About Brandon_Wertz

@ssingh wrote: Hi All,   10.1 is going to be EOL in Dec-2024 and if we plan to upgrade on palo alto preferred ver 10.2 then There is a risk that the firewalls may experience significant issues ("popcorn effect"), potentially causing major disruptions to business operations like MFG, RDC, and RND.   Anyone has any update or having the same problem? we are waiting for stable ver 10.2 but palo alto have not released any stable ver with no issues. Please advice? @ssingh -- For myself as a longtime Palo customer I plan to upgrade all our 10.1 firewalls to 10.2.11, which is reported to be a stable release.  Then stay on 10.2.11 until an 11.1.X version is out and stable (preferred.) ... View more

We've hit multiple bugs on 10.2.X.  Supposedly 10.2.11 is going to be a "Major" release which will bring increased stability to the code train.   Recently my company hit a user ID bug twice where the IP to user-id mapping was wrong, which in turn causes incorrect security policy to be applied.  It was identified as PAN-239366 which is fixed in these versions:  "11.2.0, 11.1.3, 10.2.10, 10.2.11, 11.1.5, 10.2.4-h19, 12.1.0, 10.2.9-h9"  (List I got from TAC, that said they didn't indicate an 11.0.X version which seems weird.)   There is a work around for this, which is to restart both firewalls (obviously very intrusive) or running this command "debug software restart process log-receiver."  I'm not certain of the impact of that restart command. ... View more

@EdmarFrancis wrote: Hi everyone, Greetings! PA-1410 11.0.4-h1 I have a bit odd issue, the traffic log (ip address) is showing a local firewall account as the source user but when checking the user-mapping (show user ip-user-mapping ip) or User-ID log was mapped to an AD-user. Is it possible for the local firewall account to show as a source user? is it possible that this is just a GUI bug? deleted the local firewall account and seems to have the issue fixed. @EdmarFrancis I know you mentioned deleting a user fixed your issue, but i have hit a user ID bug where the IP to user-id mapping was wrong.  It was identified as PAN-239366 which is fixed in these versions:  "11.2.0, 11.1.3, 10.2.10, 10.2.11, 11.1.5, 10.2.4-h19, 12.1.0, 10.2.9-h9"  (List I got from TAC, that said they didn't indicate an 11.0.X version which seems weird.)   There is a work around for this, which is to restart both firewalls (obviously very intrusive) or running this command "debug software restart process log-receiver."  I'm not certain of the impact of that restart command, so I would advise reaching out to TAC to confirm if you're hitting this bug or run the command in a maintenance window. ... View more

@JordanRamos wrote: Good morning, I hope you can support me, do you know how long it takes for an RMA team to arrive, with a premium license? RMA Team?  -- You mean RMA replacement gear?  A new piece of equipment typically arrives next business day (NDB) with premium support. Premium License?  -- You mean premium support?  Licenses are features or subscriptions for the various Palo Alto products.     If you have a support case, the TAC person assigned to your RMA should be able to give you the tracking number which should give you an estimated delivery date. ... View more

I would agree with @reaper and where he is likely going.  You mention the advertised throughput capacity of the 3260 being substantially lower than the 40Gb transceiver speed, but just because you have network connectivity of 40Gbps doesn't mean there's actually traffic coming to the FW of that or even close to it.   While Palo Alto advertises a certain throughput limit for it's hardware that number is a factor of probably 100+ different variables.  In some situations the hardware might be able to do double the advertised throughput or in some cases you might only get 1/4th.  The max throughput number is simply a guide customers can use to help gauge the relative performance they could expect from a certain hardware model.     --edit-- shared the hardware specs of the 3200/3400     As an FYI the 3200 hardware platform is being EOLd and replaced with the 3400s.  You can see from the specs the 3400s performance is substantially greater than the older 3200 generation.         ... View more

@SuperMario wrote: I experienced a similar issues in two scenarios 1) while using GP 6.1.x. 6.2.2 has been very stable. 2) When a proxy intercepts the connection.  You might need to check if there is a proxy and the proxy logs or take a pcap to check if something is intercepting your traffic. If none of the above, the pcap and gp logs should help TAC to figure out what is going on. For your 6.1.X code were you using 6.1.5?  We have some Mac users that were on 6.1.1 that experienced issues, but pushing them to 6.1.5 has been stable for our Mac users. ... View more

@Nileshapatil wrote: Ok thanks, Will update you once we attempted the swap I want to clarify something @OtakarKlier mentioned. IMO, you do NOT want to move the cables one at a time.  Doing so will likely split an active port-channel leaving 1 cable behind connected to the 3020 you're replacing (Which means both the 3020 and the 3410 will be active creating a split-brain scenario):     I'm currently going through a hardware swap of 3410s for 3220s.  To accomplish this we're taking the passive 3220 offline.  Then when ready taking all active connections away from the "active" 3220 and moving them to the corresponding 3410 all at once.  Doing this will create a brief outage for the service provided for the 3020/3220, but it's the cleanest and quickest way.   There might be a scenario where you can move a cable one at a time from the hardware being replaced by new, but that will involve a lot more detail than a high-level plan any of us have shared here. ... View more

