This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

About santonic

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
santonic
‎01-07-2025
since ‎01-26-2011
L6 Presenter
User Activity
User Profile
Latest posts by santonic
View All
User Badges
Community Statistics
Member Since ‎01-26-2011 05:56 AM
Date Last Visited ‎01-07-2025 03:06 AM
Posts 672
Total Likes Received 191

Re: PPTP NAT and site-to-site IPSEC VPN on same IP address

by in General Topics
‎12-15-2014 11:28 PM
‎12-15-2014 11:28 PM
PPTP includes TCP session on port 1723 and GRE session. Yes, I can make more specific NAT rule for TCP session. But I can't use application or protocol in NAT rule so I can't make specific NAT rule for GRE. I also can't make no-NAT rule to prevent NAT for VPN tunnels as it also uses ESP which can't be used in NAT policy. ... View more

Re: PPTP NAT and site-to-site IPSEC VPN on same IP address

by in General Topics
‎12-15-2014 04:57 AM
‎12-15-2014 04:57 AM
A bit more complications: yes i know I can make a no-nat rule above the mentioned DNAT rule for known VPN endpoints. But a couple of VPN endpoints will have dynamic IP addresses ... View more

PPTP NAT and site-to-site IPSEC VPN on same IP address

by in General Topics
‎12-15-2014 04:53 AM
‎12-15-2014 04:53 AM
Hello. I'm doing a firewall migration where i encountered a following situation: - customer has site-to-site VPNs terminated on public IP address, let's say 1.1.1.1 - customer is using PPTP VPN solution which is also terminated on same IP address 1.1.1.1 and DNAT-ed to PPTP server, let's say on address 10.10.10.10 - on current fw they have a DNAT rule for just TCP 1723 and GRE protocol which translates packets with destination 1.1.1.1 to 10.10.10.10 But as PA doesn't support use of GRE (protocol or application) in NAT rules i have to make a more general rule which translates every packet coming to 1.1.1.1 to 10.10.10.10 Will site-to-site VPNs terminating on PA on IP address 1.1.1.1 still work in such scenario? Or will they be forwarded to PPTP server? Best regards, Simon ... View more
Labels:

Re: Error: Threat database handler failed (Module: device)

by in General Topics
‎11-05-2014 06:45 AM
1 Kudo
‎11-05-2014 06:45 AM
1 Kudo
I've found another weird situation when I get the same error message. I was testing DLP. After I finally managed to get rid of "pattern must be at least 7 bytes" configuration check I tried to commit the configuration. but I got "Error: Threat database handler failed  (Module: device) Commit failed." message. I've tried reverting threat database, upgrading, reinstalling... but nothing helped. Then I deleted my "Data Filtering" profile and "Data Patterns" object and commit was succesful. There is probably a configuration check missing and the commit fail message is a bit misleading. Or is it just a bug. Btw this happened on PAN-OS 6.1. ... View more

Re: URL filtering - incosistency with online BrightCloud database

by in General Topics
‎11-04-2014 06:02 AM
‎11-04-2014 06:02 AM
Restarting device-server solved the issue. Thanx! ... View more

URL filtering - incosistency with online BrightCloud database

by in General Topics
‎11-04-2014 01:27 AM
‎11-04-2014 01:27 AM
Hello. A while ago website www.rk-celje.si was recognised as malware-site. But in last couple of months the website seems to be clean and online BrightCloud lookup (URL/IP Lookup | Webroot BrightCloud) recognises it as 'Trustworthy' and categorizes it correctly as 'sports' But PA device using BrightCloud for URL filtering keeps saying it's malware-site. I've tested it with 2 version of URL filtering database and I've cleaned URL cache every time. Why is the categorisation wrong? Is PA overriding BrightCloud info when they find some malware? If so why don't they report that info back to BrightCloud as well? xyc@PA-3020> show system info | match url url-db: brightcloud url-filtering-version: 4394 xyc@PA-3020> test url www.rk-celje.si www.rk-celje.si malware-sites (Base db) xyc@PA-3020> xyc@PA-3020> show system info | match url url-db: brightcloud url-filtering-version: 4405 xyc@PA-3020> test url www.rk-celje.si www.rk-celje.si malware-sites (Base db) xyc@PA-3020> clear url-cache all All entries in URL cache removed! xyc@PA-3020> test url www.rk-celje.si www.rk-celje.si malware-sites (Base db) xyc@PA-3020> ... View more
Labels:

Re: IPS - new signature's action set to default instead of the action specified in rule

by in General Topics
‎11-03-2014 06:11 AM
‎11-03-2014 06:11 AM
tshiv We did some testing and we found out that rule order does matter in IPS profile. So if a signature matches 2 rules, the action will be set by first rule it hits, matching the rules from top to bottom. ... View more

