Was running 9.1 on all firewalls, 10.0 on Panorama. Then something stupid happened and I couldn't sync my HA pairs. I was forced to upgrade everything to 10.1.5.
In the name of all that's stupid, on my local firewalls, when I log in, it shows me both the locally configured ipsec tunnel and the panorama configured tunnel object (the green gear). Is it possible to show me just ONE????
I have been searching for the last 2 hours for how to hide one or the other - the local or the template-pushed configuration elements, I don't really care which since they should be identical - and I'm sure it's simple, but why isn't it obvious? Screenshot for reference - we have over 300 tunnels:
So I just checked the 0.0.0.0/32 idea. I get nothing. So I either get the whole BGP routing table, or nothing - I can't seem to limit it to the default. I have to believe I'm not getting the syntax; it can't truly be like this. I'm going to manipulate this redistribution profile to inject specific routes into OSPF and see what happens, but I don't understand why an exact match like /32 won't get it done (/31 doesn't seem to work either), but "everybody" (/0) works just fine.
All - I have 2 systems at two different locations connecting to the same BGP AS, and I am accepting an advertised default route. On the LAN side, I have a basic OSPF area 0 which has a fiber-optic connection between the two locations configured as a P2P OSPF link. I need internet access to fail over dynamically between these sites. To that end, I attempted to configure the PA systems to "Allow advertise default route" for their OSPF process. This did NOT work even though the learned BGP default route was installed in the routing table. OSPF did not start originating the default route until I specifically configured an export rule for 0.0.0.0/0. The problem this creates is that when either router loses its BGP connection and the BGP-learned default route is no longer in the table, the export rule ensures the firewall that cannot forward to the internet is still advertising a default route via OSPF. That means that the networks transported through the down PA can't reach the internet unless I manually log in and stop OSPF on PA site A. The LAN routers are Cisco, which means I can do static route tracking or EEM scripts or a few other things, but life would be much, much easier if the PAs handled default route advertising from OSPF the way Cisco does: 'default-information originate' will advertise a default route via OSPF only if there's one in the route table; 'default-information originate always' will result in the behavior the PAs are showing me now. They won't advertise a default route *unless* an export rule for 0.0.0.0/0 is configured. Remove that rule, and it stops advertising. Can someone please help me determine if PAN-OS is capable of only advertising a default route if there's one in the global routing table, or if it's on/off with nothing in between? The connectivity could not be more basic; I'm uploading a Paint diagram of the scenario.
I actually think I need to redistribute that default route from BGP into OSPF, but when I use the 0.0.0.0/0 "filter" for the redistribution profile, it redistributes everything in the BGP table. I guess I'll try 0.0.0.0/32, but the default route origination documentation is terrible. It doesn't work as documented (in my attempts to set this up, it would NOT send the default route without an export rule, which is NOT outlined in the document). https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClkmCAC <-- Not 100% correct.
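The two behaviours the thread runs into - a 0.0.0.0/0 filter pulling in the entire BGP table, and a default route being advertised whether or not one is actually in the RIB - come down to prefix-filter semantics and conditional origination. The model below is an added illustration written for this page, not PAN-OS code and not the poster's configuration; it does not claim which matching mode PAN-OS implements, and the routing table in it is constructed.

```python
import ipaddress

# Constructed BGP RIB for the scenario in the thread (not taken from a real device):
# a learned default plus a few specific prefixes.
BGP_RIB = [
    "0.0.0.0/0",
    "10.10.0.0/16",
    "172.16.5.0/24",
    "192.0.2.0/24",
]


def matches(filter_prefix, route, mode):
    """Return True if `route` is selected by `filter_prefix`.

    mode 'covers': the route lies inside the filter prefix (range semantics).
                   0.0.0.0/0 covers every prefix, which is why a /0 filter
                   can drag the whole table into the redistribution.
    mode 'exact' : the route is identical to the filter prefix. Only a /0
                   filter can select the default route; 0.0.0.0/32 is a
                   different prefix and never matches it in either mode.
    """
    f = ipaddress.ip_network(filter_prefix)
    r = ipaddress.ip_network(route)
    if mode == "exact":
        return r == f
    if mode == "covers":
        return r.subnet_of(f)
    raise ValueError(f"unknown mode {mode!r}")


def select_routes(filter_prefix, rib, mode):
    """Apply a redistribution filter to a RIB and return the selected prefixes."""
    return [r for r in rib if matches(filter_prefix, r, mode)]


def should_originate_default(rib, always=False):
    """Conditional default origination as described for Cisco in the thread:
    advertise 0.0.0.0/0 into OSPF only while a default route exists in the RIB,
    unless `always` is set, which mirrors the unconditional export-rule behaviour."""
    return always or "0.0.0.0/0" in rib


if __name__ == "__main__":
    print("covers:", select_routes("0.0.0.0/0", BGP_RIB, "covers"))
    print("exact :", select_routes("0.0.0.0/0", BGP_RIB, "exact"))
    print("/32   :", select_routes("0.0.0.0/32", BGP_RIB, "covers"))
    print("BGP down, conditional:", should_originate_default(BGP_RIB[1:]))
```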