This website uses cookies essential to its operation, for analytics, and for personalized content. By continuing to browse this site, you acknowledge the use of cookies.
For details on cookie usage on our site, read our Privacy Policy
For details on cookie usage on our site, read our Privacy Policy
About TSchepers
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- LIVEcommunity
- About TSchepers
11-17-2020
9Posts
0Likes
0Solutions
Nov 17, 2020Last Visited
User
Activity
User
Profile
Latest posts by TSchepers
| Subject | Views | Posted |
|---|---|---|
| 5638 | 04-11-2019 06:00 AM | |
| 5649 | 04-10-2019 10:03 AM | |
| 5756 | 04-10-2019 08:39 AM | |
| 7056 | 07-20-2016 04:41 AM | |
| 7152 | 07-20-2016 03:07 AM | |
| 2776 | 09-03-2015 07:40 AM |
Posts I Liked
| Subject | Likes | Author | Latest Post |
|---|---|---|---|
| 4 Likes |
User Badges
Community Statistics
| Member Since | 10-16-2014 04:28 AM |
| Date Last Visited | 11-17-2020 10:35 AM |
| Posts | 9 |
04-11-2019
06:00 AM
All I'm going to say about that is that even without automated updates, PAN still won. But regardless how anyone feels about airgapping an PAN deployment, fact is that PAN supports it: *activation via uploadable license keys on both panorama and firewalls *uploadable software updates *uploadable content updates It's quite frustrating to find out you then need to open a connection to the palo alto update server after all, because the firewalls can't report their license status to panorama. At that point, everything you need is already present in the airgapped segment!
... View more
04-10-2019
10:03 AM
Indeed, no Internet access whatsoever is the goal. It's required by a customer. Both firewalls and panorama are deployed in airgapped scada network segments that can't have any connections to the outside. At the moment it seems like the only time we'd need an outside connection is when panorama retrieves license information. Updates can be uploaded to the airgapped network. This makes no sense, since there is a license key system in place for both firewall locally, but no way for the firewall to relay this information to the panorama, and no way to import the firewall's license key on panorama. But the fact that we can activate panorama using license keys and upload OS versions and content updates seems to point to support for a fully airgapped panorama. So close...
... View more
04-10-2019
08:39 AM
Hi guys, I was wondering if anyone has any experience using a totally airgapped panorama/firewalls deployment. At the moment I have a case where none of the devices are allowed any outside connections. I thought it would be do-able since both software and content updates can be manually uploaded to panorama and deployed like this, and license keys can be downloaded and uploaded to the firewalls... That should cover all bases, right? Now we realize that panorama isn't aware of licenses manually uploaded to firewalls. The only way to make panorama aware of the licenses present on a firewall is by letting it connect to the outside license server (updates.paloaltonetworks.com I suppose...). Since we need a valid suppport license to be known on the Panorama to push software updates and content packs, the whole thing falls apart. It doesn't make sense to me. They implemented ways to do version and content updates in an airgapped system, but you still need to break the airgap to allow panorama to retrieve the licenses for the airgap solutions to work. I must be missing something, right?
... View more
07-20-2016
04:41 AM
Thanks for your reply. Exactly what I was thinking. 'Just to be safe'. Since HA can be very sensitive to version differences. But there has to be some sort of official Palo Alto recommendation for situation like this, right? So my upgrade path would now become something like this: download 6.0 on both devices Suspend Primary and upgrade to 6.0.X Suspend secondary and upgrade to 6.0.X Suspend Primary and upgrade to 6.1.X Suspend Secondary....
... View more
07-20-2016
03:07 AM
Hi, I'm going to upgrade a PANOS 5.0.14 to version 7.1. As I understand, the correct sequence is: Update PAN-OS 5.0.14 to 7.1.x: Download 6.0.0 Download + install latest 6.0.x release (reboot) Download 6.1.0 Download+Install latest 6.1.x release (reboot) Download 7.0.1 Download + install latest 7.0.x release (reboot) Download 7.1.0 Download + Install latest 7.1.x release (reboot) It's pretty straightforward to do this on a single device, but when you do this in an HA setup, is it a good idea to update 1 device to 7.1 while the other trails behind on version 5? Won't that create issues? Or do I need to get primary and secondary to the same major version so there isn't a large difference between them? F.e.: Get both from version 5 to 6 before carrying on to version 7,... Thanks for your help Tim Schepers
... View more
09-03-2015
07:40 AM
I tried updating a PA3050 HA active/passive setup from 6.0.10 to 6.1 to eventually go to 7. The update works for both devices, everything seems to be working like it should, except for the tagged subinterfaces of the aggregated interfaces. They simply stopped working. They appear to be up, traffic seems to be allowed through them, but everything ages out. Did a rollback to 6.0.10 . Anyone any ideas on what differences between the 6.0 and 6.1 releases could cause an issue like this? Thanks, Tim
... View more
- Tags:
- update
Labels:
- Labels:
-
Configuration
-
High Availability
-
Network
LEGAL NOTICES
Copyright 2007 - 2023 - Palo Alto Networks