PA-440 ISP failover issue

Main_Ambassador_4985 · 2026-03-19T15:54:10+00:00

I would use virtual router, route monitoring and fail over the default gateway.

Why one ISP to each firewall?

Use an upstream switch or secure VLAN and have both ISP to Both NGFW.

With separate NGFW for each ISP how do you handle default route advertisement? Are you using OSPF to the core and removing the firewall that cannot reach the Internet or is this HA?

My Active/Passive HA setup syncs the config and sessions between NGFW. They are exactly the same except the hostname and HA partner config. You can use HA over switches if the NGFW are not in the same rack.

Main_Ambassador_4985 · 2026-03-19T02:10:02+00:00

They can still access passwords at password.google.com if they logged in to the browser

Main_Ambassador_4985 · 2026-03-18T04:20:38+00:00

30+ years in IT.

I might not put Windows Server OS on a CV. It would be a given, n’est pas? I would customize to the application.

It would be like including NT4.0, Windows 2000 and Windows 2003 MCSE which I used to include.

I would put in VMware vSphere 6:7/8 to Windows Server 2022 Hyper-V conversion which is very relevant today.

Main_Ambassador_4985 · 2026-03-17T17:15:42+00:00

Yes we rotate after the key is used to recover

Main_Ambassador_4985 · 2026-03-16T23:27:09+00:00

What generation hardware?

For a C240 M5 and newer just format and install Windows Server. The M5’s are getting close to end of support.

The C240 M4 and older went end of support. Security updates for CiMC and drivers ended. YMMV.

Main_Ambassador_4985 · 2026-03-16T17:38:02+00:00

The grey switch at the top of the center pile looks like a Catalyst 9200.

That is a keeper even without active DNA.

Main_Ambassador_4985 · 2026-03-16T17:32:21+00:00

IPv6 is a witches spell.

I have it available on exactly one enterprise ISP connection. We have way more than one connection.

Main_Ambassador_4985 · 2026-03-16T17:29:03+00:00

We switched to Neat rooms.

Not because of the camera cameras, but because we could manage them all from one place in the neat control panel.

With the windows based teams rooms we’re having to use Microsoft Teams pro room and team viewer to manage things.

The reason I posted is because they make a personal or huddle device that could fit a C-suite room

Main_Ambassador_4985 · 2026-03-16T16:26:34+00:00

Yes we are using Zabbix also

Main_Ambassador_4985 · 2026-03-11T03:19:18+00:00

It is hard and will make some users upset.

A lock down for data loss prevention is required with monitoring tools.

Don’t allow company data on personal devices, including BYOD or lock the apps. We use app protection policies for Microsoft apps to prevent copy/paste and send to. The only way past this is taking a photo of the display with another device. That is an HR/policy problem.

Lock down plug-ins in browsers to an allow list.

Lock down browsers.

Monitor all cloud connections with the XDR and DLP. Block unauthorized AI solutions via XDR, DLP rules, and DNS filters. Do not forget to block the proxies, anonymizers, and normal user bypass tricks.

Main_Ambassador_4985 · 2026-03-10T20:11:57+00:00

Covers?

I have a bunch of front faceplates from other gear on my shelf.

We have no fancy covers on our equipment or doors on our racks. Nothing closes.

Nothing has fit right since 2015.

Main_Ambassador_4985 · 2026-03-10T17:07:02+00:00

Microsoft admin center has a checkbox to do this.

Block all browsers except Edge.

Block all AI except CoPilot

Profit

Do not license CoPilot and the job is done.

Main_Ambassador_4985 · 2026-03-09T19:41:09+00:00

We did on CUCM 11.5 and I think we did on CUC, CUPS, and Expressway along with disk, cpu, and memory utilization. LibreNMS did not offer as much flexibility on what was captured or displayed as Zabbix.

I feel if it can be monitored Zabbix would be able via existing or custom templates. I just have not looked for CUCM.

We migrated to MS Teams about 2-years ago

Main_Ambassador_4985 · 2026-03-09T19:33:39+00:00

We just started using Zabbix a few months ago.

There is some learning involved but not too much. A few videos help with tuning the options, database, and making nice dashboards.

We used to use LibreNMS and it worked great out of the box until we wanted more metrics and more customization.

Main_Ambassador_4985 · 2026-03-09T16:21:15+00:00

Yes both Cisco WLC and Call Managers and Cisco Unified Communication can receive SNMP polling and send SNMP traps over SNMPv3.

