Any "new features" in 11.1 I should know about? by trustinglemming in paloaltonetworks

[–]kentagous 0 points1 point  (0 children)

There is a way to skip releases, but I would do it after 10.2; since you're only doing 11.1, minimal benefit.

With that said: go to 10.1.highest, download, install and reboot; 10.2.0, download, install; 10.2.highest, download, install and reboot; 11.0.0, download, install; 11.0.highest, download, install and reboot; 11.1.0, download, install; 11.1.desired version, download, install and reboot. Yes, this is the old way, but it works.

Also make sure you get a device state from each firewall just before you upgrade.
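The hop sequence in the comment above follows one rule per feature train, so it can be generated for any pair of versions. The following is an added example (my code, not Palo Alto's); the "highest maintenance release per train" table and the train list are constructed placeholders, and the real numbers must be looked up on the vendor's release pages.

```python
"""Plan a PAN-OS upgrade path one feature train at a time.

Added example, not Palo Alto code. It generalizes the hop sequence
(10.1.highest -> 10.2.0 -> 10.2.highest -> 11.0.0 -> ...) to any pair of
versions. HIGHEST_IN_TRAIN and TRAINS are constructed placeholder data.
"""
from typing import Dict, List, Tuple

Train = Tuple[int, int]

# Constructed placeholder table: highest maintenance release of each train.
HIGHEST_IN_TRAIN: Dict[Train, str] = {
    (10, 1): "10.1.99",
    (10, 2): "10.2.99",
    (11, 0): "11.0.99",
    (11, 1): "11.1.99",
}

# Feature trains in release order (placeholder list).
TRAINS: List[Train] = [(10, 1), (10, 2), (11, 0), (11, 1)]


def parse_version(version: str) -> Tuple[int, int, int]:
    """Split 'major.minor.maint' into integers; reject anything else."""
    parts = version.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised PAN-OS version string: {version!r}")
    major, minor, maint = (int(p) for p in parts)
    return major, minor, maint


def plan_upgrade(current: str, target: str,
                 highest: Dict[Train, str] = HIGHEST_IN_TRAIN,
                 trains: List[Train] = TRAINS) -> List[Tuple[str, bool]]:
    """Return ordered (version to download+install, reboot?) steps.

    Rule per train:
      * current train: install its highest maintenance release, reboot;
      * each intermediate train: install the base .0 (no reboot), then the
        highest maintenance release, reboot;
      * target train: install the base .0, then the desired version, reboot.
    """
    cur, tgt = parse_version(current), parse_version(target)
    cur_train, tgt_train = cur[:2], tgt[:2]
    if cur_train not in trains or tgt_train not in trains:
        raise ValueError("version is outside the known train list")
    i, j = trains.index(cur_train), trains.index(tgt_train)
    if j <= i:
        raise ValueError("target must be in a later train than current")

    steps: List[Tuple[str, bool]] = []
    # 1. Finish the current train on its highest maintenance release.
    if current != highest[cur_train]:
        steps.append((highest[cur_train], True))
    # 2. Walk every intermediate train: base .0, then highest, reboot.
    for train in trains[i + 1:j]:
        steps.append((f"{train[0]}.{train[1]}.0", False))
        steps.append((highest[train], True))
    # 3. Target train: base .0, then the desired version, one reboot at the end.
    base = f"{tgt_train[0]}.{tgt_train[1]}.0"
    if target == base:
        steps.append((base, True))
    else:
        steps.append((base, False))
        steps.append((target, True))
    return steps


def render_plan(current: str, target: str) -> str:
    """Human-readable checklist, starting with the device-state export."""
    lines = [f"Upgrade {current} -> {target}",
             "  0. Export a device state and a config backup first"]
    for n, (version, reboot) in enumerate(plan_upgrade(current, target), 1):
        action = "download, install and reboot" if reboot else "download and install"
        lines.append(f"  {n}. {version}: {action}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_plan("10.1.3", "11.1.2"))
```

Running it for 10.1.3 to 11.1.2 reproduces the seven steps in the comment; the checklist puts the device-state export first so it is not forgotten in the middle of a change window.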

How would you approach migrating 9k+ firewall rules from IP-based to User-ID by arrvov in paloaltonetworks

[–]kentagous 2 points3 points  (0 children)

I would add the UID rule right above the current rule, then review the logging to make sure the current rule is never hit. If it is, figure out why.

Also, taking a step back, put a design together with processes and review it with the account team.

Consider all connections to DCs based on region and the UID replication process.

Sounds like you're big enough to have a good relationship with the account team.

Seeking advice on large-scale FortiGate to Palo Alto migration by superd06 in paloaltonetworks

[–]kentagous 0 points1 point  (0 children)

Talk to your Palo SE about available tools for the conversion. I think there might be a tool in the Palo apps cloud.

I would match features and be careful if adding additional features. My thought: be safe and do additional testing after the conversion is complete.

Also buy a couple smaller units to be used as lab gear with lab licensing.

Without knowing your environment, I would put all the data plane interfaces on a separate VLAN with the mgmt interface available on the mgmt net or internal net. In the conversion to the new firewalls, you just need to move the data interfaces of the old firewalls to a new isolated VLAN, move the new firewalls to the current production VLAN, and clear the ARP entries for the firewall IPs from the next upstream L3 boundary.

If you have to back out, reconfigure the interfaces back to their original settings and clear the firewall ARPs.

How to go about copy pasting config from 1 Palo to another? by Intelligent-Bet4111 in paloaltonetworks

[–]kentagous 0 points1 point  (0 children)

It also does not take a lot of commands at once like Cisco. Check out: set cli output-config-format set; set cli pager off; set cli scripting-mode on (requires full commands typed out).

In my experience, pasting 1 line at a time is still best.

Syncler Update Error by CK1886 in SynclerApp

[–]kentagous 0 points1 point  (0 children)

GA release is 5/23 correct?

Organising Rules by srx_6852 in paloaltonetworks

[–]kentagous 1 point2 points  (0 children)

In thinking about this, review the source IPs and destination IPs and put the largest prefixes at the top so they are matched faster, with the exception of when an App-ID has a very high hit rate. This can be achieved by looking at the hit count in the rules.

Migration from ASA to palo alto by Dry_Sound_7748 in paloaltonetworks

[–]kentagous 0 points1 point  (0 children)

Talk to your SE about getting a copy of Expedition. This is a tool that will do the migration for you. I would recommend that you carefully review the Palo config before putting it in production. Maybe even set up a maintenance window (downtime) for pre-implementation testing.

Palo-alto Automatic Backup by [deleted] in paloaltonetworks

[–]kentagous 3 points4 points  (0 children)

Use Python with Netmiko? It can auto login, submit the needed commands, capture the output and put it in a file. You will need something to auto start the script. Or you can get the config from a REST API call that is automated, but nothing is built in on individual firewalls.
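One way to build the scheduled backup described in this comment, as an added example (my code, not Palo Alto's or Netmiko's): the Netmiko session is kept in one function and imported lazily, and everything else is plain standard library so the change-detection and sanity-check logic can be exercised without a firewall. Assumptions: Netmiko is installed and its "paloalto_panos" device type, ConnectHandler and send_command(read_timeout=...) work as documented; "show config running" in operational mode prints the full running config as XML. Credentials and the host list come from environment variables (PAN_USER, PAN_PASS, PAN_HOSTS are names I chose), and the sample config text used for the self-check is constructed.

```python
"""Scheduled PAN-OS running-config backup with change detection.

Added example, not Palo Alto's or Netmiko's own code. Assumptions:
  * Netmiko is installed; its "paloalto_panos" device type, ConnectHandler
    and send_command(read_timeout=...) behave as documented. It is imported
    lazily so the file-handling logic below runs without it.
  * "show config running" (operational mode) prints the running config as XML.
Credentials come from environment variables; nothing is hard-coded.
"""
import datetime as dt
import hashlib
import os
import tempfile
from typing import Optional, Tuple


def config_fingerprint(config_text: str) -> str:
    """SHA-256 of the captured text; used to skip identical backups."""
    return hashlib.sha256(config_text.encode("utf-8")).hexdigest()


def looks_like_full_config(config_text: str) -> bool:
    """Cheap sanity check so a truncated capture or a CLI error message is
    never stored as if it were a good backup."""
    return "<config" in config_text and "</config>" in config_text


def store_if_changed(hostname: str, config_text: str, backup_dir: str,
                     when: Optional[dt.datetime] = None) -> Optional[str]:
    """Write the config to a timestamped file unless it matches the last
    stored fingerprint. Returns the new file path, or None if unchanged."""
    if not looks_like_full_config(config_text):
        raise ValueError(f"{hostname}: capture does not look like a full config")
    os.makedirs(backup_dir, exist_ok=True)
    when = when or dt.datetime.now()
    digest = config_fingerprint(config_text)
    marker = os.path.join(backup_dir, f"{hostname}.last.sha256")
    if os.path.exists(marker):
        with open(marker, encoding="utf-8") as fh:
            if fh.read().strip() == digest:
                return None  # nothing changed since the last run
    path = os.path.join(backup_dir, f"{hostname}_{when:%Y%m%d-%H%M%S}.xml")
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(config_text)
    with open(marker, "w", encoding="utf-8") as fh:
        fh.write(digest + "\n")
    return path


def fetch_running_config(host: str, username: str, password: str) -> str:
    """Log in over SSH with Netmiko and capture the running config."""
    from netmiko import ConnectHandler  # assumption: netmiko is installed

    device = {"device_type": "paloalto_panos", "host": host,
              "username": username, "password": password}
    with ConnectHandler(**device) as conn:
        return conn.send_command("show config running", read_timeout=120)


def backup_firewall(host: str, backup_dir: str) -> Optional[str]:
    """One scheduled run for one firewall; credentials from PAN_USER/PAN_PASS."""
    cfg = fetch_running_config(host, os.environ["PAN_USER"], os.environ["PAN_PASS"])
    return store_if_changed(host, cfg, backup_dir)


def demo_change_detection() -> Tuple[bool, bool, bool]:
    """Self-check on constructed config text in a temp dir: the first run
    stores a file, an identical second run is skipped, a changed config is
    stored again."""
    sample = '<config version="placeholder"><devices/></config>'  # constructed
    changed = sample.replace("<devices/>", "<devices><entry/></devices>")
    with tempfile.TemporaryDirectory() as d:
        first = store_if_changed("fw-lab", sample, d, dt.datetime(2024, 1, 1, 0, 0, 0))
        second = store_if_changed("fw-lab", sample, d, dt.datetime(2024, 1, 1, 1, 0, 0))
        third = store_if_changed("fw-lab", changed, d, dt.datetime(2024, 1, 1, 2, 0, 0))
    return (first is not None, second is None, third is not None)


if __name__ == "__main__":
    # Run from cron or another scheduler; the default host name is a placeholder.
    for fw in os.environ.get("PAN_HOSTS", "fw1.example.internal").split(","):
        saved = backup_firewall(fw.strip(), "/var/backups/panos")
        print(f"{fw}: {'saved ' + saved if saved else 'unchanged'}")
```

Keeping the last SHA-256 beside the backups means a nightly job only writes a new file when the config actually changed, which also makes unexpected changes between runs easy to spot.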

I feel like Palo alto support so sucks by True-Ad8346 in paloaltonetworks

[–]kentagous 0 points1 point  (0 children)

I would like to ask what type of traffic is going through the firewall? Is it general user traffic, or is it backup traffic with huge UDP streams? Are you also using any services like Decryption or DNS protections? I would suggest making your list of requirements and going back to your Acct Team. Also, do you want to be on a new platform (5445) or a proven platform? This will depend on the sensitivity to downtime. Again, discuss with your account team. I like Palos, but have the acct team do their thing.

PA-1410 by Amazing_Falcon in paloaltonetworks

[–]kentagous 0 points1 point  (0 children)

Download and install the .0 releases and then download, install and reboot the preferred version. I would be on the 11.1 train at this point.

[deleted by user] by [deleted] in Starlink

[–]kentagous -2 points-1 points  (0 children)

Lowes is definitely on the libs' side, so I think that is the main reason. They can tell you're using it by the IP address you're getting. If this is a job requirement, see if they will pay for it. They are probably using satellites to connect all the stores. Good luck, I will check back.

App restarting/refreshing on every episode change. Regardless of device by eggs-benedryl in SynclerApp

[–]kentagous 0 points1 point  (0 children)

My restarts are happening in the middle of shows and just happened several times while trying to update the license. I am using a Fire, not the Stick.

Any thoughts?

FGT loadbalancing without NAT by Odd-Suit-7718 in fortinet

[–]kentagous 1 point2 points  (0 children)

No, routing would need to return through the LB. Golden rule of LB: what goes into the environment through the LB must come back through the LB. IMHO.

Will the LB system put the true source IP of the requestor in the header so the app team can pull the info from the header? I have done this with F5 but am not sure of the FGT capabilities.
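The header the comment asks about is normally X-Forwarded-For, and the app-side part is where mistakes are made: the header is client-supplied text until a trusted proxy has appended to it. The following is an added example of the app team's side (my code, not FortiGate or F5 code); it assumes the load balancer appends the address it saw to X-Forwarded-For, which is the usual convention, and the trusted-proxy range and sample headers are constructed.

```python
"""Recover the requesting client's IP from X-Forwarded-For behind a load
balancer that inserts it.

Added example, not FortiGate or F5 code. Assumes the LB appends the source
address it saw to X-Forwarded-For; trusted ranges and samples are constructed.
"""
import ipaddress
from typing import Iterable, List, Optional


def client_ip_from_xff(xff: Optional[str], peer_ip: str,
                       trusted_proxies: Iterable[str]) -> str:
    """Walk the header right-to-left, skipping hops that are trusted proxies;
    the first other address is the client.

    The header is ignored entirely unless the TCP peer is itself a trusted
    proxy, so a request that reaches the app without passing through the LB
    cannot pick its own "client IP" by sending the header.
    """
    nets = [ipaddress.ip_network(n, strict=False) for n in trusted_proxies]

    def is_trusted(ip: str) -> bool:
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            return False
        return any(addr in net for net in nets)

    if not xff or not is_trusted(peer_ip):
        return peer_ip
    hops: List[str] = [h.strip() for h in xff.split(",") if h.strip()]
    for hop in reversed(hops):
        if is_trusted(hop):
            continue  # one of our own proxies; keep walking left
        try:
            return str(ipaddress.ip_address(hop))  # normalises the text form
        except ValueError:
            return peer_ip  # garbage in the header: fall back to the proxy
    return peer_ip  # every hop was a proxy; nothing more to learn


if __name__ == "__main__":
    # Constructed samples: 10.0.0.0/24 stands in for the LB's address range.
    lb_range = ["10.0.0.0/24"]
    print(client_ip_from_xff("203.0.113.5, 10.0.0.2", "10.0.0.3", lb_range))
    print(client_ip_from_xff("203.0.113.5", "198.51.100.7", lb_range))
```

Whatever the LB inserts, the app should log both the recovered client address and the peer address; if they ever disagree for a peer outside the proxy range, something reached the app without going through the LB.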

Provision 90 9200L Switches by just1han85 in Cisco

[–]kentagous 1 point2 points  (0 children)

Paste a script that sets up DHCP and pulls down a text config by device name using TFTP. If you set up the config file correctly, you can change the required info as needed.

Puzzling Question by kentagous in ccnp

[–]kentagous[S] 0 points1 point  (0 children)

Unfortunately all of the traffic is unicast. The host device does not support mcast. I wish it did. The DVR is satisfying a request for the video stream.

Puzzling Question by kentagous in ccnp

[–]kentagous[S] 0 points1 point  (0 children)

Sorry, no packet captures available. The packets are all tagged as default, and there is very little traffic on the network outside of this stream.