This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
Buy or Renew
Buy or Renew

About kbrazil

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
kbrazil
‎08-18-2015
since ‎04-08-2009
L4 Transporter
User Activity
User Profile
Latest posts by kbrazil
View All
My Liked Posts
View All
User Badges
Community Statistics
Member Since ‎04-08-2009 04:41 AM
Date Last Visited ‎08-18-2015 09:06 AM
Posts 217
Total Likes Received 83

Re: Opening file download for specific URLs

by in General Topics
‎04-05-2011 10:44 AM
‎04-05-2011 10:44 AM
Hi There, Yes, you should be able to do this with a custom App-ID.  Within the App-ID, use web-browsing as the parent application and create a regular expression looking for microsoft.com in the URI header.  You may have to play around with this to get it right and make sure you don't affect other App-ID's for Microsoft applications/updates.  Use that custom application in a Security Policy rule and attach a file-blocking profile that allows those file types.  Make sure this Security rule is above your other rule with the more restrictive file-blocking profile. Cheers, Kelly ... View more

Re: DOCX, XLSX, PPTX, ASPX files to be allowed when zip is blocked

by in General Topics
‎04-05-2011 10:37 AM
1 Kudo
‎04-05-2011 10:37 AM
1 Kudo
I'm not sure what you can do here since the file is first identified as ZIP, then unzipped and further identified as a DOCX file.  To allow DOCX you will also need to allow ZIP files. You might be able to create more restrictive Security Policy rules above the existing ones and only allow ZIP and DOCX files to/from certain sources and applications. Cheers, Kelly ... View more

Re: PAN-2020 is taking 45 Minutes to 1 Hour for committing the changes

by in General Topics
‎04-05-2011 10:31 AM
‎04-05-2011 10:31 AM
Also, do you have any custom Vulnerability, Application, or Data-Filtering signatures?  Those can take a while to compile during a commit, depending on the changes made. Cheers, Kelly ... View more

Re: Active Active HA on PAN 4.x

by in General Topics
‎04-04-2011 10:48 AM
‎04-04-2011 10:48 AM
Hi Eugene, I believe your question was answered above with ARP Load Sharing.  This does not require an L4 switch as it shares the load between the active units automatically.  This really only works well with directly connected hosts initiating traffic outbound. The intention for Active/Active HA is not to share the load for higher performance but to address asymmetric routing scenarios. The directly connected HA3 links in the cluster will make sure traffic is correctly forwarded in cases where the traffic was delivered to the wrong firewall. You may need to have a further discussion with your local SE to get more information on how to design and configure an Active/Active cluster if you find that design is really necessary.  Try to stick with an Active/Passive design, if possible, as it is much more simple to design, config, and troubleshoot. Cheers, Kelly ... View more

Re: BGP in a cluster deployment

by in General Topics
‎04-04-2011 10:35 AM
‎04-04-2011 10:35 AM
Hi Andrej, Attached is a document with some scenarios I came up with.  I have highlighted some that I would recommend over others, though the final recommendation depends on many factors.  I have not tested all of these, but in theory it seems they should work fine.  I listed some prerequisites and pros/cons in the scenarios.  There are many ways to skin a cat with BGP. Hope this helps! Cheers, Kelly ... View more

Re: Youtube video categorization.

by in General Topics
‎03-31-2011 10:03 AM
1 Kudo
‎03-31-2011 10:03 AM
1 Kudo
Hi Sam, It looks like we only control Youtube safety-mode and uploading today. For more information, see https://live.paloaltonetworks.com/docs/DOC-1451 It might be possible to create custom app-id signatures for categories if Youtube exposes that information in any of the headers. Cheers, Kelly ... View more

Re: is it support ECMP protocol ??

by in General Topics
‎03-31-2011 09:56 AM
‎03-31-2011 09:56 AM
Hi Eugene, ECMP is not a protocol, per se, but a way to allow multiple links chosen from the routing table to be installed in the forwarding table.  Then some sort of algorithm is used to load share traffic between both links. The Palo Alto Networks firewall does not support ECMP at this time.  Only a single best path is installed in the forwarding table from the routing table. Cheers Kelly ... View more

