About darren_g

@fjwcash wrote: See this comment for the difference between VLAN interfaces (which are actually bridged interfaces for creating a virtual switch) and layer 3 interfaces with 802.1q vlan tags (which is probably what you are looking for): https://live.paloaltonetworks.com/t5/General-Topics/Correct-IP-setting-when-two-firewalls-connected-to-one-ISP/m-p/262311/highlight/true#M74341   When you say "trunk" do you mean a vlan trunk (meaning only tagged vlans on the physical interface, no untagged vlans), or an LACP trunk (where you bond together multiple physical interfaces into a single aggregate interface to increase throughput or provide fail-over)?   I really hate it when the same terms are used for different things based solely on context.  🙂   I'm guessing you want to create a single Layer 3 interface (you don't have to actually configure anything on it), then create multiple sub-interfaces underneath the physical interface, with each sub-interface having a vlan tag associated with it.  Thus creating a vlan trunk.  We do this on all our firewalls.  Each sub-interface can be configured with it's own Zone, Virtual Router, Zone Protection, Management Profile, etc (they're treated as separate interfaces).   OK, the comment you quoted makes it a bit clearer - a "vlan" interface is simply used to make ports into local switch ports.   Yes, I mean VLAN trunk - a port which allows ONLY tagged traffic in one (or more) VLAN's in and out - connected to a "trunk" port on a switch (trunk mode switch port in Cisco/Juniper land).   And yes, I hate it when the same word means two completely different things depending on which vendor you're talking to as well! 🙂   Based on your last paragraph, what I have should work, as that's exactly what I've done - my only concern is that the "physical" interface is listed as "untagged" - does that mean it passes native VLAN traffic with a default (1) tag, or passes nothing at all?   Thanks - I think you've cleared this up enough that I can make things work. ... View more

@BPry wrote: @darren_g, You don't tell it which tunnel to fail over to, it simply disables the tunnel interface. Disabling the tunnel interface will take your first route out of consideration as far as the firewall is concerned (because it can't use a disabled interface) and the second route you have configured will take over as it's the remaining route.    Another option of doing essentialy the same thing is configuring Path Monitoring on the route entry itself, which would be independent of the Tunnel Monitoring. You can view that method of operation HERE   Essentially either option would work fine here, but the Tunnel Monitoring helps you by attempting to re-negotiate the IPSec keys between peers instead of simply removing the static route.    Ahh, OK, so I just enter two static routes to the different tunnels, and if the primary fails, it disables and the other route automatically takes over. That's a lot clearer now. Thanks!   So when you apply the tunnel monitor, the "destination IP" is any address on the other end of the link? Or is it specifically the tunnel interface address at the other end?   I'll look into path monitoring too - thanks! ... View more

@BPry    That's good, but how do you tell it which tunnel to fail over to?   I can't see where to configure it to pick a specific tunnel to fail the traffic over to. Do you simply set two static routes pointing to both tunnels, or is there some other magic that needs to be worked to make this selection choice?   Thanks ... View more

@BPry wrote: @darren_g, Do you have a tunnel monitoring profile assigned to the tunnel at all?    @BPryNo, I don't, because I don't really understand the purpose and functionality of them - they seem pretty simple to configure, but how do you apply them - and more importantly, how do you tell them which tunnel to fail over to?     ... View more

@BPry wrote: @darren_g, If you export the XML configuration you'll see the actual CSR in the running-config.xml.    You, Sir, are an absolute legend! That did the trick. Thanks! ... View more

@rrau wrote: 3000 series FW, software 6.0.1, GP 2.0.1 -- GP continually disconnects/reconnects.. tried reinstalling client, rebooting, etc.. happens with some users at random times..then the issue will magically go away.  Anyone else experience?   I've seen this caused by some kinds of cable or DSL modems on the remote end.   It's got soemthing to do with the way some modems do UDP security - they allow the connection/authentication, but block the packets after the connection competes, resulting in a timeout and disconnect.   Once it disconnects, the client goes back to phase 1 and reconnects and discovers fine - but then times out again after 5 minutes.   The various modem/router manufaturers call the settings different things - ALG, PnP Security, some toher things. It's particularly common on DLink routers   I'm not sure if I can link to external dicsussions here - I'll try   Example 1, Example 2, Example 3 ... View more

hi Otakar.   I won't allow content upgrades to install automatically - I've been bitten in the backside one time too many by bad upgrades breaking things for this - I manually install them all when I'm around, so I can roll back quick if I start getting complaints.   Virus definitions are different - they can install automatically - but content and app definitions I don't trust.   Still don't know why I'm seeing so many of them on PanOS 8, though. My other firewalls are on 7, and they still only see the three releases. ... View more

@mgarg wrote: Some from the engineering team should be able to comment on whether all virtual interfaces get same mac address as per design. As far as configuration is concerned, I don't believe there is a setting which allows you to force unique mac addresses or assign them statically.   That was what I was afraid of.   Thanks anyway. ... View more