About pulukas

I suspect this has something to do with your vsys configuration.  I don't see the vsys indication on log messages for my other admin users.     ... View more

The other thing to be aware of is that these specifications are specific to the feature they mention in the sheet.  So for the PA500 the 100M specification is for traffic that hits policies with threat prevention enabled.  The 250 M is for traffic that hits policies that use app-id.  So these are not the total traffic passing the interface but the traffic actually processes by the inspection system.   https://media.paloaltonetworks.com/documents/Summary_Specsheet-Nov12.pdf ... View more

A session that is "incomplete" along with "aged-out" typically indicates a fundamental network routing problem between your client and the site in question.   https://live.paloaltonetworks.com/t5/Management-Articles/Not-Applicable-Incomplete-Insufficient-Data-in-the-Application/ta-p/65711   One of the most common issues with this would be asymmetrical routing for the path.  But basically the 3 way handshake is not completing or there is no data transmited through the PA after the handshake at all. ... View more

The datasheet limitations are not based on physical port limits but on the processing of traffic and inspection limits of the platform.  They cannot be increased by port aggregation or other physical means.   They do tend to be conservative in their estimation of processing power, so you can likely experience better performance.  But the base limitations are with the packet inspection and processing not the port speeds. ... View more

Before I go to the trouble, do I still have to manually add named administrators to the firewall config with the RADIUS setup, or will they be autocreated? (e.g. if I log in as "jdoe" to the firewall and have never logged in before or added him as an administrator, as long as he is a member of "Firewall Admins" he will get access to the firewall with the access class defined in his RADIUS attribute)?   I have setup RADIUS auth on PA before and this is indeed what happens after when users login.  The RADIUS server was not MS but it did use AD groups for the permission mapping.  If users were in any of 3 groups they could log in and were mapped based on RADIUS attribute to the appropriate permission level setup on the PA. ... View more

check your settings as instructed in this document to insure you have blocking for malicious setup everywhere you want it.   https://live.paloaltonetworks.com/t5/Management-Articles/How-to-Enable-WildFire-to-Block-File-with-malicious-Verdict/ta-p/54376 ... View more

I supported a similar setup a few years ago.  Basically these systems create random high port streams to send the audio and video data.  As you can see from your symtoms the control is setup but some of these streams are blocked.   Option 1: get the ALG to work - the ALG is designed to recognize the needed ports are part of an approved session and open a pinhole for that traffic to come back into the firewall on these random ports.   You need to know which system H323 or SIP your system is using.  then follow the policy setup instructions so the traffic can correctly hit the ALG.   Option 2: Open the wide range of ports - your system will designate a range of high ports for these streams to the device.  If you can't get the ALG to work you will need to open the entire range of ports to permit in from untrust to your device the possible audio/video feeds.  Find the configuration where this port range is set and create the inbound allow policy. ... View more

You could confirm the DNS theory by seeing what the resolution of the FQDN is on the firewall when disconnected and if that matches the current server address or not. ... View more

Unfortunately, the feature to use a FQDN instead of an IP address for a remote VPN gateway is a rare one in the site-to-site VPN world. As you picture, SceeenOS had this feature and Sonicwall was the only other one I've worked with that allowed this configuration option.  This is very convenient but rare.   Even Juniper only semi migrated this to Junos.  They allow you to enter an FQDN gateway when you do a VPN configuration but Junos simply uses this to resove the CURRENT address for the FQDN then stores and uses the actual IP address in the configuration.   So the bottom line here is one side will need to have an IP address gateway entered to get a configuration to initiate and come up. ... View more

You could also see if this is covered by   clear counter all   So you don't have to reboot. ... View more

With complementary PBFs on both sides, will the PBF "Enforce Symmetric Return" feature ensure that I won't face an issue where traffic on one PAN and interface will try to be returned from the other unit on a different interface or tunnel?   This should work as you outline.  And if it does not, this won't be critical because you have placed the three paths into the same zone on the firewall.  So even if the traffic is asymmetrical the session will still match and the traffic will be accepted.   Since PBFs operate from top to bottom precidence, will the secondary rule sit idle until the L2 rule above it is disabled?   This will work, I would prefer to call it "not hit" as opposed to "idle" but that is just symantics.  The idea is the same the rule order is what is dictating the path.   Will the wait-recover delays (currently set at the default Interval 3 and HB 5) cause inconsistent behavior on both sides which and lead to  potential symmetric return issues?   Very likely, the chances of the recoveries being identical is small.  But as noted above your zone setup protects the traffic in any case even when not symmetrical.   Should the tertiary IPSec tunnel also reside in a PBF instead of being in the default virtual router?    Either would work but putting this in the default VR is simpler and I tend to like simplier solutions.   Thoughts:   I wonder if you had considered setting this up with straight up normal route preferences instead of using PBF.  You seem to be using static routes, so if the static routes just had the preferences in order of your paths and you setup the path monitoring to bring down the interfaces when the path is not valid, you would get the same failover sequence and behavior.  And the configuration would be simplier still. ... View more

Yes, this seems to be a application install and startup issue.  So the troubleshooting will be with the install process on the Mac.  If the GP service is not running you won't be able to connect. ... View more