
Anyone with exp in PAN-OS SD-WAN without Panorama for VPN S2S Dual ISP?

Hi PANgurus community, how's it going?


Does anyone have operational, functional experience with PAN-OS SD-WAN deployments (firewall SD-WAN without Panorama and without CloudGenix appliances) operating and running sites with two ISPs for IPsec S2S VPN connections?

Today we run PAN-OS SD-WAN only for Internet outbound, with 2 unified links; it operates well, with limitations, but it works and works well.


Now we are thinking of moving to VPN S2S using the PAN-OS SD-WAN scheme. Does anyone have experience deploying it in their environments? Does it operate correctly? Points, tips, areas to focus on, recommendations, headaches, etc. If you have had any unexpected problems, what has been your feedback and your experience operating S2S VPN between HQ and branches of at least 5, 10 or more PAN-OS sites, between your branch PANW firewalls and the HQ?


CyberforceZero
Apr 28, 2025

Hi MetgatzGR,

They say that SD-WAN can't be done without Panorama because if you have S2S VPN, each side needs to know the other's info, such as tunnel interface IPs. This comes from Panorama; there's no other easy way to have each site know about the others. Unless you're running the SD-WAN in some very limited way?


PANW - Router RIP - Help Fortigate to PANW

Hi master Reaper, thanks as always for your time, collaboration and patience.


I have the following issue. I am reviewing documentation and validating everything, but I have big doubts; at Cisco CCNA level I understand RIP well.


I am migrating some Fortigates to PANW; everything is excellent, everything good, nothing new, everything OK with Expedition.


I have been debugging for hours and days but everything is fine.


But with RIP I have huge doubts. It is a simple config, but the Palo Alto Networks filter example does not have it, and it is a config so simple that I am embarrassed. Can someone support me in moving it from Fortigate to PANW? I am clear that I must apply the redistribution profile for connected and static routes, but look, it is just this; maybe I am over-complicating it. Obviously it has slight adjustments, but the base is the same:

config router rip

config distribute-list

GlobalProtect Azure AD SAML Integration - Policy-Based Groups Azure AD


Hello PANgurus! How's it going? I hope it's going well.


Due to licensing, Azure AD only has Azure AD, so at the enterprise app level I can only assign users, but I doubt whether it works well with groups, i.e. in the Assign part, can I assign groups and not just users to authenticate without problems with GP, at the level of the Enterprise App with Azure AD SAML for GlobalProtect PANW?


Is it feasible to make group-based policies, i.e.:

GP source zone - destination DMZ01, Azure source group: IT01

I.e. Azure AD group IT01@contoso.com, another with SEC01@contoso.com, Infra@contoso.com.


MetgatzGR
Apr 08, 2025

Hi master Reaper, thanks as always.


So for the auth I can assign a group, and the enterprise app will do it right and validate the users within the group assigned in the enterprise app, for the OK auth, for the GP auth from the Enterprise App, with the user being within the assigned groups of the Azure enterprise app for SAML Office 365?


Understanding that these are two different processes, that means I must have something like LDAP group mapping for the groups, to then use them in the security policies.

But what happens when the customer only has Azure AD and groups and will use SAML for authentication? Can I simply put a group in the policy and it will recognize the group's user(s), or must it look for the method as is done with LDAP AD on-prem?


Thank you, master, for your time, collaboration and great patience.

IPv6 Firewalling

Can someone explain what it is and what the difference is between checked and unchecked?


I read this: "To enable firewall capabilities for IPv6 traffic, Edit and select IPv6 Firewalling. The firewall ignores all IPv6-based configurations if you do not enable IPv6 firewalling. Even if you enable IPv6 traffic on an interface, you must also enable the IPv6 Firewalling option for IPv6 firewalling to function."


But it's not really registering in my head exactly what that means in plain English.

Reaper
Feb 26, 2025

So basically:

If you don't enable IPv6 on your firewall, clients using IPv6 will bypass your firewall.

If you don't want to allow IPv6, enable it on the firewall and don't set any rules.
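As an added example (not from the thread, and not Palo Alto Networks code), here is a small Python audit that reads a PAN-OS XML configuration export and flags the exact gap Reaper describes: IPv6 enabled on an interface while the global IPv6 Firewalling switch is still off, so IPv6 flows would not be evaluated against the rulebase. It assumes the global switch lives at deviceconfig/setting/session/ipv6-firewalling (the CLI form is `set deviceconfig setting session ipv6-firewalling yes`) and that a Layer 3 interface's IPv6 state is under layer3/ipv6/enabled; it only walks ethernet and aggregate-ethernet interfaces and their subinterfaces. Confirm those paths against your own export before trusting the result. The sample configuration is constructed for the example.

```python
"""Audit a PAN-OS config export for the 'IPv6 enabled, IPv6 firewalling off' gap.

Added example, not from the original post or from Palo Alto Networks.
Assumed XML paths (verify against a real `show config running` export):
  deviceconfig/setting/session/ipv6-firewalling   -> global switch, yes/no
  network/interface/<kind>/entry/layer3/ipv6/enabled -> per-interface IPv6
"""
import xml.etree.ElementTree as ET

# Constructed sample: IPv6 enabled on ethernet1/1, global switch left at "no".
SAMPLE_CONFIG = """<config>
  <devices>
    <entry name="localhost.localdomain">
      <deviceconfig><setting><session>
        <ipv6-firewalling>no</ipv6-firewalling>
      </session></setting></deviceconfig>
      <network><interface><ethernet>
        <entry name="ethernet1/1">
          <layer3>
            <ipv6>
              <enabled>yes</enabled>
              <address><entry name="2001:db8:1::1/64"/></address>
            </ipv6>
            <units>
              <entry name="ethernet1/1.10">
                <ipv6><enabled>yes</enabled></ipv6>
              </entry>
            </units>
          </layer3>
        </entry>
        <entry name="ethernet1/2">
          <layer3><ip><entry name="192.0.2.1/24"/></ip></layer3>
        </entry>
      </ethernet></interface></network>
    </entry>
  </devices>
</config>"""

INTERFACE_KINDS = ("ethernet", "aggregate-ethernet")  # assumption: only these are walked


def _yes(node):
    """True when the element exists and its text is 'yes'."""
    return node is not None and (node.text or "").strip().lower() == "yes"


def audit_ipv6(xml_text):
    """Return {'ipv6_firewalling': bool, 'ipv6_interfaces': [...], 'bypass_risk': bool}.

    bypass_risk is True when some interface carries IPv6 but the global switch is
    off: those flows are not matched against the security rulebase.
    """
    root = ET.fromstring(xml_text)
    fw_on = False
    ipv6_ifaces = []
    for dev in root.iterfind("./devices/entry"):
        fw_on = fw_on or _yes(dev.find("./deviceconfig/setting/session/ipv6-firewalling"))
        for kind in INTERFACE_KINDS:
            for iface in dev.iterfind(f"./network/interface/{kind}/entry"):
                # parent interface plus any Layer 3 subinterfaces (units)
                candidates = [(iface.get("name"), iface.find("./layer3"))]
                for unit in iface.iterfind("./layer3/units/entry"):
                    candidates.append((unit.get("name"), unit))
                for name, l3 in candidates:
                    if l3 is not None and _yes(l3.find("./ipv6/enabled")):
                        ipv6_ifaces.append(name)
    return {
        "ipv6_firewalling": fw_on,
        "ipv6_interfaces": ipv6_ifaces,
        "bypass_risk": bool(ipv6_ifaces) and not fw_on,
    }


def fix_ipv6_firewalling(xml_text):
    """Return the config with ipv6-firewalling forced to 'yes'.

    This is the posture from the reply above: turn the switch on and let the
    rulebase decide what IPv6, if anything, is allowed. Missing parent nodes are
    created so the function also works on a minimal export.
    """
    root = ET.fromstring(xml_text)
    for dev in root.iterfind("./devices/entry"):
        node = dev
        for tag in ("deviceconfig", "setting", "session", "ipv6-firewalling"):
            child = node.find(tag)
            if child is None:
                child = ET.SubElement(node, tag)
            node = child
        node.text = "yes"
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    before = audit_ipv6(SAMPLE_CONFIG)
    print("before:", before)
    after = audit_ipv6(fix_ipv6_firewalling(SAMPLE_CONFIG))
    print("after: ", after)
```

Run it against a saved export (replace SAMPLE_CONFIG with the file contents) and treat bypass_risk being True as a finding: either switch IPv6 Firewalling on, or remove the IPv6 address from the interface if IPv6 is not meant to be in use at all.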


Contact
PANgurus BV
VAT: BE0769507136
INFO@PANGURUS.COM
+32 (486) 986 753

©2020 by PANgurus.
