About Brandon_Wertz

 you can? How so? ... View more

Hello,   has someone ever experienced a similar issue? Are there any chance it is a HW issue or that could be solved by applying specific QoS policy for webex traffic?   Thanks in advance ... View more

@SebastianHermes wrote: Hi Matlat, we are experiencing the same issue. How could you solve it ?  My company used to have WebEx as our primary meeting platform. We really didn't have any issues, outside of the one off user complaints.  WebEx uses a bunch of different applications from a list of different IP networks.   I would first create an IP based rule that allowed "any application" over service "any" to the known Cisco WebEx IP networks.  Then after 2-4 weeks review the applications that matched the rule and create an application based rule above your IP (L3) based rule.  What I suspect is going on is you're probably not allowing the "stun" application or some other media based application which is causing your audio issues.  Following the suggested method above will be a much easier way of troubleshooting.  Only do this of course following your internal approval processes for allowing traffic through your firewall. ... View more

@rolinger wrote: We have a spirent connected directly to a PA-5450 to do load testing on the 100Gb ports.  The PA5400 has two NC cards (Slot 1 & 2) and then 4 DPC cards (slot 3-6).  The docs show that NC1 is logically mapped to DPC3, and NC2 is mapped to DPC4.  But there is virtually no mention of slots 5 and 6.  Are they auto assigned or do we have to manually map them to NC1 vs NC2?  Any insights on Slots 5 and 6 is appreciated.   Spirent Port 1 <-- 100Gb --> FW eth1/25 (Trust Zone) Spirent Port 2 <-- 100Gb --> Fw eth2/26 (Untrust Zone). QSFP28-CWDM4 optics being used   There is a single bi-directional policy SRC: trust/untrust  Dst: trust/untrust - with any/any/any across the board, no threat/virus/security applied to the policy, just straight throughput traffic at the moment.   At the moment we are only able to get 53Gb of stateful connections through the FW during load testing.  Are there any other FW configurations I need to be aware of or should consider to get the loads up to the 100Gb capacity?  Or any specifics we need to tweak in the test itself?     I don't have anything specific to point out to help get you to a better throughput, only to point out you might want to consider the type of data you're pushing through the box and also turn off DSRI to help create better throughput.  I would think you'd get a better throughput rate with UDP vice TCP also packet size of the traffic will also impact throughput performance.     It's probably going to be in your best interest to reach out to your account SE and walk through this with them as they'll be the best resource to work with you on what you're trying to accomplish. ... View more

@S.Ramesh960545 wrote: PA-5450   I need to enable the AI ​​Access feature, then the PAN OS requirement must be PANOS version 11.2.2-h1. Currently PAN OS uses 10.2.9-h1, then I checked in portal Preferred it is still 11.1.6-h3. Please confirm to Palo Alto best practice, which OS version should I upgrade to enable AI Access? Need to, or want to?  If you're doing this on a production environment I'd wait at least until there's a preferred version of 11.2.X before going to 11.2 on a production environment.  ... View more

@RobertShawver wrote: Is there a way to find out how many count against the max?  show system state | match cfg.general.max-address That will tell you that the max is 10000, but how can I find the number counting against that 10000? Can't you just look at the UI of that object group?  It will tell you what the count is.  Or platform object count are you looking to see your limits on? ... View more

@Al-Zuhri wrote: Hi,   How can we know the frequency release version of PAN OS? Or just wait for new info on software release guidance eg version 10.1.14-h8 Version Represents Frequency 10 Major Version   1 Minor Version   14 Maintenance   H8 hotfix (urgent fix on introduce issued)     Thanks in advance! In the past there was a loose cadence of ~every 6 weeks for a "minor" / "patched" / "X" (a.b.X) release.   It's my understanding that "a" and "b" positions Palo considers them major releases where new features are released.  Typically the first or "a" release happens every 2-4 years and a "b" release ~ every 2 years.  Like Radio mentioned though, there's been a lot of churn from a firmware cadence in the past 3 years so the above hasn't really tracked. ... View more

Hello, Or is you send logs to a SIEM, you can alert that way as well, eg if an update hasnt installed in X time.   Regards, ... View more

@PaloAltorrr wrote: Could you update me please? I am unable to escalate. You're unable to "escalate?"  You have a support case open and TAC isn't working with you?  Based on your original post it looks like your firewall is having issues communicating with Palo's support portal given you have messages for multiple dynamic content packages not receiving updates.  I would ensure the firewall has connectivity to the Internet, or open a support case like the error messages suggest. ... View more

This topic/feature has been bugging me for two years.  I am not a firewall guy by trade, but I have been learning a great deal because I have to administer Palo Alto firewalls.   Thanks Gwesson! ... View more

Yes, this seems to be very confusing in the documentation. As far as I have been able to determine and tested, there are 3 different methods of authentication which can not be interchanged in an authorization sequence: Certificates, SAML, and User/Password (via AD/LDAP/Radius/etc.).   This is because the 3 methods occur at different points in the client connection. The certificate authentication happens during the initial SSL/TLS and webserver connection. The SAML authentication happens after connection is established and the server requests an authorization token before fulfilling the web request. The User/Password is after the client has connected, requested a page, is sent a login prompt, and has replied with a credential set.   As you can't send a SAML token before you have established a certificate-verified web connection, and you can't submit user/pass responses before you have SAML-token-verified web request, you can't intermix these authentication methods. The AD/LDAP/Radius authentication sequences works as the client connects, is sent an authentication page, and returns a user/pass credential response. The PA can then test that single response against multiple authentication servers in the authorization sequence. Certificates and SAML don't use user/pass credentials. ... View more

Hi All!   Thank you for sharing your ideas and thoughts.   @Brandon_Wertz  we do have a ISE device that we use for our Cisco devices currently. I wasn't sure if ISE would work with other manufactures but to be able to restrict to specific commands makes this the ideal way. @nohash4u I did go looking down the API rabbit hole but was unable to find the proper command to view and clear the table. @BPry We have the script created already and the permission part is the last step. We have tuned it at this point as well and not seeing as many as we were when first implementing. Since we already have an ISE device this will definitely be the best way to go.   Thanks again for the replies they were much appriciated.   Ed ... View more

@OtakarKlier wrote: Hello, I cant recall ever seeing an issue with either when upgrading a PAN. Both hold to pretty strict standards. SSH https://datatracker.ietf.org/doc/html/rfc4253 ARP https://datatracker.ietf.org/doc/html/rfc826   Regards, @OtakarKlier -- Palo has actually has such an issue when we were upgrading to a 10.1.X from a 10.0.X we had "weird" traffic not working issues.  In the end, it was because we had our NAT rules setup wrong.  Prior to the upgrade from 10.0.X to 10.1.X traffic worked just fine with the firewall matching traffic to the NAT policy, but in 10.1.9 (mid code) they changed how the device functioned regarding ARP (Ours was a single VR, not dual):   ... View more