About tonyrobson

Hi,   I've been looking all over for some guidance on this, without much joy.   I am trying to renew a subordinate-CA certificate on a firewall, that was issued by a Windows Server Enterprise CA.   Obviously there is no Renew function on the firewall for that cert as it was externally issued - and it appears on Windows server you can only renew Subordinate-CA certificates for domain servers (I think?).   So based on the above, I generated a new certificate request, matching the name of the original (the certificate then shows as pending), and went through the signing process the same as last time and re-imported.  The certificate shows as having the expected new date and shows as valid, the chain hierarchy remains intact in the GUI, however, all the certificates signed by the previous certificate no longer work at all, for any function, SSL Decryption, GlobalProtect, Secure comms etc, and all need to be re-issued/signed by the new certificate.   So I dugout the original certificate request from a few years ago, and tried to submit that instead, and it also seems to present me with a new certificate rather than one maintaining the serial number. So what is the process to renew the certificate without invalidating the signed certificates? ... View more

Hi all,   Some help on this would appreciated.   Evaluating a client panorama that has a variety of templates on it, with much of the configuration in the templates being done in the "Shared" location, and much of it in "vsys1" location, including a number of certificates that have been imported to one or the other inconsistently over the years.   The problem is primarily, I'm trying to setup various settings in Device->Setup->Management such as the SSL/TLS Service Profile, and Local Certificates/Certificate Profiles for secure communication settings etc - and a number of the certificates are stored in vsys1, but the configuration only allows me to reference configuration in "Shared" - this is despite the mode being set to "Single vsys".  So when I try refer to the certificate I want, it won't let me - I have to re-import the certificate into the Shared location and then re-do profiles etc, this is a laborious process and I feel like I must be missing something?   None of the firewalls use multi-vsys, so why would the Device Management settings only be able to refer to configuration in "Shared" location? How do I normalise all of this configuration? ... View more

Hi all,   I am having recurring issues deploying zone protection profiles for VM series firewalls in Azure, from Panorama templates, revolving around SCTP settings, whenever I try to push the template the commits are failing with the below error -   Details: .   Validation Error: .   network -> profiles -> zone-protection-profile -> Untrusted_Zone-VM100 -> flood -> sctp-init constraints failed : SCTP security is not enabled .   network -> profiles -> zone-protection-profile -> Untrusted_Zone-VM100 -> flood -> sctp-init is invalid However the SCTP settings are not configured on the profile, the tick box is unchecked and settings unchanged.   Enabling SCTP allows for it to be accepted, but I don't want to unnecessarily enable it across all the firewalls, it's not enabled on the hardware based firewalls, so why should I have to on the VM series firewalls?  Has anyone else had this issue before,  I feel it must be something obvious I am missing but I can't seem to see it?   Thanks. Tony. ... View more