About pulukas

I am not sure if this is normal or not as all my clusters run Active/Active and I have not had time to lab up an active/passive one. Can you test failover to see if it successfully shifts to the passive device? ... View more

jprovine wrote: so the rule needs to be moved above the rule that it shadows to be affective if there are any differences in the rule to start with Correct, firewall rules are processed from the top of the list down.  And they stop processing on the FIRST match of criteria. Thus you need your most specific rules to appear in the rule base before the least specific rules. ... View more

When a cluster is Active/Passive the passive node interfaces do not pass any traffic.  This is by design to prevent creating any layer 2 loops from any alternate paths created by having two devices serve the same traffic.  Since the Active/Passive design is that only one firewall at a time is processing sessions, this generally does not create an issue. If you network design requires that traffic pass on the inactive node, then you will need to implement an Active/Active cluster.  This is the case if you need dynamic routing protocols to traverse the inactive device or if you have multiple network paths setup by design and want the cluster to handle asymmetrical routing. It sounds like your network design method might require an Active/Active cluster deploy. ... View more

You could write a specific rule just for the Sophos site ip address as a port based rule before the application rule. ... View more

Since you know the actual crypto settings are correct, I would suspect one of these: There is some kind of firewall blocking your request as initiator to the ASA interface.  But as a responder you match the session created by the ASA so it works. The Cisco configuration has the initiator only command in the configuration so it will not respond. ... View more

The web banner agencies are a vector of attack that malicious actors are using now.  They purchase ads from these legitimate vendors and get malicious links sent out via these ad services.  The specific services will come on and off the list as actual malicious links are detected and removed the same way that a compromised legitimate web site gets onto the list. The botnet report is letting you know activity to sites that are on the malicious link list.  They may or may not be actually compromised it requires follow up. ... View more

v-wire is separate from any layer 3 usage on the device.  So the two interfaces in a v-wire act like an ethernet cable, one side connects to the untrusted device the other the protected device or network switch.  Then anything that passes through the v-wire must have a rule. This pair of interfaces will not participate in any layer 3 configuration on the Palo Alto.  This is a "virtual wire" patch cable. ... View more

You'll need to direct product roadmap questions to your account team.  Palo Alto does not make any public statements about future feature releases.  They only release this information under non-disclosure agreements via the sales team channel. ... View more

I'm not sure I follow the issue.  But I think you are saying you need the Miele device to be on the public subnet but also behind the Palo Alto firewall. For this application you could use a v-wire deployment.  One side of the v-wire goes to the public untrust connection the other to the Miele device.  Since v-wire has no layer 3 profile the device is both on the public subnet and also behind the firewall. ... View more

The interface uses flash for display objects and animations to visualize the device status and some reports. You can still perform all configuration functions without flash enabled, just some objects will not display correctly. ... View more

For the certificate, they are asking you to purchase a certificate for the PA from a recognized CA instead of using the device generated certificate. How to Generate a CSR(Certificate Signing Request) and Import the Signed Certificate For the CVE coverage, you will need to wait for PA to update the PanOS to pass. ... View more

I don't have a real solution, but you could try just restarting the routing service instead of the entire PAN device. >debug routing restart >debug software restart routed ... View more

On a secondary device in an Active/Passive cluster all the interfaces are "down" and do not pass any traffic until they become the active node.  If your design requires that the secondary interfaces be up, then you will need to use an Active/Active design and be careful about creating layer 2 loops. Have you seen the reference design for using Active/Passive Palo Alto firewalls with AE bundles? this is found on page 80 and following in the design guide.  This may be what you are looking for in your network. Designing Networks with Palo Alto Networks Firewalls Diagrams and Tested Configurations ... View more

If I understand you correctly, your AE bundle is also a Q tag trunk port.  In that case you simply create the subinterfaces on the AE interface and match the tags. ... View more

This tech note outlines the process for a two interface bundle, but the same procedure can be used for three.  Naturally, the two AE will be separate v-wires but you can put them into the same zones. Cisco Link Aggregation Traffic Through a Palo Alto Networks Device ... View more