About cosx

Running 6.1.2 and keep up-to-date with the application-threat updates.   Yeah, it all worked fine when we weren't allowing quic. We didn't start seeing problems until we expressly allowed it. ... View more

If you are using a loopback address that is in the same range as the Ethernet interface, are you sure that the provider router is finding the loopback via ARP? Since the address is local to the provider's address on that link, it is going to try to resolve it directly rather than route it to your firewall on the next-hop address.   FWIW, we terminate a bunch of VPNs on a loopback, and it works fine. The loopback is "behind" the firewall from the provider router's point of view, so it routes to the firewall as the next hop. ... View more

Yes, I can limit source IP addresses at either the Interface Mangement level or within the Security Policy. But any administrator will then be able to access from the allowed IP addresses. I want to restrict some IP addresses to only certain administrators. For example, the administrator "johndoe" can only access HTTPS or SSH management via the management interface and/or from 10.100.0.0/16. Another user, "joefailsafe," can get in over an Internet-facing interface from <some-public-internet>/29 addresses. Whether joefailsafe also has access via the management interface and internal IPs, I don't care. What I do not want is for johndoe to be able to get in from the Internet at <some-public-internet>/29. Using the features mentioned in the two previous responses, there is no difference in accessibility for johndoe and joefailsafe. (Again, I'm not sure that there is a way to do this in PANOS. I  thought I had seen the feature somewhere, but now I'm pretty sure I must have imagined it or be confusing our firewalls with some other device/OS.) ... View more

For the record, I did go to PAN support with this. They provided a patched version of Panorama, 6.1.2-h1, with the fix. I assume that the fix will be present in future releases. ... View more

Yes, it does show lifetime. I was looking for the lifesize. There is a mention of it in the flow output,         packets received           when lifetime expired:0           when lifesize expired:0 But that's not about what the current lifesize counter is at. I guess you can use the encapsulated and decapsupated byte counts to figure it out. ... View more

The firewall/router in question is not an ABR between two areas. It is only in a single area. It is an ASBR. The external routes it is bringing into OSPF are static routes configured on itself. It is listing itself as the forwarder. Section 2.3 of RFC2328 discusses what the forwarding field is used for,   "...the OSPF protocol allows an AS boundary router to specify a "forwarding address" in its AS-external-LSAs. [The ASBR] would specify [the other router's] IP address as the "forwarding address" for all those destinations whose packets should be routed directly to [the other router]." There is no other router in this case. The ASBR itself is the correct next hop for the traffic. It also doesn't seem to make sense for a router to specify itself as the forwarder. The field should be zeroed if the ASBR itself is the next best hop. ... View more

Sorry about that, the version is actually 4.1.6. (When I first looked at the "show system info" output, the "logdb-version: 4.1.2" line caught my eye first.) However, now I'm not really sure I even have a problem... Upon some more testing, it look like even though I have 92 translations "in use," when I actually try to create a new translation, it works. One of the translations that's listed gets bumped out. Presumably it's one of those that has no active sessions associated with it. Maybe the PAN retains some memory of inactive sessions so internal IPs get the same external IP address next time, but those external IPs are still available to new active sessions if needed? So now I may have to look elsewhere for what caused our problems... or maybe we really did run out of mapped addresses. Seems I can't tell by just looking at "show running nat-rule-ippool" how many addresses are really available, if the IP pool is at 100% usage. ... View more

I am using the original IP address for the <source> and the translated address <xlate-source> since those would be the IP addresses the firewall would see on the original packet that hits the system. So for example, from the "show running nat-rule-ippool" I see, 172.26.202.152   xxx.xxx.xxx.104 1     And I can find, crclark@scea-rhq-sc-pa5050a(active)> show session all filter source 172.26.202.152 -------------------------------------------------------------------------------- ID      Application    State   Type Flag  Src[Sport]/Zone/Proto (translated IP[Port]) Vsys                                      Dst[Dport]/Zone (translated IP[Port]) -------------------------------------------------------------------------------- 889910  playstation-network ACTIVE  FLOW  NS   172.26.202.152[51781]/bp-gaming/6  (xxx.xxx.xxx.104[51781]) vsys1                                     54.241.139.10[443]/internet  (54.241.139.10[443]) However, if I look for, 172.26.200.133   xxx.xxx.xxx.161 30              crclark@scea-rhq-sc-pa5050a(active)> show session all filter source 172.26.200.133 No Active Sessions And if there were to have been an incoming connection (there really shouldn't be, but since I'm troubleshooting, I want to cover all possibilities), it would be found with, crclark@scea-rhq-sc-pa5050a(active)> show session all filter destination xxx.xxx.xxx.161 No Active Sessions Since that would have been the IP address on the original packet that came in from the Internet side before NAT. So I understand why 172.26.202.152 is still holding a slot in the IP pool, but why is 172.26.200.133? ... View more

I am indeed doing one-to-one NAT, "dynamic IP" only. I do get output from "show running nat-rule-ippool." Are you saying the output is bogus? crclark@scea-rhq-sc-pa5050a(active)> show running nat-rule-ippool rule "Gaming to Internet" Rule: Gaming to Internet ----------------------------------------- Reserve IP: no 0.0.0.0-255.255.255.255 => xxx.xxx.xxx.100-xxx.xxx.xxx.191 Source           Xlat-Source      Ref. Cnt   TTL(s)    ---------------- ---------------- ---------- ---------- 172.26.200.133   xxx.xxx.xxx.161     30                   172.26.200.250   xxx.xxx.xxx.101     980                  172.26.75.32     xxx.xxx.xxx.108     17                   172.26.201.27    xxx.xxx.xxx.166     1                    172.26.202.152   xxx.xxx.xxx.104     1                    [snip] Total IPs in use: 88 Total entries in time-reserve cache: 0 Total freelist left: 92 ... View more