About PavelK

Hello @Dereje   we are currently in similar situation, however our goal is to move to IPv6 native instead of dual stack. Although, I do not think I can give you an answer whether to go with option 1 or 2, I would like to share a few points.   - For duplication of the rules if you have any IPv4 rule with GEO location, you will not be able to have exact the same equivalent as currently there is no support for IPv6 GEO database. There is a feature request for it: #2865. - Watch out for User-ID mapping if your IPv4 rules are leveraging source user information and you will duplicate this setting to IPv6 rules. This part caused some delay with deployment in our case, as additional tuning, troubleshooting and testing was required. - During migration process, we ended up with duplicating of existing IPv4 rules into IPv6, however since deployment of IPv6 apart of business reasons presented a chance of re-design of almost everything for IP addressing, routing design, policies, we aimed to duplicated only standardized policies through Panorama. All legacy local exceptions were not duplicated in an effort to declutter policies. After you enable dual stack end to end, your endpoints will in most cases prefer IPv6 over IPv4, so new IPv6 rules will likely get more hits. This might be a good chance to clean/tune up some of the policies.   Kind Regards Pavel ... View more

Hello @MMurphy1   I am sorry for late response.   From the screenshot you provided everything looks correct to me. To make sure that you are not running into overlapping custom URL categories, could you search the: " media.officedepot.com " in global find located in the top right corner:      Also would it be possible to come back to the first point I mentioned in my last reply? Are you able to open "media.officedepot.com"? To me it looks like that this sub domain does not exist.   Kind Regards Pavel ... View more

Hello @MMurphy1   thank you for reply.   I can see 2 potential issues:   - Regardless of geo location I tested it from (North America, Europe, Asia), the domain "media.officedepot.com" has re-direction to "cloudinary.com". By doing a quick subdomain search, it appears that while officedepot.com has many subdomains, the subdomain "media.officedepot.com" does not exists. I believe that users behind the firewall should navigate to main domain: "officedepot.com" instead.   - When it comes to troubleshooting this kind of issues with unpredictable result, it is often caused by overlapping categories: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClzSCAS From the first screen shot you provided it is matching correct category in green circular and also something else in red circular:   Could you please check all details by expanding window? From this limited view in screen shot it is hard to judge.   Also, again I would like to bring up again to the attention that setting URL category to "allow" will not provide any logs, it will only silently allow user to visit site without Firewall logging it. This is not so convenient for troubleshooting. Since you see some of the URL logs where you captured screen shot, it is hitting something where action is set to something else than allow.   Kind Regards Pavel ... View more

Hello @MMurphy1   it looks like URL shopping category is set to action: "continue". You can change the action by navigating to: Objects > Security Profiles > URL Filtering > [Name of URL filtering profile] > Categories > Shopping, then change action to: "alert" (Allow and generate log) or "allow" (Allow and no log generated):     Kind Regards Pavel ... View more

Hello @sskannan   what was your original PAN-OS version you upgraded from? From version 9.0.4, you must change the default administrator password (admin/admin). Here is the KB for reference: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PNOYCA4&lang=en_US%E2%80%A9   Kind Regards Pavel ... View more