About santonic

santonic · ‎03-30-2012

Yep, that would work. However customer is ok with having his service up only on primary link when primary ISP is up so no complications needed atm

santonic · ‎03-28-2012

@mikand Yep, having multihomed server with public address in DMZ would solve this. But at this point we are not allowed to be changing any IP addresses at customer.

santonic · ‎03-28-2012

Thank you for your answer. Any workarounds for this which are available now?

santonic · ‎03-28-2012

Ok, thanx a lot.

santonic · ‎03-28-2012

Hello. I have to do NAT for GRE protocol and as i've read here in knowledgebase that can only be done with static NAT without specifiying ports. However the customer also has other services on same public IP address, like SMTP and DNS. Would this work? Rule1 - Public_address -> ports 53TCP/UDP -> NAT -> private_server1 Rule2 - Public_address -> port 25TCP -> NAT -> private_server2 Rule3 - Public_address -> NAT -> private_server3 (for VPN GW without specifying port) Will DNS requests go to server1, mails to server2 and everything else including GRE to server3?

santonic · ‎03-28-2012

Yep, in first part you describe NAT for incoming traffic just the way i was planning to do it. But I don't think 2nd part for outgoing traffic will work. Packets originating from DMZ will have source IP of DMZ and destination IP some random public IP outside of company's network. So you can't distinguish packets by ISP there. Unless!!! (Your example mentioning source NAT gave me an idea.) When I do destination NAT translation for incoming traffic (from public to private IP) for each ISP i can do source NAT at the same time. That way source address of packet will connect packet with correct interface. So server will reply to that translated address and hopefully PA will handle the traffic correctlly then. Any thougths if this would work?

santonic · ‎03-28-2012

Hello. I have a specific question about certain situation. There is a customer with 2 ISPs, let's call them ISP1 and ISP2. Customer has a single PA device to which both ISPs are connected. Each ISP provides a block of public IP addresses which are routed to the PA device. With PBF we'll make a rule, which sets ISP1 as primary ISP and ISP2 as secondary. So default route will be set to ISP1 when ISP1 is up and to ISP2 when ISP1 is down. So far it's all pretty standard situation. Now let's say teh customer has some server in its DMZ zone. Server has a local IP address in DMZ zone so NAT is needed. Customer wants the server to be available on BOTH ISPs all the time, Therefore we make 2 NAT rules; one for each ISP. Let's say ISP1 is active at certain moment so default route is pointing towards ISP1. But someone tries accessing server over ISP2. In that case packet comes from ISP2, gets translated to private IP address, enters DMZ zone, server replies, packet reaches PA device again and now the PA device has to put packet on proper interface. In this case; will PA put packet on ISP1 interface where default route is pointing, or will it know that packet originated from ISP2 and will correctly put it on ISP2 interface? Ok, I know this sitation can be avoided with proper use of DNS records or BGP, but it's a temporary solution so I'm really interested what PA will do in exactly such situation.

santonic · ‎01-18-2012

hi! thank you for your answer. since I'm still a bit confused I would like to ask you one more question. let's say we have a rather simple setup - a single firewall connection an enterprise LAN and DMZ segment to the Internet. in this scenario we would like to allow our employees to access internal MS terminal servers when on the road. since only a basic GP functionality is needed at the moment (the ability to set up a secure VPN connection and assign each remote client a virtual IP address to avoid potential routing issues) we were wondering what type of licenses we would need if we would like to use full GP functionality? would GP portal licence still be needed even if we have a single entry point? BR, A

santonic · ‎01-03-2012

hi! I would need some help understanding the PAN licensing model fo VPN clients. we are planning a new deployment and would like to offer our clients (Windows and iOS based) the possibility to access corporate resources. since only a very basic functionality is needed in this case (the ability to establish a SSL/IPSec session and assign a remote client a virtual IP address to ease routing and security issues when accessing corporate servers). are separate GlobalProtect licenses needed in this case? BR, Andrej

santonic · ‎12-08-2011

Makes sense, thanx for the explanation.

santonic · ‎12-02-2011

hi! it turned out that changing the action from "block" to "alert" in the URL filtering profile completely changed the device's ability to detect Youtube. if the option "alert" is used both our PA-2020 and PA-2050 deployed in TAP mode are able to correctly identify Youtube traffic. br, Andrej

santonic · ‎11-29-2011

hi! since PA-2050 is deployed in TAP mode, we are actually only monitoring internet traffic. you are indeed correct about application identification: in the URL filtering log access to www.youtube.com/watch?.... is always identified as web-browsing. BR, Andrej

santonic · ‎11-24-2011

hi! I'd say we are running the latest available signatures Application version 278-1187 Threat version 278-1187 Antivirus version 618-840 URL Filtering version 3745 BR, Andrej

santonic · ‎11-23-2011

hi! digging through the logs of our PA-2020 showed that at some point after Nov 3rd it was not able to recognize youtube as an application any more. since we upgraded from 4.0.7 to 4.1.0 a few days later, I was wondering if you have any idea what might be the cause of this behavior since all other applications seem to be recognized correctly? broken application signatures? BR, Andrej

santonic · ‎04-04-2011

hi! I was wondering how to use BGP in a HA active/standby deployment? a common design with floating IP addresses (HSRP/VRRP like) is to use two additional switches to connect to two upstream ISPs so a link failure doesn't result in an active member takover within the cluster. can you please help me understanding how routing tables are synchronised between cluster members? should we use iBGP like in a typical CE deployment? BR, Andrej

Member Since	‎01-26-2011 05:56 AM
Date Last Visited	‎11-29-2024 07:11 AM
Posts	672
Total Likes Received	190

Online Status	Offline
Date Last Visited	‎11-29-2024 07:11 AM

About santonic

Re: Telemetry - Hostname/url is in illegal/bad format

Re: Config Audit Failure

Importing (Cisco) switch configuration to Expedition

Re: Config Audit Failure

Re: Expedition - re-assign zones after change in routing

Re: Panorama management for Cloud NGFW

Re: Expedition - re-assign zones after change in routing

Re: Expedition - re-assign zones after change in routing

Re: QoS configuration based on destination (sub)interface on 3400 series

QoS configuration based on destination (sub)interface on 3400 series

Re: Can't generate output files

Re: Browser not prompting/selecting client cert for GP portal

Re: Panorama management for Cloud NGFW

Re: App Identification and ALLOW rule - does this make any sense?

Re: What is PA equvalent to show Xlate to view NAT translations

Why is SMB traffic slow ?

Re: Expedition - re-assign zones after change in routing

Re: Panorama management for Cloud NGFW

Re: Why is SMB traffic slow ?

The World’s First ML-Powered NGFW

Re: Dual ISP, PBF and DMZ

Re: Dual ISP, PBF and DMZ

Re: Dual ISP, PBF and DMZ

Re: NAT and GRE

NAT and GRE

Re: Dual ISP, PBF and DMZ

Dual ISP, PBF and DMZ

Re: licensing VPN clients

licensing VPN clients

Re: youtube

Re: youtube

Re: youtube

Re: youtube

youtube

BGP in a cluster deployment

Nebula Hardware Beta

Nebula Beta

Unlock your full community experience!

About santonic