This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
Buy or Renew
Buy or Renew

About kbrazil

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
kbrazil
‎08-18-2015
since ‎04-08-2009
L4 Transporter
User Activity
User Profile
Latest posts by kbrazil
View All
My Liked Posts
View All
User Badges
Community Statistics
Member Since ‎04-08-2009 04:41 AM
Date Last Visited ‎08-18-2015 09:06 AM
Posts 217
Total Likes Received 83

Re: Combined source & destination NAT in one rule

by in General Topics
‎10-29-2010 11:31 AM
‎10-29-2010 11:31 AM
Absolutely - no problem. Cheers, Kelly ... View more

Re: Security policies, mixing app and "service" options, ping, PPTP and NAT?

by in General Topics
‎10-04-2010 12:14 PM
1 Kudo
‎10-04-2010 12:14 PM
1 Kudo
Hi Bradenmcg, In general you should try to use application instead of, or in addition to services if possible. What I would do in your situation is create a separate port-based rule with the application as "any" above the other application rule.  Then after some time, review the logs and see what application is being identified on that port.  Then change application to the correct one.  If the application is being identified as the same application as the rule below, then you may not need this extra rule. The cool thing is that the app-id still happens and is logged even if you don't use it in the rule. Cheers, Kelly ... View more

Re: ARP Question

by in General Topics
‎09-28-2010 05:30 PM
‎09-28-2010 05:30 PM
Yep, that should do the trick! Kelly ... View more

Re: ARP Question

by in General Topics
‎09-28-2010 05:25 PM
‎09-28-2010 05:25 PM
Hi Kevin, Yes, if there are more than 500 devices on the same subnet as the PA-500, then this will be a problem.  More devices can be supported with a Layer 3 hop between them and the PA-500.  The PA-500 can handle up to 64,000 sessions. Cheers, Kelly ... View more

Re: Routing question with semi-private (MPLS) connection

by in General Topics
‎09-24-2010 02:31 PM
1 Kudo
‎09-24-2010 02:31 PM
1 Kudo
No worries! You are absolutely correct - the PAN will understand that more specific subnets take precedence in routing, so connected routes on your LAN will supercede more general static routes.  You should be able to get away with two static routes pointing to your MPLS: 10.0.0.0/8 and 192.168.0.0/16. When you take a look at the routing table (show routing route) you will notice the connected routes and the static routes living in harmony. Cheers, Kelly ... View more

Re: Routing question with semi-private (MPLS) connection

by in General Topics
‎09-24-2010 02:16 PM
‎09-24-2010 02:16 PM
Hi There, The simplest solution would be to keep the MPLS interface in the same VR as the others and put it in the Trust zone.  This way your networks will route and nat just like the local LAN traffic and you don't need any security policy for traffic to flow between sites. If you use a different zone, you will need to allow the traffic with a security policy. If you use a different VR, you will need to somehow route between them.  Today that would require a physical cable between VR's and static/dynamic routes.  I would not recommend doing this. Since there is only a single connection to the MPLS cloud, the easiest routing solution would be to configure one or more static routes out to the MPLS next hop in the same VR as the other links.  You could also use a dynamic routing protocol if your provider supports it and you are currently using that for your other sites, but there is probably no point since there is only a single connection. Hope that helps. Cheers, Kelly ... View more

Re: High Availability with Virtual Wires?

by in General Topics
‎09-09-2010 12:34 PM
1 Kudo
‎09-09-2010 12:34 PM
1 Kudo
Hi there, You can think of Virtual Wires as CAT5 cables.  The failover for Virtual Wire is very simple - it's like moving a CAT5 cable from the Primary unit to the Secondary unit.  The traffic failover is dependent on the devices on either side of the Vwire detecting the link moved over and reconverging. As of PANOS 3.1 if one side of the Vwire goes down, the other interface tied to the Vwire will also go down by default.  This helps with failover so the surrounding devices will both see the original path is down and re-route. Cheers, Kelly ... View more

Re: NAT or policy based routing in multiple ISP case

by in General Topics
‎08-16-2010 02:26 PM
1 Kudo
‎08-16-2010 02:26 PM
1 Kudo
Hi Ismail, I believe you are on the right track with the PBF and NAT.  PBF does not take care of NAT so you will have to do that separately.  The final configuration will depend on how you want the ISP redundancy to work (if any).  In any case you will have a combination of default route, PBF rules, and NAT rules. Cheers, Kelly ... View more