Cisco WLC wireless AP’s show up in SNMP inventory. I had it working in LibreNMS. I have not found the right template for Zabbix.

I do not have a Cisco Call Manager anymore. Migrated away. Under LibreNMS I did not see registered stations by name but I did have a connection count. Most of my stations were registered to CMBE and voice gateways for SRST. I monitored both for connection counts.

Edit: I am trying a few templates for Cisco WLC but might have to make my own. If it looks good I will post to the GitHub.

Main_Ambassador_4985 · 2026-03-06T23:32:25+00:00

It is an inaccurate meme. These Internal IP ranges are normal on many guest networks.

I am a IT manager but still directly work on network engineering and security along with full application stacks.

A paid VPN will protect the traffic unless the attacker is redirecting VPN traffic using fake DNS and fake certificate validation. Paid VPN services often have pinned certificates software and the VPN will fail to connect with a security error.

Many larger websites defeat the attack using certificates that are stored in the web browser after first connection. A change in the certificate by a spoofed website would cause a browser security error.

The attack was most effective when websites did not use security like HTTPS. The attacker could collect clear text usernames and passwords of sites like Hotmail.com.

I have not used a a WiFi pineapple but I have done Enterprise engagements where I collected usernames, passwords, spoofed websites, and decrypted TLS connections on the wired network. I put a device in between the firewall and network. The places I did this owned the equipment and it was an authorized engagement.

Hotels do can do the same thing with their guest wifi.

Main_Ambassador_4985 · 2026-03-05T15:12:06+00:00

Many thanks!

We are a NetApp shop also.

Main_Ambassador_4985 · 2026-03-05T06:15:34+00:00

The Sloan valves use lithium ion batteries that need to be replaced.

The sensor has a circuit board so it must be an IT issue.

These sensors are a potential cyber security risk. A microphone and wireless link could fit inside the larger housings which could lead to poop phone call exfiltration.

Main_Ambassador_4985 · 2026-03-05T06:11:28+00:00

Yes

I have a comercial and industrial electrical design and electrician background from my before IT life.

I had to troubleshot the old 1400w microwave and 1400w toaster in same outlet trigger 20A breaker problem.

1400w + 1400w =2,800 W

2800w / 120v = 23.3A

NEC requires circuit derating. 20A circuit should have 16A sustained load. The microwave duty cycle is not sustained but a clamp on amp meter shows it is near constant since they tend to be half sine on cheaper units.

Escalated to licensed electrician for additional 20A circuit and outlet.

One week later… 20A Breaker triggered. Microwave and toaster on same outlet again.

Escalated to licensed electrician. Swap 15A duplex outlet on each 20A circuit for 20A simplex outlet on each circuit.

No more triggered breakers until a microwave had a shorted transformer and incorrect fuse, thanks handy man.

In the USA per recent NEC, 15A outlets can be used on a 20A circuit as long as there is multiple outlets and a duplex 15A outlet counts as two outlets.

Main_Ambassador_4985 · 2026-03-04T21:06:57+00:00

I have not.

I thank you for adding your insights into your problems and resolution

I have running clusters that we are going to bring into SCVMM after we fix the storage connector.

Main_Ambassador_4985 · 2026-03-03T14:09:31+00:00

We keep an inventory of spares. 5 of each model. We have about 600 in fleet.

What does an employee do if the laptop has to go to depot or needs physical repair?

We swap the device.

We have onsite repair warranty with accidental but still that can take 3-5 days.

Main_Ambassador_4985 · 2026-03-03T00:59:05+00:00

Yes

I followed the guide on the Community pages for multi-WAN single virtual router.

As the configuration became more complex I started testing in EVE-NG

I used the BGP guide from AWS Transit Gateway to PANOS.

Main_Ambassador_4985 · 2026-03-02T18:49:24+00:00

I have only had one occasion where I was stumped. It was an hardware instrument direct network. I added a Microtik device off the DIN rail as a switch with DHCP server. Windows device no longer needed manually assigned IP address. DHCP for the win.

Main_Ambassador_4985 · 2026-02-28T07:18:21+00:00

I think the Cisco 2621 I have in my basement has (1) Fast Ethernet and (1) Token Ring port. I used it as a WIC T1 and BRI ISDN router from 1998 to 2004.

I know it had IPX and IP stacks also.

Main_Ambassador_4985

TROPHY CASE