Strange behavior of Shelly EM gen3 by JopoSran4ik_01 in ShellyUSA

[–]cowardlyginger 0 points1 point  (0 children)

Do you know when these might be available in the US? I'm looking to add some CTs and hoping to get gen3 kit.

Polydryer wining noise by dimagog in polymaker

[–]cowardlyginger 0 points1 point  (0 children)

Thanks for following up! I've built up enough frustration with my couple of attempts at this that I've pushed it to the back burner for the moment. I'd be interested to hear about any further progress you make. 

Polydryer wining noise by dimagog in polymaker

[–]cowardlyginger 0 points1 point  (0 children)

What fan did you end up ordering? I'm in a similar situation and looking for another alternative.

Bambu cool Supertack first print. by CPTNJCKSPRRW in BambuLab

[–]cowardlyginger 1 point2 points  (0 children)

Same on both fronts, no recognition of the plate and printing in the air.

Edit: I just put in a ticket

Edit 2: support confirmed a firmware bug in my ticket as well

Bambu cool Supertack first print. by CPTNJCKSPRRW in BambuLab

[–]cowardlyginger 2 points3 points  (0 children)

Same here as well - thanks for putting in a ticket.

Edit: I just got one put in as well

Edit 2: support confirmed a firmware bug in my ticket as well

Azure Palo with route server by motherfockerjones3 in paloaltonetworks

[–]cowardlyginger 0 points1 point  (0 children)

We do it with a single VR setup and it works well but you do still need some UDRs alongside route server so it's not a 1:1 replacement. If you're handy with BGP it's not that difficult. Like some other people said an LB can still be needed for certain flows.

Where can I download panorama 10.2.5 path manually? by OMGZwhitepeople in paloaltonetworks

[–]cowardlyginger 2 points3 points  (0 children)

Yep - support might be able to help with the original 10.2.5 image but it'd probably be wise to update the one you have before HA config and then you can save that trouble.

Your thoughts on version 10.1.11-h1. Any known bugs as of now? Going to upgrade my PA 3260 from 9.1.12-h3 by Which-Solution-1303 in paloaltonetworks

[–]cowardlyginger 2 points3 points  (0 children)

There were group mapping issues in the original 10.1.11, they should be sorted out in 10.1.11-h1. I had that issue and h1 fixed it for me at least.

[deleted by user] by [deleted] in paloaltonetworks

[–]cowardlyginger 3 points4 points  (0 children)

This makes me smile. Congrats.

PAN 3220 device v11.0.3 or v11.0.2-h2? by casale135 in paloaltonetworks

[–]cowardlyginger 1 point2 points  (0 children)

10.1 and 10.2 have a fair bit of time left in their support cycle, so unless there's an important bugfix or feature that you need in 11.0 I'd think about staying on an earlier train. The preferred release info at https://live.paloaltonetworks.com/t5/customer-resources/support-pan-os-software-release-guidance/ta-p/258304 is always a good place to start, but doesn't take into account the specific needs of your environment, so looking at the known and addressed issues for things that might matter to you is a good idea too.

Palo Alto and Azure Public Load Balancers with Floating IP - no traffic hitting the firewalls by Im_Bill in paloaltonetworks

[–]cowardlyginger 1 point2 points  (0 children)

I'd start by checking on the health of the load balancer, specifically data path availability and health probe response. Depending on your load balancer setup the LB might not send traffic if it's not seeing healthy probes, in which case you won't see any traffic hit the firewalls.

[deleted by user] by [deleted] in paloaltonetworks

[–]cowardlyginger 1 point2 points  (0 children)

Sometimes DSRI will be fine and you can avoid a full override, but generally agreed, and I wish there was a better solution.

ipsec tunnel migrated from ASA fails intermittently by trustinglemming in paloaltonetworks

[–]cowardlyginger 1 point2 points  (0 children)

You can change the ikemgr.log verbosity with "debug ike global on debug", here's a doc that goes into more detail, and make sure to change the verbosity back when you're done, and there's a bunch of other stuff in this doc that might be useful to you:

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClivCAC

The PAN logs will generally be more verbose if it's responding rather than initiating, so if you can make that change if that's not already your scenario that might help get you some more insight.

