About TomYoung

Hi @JorgeOrtega ,   Unless you are hitting a bug, the firewall is telling you that the public and private keys do not match.  Is there a chance that a different CSR was uploaded to GoDaddy than the one on your firewall?  You can go to this site -> https://www.sslshopper.com/certificate-key-matcher.html to verify that the CSR on the firewall matches the cert you have imported.   Thanks,   Tom ... View more

Hi @treysgrun ,   Thank you for your excellent summary!  I found this article because I ran into a similar problem.  I was curious is 0/32 would work also, and you saved me that step.   The solution is found here -> https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClfnCAC.  The key sentence (4th line from top) is "When you use 'Destination' as one of the filtering/matching criteria in Redistribution Profile, you should read the destination prefix as 'OR LONGER' and not 'EXACT'."   Scenario #1 worked for me with the following values: Deny 0.0.0.0/1 priority 1. Deny 128.0.0.0/1 priority 1. Allow 0.0.0.0/0 priority 2. Only the default prefix is redistributed and all longer prefixes are not.   Thanks!   Tom ... View more

Hi @utahman3431 ,   You can convert the NG800 to CSV and import the config into Expedition.  The CSV import support most features, but not all.  If there are 100s of objects or rules, then writing a script to convert to CSV could save lots of time.  If the NG800 config is not that large, manually configuring the PA might be better.   Here is the guide -> https://live.paloaltonetworks.com/t5/expedition-articles/expedition-user-guide-v1-2/ta-p/285157.  You can also message me directly if you want some guidance.   Thanks,   Tom ... View more

Hi @GQMerdian ,   Please also verify the "endpoint route table" that @BPry mentioned.  On Windows, this is "route print" and on macOS/Linux it is "netstat -r".  If GP works fine for everyone else, then it may be a conflicting route injected by the public WiFi.  Adding that same route to GP split tunnel will cause it to inject a route with a better metric on the endpoint and fix the issue.   Thanks,   Tom ... View more

Hi @Marc.Luecke ,   You are the man!  Removing application default from my security poicy rule did the trick.   Thanks!   Tom ... View more

Hi @DongQu ,   Split-tunneling by domain requires a GP license -> https://docs.paloaltonetworks.com/globalprotect/9-1/globalprotect-admin/globalprotect-overview/about-globalprotect-licenses.html.  Do you have a GP subscription for your firewalls?   Thanks,   Tom ... View more

Hi @tamilvanan ,   That's exactly what I said in #1 above!  Glad you got it working.  BTW, your URL points to webdefense.  You may want to fix it.   Thanks,   Tom ... View more

Hi @tamilvanan ,   Does the username format in the "show user ip-user-mapping all" command match the username format in the "show user group name cn=blah,cn=blah,dc=blah,dc=blah" command?  (The "show user group list" command will give you the exact group name for the previous command.)  If the format does not match exactly, then the user may not be matched to the group.  There are some things you can do to fix the issue:   Make sure the domain specified under Device > Authentication Profile > [LDAP Authenticaton Profile] > Authentication > User Domain matches the domain under Device > User Identification > Group Mapping Settings > [edit] > Server Profile. Follow the guidelines in this doc -> https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-new-features/user-id-features/support-for-multiple-username-formats.  The primary and alternate usernames can fix it as well as the matching without domains if the domain is different or missing. Thanks,   Tom ... View more

Hi @fedoracore123 ,   For a VM-Series, the PA-VM is the 3rd and final prompt.  Your new password should work.   Thanks,   Tom ... View more

Hi @Andrew_Bergt ,   NAT before IPsec is configured just like regular NAT except one of your interfaces will be your tunnel.  The tricky part is that you need to add static routes to get NAT to work -> https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClipCAC.   Thanks,   Tom ... View more

Hi @malayalamitlokam ,   It's easy.  Simply import the new certificate, and it will replace the existing one.  I would export the existing certificate and key just in case.  Since your existing configuration works, I would give the new certificate the same name so I don't have to change the configuration.   Depending on the CA, you should be able to get a new cert with the same private key.  In which case you would not need to import the private key.  This is a good doc for reference -> https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClFoCAK.  One thing I don't like about the doc is that it says you should import the server (portal, gateway) cert with the private key.  This is not necessary if you generated the CSR and key from the Palo Alto or you are re-using the existing private key.   Thanks,   Tom ... View more

Hi @YazarArafath ,   With the PAN-OS 10.1, the "new Network Packet Broker feature replaces Decryption Broker and expands its capabilities to filter and forward not only decrypted TLS traffic, but also non-decrypted TLS and non-TLS traffic."  https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-new-features/networking-features/network-packet-broker.html   Thanks,   Tom ... View more

Hi @brouyao ,   It should be as easy as filling out this form -> https://www.paloaltonetworks.com/vm-series-trial.   Thanks,   Tom ... View more

Hi @Aewald785 ,   If your ISP does not reliably remove the default route when they have issues, you can remove BGP and use static routes with path monitoring.  I wouldn't use PBF.  Static routes are more straightforward.   Thanks,   Tom ... View more

Hi @fjwcash ,   Every policy in a Device Group has a Target tab for which you can enable or disable policies.  There is also a check box "Target to all but these specified devices and tags."  So, it looks like you can do everything that you want with the Target tab.  It looks like you can also use tags to make the process more efficient.  This is the only URL I can find -> https://docs.paloaltonetworks.com/panorama/10-1/panorama-admin/manage-firewalls/manage-device-groups/push-a-policy-rule-to-a-subset-of-firewalls.html#id918f9f51-f516-4abb-8e1c-61f0f9f9476c.   This is cool!  I can't find any docs, but under Panorama > Managed Devices > Summary, you can add tags to devices.  These tags show up under the policy rule Target tab under Filters or Tabs.  You can create tags that mirror you child DGs, and you have a working solution today.   Thanks,   Tom ... View more