This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

About networkadmin

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Content translations are temporarily unavailable due to site maintenance. We apologize for any inconvenience.

networkadmin
‎09-16-2017
since ‎02-12-2010
L4 Transporter
User Activity
User Profile
Latest posts by networkadmin
View All
My Liked Posts
View All
User Badges
Community Statistics
Member Since ‎02-12-2010 10:34 AM
Date Last Visited ‎09-16-2017 04:35 PM
Posts 242
Total Likes Received 16

"Top Domains" report?

by in General Topics
‎03-22-2010 09:23 AM
‎03-22-2010 09:23 AM
I think I've asked this but can't find the thread.  What is the recommended way to get some kind of "Top Domains Visited" report? Everything seems to default to rdns of the endpoint which is not much use sadly with cloud/online content providers i.e. your users visit Amazon/BBC but the resolved destination is node-17-cluster-5.eu.akamai.com and so on. Thanks. ... View more

Re: Exchange Active Sync

by in General Topics
‎03-17-2010 11:46 AM
‎03-17-2010 11:46 AM
What I did, and I'm happy to be told it's not "best practise" but it works for us is: Uploaded our website cert to the PAN for the reverse proxy. Created an SSL inspection policy. Created a rule that allows the https service to our exchange server. On that rule I applied a URL filtering policy that only allows the Exchange virtual directories to that server. ... View more

Re: Websense's Dynamic Protection against Web Malware

by in General Topics
‎03-17-2010 11:43 AM
‎03-17-2010 11:43 AM
On the PAN side of things there is a "dynamic updates" option, but I too would be interested to know a bit more about how it works. I'm assuming, using Google as the example that you've given, that if someone wants to visit Google than the PAN would first check its internal Brightcloud database and only uses the dynamic lookup for sites it doesn't have listed? ... View more

Re: When is 3.1 out?

by in General Topics
‎03-17-2010 11:40 AM
‎03-17-2010 11:40 AM
OK so I see it's out and shows for download now - strangely quiet in here though, has anyone upgraded? ... View more

Re: NAT/Can a subnet span multiple interfaces?

by in General Topics
‎03-11-2010 12:31 PM
‎03-11-2010 12:31 PM
Thinking about it I don't need to subnet down do I... We already NAT a couple of those public IPs through our external interface i.e. Outlook Web Access to our Exchange server on our internal LAN. So I could allocate an interface on the PAN to 192.168.1.x/24, put it in a zone called "DMZ", put my webservers on it, and add the zone to my default virtual router. Then I simply create NAT and Security policy rules (including a NAT/security policy for the DMZ server to access internet and other resources as required i.e. to pass SMTP to our Exchange server). I get it now I think, seems every firewall has its own set of terminology ... View more

Re: NAT/Can a subnet span multiple interfaces?

by in General Topics
‎03-11-2010 11:37 AM
‎03-11-2010 11:37 AM
Ideally I was hoping not to have to change any of the public IP addresses and the associated DNS, which I'd have to do if I split the subnet down. ... View more

Re: NAT/Can a subnet span multiple interfaces?

by in General Topics
‎03-11-2010 09:48 AM
‎03-11-2010 09:48 AM
I don't think I have an issue with using NAT, obviously it will take a little time to bind private IPs and change IIS/services to use different IP's but when it's done it's done. I'm more interested in doing it the right/best way - NAT shouldn't be an issue as these are just web/ftp/dns services. What I wasn't sure of was if I have: int1  LAN, private IP int2  External default route, public IP of x.x.x.1/24 int3  New interface, webserver connected with private IPs on webserver How do I go about getting the PAN to proxy the public IPs of those sites and do all the NAT'ing? I think where I'm getting confused is over whether int3 is actually listening on the public IPs or whether int2 would be doing that as the public IPs of the websites are on the same /24. ... View more

NAT/Can a subnet span multiple interfaces?

