About TomYoung

Hi @drewdown ,   Could you tell me why you are using PBF?  Most dual ISP designs can be handled by routing.   Thanks,   Tom ... View more

Hi @GFN182 ,   Use groups in your security policy.  You will need to configure group mapping, but with groups a single user can match multiple security policy rules.  The user does not have to change gateways for different access rights.   Thanks,   Tom ... View more

Hi @GFN182 ,   The straightforward solution is to use source user in the security policy to isolate the users without having to build multiple gateways.  GP has User-ID built-in.  I like keeping all of my security configuration in one place.   Thanks,   Tom ... View more

Hi @Alpalo ,   You did this?  Once you do the command it should be blank.   admin@ngfw# delete deviceconfig system update-schedule [edit] admin@ngfw# show deviceconfig system update-schedule [edit] admin@ngfw#     Thanks,   Tom ... View more

Hi @ecesureshkumar ,   There is a newer Expedition user guide here -> https://live.paloaltonetworks.com/t5/expedition-articles/expedition-user-guide-v1-2/ta-p/285157.  It is really good.  There are a few things I would like to highlight:   The 1st PAN-OS configuration imported becomes your base config.  It doesn't matter at which step you load it.  I prefer to load the Day 1 Configuration on the new firewall, export it and import it into Expedition.  In that way, you will have many best practices configured. With regard to cleaning up objects, do the groups first.  Then click the green button in the lower right, and more unused member objects may show up. If the config is grayed-out or doesn't show, make sure you select the correct drop downs in the bottom right.  Most of the time, you will be working with vsys1. Clicking on the dashboard numbers will automatically enable a filter.  Clear filters in the top right.  You can also select predefined filters from right-click. Right-click and select Search and Replace to show you where in the config file and object is used.  After Search and Replace comes up, you have to check the box next to the object. If the config has ICMP in the security policy, importing the Palo Alto > Snippets > Custom Applications creates ICMP App-IDs. I like to export the XML and load on the firewall.  It will replace the entire config.  You could also use the API or load config partial. With regard to @OtakarKlier 's comment.  Expedition can sometimes cause commit errors because of XML syntax errors.  I always load these on a lab firewall first to fix the issues before the customer firewall.  However, for large configurations, Expedition saves me a LOT of time cleaning unused, duplicate, and invalid objects.  The resulting config is SO much better.  I prefer using it then doing the config from scratch. The majority of the commit errors are self-explanatory.  A very few times (both associated with IPsec) I got commit failures with no warning.  This article was useful -> https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PMb2CAG.  You can always delete the offending config piece. That's enough for now.  I love the tool.  If you have issues, send an email to fwmigrate@paloaltonetworks.com.   Thanks,   Tom ... View more

I would delete the whole section, commit, then paste the 6 lines back, and commit again. ... View more

Hi @Alpalo ,   Your NGFW is still trying to connect to WildFire every minute like the update-schedule is still there.  Maybe the config is in the CLI, but not the GUI.  Could you run the commands > "set cli config-output-format set", > "configure", and # "show deviceconfig system update-schedule"?  If the wildfire is still there, I would delete the whole section with "delete deviceconfig system update-schedule" and then add the pieces that you want back.  You can copy and paste the CLI for the other sections to quickly add them back.  You can also "commit" on the CLI.   Thanks,   Tom ... View more

He @ErikMarschang ,   That is not normal or expected.  If you setup TACACS+ for authentication into your NGFW, you should only see requests from the management interface of the NGFW.   Maybe you have a security rule allowing TACACS+ from the outside?  You could check the traffic logs.   Thanks,   Tom ... View more

Hi @Alpalo ,   That's strange.  Do you have a valid Threat Prevention license?  What licenses are active under Device > Licenses?  If you have a  Threat Prevention license you still should be able get WildFire signature updates every 24-48 hours.  The object should not be completely gone.   What do you see under Device > Dynamic Updates?  Is there an update schedule for WildFire?  The CLI command refers to that section.   if you don't have a Threat license, try the CLI command "delete deviceconfig system update-schedule" without the wildfire parameter.  That should delete all dynamic update schedules.  You can then add the licensed ones back.   Thanks,   Tom ... View more

You're welcome @Bad_Goat ! You could look into WSL2, cURL for Windows, or others.  If you are going to go down the automation path a long way, I would learn Python with the requests module.  There are so many automation options out there, it can be hard to pick the one best for you. ... View more

Hi @Hemal_Vaghela ,   Could you have them run this command on their ASA, "show run all | i crypto isakmp identity"?  You want to make sure you match that configuration on your firewall.  Sometimes I have found that "auto" doesn't work so well, but they probably can't change it since the config is global and applies to all their VPNs.   Thanks,   Tom ... View more

Hi @Alpalo ,   I believe this is what you are looking for -> https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClyXCAS.   Thanks,   Tom ... View more

Hi @Qui ,   The PA-3020 has been announced end-of-sale and will be end-of-life on October 31, 2024.   https://www.paloaltonetworks.com/services/support/end-of-life-announcements/hardware-end-of-life-dates   Thanks,   Tom ... View more

Hi @bobvaal ,   Can you RDP to the IP address that you put in the Permitted IP Addresses and then HTTPS to the firewall from it?   Thanks,   Tom ... View more