About pulukas

You have a good handle on how the Panorama template system works.  As Hulk and hshah have pointed out these are really designed just to cover the common settings you want to push to all of the firewalls in a group and not all settings. You do need to be sure you pull full local backups of the individual firewalls in the group to have for disaster recovery.  You will restore this configuration first then push the updated policy and template settings from Panorama. With clusters, most of the settings do sync between the two devices.  You can see the details in this document. High Availability Synchronization ... View more

It depends on how you define secure.  Certainly the encryption provided by a self-signed certificate is no different than that of an official certificate authority. But the whole reason we have certificate authorities is to vet entities that provide SSL connections.  In order to get the official certificate you have to demonstrate to the authority who you are.  They in turn are then vouching for you to the general internet public. This ultimately prevents bad actors from impersonating legitimate businesses by pretending to be your bank or other trusted entity. We ask user not to ignore certificate warnings.  And the modern browsers are making these warnings increasing prominent and more difficult to ignore.  This gets users used to not going forward with untrusted certificates and decreases our overall security risk.  If we ask users to ignore certificate warnings for our own company sites, they get used to ignoring the warnings when they really do apply and become victims to phishing scams. ... View more

If you use the ip address instead of the certificate name, you will need to accept the certificate warnings issued by the browser to continue the connection attempt.  If you get past the warnings, then the connection can continue. The certificate check consists of three parts.  If any of the three fail you will get the certificate warning: 1-FQDN match - the name used in the URL must match the name configured on the certificate 2-Trusted authority - the CA (certificate authority) that issued the certificate must be trusted by the browser.  This means one of the public trusted authorities or one where the CA chain has been installed into the browser like a domain authority in Active Directory. 3-Valid date - there is an expiration date on the certificate and this must be valid for the day of the check. ... View more

The reason I recommend downloading the packages on BOTH nodes first, before doing any installations, is to insure that you are staged for the complete upgrade process. You don't want to have the secondary node upgraded and rebooted and then find out there is an issue preventing download on the primary node forcing a rollback or an extended period when the two nodes are out of sync for PanOS version. ... View more

Agreed, the other silly decision on a VM is to not support v-motion.  This is a pretty basic data center feature and makes getting a deployment approved by the VM team very difficult for production usage. ... View more

Besfort wrote: May be you have solved your issue, if not try to disable non-syn reject because that did the trick for me. You can disable it by creating a new Zone Protection profile (in Network -> Network Profiles). In the new profile set the "Reject Non-SYN TCP" to no. Apply this zone profile to your internal zone. Don't be quick to turn off non-syn tcp checks.  This is an important basic firewall check to insure the only valid tcp sessions are transiting the firewall. If you need this turned off for legitimate traffic to work, you probably have asymmetrical routing on your network.  You should hunt down this routing issue and resolve the problem so that non-syn tcp checks can remain in place. To check for asymmetrical routing perform the following steps on the two hosts of the legitimate traffic that is being blocked by the non-syn tcp check. host A: run a trace route to host B Host B: run a trace route to host A These should show the same number of hops and use the same routers.  There may be different ip interfaces on the same router but the number of hops and the router hosts should all be the same. Common causes of asymmetrical routing include: placing two layer 3 routers with interfaces into the same vlan Routing protocols that provide different metric paths between multi-hops between the hosts due to link cost settings in OSPF or local preference modifications in BGP ... View more

On the Devices > Software tab for both nodes: Download 6.0.0 Download 6.0.1 On your Secondary node: Select install 6.0.1 Reboot when complete Once this is completely up and running On the primary node: Select install 6.0.1 Reboot when complete Once this is complete verify that the HA widget on Dashboard shows all elements in sync.  Investigate any issue. ... View more

BRRABill wrote: So with NAT policies on the PA-200 I can plug my FIOS cable into one of the ports and "listen" for all 5 public IPs on that cable? As mackwage says, nat is the standard procedure for this operation on any firewall.  The process works via proxy-arp from the interface facing your carrier.  When an interface has the address configured it will automatically respond to requests from the FIOS for that address.  Proxy-arp is when an address is used by nat the interface configured with a different address responses for that address.  So there is no need for that address to be configured on the interface facing your FIOS. On the PA when you configure this type of nat rule in the same subnet as the FIOS interface the firewall will automatically take care of the proxy-arp.  On other firewalls you may have to specify the interface and ip address you want a proxy-arp to occur. ... View more

Sub-interfaces are what you use to connect the firewall to a switch trunk port with multiple vlans.  This is the PA support for 802.1Q standard trunking.  This would not be appropriate for your situation where all these address really are coming in from a single vlan on an untagged port. Nat is the standard solution to the scenario you have where you want to take your carrier public addresses and forward either the entire address or selective ports to an internal address on your network. One advantage of this method is that it is easy to change that server address down the road and the outside world never notices.  they are still sending the same DNS entry and public address but the firewall simply changes the nat rule to hit a new server. ... View more

The conflicting answers are because of the nuances of the possible situations. You can put multiple ip addresses on an interface but they cannot be in the same subnet. In your situation it just appears that the Barracuda works differently than the Palo Alto.  Instead of putting multiple same subnet ip addresses on an interface the Palo Alto and most other firewalls only put one.  You then use nat and proxy arp to forward those addresses down to the ultimate server destinations. You can start with this document to determine what type of nat is best for your scenario. Understanding PAN-OS NAT ... View more

Palo Alto web filtering does not rely on any browser configuration.  Instead you would need to place the firewall in the final path that the traffic must cross on the way to the internet.  If the traffic crosses the firewall then a web filtering policy can be applied to the appropriate rule for the users. The browser in use is not relevant, the web browsing traffic will be filtered per the configured rule. ... View more

Other features I remember missing were Jumbo frames and LAGs.  I haven't looked at the docs in a while, but at the time there was no single list of feature limitations.  I had to cull them from the text in the deployment scenarios. I don't do the courseware, but create labs for configuration testing.  So I'm not sure how this would map to the classes. ... View more

Also remember that if you are looking for the higher performance make sure your v-switch port inside the hyper-visor supports what you want the VM series to process. ... View more