About TomYoung

Hi @chmotley ,   Thank you for the excellent thread.  AA also uses Boingo on some flights.  Not sure if it needs to be whitelisted since you connect to aainflight.com, but it wouldn't hurt to add it.   Thanks,   Tom ... View more

Hi @JoHyeonJae ,   The main value of adjusting the protocol timeouts is so that return traffic will be allowed through the NGFW based upon the session.  Most syslog traffic is unidirectional.  So, it should not be needed.  Are you sure the syslog drops are caused by the UDP timeout value?   Thanks,   Tom ... View more

Hi @Metgatz ,   You could generate the new cert in advance before you replace the current cert.  You will get a duplicate CN commit warning, but nothing will be broken.  You could then push the new CA to the clients to trust before the SSL/TLS Profile change.  You could even use the Trusted Root CA box under the Portal Agent tab to have GP install the new CA on the clients.   Thanks,   Tom ... View more

Hi @JoHyeonJae ,   This document is a good reference -> https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-networking-admin/session-settings-and-timeouts/configure-session-timeouts.   The Note box indicates that they are optimal values that can be modified "according to your network needs."  The UDP protocol has no mechanism to end a session like TCP.  Therefore, the NGFW does not know when a session ends based upon packet inspection.  It relies on the session aging out.  This is why the most common Session End Reason for UDP under Monitor > Logs > Traffic is aged-out.   Notice also that the doc says you can adjust the application-specific timers.  If your traffic is identified as "syslog," it has a UDP timeout of 30 seconds that overrides the global timeout.  If you are positive it is a timeout issue, you can increase the App-ID timeout.  Increasing the global timeouts will result in more active sessions on the NGFW.   This is a great article on session states -> https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClVECA0.  Typically discard identifies a security policy or threat detection drop.   I am curious why the NGFW does not create a new UDP session if the old session timed out.  As mentioned earlier, UDP is not like TCP with session setup and teardown.   Thanks,   Tom   ... View more

Hi @ibuildp ,   In response to your question about an end user guide, the online Administrator's Guide is very well written -> https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/getting-started.  You should be able to quickly navigate to the features you need.  Also, the free Firewall Essentials course on https://beacon.paloaltonetworks.com is very good.   Thanks,   Tom ... View more

Hi @suba_muthuram ,   You can manually install the certificate or configure the portal to push the certificate to the client.   The portal configuration to push the certificate is found under Network > GlobalProtect > Portals > [edit portal] > Agent > [edit config] > Authentication > Client Certificate.  There are 3 options available:  Local, SCEP, and None.  These are the options described by @Arnesh above.  Please remember to change this setting back to None once the certificate has been distributed to all of your GP clients.  Otherwise, there really is no 2FA with certificates, it is pushed every time.   Manual installation can be done by distributing the certificates to the client devices through other means, the most common is MS GPO combined with MS CA server.  As @Arnesh described, the certificate can be unique to each user or the same for all users.   Thanks,   Tom ... View more

Hi @Tech_pp ,   Could you verify the license on the C9300 as requested before?  That's the only thing I can think of right now.   So you are placing the IP addresses on the interfaces and not using VLANs?  Then what I said earlier still applies to the physical interfaces and not the VLAN interfaces.   You are correct in that no configuration is required on the NGFW for the VRF.  The VRF is local to the C9300.   Thanks,   Tom ... View more

Hi @Tech_pp ,   Given the small amount of information, I have to make certain assumptions.   If you can ping outside the VRF... the interface and VLAN configurations are probably correct, and L2 connectivity is good, and the Management Profile (if pinging the NGFW) is probably correct. It sounds like an issue with the C9300.  No changes are made on the NGFW between working and not.  You may need to go to the Cisco forum.  However, I will add a couple thoughts.   Placing a VLAN interface inside a VRF is only one command, "ip vrf forwarding VRF_NAME", and it would fail if the VRF were not created.  You should get a warning the IP address has been removed and needs to be re-added.   Network Advantage is required for VRFs on the C9300.  What does "show license summary" show on your C9300?  I don't know if you would get an error if you tried to create a VRF without the proper license.   Thanks,   Tom ... View more

Hi @Sanjay_Ramaiah ,   There should be something in the system logs.  The 1st thing I would do is go to Monitor > Logs > System and use the filter ( severity eq critical ).   Thanks,   Tom ... View more

Hi @AmitKa79,   I had a customer for which we replaced a FW with PANW.  His RDP sessions became terribly slow.  We never could find the solution on the NGFW, but it started when we put the new NGFW in place just like your scenario.  We disabled UDP in the RDP config of each server as @BPry suggested, and the performance improved dramatically.  Just sharing my experience.   Thanks,   Tom ... View more

Hi @AmitKa79 ,   Do you have a "no-decrypt" rule?  If so, the decryption profile can still be applied and deny traffic even it it is not decrypted.   Is there anything in the decryption logs?   Thanks,   Tom ... View more