This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

About Rboehme

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.
Rboehme
‎01-21-2020
since ‎01-23-2015
L2 Linker
User Activity
User Profile
Latest posts by Rboehme
View All
My Liked Posts
View All
User Badges
Community Statistics
Member Since ‎01-23-2015 01:05 AM
Date Last Visited ‎01-21-2020 05:25 PM
Posts 21
Total Likes Received 4

Re: enabling interface ping

by in General Topics
‎07-11-2019 08:37 AM
‎07-11-2019 08:37 AM
From the description I understood he wants to ping his own gateway. Therefore there is no policy needed. (intra-zone).   Is traffic from inside vlan.101 accepted and processed by the firewall? ... View more

Re: Default deny logging question

by in General Topics
‎07-11-2019 08:26 AM
‎07-11-2019 08:26 AM
Hi James,   from my point of view there is no downsite. If your ruleset is appropriate there is no reason to let the intra-/inter-zone Default rules not log events. As mentioned by other user you can have a deny/any/any rule before the default rules but this is basically only useful if you have setup policies for everything. Imagine some customer/partner wants to setup a VPN with your outside interface. As he is based within the outside zone as well as your outside interface this would normally hit the "intra-zone default rule" - which can not being hit when a deny/any/any statement is placed before.   The best practice is to set logging to "at session end" and you can safely enable the logging on those rules as I do primarily assume you do not want this rule to be it but when it gets hit you want to see it in the logs.   Kind regards, Rene ... View more

Re: HA1 encryption issues?

by in General Topics
‎07-11-2019 07:54 AM
‎07-11-2019 07:54 AM
Dear CRDF18,   please try the following steps:   SSH into FW2 sourcing from FW1 (just connect and accept the key) SSH into FW1 sourcing from FW2 (just connect and accept the key) Enable HA1 encryption again and let us know the outcome 🙂   Kind regards,   Rene   ... View more

cfg export + master key hash

by in General Topics
‎05-17-2019 02:11 PM
‎05-17-2019 02:11 PM
Dear Community,   I have found this side note in an article regarding the master key on the firewall.   "Without the Master Key, when a configuration is exported from a firewall, the password is hashed and can be copied."   Basically its the exact answer of the question I originally had. I am facing a situation where a firewall crashed. I have received the new firewall and have the certificates and the running config saved locally.    When trying to import the config the firewall skips basically every entries in regards to password or keys and shows this as error messages. I do understand the firewall is unable to decrypt those data without a matching master key.   However from where do I retrive the master key hash and do I assume correclty to use the hash as the password for the imported config?   Thanks.   Kind regards,   Rene ... View more

Does "pre-logon" user belongs to "known" user?

by in General Topics
‎12-19-2018 06:05 AM
‎12-19-2018 06:05 AM
Dear Comm,   I was googleing alot about this topic and but only found this:   https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClXlCAK   My specific question is, if a the User ID agent show the username "pre-logon" learned via "GP" - does this "user" counts to the "gruoup" of "known"-user which I can use in security policies?   Thanks for your support.   Kind regards,   Rene ... View more

Re: Default Master Key lifetime

by in General Topics
‎12-19-2018 06:00 AM
‎12-19-2018 06:00 AM
@BPry Thanks a lot sir. that helped me out. ... View more

Default Master Key lifetime

by in General Topics
‎12-12-2018 03:40 AM
‎12-12-2018 03:40 AM
Dear Comm,   I do understand that we use the master key for encrypting our private keys and passwords stored on the firewall. However I am wondering why we should touch this key at anytime? What is the default lifetime of the default master key? I assume it to be 0 (=infinite) as I cant find anything about this question even in the PANOS admin guide. Please clarify:   - What is the default lifetime of the native/default master key? - Why should we change it (periodically? How often?)   Thanks and kind regards, Rene ... View more

Re: How to verify firewall operational mode (fips, cc, normal)

by in General Topics
‎01-11-2018 03:43 AM
4 Kudos
‎01-11-2018 03:43 AM
4 Kudos
Dear comm,   sorry for the stupid question. Right after posting it came into my mind:   admin@Roob_Stark(active)> show system info | match operation operational-mode: normal   Thanks 😛 ... View more

