About gwesson

The testing you are doing is flawed, at least when compared with a full traffic test. The reason is based on the number of sessions and how they are handled within the dataplane of the firewall.   If you're using a single download from your browser, you are only using a single TCP connection to actually get the content. You'll have multiple connections when browsing the site, but that one object being downloaded is limited by many factors.   If you had 50 PCs downloading 50 different objects from different servers, then you'll have a much more accurate test. Sessions can be distributed across dataplanes and cores, for example. ... View more

@JesseWilson here are the changes to default behavior: https://docs.paloaltonetworks.com/pan-os/8-1/user-id-agent-release-notes/user-id-agent-8-1-release-information/changes-to-default-behavior.html   I'd actually recommend going through all the release notes for it if you're also jumping from 7.0 to 8.1. The primary release notes for the User-ID Agent 8.1 are: https://docs.paloaltonetworks.com/pan-os/8-1/user-id-agent-release-notes.html ... View more

There are a couple approaches you can take. There are likely other options but these are what jumps to mind.   1. Bootstrap the firewall using USB: https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/firewall-administration/bootstrap-the-firewall.html   2. Load a partial config that contains the Panorama IP: https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-cli-quick-start/use-the-cli/load-configurations/load-a-partial-configuration.html ... View more

8000 ms is the correct default value, which is also the lowest it can be configured to use.   You can confirm on your own device with the following op command:   > show system state filter-pretty cfg.ha.limits.timers The results may look different depending on the version of PAN-OS you're running, but you should see a "hello-interval" with the values either way.   Looks like the training needs an update to reflect the correct default. ... View more

To answer the one can be answered: MOBIKE is not supported with PAN-OS as an endpoint.   Whether it will ever be supported is not something you'll get an answer to here. Anyone that knows about future plans within the roadmap wouldn't post it to a public(ish) forum. You can contact your reseller/integrator/sales team who can either put in a feature request, or vote on it if there is one already submitted for MOBIKE. ... View more

Gotcha. If you already paid for the license and it's not showing up, there may be a way to link them. For that, you'll likely need to work with support directly. Lab devices have separate licensing, but I am ignorant of how the DNS Security license is sold/provided to those devices.   If you have not purchased the license for that, then you would want to work with your account team or reseller/integrator to do so. ... View more

DNS Security was introduced in 9.0, so if you last checked your licenses before the upgrade it wouldn't include that one (8.1 and older wouldn't know what to do with that type of license).   In the GUI, go to Device > Licenses, hit Check Now to see if you now have the DNS Security license. In CLI enter: request license fetch ... View more

Yes. On the firewall, you can disable the Policy and Objects (Device > Setup > Management > "Panorama Settings" section). You'll be given an option to import the Panorama items locally.   ... View more

The rules are greyed out only because they came from Panorama, and to indicate that they can only be modified on Panorama instead of locally on the firewall. Generally you don't want a local firewall admin to override the rules from Panorama.   Once those rules are committed to the firewall, they are part of the configuration. Connectivity to Panorama is not needed to maintain the function of the rules. If you lose connectivitiy to Panorama, the rules stay in place but you won't be able to modify them until Panorama reconnects.    You can still add/remove/change policies on the local firewall itself, but not the rules pushed from Panorama. ... View more

If you're not interested in root cause or a real solution and just want to get past this issue, you can try a commit force from CLI or if you want to be even more aggressive you can restart the management plane (debug software restart process management-server).    8.0.8 is about a year old and is also 8 maintenance revisions back. There aren't any clear fixes in the release notes that account for this specific behavior, there are several medium- and high-priority vulnerabilities fixed since then it may be worth upgrading first to see if the issue is resolved. Doing the upgrade also does a system restart and a commit, so you can get up to a more current version and try the debugging steps above at the same time if you're able to upgrade. ... View more

You'll want to configure HA1-backup using a different path: https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/high-availability/ha-concepts/ha-links-and-backup-links   The backup will ensure the firewalls stay in HA even if the primary HA1 link is disrupted. Ideally you should connect the two firewalls directly on HA1, which would eliminate the switch link as a failure point. ... View more

Nope.   Only one at a time through the session browser. You could also do it using the CLI command with XML-API (or REST API on 9.0), but not the GUI. ... View more