About junior_r

Hi Tommy,   Just did a test anytime I add a URL category to a deny rule I get the block page with or without the URL filtering profile. The URL filtering profile just adds extra entry in the URL filtering log.   Thanks ... View more

Hi Tommy,   will you still get a block page if URL filtering profile had all categories set to alert and action on rule set to deny?   Thanks ... View more

@pulukas in this setup would the server send arp-reply to arp request from the circut?     ... View more

@gwesson wrote: Just to be sure, you're saying:  server(1.1.1.50) <---> [e1/3]PAN[e1/1] <---> Router And you want the PAN to respond to ARP requests for 1.1.1.50 that originate from the router?   If that's correct, there are two ways I can think of offhand: 1. Proxy ARP will do this if you do destination-NAT on 1.1.1.50 to some other internal address. There's a good doc on that here: https://www.paloaltonetworks.com/documentation/81/pan-os/pan-os/networking/nat/nat-policy-rules/proxy-arp-for-nat-address-pools   2. Use virtual wire (vwire) interfaces instead of layer 3. A virtual wire doesn't terminate layer 2 or 3, so the ARP request will directly hit the server, and the response will come from the port that eth1/1 is connected to. Docs on that here: https://www.paloaltonetworks.com/documentation/71/pan-os/pan-os/networking/virtual-wire-deployments https://www.paloaltonetworks.com/documentation/81/pan-os/pan-os/networking/configure-interfaces/virtual-wire-interfaces/configure-virtual-wires   (1.1.1.50) [e1/4]FW 2[e1/7] 10.10.10.11/24 <----> [e1/3]PAN[e1/7] 10.10.10.10/24 <---> [e1/3]PAN[e1/1] <---> Router   Two Firewalls PAN and FW2 If i do a destination NAT on 1.1.1.50 to internal IP would the packet even make its way to ETH3? I cannot modify any IPs behind e1/3     ... View more

@jperry1   wouldn't  VM-Series to Device be slower...even if I take the VM with higest resources?   Thanks ... View more