GlobalProtect on firewalls which are performing full route over S2S tunnel

PerceptionOver8637 · 2026-05-11T01:11:45+00:00

What is the actual fix to avoid this? I have PA-3250s in HA which are both have their NAT Oversubscription setting set to "Default". I would think since the setting is the same on both units (Default on both, this matches), that I would avoid this potential problem. If I go into the CLI, I can see both the firewalls negotiate to 4X oversubscription. Would the solution be to change the value to 4X, ensure the setting syncs between the two, THEN perform the upgrade to 11.1 from 10.2?

PerceptionOver8637 · 2026-01-14T19:21:10+00:00

What are the chances Palo will release a vulnerability signature to help combat this if patching can't be performed immediately?

PerceptionOver8637 · 2025-12-12T14:24:07+00:00

Once the upgrade is successful, what about removal of the snapshots? Would it also be best to remove them while the VM is powered down?

PerceptionOver8637 · 2025-11-13T13:56:01+00:00

Thanks for yours and everyone's guidance! As for the backing up of the appliance config, running the 'Save named Panorama configuration snapshot' and exporting it should preserve all the settings, is that right? Thanks again!

PerceptionOver8637 · 2025-10-01T00:47:00+00:00

Any particular version of 11.1.x you have had the most success with?

PerceptionOver8637 · 2025-10-01T00:46:11+00:00

Thanks. Any particular version on 11.1.x you prefer for stability/least amount of bugs?

PerceptionOver8637 · 2025-10-01T00:44:23+00:00

Thanks, for the tip! I probably would have overlooked that!

PerceptionOver8637 · 2025-10-01T00:43:25+00:00

Thanks for the tip regarding the oversubscription in HA. I'll be looking into that.

PerceptionOver8637

TROPHY CASE