This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
Buy or Renew
Buy or Renew

About bradenmcg

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
bradenmcg
‎11-07-2019
since ‎12-23-2009
L3 Networker
User Activity
User Profile
Latest posts by bradenmcg
View All
My Liked Posts
View All
User Badges
Community Statistics
Member Since ‎12-23-2009 11:36 AM
Date Last Visited ‎11-07-2019 07:30 PM
Posts 64
Total Likes Received 2

Authentication profile + Kerberos + group restrictions - should work?

by in General Topics
‎10-26-2011 11:38 PM
‎10-26-2011 11:38 PM
Running 4.0.5 here. I setup SSL VPN a while ago, and setup an authentication profile to pull from our Active Directory via Kerberos.  I have an AD group and I only want the members of that group (or members of groups that are children of that master group) to have VPN access. I only add that single group to the allow list, and nothing else. For some period of time, this was working correctly.  I have users that are in that group and could access the VPN, as well as users in sub-groups that could also access it. After some period of time, with zero changes to anything SSL-VPN or authentication related, this has stopped working.  I'm now getting a generic "invalid username or password" error, when it was working perfectly in the past. If I edit the authentication profile and remove the group restriction and instead change to "all," everything works again, but I am no longer restricting VPN access as I would like. What's going on here? I have found from searches that group restrictions are not supported with LDAP... but I'm using Kerberos and couldn't find anything about it one way or another.  If it is not supposed to work with group restrictions, how the heck was it working for me in the past!? ... View more

Re: Allowing the PAN to respond to tracert

by in General Topics
‎10-04-2011 02:21 PM
‎10-04-2011 02:21 PM
What is your management policy for either interface?  If there is no management policy in place for an interface, IIRC it won't respond to ping or any other ICMP messages. ... View more

Re: long time to implement "commit"

by in General Topics
‎09-06-2011 07:08 PM
‎09-06-2011 07:08 PM
Rumor has it that one of the major improvements in 4.1.x when it releases is speed improvements to the GUI and possibly to commit as well. But yes, it's slow.  It's the tradeoff.  I'll gladly take it for a device that is far better than everything else on the market. Why are you adding users to the firewall, you have no other LDAP/directory infrastructure?  Much easier to add people to that directory and have the PAN access LDAP/ActiveDirectory instead. ... View more

Re: DHCP, AD and VLANS

by in General Topics
‎07-14-2011 12:41 PM
1 Kudo
‎07-14-2011 12:41 PM
1 Kudo
If this is an Active Directory domain, it's generally not a great idea to take DHCP away from your domain controllers.  Reason is that normally, DHCP will work with DNS on AD servers to enable dynamic updates, so a machine's hostname is always associated to its correct IP. If the machines aren't on the domain it doesn't really matter as much, but it's still not recommended.  MS suggests that you use their DHCP along with AD because of dynamic updates. I'm not sure how you would be able to remove the RADIUS server in your scenario, because I assume you're using 802.11x authentication (with RADIUS) in order to drop the ports on the procurves into the correct VLAN based on user authentication.  Unless you want to move the RADIUS function to the PAN - you can't do this, the PAN isn't a RADIUS server. ... View more

Re: PANOS 4.0.2 - User Management for Captive Portal

by in General Topics
‎05-25-2011 02:16 PM
‎05-25-2011 02:16 PM
Most people doing captive portal would generally have it tied in to LDAP or RADIUS (or in 4.x, Kerberos directly to Active Directory)...  I haven't used Panorama, but I'd think that you would be able to configure both units with it to use the same group source and go from there? Unless your issue is that you don't have LDAP/RADIUS available, period, hence you are trying to use system-local users and groups for the portal? ... View more

Re: couple of questions of regard to disk.

by in General Topics
‎05-25-2011 02:11 PM
‎05-25-2011 02:11 PM
The amount of size "allocated" is what it reserves for logs/etc.  There is other space used for things like firmware storage, debug logging, etc.  I highly doubt that this is user-configurable, but I am curious to hear what PAN reps say. The disk in a 20xx series is a normal SATA drive, I believe ours is a Western Digital or Seagate, IIRC it was 7200RPM though. ... View more

