https://live.paloaltonetworks.com/t5/general-topics/how-to-setup-pan-to-inspect-monitor-wireless-traffic/m-p/46139#M33904 <HTML><HEAD></HEAD><BODY><P>Screenshot:</P><P></P><P>1. setup vwire on ethernet0/5 and ethernet0/6 with (both) trusted interface</P><P>2. no policies where applied to either interface</P><P>3. from the lan I could not browse to controller nor see broadcast SSIDs </P></BODY></HTML> Tue, 08 Nov 2011 23:11:15 GMT psimilien_1 2011-11-08T23:11:15Z https://live.paloaltonetworks.com/t5/general-topics/how-to-setup-pan-to-inspect-monitor-wireless-traffic/m-p/46131#M33896 <HTML><HEAD></HEAD><BODY><P>I am currently running a PA-500 in IPS mode and is setup as a VWire behind my ASA. I have an environment that consist of a Cisco wireless controller and APs. How do I monitor my wireless traffic or better yet how do i setup policies for this? </P><P></P><P>By the way I had a conversation with support this morning and it went no where.</P></BODY></HTML> Tue, 08 Nov 2011 13:21:12 GMT https://live.paloaltonetworks.com/t5/general-topics/how-to-setup-pan-to-inspect-monitor-wireless-traffic/m-p/46131#M33896 psimilien_1 2011-11-08T13:21:12Z https://live.paloaltonetworks.com/t5/general-topics/how-to-setup-pan-to-inspect-monitor-wireless-traffic/m-p/46132#M33897 <HTML><HEAD></HEAD><BODY><P>My question has not been answered yet </P></BODY></HTML> Tue, 08 Nov 2011 22:43:34 GMT https://live.paloaltonetworks.com/t5/general-topics/how-to-setup-pan-to-inspect-monitor-wireless-traffic/m-p/46132#M33897 psimilien_1 2011-11-08T22:43:34Z https://live.paloaltonetworks.com/t5/general-topics/how-to-setup-pan-to-inspect-monitor-wireless-traffic/m-p/46133#M33898 <HTML><HEAD></HEAD><BODY><P>P,</P><P>I think part of what you are asking is really a professional services design question as opposed to a configuration issue.</P><P style="text-align: left;">As far as monitoring your wireless traffic, unless the traffic crosses the wire and passes through either a switch or the PA-500 it won't see the traffic - so any wireless to wireless traffic will not be seen unless you are able to span that traffic out to the PA-500.</P><P style="text-align: left;">Hope that is of some help</P><P style="text-align: left;">James</P></BODY></HTML> Tue, 08 Nov 2011 22:55:06 GMT https://live.paloaltonetworks.com/t5/general-topics/how-to-setup-pan-to-inspect-monitor-wireless-traffic/m-p/46133#M33898 jcostello 2011-11-08T22:55:06Z https://live.paloaltonetworks.com/t5/general-topics/how-to-setup-pan-to-inspect-monitor-wireless-traffic/m-p/46134#M33899 <HTML><HEAD></HEAD><BODY><P>Your question is rather broad. Could you give us some more specifics about your implementation?</P><P></P><P>Are you going to allow all traffic bidirectionally? If not what applications will you allow and in which direction?</P><P>Do you need to identify users and map them to IP addresses?</P><P>I assume you will be implementing security profiles to block viruses, malware, spyware and attempts to exploit vulnerabilities. Please confirm if you plan to do this?</P><P>Do you plan to implement file blocking?</P><P>Will you implement data filtering?</P><P>Are you going to implement URL filtering? (requires a license)</P><P></P><P>thanks,</P><P></P><P>Benjamin</P></BODY></HTML> Tue, 08 Nov 2011 22:56:11 GMT https://live.paloaltonetworks.com/t5/general-topics/how-to-setup-pan-to-inspect-monitor-wireless-traffic/m-p/46134#M33899 bpappas 2011-11-08T22:56:11Z https://live.paloaltonetworks.com/t5/general-topics/how-to-setup-pan-to-inspect-monitor-wireless-traffic/m-p/46135#M33900 <HTML><HEAD></HEAD><BODY><P>What I would like to do is create a vwire for the traffic from the controller to the core switch. My problem is that, in doing so traffic is block without any policie setting. How can I set this up? </P></BODY></HTML> Tue, 08 Nov 2011 23:00:22 