About FarzanaMustafa

We are currently running a Panorama virtual appliance in PANORAMA mode running on the ESXi host. Based on the predictable logs per second (LPS) estimation, we have allocated 16 CPUs and 32GB memory while the virtual appliance initially built up.   At the moment, we only have one managed firewall connecting to Panorama and sending logs to the Panorama log collector, we noticed that the Panorama CPU utilisation baseline is around 1-2%.   Advised by Palo Alto (reference) that "If the minimum resource requirements are not met for PANORAMA mode   when you Install   the Panorama Virtual Appliance, Panorama defaults to Management Only mode", I would like to know that   after we have successfully install the appliance running on PANORAMA mode, can we then reduce the CPU below the resource requirements and keep it running on PANORAMA mode?   That will be great if we can dynamically resize the resource of the PANORAMA appliance and keep it with the PANORAMA mode, as currently the oversubscribing CPU from the ESXi host will cause the waiting time of other VMs, while the Panorama virtual appliance doesn't need that many CPU resource with the current usage.   Would you please advise? Thanks   reference: https://docs.paloaltonetworks.com/panorama/9-1/panorama-admin/set-up-panorama/set-up-the-panorama-virtual-appliance/setup-prerequisites-for-the-panorama-virtual-appliance.html#id4430de3f-a44c-4b24-b9c3-52cef1f0bc96 ... View more

We are using VM-100 and would like to use this as a load balancer for our Web services.   We have checked the link below and would like to know if this  EMCP load balance incoming traffic to Web servers? Or does this just load balance egress traffic between 2 different ISP’s?   https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClF8CAK   ... View more

  HIP object is correctly setup.   We are testing the missing patches HIP check object and noticed that an VPN endpoint is showing 3 missing patches (on the HIP report). However the machine is showing it's installed these patches already. How does Palo detect the missing patches as Windows is showing them as installed?   Using ver: 8.1.10 ... View more

Currently in User-ID, one ip address is associated with three usernames. Two of which are the hostnames of the computer and not the user so when the staff tries to access something, they are getting blocked. Do you have any suggestion to fix this? Clearly AD is pulling this information. Do I need to adjust something on Active Directory to fix this?     ... View more

Is there a session limit on number of active connections while using GlobalProtect advanced features?   Currently the PA box 3220 supports 1024 concurrent SSL connections and has a GP Gateway Advanced license installed. ... View more

We are using PA-3050 and would like to know how to limit Youtube usage to a certain Active Directory group (students) to 200mb per day.   Please outline the steps. ... View more

We are using PA-850.   We are constantly getting alert:  Error for user group count exceeds 1000 threshold.   We understand the error is due to hardware limitation of the PA model and it is restricted to 1,000 AD groups.   We would like to know how  to use filtering or search scope so the Palo Alto device is no looking at the entire AD. ... View more

PANOS 8.1.9   When we are doing the config backup we do not see all the config is getting backed up – for example, the firewall rules, NAT and port forwarding rules are not seen in the backup – Apparently a very fraction of the configuration is saved.   Can you please suggest how to fix this? ... View more

Our client is having issues with LDAP connectivity. We are trying to configure "Group Include List" in the Group Mapping Settings in User Identification but when we click on the Base DN to browse available groups, we get "Connect error".   Same thing showing on CLI:   PA-850-1(active)> show user group-mapping state all Group Mapping(vsys1, type: active-directory): ADMap         Bind DN    : CN=svc_paloalto_auth,OU=Service Accounts,OU=Consult Cloud,OU=Hosted,DC=cloud,DC=local         Base       : DC=cloud,DC=local         Group Filter: (None)         User Filter: (None)         Servers    : configured 2 servers                 192.168.10.21(636)                         Last LDAP error: Connect error                 192.168.0.25(636)                         Last Action Time: 19 secs ago(took 0 secs)                         Next Action Time: In 41 secs                         Last LDAP error: Connect error         Number of Groups: 0   When doing tcpdump, we can see TCP connection established on port 636 (we're using SSL), but AD server resets the connection. Any idea how to resolve this issue? ... View more