About CHammock

Some of the predifined filters are great, Show Duplicate Names and Values is great for identifying duplicate objects to be deleted (or merged).  Show Duplicate Names is great for identifying objects that need more investigation.   When you are working with Panorama it is common to have Duplicate Names as objects will exist in different device groups including shared generally this is fine and wont impact anything if pushed to the device providing the values are the same.   However usually if I want to identify potential issues I need to see Duplicate Names and NOT Duplicate Names and Values.  These will show only the duplicate objects the don't have duplicate values.   As an example if I have 1655 duplicate names and 1660 duplicate names and values I only need to worry about 5 objects but how can you identify just those 5 objects. ... View more

I can't find anything which goes into enough detail on Active-Active design around NAT and more importantly ARP. The easiest way to explain the current deployment is as follows: Site 1 / Firewall A Site 2 / Firewall B Each firewall is connected to unique networks and routers internally and externally.   The expectation is to provide redundancy by putting both firewalls in HA A/A and setting floating addresses so that each firewall will be the primary for its site as listed above but in the event of a site or firewall failure the remaining firewall will take over both site and firewall responsibility.   From a network point of view we have L2 connectivity for all networks across both sites. The A/A config is such that floating IPs mean the correct firewall will ARP for the correct addresses for that site. Everything works fine apart from the NAT. DeviceID 0 is Primary, DeviceID 1 is Secondary   Destination NAT for Site 1 is fine. I have bound all destination NAT rules for Site 1 to the “Primary” device.  So Firewall A arps for all destination NAT addresses.  If Firewall A fails the remaining device becomes primary and ARPs for all destination NAT addresses.   The Problem 1: Destination NAT for Site 2 can only be bound to DeviceID 1 which means if it fails the remaining firewall doesn’t arp for the Destination NAT. If I change the NAT binding to both I get an arp conflict for the IP as both firewalls are on the same L2 network and its hit and miss as to which firewall the routers send the traffic.   The Problem 2: Source NAT can only be bound to DeviceID 0 or DeviceID 1. Which means similar to problem 1 I either get no failover or an ARP conflict.   I feel like the solution is to have a "Secondary" bind option and to allow Source NAT rules to be able to be bound to both Primary and Secondary devices.   Am I missing something from the network design or is this a limitation of the Active-Active Technology. A work around would be to disable the NAT rules from ARPing and it all being managed by the HA floating address configuration.  Is there a CLI command to disable NAT rule ARPing?   Any advice appriciated. ... View more

My first question would be is it possible to configure a firewall with no vsys license to query more than one domain without deploying the UserID windows agent? My second question would be if yes then how given that there is only 1 WMI authentication username, one list of DCs and also that the ignore user list would only apply to a single domain as you don't specify the domain prefix. ... View more

I have found little information on how this works other than the Primary Device makes the UserID Agent connections and sends them to the secondary.   User to IP Mappings What I have found which is of note is that when the primary sends the userid mappings to the secondary the timeouts are offset by the clock difference. So I have already resolve one issue where the secondary user ID mappings all timeout becuase the primary and secondary system clocks are 10 minutes out of sync (because the NTP server access was being blocked). You can force a refresh of the userIDs on the secondary by running the command "debug user-id refresh user-id agent all” on the primary device.  It seems this will force a push of the mappings to the secondary device. User and Group Enumeration So the problem I now have is how do the group mappings work between the Primary and Secondary, it appears to be similar to the User to IP mapping where none of the refresh commands work on the Secondary and all the stats on the secondary show zero.  However I have a specific problem where the customer is adding a user group to AD and its showing on the Primary but not showing on the secondary.  The configs are identical for group mappings and the system clocks are now synced.  If we run a “debug user-id reset group-mappings all” on the Primary the new group shows on primary but not on the Secondary. So I guess my question or discussion is How does the group mapping process work with an Active Active Pair of Palos.  Any input welcome ... View more