About reaper

VAR is a Value Added Reseller, you'll need to reach out to one in your region https://locator.paloaltonetworks.com/ ... View more

There are LAB and trial licenses, but you'll need to go through a VAR to get a LAB, and a palo sales person to get a trial license. You can spin up a "free" panorama on most cloud providers (azure, gcp, aws,..), as long as you pay for the compute cycles, but they'll require one of the aforementioned licenses to actually be able to manage devices ... View more

you can find the MIBs here: https://docs.paloaltonetworks.com/resources/snmp-mib-files   all files are universal and include all platforms ... View more

do you have ssl decryption enabled for these flows? onedrive depends on ssl and uploading/downloading can only be detected if you're decrypting the session   ... View more

this is a duplicate of https://live.paloaltonetworks.com/t5/prisma-access-discussions/fail-when-push-config-to-remote-networks/td-p/551398 ... View more

did you select a compute node (RNSPN) when you onboarded your remote network? (sorry the screenshot is really tiny and unreadable)   check your Remote Network onboarding to see if you've assigned the ike gateway etc to a RNSPN ... View more

That category was only recently (content 8729) added, this would indicate the nodes have not been updated with the latest content package containing that category with a little patience thios should fix itself, else you'll need to reach out to support to check what is up with these nodes ... View more

By putting the mgmt interface in a OOB network where it can only be reached by trusted hosts, or by shielding the mgmt interface with a security policy loaded with security profiles   No unauthorized person or system should be able to scan your mgmt interface ... View more

 think you're looking for https://locator.paloaltonetworks.com/ ... View more

No, admins are allowed to log in multiple times you can limit their idle timeout in "device > setup > management > authentication settings" if you're worried they have too many 'sleeping' sessions open ... View more

once a user is connected they're considered as 'internal' so that limits your means of segregating them for a different region you could use IP based access (as you can assign a different pool per region), but inside the same region you're limited to the same pool for everyone. eacht gateway will get a /24 (or multiple depending on the number of connected users) but I would't recommend using that as a reliable identification method I'd suggest you create an AD group and limit which users are able to access the resource ... View more

it's bad practice creating rules without zones 😉 but yes, zones are still used, they are part of the session in the session table    the visibility only opens up the 'space' between the vsys to communicate, they're not made aware of eachother's sessions, they don't have access to eachother's policies without visibility between vsys1 and vsys2, they won't be able to communicate via the 'external' zone. if you enable vsys1 and vsys2 visibility, but don't add vsys3, then vsys3 will still not be able to use external zones to get to either. if you then also enable visibility between vsys1 and vsys3, these 2 will be able to communicate as well, but vsys3 and vsys2 will still not be able to communicate (hope this makes sense)   Now, with visibility between vsys1-vsys2 and vsys1-vsys3, the security rules will still be 'external'. so each vsys knows it's throwing things into the abyss, but the underlying system decides if this access is permitted   vsys are a tool to segment further, but a single company could indeed simply use multiple VR's to segment networks. The advantage of vsys is that you get separate sets of rules/nat etc, so less room for error IHAC that has 1 vsys for their 'guest' network for sanitary reasons, a vsys for their DMZ environment and a vsys for their internal networks, DMZ and guest vsys have very strict and very few security rules, the internal one has hundreds. The multi-vsys setup also allows regular admins to make changes to the internal security rules, but they're unable to touch the DMZ or guest vsys. If you're a small team that wouldn't matter     hope this helps T ... View more

Not having an overlap would be desirable 😉 Alternatively you could sourceNAT to the physical interfaces in the destination subnet so the "server" side has an IP+MAC in the same broadcast domain  ... View more