by in General Topics
‎03-11-2010 09:30 AM
‎03-11-2010 09:30 AM
We currently have our PAN configured with a simple 2 NIC L3 setup, the internal NIC is on a private IP, the external NIC is on a public IP on a /24. We have a bunch of  public facing websites that are currently outside of the PAN on a server that is connected to the same switch as the external NIC of the PAN, so each website/service on that server has its own public IP on the same /24 as the PANs default external NIC. Given that the PAN can do a bunch of smart stuff it seems to me it makes sense to look at moving those websites into a DMZ/dedicated interface on the PAN and presumably using NAT. What I'm unclear on is: a)  Is NAT the best approach i.e. change the IP's on each website to private IPs? b)  Can the PAN deal with having two interfaces each using addresses that are on the same subnet? Hopefully the above makes sense, I guess I'd appreciate some clarification on how to best go about this. We have a fresh/valid support contract if necessary, but I figured I'd sound out the options here first. Thanks in advance. ... View more

Re: When is 3.1 out?

by in General Topics
‎03-11-2010 09:23 AM
‎03-11-2010 09:23 AM
Brilliant, thanks for the confirmation. ... View more

When is 3.1 out?

by in General Topics
‎03-10-2010 07:22 AM
‎03-10-2010 07:22 AM
Had emails/links to it being released, just wanted to check I hadn't missed something and that it shouldn't be on my Device/Software option list of versions? Thanks. ... View more

SSL Forward Decryption - Understanding Override

by in General Topics
‎03-01-2010 10:01 AM
‎03-01-2010 10:01 AM
I'm looking at the pros and cons of enabling forward decryption.  I noticed there's an "Are you happy to continue" over-ride option but it's global i.e. it's simply on or off. I assume this won't play nice with any non-browser based https downloads? Also I couldn't work out if you say "yes" what constitutes a session, for example I went to https://domain1.com and got prompted, to which I said to continue, but I thought if I went to https://domain1.com in a different browser, or to https://domain2.com in either browser that I would be prompted again as it's a different site/cert etc. Also can I clarify exactly what forward decryption does - I presume it allows inspection for viruses, malware and threats as well as the ACC showing less "SSL" and more applications as the PAN is able to work out that it's gmail, facebook and so on? Thanks. ... View more

Re: Creating Custom Applications - Dummies Guide?

by in General Topics
‎02-24-2010 11:35 AM
‎02-24-2010 11:35 AM
Hmm I spoke a little too soon - the rule works and classifies traffic, but on the ACC page all I have for "risk" is a little white square - there is no risk rating listed, even though on the objects/applications it shows with the expected green "1" icon. Why might this be please? I tried changing the risk to "2" just to see if it's some weird caching/rendering thing but it does it consistently in Chrome/Firefox/IE, just a white box. If I look at the properties of the white box it's "risk_0.gif" though when I click the application to break down the ACC view it definitely shows with whatever risk level I give it. ... View more

Re: Logging - Best Practise?

by in General Topics
‎02-24-2010 09:36 AM
‎02-24-2010 09:36 AM
Bumpity bump.. Any way of logging this info off-box without Syslog until PAN OS 3.1 (I'm assuming this does it to FTP?) ... View more

Re: Creating Custom Applications - Dummies Guide?

by in General Topics
‎02-24-2010 09:35 AM
‎02-24-2010 09:35 AM
Brilliant thanks Mike - I was coming at it from the wrong angle and assuming I'd need to know a lot of low-level detail to create the custom app, so all I've done is fill in the new app detail using the basics and used the starting TCP port as it won't let me specify a range in an app. Right now this isn't an issue, but is there any way to define an override against a URL/set of URLs vs. a "raw" IP address or network?  It's something I can foresee for a couple of things we may be using. Thanks. ... View more

Creating Custom Applications - Dummies Guide?

by in General Topics
‎02-24-2010 08:16 AM
‎02-24-2010 08:16 AM
Is there a dummies guide to creating custom application please? We have a couple of "in-house" apps that always pass traffic on certain ports, always to/from a certain IP range, and I'm struggling to see how to put "something" in place that says "If this traffic is between source A and destination B and is on port XYZ it is CustomApp"? Equally we have a couple of apps that need a stupid amount combination of ports/port-ranges open.  AIUI with a custom app you can only specify one port at a time?  How would this work if your source and destination are always the same but the ports could be one of several hundred i.e. the app uses port(s) 7000-76500 TCP/UDP? Essentially I just want to not have "Unknown TCP/UDP" in the ACC for traffic matching those policies if possible. Thanks, ... View more
Register or Sign-in
Contact Me
Online Status
Offline
Date Last Visited
‎09-16-2017 04:35 PM
Latest Tags
No tags yet
LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2025 - Palo Alto Networks