About PavelK

Hello @DForde   thanks for the post in LIVEcommunity!   Even if you manage to inject /30 routes into routing table and advertise this from PA to your ISP, ISP will typically not allow longer prefix than /24 for IPV4 and /48 for IPv6. /30 should be filtered out by your ISP you are peering with. This is part of the effort of all governing body to conserve number of prefixes in global routing table.   Kind Regards Pavel  ... View more

Hello @Schneur_Feldman   what PAN-OS version are you running? I tested it with 10.1.7 and 10.1.8, but was not able to re-produce the issue.   Kind Regards Pavel ... View more

Hello @yjimenez   thanks for posting in LIVEcommunity!   To me this looks like standard log when Firewall initiates phase 1 to remove peer. The fact that this says: "queued since no phase1 found" indicates this is a new session rather than configuration is missing. Is there any further log after this entry? If there is a response, then there should be logs indicating what phase 1 parameters were received from remote peer. If there is no response or traffic is blocked in between, this log entry will be repeated as PA tries to establish phase 1.   Regarding your question, yes the phase 1 configuration is under: "IKE Gateways".   Kind Regards Pavel   ... View more

Hello @mscioscia   thanks for your post in LIVEcommunity!   The requirement you mentioned is typically accomplished by Device Group Hierarchy. Any configuration in Device Group will be automatically inherited from top Device Group to all lower level Device Groups: https://docs.paloaltonetworks.com/panorama/10-1/panorama-admin/panorama-overview/centralized-firewall-configuration-and-update-management/device-groups/device-group-hierarchy   If you currently have a single Device Group, I would recommend to create a new hierarchy either based on location or function or combination of both, then place each of the Firewall into own Device Group.   For example: Shared   Data Center     [DC Name]     [DC DR Name]   Offices     [Office Name]   With the above hierarchy, anything that you configure in Device Group "Shared" will be inherited to all Device Groups. Anything you configure in Data Center will be inherited to all your DC Device Groups. You can create multiple Device Group to serve only as a place holders in hierarchy. Keep in mind that under Shared Device Group you can configure depth of up to 4 Device Groups.   Since you mentioned you have all your policies in the single Device Group, by building new Device Group Hierarchy, you might have to migrate your existing policies to upper level Device Group. You can select multiple rules and do a bulk clone to upper level Device Group, then delete policies from existing Device Group.   I hope this helps.   Kind Regards Pavel ... View more

Thank you for reply @qmso475   from the screen shot you provided, it looks like one side is setting up maximum segment size to 1410 Bytes and TCP Reset is coming back. Personally to narrow down the issue, I would try temporarily remove the permit list and test it again. If it works without permit list, then the issue might be broken PMTUD, source IP address of your machine does not match, NAT device in between, or else.   Kind Regards Pavel ... View more

Hello @qmso475   thanks for post.   Could you check this KB: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Clb4CAC If you take the permit IP address list off temporarily, are you able to access it?   Could you take packet capture on your host in your permit IP address list to see you are getting response at all?   Kind Regards Pavel ... View more

Thank you for reply @MarKra   I went through release notes for 10.2.3, but could not find any related bug. From screen shots you provided, the configuration looks correct. I would advice to open a TAC ticket to confirm this is a bug.   Kind Regards Pavel ... View more

Hello @Doyenadmin   if you are running PAN-OS 10.2, then this is a known issue addressed in 10.2.3: PAN-178194   https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-release-notes/pan-os-10-2-3-known-and-addressed-issues/pan-os-10-2-3-addressed-issues   Kind Regards Pavel ... View more

Hello @MarKra   thank you for posting!   The behavior you described is not expected. I tried the same with PAN-OS 10.1.7 and it worked. All the configuration including "Enable Probing" that was configured in a Template was reflected in a Template Stack.   What PAN-OS version are you running? What happens if you override the setting directly in Template Stack?   Kind Regards Pavel ... View more

Hello @joecastillo   thanks for the post.   Firewall does not have an option to block MAC address. If there is a switch in between, I would block it there by configuring static MAC address table entry with drop action. If that is not the option, then I can only think of creating a fake ARP entry on Firewall Interface side: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClGrCAK   Kind Regards Pavel ... View more

Hello @jeromecarrier   thanks for the post.   In short, this is the right scenario: "For Inbound, I use the *.company.com provided by tbs to decrypt inbound traffic and for outbound, I use à certificate provided by our internal cert authority to decrypt outbound traffic"   For Inbound decryption, the Firewall must have loaded the certificate used on server: https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/decryption/decryption-concepts/ssl-inbound-inspection   For outbound decryption, you should use a certificate issued by your internal CA. All your company managed computers should are part of the same PKI therefore will trust certificate issued by internal CA.   Kind Regards Pavel ... View more