About jpeters

Yes currently there is now way to hide it or rather limit the network pages by vsys. Would be a great feature for a future release. Recommend reaching out to your SE and suggest it as a feature request.  ... View more

Allow means the file was allowed by policy and not flagged to be forwarded to wildfire. The file was clean. ... View more

It doesn't get much more segmented than that lol. One thing I was not clear on was are your remotes in a mesh or hub and spoke topology?   Since vlan tags are at layer 2 and ipsec layer 3 passing along vlan tags over your vpn tunnels using PANs would not be possible. You would need MPLS capable devices to accomplish this and at that point wouldn't really need the VPNs 🙂   Also I wouldn't say the firewall is switching but is basically acting as a router on a stick with the sub-interfaces. I am assuming your port 1/2 is trunked to a switch on your LAN? This is actually pretty common if you can't spare a seperate interface on the firewall per vlan. And yes switches are good at segmenting layer 2 by vlans, but are blind to ip traffic (unless they are L3 switches) so unless you had one firewall per vlan, this seem like a good setup and also pretty common.   -I would say scale back to one vpn zone and 1 tunnel interface per site in that zone -I would scale back to one VR per firewall with all interfcaces in the same VR. -Setup your routes accordingly out the tunnel interface -Setup security policies from your office zone subnets in site A to your Site B office subnets and vice versa with VPN as the destination zone. -Setup another rule with your lab zone subnets from site A to lab subnets Site B (and vice versa) with VPN as the destination zone.. One can do these within one rule per zone (office, lab) which would look something like this... Rule 1: Src Zone: Office, VPN -- Src IP: <officeA IPs>,<officeB IPs> -- Dst Zone: VPN, Office -- Dst IP: <officeB IPs>,<officeA IPs> -- Allow Rule 2: Src Zone: LAB, VPN-- Src IP: <labA IPs>,< lab B IPs> -- Dst Zone: VPN, LAB -- Dst IP: < lab B IPs>,< lab A IPs> -- Allow   You would configure these on both firewalls A and B. A being a data center firewall and B a remote. If you need the remote labs and offices from each of the 7 sites to speak to each other respectively through a central point you would be looking at many more subnets in your rules and vpn routes, but essentially the same concept.    You already have office and lab in seperate zones and a no interzone traffic rule in place. Segmenting therouting tables and VPN tunnels isn't giving you any more security then you already have with the interzone security rules. There is no way anything in your lab zone will be able to communicate with your office zone (and vice versa) if you have proper security rules in place and your interfaces assigned to the correct zones.   What you have now is 'virtual' segmentation since the traffic enters and leaves the same device over the same physical links, its not truly segmented at all. So I'd say simplify it, rely on good security policy and strip off all the extra config.       ... View more

Hi unfortunately this is currently not a supported feature. However since they are read only users they would not be able to make any changes even if they can see them. Also, with your read-write users there isn't a way to only allow them access to change interfaces within their specific vsys either. Access domains and RADIUS are the only way it is possible to have the scenario where a user can only view logs, ACC, policies etc... for their Vsys only and the network interface info as well.    You may want to consider using a vsys based admin role instead of a device based admin role. It would remove the ability for these users to see the network interfaces, vlans, VRs, network profiles etc... altogether while still showing the zones and global protect info per vsys.  ... View more

Try this article... https://live.paloaltonetworks.com/t5/Management-Articles/How-to-Enable-WildFire-to-Block-File-with-malicious-Verdict/ta-p/54376 ... View more

Wildcards are not supported in the traffic log filters. ... View more

It varies based on how busy your MP is. But in the example I observed, commit times dropped from 15-20 minutes down to 5-6 minutes. Still not as great as a 3k, but might at least be manageable. Your performance should not decrease though. ... View more

7.0.2 runs on a 2k, in fact I have seen an improvement in commit times.  ... View more

No there is no option for this. You can view the commands entered from your last CLI session by using the up arrow. Sounds like a good feature request though. ... View more

Not sure if your version supports it, but you can try this command...   delete debug-log mp-log file *   These are debug log files only used by tech support and not needed by the firewall to operate. This can clear up enough space for you to get into the gui. The logs will regenerate so this is a temporary fix.   What version of PAN-OS are you running? Also, what model? PA-200? ... View more

What version of PAN-OS are you running? I have seen a significant improvement in the 2k commit times running 7.0.2.  ... View more

Hi Saruulbat,   You can not control the fan speed on a PA-500. Your show system environmentals output seems to be off, as it should show only one True/False for alarms. Yours is showing False then True.  Try running this command to see what the RPMs are instead...   show system state | match fan   You may want to reboot the firewall and see if the results from the show system envrionmentals appear the same. If the issue persists you should open a case with support.  ... View more

Does the captive portal page load on newer versions of IE? Do you get a page load error or just a blank page? Being IE 6 is pushing 14 years old, the solution may ultimately be to update the browser. I found this link which may provide something to test. Internet Explorer 6 and redirected anchor links | Ian Hoar – Passion for Technology – Geeking Out ... View more