Re: L3 install issue - two internet lines of L3 mode installation on same networks

by in General Topics
‎03-31-2011 09:46 AM
‎03-31-2011 09:46 AM
This is certainly an interesting design! I don't see two physical interfaces with IPs in the same subnet very often. If the ISP cannot change your external addressing or you cannot use just a single outside interface, then you might try the following: Create two Virtual Routers (You can have overlapping subnets using multiple Virtual Routers) and put each external interface into its own.  Call them Default and Server.  Both have a 0.0.0.0/0 route next hop of 100.100.100.100. Create three L3 interfaces: Inside interface goes into Default Virtual Router, Inside zone .198 goes into Default Virtual Router, Public zone .197 goes into Server Virtual Router, Public zone Create your NAT rules as you have defined in the diagram Make the Server rule static, Bidirectional Make the Client PC rule dynamic-ip-and-port Create two PBF rules: Inbound PBF rule for the Server:  from .197 interface, then send to Internal interface Outbound PBF rule for the Server: from 10.1.1.2/32 address, then send to .197 interface Create an any any allow Security rule to test Seems like this should work in theory. You are basically using normal routing for the bulk of the traffic and PBF to force the Server traffic over the other link. Cheers, Kelly ... View more

Re: Delete logs and ACC monitor data

by in General Topics
‎03-30-2011 09:40 AM
‎03-30-2011 09:40 AM
Your best bet might be to create a template of a simple config you want to use for rollouts and then do a "request system private-data-reset" (or factory reset).  Then upload your template config. Clearing the logs does not clear the old reports in the system.  To do that you can use the "delete report ..." command.  I'm not sure if you can use wildcards or if you need to delete each one individually. Cheers, Kelly ... View more

Re: Policy based forwarding for traffic filtering

by in General Topics
‎03-29-2011 07:18 PM
‎03-29-2011 07:18 PM
I think using different zones for interfaces 1/3 and 1/7 might make this work.  This way the firewall will see the packet coming from a different zone and will not match the original PBF flow. Just be careful about the return traffic, though.  You may need some creative security policies to make this work. You might even consider having the external device not send the traffic back through the firewall, if possible. Cheers, Kelly ... View more

Re: Policy based forwarding for traffic filtering

by in General Topics
‎03-29-2011 07:04 PM
‎03-29-2011 07:04 PM
I believe you cannot do PBF by destination interface or zone because the device only knows the egress interface after consulting the routing table, but PBF is performed before routing.  You can configure PBF by destination address, however. Cheers, Kelly ... View more

Re: Policy based forwarding for traffic filtering

by in General Topics
‎03-29-2011 07:00 PM
‎03-29-2011 07:00 PM
The policy looks good.  I think this may be working as designed - when the first packet hits the device a flow is created.  I think packets returning from the security device are matched against the original flow since the source and destination zones match. I imagine if you do a "show session id <xxx>" for the session you will see the PBF enabled which probably applies no matter what interface the packet ingresses after the first match.  Another way to look at it is the packet is seen as the same packet that matched the PBF policy the first time the firewall saw it, so it keeps applying the PBF policy to it, even though the packet is now ingressing on another interface. I think one way to get out of this may be to change the zone names for both internal interfaces and re-do some of your PBF and Security policy. I think the alternative option I provided in my post above may not work since the rule will never match (since the packet is already applied to an existing flow). Hope that helps. Cheers, Kelly ... View more

Re: Policy based forwarding for traffic filtering

by in General Topics
‎03-29-2011 06:24 PM
‎03-29-2011 06:24 PM
Hi there, Can we get a screen capture of your PBF policy?  If the policy is correct, it might be a bug and I imagine you could work around it by putting e1/7 into a new zone and using the source zone in the policy instead of source interface.  Alternatively you could exempt PBF forwarding for traffic sourced from 10.2.43.20 with another PBF rule above the existing rule. Cheers, Kelly ... View more

Re: hard disk specification??

by in General Topics
‎03-29-2011 03:19 PM
1 Kudo
‎03-29-2011 03:19 PM
1 Kudo
One point of clarification - when you add a second SSD hard drive of the same size to a PA-5000 device it automatically becomes mirrored in a RAID 1 configuration. Cheers, Kelly ... View more

Re: Routing IP address range through firewall

by in General Topics
‎03-24-2011 02:32 PM
‎03-24-2011 02:32 PM
Absolutely - all policy rules are evaluated top down and terminate on match. Cheers, Kelly ... View more
Register or Sign-in
Contact Me
Online Status
Offline
Date Last Visited
‎08-18-2015 09:06 AM
Latest Tags
No tags yet
LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2026 - Palo Alto Networks