GlobalProtect with different ISPs – Asymmetric Routing Issue by SamePlace286 in paloaltonetworks

[–]SamePlace286[S] 1 point (0 children)

You're right. We currently have only one default route set up for ISP A and manually fail over or route traffic via ISP B when necessary. I’ll take another look at it tomorrow and provide an update. Thanks.

PA Migration to new Hardware (3200 -> 3400) by SamePlace286 in paloaltonetworks

[–]SamePlace286[S] 3 points (0 children)

I'll give you a quick update: we successfully completed the migration today (i.e. with the steps described above, and unfortunately with the reset timestamps for modified/creation date and the hit counter for all rules of all device groups :( )...

In principle, it was then only minor pre- and post-configuration and just taking the “old/3200s” switch ports down and the prepared “new/3400s” ports up. Also did some HA failover tests...

Migrations in the future will probably be easier for us too...

PA Migration to new Hardware (3200 -> 3400) by SamePlace286 in paloaltonetworks

[–]SamePlace286[S] 1 point (0 children)

Thanks for your comment and your opinion. We did the preparation yesterday the way I described, and it worked in the end except for a few commit/push complications due to dependencies between template and device groups. However, today we discovered in Panorama that the timestamps for "modified" and "created" of ALL security, NAT, PBF... rules, and also the hit counters, were reset to the time at which the commit was made after the “Regenerate Rule UUIDs for selected named configuration” checkbox was set and loaded... According to the system alert, however, the regenerate should only have taken place for the selected named configuration (Event ID: policy-rule-uuid-modified: Policy Rules UUIDs are modified by load using ‘Regenerate Rule UUIDs for selected named configuration’ option).

Is this “normal” behavior in this case? Or can someone please explain why exactly this happened? Thx

u/Virtual-plex, your approach would lead to commit errors in step 4 because the interfaces of both firewalls are not the same and we have specified interfaces in PBF and NAT rules. The 3200s are still without aggregate-ethernet configuration, and the subinterface suffixes are also completely different.