About BPry

@Rajendranahak, This is a known limitation; you can't have more than 250 proxy-IDs assigned on any one tunnel, and it looks like you do.  ... View more

@SAugustin, Do you actually have an active GlobalProtect subscription on this firewall? If not, you can go to the support portal and generate a trial subscription for the next 60-days.  ... View more

@JohnQuile, Changing to Always-On doesn't require you to re-install the agent, it will simply update it's configuration in the background the next time it connects to the portal. Short answer is this will work perfectly fine, here is a KB article about getting it setup. ... View more

@vmtechzakirhussain, To verify that what I'm saying was understood; if you want to pull data from two different domains you would do this by installing the standalone user-id agent on windows server, instead of using the integrated user-id agent on the firewall. You would simply configure the firewall to connect to these windows-based user-id agents and pull the information from these agents.    Windows-user-id Agent Configuration Numerous Mapping Sources Documentation ... View more

@Graeme_Riddell, So your system log forwarding will be under Device->Log Settings in the GUI, which is probably where your SIEM is getting these logs, not the log forwarding profile. Look what you have under 'System' and configure the filter as required for the entry sending the logs to your SIEM.  ... View more

@jfritchey, This should be working perfectly fine, the one thing that you have to check when doing something like this, is if the traffic is actually being allowed through your security rulebase (if it's passing through your firewall).  ... View more

@BrianAllison, Unless you absolutely need 5.1, I would be sticking with 5.0.6. 5.1 is still early in its release cycle and I've found plenty of odd bugs with it. If you absolutely need 5.1, reach out to TAC and open a case on it.  ... View more

@vmtechzakirhussain, This is only a limitation of the built-in user-id agent; if you setup the agent on antoher Windows machine the firewall can pull information from two different domains easily.  ... View more

@idelconsulting  You're just missing the rsa-nbits part of the command. request certificate generate name "paab.xyz.local" certificate-name "paabself" algorithm RSA rsa-nbits 2048 ... View more

@Shawverr @1onerobertone1, There really isn't a good way to do something like this through the firewall itself. I know that creating a custom data pattern and utilizing it within a DLP profile was a way that people have worked around this limitation in the past.  Sadly the way that Google recommends restricting this access with a special HTTP header isn't something that PAN supports at the moment, and Google doesn't offer anything to make categorizing the application anything other than gmail.  So a custom data pattern is going to be the best solution that you can really do at the moment, but that isn't the best solution and isn't without problems in it's own.   ... View more

@vravindra, This can be a large number of things, without additonal insight into how you have things configured saying exactly what it is isn't going to be possible. I personally would be reaching out to TAC so that someone can actually look at how a firewall you are deploying is actually configured. A few things to check though: The firewall has corresponding routes for all subnets pointing to the first IP of the subnet the firewall is attached to. Ensure the interface itself has IP Forwarding enabled on the Azure side of things when configured through terraform.  The UDR is being properly assigned to the subnets.  ... View more

@iscott, The process that you are looking at is very specific to the management interface; if the data is going across a dataplane interface you would simply follow the usual PCAP process.  ... View more

@nextgenhappiness, So you went from a non-recommended upgrade path to mirroring the recommended upgrade path and your issues went away, funny how that works out 😉  ; - )   In all seriousness, this is exactly why I stress following the actual recommended upgrade path as much as I do. 95% of the time it won't matter and everything will work perfectly fine, but then 5% of the time something breaks and can cause an outage. It's better that you follow the proper process and need a bit more time for the maintenance window than have an issue and cause an unexpected outage or unexpected extended maintenance.    ... View more

@alterioc, Because you are utilizing user-id  to accomplish this, you'll only ever be able to utilize this via a single IP address at a time.  ... View more

@deepak12, Is this just for ease of use for the GUI/CLI or for automation? If it's for automation, you can actually utilize the API call below to show the high-availability state result. Once you have the result it's just as simple as parsing the result to determine the peers HA state, and then you can pass your automation calls to the active peer.  https://firewall/api/?type=op&cmd=<show><high-availability><state></state></high-availability></show>&key=myfirewallkey   If this isn't for automation and you simply want to have an easy way of only ever hitting the active unit, you don't have any other option outside of setting up an interface management profile as mentioned by @OwenFuller.   ... View more

Couple ways you can do it, as @OtakarKlier has already mentioned: CLI: set address "My Server" ip-netmask 192.168.1.1/32 You could set all of your set statements how you want and paste them in, which would work fine.    Configuration File:   # FQDN # <entry name="updates.cuasvc.com"> <fqdn>updates.cuasvc.com</fqdn> <tag> <member>Barracuda-Updates</member> </tag> </entry> # Netmask # <entry name="Test-GlobalProtect"> <ip-netmask>172.16.253.128/25</ip-netmask> <tag> <member>GlobalProtect</member> </tag> </entry> You can locate where these go in your configuration file easier if you search for <address-group> since <address> is referenced a bit in the configuration file.    API: https://192.168.1.1/api/?key=MYAPIKEY&type=config&action=set&xpath=/config/shared/address/entry[@name='Google-DNS']&element=<ip-netmask>8.8.8.8/32</ip-netmask>   You can use any of these methods to build out your address object base quickly. Personally; I'm a big fan of modifying the configuration file itself and feeding it back into the firewall, because you can put the configuration file into Git, but I also find XML easy to work with.  ... View more

@alo_palto, Are you just talking about creating large numbers of address objects?  ... View more