This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
Buy or Renew
Buy or Renew

About minow

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
minow
‎04-10-2022
since ‎04-05-2011
L4 Transporter
User Activity
User Profile
Latest posts by minow
View All
My Liked Posts
View All
User Badges
Community Statistics
Member Since ‎04-05-2011 05:40 AM
Date Last Visited ‎04-10-2022 04:34 AM
Posts 164
Total Likes Received 9

Re: cannot understand drop reason

by in General Topics
‎03-11-2014 01:55 AM
‎03-11-2014 01:55 AM
the weird thing is that there is only one route to the client and one route to the server ... View more

Re: cannot understand drop reason

by in General Topics
‎03-11-2014 01:55 AM
‎03-11-2014 01:55 AM
yes i will try but how can i see on which interface every packet received from and sent to ... View more

Re: cannot understand drop reason

by in General Topics
‎03-10-2014 03:45 AM
‎03-10-2014 03:45 AM
i can see the SYN from the client to the server and then i can see the SYN-ACK from the server to the client on the stages: receive, firewall and drop on my paloalto on the drop it is the same packets of the SYN-ACK (comparing the firewall and the drop pcaps ... View more

cannot understand drop reason

by in General Topics
‎03-10-2014 03:35 AM
1 Kudo
‎03-10-2014 03:35 AM
1 Kudo
hey i have a client that connects to a remote site using  GP, and that site have s2s vpn to my site, we have problems connecting to a server in that site, we can i cannot see and drops in the traffic or threat logs, i have put filter on the ips and used tha show global couters shows this drops: Global counters: Elapsed time since last sampling: 5.880 seconds name                                   value     rate severity  category  aspect    description -------------------------------------------------------------------------------- flow_fwd_zonechange                        1        0 drop      flow      forward   Packets dropped: forwarded to different zone -------------------------------------------------------------------------------- Total counters shown: 1 -------------------------------------------------------------------------------- i dont understand this drop error, but i have checked routes and have only one route to each direction and the s2s vpn is steady and up pings between the client and server works fine please help thanks ... View more

Rules proccessing

by in General Topics
‎03-02-2014 03:40 AM
‎03-02-2014 03:40 AM
Hey i have a problem that traffic does not match to a rule i have this rule "VIP Users" {                   profile-setting {                     profiles {                       file-blocking "Allowed file type-VIP";                     }                   }                   option {                     disable-server-response-inspection no;                   }                   from any;                   to any;                   source any;                   destination any;                   source-user [ "cn=vip internet......."];                   category any;                   application any;                   service any;                   hip-profiles any;                   action allow;                   log-start no;                   log-end yes;                   negate-source no;                   negate-destination no;                   disabled no;                 } and i can see in the logs that the traffic is matching on a lower rule, which have security profile on it, and i cannot understand why the "VIP Internet" is a security group and the user is a member of this group and "show user ip-user-mapping ip x.x.x.x" with the client ip is showing this group under the mapped user i have also try the test-security-policy command and also the result is matched on a lower rule what i don't understand is: 1) does the test-security-policy calculates the current group membership? 2) i know that PA will change the applied rule if a more specific application signature is matched, but if i have upper rule with the application "any" so the more specific app is inside the "any" application am i right? 3) how can i troubleshoot it deeper? ... View more

Response Pages Usable Parameters

by in General Topics
‎02-23-2014 11:44 PM
‎02-23-2014 11:44 PM
Hey does someone have the full list of the parameters i can insert into a custom response page? or i can only use the ones that are shown in the default response pages for example if i want to insert the IP address of the client into the response page for the URL filtering thanks dor ... View more

Terminal server 2012 agent support

by in General Topics
‎02-18-2014 11:59 PM
‎02-18-2014 11:59 PM
Hey when there will be support for win 2012 for the terminal server agent ? thanks dor ... View more
Labels:

