About Metgatz

Hello @PozsonyiAttila    In order to have a correct idea and concept of the implementation. To correctly apply the profiles you must consider: The external interfaces, the Untrust WAN interfaces, is where you apply the "Upload" topics.   The Trust/LAN interface(s) is where you apply the QoS profile, to correctly enforce the "Download" issues. Then you generate the QoS policies that match the desired traffic and the desired class.   Regards ... View more

Hello @AKhalighi    You can use comparison Tool in Palo Alto Networks Site:     https://www.paloaltonetworks.com/products/product-comparison   You can costumized the Firewall Model and check for example:   -App-ID firewall throughput -Threat prevention throughput -Max sessions (IPv4 or IPv6) -Max concurrent decryption sessions -And too much others data   Cheers   ... View more

Hello @ghughes_itx , well in this case, the flagship product to share configurations, for example, policies, objects, network settings, among others is PANORAMA. But if it is not within the plans to implement, due to licensing issues, costs, operation, etc., then the other possible alternative, is on the one hand to try in both firewalls, to match certain config, for example Zones, Network Segments (if possible), names and / or references of Security Profiles.   I would think like this, first standardize and homologate manually, with care, these configs.   Then for each change you make, for example take the same command and apply it via CLI on the other firewall, trying to speed up the execution a bit more.   https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClHoCAK   https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClHoCAK#:~:text=The%20following%20example%20demonstrates%20how%20to%20view%20a%20configuration%20in%20%22set%22%20format.   If you check those links there you have the examples at the view level, then when you run a change, you take the base CLI commands and apply it and adjust it on the other firewall.   You can copy the config but this is more global, to copy the config, from one firewall to another.   https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-cli-quick-start/use-the-cli/use-secure-copy-to-import-and-export-files/export-a-saved-configuration-from-one-firewall-and-import-it-into-another#id84f62535-0ecb-411d-87b8-993aaea5566b   Regards ... View more

Hello @Sanjay_Ramaiah  Well, with the backup, with the snapshot of the Firewall config ( remember export snapshot backup to your laptop/PC ), once you do the factory reset import and load the snapshot and look at the Device Administrator section, as you will be with the "admin" default super user, you make sure to create a backup superuser and to check that the admin does not disappear. And any other user/accounts that you have in the firewall or have created, will be in the snapshot.   Cheers ... View more

What ? You also don't have a Panorama superuser?   If you have superuser access with PANORAMA, then don't push from the template, but rather switch context, from Panorama, and select the firewall, it's as if you were standing directly on the firewall and you already create the user superuser.   Panorama Context Switch https://docs.paloaltonetworks.com/panorama/9-1/panorama-admin/panorama-overview/centralized-firewall-configuration-and-update-management/context-switchfirewall-or-panorama   Now if this does not work, then take a backup, snapshot of the configuration, so that after the hard reset or the factory reset you can import that backup, but make sure to check the Administrator section and see and/or generate a superuser, so that Don't have problems and/or some other lastresort superuser account. Now for the reset you must restart the equipment and follow these steps:   https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CldXCAS   The other option, if you previously had the user, or the password, in some other backup, that is, before deleting or changing the password, you could also eventually load that config.   https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClkxCAC   But if nothing works anymore, then it only remains to restore.     Cheers ... View more

Yes, if you have superuser in PANORAMA, you can create a push a SuperUser on the target device. And what happened to the default admin of the firewall ? and that account, what happened to it ? was it renamed or deleted for security reasons ? Regards ... View more

You must have superuser privileges to create an administrative user with superuser privileges ... View more

Hello @Sanjay_Ramaiah , good evening   Make sure that through the MGT interface your Firewall has access to the Internet, you can test from CLI/SSH ping host updates.paloaltonetworks.com. Make sure it responds and resolves. Make sure you have set the DNS so that the firewall can resolve the addresses.   Once you have validated these two points, re-apply a Retrieve Lincense, in the licensing section.   Regards ... View more

Hello @JMBerzal    Hello, I think it is possible, personally I have not done it, precisely what you want to do, but it is something that falls within the scope of Expedition.   https://live.paloaltonetworks.com/t5/expedition-discussions/expedition-tool-to-migrate-vsys/td-p/274669   Another way can be with Load partial:   https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-cli-quick-start/use-the-cli/load-configurations/load-a-partial-configuration/load-a- partial-configuration-into-another-configuration-using-xpath-values#idc06fc1f6-6820-4985-b3c4-4664b900dfcd   https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-cli-quick-start/use-the-cli/load-configurations/load-a-partial-configuration/xpath-location- formats-determined-by-device-configuration#id34238ccb-2aa0-43d7-a43a-034ee6adf695:~:text=XPATH%20FORMATS-,Multi%2Dvsys%20Firewall,-from%2Dxpath   As always and good practice, run backups   Cheers ... View more

Hello @Sanjay_Ramaiah It's correct.   Cheers ... View more

Hello @UNMPDgordon    I am not entirely clear what your problem is ? What exactly is it where you need support? What exactly are you having doubts about or are you stuck on?   I remain attentive   Regards ... View more

Hi usually the age-out issue is either a nat issue or a return path issue.   I mean if you have more than one link to the internet, multiple links.   The server must be able to, I am talking from the server, directly from the server, to have correct internet access from the server's private Ip to some test Ip. Now a nat destination NAT, has to comply with the following. Referential example: NAT policy: Origin zone: Untrust/WAN zone Destination Zone Untrust/WAN zone Source Any ( or you filter from X public IPs to establish the connection ) Destination Address: The public IP with which you are doing the NAT / DNAT ( i.e. the External IP of the server, External Public ) Service: You could just set the RDP, example TCP-3389 Source translate: Nothing None Destination Translation: Here at this exact point goes the Private IP, the LAN IP of your server. You can use Translated Port to set 3389. Now the Security Policy example: Source zone Untrust/WAN Zone Destination: The destination zone, e.g. DMZ, Trust, Servers, etc. however you have it named. Source Address: Any Destination Addres: The public IP with which you are doing the NAT / DNAT (i.e. the External IP of the server, External Public). In service: You can also use the service to close and only limit to port 3389-TCP-RDP.   Try in each case, NAT and security policy, upload the policy to be one of the first, in both cases. Now your server must exit on the same link that your request enters so you don't have problems with return traffic. Validate that the server, that is to say from the private IP of the server, can exit correctly to the Internet, that at the level of routing by the main link and/or the same of the DNAT it works well. Now also validate that you are placing the correct Ip, that the server, if you arrive from the same LAN or from the same network if you answer the RDP. Validate that from the Server you have Ping with the LAN gateway, you have Ping, with public Ip. Validate that there is no security profile blocking the connection.   Try the connection from several external connections, from outside the network, not from the inside, but from the outside against that public IP you mention, from your laptop sharing internet with your cell phone via 4G, from a home network, your house, etc.   Greetings ... View more