Friday, 17 January 2025

Palo Alto and Azure SAML auth

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g0000008U48CAE


Generate the new cert and make it active

Delete the old cert

Wait a few minutes for Azure to update

Download the xml

Delete the old certs from the Palo

Import the XML into the Palo; this creates the cert and the SAML IdP profile

Don't tick the validate checkbox

Select the new IdP profile in your Azure authentication profile
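A check worth running between "wait a few minutes for Azure to update" and the import: open the downloaded federation metadata and confirm that only the new signing certificate is in it, since Azure keeps advertising the old one until the change has propagated. The script below is an added example, not part of the original post or of the Palo Alto article; it uses only the Python standard library, and the metadata document, tenant ID and certificate bytes in it are constructed placeholders (the "certificate" is just the bytes `abc`, so the fingerprints are the well-known SHA-1/SHA-256 values of that string).

```python
"""Inspect Azure/Entra SAML federation metadata before importing it into PAN-OS.

Added example (not from the original post). Reports the entity ID, the HTTP-Redirect
SSO URL and the SHA-1/SHA-256 fingerprints of every signing certificate in the file,
so you can compare them with the thumbprint shown in the Azure portal and confirm
that the old certificate is gone before importing the XML into the firewall.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample: one signing cert, one encryption cert. TENANT-ID-PLACEHOLDER
# stands in for the real tenant GUID and "YWJj" (base64 of b"abc") for the DER cert.
SAMPLE_ONE_CERT = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://sts.windows.net/TENANT-ID-PLACEHOLDER/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>YWJj</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </KeyDescriptor>
    <KeyDescriptor use="encryption">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>ZW5j</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""

# Constructed sample of the in-between state: Azure still lists the old signing cert
# ("ZGVm", base64 of b"def") next to the new one.
SAMPLE_TWO_CERTS = SAMPLE_ONE_CERT.replace(
    "</KeyDescriptor>",
    "</KeyDescriptor>\n    <KeyDescriptor use=\"signing\">"
    "<ds:KeyInfo><ds:X509Data><ds:X509Certificate>ZGVm</ds:X509Certificate>"
    "</ds:X509Data></ds:KeyInfo></KeyDescriptor>",
    1,
)


def signing_certs(metadata_xml: str) -> dict:
    """Return entity ID, HTTP-Redirect SSO URLs and fingerprints of the signing certs."""
    root = ET.fromstring(metadata_xml)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor in metadata")
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        # A KeyDescriptor without a 'use' attribute is valid for both signing and encryption.
        if kd.get("use") not in (None, "signing"):
            continue
        for x in kd.findall(".//ds:X509Certificate", NS):
            der = base64.b64decode("".join(x.text.split()))
            certs.append({
                "sha1": hashlib.sha1(der).hexdigest(),
                "sha256": hashlib.sha256(der).hexdigest(),
                "der_len": len(der),
            })
    sso = [
        s.get("Location")
        for s in idp.findall("md:SingleSignOnService", NS)
        if s.get("Binding", "").endswith("HTTP-Redirect")
    ]
    return {"entity_id": root.get("entityID"), "sso_redirect": sso, "certs": certs}


def rotation_complete(metadata_xml: str) -> bool:
    """True once the metadata advertises exactly one signing certificate."""
    return len(signing_certs(metadata_xml)["certs"]) == 1


if __name__ == "__main__":
    import sys
    xml_text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_ONE_CERT
    info = signing_certs(xml_text)
    print("entityID :", info["entity_id"])
    print("SSO      :", info["sso_redirect"])
    for c in info["certs"]:
        print("signing  : sha1", c["sha1"], "sha256", c["sha256"])
    print("only the new cert present:", rotation_complete(xml_text))
```

Run it as `python check_metadata.py federationmetadata.xml` against the file Azure gave you; if it reports two signing certificates, the portal has not finished propagating and importing now will create a profile that still trusts the old key.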

Thursday, 2 January 2025

NAT rules on Palo Alto

Making a note because it's a bit different to Cisco ASA


NAT rule

OUTSIDE > OUTSIDE 

Public src > Public dst


FW rule 

OUTSIDE > INSIDE (the security policy is matched on the post-NAT zone, so the destination zone is INSIDE even though the NAT rule says OUTSIDE)

Public src > Public dst (the security rule still matches the pre-NAT public destination address)

Monday, 16 December 2024

Tuesday, 10 December 2024

Dynamic split tunnel on FTD

https://www.cisco.com/c/en/us/support/docs/security/anyconnect-secure-mobility-client-v4x/220247-configure-anyconnect-dynamic-split-tunne.html

Tuesday, 26 November 2024

GRE tunnels not coming up

Have an issue but not sure of the cause: sometimes the GRE tunnel does not re-establish over a S2S VPN.


Save backup config and check routes

Ensure your S2S VPN config is correct; usually you will see the VPN phase 1 up but the GRE tunnel showing as up/down.

Shut down the tunnel interfaces on both ends

Save the router config

Reboot the remote router

Bring up the tunnel interface on the HQ router

Now bring it up on the remote router


Ensure all routes are in place

remote > HQ (tunnelxx)

HQ > remote (tunnelxx)
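To confirm the two checks in this note (tunnel up/up on both ends, and each side routing the far LAN via the tunnel) from captured CLI output rather than by eye, here is an added example that parses `show ip interface brief` and `show ip route` text. It is not from the original post; the outputs, interface name `Tunnel10`, prefixes and next hops are constructed to look like IOS output, with the HQ side showing the up/down symptom described above and the remote side missing its tunnel route.

```python
"""Check GRE-over-VPN recovery state from IOS show output. Added example, not from the post.

tunnel_state(): Status/Protocol of one interface from 'show ip interface brief'
route_via():    next hop or exit interface for a prefix from 'show ip route'
check_side():   findings for one router: tunnel not up/up, or far LAN not routed via tunnel
All sample outputs below are constructed.
"""
import re

HQ_BRIEF = """\
Interface              IP-Address      OK? Method Status                Protocol
GigabitEthernet0/0     198.51.100.1    YES manual up                    up
Tunnel10               172.16.10.1     YES manual up                    down
"""

REMOTE_BRIEF = """\
Interface              IP-Address      OK? Method Status                Protocol
GigabitEthernet0/0     198.51.100.2    YES manual up                    up
Tunnel10               172.16.10.2     YES manual up                    up
Tunnel20               172.16.20.2     YES manual administratively down down
"""

HQ_ROUTES = """\
S        10.20.0.0/16 is directly connected, Tunnel10
C        172.16.10.0/30 is directly connected, Tunnel10
"""

# Remote side: the HQ LAN is (wrongly) routed to the WAN next hop instead of the tunnel.
REMOTE_ROUTES = """\
S        10.10.0.0/16 [1/0] via 198.51.100.1
C        172.16.10.0/30 is directly connected, Tunnel10
"""

ROUTE_RE = re.compile(
    r"^\S+\s+(?P<prefix>\S+)\s+(?:\[\d+/\d+\]\s+via\s+(?P<hop>\S+)|is directly connected,\s+(?P<iface>\S+))"
)


def tunnel_state(brief_output: str, iface: str):
    """Return (status, protocol) for iface, or None if it is not listed.

    Status can be more than one word ('administratively down'), so take everything
    between the Method column and the final Protocol column.
    """
    for line in brief_output.splitlines():
        cols = line.split()
        if len(cols) >= 6 and cols[0] == iface:
            return " ".join(cols[4:-1]), cols[-1]
    return None


def route_via(route_output: str, prefix: str):
    """Return the next-hop IP or exit interface for an exact prefix, else None."""
    for line in route_output.splitlines():
        m = ROUTE_RE.match(line)
        if m and m.group("prefix") == prefix:
            return m.group("hop") or m.group("iface")
    return None


def check_side(brief_output: str, route_output: str, iface: str, far_lan: str) -> list:
    """Findings for one router; an empty list means this side looks right."""
    findings = []
    state = tunnel_state(brief_output, iface)
    if state is None:
        findings.append(f"{iface} not found")
    elif state != ("up", "up"):
        findings.append(f"{iface} state is {state[0]}/{state[1]}")
    hop = route_via(route_output, far_lan)
    if hop != iface:
        findings.append(f"route to {far_lan} goes via {hop}, not {iface}")
    return findings


if __name__ == "__main__":
    print("HQ    :", check_side(HQ_BRIEF, HQ_ROUTES, "Tunnel10", "10.20.0.0/16"))
    print("remote:", check_side(REMOTE_BRIEF, REMOTE_ROUTES, "Tunnel10", "10.10.0.0/16"))
```

Paste the real output of both routers into the two string pairs (or read them from files) and run the script after the shut/no shut sequence; an empty list for both sides is the "all routes are in place" state.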

Thursday, 21 November 2024

FMC 7.4 notes

Create a blank policy called "onboarding" with nothing attached

This is for when you are moving FTDs between FMCs; there are some unique things like NAT and interface zones, so best to

Make sure to backup your policy

Note the ASA-side IP / routing config

Delete the manager

Wipe the FTD

Add to the new manager (onboarding policy)

Once added, switch to your new real policy

Tuesday, 29 October 2024

Review EOL switches for replacement

The EOL doc will recommend a replacement path. If not, you will need to figure it out.


Check software and hardware

Check for fibre connections

Check CDP

Check routing (2 EIGRP neighbors; we may need the Advantage license)

sh ver (check port numbers)

sh inv | i stack (check stack cables)

sh switch