About TomYoung

Hi @chens ,   Good questions.  Yes, add both NGFWs to the same template stack.  The NGFW is smart enough NOT to used the Panorama-pushed configuration for the management interface, even when you Force Template Values.  I have done it many times, and never lost connectivity.   With regard to HA, you have 2 options:   Delete the HA config in Panorama, which means the HA will remain locally configured.  Panorama does not remove Network or Device configuration if it doesn't have it.  It stays on the NGFW. Use template variables for the HA IP addresses.  This is a little more complicated, but you get to manage the configuration from Panorama.  If you get it wrong, HA won't work.  Generally you do not lose connectivity to Panorama.  If the HA pair is in production at a remote site from Panorama, you may want to be on site.  If HA fails, both NGFWs may become active, and you may have connectivity issues. https://www.youtube.com/watch?v=MxAy_7X5g3E   Thanks,   Tom ... View more

Hi @DanParker ,   You are correct that the configuration 'commit' command commits to Panorama, and the operational 'commit-all' command pushes to devices.  The solution to this discussion confirms this -> https://live.paloaltonetworks.com/t5/automation-api-discussions/trying-to-do-commit-and-then-push-from-panorama-with-a-script/td-p/516567.   What is interesting is that for 'commit-all' you have to specify the device-group or template/template-stack.  I cannot find an option to push all.  That lines up with this doc -> https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClqeCAC.   What I am saying is this:  The XML API lines up with the CLI.  If the CLI requires a parameter, the XML API does also.  Your error is equivalent to 'invalid syntax' on the CLI.  The good news is that you can run the 'cli debug on' command to give you the URL syntax needed when you run a CLI command.  (It does not work for GUI operations.)  https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-panorama-api/get-started-with-the-pan-os-xml-api/explore-the-api/use-the-cli-to-find-xml-api-syntax  I have heard the debug goes way when the session is closed.   So, you can run the 'commit-all' commands from the CLI with 'debug cli on' and get the XML syntax you need.  You will have to do it for every device-group and template-stack.  The 'include-template' may save you some steps.   Thanks,   Tom   Edit:  I just saw this -> https://pan.dev/ansible/docs/panos/guides/panorama-push/. ... View more

Hi @Felixcao ,   Yes, it can.  Create a filter with one entry:  no ingress interface and destination IP used for path monitoring.  Capture packets in the transmit stage, and you will capture the ICMP packets.   You can also run the CLI command "show high-availability path-monitoring" and you will see the rtt min/max/avg (ms) times.   Thanks,   Tom ... View more

Hi @dholmes ,   User-ID and Chromebooks is a very common request.  Check out this URL -> https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClSNCA0#Chromebooks-and-User-ID.  You could use a Chrome plugin as described.  You could also use GlobalProtect with Internal Host Detection.  Or, you could use the Authentication Portal as @BPry mentioned.   Thanks,   Tom ... View more

Hi @AhmedAlRashed ,   That is a great question, and one I did not fully answer.  In essence, you are asking about machine groups in AD.  If you created one, I fear that the members retrieved would not match the domain/ma-c0-0a-dd-re-ss format that ISE sends, and the user would not match the group.  We would need to test.  I don't know what changes could be made so that the ISE user and AD group member match.   If you have Panorama, you could use the Plugin for Cisco TrustSec.  ISE would have to assign SGTs in the policy set.  It would then communicate these SGTs through pxGrid to Panorama.  These SGTs could then be used to for Dynamic Address Groups.  The theory is fantastic!  The NGFW is able to use information from ISE for security policy.  I have never used it.  I saw a thread on Reddit from someone who has and they said (1) it can sometimes be 5-7 seconds slow, (2) sometimes does not catch every device, and (3) now means Panorama needs to be up during operational hours in order for the mappings to work.  That's not my feedback.  Again, this would need to be tested.   It would be nice if we could create static User-ID groups.  We can create static User-ID mappings through the XML API.   If the devices have static IP addresses or DHCP reservations, you could create static address groups.  I know that takes a lot of manual work.   Device-ID is another potential solution.  It works best when the NGFW can observe the DHCP traffic.  It can classify devices to be used in the security policy.   The last option is to integrate Device-ID with ISE through Cortex XSOAR, but that is expensive.   I would love to hear if anyone has solved this problem, or if they have good success with the TrustSec Plugin, or anything else.  That is what this community is all about!   Thanks,   Tom     ... View more

Hi @ThamiDlaminiITN ,   I have seen some sales people promote protecting the external routers, but I agree with @S.Cantwell .  Most routers are built to be connected to the Internet and can be patched, hardened, and configured with some features to limit DoS.  Most ISPs offer some DDoS protection, and some offer extra DDoS protection as an additional service.  I would work with the ISP 1st.   Thanks,   Tom ... View more

Hi @Alpalo ,   The HA ports have different functions.   HA1 = Control Link HA2 = Data Link HA3 = Packet-Forwarding Link   The detailed explanation is here -> https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/high-availability/ha-concepts/ha-links-and-backup-links.   So, there is no way to balance the traffic over multiple HA links.  The solution is to upgrade the HA2 port (and the HA2-Backup if configured).  If it is currently 1G, change to a 10G port.  If it is 10G, change to a 25G port.  The best 10G for direct connect would be PAN-SFP-PLUS-CU-5M or equivalent.  I don't see a direct connect 25G cable.  Maybe the PAN-QSFP28-DAC-5M would work, but you would need to confirm.  It is a shame PANW does not make these cables in smaller lengths (that I have found).   Thanks,   Tom ... View more

Hi @MNoble ,   Looking at this doc, I guess it is not required!  https://docs.paloaltonetworks.com/globalprotect/9-1/globalprotect-admin/globalprotect-gateways  So, yes, you would configure Internal Host Detection.  The internal gateway is optional.   I have seen other docs that say if the Internal Host Detection check is successful, the GP client will connect to an internal gateway.  I always thought it was required.   Regardless, it sounds like you need to fix your connection to the portal.  See the URL in my 1st post to resolve that issue.   Thanks,   Tom ... View more

Hi @MNoble ,   If you do not have an internal gateway configured, then you are not using Internal Host Detection.  This is most likely your issue -> https://knowledgebase.paloaltonetworks.com/kCSArticleDetail?id=kA10g000000Cm65.   Do you want your internal users to build an SSL or IPsec tunnel to the NGFW?  If not, configure an internal gateway with Tunnel Mode unchecked and configure Internal Host Detection.  Then you can use GP for User-ID only.   If you do want to build the tunnel, then create the NAT rule as described in the document so the traffic to the portal/gateway is not NATed.   Thanks,   Tom ... View more

Hi @hfakoor2 ,   That is good feedback! I have played a little with both.  The nicest thing is that in your script you can easily feed the results into ElementTree without having to screen scrape and format the data.   Yes, the URL will be the same across all NGFWs.  One thing I do not like about both the XML and REST is that the URL is different for different options.  I would like the exact same URL and pass different options through the HTTP body.  That makes for a more scalable script.   Thanks,   Tom ... View more