About TomYoung

Hi @JessePeden ,   You are right.  It is not in the URL, and therefore not supported by Palo Alto.  I thought I saw it there but was mistaken.  I will delete that post if I can.   Thanks,   Tom ... View more

Hi @JessePeden ,   Palo Alto PAN-OS does not support this feature.   Did you see the URL I posted above?  It should be supported in the Advanced Routing Engine.   No it's not. This is not the same as defining your local ASN at the base level of your BGP instance.   I know what local-as means and what it does.  Creating a new VR with a new BGP ASN will allow you to configure the new peering with the neighbor that requires the different ASN.  All the original neighbors remain on the old VR.  This is an effective workaround.  I just did it with a customer.  You can enable BGP between the VRs to facilitate routing.   Thanks,   Tom ... View more

Hi @Igor_Bartak ,   Try ECMP with Symmetric Return instead.  Also, this can be done with one VR.  With regard to your failover, is DNS changing as well?   I've done scenarios like this many times.  Feel free to DM is you want.   Thanks,   Tom ... View more

Hi @DrewNumberTwo ,   I am curious what changed.  Was there a GP upgrade?  Did someone change a URL in your IdP?  For example, Entra has a sign-on URL, an Entity ID URL, and a Reply URL.  https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g0000008U48CAE  I don't know if one of those is used for successful authentication.   Thanks,   Tom ... View more

Hi @D.Maas ,   So we would have to change all rules that have the original domain format to the new userid format. This is quite a big task.   You can quickly do it via the CLI and a regex text editor.   > set cli config-output-format set > configure # show rulebase security | match source-user   If you have a regex text editor you can copy the output and quickly change $username@domain.com to domain\$username for all your users.  Paste into the CLI.  You can have both formats for a period of transition.  To delete the original formats, change the original set to delete and paste.  If the users now match groups, you can use the group instead.   Also what I found was that if you use a group within the agent profile for identification does not work, using either the domain\groupname or the cn of the groupname.   I have tested groups in the portal agent config before.  Converting the format is the 1st step to the users matching groups.  Did you try the commands I mentioned above?  The username must match exactly.  Here they are again.  Substitute the bogus group name with yours.   > show user ip-user-mapping all > show user group list > show user group name "cn=it_operations,cn=users,dc=al,dc=com"   Thanks,   Tom ... View more

Hi @chens ,   I don't work for PANW.  I create all my TAC cases in the CSP, and I always get an answer.  SSL decryption on my NGFWs works fine.   This community is primarily users that just want to help each other.  I've done what I can.   Good luck with your issue,   Tom ... View more

Hi @chens ,   Have you opened a TAC case?  I don't have any more insights or updates.   Thanks,   Tom ... View more

Hi @chens ,   I always liked that when the session end reason was 'threat' that you could see the threat log in the Detailed Log View.  I don't know why PANW does not do that with the session end reason of 'policy-deny'.  It would be so efficient for the NGFW to show the corresponding policy log.   @Remo opened a TAC case on this years ago and TAC said it is always a decryption issue.  https://live.paloaltonetworks.com/t5/general-topics/identify-policy-deny-source/td-p/208306   With that said, you can grab the session ID from the Detailed Log View and use the filter ( sessionid eq '82516' ) under the Decryption logs to confirm there is no decryption log for the session.   The only other issue that I know that does not show up in the decryption log is this one -> https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000kI0RCAU.  You could test by running the CLI command.  If you do not want to make changes to a production NGFW, you could try creating a packet filter to match the session and running the CLI command 'show counter global filter packet-filter yes | match incomplete'.   That's all I got.  To repeat, PANW really should have the Detailed Log View show the corresponding log just like they do with threat.   Thanks,   Tom ... View more

Hi @${userLoginName} ,   Jumbo frames must be enabled end-to-end.  On the Nexus, that would mean jumbo frames from VM host to VM host or to storage.  I have seen jumbo frames significantly speed up vMotion or storage data.   For the campus network (Catalyst), it is generally not needed.  Of course, your NGFW Internet should match the MTU of the ISP, which is probably 1500.  The biggest issue if you do not enable jumbo frames everywhere is that jumbo packets received on interfaces with normal MTU will be dropped.  If you do not enable jumbo frames on the hosts, then they won't take advantage of the larger frames.   Thanks,   Tom ... View more

Hi @CiprianChira ,   That is disappointing that the URL no longer works.  I have attached a the PDF version.   Thanks,   Tom ... View more

Hi @sneelapu ,   It is disappointing to find NO documentation about GP and multicast.  https://docs.paloaltonetworks.com/globalprotect/10-1/globalprotect-admin/globalprotect-overview/about-globalprotect-licenses   In the past, TAC has said it is not supported.  https://live.paloaltonetworks.com/t5/general-topics/does-globalprotect-support-multicast-traffic/td-p/353380   I guess the only way to know for sure today is to open a TAC case.   Thanks,   Tom ... View more

Hi @Carleton ,   I don't know why PANW does not allow SAML for CLI access.  https://docs.paloaltonetworks.com/compatibility-matrix/reference/mfa-vendor-support   You could do MFA with a local NPS server pointed to Entra.  That is not 3rd party but it does require a local server.  https://learn.microsoft.com/en-us/entra/architecture/auth-radius   I have not tested it, but this person has found a way to not allow the local account to work if RADIUS is up.  https://live.paloaltonetworks.com/t5/general-topics/local-authentication-should-not-work-if-when-radius-is-available/td-p/511849  EDIT2:  @reaper may have a simpler way -> https://live.paloaltonetworks.com/t5/next-generation-firewall/to-force-ngfw-login-using-saml-sso/td-p/1229870.   However, you cannot use SAML in an authentication sequence.  Again, RADIUS to NPS would solve that problem.   I think you have valid points.  The solution would be to ask your PANW SE to create feature requests.  I don't think the business units look at this forum for ideas.   Thanks,   Tom   EDIT:  The RADIUS users may have to log onto the GUI 1st before the CLI will work.  https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cm3qCAC ... View more