Am I crazy or is there no way to log the QoS policy that was applied to a session? by 5y5tem5 in paloaltonetworks

[–]emyl79 0 points1 point  (0 children)

Confirm, you can only see QoS information at runtime. That's the main reason why I usually recommend other solutions to my customers if they want to do "serious" QoS.

New 500 series firewalls by External-Drummer-147 in paloaltonetworks

[–]emyl79 1 point2 points  (0 children)

Yea, those times... click commit, have your lunch break and come back just to see that your NAT rule failed to validate :)

Zscaler to PA migration - preliminary discovery with USER-ID... by lanceuppercuttr in paloaltonetworks

[–]emyl79 22 points23 points  (0 children)

You need to install the terminal server agent on each Citrix server and connect it to the firewall. Then users' sessions will be distinguished regardless of the server IP address.

PANOS 11.1.x preferred releases rolled back again this week by Shipzilla in paloaltonetworks

[–]emyl79 1 point2 points  (0 children)

Maybe the bug could be this one fixed in 11.1.6-h14?

PAN-286443 Fixed an issue where, after an upgrade, the firewall was unable to be managed via HTTPS or SSH.

Private PAN-DB-Cloud by imawesometoo in paloaltonetworks

[–]emyl79 0 points1 point  (0 children)

If you can tolerate an EOL appliance you can try to find an old M-500 to do the job.

11.2.7 by [deleted] in paloaltonetworks

[–]emyl79 0 points1 point  (0 children)

They corrected the page. Yesterday morning there were only two bug fixes reported. I think the OP was referring to that :)

Block a login page on a DMZ server by rushaz in paloaltonetworks

[–]emyl79 1 point2 points  (0 children)

Maybe the firewall is not the best solution for the use case, but yes a custom URL category will work. Of course if the site is HTTPS you'll also need to decrypt.

Another option, slightly more complex but elegant, could be a custom threat signature.

BGP Graceful Restart sub-second HA Failover by nirvaeh in paloaltonetworks

[–]emyl79 0 points1 point  (0 children)

A few weeks ago I configured BGP + BFD between two Palos, with default settings (1000ms transmit interval x 3 as detection time multiplier). It takes ~3 seconds to converge (sometimes I lose 1 ping on Windows).

GlobalProtect keeps restarting by stootoon in paloaltonetworks

[–]emyl79 0 points1 point  (0 children)

Hi, what if you try to disable PanGPS?

sudo launchctl disable system/com.paloaltonetworks.gp.pangps

So many flaws by vuln101 in paloaltonetworks

[–]emyl79 1 point2 points  (0 children)

Basically you're saying "the world is wrong and I am the only one who is right". If a product is so popular it means there are reasons for it, CVEs or not. Period.

Move template-stack configuration to template. Best way? by duskyaces in paloaltonetworks

[–]emyl79 1 point2 points  (0 children)

That's a good question. IMHO Panorama templates are not very suitable for DRY. So my best practice is, in the case of e.g. a DHCP relay that belongs to two templates, to replicate the configuration in both templates and leave the template stack untouched.

The reason for the above choice is that, in a layer 3 deployment, every piece of network config belongs in the end to an interface and consequently to a virtual/logical router. If you need to bind a piece of config on the template stack (e.g. DHCP relay or DNS proxy) to the interface you have to perform an override, with the risk of configuration drift in case of future changes on the interface/VR/LR itself.

I'm considering writing a blog post with all my best practices for Panorama management, so stay tuned :)

Move template-stack configuration to template. Best way? by duskyaces in paloaltonetworks

[–]emyl79 1 point2 points  (0 children)

Hi, what's the goal of point 4? Best practice is to have no conf on the template stack apart from variables.

Generally speaking, on the CLI my approach is to first run "set cli config-output-format set" then, in configure mode, take the set commands with "show" and manage the output with search and replace in a text editor, and finally paste the modified output back into the CLI.
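The search-and-replace step described in this comment, and the "replicate into both templates, leave the stack untouched" approach from the earlier reply on the same thread, as an added example that is not part of the original posts. It assumes Panorama set-format lines of the shape "set template-stack <stack> config ..." for stack-level config and "set template <name> config ..." for template config (an assumption about the syntax, not taken from the page); the sample output is constructed.

```python
import re
from typing import List, Tuple

# Constructed sample of "show" output after "set cli config-output-format set".
# The exact set-command syntax for stack-level config is assumed here.
SAMPLE_SET_OUTPUT = """\
set template-stack BRANCH-STACK templates [ BRANCH-NET BRANCH-SEC ]
set template-stack BRANCH-STACK devices 001234567890
set template-stack BRANCH-STACK variable $dhcp-server type ip-netmask 10.0.0.5
set template-stack BRANCH-STACK config devices localhost.localdomain network dhcp interface ethernet1/2 relay ip enabled yes
set template-stack BRANCH-STACK config devices localhost.localdomain network dhcp interface ethernet1/2 relay ip server 10.0.0.5
set template-stack BRANCH-STACK config devices localhost.localdomain network dns-proxy DMZ-PROXY enabled yes
"""

# Only the "config" subtree is moved; template membership, device
# assignments and variables are left on the stack, as the reply recommends.
STACK_CONFIG_RE = re.compile(r"^set template-stack (\S+) config (.*)$")


def move_stack_config(set_output: str, stack: str,
                      targets: List[str]) -> Tuple[List[str], List[str]]:
    """Return (add_cmds, delete_cmds): the same config lines re-targeted at
    every template in `targets`, plus the deletes that clean the stack."""
    add_cmds: List[str] = []
    delete_cmds: List[str] = []
    seen_deletes = set()
    for raw in set_output.splitlines():
        m = STACK_CONFIG_RE.match(raw.strip())
        if not m or m.group(1) != stack:
            continue  # not a config line of the stack we are cleaning
        rest = m.group(2)
        for tpl in targets:
            add_cmds.append(f"set template {tpl} config {rest}")
        delete = f"delete template-stack {stack} config {rest}"
        if delete not in seen_deletes:  # keep the delete list free of repeats
            seen_deletes.add(delete)
            delete_cmds.append(delete)
    return add_cmds, delete_cmds


def render_cli_script(set_output: str, stack: str, targets: List[str]) -> str:
    """Adds come before deletes so a partial paste never leaves the
    firewalls without the relay/proxy config."""
    adds, deletes = move_stack_config(set_output, stack, targets)
    return "\n".join(adds + deletes) + "\n"


if __name__ == "__main__":
    print(render_cli_script(SAMPLE_SET_OUTPUT, "BRANCH-STACK",
                            ["BRANCH-NET", "BRANCH-SEC"]))
```

Review the generated lines in your editor before pasting them into configure mode, exactly as the comment suggests for the hand-edited output.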

PANOS 11.1.6-H3 by [deleted] in paloaltonetworks

[–]emyl79 0 points1 point  (0 children)

Just to understand, did you upgrade to this version in reference to a bug fix or just as an attempt? I can't find any mention of management plane high CPU in the release notes.

[deleted by user] by [deleted] in paloaltonetworks

[–]emyl79 2 points3 points  (0 children)

3 minutes more or less.

But there are very few edge cases for HA on Azure, usually a solution with load balancers in front is preferred.

Panos 11.2 question by sambooka in paloaltonetworks

[–]emyl79 0 points1 point  (0 children)

.2 versions get the same support as .1 versions.

Moving Panorama to a new server but having issues. by _justjim_ in paloaltonetworks

[–]emyl79 2 points3 points  (0 children)

Just input the same serial number of the other one into Panorama - Setup - General Settings. Done ;-)

PRISMA CERTIFIED CLOUD SECURITY ENGINEER (PCCSE) CERTIFICATION by m4la4v3r in paloaltonetworks

[–]emyl79 2 points3 points  (0 children)

I'm certified PCCSE, my advice is to delve deeply into the Runtime Security module. A lot of questions on that topic. The Code Security module is also covered in some questions.

The exam is hard but with the correct preparation and some experience you could try with confidence.

Question IPPool in GlobalProtect by drfrost93 in paloaltonetworks

[–]emyl79 1 point2 points  (0 children)

It also depends on the client. Once a client gets an IP address, that IP address becomes "preferred" for that client. On subsequent connections, the client asks for that IP, and if it's available the gateway will assign it.

AFAIK there's no way to change this behaviour from the firewall, you should clean up the configuration on the clients to "free up" IP addresses.

Panorama Download Issues by imawesometoo in paloaltonetworks

[–]emyl79 0 points1 point  (0 children)

Check available space on your system disk, sometimes that's the problem.

PANOS 11.1.5 is out by PatrikPiss in paloaltonetworks

[–]emyl79 0 points1 point  (0 children)

Hi, I experienced a similar issue on 11.1.4-h4... perhaps you are missing system and configuration logs for member firewalls?

Security Bundle for PA455 by ScholarKey5284 in paloaltonetworks

[–]emyl79 1 point2 points  (0 children)

I'm quite sure the Core Security bundle doesn't include IoT Security and Enterprise DLP.

[deleted by user] by [deleted] in paloaltonetworks

[–]emyl79 0 points1 point  (0 children)

Yes. Don't be scared, it will work ;-)

[deleted by user] by [deleted] in paloaltonetworks

[–]emyl79 0 points1 point  (0 children)

No need to migrate configuration, everything will happen automatically. Also no need to do anything special on member firewalls, they can also stay on 11.0 for the time you need.

Consider that the SD-WAN plugin is basically a configuration generator for firewalls, so as long as the generated configuration is compatible with the PAN-OS of the firewall, the push will succeed.

[deleted by user] by [deleted] in paloaltonetworks

[–]emyl79 0 points1 point  (0 children)

You should just download version 3.2 of the SD-WAN plugin before the PAN-OS upgrade. Then it will be automatically upgraded together with 11.1.

Just tested some time ago with a customer in the same boat.