About Sly_Cooper

We faced similar issues again after upgrading Panorama to 10.2.2. If the issue is for Panorama, then before working on editing the configuration file, please try restarting the management service on Panorama. It solved issues for us when Panorama could not push config to the firewalls (Panorama version 10.2.2, Firewalls version 10.1.5) ... View more

One of my colleagues worked on editing the xml config and re-importing the config in Panorama. It resolved the issue. It was a hassle. Palo Alto needs to resolve this issue in the PAN-OS. ... View more

I tried the CLI option. I could see the hip-profile config for the rule, however, delete command does not have hip-profile option for removal. I replace set with delete and use the same config, then it complains about invalid syntax. Looks like a bug. ... View more

I am facing a similar issue, however for the Authentication rule. I tried it via CLI. I do see a hip-profile match, however, there is no matching option for the delete command. delete rules <rule-name> authentication-enforcement Authentication enforcement object to use for authentication. category category description description destination destination destination-hip destination-hip disabled Disable the rule from from group-tag group-tag log-authentication-timeout log-authentication-timeout log-setting Log setting for forwarding authentication logs negate-destination negate-destination negate-source negate-source service service source source source-hip source-hip source-user source-user tag tag target Target devices timeout expiration timer (minutes) to to <Enter> Finish input Here is config for the policy. set device-group <GROUP-NAME> post-rulebase authentication rules <RULE NAME> hip-profiles any   ... View more

@LAYER_8 Please check the accepted solution I posted. ... View more

@lychiang - Somehow the last export from Checkpoint worked and the tgz had all required files. I was able to import the config in the Expedition tool. Thank you! ... View more

I have no experience working with Checkpoint firewalls. I am working on migrating Checkpoint to Palo and, got the tgz and routes.txt with the help of current admin. When I try to import the config, the import progress shows the error "NO INDEX FILE FOUND". How can I fix this? Thanks in advance. ... View more

@BPry - Okta SAML profile (Imported) - Authentication profile using the Okta SAML profile - Captive portal using Okta SAML profile (redirect mode) - Authentication policy, trust -> untrust -> http, https, tcp/3389 services -> default-web-form - Security policy allowing required traffic   I also tried using a custom authentication object by cloning default-web-form and configured it to use Okta SAML authentication profile, and using it in the authentication policy.   The issue is not with the authentication policy. If I remove user-id agents from the vsys, the firewall does not have user to ip mapping and the authentication works as expected. The authentication is not triggered when the user is already known via user-id agents. It does not trigger network MFA. I hope this explanation helps.     ... View more

Where do you get the value of "CustomerName" in the request to get the JWT? ... View more