About pulukas

Yes both virtual wire and layer 2 mode are supported on vmware esxi hosts.   https://www.paloaltonetworks.com/documentation/80/virtualization/virtualization/set-up-a-vm-series-firewall-on-an-esxi-server/install-a-vm-series-firewall-on-vmware-vsphere-hypervisor-esxi/provision-the-vm-series-firewall-on-an-esxi-server   ... View more

Yes both virtual wire and layer 2 mode are supported on the vm series on esxi   https://www.paloaltonetworks.com/documentation/80/virtualization/virtualization/set-up-a-vm-series-firewall-on-an-esxi-server/install-a-vm-series-firewall-on-vmware-vsphere-hypervisor-esxi/provision-the-vm-series-firewall-on-an-esxi-server   ... View more

VR are needed when you need to isolate groups of routes that you don't want to propogate everywhere on the network.  I suspect we are missing some element of your topology and routing requirements that make putting the Azure Express Routes in an isolated instance.   What is the toplogy and what segments need to communicate with Azure across this connection?   ... View more

Typically this is how you would be looking at your public facing services.   How many different public ip addresses do you need and for what services then add one for the PAN.  You request then from your ISP the appropriate subnet sized for that need, in your case looks like you will need either a /29 or /28.   This gets delivered on the ISP device facing your PAN.  You use one of these addresses on the PAN. This is now your untrust zone.   You now organize your publicly facing resources into risk groups and create the muliple zones and private networks to support them or if the risk is similar they can all go into one DMZ zone.  These are the inside interface(s) of your PAN with zone assignments.   Now you create your nat rules pointing each ip address from the ISP scope at the matching internal address of the server providing the public service.  And write the security policies needed for the inbound and outbound communications for each server.   ... View more

I think you have the wrong idea of zones.  Zones are collection of interfaces/subnets that we write policies against.   In the policy we specify the specific services and ports not in the zones.   ... View more

Just do a source nat to interface on the inbound traffic flow on vr3.  The the return traffic in vr1 will come back to vr3 match the session and return via the same ISP.   ... View more

Thanks for the diagram.  I think you are verifying you are using PBF.  You will need to remove PBF and configure the PAN the same way you do the SRX.   PAN also allows you to create virtual routers and put the second upstream in a separate VR rather than use the PBF method for dual ISP.   ... View more

Not sure I'm reading your topology correctly but I think you can do the same in PAN as you have in the SRX.   PAN also supports having the second ISP in a virtual router and if that is setup then the route lookup for the return path would stay on the same ISP as it does with your SRX configuration.   I think you might have the Policy Based routing method for dual ISP setup on the PAN instead of the separate VR?   ... View more

This will be a different issue then, PAN-73053 was fixed in 8.0.4   The alert means the user-id to ip address mapping is not correctly updating from an event.  If you can tell from the first time stamp what is the source of the update it may help narrow down what is not working.    This might be best handled with an official support ticket to find the source of the error.   ... View more

Sounds like you are hitting issue PAN-73053.  What PanOS version are you running? An upgrade will likely fix this.   ... View more

I have not done this but I think you won't need two rules if you place everything in the same zone.  The rules will be intrazone traffic. They are written in the direction that traffic is initiated. As the traffic comes through it should still match the existing sessions even though it goes through the PAN twice in each direction.   ... View more

To have the inspection at layer 2 with the gateway on the core switch you need to find a layer 2 path where you can insert the PAN in the link using v-wire would probably be simplest.   If you core device is a pure core with nothing but other switches attached this should be possible.  Intercept the links from the core switch to the aggregation switch and insert the layer 2 PAN in these lines.  Assuming you have enough ports for all the links.   On the PAN side then you need to create all the vlans that exist on that line and setup the rules for inspection then for traffic that crosses the PAN v-wire for each vlan.   ... View more

Each ACE exam is tied to the PanOS major version and gets opened with the full dot 1 release.  I don't believe you can take the older exams only the active version which is currently 8.1.  So to keep this up you take the test for as each major release progresses.   https://www.paloaltonetworks.com/services/education/ace   The ACE and PSE exams are available with free training online at the education site to prepare for them. Sign up for an account here.   https://paloaltonetworks.csod.com/LMS/catalog/Welcome.aspx   You don't need to be concerned about hardware platforms for the PAN tests.  The questions are focused on NGFW feature usage and really don't vary across the platforms.   ... View more

If you have actual traffic in a live network your best bet is probably to open a support ticket and generate some actual traffic that can be captured and passed on to the development team.   There is no public submission on existing app-id but if you don't want to go the TAC route you could probably submit the information via the request new app-id process outlined here.   https://live.paloaltonetworks.com/t5/Management-Articles/How-to-Request-a-new-App-ID/ta-p/60834   ... View more