Re: FTP session logged as 2 TCP sessions

by in General Topics
‎10-30-2014 07:17 AM
‎10-30-2014 07:17 AM
Thanx all for your replies, they've been really helpful. ... View more

Re: FTP session logged as 2 TCP sessions

by in General Topics
‎10-30-2014 12:55 AM
‎10-30-2014 12:55 AM
hshah Thanx for your info. Yep, to me it looks as well like the sessions are in pair. But session IDs are different. So I'm still worried the data sessions will be blocked. I don't have info about FTP server, i'll check with the client where the issue appears. Do you know if PAN supports multiple DATA sessions back or only looks for 1? lewis You saw data sessions (with source port 20) to internet and they were allowed despite the fact you didn't have such traffic allowed with rule? ... View more

Re: FTP session logged as 2 TCP sessions

by in General Topics
‎10-29-2014 12:31 AM
‎10-29-2014 12:31 AM
Ok, I understand about PREDICT sessions, but we all agree those shouldn't be seen in traffic logs? And I agree I shouldn't have to create a rule for traffic back, but in that case the session back in logs will be blocked? And Session IDs for pair of such connections are different. Here is the screenshot of such sessions for easier understanding: Another thing: for the security zone where the FTP server is we have a zone protection profile which doesn't reject Non-SYN TCP sessions and bybasses Asymmetric Paths. But the mentioned FTP traffic isn't asymmetric so this zone protection profile shouldn't have any influence on these sessions. ... View more

Re: FTP session logged as 2 TCP sessions

by in General Topics
‎10-28-2014 07:54 AM
‎10-28-2014 07:54 AM
dreputi Yep, I copied it wrong. It should be like this: Every time a client starts FTP session i see 2 TCP sessions in logs: - TCP session from 1.1.1.1:yyyy to 2.2.2.2:21 application ftp - followed by TCP session from 2.2.2.2:20 to 1.1.1.1:xxxx application ftp I agree that I shouldn't be opening session for the DATA traffic in the other direction. But that means 2nd session will always be blocked when we implement the drop rule. Will FTP still work? hshah Yes, I agree that predicted sessions aren't logged and that there is no such application as ftp-data needed. But I do see a TCP session in other direction in traffic log, it's recognised as ftp application, there was some data transfered through it and it always appears after a ftp session from client to server. And that means I need to explicitly open everything from source port 20 in the other direction? ... View more

Re: FTP session logged as 2 TCP sessions

by in General Topics
‎10-28-2014 06:35 AM
‎10-28-2014 06:35 AM
Thanx for the tip, i'll try to catch such session live. Do predicted sessions go into traffic log as a seperate (TCP) session? ... View more

FTP session logged as 2 TCP sessions

by in General Topics
‎10-28-2014 06:07 AM
‎10-28-2014 06:07 AM
Hello. I have a problem with the way PA handles FTP sessions. I have a general rule which allows privileged user groups to have full access to a certain network. So application and service in this rule is 'any'. One of the applications users will be using is FTP. When I look at traffic logs i see 2 TCP session for each use of FTP application. Let's say client is at 1.1.1.1 and FTP server at 2.2.2.2. Every time a client starts FTP session i see 2 TCP sessions in logs: - TCP session from 1.1.1.1:yyyy to 2.2.2.2:21 - followed by TCP session from 2.2.2.2:xxxx to 1.1.1.1:20 I know FTP application consists of 2 TCP session. But shouldn't PA as an application firewall match DATA session with CONTROL session and regard them as single use of FTP application? This will be a big issue when the traffic from the mentioned network towards user segment will be set to 'deny'. I don't think having to open port 20 towards user segment is the way to go on application firewall. Best regards, Simon ... View more
Labels:

Re: WildFire Question

by in General Topics
‎10-22-2014 03:57 AM
2 Kudos
‎10-22-2014 03:57 AM
2 Kudos
They're repacking their malware file so it avoids signature matching security engines? ... View more

Re: VPN port and default port the same?

by in General Topics
‎10-22-2014 03:49 AM
1 Kudo
‎10-22-2014 03:49 AM
1 Kudo
Yes, you can use single ethernet interface towards internet for all functionality: user access to web, IPSEC VPN termination, GlobalProtect portal and gateway, external management of firewall (in that case mgmt port changes to 4443).. ... View more
Register or Sign-in
Contact Me
Online Status
Offline
Date Last Visited
‎01-07-2025 03:06 AM
Likes Given To
LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2025 - Palo Alto Networks