About RFalconer

It's under the vsys config. edit template myTemplate set config vsys vsys1 zone ......... ... View more

In your Authentication Profile, what are the values for 'User Domain' and 'Username Modifier'?   I do remember having an issue going from 6.1 to 7.0 and I'm also using radius with Cisco ACS. I think I might have changed the value in one of these fields. ... View more

On the desired interface on the IPv4 tab, select PPPoE. On the Advanced tab, you can specify a static address. You should be able to include the /29 with the static address. ... View more

Has this method of user-id ever worked correctly? ... View more

One other thing you can check is the 'Max Rows in User Activity Report'. If you hit the maximum number of rows for the report based on 4 days of activity, it won't show any activity further back.  If you've changed the activity report to included detailed browsing, increasing the number of rows in the report, this would possibly cause an issue. ... View more

What do your NAT and Security policies look like? Do you have any other traffic being NAT'd successfully? ... View more

If you remove the secondary, does the primary sync? I saw this issue when the NTP servers were providing slightly different times back to the PA. If they are different, NTP will fail. ... View more

Have you tested passing traffic into the subnet you're advertising, using NAT rules bound to the interface on a different subnet? I've never been able to do this without either a loopback or a null route. ... View more

If you want the full config, you can export the configuration from the production Panorama and import into the test unit. If you only want to export/import the security policies, you can do a copy an paste from the CLI. Maybe grab the rules with 'show | match pre-rulebase' and 'show | match post-rulebase' and then paste them.  The license is done by serial number and won't be included in any export. ... View more

Here's an example. The direct connection to the isp is a /30, 10.1.1.2/30. Your public IP space is 128.1.1.0/24 (This doesn't have to be BGP advertised. It can just be another subnet that the ISP has assigned to you that they route to 10.1.1.2) Create a static route for 128.1.1.0/24. I usually set the interface to the untrust and the next hop to 'None'   By creating this static route, it puts the prefix in the routing table. BGP will only advertise prefixes that exist in the routing table. Also, when NAT statements are created for the public subnet, an entry for this public network must exist in the routing table or the processing of the traffic will fail. Check out page 4 on this doc:  https://live.paloaltonetworks.com/twzvq79624/attachments/twzvq79624/learning_tkb/189/2/DOC-1628.pdf A forwarding lookup is done before NAT is even processed. If the destination doesn't exist, then traffic is discarded before it even gets to the NAT lookup. By having a route to null0, the prefix exists and the flow continues.  ... View more

You can re-order using the CLI but you can't create rules with sequence numbers to place them where you want in the policy. (That would be a nice feature) So if you really wanted to get the rules in order as you go, you would have to use a 'move' command after creating each nat rule. Maybe something like this, depending on what order you want things in. set device-group <groupname> pre-rulebase nat rules NAT1 ....... move device-group <groupname> pre-rulebase nat rules NAT1 before CURRENTNAT (or you could use 'top' instead of 'before' if you want it first) set device-group <groupname> pre-rulebase nat rules NAT2 ....... move device-group <groupname> pre-rulebase nat rules NAT2 before CURRENTNAT (or you could use 'after NAT1' if you want it beneath) ... View more