About mrsold

Greetings, Currently, we have a project underway to extend our internet redundancy.  We have a pair of 5050's that have 3 Vsys at our main DC and a pair of 5050's which currently had two identical Vsys (the 3rd Vsys is irrelevant in this case and will only reside on that one pair).  Here is the breakdown (some simplification happening): Vsys 1 = Enterprise Traffic Vsys 2 = Guest Traffic Vsys 1 Ingress - E1 Egress - E2 Vsys 2 Ingress - E3 Egress - E4 In our redesign (due to some fiber limitations from our core to our FW) we'd like basically have the a single ingress point for both Vsys and then just some policy-based forwarding (as in, if you are coming from a specific source, you get punted to vsys2) - it's almost like a shared gateway but reversed.  Since we obviously don't want to collapse the two vsys into one, we had the thought of doing an intra-chassis patch.  So: Patch E5 (assigned to vsys1) to E6 (assigned to vsys2) then, have a policy based forwarder that says anything coming from one of our guest networks is forwarded across that link thus making E6 the new ingress for vsys 2.  Does this method make sense?  Any other thoughts on design? Thanks! ... View more

Hey all, So, we have a need to block everyone but a small AD group access to a couple pages.  Now, we don't want to just "deny" them in the rule (we have a comfort page that promps them they are blocked and allows them to request access) - I don't want to see all those tickets about a site not loading.  So, here is what I did: Rule 1 Allow:  Anyone from "AD Group"  via "web-browsing" or "ssl" to (website 1 and website 2) - allowed. Rule 2 Block:  Anyone from anywhere else via "web-browsing" or "ssl" to (website 1 and website 2) - allowed.  However, I created a "block all" URL group so that nothing is allowed through and they are given our block page. Website 1 is a standard http site and works great.  Website 2 is an SSL site.  When I try and go to it, I see that it's hitting the "block" rule but it never presents the block page.  It just sits there churning. Any thoughts? ... View more

So, I'm trying to get a clear understanding of QoS on the PA's.  Any feedback / answers would be appreciated: Maximum Egress - Straight forward - the maximum amount of traffic you are allowing out. Guaranteed Egress - This one I'm foggy on.  Is it only applied during congestion?  Or does it literally "carve out" that much of the pipe for that class? The different classes - Do these funcion only to map traffic to priority queues or are classes serviced in order?  As in, if I have class 2, 5 and 7 mapped to "High" will the PA service class 2 before 5?  Or are priority queues just handled FIFO within themselves (as in if packes from Class 2 and 7 hit the egress queue at the same time, it's whichever packet hit first). Thanks! ... View more

All, We are trying to start building URL filtering.  I'm noticing that when I try and set groups in the "Group Include List" it stops at a certain letter and just gives me the "more" option but I can never finish populating the list. Any thoughts? ... View more

Hello, So, we currently authenticate administrators to our PA's via Radius (TACACS).  Is there a way to configure the PA's that it will only use the local DB / Administrators if Radius isn't available?  Thanks! ... View more

So, interesting thing.  We use a PA-500 for our enterprise guest networks.  We currently have a couple rules that go like this: 1.  Allow guest networks to use Skype / Skrype-Probe 2.  Block guest networks from using Risk 4 and 5 P2P  (this catches stuff like Bittorrent, etc.) We just got an email that someone on our guest network is torrenting.  Low and behold the PA is still letting the app "bittorrent" through even though its blocked in that application filter. Thoughts? ... View more