About pulukas

There are a some options to manage configuration history on the PA device.   Automatically each change in configuration commit is saved for you and can be accessed to roll back changes.   Running Config > Current active device configuration Candidate config > current set of changes made but not yet commited on the device Rollback configs > up to 49 previously commited configurations Saved Snapshot > A manually saved configuration by the user.  This can be a created candidate config that was never applied.  Or an imported config to the device created outside.  Or saving or maually selected running configurations as they are active.   Revert to last saved configuration is a quick rollback of the current running configuration to the last one before this one.  this is helpfull if the current changes are not working as planned.   Load Configuraiton Version lets you go move than one version back in time up to 49.  These are saved automatically as you make commits and simply labeled by the date and time.   If you need to go back more that one version you will find Config audit help.  here you can compare any two config files and see what the differences are.  So you can compare the current configuration to these rollback ones and more easily determine which one you need to go back to. Device Tab > Config Audit left menu > Select the two configs to compare on the bottom   Load Named Configuration version - allows you to select those previously saved configuration versions named as you like. ... View more

Do look at the packet flow process noted above. The general flow is:   Routing lookup -  This is needed to assign zones and know the egress interface NAT - This occurs then to get the final ip addresses after NAT Security policy check - now we have all the information to confirm if the flow is permitted Deeper inspections - if permitted, we perform any deep inspections applied to the policy   https://live.paloaltonetworks.com/t5/Learning-Articles/Packet-Flow-Sequence-in-PAN-OS/ta-p/56081 ... View more

I've seen this type of behavior in multiple windows domain systems.  The issue there was with how windows handles the "short" names for resolution.   First is adding the computer local domain Next is cycling through the domain suffix options on the workstation   The fix was two fold.   All DNS servers in each domain had forwarders configured to point to all the other internal domain names.  This way no matter what domain the computer belonged to and used for DNS the forwarder would work for the other domain name resolutions.   A group policy was then added for computers in each domain to add all the other internal domain names to the DNS suffix list on the computer.  This way they would all be tried for each short name if the local computer domain failed in the lookup.   ... View more

IKEv2 is supported starting with PanOS version 7.  You simply select this at the top of the form.   Documentation https://live.paloaltonetworks.com/t5/Management-Articles/Is-IKEv2-Supported-on-the-Palo-Alto-Networks-Device/ta-p/61537 ... View more

I've seen this type of issue when the load balancer is setup in a way that allows asymmetrical routing.  Here is the RADware document that describes the issue and how to avoid this in their load balancer.   http://kb.radware.com/Questions/AppDirector/Public/What-is-Segmentation ... View more

There was a bug in the code that caused this sync failure for Pan DB on HA clusters.  I can't remember the versions or details.    You might check the release notes for the versions above the one you are running to see if it  would be solved by an upgrade. ... View more

you are correct, if you want to use web filtering you cannot use tap mode.  In tap mode we are looking at the stream of traffic and logging only offlline to the traffic and cannot affect it.   If you have a fully functional existing firewall, the simplest way to insert some PA funcationality like web filtering is to use vWire mode.  In this mode two ports of the PA are treated as a virtual wire, as if they are simply a patch cable that the traffic goes through and have now layer 2 or layer 3 impact on your existing network.   You disconnect the internal path of your traffic into the ASA and connect that to the trust side port of your two vWire ports.  Then run a new cable from the untrust vWire port to the ASA.  Now all your traffic can be web filtered and controled on the PA and no rules on your ASA are changed.   Basic instructions for this are here. https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Configure-Virtual-Wire-VWire/ta-p/56695 ... View more

This should still work the same with PanOS 7, features generally do not change unless called out in the release notes and I see nothing syslog related there.   Note in the comments on that doc that you may need to adjust some mapping values.  Normally when you comment on a docuement the owner at PAN gets and email to participate.  But I don't see answers to queries on this one so I suspect they are no longer with PAN.  Posting comments on tech docs is usually the best and fastest way to get specific doc questions answered.  But this one seems to be an orphan.   Maybe a community admin can ping someone over in tech docs to do an update on this one. ... View more

If your ISP is routing the subnet to your PA interface as the next hop, then no proxy-arp will be needed.   If your ISP has added the second subnet to their interface and given you a second gateway address, then you need to add an address in this subnet and mask to your interface.  Then the necessary proxy arp will be created when you add the NAT rules. ... View more

Here is the basic information on ECMP.   Video overview of topology and implementation https://live.paloaltonetworks.com/t5/Configuration-Articles/Equal-Cost-Multi-Path-Routing-ECMP/ta-p/120497   Sample Config https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Implement-ECMP-Load-Balancing-on-the-Firewall/ta-p/110339   ... View more

This message is related to the GP install on your computer.  Follow these instructions to confirm the service is present and running.     https://live.paloaltonetworks.com/t5/Management-Articles/GlobalProtect-Client-Unable-to-Connect-on-Newly-Installed/ta-p/60421 ... View more

When you configure the DNS settings for global protect these should take precedence over the local DNS when you are connected.  All queries would go to these servers and you need to confirm they are reachable from the global protect tunnel connection.   However, this behavior can be overriden by the local OS of the client.  And there are known issues with some OS like Apple IOS ignoring requests to non-standard domains like .local. ... View more