About ericgearhart

gafrol would you care to provide some details of your implementation? PA 5000s? IPsec tunnels? HA? GlobalProtect? What all are you using? Are you taking advantage of the new DNS blackholing? ... View more

Frank the recently released 5.0.11 fixed some serious issues in 5.0.10's handling of HA. I pushed my PA 4020 to 5.0.11 today, so I can't speak to 5.0.11's stability at this point. I would recommend you at least take a look at the fixes in 5.0.11.... there are some red flags in there that's making me avoid 5.0.10 like the plague. I thought that after a year of 5.0 being out and the tenth minor revision, Palo Alto would have it together in terms of release stability, but apparently not 😕 ... View more

ttl_expired if this question was answered to your satisfaction can you please mark answers as helpful and/or correct? It's good forum etiquette ... View more

Is there some reason you don't just also go add that IP to your externally facing interface on your PA? That way the PA should ARP out for it and things should work as you expect. Leave the default gateway alone and just add 6.6.6.5/28 to the outside interface. ... View more

I have pushed a PA 4020 that we have in tap mode (we throw a ton of data at it) to 5.0.10 and it's been solid. The User-ID agent was freaking out and reconnecting a bunch when we first did it, but that settled down. "Uptime    13 days, 19:56:25" on the PA4020 ... View more

Hithead - honestly I think the company presses forward with new features too quickly. It's the classic "engineering versus sales" argument... engineering wants things to slow down and stable off, sales wants new features that they can sell. GlobalProtect hasn't even stabled off yet and they're adding a mobile device management solution integrated into the firewall for example. I understand that features sell product, and sales drive profit, and if Palo Alto Networks isn't selling then they can quickly be bankrupt, but honestly I think they need to put the brakes on some. But what do I know, I'm basically just another engineer 🙂 ... View more

BobW - give it time. Wait till you have two PAs in an HA pair bouncing back and forth with dataplane restarts, or specific VoIP traffic triggering dataplane restarts once an hour, or specific instances where the PA built in DHCP server doesn't work. Or I'm completely wrong and PA ironed out all their QA issues and 6.0 will be a solid release out the gate. I'm waiting and seeing though. ... View more

darren.g yep, this whole thread is basically "preaching to the choir" for me ... View more

Thanks for dilligently chasing this down mikand ... View more

I have to admit I have installed 6.0 on a couple of lab devices myself, so I can't say I'm not helping finding the bugs. Hithead - why in the world are you using IE though? Is this some draconian thing at your work? Chrome or Firefox for PA all the way man... ... View more

@jmenon - Hi! You've come out to our headquarters before and we've expressed these views to you... honestly I don't need you guys to come out and talk to us, I just need the product to perform and be intuitive for users. Go copy the CheckPoint Endpoint Connect R73 client if you have to... that VPN client seems to be pretty intuitive for our users and has served us well. ... View more

You guys can go ahead and find the bugs... I'll be waiting about a year until PANOS 6.0.10 is out before we will move anything critical to 6.0 Or maybe we'll wait for 6.1.10... hmm. Decisions decisions. Hithead I believe you found a bug in the WebUI already didn't you? Self fulfilling prophecy there, no? 🙂 ... View more

So to reply to myself, I think Steven Puluka 's answer sufficiently refutes me saying that "EIGRP isn't proprietary" so it worked itself out! 🙂 ... View more

I understand the "open a case to get your issue resolved" way of thinking, and how customers don't have room to complain if they have not at least opened support tickets for the issues they're having, but far too often I've seen vendors of ours hide behind the "did you open a ticket?" mentality. At some point I have to decide that I am not the QA department for the product or technology in question (in this specific case, GlobalProtect), and essentially my company's security posture is better served if I redirect my energy into another vendor's product with less issues. We are there at this point with PA, with regards to the business need of providing remote access to our users as seamlessly and efficiently (and in a stable manner!) as possible. We have opened ticket after ticket with Palo Alto about GlobalProtect, but really at the end of the day PA has to conclude internally that they need a "do-over" and the client needs to be rewritten. I've already had GlobalProtect 2.0 crash and act weird on me on my Windows 7 VM... honestly was this release of GlobalProtect really worth a "2.0" designation or are we just doing version creep? I really was hoping that a user experience person would be called in and GloablProtect 2.0 would be reworked in a lot of ways and a lot of it would be rewritten with the user in mind. Again I was disappointed... ... View more