About TomYoung

Hi @RomainCouvreur ,   The PA-5450 can have 60K GlobalProtect clients.  Many of the max #s can be found on the Product Selection page -> https://www.paloaltonetworks.com/products/product-comparison?chosen=pa-5450,pa-5410.   Thanks,   Tom ... View more

Hi @user9891 ,   Yes, that process is correct.  The document actually says to add the root and intermediate to the certificate profile.  That is the process that I use, and it works.  Your reasoning makes sense that the root is already trusted.  Let us know if only the intermediate CA works in the certificate profile.   Thanks,   Tom ... View more

Hi @Alex_Samad ,   Here is the process -> https://live.paloaltonetworks.com/t5/blogs/how-to-use-palo-alto-networks-new-feature-request/ba-p/409590.   If it is on the list, ask your PANW SE to vote for it. If it is not on the list, ask your PANW SE to add it to the list. Support is not part of the process and won't help.   Thanks,   Tom ... View more

Hi @StuartSharp ,   There are a couple of solutions to this issue.   You don't have to add a device to Expedition.  You can export the final config and import it into the NGFW. You can send an email to fwmigrate@paloaltonetworks.com and see if they can assist in adding the device. https://live.paloaltonetworks.com/t5/expedition-articles/expedition-user-guide-v1-2/ta-p/285157   Thanks,   Tom ... View more

Hi @kbe ,   Thanks for sharing!   Tom ... View more

Hi @sachin_chauhan ,   Using tags by @PavelK is the easiest solution with just a few different subnets.  If you don't want to use tags, you can also manually check the device under the Target tab in the policy rule.   Another solution is to use nested device groups.  Put the policies that don't change in the higher device group and the policies that are different for different NGFWs in a lower device group.  You can use the Move button on the bottom of the GUI to do this.  I generally put all objects in Shared.  This method makes it easier to manage multiple NGFWs but requires planning.   Once done, you can clone your lower device group.  https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cla3CAC  Or you can copy the rules as @PavelK suggested.  Assign the new NGFW to the new DG and make the changes needed.   These are other options for you.   Thanks,   Tom ... View more

Hi @StuartSharp ,   08/29/24 UPDATE:  I replaced a PA-3060 on PAN-OS 9.1 with a PA-1410 on PAN-OS 11.0.  Step #4 - Export and import the configuration worked great!  I don't remember if I got any commit errors.  If I did, I probably just opened the configuration window related to the error and saved.  The NGFW upgraded the config syntax great!  The only issue I had was the master key was configured on the PA-3060, and I needed to configure it on the PA-1410 before I imported the configuration.  Sorry that I made the following steps more complicated than they needed to be.   If the NGFWs are in HA, then upgrading them will cause much less down time.  Upgrading is preferred to make the config as similar as possible.  Upgrading production NGFWs is unavoidable and should become routine.   With regard to your other question, the following is the complete answer I have given to the question of replacing an older NGFW with a newer one when the PAN-OS is different.   Panorama if you have it.  Replace the device or stage it by adding it to the same device group and template stack. https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CljGCAS.  Panorama must be greater or equal PAN-OS. Expedition if you have the time to set it up and learn it.  The PANW migration tool, https://live.paloaltonetworks.com/t5/expedition/ct-p/migration_tool, saves a lot of time with migrations.  You can still have a few commit errors from Expedition, although it is rare. Find a spare PA NGFW that supports both 9.1 and 10.2 and use it.  In most cases any PA NGFW will do.  In rare cases, a few features will be missing if you use a lower end model.  You could even borrow an HA standby unit. Import the old PAN-OS XML file and be prepared to work through commit errors.  Some sections can be fixed on the GUI by filling in blanks or deleting and recreating.  Or you may want to use the CLI, which should show the incorrect parameter causing the error.  Some people on this community say the NGFW will convert it.  If the commit errors are few, this may be the easiest.  I have never tried it, and would like to hear if someone has done this.  (Edit:  Thanks @kbe !  He imported the device state and used the XML to fix the commit errors.) You could also cut-and-paste on the CLI and work through each error.  Ugh! Thanks,   Tom ... View more

Hi @StuartSharp ,   I would love for you to try @OtakarKlier 's process and let us know how it works.  If you have any commit errors, the fix may be as simple as opening up the section in the GUI and filling in any missing parameters and commiting again.  If that becomes too painful, we can discuss other options.   Thanks,   Tom ... View more

Hi @Sanjay_Ramaiah ,   That is a great question.  You can manually export the configuration periodically, or you can automate it with a script to grab it via the API.  https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cm7yCAC   For those customers with Panorama, it automatically stores the configuration files for each NGFW.  You can schedule a config export using SCP or FTP.  https://docs.paloaltonetworks.com/panorama/10-1/panorama-admin/administer-panorama/manage-panorama-and-firewall-configuration-backups/schedule-export-of-configuration-files   Thanks,   Tom ... View more

Hi @Charlie80 ,   You are correct.  If the NGFW cannot decrypt the traffic, it cannot inspect it for AV, most vulnerabilities, etc.   Generally you do not have to worry about CPU load unless your CPU is mid range to high now.  Your max throughput will go down.  Your PANW SE can give you the numbers, but threat prevention throughput (which I like to call threatput) minus 30% is a good estimate in my opinion.   Thanks,   Tom ... View more

Hi @JeonJiChan ,   Did you install the system extensions as stated in this document?  https://docs.paloaltonetworks.com/globalprotect/5-1/globalprotect-app-user-guide/globalprotect-app-for-mac/use-the-globalprotect-app-for-mac   Thanks,   Tom ... View more

Hi @abhay_saama ,   As the error states, you need a GP license to connect from Linux.  https://docs.paloaltonetworks.com/globalprotect/9-1/globalprotect-admin/globalprotect-overview/about-globalprotect-licenses   Thanks,   Tom ... View more

Hi @RobertShawver ,   Maybe you could allow all outbound from the management interface of 1 NGFW and see if it connects?   Thanks,   Tom ... View more