This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

About 9t89m8fu

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.
9t89m8fu
‎06-16-2021
since ‎09-11-2012
L2 Linker
User Activity
User Profile
Latest posts by 9t89m8fu
View All
User Badges
Community Statistics
Member Since ‎09-11-2012 07:38 AM
Date Last Visited ‎06-16-2021 11:15 AM
Posts 19
Total Likes Received 7

Re: advertising a default-route to a single eBGP peer in the Palo Alto.

by in General Topics
‎07-17-2019 07:00 AM
1 Kudo
‎07-17-2019 07:00 AM
1 Kudo
  Look into BGP export filters   ... View more

Re: SPI Value in phase 2

by in General Topics
‎07-17-2019 06:52 AM
‎07-17-2019 06:52 AM
This is mandated by RFC 4303 ... View more

Re: OSPF in a Active/Passive Firewall setup

by in General Topics
‎06-14-2019 04:24 AM
1 Kudo
‎06-14-2019 04:24 AM
1 Kudo
  That article is outdated. Current versions of PANOS support Graceful Restart for OSPF.     ... View more

Re: IPSec VPN throughput

by in General Topics
‎05-30-2019 08:34 AM
‎05-30-2019 08:34 AM
10Mbit/s is a far cry from 50. What's more likely to be your problem is that performance is getting degraded due to fragmentation. Try dropping the MTU on your tunnel interfaces to about 1400 and make sure MSS is getting clamped. Also check your algorithms. You should be using AES instead of 3DES, try GCM instead of CBC, etc. ... View more

Re: GRE support on PAN-OS 8.0

by in General Topics
‎08-30-2018 06:01 AM
‎08-30-2018 06:01 AM
  Slightly off-topic, but Palo Altos can in fact terminate non-encrypted IPSec. Both AH and null-encryption ESP are supported in PAN-OS 8.0.     ... View more

Re: Do BGP and OSPF have to have same router-id on a virtual router ?

by in General Topics
‎07-26-2018 05:25 AM
‎07-26-2018 05:25 AM
  There is no functional requirement for the RID to be the same (hence why this is a warning instead of a commit failure). It's easy to see how this could lead to a confusing situation for administrators, however, which is presumably why the PAN-OS devs decided to display a warning. ... View more

Re: Route & Path Selection

by in General Topics
‎07-16-2018 06:48 AM
1 Kudo
‎07-16-2018 06:48 AM
1 Kudo
@MarioMarquez wrote:   I am assuming that if traffic hits a virtual router & there are multiple routes to the same destination address the Palo Alto will first prefer the route with the most specific destination prefix (longest prefix match) and if the prefix's are the same for all routes the Palo Alto will prefer the route with the lowest Administrative Distance & if the Admin Distance is the same for the for all routes the Palo Alto will prefer the route with the lowest Metric.  Is this theory correct?   Correct   ... View more

Re: BGP filtering question

by in General Topics
‎01-09-2018 04:45 AM
‎01-09-2018 04:45 AM
Correct, but bear in mind BGP export filters are per-peer or peer group. What controls what passes from the OSPF RIB to the BGP RIB (LOC-RIB) is your redistribution profile.       ... View more

Re: OSPF and Cisco Routers

by in General Topics
‎01-08-2018 06:50 AM
1 Kudo
‎01-08-2018 06:50 AM
1 Kudo
Cisco TAC recommended adding an mtu ignore command on the core routers which brought everything online. This was bad advice. Tricking the devices into thinking their MTUs match can result in a DBD packet being sent that is too large for the recipient to process, leaving you stuck in exstart, as you have seen. You need to fix the MTU mismatch, not hide it.   ... View more

Re: Edge Firewall Design

by in General Topics
‎12-28-2017 06:46 AM
‎12-28-2017 06:46 AM
First off, ECMP does not require a dynamic routing protocol. You can do ECMP with static routes if you want (not that I'm recommending this, but it's an option).   Second, there is absolutely no reason you couldn't run an IGP between your firewall cluster and L3 switches. This is perfectly fine, and common in larger networks. If your switches are not stacked, this is your best option (if anything, I would personally avoid stacking core switches).   Third, depending on your firewall model, ECMP may not get you any benefit. If your firewall can only process 1Gb/s for example, there's little benefit in having two ECMP 1Gb/s downlinks. All you really care about in that scenario is redundancy.   ... View more

Re: Need to enable Multicast on Site to site IPsec Tunnel

by in General Topics
‎12-28-2017 06:27 AM
‎12-28-2017 06:27 AM
What have you tried so far? ... View more

Re: VPN Tunnels between two PA over an MPLS infrastructure

by in General Topics
‎10-31-2017 05:30 AM
1 Kudo
‎10-31-2017 05:30 AM
1 Kudo
With this config you are only controlling the outgoing interface of each PA. This will not affect the incoming interface on the other side (assuming both links connect to the same provider and MPLS cloud).   You will want to prepend your advertisements out the secondary links to make sure incoming traffic is not received on them. ... View more

Re: Routing protocol preference .

by in General Topics
‎09-07-2017 05:22 AM
1 Kudo
‎09-07-2017 05:22 AM
1 Kudo
Prepending only affects BGP decisions; you can't make a neighbour prefer an OSPF route over a BGP route by prepending. ... View more

Re: VPN FAILOVER

by in General Topics
‎08-31-2017 07:08 AM
‎08-31-2017 07:08 AM
Yes. ... View more
Register or Sign-in
Contact Me
Online Status
Offline
Date Last Visited
‎06-16-2021 11:15 AM
Latest Tags
No tags yet
LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks