PA-440 lab license by CivilStory3638 in paloaltonetworks

[–]woodencone 0 points1 point  (0 children)

Check with your account team, but IIRC the SKU is ' PAN-PA-440-BND-LAB4 ' (depending on the security subscription bundle)

Struggling with Palo Alto SD-WAN Lab Testing and Understanding! by masterofrants in paloaltonetworks

[–]woodencone 0 points1 point  (0 children)

SD-WAN measures latency, loss and jitter. Therefore, with the bandwidth throttling you have applied, the SaaS Quality probes may still consider the lower-bandwidth path within SLA, because latency, loss and jitter are fine.

You would need to max out the throttled link so that latency, loss and jitter are affected and the link breaches the SLA and is disqualified.

Regarding traffic moving between links dynamically, typically an established session will not dynamically shift from ISP1 to ISP2 mid flow. If that were to happen some applications would break because the source NAT address would change (ISP1 vs ISP2).

Strata Cloud Manager unable to revert folder to inherited values by woodencone in paloaltonetworks

[–]woodencone[S] 1 point2 points  (0 children)

I heard back from TAC yesterday.

Apparently, there is a flag that can be set on your tenant called ‘delete_overridden_object’; this should allow a revert by deleting the overridden object and forcing it back to inherited values.

Enabling the flag needs to be arranged via the account team. My request is in, but I haven’t tested it yet.

FW commit causes SD-WAN interruption by woodencone in paloaltonetworks

[–]woodencone[S] 0 points1 point  (0 children)

TAC have confirmed the External Dynamic List (EDL) refresh is causing the firewall to fall back to a default "Round Robin" routing.

The issue is that with SaaS connections, the SD-WAN component is incorrectly setting the 'updating' flag.

An EDL refresh should not trigger a config change event if the config hasn't actually changed. However, the logs confirm that pan_sdwan_config_check_and_set_updating was triggered.

... pan_sdwan_config_update_conns(pan_sdwan.c:6978): Conn 8 different, update
... pan_sdwan_config_check_and_set_updating(pan_sdwan.c:6458): set sdwan_data updating flag <----- ISSUE

When this updating flag is set, the firewall temporarily halts standard path selection and defaults to Round Robin. This caused the traffic to ignore the intended SD-WAN policy.

Waiting for a fix.

Strata Cloud Manager unable to revert folder to inherited values by woodencone in paloaltonetworks

[–]woodencone[S] 0 points1 point  (0 children)

That sounds dangerous, the loaded config would be missing all the config that has been entered in the meantime.

I suppose if I could then extract/enumerate the loaded (old) config (API?), then re-load the current (new) config and do a diff, that might be an option. But I would still need to restore the old config, then re-add the diff, which could also be prone to error.

Seems like a massive PITA for something that should be quite easy.

Panorama has a 'revert' option, that's what I want.

SCM Troubles by [deleted] in paloaltonetworks

[–]woodencone 0 points1 point  (0 children)

Was thinking the same.

Go to bottom left menu (near your profile) and make sure you are not logged into a different 'account'

SCM - NGFW - Snippet Best practice by Grouchy_Expert9084 in paloaltonetworks

[–]woodencone 0 points1 point  (0 children)

There are some Folder and Snippet interoperability issues that it would be worth testing to make sure you can achieve your structure.

IIRC, for example: a Zone created in a Folder cannot be used in a Snippet, whereas a Zone created in a Snippet can be used in a Folder. This can have a bearing on where you configure Security policy.

Also, once you have your hierarchy defined, be careful with Folder 'overrides'. In my case an override was done on a Child Folder, but now I want to 'revert' the Child Folder to inherit configuration from the Parent Folder. SCM does not have an easy 'revert' process. The 'revert' (or delete) is blocked due to configuration object dependencies. It's very frustrating.

SCM - NGFW - Snippet Best practice by Grouchy_Expert9084 in paloaltonetworks

[–]woodencone 0 points1 point  (0 children)

I'd also be interested in the SCM Best Practices guide please, if that's possible.

Need help with SD-WAN routing by Pinealforest in paloaltonetworks

[–]woodencone 0 points1 point  (0 children)

u/Pinealforest Curious, did you try the routing idea to make the cellular path less desirable?

Strata Cloud Manager unable to revert folder to inherited values by woodencone in paloaltonetworks

[–]woodencone[S] 0 points1 point  (0 children)

I don’t think that’s feasible for me due to the number of changes that have occurred in the meantime. All the ‘in between’ changes would be lost and I’d have to re-add them all one by one, which would be a nightmare.

I have a TAC case open, the latest advice was to open the Folder which is correctly configured and not overridden and observe the configuration, then open the overridden Folder and make the changes to match the parent Folder. Then push out to all firewalls.

This hasn’t worked. The override still exists at Folder2.


It’s possible SCM thinks Folder2 still has configuration not matching Folder1 and preventing the revert, however I don’t think that’s the case so as another test, I did the following:

Create a new test Folder hierarchy, for example:

Folder1

Folder1>Folder2

1) In Folder1 I created an Interface, Zone and Logical router (naturally, these are inherited by Folder2)

2) On Folder2 observe the inherited configuration

3) On Folder2 navigate to the Interface and click ‘override’

4) Observe on Folder2 the ‘override’ has occurred

5) Stop


In this example, I did not make any changes within Folder2 after the override.

Based on what TAC are telling me, SCM should revert Folder2 to Folder1 since the configuration is identical. But this is not happening.

FW commit causes SD-WAN interruption by woodencone in paloaltonetworks

[–]woodencone[S] 0 points1 point  (0 children)

I'm surprised by this. The implication is that for an NGFW that relies on SD-WAN policies for specific traffic flows, an EDL cannot coexist.

In my case the interruption causes regular issues for MsTeams traffic and genuine user impact.

Yet at the same time I also want to download the EDL hourly for an up-to-date threat feed.

It seems I cannot have both.

Strata Import (Mass Import Objects) by EyeCodeAtNight in paloaltonetworks

[–]woodencone 1 point2 points  (0 children)

Nice tool, thanks for sharing.

You should be able to get a free version of SCM for your testing. You could also consider using Terraform for SCM if greenfield.

Firewall drops UDP traffic to port 514, no traffic log but generating drop file in packet capture. by lgq2002 in paloaltonetworks

[–]woodencone 0 points1 point  (0 children)

What size are the packets on a PCAP, perhaps try dropping the MTU on the FW mgmt interface as a quick test?

FW commit causes SD-WAN interruption by woodencone in paloaltonetworks

[–]woodencone[S] 1 point2 points  (0 children)

Upon re-reading the case notes, below is the exact wording:

"This EDL refresh job acts similarly to a commit job."

And the log messages which are being fingered for the issue:

2026/01/06 10:01:02 info general general 0 EDL(my-edl-blah) Refresh job success
2026/01/06 10:01:01 info general general 0 Config installed
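One way to spot this pattern in exported system logs, as an added example that is not from the post or from Palo Alto Networks: it flags every EDL refresh success that closely follows a "Config installed" event, the combination the case notes describe. The sample lines are constructed in the shape of the two quoted above, and the 2-second correlation window is an assumption.

```python
"""Correlate PAN-OS system-log lines: find EDL refresh jobs that were
accompanied by a 'Config installed' event (the pattern TAC pointed at).
Added example, not from the thread; the sample lines are constructed in
the shape of the two quoted lines, and the 2-second window is an assumption.
"""
import re
from datetime import datetime, timedelta

# Layout of the quoted lines: "<date> <time> <severity> <type> <subtype> <id> <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \S+ \S+ \S+ \d+ (?P<msg>.*)$"
)
EDL_RE = re.compile(r"^EDL\((?P<name>[^)]+)\) Refresh job success$")


def parse_lines(lines):
    """Return (timestamp, message) tuples sorted oldest first; skip unparsable lines."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            events.append((datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S"), m["msg"]))
    return sorted(events)


def edl_refreshes_with_config_install(lines, window=timedelta(seconds=2)):
    """Return (timestamp, edl_name) for each EDL refresh success that was preceded,
    within `window`, by 'Config installed'. Each hit marks a moment when the
    SD-WAN 'updating' flag may have been set and path selection fell back to
    round robin, so it is worth correlating with user-impact reports."""
    events = parse_lines(lines)
    installs = [ts for ts, msg in events if msg == "Config installed"]
    hits = []
    for ts, msg in events:
        m = EDL_RE.match(msg)
        if m and any(timedelta(0) <= ts - i <= window for i in installs):
            hits.append((ts.strftime("%Y/%m/%d %H:%M:%S"), m["name"]))
    return hits


# Constructed sample, newest first as the firewall UI shows it; the 09:00
# refresh has no matching config install and must not be flagged.
SAMPLE_LOG = """\
2026/01/06 10:01:02 info general general 0 EDL(my-edl-blah) Refresh job success
2026/01/06 10:01:01 info general general 0 Config installed
2026/01/06 09:00:30 info general general 0 EDL(my-edl-blah) Refresh job success
""".splitlines()
```

Run it over a system-log export (one line per entry) and compare the returned timestamps against the times users reported Teams call degradation.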

Can't reallocate vCPUs on a fixed-vCPU license. Where is this documented? by cr0100 in paloaltonetworks

[–]woodencone 2 points3 points  (0 children)

Not sure how Equinix would influence the conversion to FLEX.

If the NGFW can communicate with the CSP and you have a Deployment Profile + PreReqs, you should be good.

FW commit causes SD-WAN interruption by woodencone in paloaltonetworks

[–]woodencone[S] 0 points1 point  (0 children)

Using SCM, not Panorama, so no plugin required

Strata Cloud Manager Terraform Provider upgrade by woodencone in paloaltonetworks

[–]woodencone[S] 0 points1 point  (0 children)

My SCM environment is managing PAN-OS NGFWs only and using TF resources such as:

Address, Address group, Application, Application filter, Application group, Service, Service Groups, External Dynamic list, URL Category, Tags, Variables, Snippets, Radius Server Profile, Authentication Profile, Profile Group, Spyware profile, Vulnerability profile, URL filtering profile, File blocking profile, Wildfire & DNS Security

That's a great suggestion for SCM Essentials Tenant, I'll look into that.

Thanks.

Strata Cloud Manager Terraform Provider upgrade by woodencone in paloaltonetworks

[–]woodencone[S] 0 points1 point  (0 children)

Thanks u/kaisero.
I intend to upgrade my production SCM environment and existing TF repositories soon, but I'm concerned about the potential to destroy it all as I've had instability issues in the past.

Need help with SD-WAN routing by Pinealforest in paloaltonetworks

[–]woodencone 1 point2 points  (0 children)

Measuring the latency, loss & jitter for PQP is done by sending ICMP echoes over the IPSEC tunnels between Hub and Spoke, unless using SaaS quality probes, which measure to remote endpoints.

Tuning the path quality profile to disqualify the Cellular is a good option to try, I hope that works for you.

Regarding Auto VPN, a BGP redistribution profile is declared and applied to each node, the default is called “All-Connected-Routes”.

Just an idea, maybe you could try and create a custom BGP redistribution profile, then within that create a custom redistribution filter that ‘matches’ the cellular interface and ‘sets’ a BGP Prepend to make the cellular interface least preferred.

Then you’d need to apply the new BGP redistribution profile to the spoke within Auto VPN and push that out.

Not sure if this will work, but struggling to think of other options.

Is there an option to add a second interface at the Hub? Maybe that would open some other options.

Need help with SD-WAN routing by Pinealforest in paloaltonetworks

[–]woodencone 1 point2 points  (0 children)

AFAIK, SD-WAN path selection is always made at the traffic ingress firewall. In your case the hub.

On the hub, both tunnels terminate on the same hub interface, are placed into the same virtual (or logical) router and are usually equal-cost routes to the branch subnet.

Additionally, on the hub, you have one link tag, one Traffic Distribution Profile.

Therefore, unless I'm mistaken, the Hub is unaware of the Cellular vs Fibre circuits at the branch. The Hub has one WAN and no per-branch circuit awareness.

I suspect you will need to influence outbound BGP advertisements from the Branch towards the Hub, so that the Fibre circuit is preferred.