About dmaynard

I didnt add 4th interface to the deployment files  vmseries-ARM4interface/virtual-machine-password.json And vmseries-ARM4interface/virtual-machine-sshPublicKey.json   The vm is getting delployed using those files as refernced the "base uri" to be my githup repo Added the forth interface to those files and worked   Since you are calling the paloalto master json files as your "base uri" and those files do not have the 4th interface is why the interface is not getting attached to firewall.     ... View more

Hello mathiasj,   I have reviewed and your template and I can also duplicate your issue.   I modified your code a little -(also removed the password from your code) check your post!   https://github.com/dmaynard1/Azure-Custom/tree/master/vmseries-ARM4interface     My template creates 4 interfaces but eth3 does not get assigned. I have not found out why but have found a work around in powershell to get the interface attached.   Powershell = PS ps>  Install-Module -Name AzureRM   Login-AzureRMaccount   Get-AzureRmNetworkInterface -ResourceGroupName "{your RG name}"  Save the VM you want to add the vNic to a variable $myvm = Get-AzureRmVM -ResourceGroupName {your RG name} -VMName {your vm firewall name} Get the network interface Location ID information for the vNic you want attached to firewall  example (/subscriptions/{your subscription number}/resourceGroups/{your RG name}/providers/ Microsoft.Network/networkInterfaces/fw-eth3) Add vNic    Add-AzureRmVMNetworkInterface -VM $myvm -Id "/subscriptions/{your subscription number}/resourceGroups/{your RG name}/providers/ Microsoft.Network/networkInterfaces/fw-eth3"   Update VM with new vNic Update-AzureRmVM -ResourceGroupName "{your RG name}" -VM $myvm  Start VM   Configure IPv4 address and zone on firewall GUI ... View more

Hello MCPcAdmin, Firewall-policy migration can be a challenging task, and is most effectively accomplished with professional services assistance from Palo Alto Networks and a network of solution partners, who can guide you though the migration process using a combination of automated tools and best practices. There is a guide available and video tutorials.  The tool is not supported by TAC, but is community supported Migration Tool 3 Info and Guide Refer to the following resources for additional information: For support, Please remember the TAC does NOT support this tool. This tool is supported through the Palo Alto Networks Community. Refer to the following link to get the discussions page where you can look for info and post questions if you cannot find what you are looking for: Migration Tool For information on the additional capabilities of Palo Alto Networks firewalls and for instructions on configuring the features on the firewall, refer to the live homepage at: https://live.paloaltonetworks.com/welcome The following post offers training for partners: Migration Tool 3.0 Training ... View more

Hello Mandar.Kulkarni, Three different options to view configured network interfaces: (to see management interface ip address use >show system info) > show interface all >show config running xpath devices (will start at network interface config) (to view config in set format) > set cli config-output-format set > configure # show network interface # exit > set cli config-output-format default ... View more

Hello czetazate, Creating a Certificate Profile Device > Certificate Management > Certificate Profile Use CRL Select the check box to use a certificate revocation list (CRL) to verify the revocation status of certificates. Use OCSP Select the check box to use OCSP to verify the revocation status of certificates. note: If you select both OCSP and CRL, the firewall first tries OCSP and only falls back to the CRL method if the OCSP responder is unavailable. Checking the "use CRL" option should be sufficient.  The caveats would be, that if the firewall can not get to the CRL imbedded in the certificate, it would be considered valid.  Also, if there is no CRL in the certificate, same behavior.  You can check your "service routes"(by default the MGMT port), and make sure that the firewall can get to the CRL to check the certificate status The certificate will usually tell where its corresponding CRL is hosted. You can find out from the cert where the CRL is hosted as follows: Ensure there is connectivity to the CRL link (check for general http/https connectivity, inline web proxies etc) If it is an http link, you can simply pcap on the mgmt interface going to the IP where the CRL is hosted to check if the CRL is being downloaded or not. > debug sslmgr view crl [CRL URL] > debug sslmgr statistics sslmgr statistics              Count ------------------------------ ----------- Cert-status request lost       0 Cert-status request received   0 Cert-status request processed  0 Certificates revoked by CRL    0 Certificates revoked by OCSP   0 Certificates confirmed by CRL  0 Controlling GlobalProtect VPN Access with OCSP How to Configure an OCSP Responder ... View more

Hello rvandergrift, You would need to apply an application override. How to Create an Application Override Policy How to create an application override for FTP ... View more

Hello kk555, Currently the Maximum that can be set is 30 seconds as you have stated and can not be bypassed. You can contact your SE to vote on a Feature Request that is open to Extend the RADIUS Timeout to 90 Seconds. ... View more

Hello marce1000, Currently not able to monitor logical tunnel interfaces with snmp. You can reach out to your Sales Engineer to request to vote on the following Feature Request. FR ID: 1054 - SNMP MIB variable for IPSec VPN tunnel status FR ID: 1095 - Allow SNMP monitoring of VPN tunnel bandwidth ... View more

Hello mrsoldner, I was able to confirm couple of things. - mrsoldner hitting Bug# 57763 - workaround is to define explicit "alert" instead of "default(alert)" for WF Action - permanent fix is in PanOS 5.0.10 Regards, David ... View more

Yes, the 2 VRs would need to have 1 physical interface each assigned for connectivity. ... View more

Can you create a test rule to allow zones inside to outside destination address = 107.14.166.72 application = Any service = Any? If this allows emails to go out may need evaluate what ports are being used. ... View more

For more information on 802.3 specifications, refer to the following: IEEE-SA -IEEE Get 802 Program - 802.3: Ethernet Cannot Commit when Interfaces are Set to 1000/full Autonegotiation is a requirement for using 1000BASE-T [11] according to Section 28D.5 Extensions required for Clause40 (1000BASE-T). [12] At least the clock source has to be negotiated, as one endpoint must be master and the other endpoint must be slave. ... View more