About aleksandar.astardzhiev

Hi @securehops, No. You don't need to select any of the "Management Options", if you already have Panorama deployed and licensed. Central management or logging does not require additional license or subscription. So it is not required when you are calculating your Software NGFW credits.   You should select Panorama (or Statra) only if you plan to deploy freshly new Panorama. Those options are primarily targeting someone who is about to deploy completely new solution with central management/logging and firewall. In your case you don't need any of those. ... View more

Hi @ciscojuniperf5 , Two important notes that you need to remember for PAN QoS - Traffic is "labeled" with class4 by default, if no class is explicitly assigned to the traffic. - QoS is applied on egress only. Which means if you want to limit download from public internet you need to apply the QoS profile on the inside interface (when traffic egress from the firewall to the user). If you want to limit/shape the upload to public Internet, you need to apply the QoS profile on the outside interface (when traffic egress from firewall to Interne) It is not clear which is your public interface and which internal, but I would guess (based on the sub-interface to Veem) that eth1/6 is your inside interface, which means that applying a QoS there will shape/limit the download from Internet. If am understand you are trying to limit the upload from Veem to Wasabi, correct? If that is the case you need QoS interface for your public interface. Under the Clear Text Traffic tab, configure the same rule - where you use 1/6.201 as source and Veem QoS profile. This will tell the firewall to apply the Veem QoS profile when traffic is sourced from eth1/6.201 and egressing to public internet. Note that - "Default Profile" under the QoS Interface is the profile that will be applied the traffic that is egressing this interface and does not match any of the "rules" under the Clear Text Traffic tab.     ... View more

Hi @D.Verma502651 ,  There is one "quick and dirty" way to achieve what you want, without any scripting or API. Little fun facts first: - PanOS is utilizing the "less" pager when showing any file (being log or config file) - less has a build-in feature that allow you to show only the lines of the file which match a given pattern - https://man7.org/linux/man-pages/man1/less.1.html  &pattern Display only lines which match the pattern; lines which do not match the pattern are not displayed. If pattern is empty (if you type & immediately followed by ENTER), any filtering is turned off, and all lines are displayed. While filtering is in effect, an ampersand is displayed at the beginning of the prompt, as a reminder that some lines in the file may be hidden. Multiple & commands may be entered, in which case only lines which match all of the patterns will be displayed. In a nutshell you have "grep" capabilities for the config file right in the firewall.   Armed with this information you could: 1. Login to Firewall/Panorama CLI 2. Set the config output to set user@My-PAN-FW> set cli config-output-format set 3. Enter configure mode and climb the configuration hierarchy # For Panorama [edit] user@My-Panorama# edit device-group My-PAN-FW pre-rulebase security [edit device-group My-PAN-FW pre-rulebase security] user@MY-Panorama# show # For Firewall [edit] user@My-PAN-FW# edit rulebase security [edit rulebase security] user@My-PAN-FW# show 4. As your firewall policy is longer than your terminal the output will be presented by the "less". While inside "less" you enter the "&" followed by the pattern you search. In your case you look for all rules that are disabled  &disabled\ yes Above will return all lines where the "disabled yes" is found. Since the output is in set format the name of the firewall rule will be in the same line.     ... View more

Hi @HindraHindra , Broke VM will always initiate connection to the cloud. Meaning it will only generate outbound traffic. You don't need static NAT as there will never be inbound traffic from XDR cloud to your broker VM. ... View more

Hi @Ahmedeid , Although Expedition tool is officially EoL you can still consider using it. https://live.paloaltonetworks.com/t5/expedition/ct-p/migration_tool With Expedition tool you should be able to import the config from the old device, make the necessary change and export it for the new firewall.   ... View more

Hi @Y.Choi597679 ,   ACC tab will provide summarizade information for the timeframe defined on the top left While the Session Table view will show you the existing sessions that are currently passing through the firewall. Even if you decrease the time window for the ACC tab it still will show aggregrated/summarized information. So it is very likely that at this moment you have 1million conccurent sessions, but for the last 30mins they were 4milion ... View more

Hi @DJ_1924 , The DNS failover suggested by @TomYoung and @jpomachagua  shouldn't have any effect on the SAML authentication, as all comes down to the fact that both portals will be using same FQDN.   ... View more

Hi @Naga_Chaturvedi ,   According to the documentation this feature is supported only on Windows and MacOS To reduce the security risk of exposing your enterprise when a user is off-premise, you can force users on endpoints running Windows 7 or Mac OS 10.9 and later releases to connect to GlobalProtect to access the network. https://docs.paloaltonetworks.com/globalprotect/10-1/globalprotect-admin/globalprotect-portals/enforce-globalprotect-for-network-access ... View more

Hi @glennne , What do you mean by "verfied the settings"? In my previous post I have tried to explain why this is expected behaviour if you have two default routes with different metric and/or ECMP is not enabled.   Can you share little bit more of your configuration? ... View more

Hi @SupportSPOC , As part of GlobalProtect Gateway config,  there option to tell the client to cache the username and the password (or only username or disable credetials caching).   As mentioned here - https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cm6MCAS cached credentials are saved in the Windows Credential Manager.   I am only guessing that after update of the GP client, the cached credetials are no longer considered valid. For that reason user needs to enter the password again. If you haven't change the settings on the firewall, it should cache the credentials again and remember them for subsequent logins.   Unfortunately users will need to enter the password at least once after update ... View more

Hi @DRAGONTATTOO , You mentioned IPv6 at the end... And you said GP is connecting successfully when your corp laptop is connected to iPhone hotspot. Does your iPhone hotspot give you IPv6 address or only IPv4 or both? On your corporate laptop can you run the following in PowerShell, what is the output? Get-NetAdapterBinding -ComponentID ms_tcpip6 | Format-Table Name,ComponentID, Enabled Above should list all of your interfaces and if IPv6 is enabled or disabled   Previously it was best practise to disable IPv6 on the corporate device, because the VPN solutins and the firewalls (and the network administrators) were not prepared for IPv6 or dual-stack and having IPv6 enable while your VPN tunnels only IPv4 provide an easy way for the traffic to bypass the VPN tunnel.   More Internet providers are adopting IPv6 and home router either provide IPv6 only or dual-stack. If your company is strickly disabling/preventing IPv6 this could be causing issues for the GlobalProtect.   But this is little shooting in the dark. Can you try again in PowerShell: - "nslookup google.com" what is the output? - "nslookup <globalprotect portal>" what is the output? - " ping -f -l <xxxx> google.com" where <xxxx> is number between 1400 and 1200. Start from the top and if you see "Packet needs to be fragmented...", decrease the value and try again until you see "Reply from...". What is the max value before you see replies? - Check the content of this file, scroll to the bottom and check the last 10-20 lines - "C:\Program Files\Palo Alto Networks\GlobalProtect\pan_gp_events.log". Can you share the content You many want to obfuscate the any IP address or GP portal hostnames from the above outputs before sharing ... View more

Hey @Michaeleddinger , Unfortunately GlobalProtect does not really provide a way to block users to connect to the VPN based on host compliancy check. However you can use the HIP profiles to define host compliancy check, including the version of the GlobalProtect app - HIP Objects General Tab (paloaltonetworks.com)   As mentioned, using HIP user will still be allowed to establish tunnel (after successfull authentication), but once connected GP client will submit a HIP report with host information. With HIP object and HIP profiles, you can create firewall rules matching these users with older version and restrict or completely block their access.     ... View more

Hey @M.Bathgate ,   Can you share the full custom vulnerability obect that you have created? Are you using any Context Qualifiers (paloaltonetworks.com) ? ... View more

Hi @djohnson229 , As far as I am aware you can use Panorama to redistribute user-to-ip mapping, but not for group mapping. For user-ip mapping you can redistribute the information from one of the firewalls to the Panorama and let the other firewalls to get user-ip mapping from the panorama (instead  of connecting all firewalls between each others)   But for group  mapping I don't believe it is possible, you will need to connect each firewall to the CIE. ... View more