This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
Buy or Renew
Buy or Renew

About santonic

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
santonic
‎10-08-2025
since ‎01-26-2011
L6 Presenter
User Activity
User Profile
Latest posts by santonic
View All
User Badges
Community Statistics
Member Since ‎01-26-2011 05:56 AM
Date Last Visited ‎10-08-2025 02:11 AM
Posts 677
Total Likes Received 193

Re: How to find Zone for an IP address in V Wire mode

by in General Topics
‎10-08-2018 06:02 AM
‎10-08-2018 06:02 AM
Usualy you have one interface of Vwire pair in trust/lan zone and the other in untrust/internet zone. So you put zones on ingress and egress interfaces of Vwire pair.  And yeah, you will see them in logs too. ... View more

Authentication policy for RDP

by in General Topics
‎10-08-2018 01:09 AM
‎10-08-2018 01:09 AM
I have succesfuly implemented auth policy for http and https (with decryption). But I can't get it to work for RDP. Yes, I know I need GP client for non-browser protocols.   Customer is using MS MFA server. As it's not supported by PA as MFA server we configured it as Radius server. I have auth profile which uses Radius server profile towards MS MFA. Captive portal is enabled, in redirect mode, redirects to internal interface of PA, response pages are enabled in mgmt profile, and it uses configured auth profile for MFA (Radius). We have an auth policy for any service to single server with authenticaon method web-form and same authentication profile for MFA (Radius). I've  set Enable Inbound Authentication Prompts from MFA Gateways to Yes and I entered both PA interface with captive portal and MFA server address as Trusted MFA Gateways.   When we try a RDP connection; we see the connection in session browser, details say that it hits the correct auth rule, has value False for captive portal and nothing happens. Session isn't logged in traffic log, no new entries in authentication logs, nothing in authd.log.  Packet capture  shows succesful TCP 3 way handshake and reset form server soon after.   ... View more

Re: where to define a static public IP for IPsec

by in General Topics
‎09-12-2018 02:30 AM
‎09-12-2018 02:30 AM
You simply add another IP to interface. First IP (primary) you define with correct mask (/28 or however it is). All the additional IPs from same subnet come with /32 mask.   To use it in NAT rules you don't have to define it on interface, but you can.    ... View more

Re: where to define a static public IP for IPsec

by in General Topics
‎09-11-2018 02:16 AM
‎09-11-2018 02:16 AM
If you want to select an address in IKE GW object you must define it on interface first. If you're just using it for NAT (source or destination) it's not mandatory. Both ways tell PA for which address it should answer to ARP request.     ... View more

Re: where to define a static public IP for IPsec

by in General Topics
‎09-11-2018 01:03 AM
‎09-11-2018 01:03 AM
Did you add /32 address on interface first? After that you should be abe to select it in IKE Gw settings. ... View more

Re: IKE traffic recognised as unkown-udp since September 6th

by in General Topics
‎09-10-2018 04:39 AM
‎09-10-2018 04:39 AM
Upgrade to PAN-OS 8.1.3 solved the issue for now (or the reboot that came with it). Hopefully it won't come back.  ... View more

Re: IKE traffic recognised as unkown-udp since September 6th

by in General Topics
‎09-10-2018 01:15 AM
‎09-10-2018 01:15 AM
It's happening on all VPNs, so I'm assuming it's not due to the device on other end. PAN-OS 8.1.2 on my end. ... View more

IKE traffic recognised as unkown-udp since September 6th

by in General Topics
‎09-10-2018 01:01 AM
‎09-10-2018 01:01 AM
Customer had an application based rule for VPN traffic. However since September 6th the traffic on UDP 500 is no longer recognised as IKE. Some VPNs stopped working, some still work even if they shouldn't really. Release notes of last 3 content updates don't mention anything about changes to IKE.   Anyone has similar problem?     ... View more

Re: unknown-tcp when tls decryption is enabled

by in General Topics
‎09-04-2018 12:04 AM
‎09-04-2018 12:04 AM
I've seen similar issue with inbound SSL decryption of activesync towards Exchange on PAN-OS 8.0.10. The session was first 'recognised' as unknown-tcp instead of activesync. Later we started getting decrypt error messages in logs. The certificate was correct and the supported cipher suites on server matched those on PA. Still researching this issue before opening a case. ... View more

Re: SSL Decryption breaks certain website functionality

by in General Topics
‎09-02-2018 11:59 PM
‎09-02-2018 11:59 PM
You're talking about inbpund SSL decryption, right? It can't be the issue with certificate pinning as certificate is the same (just moved from server to PA). Basically in SSL decryption scenario PA shoul be just listening to decrypted traffic and understand it because it has the apropriate certificate with private key. But in fact it does alter a session a bit as a colleague told me from debugging session with PA support. However for any details and logs about it you will probably have to ask support.   Another could be some external components having issues with decrytpion (if your application is using such).   ... View more

Re: Untrust to Untrust - Allow

by in General Topics
‎08-28-2018 01:58 AM
1 Kudo
‎08-28-2018 01:58 AM
1 Kudo
Somehow I was sure I read Untrust>Trust in his post. Sorry. Was before first morning coffee... ... View more

Re: Untrust to Untrust - Allow

by in General Topics
‎08-27-2018 10:54 PM
‎08-27-2018 10:54 PM
You would also allow all traffic to your servers visible from internet if you have some DNAT rules to inside (instead of DMZ). Let's say you make NAT rule for Exchange; if you NAT all services the rule you mentioned  will allow all traffic from internet to your server, smtp, https, rdp... Which is not something you want.   So make rules very specific, deny everything first then allow only what is needed.     ... View more

Re: Untrust to Untrust - Allow

by in General Topics
‎08-26-2018 10:56 PM
‎08-26-2018 10:56 PM
I always make 'default drop' rule which drops everything to override intrazone rule. ... View more

Re: Palo Alto's Version on ASA Packet-Tracer Command

by in General Topics
‎08-24-2018 04:19 AM
1 Kudo
‎08-24-2018 04:19 AM
1 Kudo
The only thing you need is logs. Enter filters for the session in question and look for any blocked events. Either in each log file seperately (traffic, threat, URL..) or in unified logs. Especially with threat logs keep in mind that source/destination of an event doesn't necesarilly match the direction of session. ... View more

Re: ACC - session number meaning

by in General Topics
‎08-20-2018 12:59 AM
‎08-20-2018 12:59 AM
Yeah, I think ACC is based on logs. So it can't be helpful with active sessions imo. ... View more
Register or Sign-in
Contact Me
Online Status
Offline
Date Last Visited
‎10-08-2025 02:11 AM
Likes Given To
LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2025 - Palo Alto Networks