About PavelK

Hello @rrobles   here is a link for support plan: https://www.paloaltonetworks.com/services/support/customer-support-plan   Is it what you were looking for?   Kind Regards Pavel ... View more

Hello @Wenwei_Y   while I can't think of explanation of what you are experiencing, it should not be display limit. The limit is 32 IP addresses: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClHJCA0   I tried to check a few FQDN objects we have configured and it is returning 8 or more IP addresses.    Kind Regards Pavel ... View more

Hello @smartz   what you are experiencing is expected. Even though Firewall is registered in Panorama by using a data plane interface, reported IP address under device summary is management interface IP address. Since management interface is set to DHCP and not getting any IP address, it is reported as 0.0.0.0/0. Unfortunately, I do not believe there is any way around it.   Kind Regards Pavel ... View more

Hello @Nhussain   thank you for reply.   I did basic verification in Lab Firewall and the answer is yes to both. It is possible to assign different interfaces to different VRs and still use them as a service routes:     Kind Regards Pavel ... View more

Hello @cpasquale   overall log retention depends on Firewall model and volume of the logs. You can confirm log retention from CLI: show system logdb-quota. Scroll to the bottom to: "Session log usage". Here you will find current log retention. If you have unallocated disk space, you can increase log quota from Device > Setup > Management > Logging and Reporting Setting > Session Log Storage.   If you have already allocated all available space and still this is not meeting your desired retention time, depending on volume of traffic that generates logs, there is not much you can do to extend it. The only option I can think of is to re-arrange some quota. For example, reduce allocated percentage for Threat and assign it to Traffic. Another option is to set log forwarding to external syslog server/SIEM.   Kind Regards Pavel ... View more

Hello @Wilian1984    it looks like that QoS is preventing you to disable ipsec tunnel. Could you navigate to: Network > QoS, then select the interface that is used to build ipsec tunnel (untrust), then navigate to Tunneled Traffic and remove "tunnel.17", then you should be able to disable it from: IKE Gateways and IPSec Tunnels and commit.   Kind Regards Pavel ... View more

Hello @Nhussain   by default a Firewall is using management interface for this communication: Panorama and NTP/License Check   If you want to change that behavior, you can configure it by using service route. Here is corresponding KB: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClGJCA0 From service route setting you can separate Panorama/Panorama Log Forwarding to use one dedicated data plane interface and for NTP and Palo Alto Networks Services (I think this one is used for license check) to use different dedicated data plane interface. Any other data plane interface will be used for East/West/North/South traffic depending on your configuration.   If you want to further separate data plane interfaces, you can create 2 Virtual Routes. One where you assign interfaces for East/West/North/South traffic and another one for management where you assign interface for traffic from Firewall itself for Panorama, NTP/License Check communication.   Kind Regards Pavel ... View more

Hello @ToughGuy_PAN   you can use below CLI to view pre or post policy in specific Device Group:   show device-group <Device Group Name> pre-rulebase security rules show device-group <Device Group Name> post-rulebase security rules   Kind Regards Pavel ... View more

Hello @monitoreonetrix   Palo Alto keeps releasing a new version of User-ID agent to keep numbering in sync with the PAN-OS releases, however feature wise in two latest releases 10.1 and 10.2 there is no new feature introduced since version 9.1. User-ID agent is in general forwards and backwards compatible with Firewall PAN-OS. Personally I would recommend install latest version of User-ID agent 10.2. If you prefer to keep User-ID agent version number in pair with PAN-OS, then you can still install User-ID agent 9.1, however do not forget to upgrade it when it is end of life in December 2023.   Kind Regards Pavel ... View more

Thank you for reply @Metgatz   since you mentioned you are running 9.1.4, as a next step I would personally recommend an upgrade to 9.1.14-h4.   Kind Regards Pavel ... View more

Thank you for reply @Habte-01   this should be all you need to get an interface available in a zone. An interface can be a member of only one zone. Is the interface you are trying to add already member of existing zone?   Kind Regards Pavel ... View more

Thank you for reply @Sujanya   the link I shared is the only way I am aware of. I believe there is nothing else available from CSP. If you have a Panorama in your environment, you can leverage: "Auto Push on 1st Connect" to streamline onboarding of Firewalls. Other than this I can't think of anything else.   Kind Regards Pavel ... View more