About aleksandar.astardzhiev

Hi @BatD , @Laurent_Dormond,   I am really not sure what is the maximum size that you can add - due to our limitation I haven't work with disk bigger than 2000GB. However reading the documentations I am not able to agree with @BatD:   Add a Virtual Disk to Panorama on an ESXi Server   In Panorama mode, you can add disk sizes larger than 2TB and Panorama will automatically create as many 2TB partitions as possible. For example, if disk sdc was 24TB, it will create 12 2TB partitions. These disks will be named sdc1-12.   Going back to your question - does Panorama allow extending the existing disk - I didn't manage to find any reference for this in the documents ... View more

Hi @LukaPecher,   My solution was to split the proxy-id into separate IPsec tunnel configuration. It may sound very confusing, so I will try to explain it as clear as possible: - You will need four ipsec tunnel - two tunnel to primary remote peer and two tunnel to secondary remote peer - First two tunnels must be assigned with same tunnel interface (let say tunnel.1) and same IKE gateway (remote peer) - Second two tunnels also must be assigned to same tunnel interface - tunnel.2 and same remote peer   - First primary tunnel will be configure with tunnel monitor enabled and with only one proxy-id that match the source and dest of the monitor - Second primary tunnel will be configured with tunnel monitor disabled and with as many proxy-id as you like/need, excluding the proxy-id configured in the first primary   Identical you need to configure the second two tunnels to the secondary remote peer.   So under Network > IPsec Tunnels you should have something like that:   That way the tunnel monitor will send pings only via the correct proxy-id. If the pings fail (for what ever reason), tunnel monitor will bring the logical tunnel interface. And because we are using the same tunnel interface for the second tunnel (to the primary peer without monitor), all the routes to tunnel.1 will be remove from FIB and traffic wil be redirected to secondary tunnel.     ... View more

Hi @Laurent_Dormond,   Hi big is actually your first disk? I am asking because Panorama has limitation that if your first disk is smaller than 2T you will not be able to attach additional disks:   Add a Virtual Disk to Panorama on an ESXi Server     In all modes, the first logging disk on the Panorama VM must be at least 2TB in order to add additional disks. If the first logging disk is smaller than 2TB, you will be unable to add additional disk space. Due to some limitation of the orchestrator we are using, we are able to attach only 2000GB disk to a VM. But since 2000GB is actually around 1.93T we were not able to attach additional disk to our Panoramas.   ... View more

@reaperam I missing something or the Panorama is not valid option here?   Even it is cluster setup (with config synchronization) Panorama needs to have access to both members. Dedicated Mgmt interface is not reachable so the Panorama cannot use that It is active-passive cluster so you cannot use service route through one of the dataplane interfaces. ... View more

@Venkatesan_radhakrishnan,   You need to verify the Phase2 setting on both devices - Sonicwall and Palo Alto. ... View more

Hi @R_Sharma,   If I understand your request (it is bit confusing because in the subject you are talking about source NAT, but then you say you need destination and at the end you actually need twice nat 🙂 ) you just need to specify the original source and destination in your NAT rule. Something like that:   "VPN-to-Server-A" { to Inside-zone; from VPN-zone; source Network_X; destination NATed_Server-A; destination-translation { translated-address Server-A; } source-translation { dynamic-ip-and-port { translated-address NATed_Network_X; } } service any; } You shouldn't need to specify NO-NAT rule for server B, because the above rule will only match traffic destine to Server A (or NATed Server A) address. However if you will feel more confortable you can configure separate NAT rule above the rule for server A. Specificy again source and destination and leave the translated source and translated destination as None: "VPN-to-Server-B" { to DMZ-zone; from VPN-zone; source Network_X; destination Server-B; service any; } You can put this rule closer to the top to be sure that it will match first in any case.   ... View more

 Hi @nanukanu,   What type are the EDLs? You mentioned that they are d URL list type, is that correct?   It is also possible that the firewall is allowing some traffic in order to get the actual URLs from the data. Once it retriefs the URLs it will evaluate the rules again to see if the this traffic is stil matching this rule (before that it is potential match, that is why some packets are allowed).   You should be easy to confirm if you filter the logs by address and not by rule name - that should give you all the rules that this traffic has hit.   But if you are right and the reason is that EDL is being used with static group in the same rule...This looks weard, not sure that the FW should act like that. ... View more

Hi @ChiragP ,   As you said it yourself the path monitoring is just a constant ping sent from the Palo Alto firewall to the monitored IP.   So in theory any reason for the pings packets to fail should disable the given static route. I would say both actions should end with same result.   The only different I can think of for disconnecting the interface is the link monitoring under the HA setting. Are you sure that when you disconnected the cable the firewall hasn't failover to secondary member where the cable was still connected?   Also I would suggest to check the FIB during your tests in order to be 100% sure which route is actually the active one: > show routing fib | match <your-destination-network> ... View more

Hi @WRibeiro,   You should be able to filter the Software Updates at the top left corner of the table. Ther you should select Panorama Base Images for the OVA.   ... View more

Hi @qd_056,   If you haven't disabled the configuration sync under HA settings, what ever you did on the primary member was replicated on the standby as well.   If I understand correctly you have followed the instructions to remove Panorama config from the firewall and know you want to push again the config from Panorama to the cluster. As you already have enabled device groups, templates and object on the firewalls, have you tried to push the config from the Panorama again?   If the firewalls are still listed as connected under Panorama and have device group and template assigned you should be able to push the policy. You should be able to "force" policy push - manual select the devices under Edit Selection ... View more

@DaniloBarbosa,   The web-browsing application is like last resort application. web-browsing will be used only if the firewall fail to match any other application, while the traffic contain HTTP protocol. See below:   Palo Alto firewall will match facebook application even if the traffic is not decrypted (in my personal limited observations), so I am guessing it is using the SNI from the server certificate. Without decryption the firewall will may fail to match the more specfic facebook apps, but it still will know that it is facebook related.   Same goes for google, dropbox, twitter and many more well known services that Palo Alto has create application for it. ... View more

It looks like this interface is not configured.   Have you commint and changes on this interface? What colour is shown under the GUI for this interface?     ... View more

@Abdul_Razaq,   From the screenshots in the original post you can see his routes through the tunnels are not default routes.     ... View more