About delliott_6784

From recent experience shadowing another engineer on a project, stay on 5.6.  A void 6.2.1 for now for sure, 6.1.4 may be ok in some circumstances but probably wait for 6.1.5.  Issues encountered include software proc restarts and false positives with tunnel monitoring.  We are hoping for something better in 6.1.5 but are stuck with 6.1 on newer (ION3200, ION5200) boxes or we would probably be on 5.6 code.  We are told by TAC that 6.5 should be available beginning of October. ... View more

Sounds like NGFW is involved in allowing your flows.  "Try disabling multichannel on the Windows server and client. Because of the way that SMBv3 multi-channel works in splitting up files Palo Alto Networks recommends disabling SMB multi-channel through the Windows PowerShell."   This advice comes from this article -- Why is SMB traffic slow ? (paloaltonetworks.com) Have you seen this article on SMBv3 multi-channeling?  ... View more

Would a SDWAN report provide the metrics required by the client?   https://docs.paloaltonetworks.com/sd-wan/3-1/sd-wan-admin/monitoring-and-reporting/generate-an-sd-wan-report#id4580ddd7-7f2d-41e4-8355-4063f027aabd Also, is the POC licensed for ADEM? ... View more

If the underlay is the issue and not the overlay SDWAN interfaces, I would look for layer 2 channel issues or seek help from Comcast support to remediate a MAC ghosting issue.  ... View more

Look for TCP retransmissions in pcaps as windows ramp up during transmits.  Might be a MTU issue.  set your MTU down to low 1430 to test if currently at 1500.  ... View more

Would it be possible to assign a user-id statically to the IP address you wish to block and use that user/IP mapping in the security policy to block the user and IP? ... View more

I think your other option is to add another physical interface (if avail) for Guest with separate IP for gateway.  Could add to a new virtual-router and add a default-route to next-vr. ... View more

 @ClintL, is your switch trunking to eth1/1?  If so, its egress port or interface is sending traffic with vlan tags and you would need to receive/send that tagged traffic on tagged sub-interfaces.  usually, the only interface untagged is the non-sub-interface in your case eth 1/1 where all sub-interfaces carry tagged traffic.  If it is not trunking, there would be no way to diff the traffic across the link.  the same would go with vWires. ... View more

I  don't know the hardware you are working with but these instructions should help.   https://docs.paloaltonetworks.com/hardware/pa-400-hardware-reference/install-the-pa-400-firewall/set-up-a-connection-to-the-firewall   ... View more

Hey @ronan , from the brief description of your network, panos native SDWAN in Panorama will work well without knowing your full checklist of needs. To handle the device-group parent-child relationships for pre and post rules, I recommend this document - Manage Your Device Group Configurations on Panorama (paloaltonetworks.com) and make sure you configure a Master Device, & Reference Template.  You can store objects in a Parent DG instead of shared to keep from overloading smaller firewalls but there is a checkbox in Panorama to only download objects used by the firewall.  Since your zone name characters/case are identical, you should be able to share much of your policy via parent DG.    For Templates/Template-Stacks, you will use variables to identify different IP addresses & FQDNs for different firewalls using the same Template-Stacks.    ... View more

Expedition is the tool of choice and the only one supported by PAN.  If you have issues using the tool that are not answered on the Expedition site Expedition | Palo Alto Networks or Expedition live forum, you can contact the Expedition dev team at fwmigrate@paloaltonetworks.com for help.  They continually release updates and provide notes. ... View more

You ROCK!  I searched everywhere (from my chair) with no luck.  Thank You. ... View more

did not and still looking for Prisma SDWAN, ION, CloudGenix stencils. ... View more