Re: Multiple External IP Problem

by in General Topics
‎03-22-2011 04:33 PM
‎03-22-2011 04:33 PM
dkraus - this is not the correct way to do multiple IPs on the external interface of a PAN. If you add the address a.b.c.d/24, the firewall will ARP for any address in that subnet.  You don't need to add extra addresses on the interface, you just add the NAT rules you need and the firewall will answer for any IP that has a matching NAT rule. This is different from many firewalls, where you have to explicitly add each individual IP you want to answer on the external iface. If you do only want to use a single address, or say 3 addresses out of a /28 block or something, just add each of those individual ones as /32 on the external interface.  This insures that the PAN couldn't possibly attempt to ARP for any of the other addresses. ... View more

Auto-block admin "hammer" attempts?

by in General Topics
‎02-25-2011 11:27 AM
‎02-25-2011 11:27 AM
I've been seeing stuff in the system log like the following: User 'caitlen' failed authentication. Reason: Authentication profile not found for the user From: [some hacker in China's IP]. There are a huge string of these, obviously it's reading through a dictionary and trying a bunch of accounts. Is there any way to get the PAN to ignore the IP for some period of time after a certain number of failed authentication attempts? I'm still using the default "Admin" account, is there a document anywhere that would allow me to tie Admin authentication to LDAP or RADIUS, and then am I able to disable the admin account completely? ... View more

Re: Problems with SMTP after latest Vuln Profile update?

by in General Topics
‎02-18-2011 09:04 AM
‎02-18-2011 09:04 AM
232-884 Apps, Threats Full 12 MB 2011/02/15 10:46:28 I believe I'm seeing it in relation to a recent SSL cert update I installed on my mail and anti-spam units (both of which do send outbound mail as well).  I don't know if the latest threat update is at fault; it may happen with the previous releases as well (but I don't want to roll back right now to test). The new cert is a wildcard cert from DigiCert, and I have several subject alternative names (SANs) on it, which make the whole thing much longer than a standard cert when it is presented in an SMTP HELO/EHLO. The vuln profile itself may not actually be at "fault" here in that it may not be the newest version causing the problem...  however, a completely legit EHLO responding to a STARTTLS request shouldn't be triggering the profile to block traffic. ... View more

Problems with SMTP after latest Vuln Profile update?

by in General Topics
‎02-17-2011 02:55 PM
‎02-17-2011 02:55 PM
Anyone else seeing a bunch of their SMTP connections blocked by this signature after the latest update? Name: SMTP EHLO/HELO overlong argument anomaly ID: 30384 Description: This anomaly would be triggered when an overlong parameter is sent to the HELOcommand of SMTP protocol. Some servers such as Tabs Laboratories MailCarrier2.51 might be prone to an overflow vulnerability while parsing the craftedrequest.A successful attack could lead to remote code execution with the privileges of the current logged-in user.  I don't use any of the affected software so I am going to whitelist that ID, but the fact that it was just added to the system and caused me problems seemed to be something that shouldn't happen... ... View more

Re: Two separate yet identical subnets, possible?

by in General Topics
‎01-12-2011 11:30 AM
‎01-12-2011 11:30 AM
Well, if I have to change the IP for the "sister" network on the PAN that shouldn't be a major problem, as long as I can keep the subnet the same.   It's only 4-5 servers and I can just change their default gateways to a new IP. My biggest concern was that traffic would somehow get mis-directed, but if I'm using two separate VRs I don't really see how that would be possible. The larger concern was that the remote VPN'd systems are all pointing back to individual IPs (I have no idea why they didn't use hostnames), so I'm stuck with the 192.168.1.x subnet for the sister company until we can hit all of the remote sites and change the computers to connect to Citrix via hostname/etc.  Since we are going to have to do that when we transition their data onto our network anyway, I'd rather NOT have to change when the equipment is moved over here, only when we do the actual data migration. ... View more

Two separate yet identical subnets, possible?

