https://live.paloaltonetworks.com/t5/general-topics/isa-tmg-problem-with-pa-500-in-vwire-mode/m-p/9269#M6784 <HTML><HEAD></HEAD><BODY><P>users who are a member of selected group hit rule one. anyone outwith rule one hits rules two (as you would expect)</P><P></P><P>we seem to have our user group issue solved kal.</P><P></P><P>now the main problem is getting rid of rule two and why the pa-500 is restricting our edge firewall from communicating with the network.</P></BODY></HTML> Thu, 26 Jan 2012 12:43:49 GMT d_ballam 2012-01-26T12:43:49Z https://live.paloaltonetworks.com/t5/general-topics/isa-tmg-problem-with-pa-500-in-vwire-mode/m-p/9267#M6782 <HTML><HEAD></HEAD><BODY><P>background:</P><P></P><P>we have a new installation of a PA-500 (running 4.1.2) which sits behind our edge firewall (TMG 2010) in vwire mode.</P><P></P><P>basic setup. the pa-500 external interface connects directly into the edge firewalls internal interface and the pa-500 internal interface connects directly to our production network. our DNS, AD etc are all on this production network. the PA-500 is only doing content filtering for web / applications.</P><P></P><P>we have have the following rules (simplified but basically the important parts)</P><P></P><P></P><P>rule #1 allow internal to external for &lt;selected users&gt;</P><P></P><P>rule#2 allow internal to external for any users</P><P></P><P>rule #3 deny from internal to external for any</P><P></P><P>as you can see rule one is used for selected members on the domain</P><P></P><P>rule 2 <STRONG>shouldnt</STRONG> be required as this basically lets anyone who isnt a member of the selected group from rule 1 out to the internet anonymously.</P><P>and rule 3 is ther as a deny all (which should be there by default)</P><P></P><P></P><P>as you can see rule 2 should be removed BUT the problem is this</P><P></P><P></P><P>If we remove rule#2 our TMG firewall loses connectivity with the production network so loses its secure channel with the domain / domain controls. this causes the firewall to stop authenticating users thus the firewall kills all conenctions.</P><P></P><P></P><P>can you pleae confirm that rule#2 should never be in the pa-500 setup and confirm that in vwire mode the device should not stop non web/application protocols from communicating.</P></BODY></HTML> Thu, 26 Jan 2012 09:48:54 GMT https://live.paloaltonetworks.com/t5/general-topics/isa-tmg-problem-with-pa-500-in-vwire-mode/m-p/9267#M6782 d_ballam 2012-01-26T09:48:54Z https://live.paloaltonetworks.com/t5/general-topics/isa-tmg-problem-with-pa-500-in-vwire-mode/m-p/9268#M6783 <HTML><HEAD></HEAD><BODY><P>Hi Dave,</P><P></P><P>Could you please confirm if "selected users" are hitting rule #1, or are they hitting rule #2.&nbsp; If there a few users from the&nbsp; "selected users" used in rule #1 and are hitting rule #2, then we would need to look how the User-ID agent has been configured.</P><P></P><P>Thank you</P><P>Kal</P></BODY></HTML> Thu, 26 Jan 2012 11:01:14 GMT https://live.paloaltonetworks.com/t5/general-topics/isa-tmg-problem-with-pa-500-in-vwire-mode/m-p/9268#M6783 kalyanram.piratla 2012-01-26T11:01:14Z https://live.paloaltonetworks.com/t5/general-topics/isa-tmg-problem-with-pa-500-in-vwire-mode/m-p/9269#M6784 <HTML><HEAD></HEAD><BODY><P>users who are a member of selected group hit rule one. anyone outwith rule one hits rules two (as you would expect)</P><P></P><P>we seem to have our user group issue solved kal.</P><P></P><P>now the main problem is getting rid of rule two and why the pa-500 is restricting our edge firewall from communicating with the network.</P></BODY></HTML> Thu, 26 Jan 2012 12:43:49 GMT https://live.paloaltonetworks.com/t5/general-topics/isa-tmg-problem-with-pa-500-in-vwire-mode/m-p/9269#M6784 d_ballam 2012-01-26T12:43:49Z