About PavelK

Thank you for the post @bschaper   Could you confirm the PAN-OS version you are running? If you are running 9.1.X, it might be related to this: PAN-159295 addressed in 9.1.13. Kind Regards Pavel ... View more

Thank you for comment @LAYER_8   The "Rematch Sessions" is enabled by default and in my own personal experience it did not take an effect for QoS policy. Based on my research, this feature only works for security policies.   Kind Regards Pavel   ... View more

Thank you for reply @RobertShawver   no worries, it was not rude at all 🙂   I do not have a lab device with vsys license, however I tried to reproduce it in Panorama by creating a Template for multi vsys system. I did not manage to make this change in CLI, but after I placed a sub-interface in different vsys, I could see this change in CLI: "vsys vsys3 import network interface ethernet1/1.10".    Kind Regards Pavel   ... View more

Thank you for the post @rbabu0   It is possible to clear an ARP entry by either of the below commands:   clear arp interface <name> ip <ip/netmask> clear arp interface <name> mac <value>   or set static ARP entry to some dummy entry: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClGrCAK   Other than this I can't think of a way to disable a single entry. Could you elaborate more on this request? What is the motivation to disable ARP entry?   Kind Regards Pavel ... View more

Thank you for reply @RobertShawver   Your post is clear. I made a mistake. For vsys, could you check this: set vsys [vsys number] import network interface [Interface name] ?   Kind Regards Pavel  ... View more

Thank you for reply @RobertShawver   before I replied to you, I have tested this. By issuing this: "set network virtual-router [vr name] interface [number]" the interface was added to both virtual router as well as directly to interface under: Network > Interfaces > [interface name] > Virtual Router. Is your experience different?   By using: "find command keyword" CLI feature I was not able to find any other way to add interface to: Virtual Router.   Kind Regards Pavel  ... View more

Thank you for the post @RobertShawver   Could you try this: set network virtual-router [vr name] interface [ae number] ?   Kind Regards Pavel ... View more

Thank you for the post @tominak   Probably by Panorama Manager, the SE might meant Panorama Interconnect: https://docs.paloaltonetworks.com/panorama/panorama-interconnect/1-0/panorama-interconnect-admin/panorama-interconnect-overview/about-panorama-interconnect.html   In Panorama Interconnect, one Panorama instance is running as a controller and managing another Panorama nodes.   Kind Regards Pavel ... View more

Thank you for the post @FabioPiluso   Could you confirm in what mode Panorama where you added this is: show system info | match system-mode Could you also confirm that you completed this step: Select Commit > Push to Devices and push the changes to the Collector Group the Log Collector belongs to.   Kind Regards Pavel ... View more

Thank you for the post @Toufik   Basically by default all communication that Firewall will initiate will be over management interface. In the case you for what ever reason can't use management interface, you can change all services to communicate via data plane interface instead of management interface. You can also do it selectively based on service you want to communicate over data plane interface. Here is KB: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClGJCA0 In the case of Active/Standby HA you will come across an issue when standby Firewall will not be able to use data plane interfaces (Depending on HA configuration interfaces are either shut or suspended), so service route configuration will not work unless Firewall assumes active role or you change it back to use management interface.   Connecting management port to switch with dedicated Vlan is the most optimal way. Having management interface on the same subnet as data plane interface is possible and it will work, however I would avoid this security reasons. The first option you mentioned is of course possible to connect management interface directly to your PC, but outside of the lab environment, this is not scalable option. If you need to change management interface IP address from CLI to range for management Vlan, you can do it from CLI: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClN7CAK   Kind Regards Pavel ... View more

Thank you for response @rmcrae    Yes, this is correct. This behavior is described in this KB: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000HCQlCAO   Kind Regards Pavel ... View more