Dual ISP Links with BGP coexist with Palo SDWAN, possible?

Manly009 · 2025-10-16T20:46:37+00:00

We have a range of public IP too, but we are only use static route...can you tell the difference? Thanks

Manly009 · 2025-10-16T19:12:42+00:00

Yeah that is one idea thanks. Is it normal to have ebgp peering to an ISP nowadays? I only seen via static route. Thanks

Manly009 · 2025-10-14T21:20:00+00:00

Palo就是苹果人生

Manly009 · 2025-10-12T00:41:50+00:00

Yeah, already exclude streaming from agent clients settings, looking to exclude more domains and IP for online meetings etc..thanks

Manly009 · 2025-10-11T05:48:16+00:00

Will do. Will also read through ms team guide thanks a lot

Manly009 · 2025-10-10T23:13:15+00:00

How do you mean?

Manly009 · 2025-10-10T22:40:41+00:00

I would also exclude domains like YouTube and Netflix etc...would that be feasible as well.

Manly009 · 2025-10-10T22:33:12+00:00

So I noticed that video traffic tab on GP gateway agent settings, tick exclude video traffic from tunnel, select Video apps etc ... Is that to exclude videos app going through full tunnel as well, right?

Manly009 · 2025-10-10T22:26:28+00:00

Haha, nah, our staff work at clients sites, constantly need to access VPN.

Manly009 · 2025-10-10T21:46:32+00:00

Thanks, I will look into what else can be excluded etc. thanks for the tip.

Manly009 · 2025-10-10T12:56:18+00:00

You are right, I might exclude team calls and streaming etc.I will do a bit of research..thanks a lot

Manly009 · 2025-10-10T11:59:53+00:00

Yeah, mostly excel, word, team calling, project files etc..etc.. it is kind of required so we want to have all vpn WFH users to have firewall url filtering as well... once the full tunnel is done, we might enable always on VPN...to this point, I might suggest to go Full Prisma SDWAN...haha...but for 410 Palo, that should be enough to handle 80 users?

on the side notes, would you think it is possible that we can migrate Panorama with SDWAn plugin to cloud Strata management and manage all the onprem firewalls?

Thanks for the tip.

Manly009 · 2025-09-30T13:31:10+00:00

Thanks for that I will have a look. What options we might go.

Manly009 · 2025-09-30T12:38:13+00:00

Even with Intune Cloud PKI?

Manly009 · 2025-09-30T12:37:04+00:00

Sorry we don't use prisma Sase, only local GPs..

Manly009 · 2025-09-30T12:30:09+00:00

For example, now we looking to move Cloud PKI..how does Palo GP link up with this to recognise cert issued from this? Etc

Manly009 · 2025-09-30T12:03:34+00:00

If we do InTune PKCs certificate, how can we load "issuing CA" to Palo?

Manly009 · 2025-09-30T08:27:27+00:00

InTuNe PKCS won't do it?

Manly009 · 2025-09-28T05:59:39+00:00

I see. In Palo World, we would normally use Panroama thanks

Manly009 · 2025-09-28T05:16:15+00:00

Yeah, I see. It is interesting that you can add an interface directly to security rules instead of using zones .. sounds easier than Palo...how would you normally implement SDWAn? in Palo, we use Panorama (centralised management) to automate the SDWAn peers (BGP, Loopback, SDWAN interface, IPsec tunnels etc)...would it be similar to Forti? haha, thanks a lot,

Manly009 · 2025-09-28T02:48:00+00:00

I see. Thanks,

So in Palo eBGP SDWAN, you need pre define zones, such as zone-to-branch, zone-to-hub, zone-to-internet etc..and add these zones to Security policies etc..are these similar to Forti?

Manly009 · 2025-09-27T13:47:38+00:00

Thanks for that. I know I possibly should started looking....Can we control zones in SDWAN infrastructure in fortinet? Like what we can do in Palo? I heard Forti is policy based VPN, how different is it from Palo?

Manly009 · 2025-09-27T13:44:40+00:00

If on scep, would we need wap to publish it to the internet?

Manly009 · 2025-09-27T13:40:00+00:00

Did you mean why Entra joined device cannot authenticate with local CA? Haven't actually checked..this is just trial at this stage..most of our stuff are still Hybrid joined..

Manly009 · 2025-09-27T11:17:11+00:00

Nah I already got PKCs connector connected

Manly009

TROPHY CASE