About MichaelBorg

Hi,   I am having some trouble successfully creating a NAT/PBF combination. Long story short...:   We have an office with two WAN switches that have IP addresses in the same range as that office LAN WiFi IP range. Thus if anyone in the office or on their VPN tries to SSH to these switches the core switch routes it back to the LAN as that is where the IP range of the WiFi lives. I am trying to implement NAT/PBF go get SSH from the LAN to these WAN switches to work.   At first I thought I could create NAT/PBF rules to get this working if the LAN machine SSH to 2.2.2.2 but it isn't. Please see attached screenshots. I created a NAT rule with the Original packet source address as the LAN machine IP, destination address as 2.2.2.2 and the Translated packet as the WAN switch IP address. I then created a PBF rule with the Source as the LAN machine IP Destination address as the WAN switch IP and the Forwarding Egress interface as the interface connected to the WAN switch.   When I try to SSH using 2.2.2.2 I see the firewall logs as destination IP address 2.2.2.2 which is of course incomplete. Does the PBR take place before the NAT? If so I am not too sure how to get this to work. Many thanks in advance! ... View more

Hi everyone,   I   am a network engineer and we have recently swapped out some Palo Alto firewalls for newer models. The old firewalls were managed in Panorama and I recently tried to integrate these new firewalls to Panorama. I want both the Device Groups (Policies and Objects tabs) and Templates (Network and Device tabs) to be managed by Panorama apart from the Device > High Availability and Setup sections which I want managed locally. It went smoothly until I reached step 8 in the below Palo Alto document. https://docs.paloaltonetworks.com/panorama/9-0/panorama-admin/manage-firewalls/transition-a-firewall-to-panorama-management/migrate-a-firewall-ha-pair-to-panorama-management.html I decided against selecting 'Force Template Values' when I pushed the config to the firewalls because Device > High Availability and Setup should be managed locally, not by Panorama. I was hoping that if I skip selecting 'Force Template Values' I can simply click on everything apart from High Availability and Setup and click Revert locally on the firewall to have this managed in Panorama. When I started doing this however on the Interfaces I got the below error:   Error deleting Ethernet Interface member cannot be deleted because of references from: network -> virtual-router -> VR-1 -> routing-table -> ip -> statis-route -> SER_GW -> interface network -> virtual-router -> VR-1 -> routing-table -> ip -> statis-route -> CanyonRanch -> interface network -> virtual-router -> VR-1 -> routing-table -> ip -> statis-route -> test -> interface   I have tried to revert VR-1 then do a commit then revert the interfaces but I am still getting the same error above. I don't want to 'Force Template Values' on Panorama as the High Availability and Setup on the local firewalls will be deleted. Any idea how I can add the Template (Network and Device tabs) to be managed by Panorama without adding High Availability and Setup too?   Panorama is version 9.1.8 and model M-100 Firewalls are version 9.1.8 and model PA-5250 in Active Passive setup.   Many thanks in advance! ... View more