About TomYoung

TomYoung · ‎11-29-2021

Hi @GnContente , That is a very good question. If Tunnel Monitoring is configured with a Tunnel Monitoring Profile configured for Fail Over, then loss pings will bring the tunnel down. I had a customer that setup a VPN for a critical printer. He pinged the printer as part of his tunnel monitor configuration. The remote site powered off the printer, and the VPN went down! :-0 Or, the VPN could go down first resulting in the loss of pings. The first place I would look is in the system logs to see why the VPN went down. The logs will indicate if tunnel monitoring brought the tunnel down or something else did. Thanks, Tom

TomYoung · ‎11-26-2021

Hi @GnContente , Tunnel monitoring works by pinging a destination address on the other side of the tunnel -> https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/vpns/set-up-site-to-site-vpn/set-up-an-ipsec-tunnel.html, Step 9, #2. So, rekeying child SAs will not cause the tunnel monitor to bring the tunnel down. The VPN does not drop during the rekeying process. The PA does not store a log of the keys unless the debugging level is set to dump -> https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClinCAC. In general, logging IPsec keys is not a secure practice. The IPsec protocols use a very complicated process to generate secure keys in order not to be compromised -> https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/vpns/site-to-site-vpn-concepts/internet-key-exchange-ike-for-vpn.html. New keys are renegotiated are regular intervals to provide more security. So, I would never log the keys unless I needed to decrypt the traffic as described in the article. Thanks, Tom

TomYoung · ‎11-26-2021

Hi @Patrick_Jessett , You do not need to add another subnet to your interface. As long as the ISP has a route for the new subnet to your existing IP address, it will work fine. Notice in the 3rd paragraph of this article -> https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClSDCA0 that for "NAT configuration, the additional IP addresses do not necessarily need to be configured on the interface". Configure NAT for IP addresses in the new subnet, and the NGFW will translate them. This practice of NATing a different subnet than on the interface is quite common and works well for exactly this scenario. All firewalls do it, and you do not need to burn an IP address on the interface. Thanks, Tom

TomYoung · ‎11-24-2021

Hi @Joshan_Lakhani , It may be a bug in PAN-OS 9.1.11. I am running 10.1.3, and the comand works fine for me. tyoung@fdsnsdfw01> show arp management <response status="success"><result> <total>2</total> <entries> <entry> <interface>eth0</interface> <ip>removed</ip> <mac>removed</mac> <status>C</status> </entry> <entry> <interface>eth0</interface> <ip>removed</ip> <mac>removed</mac> <status>C</status> </entry> </entries> </result></response> Thanks, Tom

TomYoung · ‎11-21-2021

Hi @fedoracore123 , Since you post was 3 hours ago, you probably have already been able to login. You have to wait for the 3rd prompt before you can login -> https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CloQCAS. The PA-HDF login is the 2nd prompt. Your VM was probably still initializing the software after the 1st boot. Thanks, Tom

TomYoung · ‎11-21-2021

Hi @davistg , Did you create the zone first with the "set vsys vsys1 zone test" command? Also, you will need to create interface ethernet1/17.66 as a layer3 interface if it doesn't already exist. Then, your command should work. Thanks, Tom

TomYoung · ‎11-18-2021

Hi @Travis_Molleck , You can use the "test security-policy-match" command on the CLI. It won't do bulk, but you can make text edits to it easy and paste the new command. Thanks, Tom

TomYoung · ‎11-17-2021

Hi @a.jones , It is difficult to troubleshoot your issue without more details. With that said, have you considered leaving the /30? Since you are moving to active/passive, then you do not need separate IP addresses for the passive firewall. The same IP addresses are configured on both. The IP addresses on the passive firewall do not respond to traffic until it becomes active. Thanks, Tom

TomYoung · ‎11-17-2021

I have macOS Catalina, and I ran into the same issue. So, it is not the issue in the KB article for Windows. Previous upgrades worked fine. For 5.2.8, I would get a popup, then nothing. I chose to download the software from the portal and manually upgrade. That process worked fine.

TomYoung · ‎11-15-2021

Hi @MichaelMedwid , I don't think the firewall records the peak users, but you can check current or previous -> https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClorCAC. Previous should show the "peak" from a unique username count. I would hope that an NMS could graph GP users via SNMP. The maximum GP users is a hardware limit. If it is exceeded the gateway will refuse the connection. See the picture in this thread -> https://live.paloaltonetworks.com/t5/general-topics/global-protect-firewall-behavior-after-reaching-max-users/td-p/310408. Thanks, Tom

TomYoung · ‎11-09-2021

Hi @tonyrobson , Great question. I wondered the same thing myself. On a firewall with the default single vsys, the certificates and SSL/TLS service profiles are stored in shared, although you cannot see or set the location in the GUI. You can see it in the CLI with the "show shared certificate" and "show shared ssl-tls-service-profile" commands. So, on the single-vsys NGFW, you can only choose SSL/TLS service profiles in shared from Device > Setup > Management. I first noticed this behavior on a multi-vsys firewall. It seems to be built in and cannot be set to choose from vsys1, possibly because PANW does not want device management config tied to a vsys. Thanks, Tom

TomYoung · ‎11-09-2021

@TonyTam is correct. When you initially import a firewall configuration into Panorama, you need to "Export or push device config bundle" to remove the local configuration and replace with Panorama configuration. If you try Commit > Push to Devices you will get the "already in use" or "duplicated name" errors. You only have to do it once, and then you can manage from Panorama normally.

TomYoung · ‎11-08-2021

Hi @DiogoFG , It looks like a STP design issue. A say "design" because STP is working, just not as you expected. The interface shown by "show arp all" is there for convenience. It is not resolved by ARP but rather reflects the L2 forwarding table of "show mac all". The PA does not participate in STP, but rather forwards the BPDUs to assist in loop prevention. So, the STP topology looks like SW1=SW2 (the = represents 2 links). It sounds like once the SW1-PA link goes down, once it comes back up it stays in STP blocking mode. You can confirm what port is in STP blocking mode on the switch. You should design the blocked port according to desired traffic flow. If you want the direct link between SW1 and SW2 to always be in blocking state (when all links are up), then adjust your STP cost or priority accordingly on SW1 or SW2. Thanks, Tom

TomYoung · ‎11-08-2021

Hi @landoa , I would upgrade the entire cluster to 9.0.14, then upgrade it again to 9.1.11. I would not test for the interim version since it is only temporary. I would implement the full test plan for 9.1.11. The TAC recommended releases are very stable. https://live.paloaltonetworks.com/t5/customer-resources/support-pan-os-software-release-guidance/ta-p/258304 Thanks, Tom

TomYoung · ‎11-07-2021

Yeah, I have noticed that 10.x runs a little slower than 9.x on many firewalls. I have installed in on a PA-220. There is a known issue that "PA-220 firewalls are experiencing slower web interface and CLI performance times." Because of that bug, the CPU spikes and slowness are a lot worse. However, the data plane seems fine.

Member Since	‎11-15-2017 11:37 PM
Date Last Visited	‎12-18-2025 07:22 AM
Posts	1,548
Total Likes Received	602

Online Status	Offline
Date Last Visited	‎12-18-2025 07:22 AM

Unlock your full community experience!

About TomYoung