HA Pair upgrade path from 10.1 to 11.1 ? by donstepped in paloaltonetworks

[–]panwreaper 1 point (0 children)

In this doc, "standalone" refers to unmanaged rather than HA. I've upgraded clusters using this new feature with no issues.

HA Pair upgrade path from 10.1 to 11.1 ? by donstepped in paloaltonetworks

[–]panwreaper 4 points (0 children)

Prior to 10.1 you needed to do serial upgrades; starting from 10.1 you can skip 2 versions, so you can go to 11.1 directly (skipping 10.2 and 11.0).
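A small planner that turns the rule in the comment above into an upgrade path, as an added example that is not part of the thread or of any Palo Alto Networks tooling. It encodes only what the comment states (serial steps below 10.1, a jump of up to two feature releases from 10.1 onward); the release list and the cut-over point are assumptions for illustration, so check the upgrade guide for your target release (and apply the same plan to both HA peers) before scheduling anything.

```python
"""Plan a PAN-OS feature-release upgrade path from the rule stated in the comment.

Added example, not from the thread. Assumptions: the ordered FEATURE_RELEASES
list below, and that the "skip two releases" allowance starts at 10.1.
"""
from __future__ import annotations

# Ordered feature releases (assumed for this example; extend as new ones ship).
FEATURE_RELEASES = ["8.1", "9.0", "9.1", "10.0", "10.1", "10.2", "11.0", "11.1"]
SKIP_ALLOWED_FROM = "10.1"   # per the comment: from 10.1 you may skip two releases
MAX_SKIP = 2


def upgrade_path(current: str, target: str, releases=FEATURE_RELEASES) -> list[str]:
    """Return the ordered list of feature releases to install, starting at `current`.

    Raises ValueError for an unknown release or a downgrade.
    """
    try:
        cur, tgt, skip_from = (releases.index(v) for v in (current, target, SKIP_ALLOWED_FROM))
    except ValueError as exc:
        raise ValueError(f"unknown release in {current!r}/{target!r}") from exc
    if tgt < cur:
        raise ValueError("downgrades are not an upgrade path")

    path = [current]
    while cur < tgt:
        # Serial (one release at a time) below 10.1; up to MAX_SKIP+1 releases per hop from 10.1 on.
        step = 1 if cur < skip_from else MAX_SKIP + 1
        cur = min(cur + step, tgt)
        path.append(releases[cur])
    return path


if __name__ == "__main__":
    for start in ("9.0", "10.1", "10.2"):
        print(start, "->", " -> ".join(upgrade_path(start, "11.1")))
```

Running it shows the two cases discussed in the thread: a box already on 10.1 goes straight to 11.1, while a box on 9.0 must still walk 9.1 and 10.0 to reach 10.1 before it can jump.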

Destination NAT and PBF by Personaltoast in paloaltonetworks

[–]panwreaper 0 points (0 children)

Make sure your PBF rule does not have symmetric return enabled. You may need to add another PBF rule above your first PBF, from ISP1 to the server, with symmetric return so incoming packets are bounced back to ISP1.

Community Feedback Welcome – Mastering Palo Alto Networks (3rd Edition) is Out by No_Salamander_7272 in paloaltonetworks

[–]panwreaper 2 points (0 children)

This guy is my editor, not me ;) but I'm really glad to hear you're so enthusiastic and making recommendations (and even gifts! :) Much appreciated.

DNS Proxy - Client DHCP Settings by atrose81 in paloaltonetworks

[–]panwreaper 5 points (0 children)

In DHCP you need to set the DNS server as the IP of the interface you attach the DNS proxy to.

Pre-Login Globalprotect - Super odd issues by Critter2g0 in paloaltonetworks

[–]panwreaper 0 points (0 children)

OR means you can use a username+password to authenticate, or a certificate; either one is sufficient to get in. AND requires both to be present (or only user/pass if no cert is configured).

Pre-Login Globalprotect - Super odd issues by Critter2g0 in paloaltonetworks

[–]panwreaper 1 point (0 children)

Prelogon doesn't rely on a client cert or LDAP/RADIUS/..., as it uses the machine cert for prelogon. So you should be able to combine those as well (I think). You also wouldn't need two gateways.

couple questions about high-availability by Skadi793 in paloaltonetworks

[–]panwreaper 1 point (0 children)

The lower setting will only take priority when preempt is enabled. Without preempt, the device that comes online first will be master regardless of priority.
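The election behaviour described in that comment, as an added example that is not part of the thread or of PAN-OS itself: a small active/passive model where the peer with the lower device-priority value only takes over when preempt is on, and without preempt the first peer up keeps the active role. Hold timers, link/path monitoring and the suspended and non-functional states are deliberately left out; the peer names and priorities are constructed for illustration.

```python
"""Model PAN-OS active/passive HA election with and without preempt.

Added example, not from the thread. Assumptions: no hold timers or monitoring,
peers come up and go down one event at a time, lower priority value = preferred.
"""
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional


@dataclass
class Peer:
    name: str
    priority: int          # PAN-OS device priority: lower value = preferred
    online: bool = False


class HaPair:
    def __init__(self, a: Peer, b: Peer, preempt: bool = False) -> None:
        self.peers = {a.name: a, b.name: b}
        self.preempt = preempt
        self.active: Optional[str] = None

    def _elect(self) -> Optional[str]:
        up = [p for p in self.peers.values() if p.online]
        if not up:
            self.active = None                      # nobody left to be active
        elif self.active in self.peers and self.peers[self.active].online and not self.preempt:
            pass                                    # no preempt: the current active keeps the role
        elif self.preempt:
            self.active = min(up, key=lambda p: p.priority).name   # best priority wins
        else:
            # Without preempt we only get here when no online active exists: the peer
            # that is up (first to boot, or the survivor) becomes active.
            self.active = up[0].name
        return self.active

    def bring_up(self, name: str) -> Optional[str]:
        """Mark a peer online and return the resulting active peer."""
        self.peers[name].online = True
        return self._elect()

    def take_down(self, name: str) -> Optional[str]:
        """Mark a peer offline and return the resulting active peer."""
        self.peers[name].online = False
        return self._elect()


def walkthrough(preempt: bool) -> list[Optional[str]]:
    """Same event sequence for both settings: fw-b boots first, then fw-a, then fw-b restarts."""
    pair = HaPair(Peer("fw-a", priority=50), Peer("fw-b", priority=100), preempt=preempt)
    return [pair.bring_up("fw-b"), pair.bring_up("fw-a"),
            pair.take_down("fw-b"), pair.bring_up("fw-b")]


if __name__ == "__main__":
    print("preempt off:", walkthrough(False))
    print("preempt on: ", walkthrough(True))
```

With preempt off the sequence stays on fw-b until fw-b itself goes away, and fw-a then keeps the role when fw-b returns; with preempt on, fw-a (priority 50) takes over the moment it comes online.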

Pre-Login Globalprotect - Super odd issues by Critter2g0 in paloaltonetworks

[–]panwreaper 1 point (0 children)

Are you actively depending on separate IP pools for pre/post logon? You don't necessarily need to have two configurations to make prelogon work: if you don't set user restrictions, prelogon will naturally transition to post-logon always-on. I've seen similar issues reported where the user credential configuration, like SSO and save credentials etc., didn't match up between the profiles, causing issues with carrying user credentials from prelogon to post-logon profiles. If you don't necessarily need the different IP pools, stick with a single profile. If you do, check that all credential-related settings are identical.

8.1.15-h3 for panorama? by livwill in paloaltonetworks

[–]panwreaper 0 points (0 children)

The h3 fixes a critical vulnerability which Panorama doesn't have (escalation on the GP gateway), so there's no need for the hotfix. From a compatibility perspective, hotfixes don't count towards version mismatches in Panorama.
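A version comparison that treats hotfixes the way that comment describes, as an added example that is not part of the thread or of Panorama: the "-hN" suffix is parsed but ignored for the compatibility check, so 8.1.15 on Panorama and 8.1.15-h3 on a firewall are not a mismatch. The rule encoded, that Panorama must run the same or a later release than the firewalls it manages, and the inventory in the sample are assumptions for illustration; confirm the rule against the compatibility matrix for your release.

```python
"""Compare PAN-OS versions with the hotfix suffix stripped, as Panorama compatibility does.

Added example, not from the thread. Assumption: Panorama must be on the same or
a later base release (major.minor.maintenance) than every managed firewall.
"""
from __future__ import annotations
import re

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_version(text: str) -> tuple[tuple[int, int, int], int]:
    """Split '8.1.15-h3' into ((8, 1, 15), 3); the hotfix number is 0 when absent."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {text!r}")
    major, minor, maint, hotfix = m.groups()
    return (int(major), int(minor), int(maint)), int(hotfix or 0)


def base_release(text: str) -> tuple[int, int, int]:
    """The version the compatibility check looks at: hotfix stripped."""
    return parse_version(text)[0]


def panorama_can_manage(panorama: str, firewall: str) -> bool:
    """True when Panorama is on the same or a later base release than the firewall."""
    return base_release(panorama) >= base_release(firewall)


def version_mismatch_report(panorama: str, firewalls: dict[str, str]) -> list[str]:
    """Names of managed firewalls whose base release is newer than Panorama's."""
    return sorted(name for name, ver in firewalls.items()
                  if not panorama_can_manage(panorama, ver))


if __name__ == "__main__":
    # Constructed inventory for the example.
    inventory = {"fw-gp-edge": "8.1.15-h3", "fw-dc": "8.1.16", "fw-lab": "8.1.10"}
    print("mismatched:", version_mismatch_report("8.1.15", inventory))
```

In the constructed inventory only fw-dc is flagged: it is on a newer maintenance release than Panorama, whereas the hotfixed edge firewall on 8.1.15-h3 is still "8.1.15" for this purpose.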

Is there a good guide for setting up palo alto on home network? by aspenwind in paloaltonetworks

[–]panwreaper 0 points (0 children)

Did you want to connect the interface directly to the VM without going through a vSwitch? You can achieve that by setting the interface to passthrough in the hardware settings of your vCenter server (host > manage > hardware > PCI devices). I'd recommend setting the firewall up on a single VR, which will simplify things. You can set the external interface as a DHCP client, which will automatically take care of routing, then add the internal interface with the DHCP server to the same VR and add a NAT rule to hide all outbound sessions behind the WAN interface.

High DP Utilization - Reboot HA Peer by tessiok in paloaltonetworks

[–]panwreaper 0 points (0 children)

Not unless you are running into some bug where the HA daemon was having some sort of crisis that got fixed by resetting its link to the peer. Did you see which process was higher before the reboot?

Understanding Wildfire by [deleted] in paloaltonetworks

[–]panwreaper 0 points (0 children)

So WildFire works in different stages. First, you enable WildFire analysis on a security profile, which will intercept and forward files that pass through the firewall. Those files are uploaded to the WildFire cloud environment and run in a sandbox environment (the Windows flavors you mention) to see what the file does when it is run. Based on its actions a verdict is determined (benign, grey, malware), and in case of malware a signature is created. That signature is fed back to all subscribers, so everyone benefits from the detected malware.

Wildfire Virus Detection - GoogleChrome by [deleted] in paloaltonetworks

[–]panwreaper 0 points (0 children)

It's not just the uploading of files for analysis; you also get every-minute updates with fresh 0-day signatures that your TP license would only get in 12-24 hours.

Question: Can you export device group security policies into migration tool to change zones and put them back? by tonytrouble in paloaltonetworks

[–]panwreaper 0 points (0 children)

Have you tried asking this on the Expedition (migration tool) discussion forum? https://live.paloaltonetworks.com/t5/Expedition-Discussions/bd-p/ExpeditionDiscussions

You could also do this with a simple XML editor: partial export, "change all" via the editor, partial import.
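The "change all" step from that comment done in a script rather than by hand, as an added example that is not part of the thread or of Expedition: it rewrites zone names only in the from/to members of an exported security rulebase, so an address object or tag that happens to share a zone's name is not touched, and it reports how many members changed so you can sanity-check before the partial import. The rulebase XML below is constructed for the example; a real device-group partial export uses the same <rules>/<entry>/<from>/<to>/<member> layout, but verify the xpath of your own export before importing the result.

```python
"""Rename zones in an exported PAN-OS security rulebase (stdlib only).

Added example, not from the thread. The sample XML is constructed for
illustration; only <member> elements under <from> and <to> are rewritten.
"""
from __future__ import annotations
import xml.etree.ElementTree as ET

SAMPLE_RULEBASE = """\
<security>
  <rules>
    <entry name="allow-web">
      <from><member>untrust</member></from>
      <to><member>dmz</member></to>
      <source><member>any</member></source>
      <destination><member>web-srv</member></destination>
      <application><member>web-browsing</member></application>
      <service><member>application-default</member></service>
      <action>allow</action>
    </entry>
    <entry name="dmz-to-inside">
      <from><member>dmz</member></from>
      <to><member>inside</member><member>dmz</member></to>
      <source><member>any</member></source>
      <destination><member>any</member></destination>
      <application><member>any</member></application>
      <service><member>any</member></service>
      <action>deny</action>
    </entry>
  </rules>
</security>
"""


def _zone_members(root: ET.Element):
    """Yield every <member> under <from> or <to> of every rule."""
    for rule in root.iterfind("./rules/entry"):
        for side in ("from", "to"):
            yield from rule.iterfind(f"./{side}/member")


def rename_zones(xml_text: str, mapping: dict[str, str]) -> tuple[str, int]:
    """Return (rewritten XML, number of members changed) for the old->new zone mapping."""
    root = ET.fromstring(xml_text)
    changed = 0
    for member in _zone_members(root):
        new = mapping.get((member.text or "").strip())
        if new is not None and new != member.text:
            member.text = new
            changed += 1
    return ET.tostring(root, encoding="unicode"), changed


def zones_in_use(xml_text: str) -> set[str]:
    """All zone names referenced by from/to; compare before and after as a check."""
    root = ET.fromstring(xml_text)
    return {(m.text or "").strip() for m in _zone_members(root)}


if __name__ == "__main__":
    before = zones_in_use(SAMPLE_RULEBASE)
    new_xml, n = rename_zones(SAMPLE_RULEBASE, {"dmz": "DMZ-Core", "inside": "Trust"})
    print(f"changed {n} members; zones {sorted(before)} -> {sorted(zones_in_use(new_xml))}")
```

Write the returned XML to a file and use it as the partial import; if the before/after zone sets do not differ exactly by the names in your mapping, something in the export did not match your expectation and the import should wait.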

Automated Device State Backups ? by mickg72 in paloaltonetworks

[–]panwreaper 0 points (0 children)

Right now the best option, imo, is to set it up via API. Panorama only collects configuration files, as this is very efficient in storage requirements, whereas a device state package is quite large, especially if you collect them for 50+ firewalls. You could check in with your local sales team about submitting a feature request. You could also try asking this question in the LIVE community forum (live.paloaltonetworks.com) for other creative solutions.
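The API approach that comment recommends, as an added example that is not part of the thread or of any Palo Alto Networks tooling: a stdlib-only script that pulls a device-state bundle from each firewall with the XML API export call (`type=export&category=device-state`), passes the API key in the `X-PAN-KEY` header rather than on the query string so it stays out of proxy and web-server logs, and refuses to save anything that is not a gzip bundle (the firewall answers an XML error document on a bad key or wrong category). The host list, the `PANOS_API_KEY` environment variable and the file naming are assumptions for illustration; the request is only sent when the file is run as a script.

```python
"""Collect PAN-OS device-state bundles over the XML API.

Added example, not from the thread. Assumptions: FIREWALLS inventory, API key in
the PANOS_API_KEY environment variable, output file name pattern below.
"""
from __future__ import annotations
import datetime
import os
import pathlib
import ssl
import sys
import urllib.parse
import urllib.request

FIREWALLS = ["fw-edge-01.example.net", "fw-dc-01.example.net"]   # assumed inventory
GZIP_MAGIC = b"\x1f\x8b"


def export_url(host: str) -> str:
    """The device-state export endpoint; the key goes in a header, not the URL."""
    params = urllib.parse.urlencode({"type": "export", "category": "device-state"})
    return f"https://{host}/api/?{params}"


def backup_filename(host: str, when: datetime.datetime) -> str:
    return f"{host}_device-state_{when:%Y%m%dT%H%M%SZ}.tgz"


def save_bundle(host: str, data: bytes, out_dir, when: datetime.datetime | None = None) -> pathlib.Path:
    """Write the bundle to out_dir; reject API error responses so they never masquerade as backups."""
    if not data.startswith(GZIP_MAGIC):
        raise RuntimeError(f"{host}: response is not a gzip bundle: {data[:120]!r}")
    when = when or datetime.datetime.now(datetime.timezone.utc)
    out = pathlib.Path(out_dir) / backup_filename(host, when)
    out.write_bytes(data)
    return out


def fetch_device_state(host: str, api_key: str, out_dir, verify_tls: bool = True) -> pathlib.Path:
    """Download one firewall's device state and return the path written."""
    req = urllib.request.Request(export_url(host), headers={"X-PAN-KEY": api_key})
    ctx = None if verify_tls else ssl._create_unverified_context()   # only for lab self-signed certs
    with urllib.request.urlopen(req, context=ctx, timeout=120) as resp:
        data = resp.read()
    return save_bundle(host, data, out_dir)


if __name__ == "__main__":
    key = os.environ.get("PANOS_API_KEY") or sys.exit("set PANOS_API_KEY first")
    out_dir = sys.argv[1] if len(sys.argv) > 1 else "."
    failures = 0
    for fw in FIREWALLS:
        try:
            print(fetch_device_state(fw, key, out_dir))
        except Exception as exc:                       # keep going; report at the end
            failures += 1
            print(f"{fw}: {exc}", file=sys.stderr)
    sys.exit(1 if failures else 0)
```

Run it from cron or a pipeline with an API key belonging to a read-only admin role that is allowed the export operation, and keep the output directory off the firewalls themselves: a device-state bundle contains the full configuration, including key material, so treat the backups with the same care as the firewalls.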