About dan731028

Hello Community, Recently I did my first configuration import a firewall into Panorama.  Everything works as expected, but when I do a device group commit, I get the following message in panorama:    Details Configuration committed successfully Warnings vsys1 (Module: device)   When I take a look at the firewall, it says the commit was successful.  In managed devices in Panorama, last commit state is "commit succeeded with warnings".  Any idea what I need to change in the Panorama config to make this warning go away?  Both Panorama and firewall are running PAN-OS 7.0.11. Commits to firewalls with their configuration originally built in Panorama do not experience the issue. Thanks for any help! ... View more

Would anyone have a simple example that would allow me to put a warning banner below the login table on the GP Portal page?  I'm no HTML expert and have tried to follow some of the posts and documents here, but am not having any luck.  I have made sure to set the custom login page in the portal configuration page, but the text I tried to add does not appear. Anyone have simple instructions and/or example of what the response page should look like?   Thanks in advance! ... View more

I'm trying to import my production Panorama VM configuration into my lab Panorama VM and I am getting the following message, and I'm not entirely sure what it means:   upload -> config -> content Node can be at most 41943060 characters - current length after decoded 42002198upload -> config -> content is invalid   Does this mean the Panorama configuration file must be under 42 MB to be imported?  If it's running in production and I have to recover, does this mean I'm screwed?  Any help would be appreciated.   Dan ... View more

Hello All, I'm working on a migration that requires me to breakout one large SRX config into a PAN-OS config while implimenting multiple VSYS instances.  I am managing the configuration via Panorama, so I've got a base config out of the migration tool for the policies and I have that in a conversion device group.  I'm using a CLI output of set commands for this device group, identifying the rules I want to migrate to a new device-group in Panorama, then searching the sets I need in the conversion device group CLI output, copying them to notepad, changing the device-group name, and re-uploading the rules into a new device-group.  I'm doing this in a lab version of Panorama.  I then take a named configration snapshot, upload that to my production Panorama and do a load config partial to copy the rules from my lab config into my production config.   This method works great for me, and the migration process has gone great so far.  The time consumer here, though, is this method only allows me to upload 2 rules worth of set commands at a time in the CLI without throughing errors.  Does PAN-OS have a way for me to take all of my set commands in a txt file and upload them into the configuration all at once?     ... View more

Hello support community, I'm using a PAN 3020 A/P cluster on the perimeter running 6.0.9.  At all of my remote sites I have a cisco ASA that uses IPSEC tunnels to connect back to the main network.  The IPSEC tunnel configuration (IKE phase 1, IKE phase 2, and peer IDs) are consistent across my remote sites (best to my knowledge).  Out of my 8 IPSEC tunnels, when I try to initiate the tunnel to one site I receive the following in the system logs where X is the remote peer and Y is the local peer: "received unencrypted Notify payload (NO-PROPOSAL-CHOSEN) from IP X.X.X.X[500] to Y.Y.Y.Y[500], ignored."  I then get: "IKE phase-1 negotiation is failed as initiator, main mode. Failed SA: Y.Y.Y.Y[500]-72.28.162.32[500] cookie:cbf02ee495115ae1:0000000000000000. Due to timeout.' If the PAN is the responder, the tunnel comes up: "IKE phase-1 negotiation is succeeded as responder, main mode. Established SA: Y.Y.Y.Y[500]-X.X.X.X[20796] cookie:2790c31cdce7deae:05a5f962eee2989b lifetime 86400 Sec." Looking at the interpret-vpn-error-messages.html page, I would think if there was a proposal mismatch in the IKE Crypto profile, it would fail as both initiator and responder. I've verified the isakmp policy on the cisco side matches what's configured in the IKE Crypto policy, and I've verified the firewall is allowing the traffic via security policy. Any ideas why I'm failing as an initiator? ... View more

Guys and Gals, I have been working to set up NAT-T across an IPSec tunnel between two PA-200's in my lab and am not having success.  I have followed documentation and suggestions I could find on this site, but I am unable to get NAT-T working and was wondering if anyone out there could help.  In testing I first setup the tunnel with NAT-T configured.  On initial configuration, the tunnels came up, but I could not reach the remote firewalls by their assigned NAT IP address across the tunnel.  I removed NAT from the equation to make sure my IPSEC tunnel was working.  Once I did this, I could get to the remote firewalls across the tunnel using their real IP addresses.  So I didn't have to flip back and forth I left the real IP configuration and re-added my NAT configuration, but am still not able to reach the remote side. Here is my topology.  The firewall interfaces are Layer 3 interfaces: The Cable Modem they connect to has a 4-port switch on the back.  The Peer addresses are on the same subnet and are in zone Internet.  I have created tunnel.1 and put it in zone IPSEC, and I have a zone named LAN serving DHCP addresses to clients.  I want to be able to hit the management interface of the remote firewall over the IPSEC tunnel using the NAT IP address in the topology diagram.  To do this I have configured a source NAT and static NAT on both sides. NAT statement Firewall 1: Security Policy Firewall 1: Routing Table Firewall 1: NAT Statements Firewall 2: Security Policy Firewall 2: Routing Table Firewall 2: I suspect the issue lies within the monitor log.  With ICMP pings going across the tunnel I see this in the traffic log: This tells me the Remote firewall is applying the NAT policy, and it is coming across the tunnel correctly, but I'm not sure why the destination zone is the Internet zone and not the LAN zone.  As an aside, if you look at my security policies, you'll see a disabled rule named "tunnel traffic for NAT"  this security policy rule allowed zone IPSEC to Internet, but having this rule in place just changed the rule name in the traffic logs.  Traffic between a local machine and the remote firewall would not pass.  Any clarity on why the firewall is putting the destination zone as Internet, and how I can get the firewall to correctly forward this to the LAN instead would be greatly appreciated. ... View more