About rabolfathi

Let's say you have an interface for untrust zone, another for trust zone, a third for wifi, and a fourth for DMZ.  Seems you want to be able to use QoS on all interfaces but not mess with DMZ.  The process is to setup QoS on each interface with no limitations, so it functions as a monitor.  Then use the QoS levels as buckets to hold your apps (see below).  Finally, apply the actual caps to the QoS profile.   There are a couple very good articles describing in detail how to setup QoS.  Here is a quick summary of what I would do in your situation:   First define QoS profiles for each zone, with a max set to 1000, and define the levels such that each has a guaranteed min of .01 & max of 1000.  This setup allows you to begin monitoring the traffic on each interface.  Once you apply each named policy to each interface (Trust-profile to Trust interface, etc.), you'll notice that all the traffic is in the default level 4.  The next step is to actually control the traffic. So set levels 1-3 as bogus stuff, and levels 5 & above as time-sensitive and critical.  Leave Level 4 alone, since that is your normal business traffic and catch all. For example, level 1 can be reserved for "games" and the highest level for "VoIP" - Using just this simple Q0S profile example, apply it to the Trust Interface and monitor QoS in the Network tab.  You'll see the actual usage of these apps that you defined for each level.  Once you understand what bandwidth the applications are actually using, go back to the profile and in the coresponding level, set a max limit for the bandwidth.     By defining separate QoS profiles for each interface, you can monitor them all, with minimal configuration. Customize the profile assigned to the interface you want to manage, and you can actually control the traffic. ... View more

I ran into a similar issue with Cisco ASA.  IPSEC tunnels have been around for a very long time, and as long as you are very specific about the proposals and all the rest, it's solid. So  I doubt the issue is with the IPSEC-tunnel setup on the client-side.  The Microsoft-side is a different story, since you have no visibility whatsoever.   First, verify that your onprem/azure network definitions match exactly on either end of the tunnel. Next, count how many networks you've defined for your onprem side.  Microsoft has a very poorly documented artificial limitation on the default number of networks you can define for onprem. It's something like 25 or 50.  So, if you have more subnets defined, then you will experience random disconnections.  The tunnel itself wil be up, but you won't be able to reach anything for anywhere from 1-15 minutes.   Good luck! ... View more

Don't do it withouth checking to see if PA fixed the NTP bug.  The issue is that if the time is off, you will get kicked out of the management GUI after a few seconds.  Also, run show NTP server to verify that you're actually connected. ... View more

Two suggestions:  First, don't use application as a matching criteria in PBF.  As you indicated, it needs to look at some packets before it determines the application, by which time it's too late.  Instead, just use source & destination.   Second, if the fix above works, then your traffic monitoring rule should see that the ISP is down and automatically switch to the second ISP. ... View more