About BPry

@mudassar216, So everything you already have configured is technically already in vsys1 outside of shared objects, so nothing really "moves" when you enable multi-vsys as it's already present in the default vsys1. So every interface you have configured, including your aggregate, is already technically in vsys1.  Your aggregate interface needs to be assigned to a vsys and can't be left unassigned. I've never honestly tried having the VLANs split out between vsys coming across an AE assigned to another vsys, but I would guess that this would be an invalid configuration. ... View more

@RamBalaji, This currently is not possible. You can reach out to your SE to see if an existing feature request exists for this feature. ... View more

@ESJosephPrinz, I don't believe there is currently a way to get the DNS name of the host on the Network Mapper results, however you can export that so you can create a simple PowerShell or Python script or whatever to attempt to resolve the IP and run through your export.   As to testing the agent, I've not found a good way outside of confirming Network Mapper results with your endpoint results through exports and scripts to ensure that the agents are actually active across your device fleet. You can use wildfire.paloaltonetworks.com/publicapi/test/pe to test a detection on the endpoint and script that download and execution if you want to validate Cortex is actually working, but if an endpoint becomes unregistered it obviously won't trigger anything except on the functional hosts, so a review is what I recommend.  I have had agents become unregistered from the portal, albeit on a much lesser amount now than previously, that you won't know about unless you review your endpoint list and actively check for "Connection Lost" and manually reviewing your host list. This used to happen much more frequently, but we still run across it occasionally.  ... View more

@BChana, I'm not entirely clear on what you are trying to do and it sounds like your diagram describes what your network presently looks like, and not what you actually want? It sounds like both the "Internet" local internet breakout and the "Verizon WAN" MPLS connection you want to terminate on the PA-220 instead of the WAN connection directly on the core switch? If so, that'll absolutely work without issue with the proper routing setup.  ... View more

@PDelobel, The biggest thing to be mindful when doing this level of a migration is the port interface differences. If you have anything past Ethernet1/4 on your PA-850 be mindful that these will be copper interfaces on the PA-3220 instead of fiber. You may need to change around your interfaces, but that's not difficult, just something to be mindful of when planning the migration.  ... View more

@NormSil, If you were wondering about potential device impact since PAN uses OpenSSL in PAN-OS this isn't generally something they'll put any information out prior to it being patched, if it has any impact at all. You can subscribe to any security advisories that PAN releases through HERE, at this point no information is being publicly released.  ... View more

@risc527, I actually don't think this is available through the REST API; you would need to utilize the XML API for this.  ... View more

@eric1708, That's a setting that is set on the GlobalProtect portal side of things, not something that you can control on the client side. If you admin the service you are connecting to you can modify this under GlobalProtect Portal -> Agent configs.  ... View more

@Akhil_B, To figure that out you really need to be looking at the users route table and see how it's being set. It's pretty evident that the issue the user is running into is routing related, so you kind of need to go from there as far as troubleshooting goes.  ... View more

@Akhil_B, Sounds like something with the users route table got screwed up. This can happen depending on your agent settings and if you have IP overlap between the users local network and your enterprise network. GlobalProtect by design doesn't assign a gateway to the virtual adapter and will always show a /32. It installs routes into the route table to handle the actual traffic routing so the endpoint knows how to route traffic. There's some instances where you can see this type of behavior when the local network overlaps your enterprise network depending on how you have certain options configured (such as any split-tunneling or allowing local LAN access when connected to GlobalProtect) which would cause the behavior that this user was experiencing.  ... View more

@Akhil_B, Your question isn't entirely clear. When a client connects to the gateway they are assigned a preferred IP, and absent a few conditions they will continue to utilize that preferred IP for any further connections. That is expected and totally normal behavior. To be clear however, this is not the same as assigning a static IP to that endpoint. If you start running out of addresses in your address pool, the firewall will start re-assigning addresses from disconnected clients. So while addresses do largely stay the same when clients connect, it's not actually static and a number of conditions can get the client to pull a new address.    Hope that's clear enough and what you're actually asking about.  ... View more

@Paul.Allen, If you are running into an issue where Microsoft Store applications (UWP or the actual Store app itself) aren't working while connected to GlobalProtect this is likely an NLA issue. You can fix this via Group Policy https://docs.microsoft.com/en-us/troubleshoot/windows-client/shell-experience/microsoft-store-not-open-domain-joine-computer-vpn ... View more