About jhansf5

Excellent!  Glad it is working. ... View more

To echo rmonvon's comment... you can safely commit the shared config.  So long as you have not created any conflicting pre-rules in a firewall's device group, it will not break your existing policies.  To my knowledge, the only way to get the local device policy and objects into Panorama is by manually creating it. That said, you might look at using pre and post rules to make things more maintainable in your environment... We have firewall pairs at each of our remote offices that are managed by Panorama.  I used the same zone names at each site (in fact the firewalls were all configured according to a very specific config standard).  My rules for Internet access, MPLS, and local DMZs are all in the 'pre' and 'post' section of the rulebase.  These rules use the same security profiles enterprise wide - when I need to tune out a false positive, enable a signature, etc, I can change the profile in Panorama and do a global push. My local rules use global objects whenever possible. When I wanted to enable Wildfire, all I had to do was add the file blocking profile in my global rule.  In 5 minutes time, I had deployed Wildfire enterprise-wide. When we stand up a new domain controller, I can simply add it to our 'domain controller' group object.  Syncing to managed devices means that all rules, global and local, pick up the new IP. In our deployment, the local device policy is used only for site-specific rules.  Each site has, at most, 5 or 6 local rules.  Everything else comes from shared policy. ... View more

I don't see anything obviously wrong (though since is an L3 deployment, you should change interface state back to 'auto'). What is happening with spanning tree during the packet loss? Is anything logged to the switch, or to the system log on the firewall? Can you check interface stats on the switch and the firewall to see if there are any interface errors? ... View more

They do not support OSPF multipath - they will install only one route. Can't help with the second question, but I'm sure someone that has deployed in L2 can chime in. ... View more

Am I correct in understanding that the AE config works when you don't have HA enabled? If so, can you share your HA config? ... View more

I am sorry to hear that. If you would like some assistance, you can contact me over PM. ... View more

Kalyanram, Here you go... nat (inside) 0 access-list inside_nat0_outbound This statement is a no-nat rule.  Traffic that arriving on the interface "inside" that matches the ACL "inside_nat0_outbound" is not natted. nat (inside) 1 10.0.0.0 255.0.0.0 This statement does a hide nat for all traffic arriving on the interface "inside" that comes from 10.0.0.0/8.  It will hide it behind the global nat address that corresponds to ID 1, and the correct outgoing interface. nat (dmz) 1 172.16.50.0 255.255.255.0 This statement (you guessed it!) does a hide nat for all traffic arriving on your "dmz" interface that comes from 172.16.50.0/24.  It nats behind the same global statements as the prior rule. If you post (or PM me) the output of "show run | in global" and "show run | in static", I can explain the rest of the rules for you. The nat rulebase in your PAN should do the same thing... one rule from inside to outside that does not nat (matching that ACL), and one that does nat (you can create a single rule that handles traffic from both your dmz and inside zones). HTH, James ... View more

In what release will this functionality be restored? ... View more