This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
Buy or Renew
Buy or Renew

About Raido_Rattameister

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Raido_Rattameister
‎10-31-2025
Cyber Elite
since ‎02-10-2015
Cyber Elite
User Activity
User Profile
Latest posts by Raido_Rattameister
View All
User Badges
Community Statistics
Member Since ‎02-10-2015 12:44 AM
Date Last Visited ‎10-31-2025 12:57 PM
Posts 1,649
Total Likes Received 519

Re: Block page for security policy matches

by Cyber Elite in General Topics
‎12-05-2016 03:58 PM
‎12-05-2016 03:58 PM
If user tries to browse to website that is running on IP that is not permitted then this attempt is blocked before connection get's to HTTP. Initial SYN packet gets tcp-rst back and connection is taken down.   What you can try is to: Create top rule that permits traffic to your country IP addresses, application web-browsing, action allow. Create second rule below it where destination is any, application is web-browsing and action is block. And edit application response page. If I were you I would add some Javascript to it so if application equals to web-browsing then show text "You are browsing to website hosted outside our country".   ... View more

Re: VM PA to VM PC Unable to ping.

by Cyber Elite in General Topics
‎12-04-2016 05:47 PM
1 Kudo
‎12-04-2016 05:47 PM
1 Kudo
What version are you using? Starting from 7.1 you can configure Palo firewall to use mac address assigned by hypervisor. With older versions (and default 7.1 setup) you should get mac address from Palo and set it on the hypervisor network interface.   https://live.paloaltonetworks.com/t5/VM-Series-Articles/How-to-Configure-Interfaces-for-VM-Series-to-Work-in-L3-without/ta-p/55969 ... View more

Re: Put Cisco MAC on PAN firewall? / Change interface MAC address

by Cyber Elite in General Topics
‎12-04-2016 05:43 PM
‎12-04-2016 05:43 PM
You can send Gratuitous ARP from Palo after you switch over so that devices would update their ARP table.   https://live.paloaltonetworks.com/t5/Management-Articles/Trigger-a-Gratuitous-ARP-GARP-from-a-Palo-Alto-Networks-Device/ta-p/61962 ... View more

Re: HA sync-passwords both devices

by Cyber Elite in General Topics
‎11-18-2016 04:53 PM
1 Kudo
‎11-18-2016 04:53 PM
1 Kudo
What password did you change? Firewall local account password?   ... View more

Re: debug flow does not show NAT and threat related drop information

by Cyber Elite in General Topics
‎11-16-2016 09:50 AM
‎11-16-2016 09:50 AM
Hey reaper do you know any document that explains those diferent flow options in more detail? ... View more

Re: How to limit bandwidth with URL

by Cyber Elite in General Topics
‎11-16-2016 09:36 AM
‎11-16-2016 09:36 AM
First you create custom url category and then add all your url's into it. ... View more

Re: Proxy id between Palo Alto firewall and Cisco ASA

by Cyber Elite in General Topics
‎11-02-2016 07:53 AM
‎11-02-2016 07:53 AM
I have not used IKEV2 so maybe someone who has can help here. ... View more

Re: Proxy id between Palo Alto firewall and Cisco ASA

by Cyber Elite in General Topics
‎10-28-2016 08:32 PM
1 Kudo
‎10-28-2016 08:32 PM
1 Kudo
Palo does not care about Proxy ID because it uses routing table to decide where to send traffic (route based vpn). But as to negotiate IPSec configuration needs to match at both sides so Proxy ID in Palo is just to make Cisco happy. Cisco on the other hand uses policy based vpn and encryption domains there are used to decide if traffic should be routed into tunnel or not. So yes you have to have all subnets added to Proxy ID to have traffic flowing. 5 subnets at both sides for example means 25 Proxy ID's -> 5x5. ... View more

Re: Monitoring VPN tunnel

by Cyber Elite in General Topics
‎10-18-2016 10:26 AM
‎10-18-2016 10:26 AM
If you want live view and don't want to keep historical data then install Pan(w)achrome plugin for Chrome. It will give you nice overview of physical and logical interfaces plus a lot more. You can click on values to see graph.   ... View more

Re: google not working with chrome update if unknown-udp is blocked

by Cyber Elite in General Topics
‎10-18-2016 10:17 AM
1 Kudo
‎10-18-2016 10:17 AM
1 Kudo
Chrome uses quic by default that runs over udp. Probably they changed the behaviour and Palo AppID does not match any more.   Temporary workaround might be to disable quic in Chrome. You can't decypt quic anyway so you loose visibility when users access Google services with Chrome so disabling it might be good idea anyway.   https://www.google.ee/webhp?sourceid=chrome-instant&ion=1&espv=2&ie=UTF-8#q=chrome%20disable%20quic ... View more

Re: How App-ID identify encrypted application

by Cyber Elite in General Topics
‎10-13-2016 11:19 AM
4 Kudos
‎10-13-2016 11:19 AM
4 Kudos
When you visit SSL site then firewall sees certificate. If you go to www.facebook.com then there is just Facebook and app is identified as facebook-base. If you go to any Google service (maps.google.com, www.gmail.com etc) then cert says *.google.com and firewall is unable to identify exact application and uses broad google-base as application. If there is no application for specific site then traffic is just identified as SSL.   If you have decryption policy in place then firewall can also detect subapplications like facebook-apps, facebook-chat etc ... View more

Re: Blocking macro-enabled Office files (docm, xlsm, etc)

by Cyber Elite in General Topics
‎08-12-2016 07:40 AM
1 Kudo
‎08-12-2016 07:40 AM
1 Kudo
Block macros with GPO. https://blogs.technet.microsoft.com/mmpc/2016/03/22/new-feature-in-office-2016-can-block-macros-and-help-prevent-infection/ ... View more

Re: PA and AD Integration

by Cyber Elite in General Topics
‎08-10-2016 12:42 PM
‎08-10-2016 12:42 PM
Hey   By default it is 1 hour. https://live.paloaltonetworks.com/t5/Management-Articles/What-is-the-Default-Update-Timer-Value-for-Group-Mapping/ta-p/53437   You can manually update with cli command below. debug user-id refresh group-mapping all https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Force-User-Group-Mapping-Refresh/ta-p/62597 ... View more

Re: Application Dependencies

by Cyber Elite in General Topics
‎08-09-2016 12:39 PM
‎08-09-2016 12:39 PM
You can create custom URL categories without license and use those. ... View more

Re: Application Dependencies

by Cyber Elite in General Topics
‎08-08-2016 02:57 PM
‎08-08-2016 02:57 PM
Yes But you can limit down destination where connections can be done with "Destination",  "URL Category" and "URL Profile". ... View more
Register or Sign-in
Contact Me
Online Status
Offline
Date Last Visited
‎10-31-2025 12:57 PM
LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2025 - Palo Alto Networks