About pulukas

When you setup the interface as DHCP you can choose the metric that your default route to the gateway address will install as. This will take care of routing for the ISP1 virtual router. Your failure detection using the DNS servers should work the same as it does currently as those will not be changing.  So when the the ISP is down this route should be withdrawn the same as the static route is currently and allow will work as it does now. ... View more

Check out the full sample design in the Design Guide example 4.6 on page 80 and following.  I think this is the scenario for your setup. Designing Networks with Palo Alto Networks Firewalls ... View more

When you log into Panorama, the windowed connections to the specific devices are proxied by Panorama and not under you own login.  You don't need to have any local accounts or RADIUS setup on the devices managed by Panorama, it can manage them via the Panorama connection without local accounts on the devices. ... View more

This is not yet available via SNMP.  there is a feature request open for adding SNMP polling to AE interfaces. Contact your Sales team and ask them to add your vote to FR ID: 2368 ... View more

I'm not sure I follow your problem. Are you saying that after the group membership change, you do see the correct user-id membership when you check debug user-id? But the rule that the user-id should hit is not being hit but the final cleanup rule? If that is the case, is it ONLY this new user change or ALL users in that group that fail to hit the rule? ... View more

I know this is a little extreme, but have you tried another reboot of the system. I had a situation with a 5k series last year where a power off and on of one of the connected vwire routers caused those same symptoms for the vwire link.  no other combination of link bouncing on any of the three devices or reboots helped.  We had to reboot the PA to restore the flow. ... View more

infotech wrote: So does the 3rd party cert with a FQDN that I create with generating the CSR end up being the external DNS name out in cyber space? I don't see that is would be something I would create and put on the internal dns server. Whether or not you need the DNS entry on your internet facing DNS depends on where your users access the service from.  With global protect remote access you will likely need that record setup. If the users are purely employees, you could deploy that record as a hosts file on the company computers via group policy if you don't want a DNS record out there. I've never done so, but I suppose you could submit the ip address as the FQDN for the certificate.  If so, that would pass the first of the three tests run for validity.  The name entered into the connection must match the FQDN on the certificate otherwise a certificate error will be triggered. ... View more

Janelle wrote: Again its not a web page its global protect used only by employees, maybe 6 at most, to remote into the network to do work. I don't understand how global protect could be spoofed like a web page and our home web site is hosted by a 3rd party. I get the feeling people have been programmed to assume that a self signed cert is bad when really its not. 3rd party providers get hijacked as much or more than anyone else. Sorry, I am not being clear. Here is what I am trying to say: Don't teach your users to ignore certificate errors.  Issue a certificate from an authority trusted by your users computers on all official employee sites. When we teach users to ignore errors on our own deploys they just get used to clicking through those errors as a matter of course.  This makes them more vulnerable to bad actors. This is why I believe using untrusted self generated certificates is a bad practice. ... View more

I agree with Hardik. If there is a bug that was fixed in 5.0.14 your support engineer should be able to give you the bug number and a reference in the release notes. ... View more

Sorry I am not being clear.  This is what I am trying to say. Companies running official services on SSL should get legitimate 3rd party verified certificates from on of the approved Certificate Authorities that appear in all web browsers. If the service will ONLY be used by employees AND ONLY on company computers you can use certificates issued by your Active Directory CA. This prevents ANY of the three red error messages a user would get going to your global protect site. Users on company computers should be trained to never click OK to bypass certificate errors.  When you get a certificate error one of the three areas in certificate validation is wrong.  Major companies and web sites will NOT have these errors.  A large proportion of fake websites will exhibit these errors.  This basic three point check is the first line of defense to protect users from malicious websites.  This is not our only defense but I would say it is a mistake to cede this first check and teach your users to ignore certificate errors. ... View more

Typically hot fixes are only available with a TAC case to verify the issue is on your system. TAC cases are also the best way to be notified of a pending hot fix. ... View more

Hardik, While it is true that bugs are specific, those of us running HA and looking to upgrade to 6.0.3 would have more confidence if the specifics of the bug were available.  And I have had trouble getting those details on this issue. How are we to know we won't be affected if the details of what causes the secondary to suspend are not available? ... View more

Global protect uses SSL and certificates in exactly the same way the web pages do.  Global protect is a web server. Certificate authorities require a company to provide information to prove their identity as an organization.  This prevents anyone from pretending to be a company and getting a FQDN certificate in the name of that company.  Thus the Certificate Authority helps us know that a web site really is the property of who they claim to be. ... View more

The migration tool is NOT available to customers only to partners.  so we don't have that option. ... View more