About pulukas

If the firewall does not come back from an upgrade reboot you should get on the console port to see what the status messages say.   Yes, it is likely then you will see maintenance mode and can try to recover from there. ... View more

You could post the question on this documentation for the factory reset procedure.  The document owner will be notified and might respond with an official answer.   https://live.paloaltonetworks.com/t5/Management-Articles/How-to-Factory-Reset-the-WF-500-Appliance/ta-p/56350   You can also open a support case to confirm the file handling. ... View more

You are correct that the metric alone can steer the traffic and there is no need to create a second area.   Generally I see that route selection is used as more predictable and reliable overall rather than load balancing. ... View more

Completely agree with reaper.  those command disable important tcp sanity checks and allow asymmetrical traffic flows.  They should NEVER be a permanent solution to an issue.   The permanent solution is to identify why the traffic is not flowing fully through the firewall and change the network flow so that the entire flow crosses the firewall.     Palo Alto inspection relies on being able to see all of the flow to be fully correct and accurate for the inspection and identification of threats and applications.  Having partial flows bypass the firewall greatly lowers the security posture. ... View more

I am confused on what the issue is for inbound VPN.   Users connect to the Cisco ASA for SSL VPN and cannot access internet?     Users connect to PA SSL VPN and cannot access Internet?   Users connect to PA SSL VPN and cannot access internal resources?   to find outbound connections and logs on the PA filter for the source address and destination address of the user and destination vpn in the logs.  These will show if the traffic is permitted or denied. ... View more

From your description, I think you are saying that the ASA user access tunnels establish correctly.     And that the users are setup without split tunnel so internet access will be from the ASA.   And that users are blocked from internet access after connecting.   If this is true, you would need to look at your outbound internet access policy setup on the PA.  Find the zone assignment for the address pool you assign to users on the ASA.     Make sure there is an outbound from this zone to untrust policy on the PA. Make sure there is a NAT policy from this address and zone to untrust on the PA.   Check the logs on the PA for these source addresses to see why the traffic is denied.  Also confirm you have logging turned on for your final deny rules. ... View more

Pretty sure that Panorama can only have one interface.   But as long as you have routing setup so that the mgmt address of the firewall over the IPSEC tunnel is reachable from the Panorama address, you should be able to connect to the device and manage it.   Is your MPLS a completely isolated network that you are not permitted to route out of? ... View more

set address-group GROUPNAME static MEMBERNAME ... View more

If you really do want an official reply your best path is to contact your sales engineer.  Palo Alto in general is very careful about their public statements.  But are much more open in private conversations with customers, especially if your company has agreed to the NDA. ... View more

If I understand your connectivity correctly, the answer is no.  It sounds like the two connections between the two cores where the PA will sit are A/A.  Thus you would need both PA to allow the traffic between the cores and they would need to be A/A as well.   When the PA is in A/P mode the interfaces on the passive device show link up but do not pass any traffic.  Only the active device in the pair will pass traffic. ... View more

How you configure the WAN interface depends on how your Service provider configures your upstream router.  If the service has already been setup you should consult your Service Activation or Modification Notice for the details on the your site has been configured.  If this is still a pending order, you can contact your sales engineer.   Typically when we provide multiple subnets on a single line we configure the /30 on the two interfaces (service provider and client firewall) and then route the remaining subnets to the client firewall ip address.   In this setup you will then choose to either use these address ranges as NAT pool configurations or you could configure internal interfaces with all or part of any of these subnets and use the addresses directly on your equipment.   The alternative Service provider setups are to run multiple subnets on the same interface.   Or to run the multiple subnets a Q tag sub interfaces on the line.   But in any case you need to know what the expected configuration upstream will be. ... View more