About reaper

The main thing to keep in mind is that the palo NGFW is a zone based firewall.   The most important aspect of building a session is determining the source and destination zone. So, your VR's can be shared or assigned to an individual vsys, but the real barrier is at the zone level: to have vsys talk to eachother, you need to create the external zones and have one vsys allow traffic to the external zone and have the other one allow traffic from the external zone   the 'vsys visibility' setting actually allows a vsys to participate in the twilight zoney/dark matter 'external zone' that lives between the vsys. without this visibility turned on for a vsys, it does not have access to the 'external' zones ... View more

I understand your frustrations with TAC, but is reassigning to your timezone really necessary? (just playing the devil's advocate here)   Tickets first need to go through triage, i.e. someone needs to look at the ticket and see if there's a need to reroute to another TAC center or if they can already provide you with the first feedback. Most of the time your ticket will probably have a low priority (?) which means TAC has anywhere between several hours to several days to get back to you Redirecting tickets for anything that's not urgent is usually counterproductive as that also resets the timer for your next update ... View more

this is all explained in the EDU-318 course, i'm not sure it is documented as such   i can't help you with usage issues of the LIVEcommunity, maybe you should reach out to community@paloaltonetworks.com to raise your concern ... View more

tcp-fin means the session was graciously ended, which means the initial connection was allowed   a session that was blocked will have 'deny' or 'drop' in the action  'end' in the type is an allowed session, 'drop' or'deny' in the type is a blocked session   can you please provide a screenshot of what you're seeing? ... View more

Have you been able to verify @kiwi 's pointer? Another thing you may want to check is the deeper details of the log: A session might get allowed at an early stage (source/destination/port) but eventually no longer be able to hit an security rule because it morphed into an application for which there is no allow OR drop rule. This will cause the session to fizzle out on the default rule and this may look weird ... View more

1- the bw will be bursted beyond the assigned BW (capped at 1000mb/RNSPN i think). as long as this doesn't happen all the time you should be fine, but make sure to assign more bandwidth if you consistently pass your assigned BW   2- secure inbound access creates access from the internet into a remote network. this can be useful if the RN hosts a website or an app: https://docs.paloaltonetworks.com/prisma/prisma-access/preferred/2-2/prisma-access-panorama-admin/prisma-access-for-networks/quick-configs-for-network-deployments/provide-secure-inbound-access-to-remote-network-locations   3- overlapping subnets limits access to everything except the internet : https://docs.paloaltonetworks.com/prisma/prisma-access/3-2/prisma-access-panorama-admin/prisma-access-for-networks/network-locations-with-overlapping-subnets ... View more

yes, you can achieve this via traffic steering (in the service configuration) first assign the SC you want to use in a group, then create a traffic steering rule that redirects a custom category containing your FQDNs to that SC group ... View more

- arp loadsharing is 'sticky' in a sense that it uses an algorithm to determine which 'source' is handled by each firewall. if you have an internal (NAT)router or proxy for example, that could easily skew how the 'sharing' part actually works. for load sharing i'd sooner rely on ECMP if that's an option instead of distributing among chassis - i guess that could also work - if your perimeter is L2 connected so both firewalls can use the same public IP, load sharing could work, but what do you see as the added value of doing this? stretching the firewall's capacity (1+1=2) is dangerous in case of failure   I usually resort to floating IP so i can easily predict which firewall is used for what and only when there is a failover the traffic will shift.  ... View more

ecmp can also be configured to assign a weight to each interface so the "bandwidth" is balanced the way you prefer it   not sure if the traffic you're describing is inbound or outbound? on the inbound (from the internet to a service hosted internally) you can enable 'symmetric return' on the ECMP configuration to ensure packets flow back to the originating ISP on the outbound you can create a PBF policy to force your outbound packets for your particular destination out of your preferred ISP interface your NAT rules should be set to an egress interface so NAT is applied in corespondance to the ISP packets are egressing to ... View more

The behavior you describe matches your authentication policy. So this appears to be expected behavior?   Could you explain a little more what you expect the behavior to be, maybe I'm missing something? ... View more

Did you explicitly configure GP to launch the default browser? Try using the embedded one instead. In all my deployments, my users are being asked which of their accounts they want to use (Azure as IdP), I use the embedded browser  ... View more

have you asked support to confirm which ip you're connecting from? (to see if it even matches the subnets you entered?) ... View more