About MGRashmi

Hi All,    We are exploring the firewall deployment options for one of our customers who have a requirement to stretch few VLANs across 2 data centers most probably using VXLAN/EVPN. The options currently being explored are:   1. Active-Standby firewalls in each data center 2. Active-Active firewall  with one node in each data center   Are there any design/deployment references for these scenarios especially how to avoid double firewalling and the possible scenarios for asymmetric routing and how to avoid them.  ... View more

Hi,    I am trying to configure user-id based authentication in Palo Alto 5220 (Pan OS 9.0.2). I have integrated Palo Alto with AD using LDAP profile. I am not able to add the AD groups in the "Group Include" list as they are not being listed in the GUI. I am using panorama to manage the firewall. However, i am able to view the groups in CLI of the firewall if i give the command "show user group list" lists all the AD groups in CLI. Also, i am able to view the "user-ip" mapping in CLI. However, i am not able to select groups in GUI under "Group mapping" and security policies. Please suggest.  ... View more

 Hi,    We have a setup in which a switch is used for interconnecting several virtual systems to a perimeter router. The switch is going end of life and needs to be replaced. Is it possible to replace this switch with a "Virtual router" in Palo Alto? Below is the setup:   1. All virtual systems have their own virtual routers.  2. Default routes from the virtual systems are pointing to the corresponding SVIs in the switch 3. From the switch traffic gets routed to perimeter router 4. There are NAT IPs in each Vsys. Switch has reverse routes pointing to those NAT IPs to the particular interfaces of the vsys.   Query:    1. Is it possible to replace the switch with a new virtual router? Will the new virtual router be visible to all vsys? 2. If i select next hop as "Virtual router" while adding a static route, it does not allow me to choose an interface in the next hop vritual router.  Will this work for static routes configured for NAT IPs in the next hop VR? And also for static routes? In the diagram below, 192.66.2.2 is a NAT IP configured in vsys1. My question is if the "Switch with SVIs" is replaced by a new virtual router, will I be able to add routes for 192.66.2.2 pointing to next hop virtual router as "vsys 1" in it?     ... View more

We have a requirement to configure OSPF & multicast in a sub-interface of Palo Alto for one of our customers. I would like to understand how it would impact the CPU, memory and throughput and the guidelines and best practices to be followed while configuring OSPF. A comparison against having static routes vs processing OSPF routes. Please suggest. ... View more

Hi,    I am preparing to migrate configuration from cisco FWSM to Palo Alto 5250 which is managed by Panorama. The converted configuration gets exported to Panorama but while attempting to commit to the firewall, i get the following error. I have done "re-mapping" of Vlan interfaces in Cisco FWSM to Palo Alto aggregate interface sub-interfaces. Please help.  I am using expedition tool. My Panorama version is 8.1.2   Error Message: . Validation Error: . vsys -> vsys2 -> import -> network -> interface 'ae1.251' is not a valid reference . vsys -> vsys2 -> import -> network -> interface is invalid . Can't get interface ae1.516 id(Module: routed) . Error: unknown interface ae1.516 . Error: virtual router configuration error . (Module: device) . Commit failed Warnings: ... View more