by in General Topics
‎01-12-2011 11:00 AM
‎01-12-2011 11:00 AM
My subject isn't too clear, so let me describe what I'm looking to do.  I'm not sure if it's possible. I have an existing network setup here on 192.168.1.0/24, the PAN is .1 on Ethernet 0/2. We are aquiring hardware from a sister company that is going to be eventually merged with us.  I am going to put their gear on a separate VLAN, and wanted to dedicate a separate interface on the PAN to that gear.  They have remote locations that are using IPSec VPN to get back to their equipment, so I am going to change the VPN tunnels to point back to my PAN and route the traffic over to their little segmented network.  I would like to avoid making changes to their hardware and I want to leave their subnet alone.  However, they are also using 192.168.1.0/24, and due to the VPN their remote sites are hard-coded to connect to specific IPs in that subnet (for Citrix, etc). Is there some way I can mangle the traffic such that I can terminate their IPSec tunnels and have the traffic hit "their" 192.168.1.0/24 without it having any affect on "my" 192.168.1.0/24?  Here was my line of thinking... Add a second "internet" interface, assign a single external IP from our static pool Add a new internal / trusted interface for this sister company's equipment, assign it 192.168.1.1/24 Create a new virtual router for this setup, and put the above two interfaces in the VR Setup IPSec tunnels and assign them to the same VR Assuming I keep all of the traffic for the sister company in a separate Virtual Router, it shouldn't "conflict" or upset my traffic on my existing VR (also using the 192.168.1.0/24 subnet), correct? ... View more

App Override - should it be "instant"? Also, SFTP?

by in General Topics
‎12-17-2010 01:19 PM
‎12-17-2010 01:19 PM
I have some stuff that is getting mis-categorized, so I setup app-override rules.  After committing the config, if I go over to the ACC tab, should the formerly-uncategorized traffic be automatically put in the right place?  Or does the app-override only apply to future traffic after the commit? Secondly, what is the correct application to catch SFTP (which I believe is similar to cp running inside of an SSH tunnel, as it runs on port 22)?  Should I be using the normal SSH app, or is "ssh-tunnel" correct? ... View more

Re: Security policies, mixing app and "service" options, ping, PPTP and NAT?

by in General Topics
‎10-04-2010 01:19 PM
‎10-04-2010 01:19 PM
Back to the PPTP then - I already have 1:1 NAT setup for the PPTP "server."  Do I just need a security rule for Application pptp then?  I'm not sure how to forward GRE traffic, unless the pptp App rule will take care of that? Not related to any of the other questions - SSL-encrypted IMAP or SMTP, do those fall under the generic "ssl" Application?  I imagine that if I setup SSL decryption / MITM for the PAN, then it would be smart enough to expose the underlying apps, but otherwise I'll need to use "ssl" instead? ... View more

Re: Security policies, mixing app and "service" options, ping, PPTP and NAT?

by in General Topics
‎10-04-2010 09:21 AM
‎10-04-2010 09:21 AM
Regarding Citrix again - most of the traffic uses the normal predefined Citrix ports.  The only traffic we have on 8080 is the XML Browser traffic (i.e. the "HTTP" portion of TCP/HTTP when using a Citrix client).  Do I still need to configure the Service port, or can I just allow the Citrix app and this will be passed?  The description of the Citrix app itself doesn't mention the browsing portion of Citrix (or at least not the ports it runs on), hence my confusion. The "standard ports" listed for Citrix are: tcp/443,2512,2513,2598,1494, udp/2512,2513 XML browsing normally runs on 80, or 443 as an option (SSL-encrypted browsing).  However you can define it to whatever port you want.  I'm just not sure if the app signature will be able to identify the traffic, and I don't have the luxury of putting a Citrix server behind the PAN to test until I'm ready to go live with it. As a general rule, is it "better" or more efficient to use Application, or Service definitions when talking about Security Rules on the PAN? ... View more
Register or Sign-in
Contact Me
Online Status
Offline
Date Last Visited
‎11-07-2019 07:30 PM
Latest Tags
No tags yet
Likes Given To
View All
Likes From
View All
LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2026 - Palo Alto Networks