About aleksandar.astardzhiev

aleksandar.astardzhiev · ‎06-13-2021

Hi @Srikant , The only command you must remember working with Palo Alto FW is: find command keyword <keyword> user@Panorama> configure Entering configuration mode [edit] user@Panorama# find command keyword master show device-group <name> master-device set deviceconfig high-availability election-option timers advanced additional-master-hold-up-time <0-60000> set device-group <name> master-device set device-group <name> master-device device <value> set device-group <name> master-device vsys <value> set device-group <name> master-device sync-group <yes|no> set template <name> config shared admin-role <name> role device webui device master-key <enable|read-only|disable> set template <name> config deviceconfig high-availability group election-option timers advanced additional-master-hold-up-time <0-60000> set template-stack <name> config shared admin-role <name> role device webui device master-key <enable|read-only|disable> set template-stack <name> config devices <name> deviceconfig high-availability group election-option timers advanced additional-master-hold-up-time <0-60000> set shared admin-role <name> role panorama webui device master-key <enable|read-only|disable> set shared admin-role <name> role panorama webui panorama master-key <enable|read-only|disable> set shared admin-role <name> role panorama contextswitch device master-key <enable|read-only|disable> set shared admin-role <name> role device-group webui device master-key <enable|read-only|disable> set shared admin-role <name> role device-group contextswitch device master-key <enable|read-only|disable>

aleksandar.astardzhiev · ‎06-12-2021

Hi @khsieh , My suggestion would be simpler: - Prepare your configuration with text editor (ex. notepad++) in set format - Login with SSH to your Panorama that is managing the targeted FW. - Just copy/paste the set commands through the SSH session. - Review your changes via the GUI, if everything looks ok, commit and push Configuring network interface ip over CLI is pretty much exactly the same as if you do it directly on the FW. The only difference is that on Panorama the set command needs to refrence the template assigned to that FW. Full command would be: # set template <template-name> config network interface ethernet ethernet1/1 layer3 ip 1.1.1.1/29 Optional you can move # edit template <template-name> config // this will place you in templace configuration so your every set command doesn't need to referecen it and you can simply # set network interface ethernet ethernet1/1 layer3 ip 1.1.1.1/29 //repeat this for every interface you need to change

aleksandar.astardzhiev · ‎06-12-2021

Hi @Joni_Larned , This is the whole purpose of "SSL/TLS Service Profile". - You select a certificate in the service profile and use this profile everywher you need. - When you need to renew/change the certificate you change it only in the service profile, which apply to all locations where this profile is being used. In addition - you cannot refrence certificate anywhere except ssl/tls service profile. So you don't have to worrie that you need to change the certificate anywhere else. So what you need to do is: - Find the ssl/tls service profile which is using the certificate that needs to be replaced - Edit it and select from the dropdown your new certificate - Commit and push config - You should be able to old ceritifcate now - (optional) now you can renew your new cert (removing "new_") name. This should automaticaly reflect in the service profile, but you can go and doublecheck if profile is using the update name. Commit and push to have it on the FW.

aleksandar.astardzhiev · ‎06-12-2021

Hi @GideonKonga , No difference at all.

aleksandar.astardzhiev · ‎06-12-2021

Hi @ChrisCon , It sound like hardware issue for me...Have you tried to power cycle (reboot) it again?

aleksandar.astardzhiev · ‎06-12-2021

Hi @SurajN , You must renew it before it expires. If expires and if you use default configuration (deny users to connect to GP portal with invalid certificate), none of your users will be able to connect to GlobalProtect. So you must renew it before cert end date. You can renew it when ever you want (one, two, three months before that), as long as you do it before it actually expires

aleksandar.astardzhiev · ‎06-11-2021

Hi @Gareth.Doyle , Apart from some scripting and API calls your only option is feature request.

aleksandar.astardzhiev · ‎06-10-2021

Hi @Palobeacon , Like @nikoolayy1 already mentioned I would suggest to get later version than 8.0 as there are lot of changes. But you want to stick with this version - Can you check if "Hypervisor assigned MAC address" is enabled - https://docs.paloaltonetworks.com/vm-series/8-0/vm-series-deployment/about-the-vm-series-firewall/hypervisor-assigned-mac-addresses.html As far as I remember this setting was not enabled by default in earlier versions (like 7.0 and 7.1) and I am not sure if they enabled it by default from 8.0 or it was from 8.1.

