About LCMember4427

We find that an increasingly number of students never get the captive portal auth dialog popping up once we switch on CP (when we are having a test or exam) for their subnet.  The dialog pops up as expected for most of the students, but there are always a significant bunch that somehow never get the chance to authenticate, hence the FW classifies them as 'uknown users' and let them pass by our restrictive traffic rules.   All computers are non-domain and from we started using PA-500 8 years ago this setup worked without any problem.  Now we are using a VM-100 (currently on the latest v8).  It seems that the number of non-authenticated clients augments little by little, but the problem don't seem to affect the same users each time we switch on CP.   The user computers may have been in hibernation from before CP was switched on and / or they may have any browser open at the moment we switch on CP.  However I thought that any http or https request issued after CP had been switched on would trigger the CP auth dialog to pop up, but apparently this is not the case.   I have also tried issuing a 'clear session all filter from <class-zone>' but that does not help either.   I am at a loss where to start tracking down this.  Please pop in with tips or info on what mechanisms are triggered both on the fw and on the client computers when CP is switched on and where / what to test for in this case...   It seems to me that something like this would be nice:  while unknown/unauthenticated users exist when CP is active then kick up the CP auth dialog for each of them 🙂   Thanks in advance for help on this 🙂   ... View more

Hi, I need to list the host properties (CPU properties etc) recognized / used by my VM-100 which is running under vmware-esxi 6.  I assume there are CLI commands which list such data..?   It has currently 24Gb RAM and I consider upgrading to PanOS v9.  The iron is a Dell PE2950.   Anyone seeing problems in upgrading this oldie to v9?  It's humming nicely on 8.1.6 now.  Data plane CPU never over 25%   Thanks a lot for comments 🙂   regards Tor  ... View more

I'm running a VM-100 with several zones where I have MS AD / WSUS in one, two zones with lots of wireless device management, another zone for vmware management etc.   Every day I run into web browsers yelling about unsecure acces to local device management due to lack of trusted certificates.  I know I can just continue to create and import local certs to keep the noise low, but I wanted to ask here if there is a possibility to purchase a cert from a trusted provider and that this cert can be used to 'certify' all of my local zones / subnets including local MS WSUS servers, Work Folders etc...   I've been told that this must be a wildcard cert, but I'd be grateful if you can enlighten me of my options and point me in the right direction(s).  ... View more

We have enjoyed Cacti statistics from our PA-500 box for years.  But when I replaced the PA500 with a VM-100 then Cacti could no more connect to fetch data via SNMP.  I thought both models used the same protocol and version.  Below you'll see a screenshot of the cacti settings that worked with our PA500.   What do I need to change here to connect cacti to the VM-100?  They are on the same physical subnet so there is no firewall policies in between.  Do I have to enable something in my VM-100?  Does it use SNMP v3 instead of v2 as did PA500?   Thanks a LOT if someone can help me out with this 🙂   Tor     ... View more

Hi,   On a certain Zone I need to block access to anything else but these URLs on a whitelist like this:   edition.cnn.com/health edition.cnn.com/travel money.cnn.com/technology/   How can I do that most elegantly (I have a VM-100 with latest PanOS)   Thanks a lot for a quick reply on this, I have tried with URL filtering but to no avail...   Tor ... View more

Hi, We have migrated a PA500 500 config to a newly installed VM-100 (ver. 8.1) running as the only VM under a standalone ESXi 6.5 host (not in vSphere).  All interfaces are assigned and I have verified the assignment of each by plugging and unplugging cables and checked the different vmnics' status.  Furthermore all the VM-100 interfaces are correctly assigned to each VMWare virtual port groups and vSwitches.   However something is prohibiting traffic, when connecting a notebook directly to vmnic ports assigned to VM-100 interfaces with basic DHCP servers involved (no VLANs etc) I'm not able to receive an IP lease or ping the VM-100 interface.     What is the culprit?   Do you have some white paper describing how to troubleshoot this situation?  There must be something obvious I have missed....  Please comment.   regards Tor ... View more

Hi We have imported a config from a PA500 into a newly installed VM-100 v8.1 (under vmware).  After having done some VLAN changes to interfaces, we suddenly started to get the below error message when committing:     Can someone point us in the correct direction to look for the culprit..?   Thanks a lot 🙂   regards Tor         ... View more

Hi,   I'm in the process of deploying a VM-100 under VMWare ESXi 6.5 as standalone host (not member of a VCenter).   Everything has passed smoothly, however I want my V-100 network interface list to display the TRUE link status of each physical NIC port at the VMware host.  (I.e. whether or not live cables are plugged in to their respctive host NICs).   I have tried to follow the cookbook and enabled Promiscuous mode, MAC Address Changes and Forged Transmits for every vSwitch connected to their respective vmnics.  But still all VM-100 NIC display as Connected despiter when I unplug cables.   The only way I can force a VM-100 NIC display as disconnected is to disconnect its vmnic inESXi's V-100's VM settings.   What am I doing wrong?  I assume it is correct that we should be able to monitor the TRUE NIC link status (i.e. cable connected or not) from the VM-100's point of view?   Thanks a lot for comments on this 🙂   best regards Tor ... View more

Hi,   We have a Dell PowerEdge 2950 with 2x Quad Core 2.5GHz CPUs and 32Gb RAM.  It runs an empty 2012R2 Hyper-V.   Is this sufficient computing power to run a VM-100  with the above mentioned internet bandwidth..? I just don't want to trash a well running server 🙂   Thanks a lot for comments on this   best regards Tor     ... View more