About TomYoung

Hi @g-crisostomo ,   GP uses a Certificate Profile to authenticate certificates, and it has a check box to use CRL.  Theoretically, the authentication should fail if the certificate is revoked.  Please let us know the results if you configure it!     Thanks,   Tom ... View more

Hi @RotemTech ,   You should open a support case according to these instructions -> https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cm3aCAC.   Thanks,   Tom ... View more

Hi @JohnSimon ,   The keyboard shortcut Esc+backspace (Esc+delete on MacOS) deletes the word before the cursor.  I tried all of these shortcuts on my NGFW (PAN-OS 10.1), and they work.   Go to next in command history Down arrow or  Ctrl+n Go to previous in command history Up arrow or Ctrl+p Go to beginning of line Ctrl+a Go to end of line Ctrl+e Go left one character Ctrl+b Go right one character Ctrl+f Go forward one word Esc+f Go backward one word Esc+b Delete character over cursor Ctrl+d Delete word after cursor Esc+d Delete word before cursor Esc+backspace Delete text from the cursor to end of the line Ctrl+k Delete the line Ctrl+u Paste the deleted text at cursor Ctrl+y   Thanks,   Tom ... View more

Hi @alexshchukin ,   It's called Path Monitoring, and it is based on pings only -> https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/networking/static-routes/configure-path-monitoring-for-a-static-route.   For something similar to IP SLA, you could configure PAN-OS SD-WAN which looks at delay, jitter, and packet loss.   Thanks,   Tom ... View more

Hi @NelsonE3 ,   By default the Management Interface Settings DO override what is sent by Panorama.  You should see the orange gear on top of the green one to indicate override.  Mousing over the gear will also confirm.   You can run these commands from the CLI to see what is configured locally:   > set cli config-output-format set > configure # show deviceconfig system permitted-ip   The Panorama pushed config will NOT show there.  If you delete the local configuration, the Panorama configuration should then show up.   Thanks,   Tom ... View more

Hi @DavidSchwartz ,   That is a great question.  It should be possible.  Here is some info you may want to check -> https://live.paloaltonetworks.com/t5/aiops-for-ngfw-discussions/new-activation-onboarding-and-upgrade-processes-for-aiops-as-of/td-p/530732.   Thanks,   Tom ... View more

Hi @zinkt101 ,   The Product Selection tool is a great way to compare NGFWs -> https://www.paloaltonetworks.com/products/product-comparison?chosen=pa-3410,pa-1420,pa-3420.   It should highlight the main differences.   Thanks,   Tom ... View more

Hi @AlexCheong ,   The video Scenario 3/4 says that CDL is required for AIOps Premium (1:40).  "The workflow will stop is there is no CDL."   https://live.paloaltonetworks.com/t5/aiops-for-ngfw-discussions/new-activation-onboarding-and-upgrade-processes-for-aiops-as-of/td-p/530732   Like you, I was told that I could activate the trial license without CDL.  The video says otherwise.  Customers can request a trial CDL license from their PANW SE.   Thanks,   Tom ... View more

Hi @zinkt101 ,   The PA-1410 is a great replacement NGFW for the PA-3020.   10 virtual routers LACP 3x threat prevention throughput of 3.2 Gbps almost 1M max sessions 2.5G and 10G interfaces The PA-400 Series do not have 10G interfaces.  I would not purchase an older model.  The PA-1410 will have a longer life span.   Thanks,   Tom ... View more

Hi @MemjetITS ,   Do you have telemetry enabled on all NGFWs?   Thanks,   Tom ... View more

Hi @LijoMathai ,   I have migrated a single firewall configuration to Panorama using Expedition.  So, the reverse should work, also.  Here are the steps:   Import the NGFW configuration 1st.  The 1st imported PAN-OS configuration is the base config.  I personally like to load the Day 1 Configuration on my NGFW and use it as my base config.  In that way, I have a lot of best practices configured. Import the Panorama config into Expedition next.  Look at the dashboard and fix any items, if desired. Under Export drag the source configuration items on the left under templates to Device or Network on the right.  Drag the policies and objects on the left to vsys1 on the right. Merge and export. https://www.youtube.com/watch?v=RMHfO4MA0jw   Thanks,   Tom   Edit:  Hi @LijoMathai , the steps above work if the new NGFW is not managed by Panorama.  Is that what you want? ... View more

Hi @Buck_Smooth ,   If you have agentless User-ID, the issue could be the DCOM security change MS put out last year.  Do you see the DCOM errors in the Windows system event log?  You may be running into this issue -> https://live.paloaltonetworks.com/t5/general-topics/user-identification-and-winrm-on-http/m-p/481674.   Here is (I think) the latest MS KB article -> https://support.microsoft.com/en-us/topic/kb5004442-manage-changes-for-windows-dcom-server-security-....  It says next month you can't do the regex fix.  I would encourage you to go to the   Thanks,   Tom ... View more

Hi @RomainCouvreur ,   Yeah, I was curious if you were asking about tunnels (mentioned in topic) or gateways (mentioned in post).  Looking at the URL you posted, I should have known you were talking about gateways.  My bad!   What you're really saying is that PANW needs to update the KB!   I did use @kiwi 's command on a PA-220 we have.   > show system state filter cfg.general.max* | match portal cfg.general.max-ssl-portal: 6   The number of portals matches the number of gateways listed in the KB URL.  I wonder if the max GP portals and gateways is the same?  You could check the results on other NGFWs if you have it.  If they match, go with @kiwi 's answer and mark it as the solution.   Thanks,   Tom ... View more

Hi @BaireshP ,   Here is the link to the TAC recommended versions -> https://live.paloaltonetworks.com/t5/customer-resources/support-pan-os-software-release-guidance/ta-p/258304.  The preferred release for 9.1 is 9.1.15-h1.   The decision to upgrade to a major release (10.x, 11.x ) is usually based upon new features.  PAN-OS 10.x provided a ton of enhancements to threat protection and decryption along with a lot of other features.  https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-release-notes   I usually don't consider an upgrade for all my NGFWs until the release has been out 12 months so that I don't run into bugs.  This is a personal preference.  Both PAN-OS 10.1 and 10.2 have been out for over a year.   Thanks,   Tom ... View more