About pulukas

For RMA setups you would need to open an official ticket.   Use the "Get Support"  button in the upper right for the support site. ... View more

You can transfer all licenses from one device of the same model to another yourself in the support portal.   https://live.paloaltonetworks.com/t5/Videos/Transferring-a-License-to-a-Spare-Device-on-the-Support-Portal/ta-p/56378   But moving just part of the licenses requires opening a support ticket with the request. ... View more

My recollection is that you really have to use VPN monitor in this scenario because without it the tunnel interface does not go down and therefore your primary route is never removed from the routing table. ... View more

Sounds like  a bug.  Your best bet is to open an official ticket on the support site using "Get Support" in the upper right corner.   If this is a known issue they will tell you what version you need to upgrade to in order to clear the bug.   If it is not yet reported you will get it into the queue to be fixed. ... View more

You could perhaps move your provider peering via OSPF into a separate virtual router.  Then use BGP from this VR to your main VR with the controls you need to have in place. ... View more

On the peer flapping, in all likelyhood you are losing the IPSEC tunnel causing the flap.  So check for the reason that the tunnel is not stable in the logs.   On routing, this requires more thought on the needs.  Why do your resources in AWS need a default route?   Are you providing internet access for your AWS resources via your PA firewall? If not, then you likely do not need a default up this tunnel.  Instead just advertise the resources on your network that the AWS resources need to access.   If you do need the default route to AWS, your peer should be eBGP and when it does re-advertise your local default route it would re-write the next hop to be itself, your side of the AWS peering.  Thus the traffic would come to your AWS peer from the AWS resources. ... View more

Right, if you need that level of route filtering you will need to switch to BGP from OSPF.   Bear in mind that Palo Alto is a security company that provides networking features on their devices.  The introduction pace of new networking features can be slow.  We just got BFD for example last year.  So don't count on networking feature requests showing up soon. ... View more

Your other option here is to switch to BGP for route distribution.  This would then give you full control of import and export policies throughout the enterprise to handle this cases as you desire. ... View more

Another option in this scenario is to make the PA cluster Active/Active instead of Active/Passive.  This way no matter what combination of device failures occur on either side you still have a traffic path with the PA devices.  and you don't need to track anything for failures. ... View more

More specific routes will always win over larger prefixes.  This is the nature of the route selection process and is considered before the protocol of the route in question.   You will need to install the /24 as a static to override the OSPF learned route. ... View more

I'm confused on what the current setup is.   The core switch to the router connection, is this layer 2 or layer 3?  ... View more

I'm not sure I follow your question fully, so forgive me if this is off track.   When you move from v-wire to layer 3 assuming there is a routed interface set of ip addresses on either side of the PA.   R1 10.1.1.2/31 ---- v-wire----10.1.1.3/31 R2   One ip address moves to the PA and you setup a second subnet for the other:   R1 10.1.1.2/31 ----10.1.1.3/31 PA-L3 10.1.1.4/31----10.1.1.5/31 R2   Routing on R1 does not change, the next hop will remain the same Routing on R2 changes any next hops of 10.1.1.3 to 10.1.1.4 PA needs to copy routes from R1 with next hop 10.1.1.3 and change to next hop 10.1.1.5 PA needs to copy routes from R2 with next hop 10.1.1.2 and keep same next hop ... View more

Fireeye can do deep packet changes so it is a possible culprit for this type of issue too. ... View more

All good reasons for the internal side connections.   You have a good handle on the benefits each way.  I'm sure your deployment will go well. ... View more