How to verify firewall operational mode (fips, cc, normal)

by in General Topics
‎01-11-2018 02:54 AM
‎01-11-2018 02:54 AM
Dear comm,   when searching for operational modes you will find a bunch of guides how to change mode from normal to CC or FIPS. However I would like to know where I can check the current mode running. I know you can clearly see it when using Panorama but this is not the case here. Where can I check the operational mode on a standalone firewall?   Kind regards,   Rene ... View more

Re: Multiple LDAP servers in a single profile - behavior

by in General Topics
‎08-15-2017 08:56 AM
‎08-15-2017 08:56 AM
Dear Trancefor,   thank you for your answer. I am confused by this:   Usually four LDAP servers are more than enough to authenticate all the users in the domain, and to provide redundancy in case a LDAP server goes down.   This sounds like:"Hey, I will use one LDAP forever, if it goes down, I just will pick the next in the list".   Sometimes, larger companies have more than four LDAP servers with distributed environments in which users connect to dedicated LDAP servers. Users may contact LDAP servers that are not one of the four servers, and will try to authenticate to them.   So this sounds to me like (if the first statement above is true):"Hey I will use the first LDAP server of the first entry of the authentication sequence. If this authentication fails, I will contact the first LDAP server of the second entry of the authentication profile."   Bascially if you have two groups of LDAP servers:   Group1: 1,2,3,4 Group2:5,6,7,8 Authentication Sequence: Group1,Group2   Assuming no LDAP server goes down ever: LDAP1 will be contacted and LDAP5 might be contacted, the rest of the server will never be contacted. Am I right here?   Kind regards, Rene ... View more

Multiple LDAP servers in a single profile - behavior

by in General Topics
‎08-15-2017 07:56 AM
‎08-15-2017 07:56 AM
Dear comm,   when I have several LDAP servers in a profile for user authentication. How is this list utilized? Is only the first entry used? Are authentication requests distributed over all configured servers? How does it work?   Kind regards,   Rene     ... View more

PANOS 8.0.x restart IPSEC tunnels from GUI

by in General Topics
‎05-05-2017 05:30 AM
‎05-05-2017 05:30 AM
Dear all,   we found out that we are not able to restart VPN tunnels in PANOS 8.0.x from GUI because its grayed out and it is an expected behavior as you can see the message "Restart disabled because OK".   The conclusion is that on version 8.0.x it's not possible anymore to restart the tunnel from GUI if the tunnel is up and running, but you can still restart the tunnel from CLI.   Unfortunately there is no official document discussing this subject yet.   Will Palo Alto support us with an official document in the near future? We dont wanted to open a TAC case for this question so we are directing this question to the community.   Thanks and kind regards,   Rene ... View more

Policy Rules order

by in General Topics
‎11-23-2016 05:48 AM
‎11-23-2016 05:48 AM
Hi there,   if we are going to the tab "Policy" we will see 7 different sub tabs. The tabs are:   Security NAT QoS PBF App Override Captive Portal DoS Protection   So I know for example that Security rules are always checked before NAT rules but whats about the rest? I spent planty of time google for this information but without success. ... View more

LDAP servers for fault tolerance only?

by in General Topics
‎10-18-2016 07:43 AM
‎10-18-2016 07:43 AM
Dear community,   I am struggling around with a though I cant find an answer for. I every documentation I found they state that additional LDAP server are for fault tollerance only. Imagine the follwing setup:   A customer is loadbalancing user authentication against more than one LDAP servers.   So actually that means the firewall will only monitor one of maximum 4 LDAP servers (per profile). Think about all of the servers are up and running but user logon is distributed across all four LDAP servers. How will I be able to discover complete user ID information?   Kind regards,   Rene ... View more

Re: virtual routers

by in General Topics
‎10-13-2016 05:08 AM
‎10-13-2016 05:08 AM
Actually what you can to is:   - attach your trust interface to the VR - attach your untrust interface to the VR - go to the CLI and enter "ping source <ip-of-trust-interface> host <ip-of-host-in-untrust-zone>   A setup like this would normally be trust (LAN) to untrust (internet) so in my case it would be:   ping source 192.168.0.1 host 8.8.8.8   If the ping succeeds you know that your VR is working.   ... View more
Register or Sign-in
Contact Me
Online Status
Offline
Date Last Visited
‎01-21-2020 05:25 PM
LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks