About BPry

@Sec101, While I don't have any insider knowledge available on this topic, I'd be shocked if ADEM ever became available to on-prem deployments. While I don't see absolutely any technical limitations that would prevent making ADEM available to on-premise deployments without Prisma Access in the future, it appears that PAN wants to keep this functionality as a value add trying to get more organizations onto Prisma Access.  ... View more

@Momoj, From what you've described it sounds like you aren't using the management interface and you have a management profile setup on a loopback interface or another dataplane interface. Likewise, it sounds like you have a service route configured on the device, which would make sense if you don't have the management interface connected. If that's the case everything you described in your post makes sense. Service routes through dataplane resources aren't going to be accessible unless the device has the active role. Likewise access to the passive device isn't going to function if you are using a management profile on a dataplane interface. It sounds like everything you've described to this point is expected behavior working under the assumption that I've stated above.   If you actually have the management interface plugged in on both devices and you aren't using service routes, please report that. I'm making some assumptions based off of what you've said that may not be correct, but account for the behavior that you're reporting.  ... View more

@SIIX_Support, In addition to what @TomYoung already mentioned, have you verified that any service routes you have configured on the device were carried over if you're not able to download updates? Also take note that 9.0.0 itself had plenty of issues present, including several that directly addressed GUI issues specifically and an early bug in that code branch that had various issues with appweb that caused the interface to stop responding completely. I might try upgrading the device to 9.0.17 before attempting to downgrade to 8.1 again.  ... View more

@RickV2023, There's a few different ways you can go about this depending on exactly what you want to do. Seeing as one of the requirements here in this example is changing connection methods, you would have to do that aspect of things with at least a different agent configuration within the GlobalProtect Portal configuration. This will allow you to modify the connection method and modify the uninstall option for these external users, in addition to connecting them to a different gateway if needed. Likewise some people if they're only using an on-demand connection and don't have any traditional "internal" restrictions on their portal agent configuration might just create a different gateway for external users. This might drop these external users into a different zone or give them a set IP pool to utilize within the security rulebase.   In all how you configure this is really up to you and what you're actual requirements are for each group. I've seen some people utilize the same Portal and Gateway for internal and external users and rely solely on User-ID for limiting access to different resources. This isn't something that I would personally ever configure because it leaves open the chance that a simple misconfiguration allows these external users access to things they shouldn't have. I personally like putting all external users into their own zone as an additional security measure. That way the chance that a misconfiguration gives them too much access to any particular system is diminished within the environment. It doesn't make it zero obviously, but it just adds that additional limiting criteria.    If you open a new post about exactly what you're looking to do, I'm sure you'll get plenty of suggestions on how you can accomplish what you're looking to do.  ... View more

@BigPalo, You'll need at least a 2TB disk to a maximum of 24TBs of space. I can't really comment on recommending sizing as this is going to heavily depend on what you log and what your retention goals actually are.    https://docs.paloaltonetworks.com/panorama/10-1/panorama-admin/manage-log-collection/log-collection-deployments/deploy-panorama-virtual-appliances-with-local-log-collectors#idf8280ce5-544d-4e37-921b-88d022aab430 ... View more

@nivhovav, You might want to think about changing over to a certificate for the actual tunnel and then using an authentication policy to capture the actual login instead. This would ensure that the tunnel is always connected, while still giving you the ability to enforce user authentication to capture the user-id and access resources.  ... View more

I've never actually used it since any macOS environment since I've always deployed always-on with certificates, but the SSO functionality was enabled for macOS a bit ago. Not sure how well it actually works, but may be something to try.   https://docs.paloaltonetworks.com/globalprotect/5-1/globalprotect-app-new-features/new-features-released-in-gp-app/single-sign-on-sso-for-macos-endpoints ... View more

Did you attempt to do that in one jump? Similar to running upgrades, I would never recommend skipping a major code version when running a downgrade. If you did, the benefit is that you can likely use SWM to revert to your last install.    1) Run 'debug swm status' to verify the partition PAN-OS version and ensure that it's showing revertible. 2) Run 'debug swm revert revert' to revert the active partition to your old partition.  ... View more

@wiler121, If you qualify for Azure or AWS educational credits, you can use that to spin up an appliance in any of the public clouds and build out a test network. The educational credits will probably cover you depending on how long you need to work on things as long as you spin them down when not actively in use.   There used to be a free 30-day trial that you could sign-up for, but it appears like that now just links to the demos and that program might not be active anymore (there where more than a few people that had issues getting access to it, so may have been a support burden).    Past that if you absolutely need this to be GNS3 and you can't go the public cloud route for this project, just keep in mind that I absolutely would not recommend that you search for the file and validate via GNS3's correct MD5 hash to ensure it hasn't been tampered with. Nope that would be a terrible idea in a secured lab environment and wouldn't be recommended at all. In all seriousness without licensing that image isn't going to give you much from a functionality and usability aspect. It's just going to give you a chance to mess around the interface. You'd be better suited going through the process of paying for a LAB VM perpetual bundle through a VAR.  ... View more

@12345, What version of PAN-OS are you running? There's a somewhat recuring bug following commits where this can pop up. As long as it's transitory and it reconnects this isn't really that big of a deal.  ... View more

@KurtHinson, The 2021 signatures functioned fine for 2022 and I would assume that they'll continue to function for this year unless they modify things.  ... View more

@WingMak, I'm not exactly sure what you're asking. It sounds like you may be attempting to verify that a malicious file is going to be caught by the firewall, is that correct? Do you have a threat prevention license or WildFire license installed on your firewall?  ... View more

@DaveManDownThere, Whenever you're dealing with an issue on one device that's only present on one network, it's fairly safe to say it's a localized network problem. Doesn't really matter that it's worked for two months prior without issues or two years, it just tells you that it is a new issue instead of an existing issue. The best thing you can do is pull logs from the endpoint in question and review the PanGPS.log file; why is the agent dropping the connection? Do you see in your GlobalProtect logs that they're falling back to SSL? Do you have SSL fallback enabled, or are you seeing them constantly flap between SSL/IPSec?  ... View more