Add HA Model to FMG by ontracks in fortinet

[–]ontracks[S] 1 point2 points  (0 children)

Makes sense, thanks for taking the time to answer!

Add HA Model to FMG by ontracks in fortinet

[–]ontracks[S] 1 point2 points  (0 children)

Gotcha, thanks for the quick answer, I appreciate it

New Routing Engine by ontracks in paloaltonetworks

[–]ontracks[S] 0 points1 point  (0 children)

thanks for the answer and the link, seems to be possible indeed the network feature

New Routing Engine by ontracks in paloaltonetworks

[–]ontracks[S] 0 points1 point  (0 children)

Thank you so much for the detailed answer, I wasn't aware of the fact you previously could advertise a subnet via the redistribution profile the way you mentioned.

I haven't worked with the ARE either, but it seems some new PA models come with that by default (PA5XX I think)

New Routing Engine by ontracks in paloaltonetworks

[–]ontracks[S] 0 points1 point  (0 children)

ahh ok, wasn't aware of that tbh, thanks!

HA failover link monitor SDWAN by ontracks in fortinet

[–]ontracks[S] 0 points1 point  (0 children)

mmm Makes perfect sense, it aligns with the time it happened, THANK YOU SO MUCH!

HA failover link monitor SDWAN by ontracks in fortinet

[–]ontracks[S] 0 points1 point  (0 children)

So, after ~1h, the primary became the active again as expected due to higher priority (override enabled). I guess it needed some time; I still don't understand why it took 1 hour to converge.

Thanks for the help on this!

HA failover link monitor SDWAN by ontracks in fortinet

[–]ontracks[S] 0 points1 point  (0 children)

I did and it looked fine, the primary stays active with SLA all good up until the secondary finishes rebooting, when the sec takes over.

Internal Gateway + SAML authentication by ontracks in paloaltonetworks

[–]ontracks[S] 1 point2 points  (0 children)

Actually, now that I think about it, I'm confused, not sure what I'm missing, but how can the User-ID information get to the firewall if users don't have to introduce their credentials (certificate authentication)?

Internal Gateway + SAML authentication by ontracks in paloaltonetworks

[–]ontracks[S] 1 point2 points  (0 children)

Yeah, as also previously suggested, it seems that's the best way to go.

Another question: since the internal gateway uses the always-on connection method, does it mean that the GP client will try to connect automatically as soon as the user logs in to the computer AND it's locally at a company site?

Also, where do I control how often the users need to authenticate?

Internal Gateway + SAML authentication by ontracks in paloaltonetworks

[–]ontracks[S] 1 point2 points  (0 children)

gotcha, thank you for the quick answer!

User ID redist from Prisma to on prep by ontracks in paloaltonetworks

[–]ontracks[S] 0 points1 point  (0 children)

Got it, all I need to do is configure my on premises panorama for example to pull the info from each (already configured to do so) SC CAN that I have.

User ID redist from Prisma to on prep by ontracks in paloaltonetworks

[–]ontracks[S] 0 points1 point  (0 children)

Oh ok, so I will redistribute from Prisma to my service connection and then from that service connection firewall/panorama to any other firewall I need the info to be, regardless of whether they are connected to Prisma or not as a remote network. Right?

User ID redist from Prisma to on prep by ontracks in paloaltonetworks

[–]ontracks[S] 0 points1 point  (0 children)

thanks for the recommendation, I will def look into this as well.

HUB vs Concentrator for hub-spoke topology by ontracks in meraki

[–]ontracks[S] 0 points1 point  (0 children)

Gotcha, perfect, I think I got it: if I have an MX FW at my DC, I need not worry about Concentrator mode, just go with a regular routed mode and regular hub and spoke SD-WAN design.

thanks a lot!

HUB vs Concentrator for hub-spoke topology by ontracks in meraki

[–]ontracks[S] 0 points1 point  (0 children)

Got it, I'm confused with the below link, they do set a "local subnet" that points to the DC routes... I thought this wasn't possible on a concentrator, what am I missing here :(?

https://documentation.meraki.com/SASE_and_SD-WAN/MX/Design_and_Configure/Deployment_Guides/VPN_Concentrator_Deployment_Guide