About jcostello

another option is to use the command line Connect via SSH type configure <enter> for an address group type set address-group name [ address1 address2 ... address last ] <enter> example set address-group local_networsk [ DMZ Net_10.1.0.0 Net_172.16.1.0 Net_172.16.11.0 ] for a NAT translation type set rulebase nat rules name from zone source [ address1 address 2 ... address_last]  service any to zone destination address_external  destination-translation address_internal <enter> example set rulebase nat rules webservices from Untrust source any to Untrust destination Web_External service any destination-translation Web_Internal don't forget to issue a commit when you are done. hope that helps. James ... View more

On the Cisco or Juniper configuration the ISP will forward/route the second range traffic to the IP of the firewall. You would then create static entries for NAT translation. It is also possible to set an interface IP address on the second range to connect VPN traffic. The configuration suggestions I have seen on other questions involve having multiple gateways and using PBF. We would like to avoid PBF and multiple default routes so that we can float the SSL VPN and VPN traffic between sites. ... View more

It might be possible to use policy based forwarding to push all of the http and https traffic to your proxies if you were to put the proxies in another zone. ... View more

PAN Firewalls can participate in both OSPF and BGP. Basic configuration information can be found starting on page 102 of the Palo Alto Networks Administrator.’s Guide version 4.0 This document goes into further detail on BGP configuration https://live.paloaltonetworks.com/docs/DOC-1572 Hope these help James ... View more

Forget about routing, the PAN is more than a layer 3 device. Routing will not occur if there is not a rule. There is an implicit deny in place at the end of the policy rules. The implicit deny does not log, if you want to see what is being denied you will need to create an implicit rule. Can you provide an output of what a ping or traceroute shows when the rule allowing ping is not in place or disabled. ... View more

from the command line you can show all of the Application Groups with the following command after going into configure mode. show application-group This will show all of the groups and you can review those results. Thanks James ... View more

Clarification question. Do you have the firewalls in separate Device Groups on Panorama? Thanks James ... View more

Let me review what I understand Segment A is your trusted zone Segment B is your untrusted zone Segment C is your server zone. For traffic to pass between these zones you have to configure security and NAT policies. For  traffic to get from segment A (internal user) to segment B (website on  someonet else's network) you have to create a security policy that  allows that traffic and a NAT policy to translate the source traffic to  the assigned external IP. For traffic to get from segment B  (Internet user) to a load balanced server on segment C you have to  create a security policy for the allowed traffic and a No translation  NAT policy for the source and destination For traffic to get from  segment A (internal user) to a load balanced server on segment C you  have to create a security policy for the allowed traffic and the  appropriate translation of the source traffic. Your  ping/traceroute traffic was not going off into segment B, it did not  have a policy to allow it to the proper destination and was following  the default route on the PaloAlto on which it could go. Additionally if Segment A and Segment C are in the same zone, there would need to be an intra-zone rule that would allow it. (Source and destination zones are both the trust zone) ... View more

Dave At this point it does not appear that there is a wild card feature on the command line for the url profile. Though that would be nice to have in the policy section. The following command line will configure all of the other categories to block by default: set profiles url-filtering minimal block [ abortion alcohol-and-tobacco auctions content-delivery-networks cult-and-occult dead-sites dynamically-generated-content educational-institutions entertainment-and-arts financial-services games government health-and-medicine image-and-video-search individual-stock-advice-and-tools internet-communications internet-portals job-search keyloggers-and-monitoring legal local-information military motor-vehicles news-and-media not-resolved online-greeting-cards online-music online-personal-storage open-http-proxies parked-domains personal-sites-and-blogs philosophy-and-political-advocacy phishing-and-other-frauds private-ip-addresses proxy-avoidance-and-anonymizers real-estate recreation-and-hobbies reference-and-research religion search-engines sex-education shareware-and-freeware shopping social-networking society spam-urls sports streaming-media training-and-tools translation travel unconfirmed-spam-sources unknown web-advertisements web-based-email web-hosting ] It would be nice to have a default action option at the command line when configuring actions with multiple options like this. Hope that helps. James ... View more

Clarification question: Which system is being marked with the rdp user login? Server or workstation? Thanks James ... View more

Eugene, Have you checked the switches for speed and duplex mismatch errors? What speeds does the report give if done in front of the  Palo Alto? Thanks James ... View more

Samuel, Just to clarify. Are you asking why some Palo Alto firewalls show measureable drops in performance on the Spec Sheets when the IPS features are activated? Thanks James ... View more