About TomYoung

Hi @valizada ,   Only one security policy rule is needed to identify infected hosts.  Please see #3 in this document -> https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClGECA0.   For those not familiar with this practice, most outbound DNS requests will come from the company's internal DNS server.  To identify the infected hosts, you can create a security policy rule to match traffic to the sinkhole FQDN.  The traffic that matches this rule will have the source IP addresses of the hosts that initially requested the suspect domain.  The Day 1 Configuration includes an example rule.  The BPA also recommends this rule.   Thanks,   Tom ... View more

That's awesome!   I don't see it on the web page yet (with 3 different browsers), but I hope to check it out soon. ... View more

Hi @grenzi ,   That is a good point.  I went ahead and upgraded to a fixed version since it is only a couple minor releases different.  The only changes in the software will be vulnerability fixes.  I don't know the exact process, but PANW always waits a while before marking a new release as preferred.  I believe they look at the support cases for a little while to make sure there are no bad bugs in the code.   Thanks,   Tom ... View more

Hi @marie-merlier ,   I have a DAG that is IP-based, and I cannot see it on Panorama.  I have to connect to the NGFW to see the members.   Very interesting.   Thanks,   Tom ... View more

Hi @marie-merlier ,   I see that you are using the REST API.  The REST API is  used for CRUD operations.  https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-panorama-api/get-started-with-the-pan-os-rest-api/pan-os-rest-api   I would guess since viewing the dynamic members of a groups is more an operational command and not a configuration create/read/update/delete command that it is not available on the REST API.  Here is the syntax on the XML API to run the operational command:   /api/?type=op&cmd=<show><object><dynamic-address-group><name>mydynamicgroup</name></dynamic-address-group></object></show>   Thanks,   Tom ... View more

https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-web-interface-help/device/device-high-availability/ha-link-and-path-monitoring   ... View more

This is a good doc on HA best practices.  https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cm5ZCAS   With regard to HA Timer Settings, most people use Recommended, but you want faster failover choose Aggressive.   I would definitely configure Link Monitoring.  I would only configure Path Monitoring if you have redundant switches toward the ISP.   EDIT:  No, there is nothing else you would do on the switch. ... View more

EDIT:  This post is wrong.  Please ignore.   Hi all,   This feature is available with the Advanced Routing Engine, but that is a big change to make.   https://docs.paloaltonetworks.com/pan-os/11-1/pan-os-networking-admin/advanced-routing/configure-bgp-on-an-advanced-routing-engine   Thanks,   Tom ... View more

Hi @inSync-MarkValpreda ,   No, it is not expected that the port go error-disable with BPDUGuard.  The NGFW does not initiate BPDUs, but it can forward them for L2/VWire interfaces.  My guess is that the passive may still have had the default VWire configuration on it when the ports were initially plugged in.  The ports connected to the passive NGFW should be configured exactly the same as the corresponding ports connected to the active NGFW.  As long as HA is up and the configuration is synced and the NGFW is in passive state, it is safe to bring up the ports to the passive NGFW.   You do not want to setup LACP on ports connected to 2 different NGFWs.  With the same config on the ports connected to active and passive, the MAC address should only show on the port connected to the active NGFW.  If you want to configure LACP with multiple ports to each NGFW, configure 1 group to 1 NGFW, and a 2nd group to the 2nd NGFW.  If you want LACP to be pre-negotiated on the passive NGFW, check the "Enable in HA Passive State" box under the AE interface.  This will require that the passive link state be set to auto also.   As you asked, changing the passive link state be set to auto will speed the failover a little bit.  The ports will be up on the passive.  You should see no traffic or MAC addresses on the passive ports.   Thanks,   Tom ... View more

Hi @cylusaragao ,   You can create a custom report.  First, you need to verify your GP logs go back 90 days.  Under Monitor > Logs > GlobalProtect, select the ASC drop down in the bottom right.  The log on top will have your oldest date.   Second, you need to create your custom report like so:     Thanks,   Tom ... View more

Hi all,   I don't think either my ladder diagram or @n.major's is correct.  I use Azure MFA for GP, and I see nothing under Monitor > Logs > Traffic between the outside interface and Azure.  Because of the URLs configured in Azure, I assumed there was some communication between the two.  Right now, it looks like all the communication to Azure is from the GP client.  It looks like the GP client sends the identifier 'https://test.com:443/SAML20/SP' to Azure.  A packet capture on the PC interface would confirm.  If that traffic does not go to or through the NGFW, we cannot use NAT to change the port.   Maybe we cannot solve this issue, but if anyone wants to do a packet capture on the PC and post the actual ladder diagram of the traffic, that would be very helpful.   Thanks,   Tom ... View more

Wow!   Maybe it is a typo somewhere.  The "Check Now" button usually fixes it for me.  I can download it fine.  Maybe PANW fixed it.   BTW, the preferred version is 11.1.4-h7.  I would install that one.   https://live.paloaltonetworks.com/t5/customer-resources/support-pan-os-software-release-guidance/ta-p/258304   Thanks,   Tom ... View more

Hi @M.Gill298701 ,   Yes, the configuration is exactly the same, and in the event of failover the passive then becomes active.   With active/passive HA, the configuration is exactly the same between both FWs except for a few device configurations listed here.  https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-admin/high-availability/reference-ha-synchronization   For standalone, you configure one FW and the config is synced.  For Panorama, you put the HA pair in the same template (and device group).  With SCM, it looks like you put them in the same parent folder and modify that configuration scope.  If you configure HA in that scope, you will need to use variables as the HA links must have different IP addresses.  https://live.paloaltonetworks.com/t5/next-generation-firewall/ha-configurations-in-strata-cloud-manager-scm-with-ngfw/td-p/616341   Thanks,   Tom ... View more