About TomYoung

Hi @esheldon ,   The error is referring to the certificate under Device > Setup > Management > Device Certificate.  It is not listed under Certificate Management.  It is used to leverage cloud services.   https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/certificate-management/obtain-certificates/device-certificate.html   Thanks,   Tom ... View more

Hi @Evahi21 ,   On 10.1, I am able to use the Move button on the bottom of the Address and Address Group pages to move the objects from Shared to the same device group as the security policy rule.  What exact error are you getting and where?   Thanks,   Tom ... View more

Hi @JimMcGrady ,   Did you see @SebRupik 's comment?  The PA-800 Series fans will run loud if only one PSU is plugged in.   Thanks,   Tom ... View more

Hi @Vijaygvasan ,   Sure!  Here is a doc -> https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000HANzCAO&lang=en_US%E2%80%A9.  That doc uses an MFA server profile.   With PANW and Duo, there are 4 ways to configure MFA:   RADIUS with Duo Authentication Proxy (free install from Duo on Windows server). The RADIUS server profile configured in the GP doc in the previous reply can also be applied to Auth Policy. SAML with Duo Access Gateway (another free install on Windows). Here is a doc -> https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/authentication/configure-multi-factor-authentication/configure-mfa-between-duo-and-the-firewall.html. The SAML server profile configured in this doc can also be applied to Auth Policy SAML with Duo SSO. Can authenticate against another cloud IdP. Can authenticate against local AD with Duo Authentication Proxy. MFA Server Profile This procedure is outlined in the top URL of this reply. It needs to be combined with a primary authentication profile. Thanks,   Tom   ... View more

Hi @GrantCampbell4 ,   BGP NSF Awareness is not enabled by default on Cisco.  NSF Awareness is needed for it to recognize the BGP OPEN message sent by the newly active firewall in order to re-establish the session and repopulate its BGP RIB.  The "bgp graceful-restart" global command (can also be configured per neighbor or per template) enables both NSF-aware (assist neighbor) and NSF-capable (perform SSO if HW supported) functions on the router.   This configuration on the Cisco side should allow the BGP session to be re-established without the outage (neighbor down, routes withdrawn) caused by the hold timer expired.  With GR enabled, you should keep the long hold timers.   Thanks,   Tom ... View more

Hi @Vijaygvasan ,   You mentioned RADIUS.  Have you configured the Duo Authentication Proxy?  Here is a doc for GP, but the RADIUS config is the same regardless of the use case.  https://duo.com/docs/paloalto   Here is an overview of supported use cases and protocols for PANW MFA.  https://docs.paloaltonetworks.com/compatibility-matrix/mfa-vendor-support/mfa-vendor-support-table.html  Note that the MFA server profiles can only be used with the Authentication Policy for now.   Thanks,   Tom ... View more

Hi @Evahi21 ,   If you have at least 1 public IP address advertised to both ISPs, I would use a loopback for a single VPN tunnel.  That design is by far the simplest, but requires a separate public subnet than the ones on the interfaces.   Thanks,   Tom ... View more

Hello @MRamadanAHafiez ,   Most likely the format of the username does not match.  Do you have a username or group in the security policy rule that allows access to your resources?  You can verify the format of the username via the monitor tab, but I prefer CLI.   Use "show user ip-user-mapping all" to verify active username format.   Use "show user group name [group]" to verify username format needed to match group.   This doc will have the fix most of the time -> https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-new-features/user-id-features/support-for-multiple-username-formats.   Thanks,   Tom ... View more

Hi @tamilvanan ,   It is possible that ECMP will solve your issue.  If you enable ECMP and check Symmetric Return, then your GP traffic will be returned on the same interface that it was received.  I think this will work with one primary default route, but I would need to test.  Otherwise, you would need two equal-cost multipath default routes.   Thanks,   Tom ... View more

Hi @SBI_INFRASTRUCTURE ,   I believe the Cloud Identity Engine can now get groups from AzureAD.   https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-new-features/identity-features/cloud-identity-engine.html   Thanks,   Tom ... View more

Cool!  I guess this is a poll.  I called the other day.  I waited only about 5 minutes.  I had to call because I was getting an SSO error when clicking on the Support Cases menu in the support portal.  Otherwise, I open a case online.   Edit:  Bad news:  I called this weekend for a Sev1, and was on hold for over an hour.  I hung up.  Good news:  I opened a Sev1 case online, and got a response within an hour.  I guess I got lucky the 1st time. ... View more

Hi @drewdown ,   Ahh!  I see.  You are using PBF because the article which you posted said to use it.  My bad.  I use this method with my customers -> https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PLL8CAO.  It works well.  It uses route metrics for forwarding and not PBF.  It's more straightforward.  I am curious if removing PBF may remove the NAT issue.   While PBF is policy routing, I prefer a route table lookup.  That's what I meant by routing.  The nice thing about using the route table is that you can also use both ISPs if you want.  You would need to enable ECMP in your VR.  I would check the Symmetric Return box.  I had one customer where load balancing broke voice, but changing the ECMP method to IP Hash fixed the issue.   With regard to path monitoring, I like to use 2 Internet IP addresses so that one down host doesn't take down the circuit.  I ran into one customer (not my setup) that was monitoring 8.8.8.8 for HA path monitoring, and the host went down causing a firewall failover!   Thanks,   Tom ... View more

Understood. ... View more