About santonic

Yes, it's not a widely used protocol. But we have an opportunity where we need to extract files (and send to WF) from it. And they don't get mails as SMTP anywhere in their network (long story). They are also looking for ways to get just mails out of their Lotus Notes server as SMTP but they are not certain yet if it's possible. And then we will have a problem as PA can't be MTA 🙂   I tried to decode traffic on port 1352 as SSL but it didn't look good. Some packets were marked as SSL in Wireshark, but no packets were recognised as SSL handshake.   ... View more

Ohh, good info, ty! It's on TCP 1352, I'll try again.   ... View more

After almost 2 years this issue came up again. This time I was able to analyze at least client to server traffic recognised as lotus-notes-base by PA. I did a packet capture but i couldn't find any SSL/TLS handshake in the traffic. So it must be some proprietary encryption.   If someone can prove me wrong or find a way around it please let me know.   ... View more

Destination zone in security policy must be post-NAT zone. ... View more

Suspending device means making it non-functional. So yes in a way it's like taking it out of a cluster as it won't take active role again even if the other shuts down. So you want to make it functional again asap. Pre-emptive will control how cluster behaves when primary device returns. ... View more

For session end reason you don't have to do anything on PA (unless it's actually denied by PA). And reset (either by server or client) is a normal ending of TCP session. Session time out is also a normal occurence for non TCP sessions. So no action is needed there, these are just helpful info PA provides.    Incomplete means TCP 3 way handhsake didn't finish. It can be either routing issue or just destination server not listening on that port.   Unknown-tcp (or -udp) means there is some traffic passing through FW but PA can't recognise the application. These are the cases you should investigate; what is at source IP, which service is listening at destination IP, maybe do a packet capture for this traffic... Idea is to identify the traffic as you don't want any unknown traffic in your network. Once you identify it and find the reason you can either block it or tell PA how to identify it (by Application Override or with custom application signature).         ... View more

Which interface are you using for updates? Management interface as it is default settings? If you are using some other interface (through service route configuration) you won't be able to download updates as that interface is always inactive on passive cluster member. ... View more

Actually if 3-way handhsake completes and nothig much else passes through i think the verdict would be insufficient-data. But yeah, incomplete would mean 3-way handhsake wasn't completed.   ... View more

PA sends traffic where you tell him too. You should tell him to send to cluster IP (or however it's called in HSRP). If that doesn't fix it then it's something wrong with your HSRP. ... View more

Just keep in mind this: traffic must match every coloumn in the rule for rule to hit. Let's say you have a rule with app SSH and port 8080.   SSH on standard port 22 doesn't match the service field. Web-browsing on port 8080 doesn't match the application field. Only SSH aplication on port 8080 would match that rule.   If you want to have both in the same rule put both SSH and web-browsing in application field, and both port 22 and port 8080 in service field.   This is all assuming that your http application will be recognised as web-browsing.     ... View more

All rules inspect traffic up to lvl 7 (with 1 exception but irrelevant to this situation).   For example: if you put in the same rule application 'ssh' and in service coloumn 'tcp port 80' you aren't opening ssh and http traffic. You are only allowing ssh traffic on port 80. So ssh on port 22 won't be allowed by this rule. And http traffic on port 80 also won't be allowed. In other words traffic must match all coloumns of rule for that rule to apply.   Considering your example; never put icmp and ping in rule which has services listed as you can't make service for protocol. You need to specify 'application default' for application which don't use TCP or UDP protocol.     ... View more

Yeah, that's it. Thanx! ... View more

Thanx! Can't mark it as solution as I started this topic before my account migration 🙂 ... View more

You will never see any traffic to MGMT interface in traffic log as that interface is not a part of firewall.   If you don't get MAC address of PA non-mgmt IP then you have issues at layers below level 3. So untill you get MAC address you won't be able to send any traffic to PA. So logs will remain empty till then.  ... View more