aleksandar.astardzhiev · ‎06-10-2021

Hi @DongQu , There are some gotchas when working with tunnel monitor, which is very crucial to remember: - Tunnel monitor are ping probes that are source from the ip assigned on the tunnel interface. - Those probes does not pass through any policy (that incluse nat and security) neither the routing tabel. Which means when you run the pings manualy they will match your NAT rule and the source will be NAT-ed behing the ip in your local proxy-id. In addition ping will check the routing tabel before being routed through the tunnel. - Source and destination of those ping probes must match your local and remote proxy. Because the tunnel monitor probes does not pass through the NAT policy the source is not matching your proxy-id and therefor it will be dropped by the IPsec tunnel. - The whole purpose of tunnel monitor is to "disable" the logical/virtual tunnel interface if the ping is failing. That is why you will see status as red, while phase1 and phase2 established. Because the tunnel interface is listed as down, the associated static routes will also be "disabled" and will be removed from forwading table (FIB), which will cause your manual pings to fail (no more route to destination) From what I understand you will hide your local network behind one ip address and list only this address in the proxy-id. In that case I believe it is more conviniant to assign the IP that you will use for source NAT to the tunnel interface. After that just change the NAT rule to use interface ip for the dynamic ip and port nat. This way the tunnel monitor probes will be sourced from IP that is part of the proxy-id without the need to add additional addresses to the proxy-id

aleksandar.astardzhiev · ‎06-08-2021

Hi @Himashukadam , What OS version and Application package version are you using?

aleksandar.astardzhiev · ‎06-08-2021

Hi @Mohammed_Yasin , Almost every time I have seen this behaviour it is caused by differences how the group mapping is reporting the users and how the authentication profile is logging the username - mainly in the domain. If your authentication profile is accepting only username (without domain) as user input, while the group mapping is returning domain/username. @Mick_Ball already give you steps how to check what format are you receiving from group mapping.

aleksandar.astardzhiev · ‎06-07-2021

Hi @A_Adamski , @nikoolayy1 has post a very instersting topic a while ago, you may want to check it https://live.paloaltonetworks.com/t5/automation-api-discussions/version-10-no-7-byte-limit-for-sinatures-examples-for-layer-7-l7/td-p/394734 It sounds like really intersting idea, but I personaly haven't any chance to try it.

aleksandar.astardzhiev · ‎06-03-2021

Hi @Dharmendra.Chaturvedi009 , The information you have provided is very limited and unclear. It would be useful if you share your current configuration. With provided information I am guessing that: - You have configured Custom URL Category listing all Google related URLs that you want to allow - You have URL Filtering profile which is blocking storage-and-backup category - You have create security rule which includes the custom URL category and assign the URL profile to it. You don't actually need to list the URL category in the security rule. If you put the URL category in "service" tab it will work bit different from what you expect. Putting URL category to the rule is actually putting new matching criteria for the rule - only if traffic match the URL then the action for the rule will be applied. What you really want is to override the URL Filtering security profile action for specific URLs only. To do that you need to edit your URL filtering security profile, add your custom category (the one defining google urls) and select action allow or alert (I would suggest alert to keep track of all urls that users are visiting, but this really depends on your deployment and business needs)

aleksandar.astardzhiev · ‎06-02-2021

Hi @SurajN , As any other vendor Palo Alto is using some kind of ip-geolocation database. There are countless reasons why this information could be wrong. It is regularely updated, but still is could have wrong information. If you are sure that this IP is located in India you can create custom region object listing the IP address/range. This will effectivley override the geo location for that ip in the FW internal db.

aleksandar.astardzhiev · ‎06-01-2021

Hi @JulianH, Fully aggree with @Remo. I will only add the possibility to reach the maximum capacity if the aggregated interface. You may want to consider QoS with separate profile for each sub-interface. Unfortunately here you have limit for of 32 different profiles for each sub-interface. Which means if you plan to go with applying QoS (which probably is good idea to limit the posibility one client to consume most of the interface capacity) you will be limited to 32 sub-interfaces.

Member Since	‎08-01-2017 11:18 PM
Date Last Visited	‎12-22-2025 12:06 AM
Posts	1,077
Total Likes Received	448

Online Status	Offline
Date Last Visited	‎12-22-2025 12:06 AM

Unlock your full community experience!

About aleksandar.astardzhiev