About TomYoung

Hi @Arielhz ,   Here is more info on it -> https://live.paloaltonetworks.com/t5/community-blogs/how-to-use-palo-alto-networks-new-feature-request/ba-p/409590.   With regard to your FRID, ask your PANW AM or SE to vote for it.   Thanks,   Tom ... View more

Hi @OtakarKlier and @Andreikin ,   Sorry for the late reply!  The original design is good.   I would create specific security policy rules (both ways) to block traffic from one public IP to egress on the other interface.  It sounds like both ISPs are in the same zone, and the traffic is allowed via the intrazone-default rule.   Thanks,   Tom ... View more

Hi... Yes with SAML you can (or must) go via Idendity Engine. We build it in our company that way. You get the Assigned Groups then via CIE... ... View more

Hi @AhmedAlRashed ,   I only have the login event also.  With regard to the source user populating, you could increase the User Identification Timeout (min).   Thanks,   Tom ... View more

Very cool tool! ... View more

I was having the same issue after upgrading to a newer software version.  The initial configuration out of the box was working fine.  The management IP address setting disappeared when I upgraded to 10.2   I used the following format and the address stuck.    configure set deviceconfig system type static set deviceconfig system ip-address 10.x.x.x netmask 255.255.255.0 default-gateway 10.x.x.x dns-setting servers primary 8.8.8.8 commit exit show interface management ... View more

Great article - Really helpful. Thank you! In our case it was this line in particular that resolved our issues: Sometimes you must reset the password of the service account as well so that it is stored with AES encryption.     ... View more

As promised, I am here with an update.  I was able to successfully move firewalls over to the new Panorama.   I ran into an issue where the firewalls would show as disconnected on the new Panorama.       I remembered this article, as helpful for similar issues in the past https://docs.paloaltonetworks.com/panorama/10-1/panorama-admin/troubleshooting/recover-managed-device-connectivity-to-panorama   In this case, I only needed to clear the device state on the new Panorama using CLI command clear device-status deviceid <device_SN>   Thanks again @TomYoung @JayGolf      ... View more

Wish this command would tell you the actual route entry was being used.I would like the output to reveal that it is using the 0.0.0.0/0 entry in my example. Any ideas?   For example,   xxxx@xxxx (active)> test routing fib-lookup virtual-router Default ip 8.8.8.8 -------------------------------------------------------------------------------- runtime route lookup -------------------------------------------------------------------------------- virtual-router: Default destination: 8.8.8.8 result: via 172.16.4.10 interface ae1.4, source 172.16.4.1, metric 10 -------------------------------------------------------------------------------- ... View more

Hi @Sanjay_Ramaiah ,   Since you do not plan to use the management interface, I will configure all the service routes the same.  The service routes you listed should be all you need, but it is not working.  Let's see if this makes a difference.   Thanks,   Tom ... View more

Hi @Prathmesh ,   If you have a CSP account, you can login to Beacon for free training.  https://beacon.paloaltonetworks.com/student/catalog   There are a lot of resources there.  This one has the new style slides format.   PCNSE training -> https://beacon.paloaltonetworks.com/student/collection/668346-palo-alto-networks-certified-network-security-engineer-pcnse?sid_i=2   I prefer the old style audio/GUI format below.  Use the ones that work for you.   https://beacon.paloaltonetworks.com/student/path/642692-firewall-9-1-essentials-configuration-and-management?sid=d1d2356a-5556-4620-9d56-8415191a037b&sid_i=0 https://beacon.paloaltonetworks.com/student/path/642697-panorama-9-0-manage-firewalls-at-scale?sid=cb612c63-924f-481c-8cb3-69b10b57740c&sid_i=1   Thanks,   Tom ... View more

Hi @John_J ,   I don't think the NGFW forwards GP logged-in users to Panorama.  IF you were using Panorama to redistribute User-ID info then you MAY be able to query the Panorama user-IP mapping table to view the source NGFW.   Sorry!  That's all I got.  Maybe someone else has something good.   Thanks,   Tom ... View more

@JamshedDayar wrote: Hi Brandon,   Let me clarify.   Currently we have UIA version 8 on our 2012 server which is working fine since ages, status on that for all DCs is connected. no issues   Now we are deploying a win 2019 server with newer version of UIA 10.2 but using the same service account thats being already used for 2012 deployment ( so permissions are not an issue imo as that one is working fine )   Now on the 2019 server, the UIA agent is running and connected, but on 3 DCs ( screenshot attached in 1st post ) , the status is stuck at connecting and after sometime it is Connecting ( Access is denied ).    We have followed the KB and all local permissions are also granted to service account on new server as well.  Hrmm...If you're saying you've followed all the steps and the service account is running the software, it's possible there could be some weird issue going on, but that likely will need a support case to truly discover.   That said my enviornment is a mix of 3200s, 3400s, and 5250s running 10.1.X and 10.2.X PAN-OS.  I've got 4 UIAs targeting 100+ DCs and 1 credential agent.  We're running UIA software version 10.1.0-21 and we don't have any issues monitoring 2019 DCs.  Maybe try downgrading the UIAs to 10.1?   Where Can I Install the User-ID Agent? https://docs.paloaltonetworks.com/compatibility-matrix/user-id-agent/where-can-i-install-the-user-id-agent#id8f750af3-799f-4546-8b9e-a44a23b5b5c0     Which Servers Can the User-ID Agent Monitor? https://docs.paloaltonetworks.com/compatibility-matrix/user-id-agent/which-servers-can-the-user-id-agent-monitor#id48730da4-e269-4a3b-aeae-ea577c5c04ea  ... View more

Hi, I got similar issue here. Any update from your side?   ... View more