GMT https://live.paloaltonetworks.com/t5/general-topics/how-to-setup-pan-to-inspect-monitor-wireless-traffic/m-p/46135#M33900 psimilien_1 2011-11-08T23:00:22Z https://live.paloaltonetworks.com/t5/general-topics/how-to-setup-pan-to-inspect-monitor-wireless-traffic/m-p/46136#M33901 <HTML><HEAD></HEAD><BODY><P>The anwser to your questions are yes and yes. I would like to setup a vwire or layer 3 interface (if needed) to map ip to users..ect... </P></BODY></HTML> Tue, 08 Nov 2011 23:02:32 GMT https://live.paloaltonetworks.com/t5/general-topics/how-to-setup-pan-to-inspect-monitor-wireless-traffic/m-p/46136#M33901 psimilien_1 2011-11-08T23:02:32Z https://live.paloaltonetworks.com/t5/general-topics/how-to-setup-pan-to-inspect-monitor-wireless-traffic/m-p/46137#M33902 <HTML><HEAD></HEAD><BODY><P>Could you please post a screengrab of your security policies?</P><P></P><P>Once I see that I can give you some specific guidance on most of the questions that you have.</P><P></P><P>Thanks,</P><P></P><P>Benjamin</P></BODY></HTML> Tue, 08 Nov 2011 23:06:53 GMT https://live.paloaltonetworks.com/t5/general-topics/how-to-setup-pan-to-inspect-monitor-wireless-traffic/m-p/46137#M33902 bpappas 2011-11-08T23:06:53Z https://live.paloaltonetworks.com/t5/general-topics/how-to-setup-pan-to-inspect-monitor-wireless-traffic/m-p/46138#M33903 <HTML><HEAD></HEAD><BODY><P>P-</P><P>Here is a link to an older configuration document on how to set up a Virtual Wire evaluation</P><P><A class="jive-link-external-small" href="https://live.paloaltonetworks.com/docs/DOC-1165">https://live.paloaltonetworks.com/docs/DOC-1165</A></P><P>The core concepts have not changed.</P><P>You will need a set of policies to pass traffic between the interfaces - the simplest are</P><P>1. Zone 1 to Zone 2 allow any address to any application and services</P><P>2. Zone 2 to Zone 1 allow any address to any application and services</P><P>You can add complexity with more rules as you go.</P><P>Hope that helps</P><P>James</P></BODY></HTML> Tue, 08 Nov 2011 23:10:55 GMT https://live.paloaltonetworks.com/t5/general-topics/how-to-setup-pan-to-inspect-monitor-wireless-traffic/m-p/46138#M33903 jcostello 2011-11-08T23:10:55Z https://live.paloaltonetworks.com/t5/general-topics/how-to-setup-pan-to-inspect-monitor-wireless-traffic/m-p/46139#M33904 <HTML><HEAD></HEAD><BODY><P>Screenshot:</P><P></P><P>1. setup vwire on ethernet0/5 and ethernet0/6 with (both) trusted interface</P><P>2. no policies where applied to either interface</P><P>3. from the lan I could not browse to controller nor see broadcast SSIDs </P></BODY></HTML> Tue, 08 Nov 2011 23:11:15 GMT https://live.paloaltonetworks.com/t5/general-topics/how-to-setup-pan-to-inspect-monitor-wireless-traffic/m-p/46139#M33904 psimilien_1 2011-11-08T23:11:15Z https://live.paloaltonetworks.com/t5/general-topics/how-to-setup-pan-to-inspect-monitor-wireless-traffic/m-p/46140#M33905 <HTML><HEAD></HEAD><BODY><P>P -</P><P>You will still need to configure a trust to trust rule. Traffic passing between interfaces on a Palo Alto Firewall still needs to have zone relative rules to allow the traffic to pass.</P><P>Since you do not have a security policy from trust to trust, no traffic is passing.</P><P>James</P></BODY></HTML> Tue, 08 Nov 2011 23:23:42 GMT https://live.paloaltonetworks.com/t5/general-topics/how-to-setup-pan-to-inspect-monitor-wireless-traffic/m-p/46140#M33905 jcostello 2011-11-08T23:23:42Z https://live.paloaltonetworks.com/t5/general-topics/how-to-setup-pan-to-inspect-monitor-wireless-traffic/m-p/46141#M33906 <HTML><HEAD></HEAD><BODY><P>Will let you know the outcome of this soon, thank you. </P></BODY></HTML> Wed, 09 Nov 2011 15:57:10 GMT https://live.paloaltonetworks.com/t5/general-topics/how-to-setup-pan-to-inspect-monitor-wireless-traffic/m-p/46141#M33906 psimilien_1 2011-11-09T15:57:10Z