Re: dynamic updates are downloaded but not installed

by in General Topics
‎02-09-2014 01:18 PM
‎02-09-2014 01:18 PM
yes but if the cluster had fail-over... why shouldn't this process be "wise" ?? i think there are a lot of tasks regarding cluster operation and a lot about panorama that could have been done better and need some improvement. lets say for example the update thing or when panorama should manage HA in active passive... so first you have to choose in the PA device to use the MGMT interface to register to panorama, because panorama cant push policy for example to the external interface.... amm actually it can be done, but the commit will commit only on the active device... it is like Panorama doesn't know (or should i say, does not check in the information it already has) that we are talking about a cluster, so i will send a commit to the active device with the SN of both of the device, and the best thing is that even when i push policy using the "external" interface, the active device wont issue a commit to the passive device like it will normally do when you commit locally. it is like those little thinks that are missing and you say how they didn't think about that ... View more

Re: dynamic updates are downloaded but not installed

by in General Topics
‎02-07-2014 11:53 PM
‎02-07-2014 11:53 PM
hey we just configured the two device to download and install the configuration and push to the other member on different times of the day, and now it work smoothly, I think PA should do or know how to handle it by it own, since it is a cluster and each device should know what the other one is doing, ... View more

Re: PA User identification

by in General Topics
‎01-31-2014 02:47 AM
‎01-31-2014 02:47 AM
yes, adn the zone of the GP user is defferent i have read that the the mapping of the user to ip of a GP user is bind to the connection of the client to the GW, so as soon as the user log in/out the mapping created and removed, can i remote the UID from the zone or exclude the mapping on the GP pool have someone tried that? ... View more

Re: PANOS 6 Port mirror decryption

by in General Topics
‎01-29-2014 09:56 AM
‎01-29-2014 09:56 AM
this would be a good idead ... View more

Re: GlobalProtect ip-user-mapping issue

by in General Topics
‎01-29-2014 09:54 AM
‎01-29-2014 09:54 AM
5.0.9 i have a user authenticate through Radius, and then RDP to a server and some shares then the user-ip-mapping changes to the AD user which have different policy ... View more

Re: PA User identification

by in General Topics
‎01-29-2014 09:49 AM
‎01-29-2014 09:49 AM
yes i know how it works but i have a GP user and sometimes the user is changed and sometimes does not i mean changed from GP to AD, only somtime after a user loging to RDP server, or does the UID service just update the IP-user-mapping regardless the current mapping source? IP address:  x.x.x.x (vsys1) User:        domain\user From:        AD Idle Timeout: 2692s Max. TTL:    2689s Groups that the user belongs to (used in policy) Group(s):   admin@PA(active)> show user ip-user-mapping ip x.x.x.x IP address:  x.x.x.x (vsys1) User:        domain\user From:        GP Idle Timeout: 17889s Max. TTL:    17889s Groups that the user belongs to (used in policy) Group(s):    ... View more

Re: PANOS 6 Port mirror decryption

by in General Topics
‎01-29-2014 09:44 AM
‎01-29-2014 09:44 AM
no such license ... View more

PANOS 6 Port mirror decryption

by in General Topics
‎01-28-2014 11:32 PM
‎01-28-2014 11:32 PM
hey where i should get the license mentioned here for enabling this feature • Decryption Port Mirror— Provides the ability to create a copy of decrypted traffic from a firewall and send it to a traffic collection tool that is capable of receiving raw packet captures—such as NetWitness or Solera—for archiving and analysis. This feature is necessary for organizations that require comprehensive data capture for forensic and historical purposes or data leak prevention (DLP) functionality. To enable use of this feature, you must download and install a free license. You can then configure a decryption profile (Objects > Decryption Profile) to enable forwarding to the decrypt mirror interface. Decryption port mirroring is available on the PA-5000 Series and PA-3000 Series platforms only. ... View more
Register or Sign-in
Contact Me
Online Status
Offline
Date Last Visited
‎04-10-2022 04:34 AM
Likes Given To
LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2025 - Palo Alto Networks