Groups Feed

View groups and posts below.


This post is from a suggested group

Welcome to our group PANgurus Group! A space for us to connect and share with each other. Start by posting your thoughts, sharing media, or creating a poll.

This post is from a suggested group

kelly brook

How do I start preparing for the PCNSE exam?

I’m planning to take the PCNSE and not sure where to begin. Any tips or recommended resources to get started?

21 Views
CyberforceZero
Jun 09, 2025

Fyi "The PCNSE certification exam is scheduled for retirement on July 31, 2025" https://live.paloaltonetworks.com/t5/certification-articles/what-is-replacing-the-pcnse/ta-p/1227937 So make sure you pass it before July 31, 2025.

There are replacements for the PCNSE, discussed in PA's YouTube channel. There are 3 parts to this video.

June 2025 Fuel Workshop: Certifications - Part 1

This post is from a suggested group

Anyone with exp in PAN-OS SD-WAN without Panorama for VPN S2S Dual ISP?

Hi PANGURUS-community, how's it going?


Does anyone have operational, functional experience of PAN-OS SD-WAN deployments (firewall SD-WAN without Panorama and without CloudGenix appliances) operating and running sites with two ISPs for IPsec S2S VPN connections?

Today we operate PAN-OS SD-WAN only for outbound internet, with 2 unified links. It operates well, with limitations, but it works and works well.


We are now thinking of moving to VPN S2S using the PAN-OS SD-WAN scheme. Does anyone have experience of deploying it in their environment? Does it operate correctly? Any tips, points to focus on, recommendations, headaches, etc.? If you have had any unexpected problems, what has been your feedback and your experience operating VPN S2S between HQ and at least 5, 10 or more PAN-OS branch sites, between your PANW branch firewalls and the HQ?


17 Views
CyberforceZero
Apr 28, 2025

Hi MetgatzGR,

They say that SDWAN can't be done without Panorama because if you have S2S VPN, each side needs to know the other's info such as tunnel interface IPs. This comes from Panorama, there's no other easy way to have each site know about each other. Unless you're running the SDWAN in some very limited way?


This post is from a suggested group

PANW - Router RIP - Help Fortigate to PANW

Hi master reaper, thanks as always for your time, collaboration and patience.


I have the following issue: I am reviewing documentation and validating everything, but I have big doubts. At Cisco CCNA level I understand RIP well.


I am migrating some Fortigate firewalls to PANW, and everything is excellent, everything good, nothing new, everything OK.


I have been debugging for hours and days but everything is fine.


But with RIP I have huge doubts. It is a simple config, but Palo Alto Networks does not have a filter example, and it is a config so simple that I am embarrassed. Can someone help me move it from Fortigate to PANW? I am clear that I must apply the redistribution profile for what is connected and static, but look, it is just this. Maybe I'm making it too complicated. Obviously it has slight adjustments, but the base is the same:

config router rip

config distribute-list

6 Views

This post is from a suggested group

Globalprotect Azure-AD SAML Integration - Policy Based Groups Azure-AD


Hello PanGurus, how's it going? I hope it's going well.


For licensing reasons the customer only has Azure AD, so at the enterprise app level I can only assign users, but I have my doubts whether it operates well with groups. I.e., in the Assign part, can I assign groups and not just users to authenticate without having problems with GP, at the level of the enterprise app with Azure AD SAML for GlobalProtect PANW?


Is it feasible to make group-based policies, i.e.:

GP source zone - destination DMZ01 Azure Source Group: IT01

I.e. Azure AD group IT01@contoso.com, another with SEC01@contoso.com, Infra@contoso.com.


12 Views
MetgatzGR
Apr 08, 2025

Hi master reaper, thanks as always.


So for the auth I can assign a group, and the enterprise app will do it right and validate the users within the group, in the assigned groups of the enterprise app, for the GP auth from the enterprise app, with the user being within the assigned groups of the Azure enterprise app for SAML Office 365?


Understanding that they are two different processes, that means I must have something like LDAP mapping for the groups to then use them in the security policies.

But what happens when the customer only has Azure AD and groups and will use SAML for authentication? Can I simply put a group in the policy and it will recognize the group user(s), or must it look them up the way it is done with on-prem LDAP AD?


Thank you master for your time, collaboration and great patience.

This post is from a suggested group

IPv6 Firewalling

Can someone explain what it is and what the difference is between checked and unchecked?


I read this, "To enable firewall capabilities for IPv6 traffic, Edit and select IPv6 Firewalling.

The firewall ignores all IPv6-based configurations if you do not enable IPv6 firewalling. Even if you enable IPv6 traffic on an interface, you must also enable the IPv6 Firewalling option for IPv6 firewalling to function."


But it's not really registering in my head exactly what that means in plain English.

21 Views
Reaper
Feb 26, 2025

So basically:

If you don't enable IPv6 on your firewall, clients using IPv6 will bypass your firewall.

If you don't want to allow IPv6, enable it on the firewall and don't set any rules.

This post is from a suggested group

HA communication over HA2

We have a client who does not have a HA2 link and we expected the fail over to not be smooth because the sessions are not being synced, but we found that HA state information was also not being synced.


According to the documentation, this should happen over HA1, which is functional.


What am I missing?


Thank you!

20 Views
Squeaker
Nov 24, 2024

The firewall that should be passive was stuck in the initial state and would not become passive as it said it was waiting for HA state information.


I'll get the exact wording later today when I get back to my keyboard.

This post is from a suggested group

Change in NAT Oversubscription hotfix upgrade

During an upgrade from PAN-OS 10.2.3 to PAN-OS 10.2.12-h2 we saw the upgraded firewall go non-functional due to NAT Oversubscription mismatch.


I have seen this when upgrading between major versions, but not in such a minor change.


Is it expected to have a change like this when upgrading maintenance versions?

83 Views
Reaper
Nov 24, 2024

It's been required to have NAT oversubscription be identical on both peers for a long time.

It's possible that in 10.2 this setting was actually not checked due to a bug and with the upgrade this was fixed (had a similar issue with HA1 going down due to ping on aux interfaces going from implied to explicit between 11.1.4 and 11.1.5 recently).

This post is from a suggested group

Device Group and Firewall Configuration Merge

Hi


I have a Firewall currently setup in a Panorama Device Group.


I now want to manage a new Firewall that has a similar set of rules (not an HA) so I want to put it in the same Device Group, so the rules are synced going forward.


My question is what happens to the rules on the 2nd Firewall when I add it to the Device Group and push the policy? Do the Device Group rules (currently from the 1st Firewall import) get merged with the existing rules? Will duplicates get removed? Or will it overwrite the whole config?


Many thanks.

60 Views
stevegreen000
Oct 31, 2024

Thank you for the reply.


What I was planning is adding the 2nd Firewall to Panorama using a push config bundle, so it is initially individually managed and then moving it to the existing Device Group and pushing the Device Group policy. This is where I am wondering if it will merge the configs.

Contact
PANgurus BV
VAT: BE0769507136
INFO@PANGURUS.COM
+32 (486) 986 753

©2020 by PANgurus.