the interface, therefore it appears as down/red?   Thank you   Stay tuned to your comments   best regards ... View more

Admin account - Minimum Password Complexity - Firewall - Panorama

by in General Topics
‎10-12-2022 08:00 PM
‎10-12-2022 08:00 PM
Admin account - Minimum Password Complexity - Firewall - Panorama   Hello good evening, as always, thanks for the time and for the collaboration.   In the "Device / Setup / Minimum Password Complexity" section, the settings made there, including password length, password forcing time, etc. These settings are also applied to the default account ("admin" ) of users. Palo Alto Networks and PANORAMA admin firewalls ( admintrators / "admin" ), that is, it will apply to the user "admin" and to "All" the users generated in "Device / Administrators"   Thanks for the support and collaboration.   Best regards ... View more
Register or Sign-in
Contact Me
Online Status
Offline
Date Last Visited
‎02-10-2026 10:40 PM
LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2026 - Palo Alto Networks