About dstjames

You need to provide more information. What error are you getting and what was changed?   ... View more

Where is this listed officially? On the cisco site they put a star next to the recommended code release but for palo alto I never really know what the recomended release really is until I call support and they say "your on an unrecommended release you need to upgrade."  ... View more

Support requested I upgrade from 8.1.1 to 8.1.5 because of an issue we had. I was really worried after reading this but so far I have had no issues with 8.1.5.   Just my 2 cents so far. 🙂   ... View more

Can we assume that HA1 on one device is plugged in directly to HA1 on the secondary? If so I also assume you  have replaced the cable just in case there is a cable issue?   I use the dedicated HA ports on mine but they are all set for auto/auto ... View more

I usually setup the hostname, management IP and HA information locally on each firewall then push everything else out from a single template to both firewalls.    I also have 2 templates that I have setup in a template stack. 1 that has basic configurations that I want all firewalls in the environment to have like NTP servers, logging servers, etc. Then I have a specific template for each HA pair in the template stack and push the template stack out to the firewalls. This way you can make sure that the common settings are applied the exact same to all firewalls in the environment but also maintain individual site settings.    Not sure if this is best practice but its how I configured it.  ... View more

I would check that it committed successfully. I remember when I first started using panorama I thought since I did not get an error that it committed and pushed correctly even though if you go in and check it my have failed for some reason.    ... View more

Not sure if its the correct way but the HA settings, the management IP, and the host name are the only things I do manually on each firewall rather than through panorama.  ... View more

Yeah 8.1.1.      ... View more

When I run this I get the following:   Server error : Failed to execute op command ... View more

We changed over to SFTP rather than FTPS and are much happier. The issue we had with FTPS is the random ports that are used were causing us issues.  ... View more

I had to setup u-turn for webmail access on our guest wifi network. The reason is because they are segregated from our internal network they use public DNS to go out and query the IP and get the public IP for e-mail rather than the internal. Then when the client goes out to this IP the internet would send it right back in the same connection and come back in. By default routers do not like to receive traffic that they send out the same interface. So the U-turn basically just tells the DNS query to use the DMZ IP rather than the public IP to get to this service.    This fixed the issue for us.  ... View more

I had similar issues when I moved from stand alone firewalls to panorama. It was a major pain but now that everything is moved over and I push everything out through panorama I love it.      ... View more

Thanks for the reply.    Yeah I put them in as different names.    If I go to the firewall directly rather than through panorama I do see that it installed both certs and both tls serivce profiles. Since these are technically both the same cert thats why when I commit its telling me I have a duplicate subject name.    Just not sure what the best practice is to use the same cert in both scenarios? I guess I could remove it from the default template and put all the cert settings in the site specific template. I was just hoping there was a better way.    ... View more