@ChrisDean wrote: When I go to Updates --> Software Updates --> I don't have the PAN-OS for VM options. I only see PAN-OS for the actual FW hardware that I have in my DC's.  I want to setup a lab and need a VM, where do I get it? On the customer support portal, although you'll probably need virtual credits or an eval license to get the VM to work.  (There's a whole process to get VMs to work, it's more than just downloading VM software):     ... View more

@Sarou22 wrote: Bonjour, Pour accéder au ressources internes il faut configurer un portail sur global protect. Pour monter un tunnel ipsec, il faut d'abord se connecter à une gateway qui se trouve dans le cloud prisma ( la gateway la plus proche de ta localisation) C'est pour cela que je demande quelle IP doit on renseigner comme IP de gateway lorsqu'on configure le portail global protect dans prisma? This sounds like something that should have been known to you when you stood up your Prisma Access connection.  Your typically don't connect to an IP address, but rather a DNS entry in front of an IP.   From my experience the customer gives Palo Alto the desired DNS entry and Palo Alto assigns the IP address.  With that said the IP address you're looking for should be given to you from Palo Alto.  No one on this community site can know or give you the Prisma Access IP assigned to your company. ... View more

@ksaifu wrote: Hello @jeff6strings , Good Day, We also just yesterday are having this same issue. I know its been a while, But have you been able to find a fix for it? Cheers. This is a pretty old thread, but reading through it, it appears that ultimately SSL decrypt (not using it) was/is the problem.  Ultimately if you're wanting to ensure correct security policy using APP-ID SSL decrypt is pretty much mandatory.  So "the fix" in this case is probably using SSL decryption. ... View more

@paIoaItonetworks wrote: Are there any cheaper alternatives of Data Lake? Let's say, our retention is 6 months and we'd like to store incidents and all related information for 1-2 more years somewhere else. Has anyone used/using something like that, e.g. Amazon S3 I'm not 100% sure if they're the same.  You talk about CDL logs, then also INCs.  If it's just CDL log retention you can log forward out of CDL to a different destination.  I'm not sure about INCs though, I assume you mean something from XSOAR or XSIAM?  If it's either of these 2 platforms I'm not sure about the export ability from these consoles. ... View more

@SaiTeja_1 wrote: Hello Brandon,   We are not using Expedition/ FireMon/tufin etc in our lnfra. Is there any other way (Manual/ Automatic) to identify all the traffic hitting the rule using Palo Alto GUI through logs etc..   I really appreciate your suggestion on this.   Short of what was already described your only way would be to create a custom report of the traffic logs for the rule.  Dump that report into excel and do that for a month's worth of data probably and do the review manually. ... View more

@BRasicot wrote: I am currently running two 1420 HA pairs at 2 different sites.   Current SW version is 11.0.4 h1.   I see newer versions of code out there such as 11.0.5 and 11.1.3-h1.   Questions: * Do I need an upgrade * What code should I go to * If 11.1.3-h1 is recommended, can I upgrade straight to it or do I need to first upgrade to earlier versions of 11.1.X * Has the 11.1.x been out long enough to warrant going to it or should I just go to 11.0.5? * Should I first upgrade the Panorama to what ever version is recommeded * All recommendations are welcome   Thanks a lot - Brian * Do I need an upgrade  --  That really depends on your organization.  Especially with newer Palo code I've found, "if it ain't broke, don't fix it."  That said if you're not on the current "preferred" code in the train you're running then maybe upgrade to that? * What code should I go to  --  Kinda same as above.  Typically best to run the preferred code on your existing train. * If 11.1.3-h1 is recommended, can I upgrade straight to it or do I need to first upgrade to earlier versions of 11.1.X  -- I'll take these two together * Has the 11.1.x been out long enough to warrant going to it or should I just go to 11.0.5? -- I'll take these two together   -- Take a look at the code sheet below.  11.1 is relatively new.  Unless there's a feature you have to have I'd stay on 11.0.X.  To answer your first question if you wanted/needed to jump to the 11.1.X train you only need to download the "base" 11.1.0 code then you can download/upgrade to the 11.1.X revision you wanted to deploy.   * Should I first upgrade the Panorama to what ever version is recommeded -- Yes it's always recommended that your Panorama version be at the same code or higher as managed firewalls.     ... View more

@ChrisWimpy wrote: Everyone is running 6.0.8.  Try running 6.0.10...It has a bunch of fixes that 6.0.8 does not. ... View more