Re: factory-reset in PAN-OS 3.0 CLI not availabe in 3.1

by in General Topics
‎08-16-2010 02:23 PM
‎08-16-2010 02:23 PM
Hi Ismail, In 3.1 the following command may help you:   request system private-data-reset This clears all the data and configuration but does not do a full factory reset (keeps current code). Cheers, Kelly ... View more

Re: How to setup SSLVPN and MGMT on the same IP?

by in General Topics
‎08-11-2010 03:22 PM
‎08-11-2010 03:22 PM
Hi Ismail, I was thinking you could do a port translation dst NAT from the external interface to the internal mgt interface (or any other interface that has management enabled) and use any arbitrary port. Then assign the SSL VPN portal to a loopback interface or any other L3 interface and then do a port translation dst NAT from the external interface to it.  I don't believe you can change the SSL VPN port since the client will always try 443. Then you can do a normal dst nat with some other port to an internal SSL server. Service Outside Port NAT to Inside Management 44443 Mgt Interface on port 443 SSL VPN 443 Loopback Interface on port 443 Web Server 4443 Internal IP on port 443 Cheers, Kelly ... View more

Re: How to setup SSLVPN and MGMT on the same IP?

by in General Topics
‎08-11-2010 12:50 PM
‎08-11-2010 12:50 PM
Hi Ismail, I don't see any reason why you could not do that, so long as you make sure to define unique listening ports for the NAT port translation for each service/server.  This way you are essentially modifying the listening port for the service. Cheers, Kelly ... View more

Re: BGP authentication

by in General Topics
‎06-27-2010 07:16 PM
‎06-27-2010 07:16 PM
I'm not sure how many routes are supported in the Control Plane, but the Data Plane forwarding engine is limited to 20k routes on the high-end platforms, so this will probably be the max routes you want to use with BGP. Cheers, Kelly ... View more

Re: NAT question

by in General Topics
‎06-25-2010 04:03 PM
‎06-25-2010 04:03 PM
Hi Jo, Typically when traffic is not hitting a NAT or Security policy it is due to some sort of routing or lower-level issue.  To debug these types of issues you might check the drop counters or do a debug flow basic to see how the traffic is being processed and at what stage it is being dropped.  Support can also help out with this. Here is some quick information on how to check the counters and the debug flow basic: Show Drop Counters Set a filter to control what traffic is counted debug dataplane packet-diag set filter match <criteria> debug dataplane packet-diag set filter on Show the drop counters (absolute or relative to last time command was run) show counter global packet-filter yes | match drop show counter global filter severity drop packet-filter yes delta yes Debug Flow Basic Set a filter to control what traffic is logged debug dataplane packet-diag set filter match <criteria> debug dataplane packet-diag set filter on Enable debug logging debug dataplane packet-diag set log feature flow basic debug dataplane packet-diag clear log log debug dataplane packet-diag set log on View the debug log (tail or less) less dp-log pan_packet_diag.log tail dp-log pan_packet_diag.log Hope that helps, Kelly ... View more

Re: NAT question

by in General Topics
‎06-25-2010 12:11 PM
1 Kudo
‎06-25-2010 12:11 PM
1 Kudo
Hi Jo, The destination NAT IP does not need to be in the same subnet as the interface IP in our implementation for this to work.  The PAN device will ARP for the address and all should work fine. There are a couple ways to convert a ScreenOS MIP to PANOS NAT rules: Create two separate NAT Rules: One destination NAT inbound with zones Untrust to Untrust.  Then another source NAT outbound with zones Trust to Untrust or Create a single source NAT outbound with zones Trust to Untrust, then flag it as bidirectional (PANOS 3.1 and above) Once you have your NAT rule(s) then make sure the Security Policy has correct rules allowing the traffic in using the original (pre-NAT) IPs. Cheers, Kelly ... View more

Re: BGP authentication

by in General Topics
‎06-25-2010 12:03 PM
1 Kudo
‎06-25-2010 12:03 PM
1 Kudo
Hi there, Yes this is supported and is configured under "Auth Profiles" which can be applied to the individual peers. Cheers, Kelly ... View more
Register or Sign-in
Contact Me
Online Status
Offline
Date Last Visited
‎08-18-2015 09:06 AM
Latest Tags
No tags yet
LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2026 - Palo Alto Networks