About pulukas

think I will live with the warning seems counter intuitive to add snmp and then limit to 161. Yes, it does take some getting used to.  Remember that with PAN the point of basic policy is to FORGET about port and protocol just select the application you want.  And PAN will detect that application EVEN IF it runs on different ports.   Thus if you know the app you are writting the rule for will always be on the standard port then you use this option to prevent that default behavior.   ... View more

On the cli for live traffic your best bet is problably show session.  There are some examples of how to use this with filters for the source and destination address here.   https://live.paloaltonetworks.com/t5/Featured-Articles/Getting-Started-Flow-Basic/ta-p/72556   The general cli cheat sheet may also help.   https://www.paloaltonetworks.com/documentation/80/pan-os/cli-gsg/cli-cheat-sheets/cli-cheat-sheet-networking   ... View more

And note that once you dig into the api and start working on this.  There is a separate forum here to ask questions.   https://live.paloaltonetworks.com/t5/Automation-API-Discussions/bd-p/TechnologiesSDKsDiscussions   ... View more

There is only metric in the actual routing tables.    PAN uses the term administrative distance to set the default metric per protocol for the virtual routers when you create them.   ... View more

Thanks for updating the final solution.  This was a strange one.   ... View more

Virtual wire is nothing like just an access list. This is still a full session table firewall with the NGFW app detection and features for policies fully available.   You can have two different zone names on the two joined interfaces like trust and untrust or you can have them in the same zone with intra zone policies.  I have always seen it deployed with two zones.   Virtual wire requires not participation in layer 2 or 3 protocols so it is very unobtrusive to existing network topologies.  Thus I have mainly seen it deployed to isolate small numbers of devices or a physical section of the network topology without having to change any of the ip schemes at all.   Some Common scenarios: Hospital equipment or PCI devices connected to the same VLAN as other devices in the area but needing to be more aggressively protected.  PCI for regulatory reasons, hospital devices because they run very old unpatched operating systems due to testing regulations.   DMZ areas where the desire is to have actual public addresses physically on server interfaces in applications like VOIP servers.  The vwire inserts on the line into the DMZ switch invisibily and allows rules and sessions without any NAT in play.   ... View more

You won't need to configure anything else on the standby device.  Once it joins as an HA pair they are treated as a single device and the shared configuration elements are all inherited from the primary device.  And you manage and do all the future configuration from the primary device once joined.   ... View more

I think you will need to modify your PBF filter rule for the web server to work.  What might be happening is the http/https traffic from the server in reply to the inbound dNAT is being picked up and sent to ISP 2.   Add to that filter a negate ip address source for the internal address of your web server so that it is not covered by the forwarding filter.   ... View more

Agree that is ugly and non-standard.   Bear in mind that when you leave the company when your replacement sees this they will curse your name forever.  Assuming they can even figure out why it works.   ... View more

The Cisco ASA is implementing the ethernet standard PRP for redundant ethernet connections.  This standard is not supported by PAN devices.   Your next best option is to configure AE ports on both the PAN and switch which would be supported properly configured on both sides and would also survive the loss of one physical link.   Both of these are layer 2 redundancy protocols.  I would not recommend replacing a layer 2 redundancy with policy based routing.   ... View more

Thanks for pushing on this issue.  This really is an industry standard now to have such a recommendation based on support activity.  And making customer hunt for the right information does not help your reputation as a company at all.   As you note, we live in the real world.  Where newly released software has bugs and needs to be road tested by those who truely really need those new features while the rest of us follow when the bugs are crushed.   ... View more

I assume the ISP is not able to give you dual handoff in the same layer 2 domain.  This is our first approach to this type of request as an ISP.   I also assume that the PA cluster is active/passive with a single peering.   Does the peering work when directly connected to one PAN or was that not attempted? This would be good information to have even if it cannot stay that way.   It is not clear if this is a peer direct or multihop without the move.  I would assume this is a direct link peer.  If so, setting multihop won't make any difference and that parameter does need to match on both peers if it is multihop.   Running a pcap during the failure should give more detailed information on the issue the instructions are here. https://live.paloaltonetworks.com/t5/Management-Articles/How-to-Open-a-Support-Case-on-Routing-Issues-OSPF-and-BGP/ta-p/132153       ... View more

Is there consideration being given to creating a standing kb article of current recommended releases by platform?   With a commitment to valid and update monthly or quarterly.   ... View more

Assuming Fortinet uses 802.1x controls for this you could replace that part with another vendor like Aruba and feed the associations over to the PAN device when they are created.   ... View more