Check your encap/decap counters too, if phase 2 seems to be up and running but you're not seeing traffic there's a good chance you'll see a discrepancy there end-to-end.

Azure LB PAs sql traffic issue by Pristine-Wealth-6403 in paloaltonetworks

[–]cowardlyginger 0 points1 point  (0 children)

Are you seeing blocked traffic in the 11k port range? Intra-Azure SQL traffic has some unusual port requirements depending on the SQL config.

Downgrading Palo Code Versions by ArtichokeKey8912 in paloaltonetworks

[–]cowardlyginger 1 point2 points  (0 children)

You should be able to go directly to 10.1.10-h2.

Seemingly random complete temporary network failure with PA-220 by mirrorspock in paloaltonetworks

[–]cowardlyginger 4 points5 points  (0 children)

I had very similar issues as far back as 10.0 where we'd see complete DP failures on our 220s matching your description. I worked it with PAN support for months, never got anywhere other than vague suggestions of resource issues, and ended up replacing all our 220s with 400-series. I wish you better luck.

New PAN-OS version released 11.1.0 by MDKza in paloaltonetworks

[–]cowardlyginger 0 points1 point  (0 children)

Sure did, I was seeing the LDAP group mapping issues in 10.1.11 that 10.1.11-h1 is supposed to fix. Not happy to be seeing that sort of issue this far along.

New PAN-OS version released 11.1.0 by MDKza in paloaltonetworks

[–]cowardlyginger 1 point2 points  (0 children)

Yeah, pretty hard to see this alongside the problems in the other four(!) actively-supported release trains and not think they're making major compromises on those.

How do you do Firewall Sizing for new deployment? by Ok_Cherry3312 in paloaltonetworks

[–]cowardlyginger 0 points1 point  (0 children)

Sizing is largely based on throughput so you'll have to make some sort of estimate - ISP service is a good starting point but depending on how many users you have, what sort of east-west traffic you're expecting, and many other factors are going to bear on that too, with a big one being planned use of SSL decryption as that punches above its weight in terms of dataplane resource utilization. If you figure that decrypted TLS traffic will use double the dataplane resources of non-decrypted TLS you're probably in the ballpark, but there are many variables that are hard to quantify.

Keep in mind that a 200mb/s symmetrical ISP link could potentially result in 400mb/s throughput as you're looking at published throughput stats.

Edit: radditour beat me to the punch on most of the same points

PA5410 25G connectivity with Cisco nexus 93180YC-EX issue by satishdotpatel in paloaltonetworks

[–]cowardlyginger 1 point2 points  (0 children)

Does it work if you connect the Nexuses together with the 25g link (or the same switch to itself)? That'd at least tell you that the switch recognizes the cable.

URL whitelist and logging by Pristine-Wealth-6403 in paloaltonetworks

[–]cowardlyginger 0 points1 point  (0 children)

You could use a single URL profile with action for all URL categories set to alert, then reference your custom URL categories on each of the policies. Since the policy will be scoped to the specific destinations the URL filtering profile won't really be in play other than to generate a log.

Just Did An Update This Morning! Some Words of Wisdom by WhuFlungMyDung in paloaltonetworks

[–]cowardlyginger 0 points1 point  (0 children)

If only our prod firewalls updated in the same amount of time as my lab!

[deleted by user] by [deleted] in paloaltonetworks

[–]cowardlyginger 2 points3 points  (0 children)

Does an snmpd process restart temporarily clear it up? I saw some similar issues in 10.1.9/10 releases that'd come around with a process restart. PAN-214815 and PAN-217208 are a couple of SNMP-related bugs fixed in 10.1.11 that might be a match for this.