About Smi12

Hello I'm currently configuring a PA-2050 running PAN 5.0.9 Can anyone confirm if the Application Override Policy match criteria should be configured to match on the Pre-NAT or Post-NAT zones and IP addresses.  I'm assuming it will match in the same way as a security policy does, and use the Post-NAT Zone, while the IP address match is based upon the Pre-NAT original packet destination? I've just read the PAN 5.0 Admin Guide and it makes no mention of the Application override match criteria with regard to NAT and neither does .  Any help would be appreciated, thanks in advance.  ... View more

We are in the process of replacing an internet facing Check Point (NokiaIP560) deployment with Palo Alto (PA-2050) running PAN-OS 5.0.9. The current checkpoint deployment has two equal cost default routes to the upstream providers routes.  These two next hop IP addresses are the multi-group VRRP IP addresses to achieve outbound load sharing.  Below is the "show route" output from the Check Point firewalls routing table, it appears to show two equal cost static default routes. S     0.0.0.0/0           via x.x.x.209, eth-s4p1c0, cost 0, age 31245795                                via x.x.x.210, eth-s4p1c0 Does anyone know if Palo Alto will support the above equal cost/metric default route in the way Check Point does?  If we attempt to add the two static routes as above, the commit fails with the error: In virtual-router default, the static route Default-2 metric value 10 is not unique among static routes to destination 0.0.0.0/0.(Module: routed) Config commit phase 1 aborted(Module: device) Commit failed If we are not able to duplicate the Check Point routing, we believe this would mean sending all outbound traffic on a single default route to a single upstream router IP address, and essentially loose the ability to load share the two upstream Internet circuits thus loosing 50% of outbound bandwidth. Does anyone have any suggestions on our scenario? ... View more

I've inherited the management of a PA-500 that was previously linked to a Panorama server. When I try to commit I receive the following error VSYS1     Error: Number of profiles (4294967292) exceeds vsys capacity (50) (Module: device) Commit failed I've looked through the the configuration and there only appears to be a handful of av, malware, threat etc... profiles.  I've even deleted every profile I can find and I still receive the above error.  Short of a factory default I'm not sure what else to do. We are running PAN-OS 5.0.8 Can anyone help? Thanks ... View more