About TomYoung

TomYoung · ‎02-11-2022

Hi @rosawhney , Correct. I have done that. Thanks, Tom

TomYoung · ‎02-11-2022

Hi @SamuelCardoz , You could try this and see if it works -> https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000008UkxCAE&lang=en_US%E2%80%A9&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail. I am curious. Why do you want a fixed IP address for the user? If it is for security policy rules, you can use Source User instead without having to assign a fixed IP address. If it is for something else, then that may be the way to go. Thanks, Tom

TomYoung · ‎02-11-2022

Hi @rosawhney , Yes, that will work. Thanks, Tom

TomYoung · ‎02-11-2022

Hello @Amoltelore , Yes, the NGFW does support CrowdStrike in a HIP Object. A GlobalProtect license is require for HIP enforcement. Finally, the NGFW does not disconnect the user, but the security policy is used to allow or block traffic. See the URLs below. https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000HBMYCA4&lang=en_US%E2%80%A9 https://docs.paloaltonetworks.com/globalprotect/10-0/globalprotect-admin/host-information/configure-hip-based-policy-enforcement.html Thanks, Tom

TomYoung · ‎02-11-2022

Hi @securehops , What do the licenses show on the firewalls? Panorama may be accurately showing the license status on the firewalls, in which case it is not a Panorama issue. This is a common issue when upgrading from URL Filtering to Advanced URL Filtering, and we have seen and are going to see lots of posts on this issue. Check out SeanDeHarris's response in this post -> https://live.paloaltonetworks.com/t5/threat-vulnerability-discussions/pan-db-vs-advanced/m-p/463874#M1489. I also had to do steps 1-3 for a customer of mine to fix the problem. The steps in the KB article did not work. Thanks, Tom

TomYoung · ‎02-11-2022

Hi @palomed , It sounds like you have "Log at Session End" configured, which is recommended. The most probable answer is that the Meraki session never ends. Active sessions show up in the Session Browser, and sessions that have ended show up in the traffic logs. Log at Session Start will change this behavior, but is not recommended. Thanks, Tom

TomYoung · ‎02-10-2022

Hi @RobertShawver , The only thing I can think of is if you put a unique <string> in the name of all your FQDN object names. Then you could use the search in the upper right or "show | match <string>" in configuration mode (assuming you set cli config-output-format set). Thanks, Tom

TomYoung · ‎02-10-2022

Hi @isentric89 , Yes, you can have different authentication methods for different users. Create a new authentication profile without MFA and list only yourself under Advanced > Allow List. Add a new Authentication Sequence, with your new authentication profile on top. Change you authentication profile under both the portal and gateway to the authentication sequence. Since you are the only one in the allow list, the new authentication profile will be used for you. The existing one will be used for everyone else. You do not need a new gateway. With regard to access to resources, that is controlled in the security policy. Thanks, Tom Edit: Thank you @aleksandar.astardzhiev for the feedback! I actually made this same mistake when doing this for a customer months ago, and forgot my lesson learned! I have corrected my steps above.

TomYoung · ‎02-09-2022

Hi @EddieReyes , No problem! There a lots of little pointers I could give. My best one is this -> load the Day 1 Configuration on your new firewall and use that as your base configuration in Expedition. Then you have a lot of best practices configured. Thanks, Tom

TomYoung · ‎02-09-2022

Hi @EddieReyes , I believe the latest user guide is here -> https://live.paloaltonetworks.com/t5/expedition-articles/expedition-user-guide-v1-2/ta-p/285157. If you send me a direct message (mouse over my name > send message), we could setup a video call to walk you through the process if you want. Thanks, Tom

TomYoung · ‎02-08-2022

Hi @EddieReyes , Great question! In Expedition under Devices > +, I don't see a pa400 option. You can send an email to fwmigrate@paloaltonetworks.com, and you will receive guidance relatively quick. Would you mind posting what they say? I am curious what difference it makes. Thanks, Tom PS @S.Cantwell is also correct that you do not need to push the config via the API connected to the device from Expedition. You can export the XML from Expedition, and import it into the PA-440.

TomYoung · ‎02-08-2022

Hi @rbabu0 , So the 1x.6x.x.2 IP address is not 10.6x.x.2? Thanks, Tom

TomYoung · ‎02-07-2022

Hi @AhmedAshour , Do you have access to the Partner Actions > Manage Users menu on the partner portal? (Scroll down and click on Partner Relationship Management on the 1st page. The menu at the top will turn blue.) Changing user info in the partner portal can only be done by administrators. At least one person in your organization should have been made an administrator by PANW. You will need to find that person and have them do it. Thanks, Tom

TomYoung · ‎02-07-2022

Hi @rbabu0 , A Martian packet is one that does not exist on planet Earth, e.g. non-routable. Looking at your error message it looks like 1x.6x.x.2 is an RFC1918 10/8 IP address, which is not routable on the Internet. To fix this issue, find out what traffic is not being NATed to your public IP, and create a NAT rule for it. Thanks, Tom

TomYoung · ‎02-07-2022

Hi @SeanDeHarris , Exactly! I just did the same thing for a customer the other day. They upgraded from URL to Advanced URL. URL is not sold anymore. We are going to see this a lot. Your reply should be marked as the solution. The same process works for 9.1. Thanks, Tom

Member Since	‎11-15-2017 11:37 PM
Date Last Visited	‎12-30-2025 09:30 PM
Posts	1,549
Total Likes Received	602

Online Status	Online
Date Last Visited	‎12-30-2025 09:30 PM

Unlock your full community experience!

About TomYoung