About pulukas

With your Palo Alto in v-wire mode, I would directly connect to the two ASA devices.  This provides simplest set of failover scenario planning.   In this case you will need to be sure that your ASA cluster can detect a failure of your downstream Palo Alto and failover to the secondary node.   If this is not easily done, then setting up vlans forthe upstream and downstream PA connections would be the best option.  If your run the Palo Alto in active/passive mode you won't need to worry about STP as the passive node interfaces won't pass traffic.  But if you do run active/active then STP will need to be setup for all the links. ... View more

you are correct that allow does not log and alert does. ... View more

In the monitor tab is logging still happening for July and August? ... View more

Do you have the domain DNS (and WINS if you use this) setup with the domain name suffixes on your global protect settings.   Nework > Global Protect Gateway > network settings   ... View more

The Palo Alto firewalls do not communicate with each other.  They each only know about the user-id associations they get from agents associated with that firewall.   With AD and user-id, the key to remember is that the ip address association for the user login will be in the server event log that authenticates the user.  These local event log messages with the user and ip address only exist on the server that authenticates the user locally.  These event message do not replicate as AD data does through the AD database.   So for each firewall you will need to see how your rules are written for user-id and where the user was authenticated by AD.   For example, if all of your rules are based on local users going out of the site, you likely only need the local AD for the firewall.  When you login to any of your forest domains, this will be serviced by the local AD and logged there even if the actual account was created in one of the other two domains.   But if your have inbound rules from the other two sites coming into the local site that require user-id, you likely will need the agent input from the remote AD because that is where the authentication took place.   The other complication could come if you are using nat between any of the sites.  Because the user-id will be based on the real ip address and if you nat that address the association would be lost. ... View more

Nice collection.   Another hint for new users is to simply click on a listing type value (like source address) in the monitor logs.   This will add a filter correctly formated for that specific value. You can then edit the value to be the one you are looking for.   This way you don't have to memorize the keywords and formats.   You can continue this way to build a mulitple filter with different value types as well. ... View more

Is the procedure documented somewhere for the limited version? ... View more

Thanks for the pretty complete testing.  I agree this is likely a bug.   Did you open an official support ticket so this can be logged in the bug database and fixed?   These forums are informal community support.  You do need an official ticket to get the bug report created. ... View more

Do you also have the security policies setup betwee zones vlan10 to inside; vlan20 to inside; and inside to outside.   You will also need a NAT policy for inside to outside. ... View more

I believe this is letting you know those are the oldest available logs.  As the logging rolls over for available space the data is no longer available for reporting. ... View more

SSL decryption does not impact your session count.   As Guru, mentions there is a separate limit for the number of active decryption sessions.   SSL decryption also impacts processing on the firewall so you should add this in stages to be sure you don't overload the capacity of the device.    This is a good overview on how to ease in decryption.   https://live.paloaltonetworks.com/t5/Articles/Controlling-SSL-Decryption/ta-p/56218 ... View more

My experience was with both 5 and later upgraded to 6.  Would be interesting to see if the issue is 7 specific.   Let us know what support says. ... View more