About PavelK

Hello @Gladstone   have you tried to disable persistent NAT for DIPP: persistent-nat-for-dipp?   Kind Regards Pavel ... View more

Hello @birkhojk   I was going through KBs and documentation. Based on information in this KB: How to Filter BGP Routes Using Extended Communities standard community is received and read by Firewall in standard decimal format. In this documentation: Create Filters for the Advanced Routing Engine there are some exampled. If you expect only one community, you can configure 1234:567 in the community field. If you have to match multiple communities or need pattern to match community, you will have to use regex to match community values.   Kind Regards Pavel ... View more

Hello @Purushotham   thanks for post.   NAT64 requires DNS64: DNS64 Server. I do not believe there is a way to translate directly IPv6 to IPv4 on Palo Alto Firewall. While NAT64 is configured on Firewall, you still need 3rd party DNS server to facilitate DNS64 translation. If your service / application has hardcoded IP address without using domain names for DNS resolution, this solution will not work.   In NAT configuration Firewall expects these subnet masks: /32, /40, /48, /56, /64, or /96: Configure NAT64 for IPv6-Initiated Communication. If you configure /128 you will get commit error.   Kind Regards Pavel    ... View more

Hello @A.Avizena   thanks for posting.   I experience random log loss in Panorama in the past. The root cause was high log forwarding load. On log collector side, could you please issue: "debug log-collector log-collection-stats show incoming-logs" to check "fails" count? Also, could you look into this KB: Log forwarding delays or Missing Logs due to high latency between log collectors in a collector group? If you have multiple log collectors, the latency between each of the log collector should be below 10 ms.   Kind Regards Pavel   ... View more

Hello @${userLoginName}    the issue you reported was most likely caused by below incident:     I would recommend to either subscribe or check status of services from this page: https://status.paloaltonetworks.com/.   Kind Regards Pavel ... View more

Hello @Mebinbaby   thanks for posting.   While I have not personally came across this issue and nothing comes to my mind what the potential issue could be, I would like to collect more information.   Could you please confirm PAN-OS version of Panorama? What accounts are being used for login? Local accounts, TACACS+/RADIUS/LDAP, SAML? Could you please confirm what happens after login? Is the page blank or loading forever? What is the disk utilization / root partition utilization? Once you are able to reproduce the issue, would it be possible to collect web debug: How To Collect Web Interface Debug Logs? If you are able to login by CLI while you are facing the issue could you try to restart web relater process: debug software restart process web-server ?   Kind Regards Pavel  ... View more

Hello @S.Kutwal   Enterprise DLP plugin is supported only on Panorama. Below are quotes from documentation: Install the Enterprise DLP Plugin on Panorama.    "A Panorama with the Enterprise DLP plugin installed is required; managing the Enterprise DLP configuration on your NGFW isn't supported."   "You only need to install the Enterprise DLP on Panorama. By default, all NGFW have the minimum supported Enterprise DLP plugin version installed based on the currently installed PAN-OS version. The minimum supported plugin installation occurs automatically when you install a new PAN-OS version on your NGFW."   There is no need to install plugin manually. If you have installed plugin, could you try to uninstall it from CLI: "request plugins uninstall dlp"?   Kind Regards Pavel   ... View more

Hello @Vjuarez   did this issue started after UI Agent upgrade? Could you checking this KB: After upgrade of User-id agent, the firewall gets disconnected from the Agent to see it can help?   Kind Regards Pavel  ... View more

Hello @Chris80   you will have to perform below steps.   1.) Register Firewall to Panorama (Add Firewall's S/N + Authentication key).   2.) Theoretically, it is not necessary to add Firewall to Device Group to get logs only, however I recall memory that logs did not show up until I associated Firewall with Device Group. Please test it first by not associating Firewall with Device Group. If logs do not show up after completing all the steps, please add Firewall to Device Group to see logs show up.   3.) Add Firewall to log collector group by navigating to: Panorama > Collector Groups > [Log Collector Name] > Device Log Forwarding > Log > Forwarding Preference.   4.) Commit configuration to Panorama and to log collector. If you do not push configuration to log collector group logs will not show up. To see the logs you do not have to push Device Group configuration, but if you have assigned Firewall to for example dummy Device Group with no actual configuration in it, the Firewall will be reporting out of sync status, however this should not prevent Firewall from sending logs to Panorama.   5.) On Firewall side, in log forwarding profile select log Forwarding Method "Panorama" checkbox.   After completing all steps you should see Firewall logs coming without having Panorama managing Firewall configuration. There are a few things to keep in mind. If your Firewall and Panorama are using different Time/Time Zone logs might not show up in Panorama's GUI. Ideally you should sync time with the same NTP server.   Kind Regards Pavel  ... View more

Hello @jwill2   personally, I am using Firefox as well (The same version you mentioned on Windows 11 as well) and do not experience this issue. My Panorama is running PAN-OS 11.1.6-H3. I am not using any plugin. Maybe that makes a difference. In general, over past a few years, I do not recall memory to have an issue to see Firefox performing poorly to force me to switch to Chrome.   Kind Regards Pavel  ... View more

Hello @weezy   thank you for reply.   If TAC is already working on it, you are already in better hands, however only to share. For this kind of error, my next step would be looking into configd.log file (less mp-log configd.log). This file generally includes more details about error.   Kind Regards Pavel ... View more