About TomYoung

Hi @Adam_DiMarco ,   Follow steps 1 and 2 here.  You will need an SMTP Relay IP address.  https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/monitoring/configure-email-alerts For step 3, configure the settings below under Device > Log Settings > Configuration.  If you open Filter Builder, you can test the filter with View Filtered Logs.  You can also test the filter under Monitor > Logs > Configuration.   If you are forwarding all of your configuration logs to Panorama, you only have to do it once on Panorama.  It also catches administrators configured in a template.   Thanks,   Tom ... View more

Hi @sshivanandap ,   The most simple way to "export" the security policy in JSON format is to run the command "show rulebase security" in CLI configuration mode and copy the response.   If you need to retrieve the security policy more than once, you can automate it with the REST API and also get the response in JSON format.  https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-panorama-api/get-started-with-the-pan-os-rest-api   The PAN-OS GUI is a human interface, and CSV and PDF are human-readable formats.  The PAN-OS API (XML and REST) is a machine interface, and support machine-readable formats or XML and JSON.  The reason that you want the format in JSON is most likely to run some type of automation against it.  (I could be wrong.)  If you are going to run automation against the data, you might as well automate the retrieval of the data.   Thanks,   Tom ... View more

Hi @ptingalls ,   Yes, the proxy has to be on the same subnet as the interface.  The NGFW will not change the IP header of the original packet.  So, it cannot be routed over the network.  It must be forwarded to the proxy MAC address.   One way to get around that limitation is with a GRE tunnel if the web proxy supports it.  Here is a doc for PBF with GRE for Netskope.  https://docs.netskope.com/en/netskope-help/integrations-439794/ipsec-and-gre/netskope-gre-with-palo-alto-networks-ngfw/palo-alto-networks-ngfw-configuration/   If the web proxy does not support GRE, then you will need to extend the VLAN to the NGFW.  I could be wrong, but I think those are your only 2 options.   Thanks,   Tom ... View more

Hi @latechguy ,   Yes!  This can be done.  See the 2nd paragraph in this article.  https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClS0CAK   You can limit your untrust ingress by applying policy to your trust egress, especially with TCP-based traffic, which will decrease the sliding window based upon packet loss.  The article also has good stuff for your SIP trunks.   Thanks,   Tom ... View more

Hi @JohnSturk ,   You have done all the hard work!  You only need the ports now.  Here is a document that is a good start, but missing a couple of items.   https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/networking/nat/nat-configuration-examples/destination-nat-with-port-translation-example   The NAT example should have an object tcp-80 (or service-http) for the Original Packet Service.  It is very important when you create service objects for NAT that you specify the destination only, and not the source.  (Unless, of course, you are NATing source ports which is uncommon.) I would not leave the security policy rule service to any.  I would put it tcp-8080 or service-http in that example.  I believe the service in the security policy rule is pre-NAT like the IP. Thanks,   Tom ... View more

Hello @dipak_2000 ,   From the CLI, you can issue the "show log system eventid equal state-change" command.  From Monitor > Logs > System, you can use the filter ( eventid eq state-change ).   Thanks,   Tom ... View more

Hi @Remko ,   Exactly!  What does "show url-cloud status" show?  https://docs.paloaltonetworks.com/advanced-url-filtering/administration/troubleshooting/pan-db-cloud-connectivity-issues   Thanks,   Tom ... View more

Hi @chens ,   Great question!  Adding a locally managed NGFW to Panorama is tricky.  You have to do it a few times to get used to it.  Here are the steps:   https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CloRCAS   https://docs.paloaltonetworks.com/panorama/9-1/panorama-admin/manage-firewalls/transition-a-firewall-to-panorama-management/migrate-a-firewall-ha-pair-to-panorama-management   However, in the long run, it will be worth it because you can change something once and push it to your NGFWs.  Here are some pointers:   The HA pair document has extra steps.  Be sure to go through those.  My step #s below refer to the top URL. When you import the device configuration, it will create a new device group and template. Uncheck "Import devices's shared objects into Panorama's shared context (device group specific objects will be created if unique)" if you have LOTS of objects.  Otherwise you can get conflicts and commit errors.  You can move your objects to the Shared device group and resolve duplicates after the NGFWs are imported. I usually import my rules into the Post Rulebase. Do not make any changes to the device group or template until after you are finished with these steps. You can always rename the device group and/or template any time.  Don't worry about it for now. Step 5 is very important!  (Step 4 on the HA doc.). Do not do the 1st push from the Commit menu.  Push & Commit from the Panorama > Setup > Operations > Export or push device config bundle menu.  This step deletes the local policies and objects so that you will not have duplicate object commit errors.  After this step, push normally. Finally, the top URL document above is not complete!  (The HA one has this step.). If you want to managed the Network and Device configuration from Panorama, select Force Template Values in step 6. This will override IP addresses, etc. So, make sure you have automated commit recovery enabled so that if the NGFW cannot communicate with Panorama it revert the configuration.  This is critical if the NGFW is at a remote location. Like step 5, this only needs to be done once. Try it out!   Thanks,   Tom ... View more