This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Enhanced Security Measures in Place:   To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.

About dieter_b

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
dieter_b
‎09-11-2017
since ‎01-25-2011
L4 Transporter
User Activity
User Profile
Latest posts by dieter_b
View All
User Badges
Community Statistics
Member Since ‎01-25-2011 03:03 AM
Date Last Visited ‎09-11-2017 09:36 AM
Posts 192
Total Likes Received 14

Re: problem with IP helpers after migration

by in General Topics
‎05-04-2017 04:55 AM
‎05-04-2017 04:55 AM
We went live again and problem came back. After 3 hours of troubleshooting (clearing arp/mac caches, rebooting servers...), replacing a network patchcord resolved the issue !! With the faulty cable we had physical link, but no connection... pff ... View more

Re: problem with IP helpers after migration

by in General Topics
‎05-02-2017 02:56 AM
‎05-02-2017 02:56 AM
Seems to be resolved in test environment. Probable cause was management-client Device was stuck in init state. Overall status was in init.   Commit force probably solved that. ... View more

Re: problem with IP helpers after migration

by in General Topics
‎05-01-2017 11:25 PM
‎05-01-2017 11:25 PM
  nothing fancy... and that worked (and still does) on the old device ... View more

problem with IP helpers after migration

by in General Topics
‎04-29-2017 09:11 AM
‎04-29-2017 09:11 AM
We're migrating from a PA-2020 to PA-3020. PANOS 6.1.12   Config migration went fine. And most functionality is ok on the new device. However our IP helpers don't work anymore. We use them on tagged subinterfaces. All subinterfaces on one interface connected to switch.   Capture shows the device receives the DHCP discoveries. But it does nothing with them: no drop, no forwarding.   Any ideas what may be causing this ? ... View more

Re: message security over http

by in General Topics
‎03-27-2017 07:55 AM
1 Kudo
‎03-27-2017 07:55 AM
1 Kudo
@dieterb wrote: @TranceforLife wrote: This is how l understand 3-way handshake :0 If you are not using user-id on trust zone please disable this future under the zone configuration We heavily use user-id for that zone. But for some traffic, that doesn't matter. User Any solves that problem for most cases. Ok, problem is indeed related to user-id: http traffic triggers an NTLM authentication request (if there's no user-ip-mapping) on the firewall. Application did not know how to handle that and resets session.   The trick was to put the client's fixed IP address in the exclude list for user identification for the zone. Not only in the user-id agent exclude list and/or PA user-id exclude list (what most of the time just worked because it was no http traffic). Now the firewall doesn't ask for NTLM auth and traffic passes fine.   I also found out that it's not possible to disable NTLM entirely, is that correct ? Maybe because of captive portal ? ... View more

Re: message security over http

by in General Topics
‎03-24-2017 04:22 AM
‎03-24-2017 04:22 AM
@dieterb wrote: Where can I find application specific timeouts ? nevermind, found it (Objects -> Applications) ... View more

Re: message security over http

by in General Topics
‎03-24-2017 04:20 AM
‎03-24-2017 04:20 AM
I have pretty much default general session timeouts   Connections are dropped way faster than that.   Where can I find application specific timeouts ? ... View more

Re: Issues with both client and clientless VPN on 220 running 8.0.1

by in General Topics
‎03-24-2017 01:20 AM
‎03-24-2017 01:20 AM
With "published app", do you mean Citrix by any chance ? ... View more

Re: message security over http

by in General Topics
‎03-23-2017 07:25 AM
‎03-23-2017 07:25 AM
@BPry wrote: @dieter_b if you don't have a profile associated with it the firewall should never issue a reset, since it should just be allowing the traffic. I would take a look at what the identified applications TCP Timeout, TCP Half Closed, and TCP Time Wait settings are. Just for giggles customize those to something completely unreasonably high and see if the issue persists. The firewall may not be seeing any type of response from the other server and terminating the session because it believes the session has gone stale.  Good idea, I will give this a try. I just hope our session limit is not reached, since we're talking about http 🙂 ... View more

Re: message security over http

by in General Topics
‎03-23-2017 07:23 AM
‎03-23-2017 07:23 AM
@TranceforLife wrote: This is how l understand 3-way handshake :0 If you are not using user-id on trust zone please disable this future under the zone configuration We heavily use user-id for that zone. But for some traffic, that doesn't matter. User Any solves that problem for most cases. ... View more

Re: message security over http

by in General Topics
‎03-23-2017 05:39 AM
‎03-23-2017 05:39 AM
That's all there is to the rule:   Sorry I can't give PCAP, would reveal too much info.   You say firewall ip would be seen as source ip of RST. That's not the case so I assume RST is really coming from remote server.   Can anyone confirm PA does not alter http content ? There's no such thing as http message security decryption ? Or an option that blocks encrypted http messages ? ... View more

Re: message security over http

by in General Topics
‎03-23-2017 03:43 AM
‎03-23-2017 03:43 AM
I have logging enabled for start and end. And I'm pretty sure the traffic should hit the rule. Logging is enabled for almost everything (except for some dns, ntp and "internal" traffic). So if there would be a deny somewhere or a threat blocked, I would see it.   So here's the fun part: If there's no user-to-ip mapping for the clients ip, nothing is logged. If there is a user-to-ip mapping, I have log entries.   Session end reasons are tcp-rst-from-client and tcp-fin, so pretty normal.   Known user or not should not even matter. The rule allows Any app/service for Any user from clients fixed ip. And for troubleshooting I don't even have a security profile attached.   In a wireshark capture on the client I only get a dry RST from the server. But that could be the firewall sending a RST.   Would the option "Disable Server Response Inspection" do any good ?     ... View more

Re: message security over http

by in General Topics
‎03-22-2017 05:56 AM
‎03-22-2017 05:56 AM
Right now the application seems to generate no logging at all... I will get back when I have something useful 🙂 ... View more

message security over http

by in General Topics
‎03-21-2017 08:22 AM
‎03-21-2017 08:22 AM
How does PA handle message security over http ? Whereas https secures the communication, message security secures the content.   I would expect PA does not touch http content. But we are having issues with an application that connects to a partners server.   Application throws this error, I guess it's a pretty default .net error: An error occurred while receiving the HTTP response to http://blabla/blablaConnectorHostService.svc. This could be due to the service endpoint binding not using the HTTP protocol. This could also be due to an HTTP request context being aborted by the server (possibly due to the service shutting down).   Partner says it has something to do with large transfers that get interrupted. I'm guessing it happens somewhere on the firewall. ... View more

disable inbound url filtering for performance

by in General Topics
‎10-25-2016 11:33 AM
‎10-25-2016 11:33 AM
Would it make sense to disable url filtering for inbound traffic to our servers for performance reasons ? Logging is hogging our resources (and that's a real problem on PA-2020). Would it make any difference ? We only host a few low traffic websites... In comparison, we have far more outbound traffic from our users to the internet. ... View more
Register or Sign-in
Contact Me
Online Status
Offline
Date Last Visited
‎09-11-2017 09:36 AM
Latest Tags
LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks