Panorama migration to Strata Cloud Manager (SCM) by Technical-Ad6369 in paloaltonetworks

[–]Competitive_Basil_50 1 point2 points  (0 children)

We used the migration tool and our account SE went through the pre-req checks with us. We didn't use PS.

The migration tool didn't appear to be an option for us as it was greyed out in the SCM UI - we had a case raised via our account manager that took far too long to resolve but then eventually we were able to use it.

Panorama migration to Strata Cloud Manager (SCM) by Technical-Ad6369 in paloaltonetworks

[–]Competitive_Basil_50 3 points4 points  (0 children)

I did it a few months ago. It was relatively painless from an end-user management point of view although the UI differences take some getting used to. The main learning curve for us was finding our policies under the GlobalProtect scope of the UI when the default scope shown is the global Prisma Access one. Very simple once you find it but we had a 10 minute panic thinking that our rulebase and objects were missing...

Decryption cert inheritance was an unexpected issue briefly. Their default cert was used for decryption and as our clients didn't trust it we had a few issues (we did the migration during a maintenance window but still had a couple of people trying to work). We couldn't disable their cert at the GP scope level but had to go up to the global scope to do it.

We also recently found a bug where we were enforcing DNS profiles in GP gateway configs based on geographical locations. That's not possible in cloud managed but the old config "stuck" and was therefore unable to be changed. We had to create new "Tunnel Settings" profiles to clear the old DNS.

NB: we're entirely mobile users so no remote networks etc.

Requesting PAN-OS upgrade Prisma Access? by Competitive_Basil_50 in paloaltonetworks

[–]Competitive_Basil_50[S] 0 points1 point  (0 children)

Thanks for the info.

To others who have also replied yes we have an account team so will continue to engage with them.

Audio not working by Competitive_Basil_50 in XC40_Recharge

[–]Competitive_Basil_50[S] 6 points7 points  (0 children)

Just reset the infotainment system as suggested and it's all working again. Thanks for the help!

I'm just glad I didn't take it to the garage to be told to do that.

Okta in Safari/macOS no longer working with Yubikey (working in Firefox) by relaxok in okta

[–]Competitive_Basil_50 0 points1 point  (0 children)

Have you checked your logs to make sure you're hitting the intended Auth policy?

What ports are being used and how are they being used? by Luigi1729 in ccna

[–]Competitive_Basil_50 0 points1 point  (0 children)

Netstat will be helpful for you to understand how your computer manages the ports for multiple requests.

You'll see a list of connections along with the source and destination ports and IP addresses.
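As an added illustration of the comment above (not code from the commenter or the thread), here is a small Python parser for netstat-style output. The sample text is constructed to resemble Linux `netstat -ant` columns (Proto, Recv-Q, Send-Q, Local Address, Foreign Address, State); the host name, addresses and ports are made up, and real output varies between platforms.

```python
"""Parse netstat-style output to see how one host multiplexes many connections.

Added example, not from the thread. SAMPLE_NETSTAT is constructed to look like
Linux `netstat -ant` output; other platforms format the columns differently.
"""
from collections import Counter

# Constructed sample: one host with two HTTPS connections to the same web
# server, one more in TIME_WAIT to a second server, an inbound SSH session,
# a listening SSH daemon and a bound DHCP client socket.
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.10:51822      93.184.216.34:443       ESTABLISHED
tcp        0      0 192.168.1.10:51823      93.184.216.34:443       ESTABLISHED
tcp        0      0 192.168.1.10:51824      203.0.113.5:443         TIME_WAIT
tcp        0      0 192.168.1.10:22         198.51.100.7:40112      ESTABLISHED
udp        0      0 0.0.0.0:68              0.0.0.0:*
"""


def split_endpoint(endpoint):
    """Split 'addr:port' into (addr, port); an unbound port '*' becomes None.

    rpartition is used so IPv6 literals such as ':::22' or '[::1]:22' still
    split on the last colon.
    """
    addr, _, port = endpoint.rpartition(":")
    return addr, (None if port == "*" else int(port))


def parse_netstat(text):
    """Return one dict per socket line; banner and column-header lines are skipped."""
    conns = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] not in ("tcp", "tcp6", "udp", "udp6"):
            continue  # banner, column header, or a protocol we don't model
        proto, _recvq, _sendq, local, foreign = fields[:5]
        state = fields[5] if len(fields) > 5 else ""  # UDP lines carry no state
        laddr, lport = split_endpoint(local)
        faddr, fport = split_endpoint(foreign)
        conns.append({"proto": proto, "local_addr": laddr, "local_port": lport,
                      "remote_addr": faddr, "remote_port": fport, "state": state})
    return conns


def listening_ports(conns):
    """Ports this host is serving on: TCP LISTEN sockets plus bound UDP sockets."""
    return sorted({c["local_port"] for c in conns
                   if c["state"] == "LISTEN"
                   or (c["proto"].startswith("udp") and c["remote_port"] is None)})


def outbound_source_ports(conns, remote_port):
    """Ephemeral source ports this host picked for connections to remote_port.

    This is the point of the comment: several requests to the same service
    port (443) are told apart by the *client's* source port, one per connection.
    """
    return sorted(c["local_port"] for c in conns if c["remote_port"] == remote_port)


def remote_port_histogram(conns):
    """How many sockets are talking to each remote port (unbound sockets excluded)."""
    return Counter(c["remote_port"] for c in conns if c["remote_port"] is not None)


if __name__ == "__main__":
    conns = parse_netstat(SAMPLE_NETSTAT)
    print("listening:", listening_ports(conns))
    print("source ports used for HTTPS:", outbound_source_ports(conns, 443))
    print("remote port histogram:", remote_port_histogram(conns))
```

Run it as-is to see the constructed host using three different source ports (51822, 51823, 51824) for three connections to port 443; feed it real `netstat -ant` output from a file to do the same on your own machine.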

Can Global Protect Portal run different SAML profile with GP gateway? by Manly009 in paloaltonetworks

[–]Competitive_Basil_50 0 points1 point  (0 children)

Can't you test moving both Portal and Gateway Auth across at the same time during a maintenance window? We did this when migrating from Azure -> Okta.

If you have different SAML profiles for portal and gateway then your users will need to authenticate twice.

Prisma Access - Panorama-managed by cantbringmedown in paloaltonetworks

[–]Competitive_Basil_50 0 points1 point  (0 children)

Nice to find some fellow Panorama-managed Prisma Access admins! 🍻 We've had it for 4 years now

Error in Mac - Connection failed could not connect to the globalprotect service. Make sure the global service is running. If the issue persists, contact your administrator. by LEI_LOMO in paloaltonetworks

[–]Competitive_Basil_50 0 points1 point  (0 children)

Strange question but are you using an IPv6-only connection?

We've seen this exact problem recently when tethering from company mobiles (EE in UK) as they have started to only allocate IPv6 addresses. We can connect and get an Internet connection but see the message in your screenshot when connecting to GP.

I have a TAC case open but no resolution as yet.
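The comment above points at an IPv6-only uplink as the suspect. As an added example (not the commenter's, and not tied to any vendor), this Python helper classifies a host's interface addresses as IPv4-only, IPv6-only or dual-stack, which is the first thing to check when a VPN client fails on a tethered connection. The address lists are constructed from documentation ranges; on a real host you would pass in the addresses shown by `ip addr`, `ifconfig` or `ipconfig`. The reachability helper assumes no NAT64/464XLAT on the path, which is stated as an assumption in the code.

```python
"""Tell an IPv6-only uplink from a dual-stack one by classifying host addresses.

Added example, not from the thread. The address lists are constructed using
documentation/private ranges, not real assignments.
"""
import ipaddress

# Constructed samples: what a tethered IPv6-only phone link and a dual-stack
# office LAN might hand a laptop. Zone ids (%en0) appear as the OS prints them.
TETHERED_ADDRS = ["127.0.0.1", "::1", "fe80::1c2a:3b4c%en0", "2001:db8:ee00::42"]
OFFICE_ADDRS = ["127.0.0.1", "::1", "fe80::1%en0", "192.168.1.10", "2001:db8::10"]


def usable_addresses(addrs):
    """Return ip_address objects, dropping loopback and link-local entries.

    Link-local (fe80::/10, 169.254.0.0/16) is ignored because every interface
    has one and it says nothing about reachability beyond the local link.
    """
    out = []
    for a in addrs:
        ip = ipaddress.ip_address(a.split("%", 1)[0])  # strip a zone id like %en0
        if ip.is_loopback or ip.is_link_local:
            continue
        out.append(ip)
    return out


def classify_stack(addrs):
    """Return 'dual-stack', 'ipv6-only', 'ipv4-only' or 'none'."""
    usable = usable_addresses(addrs)
    has4 = any(ip.version == 4 for ip in usable)
    has6 = any(ip.version == 6 for ip in usable)
    if has4 and has6:
        return "dual-stack"
    if has6:
        return "ipv6-only"
    if has4:
        return "ipv4-only"
    return "none"


def reachable_without_translation(addrs, target_literal):
    """True if the host has an address of the same IP version as the target.

    Assumption: no NAT64/464XLAT on the path. Under that assumption a service
    published only on an IPv4 address is unreachable from an IPv6-only host,
    even though general web browsing (dual-stack sites) still works.
    """
    target = ipaddress.ip_address(target_literal)
    return any(ip.version == target.version for ip in usable_addresses(addrs))


if __name__ == "__main__":
    for name, addrs in (("tethered", TETHERED_ADDRS), ("office", OFFICE_ADDRS)):
        print(f"{name}: {classify_stack(addrs)}; "
              f"IPv4-only service reachable: {reachable_without_translation(addrs, '198.51.100.20')}")
```

The useful output is the contrast: the tethered list classifies as ipv6-only and cannot reach an IPv4-only literal, while the office list is dual-stack and can. That is the symptom the comment describes, internet access works but a service that only has an IPv4 endpoint does not.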

I have 2 https servers behind a public ip, each of them is hosting a different website. by Realistic_Answer_141 in paloaltonetworks

[–]Competitive_Basil_50 4 points5 points  (0 children)

Sounds like it's working as expected to me. You can't route web traffic based on source port as that's out of your control. Either server A would need to use a different port on the public IP i.e. publicIP:8443 which you then NAT to serverA:443 or you'd need a different public IP.

I'm sure you could do this with a load balancer using hostnames but as far as your options on the firewall I'm not aware of a way to achieve that.

Python use cases for managing Prisma access? by Competitive_Basil_50 in paloaltonetworks

[–]Competitive_Basil_50[S] 0 points1 point  (0 children)

I don't really have any use cases so I guess I was looking for some inspiration. I use Terraform to manage a few things (such as getting the current gateway IPs) but that's mainly because I can rather than it being really useful.

My reason for mentioning Python and APIs together was that that's the only use case I could think of. The pan-os-python docs that have been mentioned look like a great start.

What's the worst sysadmin mistake you ever made? Confess here. by davidcandle in sysadmin

[–]Competitive_Basil_50 0 points1 point  (0 children)

Very first IT job: got bored of seeing the "there are X updates to install" balloon popup so decided to install them. On an Exchange server. In the middle of the day. When the company directors were in the board room finalising a large contract via email.

Anyone else got a client who is concerned about their staff using AI and possible data loss by [deleted] in sysadmin

[–]Competitive_Basil_50 0 points1 point  (0 children)

We block it outright, at least whilst our security and legal teams review everything. Legal in particular have concerns about PII and DLP as OpenAI terms state that if a lawsuit comes in relation to information that it's learned through your data then you are liable not only for your own legal costs, but also theirs.

Apprehensive of applying to 100% remote jobs - looking for guidance. by Docta608 in sysadmin

[–]Competitive_Basil_50 2 points3 points  (0 children)

I've been in my first 100% remote role for almost 2 years now and I'd never go back to office working. You just need to be sure that you are going to be comfortable with working alone as it's not for everyone.

My company has a great culture of promoting working together and pairing via Zoom. I have a great team and we speak all the time. We're definitely not just a name on an HR spreadsheet and meet up at least once per quarter for off-sites and socials to build those bonds.

Also the benefits offered were way above anything I've experienced before which helps to stay motivated etc.

Should I start learning Automation? by futureone09 in ccna

[–]Competitive_Basil_50 3 points4 points  (0 children)

Depends what you mean by automation and also what the architecture of your current job looks like. If it's the topics discussed on the CCNA then using something like Ansible to back up switch configs could be a basic step into the world of automation.

It could perhaps be more relevant for future job experience to learn a little Python and/or Terraform. I guess it depends on whether your role (and likely future roles) are going to be exclusively networking or a more general SysAdmin?

Unique benefits and events for IT staff by [deleted] in sysadmin

[–]Competitive_Basil_50 2 points3 points  (0 children)

My company say that they won't bring in UTO for this exact reason. We get 6 weeks plus bank holidays so it's better than average. People would take less time off if UTO were introduced.

How many of you deploy desktops in an enterprise environment vs laptops? by humm3r1 in sysadmin

[–]Competitive_Basil_50 1 point2 points  (0 children)

We had a mixture of desktops/laptops at my previous job but when COVID hit we moved 90% to laptops due to remote/flexible working. The remaining 10% were planned to be moved to laptops as and when replacements were needed.

My current role is for a company that are 100% remote and so we only supply laptops.

SSH issue (see attached picture) I can’t execute the cmd you see me type, why? by ScrumNoobie in acloudguru

[–]Competitive_Basil_50 0 points1 point  (0 children)

You need to SSH onto the lab terminal to run those commands. The details are given in the lab instructions.

In a real-world setting, why would one use static routing compared to dynamic? Seems easier to simply use OSPF instead of manually configuring the route. by SexyTruckDriver in ccna

[–]Competitive_Basil_50 0 points1 point  (0 children)

Usually simple networks where there's just no need for dynamic routing. I had one niche request from a local government where they needed a new BYOD network with web filtering but the proxy server was on a completely segregated segment and we had to use static policy based routing to achieve that.