About pulukas

PAN does strongly prefer active/passive.  But asymmetrical routing is not the only case where  active/active is required.   Active/active is required is if your infratructure requires communication be permitted between devices connected to the secondary firewall at all times.  With PAN Active/Passive the secondary (passive) node has interfaces connected, link is up but no traffic will pass until the device becomes active.   This is great for preventing layer 2 loops when the active and passive device are simply an alternate path for the same traffic.   But if you network design is fully active/active and therefore there is traffic such as bgp, vrrp, or other protocols that need to communicate on secondary links at all times, you must have the PAN cluster setup as active/active.   And if the network design is fully active/active where the traffic load is distributed across both paths, then active/active is also required. ... View more

This article gives the full definitions for incomplete status.  Basically, there is either not a full tcp handshake or not enough data to identify the flow.   https://live.paloaltonetworks.com/t5/Management-Articles/Not-Applicable-Incomplete-Insufficient-Data-in-the-Application/ta-p/65711 ... View more

I'm also interested in hearing the overall results, but not interested enough to pay $600 for it.  I hope Palo Alto participated in the testing this year.  The 2014 test gave PA a bad score largely from mis configurations but that does not help once the results are widely distributed.   2014 thread https://live.paloaltonetworks.com/t5/Discussions/PAN-gets-low-score-on-NSS-test/m-p/9608/highlight/true#M52   PA response and re-test http://researchcenter.paloaltonetworks.com/2014/09/response-recently-released-2014-nss-next-generation-firewall-comparative-analysis/ ... View more

Assuming the full names are very unique, I would just download the config file and use search and replace in a text editor.   then load the revised file. ... View more

The configuration is possible.   Check the system log to see if there is a more specific error. Do a packet capture on the RADIUS server of the failed login to get the full details on the transaction. ... View more

What is the exact statement of problem for this issue in the PCI report?   I think they misunderstand what the service running here is, or the issue is with they way you have VPN access configured.   Certainly you can run web services and still be PCI compliant.   I think they believe you are exposing the web mgmt interface of the firewall to the open internet.  This would be flagged as a problem.  The scanner cannot know what the content of the web portal is and is probably just assuming this is the firewall mgmt portal because of the address.   I would push back and explain exactly what the service is.  I would think you are compliant without any changes. ... View more

Confirm that you have both firewall local ip addresses setup on the RADIUS server. ... View more

There are products that are able to do remote vpn via web browser based clients only or using the built in clients of the OS.  these are especially useful when you are trying to allow a VPN to a vendor or contractor where you do not have access to install software on the computer, or the user will not have the access to do so, or company policy does not allow adding software, or there are already VPN clients installed for use that conflict.   Palo Alto does not support this approach at this time.  If you company wants an official answer, you will need to contact your sales engineer or open an officlal support ticket.  Palo Alto does not discuss roadmap product features in public forums. ... View more

Global proect does not do route injection.   When you setup the Gateway on the firewall you choose the IP pool that the client addresses will draw from.  You simply insure that this subnet is routed to the PA in your infrastructure. ... View more

Does not help you here on this, but everyone that has this type of issue, please vote for FR204 that would add Commit Confirmed functionality to PanOS.   Contact your sales engineer and vote for   FR204 - Commit Confirmed Applies the candidate confirguration for a set period of minutes.  If the commit is not confirmed after that period the configuration is automatically rolled back to the previous configuration. ... View more

Palo Alto cannot do this.   But if you run a windows domain DNS server and windows domain clients, you can have the client update the record automatically. ... View more

If the monitor log shows success, and the login is actually denied this is probably a bug and you will need to open a support case on this.   For the support case a wireshark of the RADIUS transaction would be the fastest path to an ultimate solution and bug fix. ... View more

This is not a current feature.  To suggest new features contact your sales engineer.  Palo Alto maintains a database of potential new features called the Feature Request.  Each suggestion is logged into the database and assigne a number referred to as the FR number.   If the feature is already in the database your sales engineer will at your company vote to the system.  If it does not exist, they will create a new one and give you the number.   Add that FR number here and encourage other people to contact there sales engineer and vote for the feature.  These votes are one factor that the development team uses when updating and creating roadmaps. ... View more

Sounds like you have a peak utilization over the capacity of the system.   Do you have smtp traffic collection somewhere to see what bandwidth utilization is during the affected period on the PA?   If this only affects the PA connections, I would guess that your PA may need to upgrade to the next higher model to accomadate the bandwidth load.  But you need to check the utilization and specs to confirm. ... View more