ExamFerret

Palo Alto software images, any platform, any release


I have a few questions for people in this topic.

I am thinking about purchasing a used PA-3050. I don't know a lot about the physical units.

What should I look for before purchasing?

Does it need to be activated, or can I use it as a firewall and router without having to purchase any licenses? I am not really interested in IDS/IPS or antivirus.

Any general suggestions before purchasing a unit?

Thank You for your input and help.


My PA-500 has 5.0 and I need to upgrade to 8.1.x

I have 6, 6.1, 7, 7.1, 8.0 and 8.1, but my PA-500 is at 5.0 and needs 5.1 and the other files called APP_Id or something

I upgraded from 5.0 to 6.0, then trying to upgrade to 6.1 I get error of  but I need context version 451 or greater

Edited by foodisevil

2 hours ago, foodisevil said:

> My PA-500 has 5.0 and I need to upgrade to 8.1.x
>
> I have 6, 6.1, 7, 7.1, 8.0 and 8.1, but my PA-500 is at 5.0 and needs 5.1 and the other files called APP_Id or something
>
> I upgraded from 5.0 to 6.0, then trying to upgrade to 6.1 I get error of  but I need context version 451 or greater

Get MrFranklin's files posted on March 28, 2019, and upload them to Dynamic Updates. Just a heads up: the closer you get to 8.1.0, the slower the system is.

On 10/14/2020 at 1:00 AM, knightwillhem said:

> I have a few questions for people in this topic.
>
> I am thinking about purchasing a used PA-3050. I don't know a lot about the physical units.
>
> What should I look for before purchasing?
>
> Does it need to be activated, or can I use it as a firewall and router without having to purchase any licenses? I am not really interested in IDS/IPS or antivirus.
>
> Any general suggestions before purchasing a unit?
>
> Thank You for your input and help.

Good HW device. Most items are sold w/o any creds, so you'll have to factory reset them and no licenses will be inside.

The most precious feature for me - application recognition - will still work, and in general the PA-3000 series are really good.

High Availability works w/o any additional licensing as well (just need the same PanOS).

Also one curious thing - the 3020 has a noisier cooling system (I'd say 1.2-1.5x more noise than the 3050).

The 3060 is also a cool device with 10Gbit ports, but it is 1.5RU in size.

The only question before buying, I would say, is the PanOS version: if you get it with an old OS you'll have to do all the upgrades, and between some major versions that will also require additional CLI steps and downloading application recognition files.

The latest PanOS available is 9.1 (thanks to the fellows here in this thread I came to know that PanOS 10 won't be available for the PA-3000 series, so you should also consider this fact if that matters).

Let me know if you have any questions.

4 hours ago, Kreator777 said:

> Good HW device. Most items are sold w/o any creds, so you'll have to factory reset them and no licenses will be inside.
>
> The most precious feature for me - application recognition - will still work, and in general the PA-3000 series are really good.
>
> High Availability works w/o any additional licensing as well (just need the same PanOS).
>
> Also one curious thing - the 3020 has a noisier cooling system (I'd say 1.2-1.5x more noise than the 3050).
>
> The 3060 is also a cool device with 10Gbit ports, but it is 1.5RU in size.
>
> The only question before buying, I would say, is the PanOS version: if you get it with an old OS you'll have to do all the upgrades, and between some major versions that will also require additional CLI steps and downloading application recognition files.
>
> The latest PanOS available is 9.1 (thanks to the fellows here in this thread I came to know that PanOS 10 won't be available for the PA-3000 series, so you should also consider this fact if that matters).
>
> Let me know if you have any questions.

I guess my main question is, can it be used as a firewall, router and VPN endpoint without being licensed?

I have some Ubiquiti EdgeRouters, but am not really happy with the performance and looking for something a bit better performing.

I recently purchased a Cisco ASA 5550 and was not impressed with the over-complicated setup and usability. It was the first time using anything Cisco in a really long time. I immediately remembered why I don't like Cisco.

Thank You Kreator777.

5 hours ago, knightwillhem said:

> I guess my main question is, can it be used as a firewall, router and VPN endpoint without being licensed?
>
> I have some Ubiquiti EdgeRouters, but am not really happy with the performance and looking for something a bit better performing.
>
> I recently purchased a Cisco ASA 5550 and was not impressed with the over-complicated setup and usability. It was the first time using anything Cisco in a really long time. I immediately remembered why I don't like Cisco.
>
> Thank You Kreator777.

Firewall - no issues w/o licenses/support.

VPN - GlobalProtect can be used. Be aware that it doesn't allow mobile clients to connect and, for some reason known only to PA, Linux as well (that will require a license). But there's an option to use L2TP - it works for Linux and should for mobile clients as well, but I haven't tested it.

Router - no issues.

As for additional protection, you will be able to use DDoS for free as well.

BTW, I also migrated completely from ASAs to Palo Alto, as I consider them the best firewalls at the present moment.

If you're setting up a PA for the first time, I'd recommend just buying a course from Udemy and going over the topics.

Interfaces / SNAT / DNAT / Policies setup is not a problem and is more or less clear, but for GlobalProtect VPN I'd definitely use a learning video since it is not quite straightforward.

knightwillhem
Kreator777

What's the problem with using the FPR2100 or FPR4100 Series? It's more universal and cheaper than any PA; in particular, the licensing issue has long been resolved, there is a huge secondary market, and you can also buy Cisco Refresh Certified at a more affordable price...

P.S. As for the ASA, forget about it... RIP

As for a price example for Cisco Refresh Certified, you can find one in Telegram @cisco_collection

Edited by root0

12 hours ago, Kreator777 said:

> Firewall - no issues w/o licenses/support.
>
> VPN - GlobalProtect can be used. Be aware that it doesn't allow mobile clients to connect and, for some reason known only to PA, Linux as well (that will require a license). But there's an option to use L2TP - it works for Linux and should for mobile clients as well, but I haven't tested it.
>
> Router - no issues.
>
> As for additional protection, you will be able to use DDoS for free as well.
>
> BTW, I also migrated completely from ASAs to Palo Alto, as I consider them the best firewalls at the present moment.
>
> If you're setting up a PA for the first time, I'd recommend just buying a course from Udemy and going over the topics.
>
> Interfaces / SNAT / DNAT / Policies setup is not a problem and is more or less clear, but for GlobalProtect VPN I'd definitely use a learning video since it is not quite straightforward.

I have no experience with GlobalProtect, but prefer L2TP/IPsec anyway. I was just wondering how complicated L2TP/IPsec is to configure in Palo Alto?

I was originally going to set up pfSense on an R610 or R620 as my firewall/router, but was thinking that ASA or Palo Alto might be a good fit and could learn more in the process.

I am basically using the router/firewall to protect a couple of Dell VRTX units in my home lab running vSphere 6.5. I am also going to be using NSXv with the Ubiquiti EdgeSwitches. They can do minor Layer 3 routing and that is good enough for what I need.

Thanks for your help.
