About pulukas

Check your gatway configurations.  In addition to selecting aggressive mode on both sides.  Your gateways need to be configured to use dynamic on one side and static on the other.  And you should have local and peer identity configured.  This is used as the alternative to knowing the static ip address to match the IKE phase 1. These are not necessrily real email address just matching strings in the form of email addresses, they need to be the same on both sides as a kind of "password" check. ... View more

I don't see anything on this issue specifically, so here are some general thoughts. Sounds like a bug.  So I would make a quick search of the latest release notes for your PanOS chain and see if this is listed as a solved issue in a release higher than what you are running.  If so, then upgrade.  If not, open a ticket to get this registered as a bug and into the release chain. For a quick fix on issues like this a restart of the management plane will sometimes restore service. debug software restart management-server ... View more

I would recommend looking at the report of what is seen as unknown for a recent time period.  Then visit a large sampling of the sites. From here you can determine whether or not you user base would generate help desk calls when these are blocked.  And thus whether the work generated will be worth the extra security in the browsing environment. ... View more

Sorry, these are the community support forums where users can help each other.  There are a number of PA employees that participate but this is not an official support channel. If you have urgent needs or want an official expert technical response, use the support link in the upper right corner to open a ticket. ... View more

Happy to see you have this working. ... View more

Please try the steps outlined here to troubleshoot the LDAP connector. How to Troubleshoot LDAP Authentication ... View more

These two are explained in this tech note. BrightCloud URL Filtering Exhibiting Multiple Unknown URLs BrightCloud URL DB behavior for some websites is as follows: If the global setting for dynamic-url (set deviceconfig setting url dynamic-url yes) is enabled and url-profile is not, the site returns unknown. If the url-profile has dynamic-url enabled, but the global setting is disabled, the site returns not-resolved. If both the global and url-profile has dynamic-url enabled, then the site is returned matching the cloud category. ... View more

1. Palo Alto tech support suggested an article that configures a layer 2 to layer 3 connection utilizing a combinations of L2 interface and Virtual router and VLAN.   It was complicated and when I tested it, it did not work.  Either I didn't choose the right options or it just doesn't work. I don't think this will work for your configuration.  The critical difference is that this setup depends on the layer 3 interface facing the upstream router with the default route.  In your scenario the default route needs to face the layer 2 side network.  This scenario they are adding the layer 2 to the inside schema, yours is on the outside. 2. If we further divide the WAN subnet so that WAN has 100.100.100.0/25 and DMZ has 100.100.100.128/25, and changing the upstream router route is not an option, does Palo Alto firewall supports Proxy ARP for the new DMZ subnet? or will it only do proxy arp for NAT devices it is responsible for? This would still require changes on the upstream router to change the size of the netmask and convert the second half /25 to a routed subnet instead of a connected one.  By definition proxy-arp can only occur within the same subnet of a configured interface.  You cannot arp layer 2 for an address that is not on your layer 2 subnet.  So there is no way for the PA interface that has been changed to a lower /25 to arp for the upper /25 addresses.  This violates basic subnet  rules, nothing to do with PA features. 4. If we do NAT translation from WAN to DMZ using the same IP, meaning 100.100.100.100 translates to 100.100.100.100 in DMZ.  Would this have worked? This would not be NAT as nothing is being translated.  And you cannot have two devices in the same subnet that have the same ip address.  This would be a basic ip conflict that would cause traffic issues when both attempt to respond to requests for the address in the subnet. You can do port forwarding where the PA interface address is used to forward certain ports to another address.  But this involves then using NAT to change that interface address to the actual address used by the server we are forwarding the traffic to. ... View more

As a general rule you need to pose this type of question to your Sales Engineer assigned to your account.  Palo Alto has a policy of never stating road map or future technology support in public statements. If I were to take an educated guess, I'd say no.  ACI is a very proprietary Cisco implementation of SDN.  I don't see any other vendors moving to directly support this and I would not expect Palo Alto to do so either. Palo Alto is making a significant investment and push to integrate into the VMware NSX automation structure.  I expect their SDN support and resources to focus on this for the foreseeable future. ... View more

V-wire does support nat, but in your scenario the nat will occur over the Layer 3 side, if I understand your setup correctly. V-wire devices have the same ip address as the external WAN 100.100.100.1/24.  So these will be on the external LAN and no nat is required. NAT devices are on the 10.10.10.0/24 network.  So when the 100.100.100.X is requested the Layer 3 side will have  destination nat rule to the 10.10.10.X address with the matching security policies as needed for the traffic. ... View more

Glad to hear you have a successful implementation.  Always feels good when they are complete. ... View more

Sorry not to be clear.  This is what I am trying to say. Session rematch is the default and I expected it to be turned on.  (which you verify) I suspect this is your problem. Please turn off Session rematch ... View more