About TomYoung

Hi @GhislainB ,   It looks like there is no preferred version for 11.2 yet.  https://live.paloaltonetworks.com/t5/customer-resources/support-pan-os-software-release-guidance/ta-p/258304   I would recommend 11.2.3-h5 as it should have minor fixes.   Thanks,   Tom ... View more

Hi @vivekms ,   HA can be pushed from Panorama with template variables.  Not a big deal, just an FYI.   Thanks,   Tom ... View more

Hi @k.malkhasyan ,   There is no tool that I know.  What I do for customers is use the Product Summary Specsheet.  https://www.paloaltonetworks.com/resources/datasheets/product-summary-specsheet   It has the throughput and Threatput™ numbers.  With regard to decryption, you can reach out to your PANW SE, or just add a cushion.  The NGFWs released in the last few years don't get bogged down too much.   Thanks,   Tom ... View more

I have always wanted this feature.  If everyone on this thread contacts their PANW SE and requests this feature, then we should get a feature request ID created. ... View more

Hi @palorox2023 ,   Sorry for not replying.  The interface down does not look like a good sign.  I have used the DHCP added default route many times.  It should work without issue.   Thanks,   Tom ... View more

Hi @vkvinodin ,   The easiest way that I know is via CLI.  Run the following commands with the IP that you are looking for. you@yourfw> set cli config-output-format set you@yourfw> configure you@yourfw# show | match ip.ad.dr.ess You will get a list of all of the commands in which your IP address is used.  Paste these into your text editor.  Change (1) all the ^set to delete and (2) any list inside a bracket to the single IP address, e.g. [ object1 ipaddress1 ... ] to [ ip.ad.dr.ess ].  Paste into the CLI configuration.  (^ = regex beginning of line in case the pattern exists elsewhere.)  (The regex \[.*ip.ad.dr.ess.*\] will match all the existing groups in which the IP exists for a fast search and replace for #2.)   These commands will delete the IP address from everywhere it is used in the configuration.   Unless you enable scripting mode, you can only paste 40 or so commands at a time.  I definitely would test the different types of commands before using them all.  If something gets messed up, the command "revert config" will erase the candidate configuration.   IF the IP address is also an address object, follow the same process with the object name instead of the IP address.   Thanks,   Tom ... View more

Hi @MFacella1 ,   There is no grace period for expired subscriptions, but some features do not expire.  Here are the details -> https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/subscriptions/what-happens-when-licenses-expire.   Essentially, your Threat will continue to work with no updates while the URL will stop working.   Thanks,   Tom ... View more

Hi @itassetbenilde ,   Great question!  I checked mine, and it is exactly the same.  Seems to be normal.   Thanks,   Tom ... View more

Hi @dshastri ,   The NGFW does not know the user until authentication.  There is no pre-authentication check as far as I know.   Thanks,   Tom ... View more

Hi @MeyerJason ,   Once you click install on the new PAN-OS version, the NGFW will begin the install.  After a few minutes, a popup will ask if you want to reboot the NGFW.   Thanks,   Tom ... View more

Hi @NickoKristian ,   1. Is it a normal behavior for the configuration of the firewalls to be stripped off once they are being managed by Panorama?  Yes.  The "Export or push device config bundle" step will delete the local policies and objects.  This is needed or you will get a bunch of duplicate value errors.  The Force Template Values step will delete the local Network and Device values, except management interface IP address. What if in the scenario that the Panorama Suddenly reboots, does this mean that traffic for all the devices it manage will go down since there are no configurations the NGFW's?  No.  Once the Panorama configuration is pushed, it remains on the NGFW.  It appears your push failed because the NGFW was disconnected from Panorama. Given our current status now what would be the best advisable thing to do next?  You need to fix the disconnect error first.  You may want to failover if needed for connectivity to Panorama.  https://docs.paloaltonetworks.com/panorama/10-1/panorama-admin/troubleshooting/recover-managed-device-connectivity-to-panorama Are there any documentations for onboarding/Import and Push Active/Passive Firewalls to Panorama?  https://docs.paloaltonetworks.com/panorama/10-2/panorama-admin/manage-firewalls/transition-a-firewall-to-panorama-management/migrate-a-firewall-ha-pair-to-panorama-management Thanks,   Tom ... View more

Hi @dshastri ,   Here is a great place to start.  https://www.packetswitch.co.uk/how-to-protect-globalprotect-portal-from-brute-force-attack/   I have used all of these methods.  They will significantly decrease the amount you are getting.   The 4th one is a vulnerability signature that does mostly what you ask.  I found it to not be as effective since most of my hackers were low and slow.  The signature only detects login attempts and not failures.  So, you can't tune it too tight or valid users may be blocked.   GP can still be used without the portal page enabled.  (You actually can still download software by going to https://your.domain.com/global-protect/getsoftwarepage.esp, but that's another story.)   Thanks,   Tom ... View more

Hi @NoRaindropsInTheSky ,   The cool thing about this document https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-networking-admin/nat/nat-configuration-examples/destination-nat-exampleone-to-one-mapping is that is has example security and NAT policy rules on the bottom.  Follow those examples and your inbound traffic will work fine.  Pay close attention to the zones used, the correct configuration may not be intuitive at first.   With regard to your traffic logs, traffic that does not match a security policy rule will hit the interzone-default rule.  This rule does not log by default.  You will need to highlight the rule, click the Override button on the bottom, configure logging, and commit your changes.  Then you will see the dropped traffic in the logs.   Since you have a NGFW and a CSP (Customer Support Portal) account, you can also log into Beacon.  https://beacon.paloaltonetworks.com. From there, search "firewall essentials".  You will see the free 9.1 training.  The PAN-OS is old, but the foundational configuration is the same.  It is very good.   If you don't like the older audio/video type training, you can search for "next generation firewall".  You will see training of the same name in the new interactive HTML format.  Both free training have lots of good material.   If you have any question as to why, feel free to ask.   Thanks,   Tom ... View more