About darren_g

Hi folks.   I need to configure a L3 iterface with a trunked conenction to my core switching infrastructure - twos eperate VLAN's on the one physical interface which MUST be seprate VLAN's, security zones and IP ranges.   I can't figure out if I'm mking this work right - I add sub interfaces tot he physical interface configuration, and they are tagged - but the main interface isn't.   Do I need to create VLAN's to match the sub-interface definitions? VLAN INterfaces? Or does the act of creating the sub interface get it working?   I'm quite confused over this one.   Thanks. ... View more

Hi folks/.   I have a situaiton that is doing my head in, and I need some help.   I have an installation which looks like this   "A" end - Palo Alto Active/Passive cluster, public IP for IPSec VPN termination   "B" End - Juniper SRX cluster, Active/Active with TWO IP addresses (separate links) for IPSec VPN initiation   I have configured two tunnels from the SRX to the Palo Alto - different tunnel interfaces, different IPsec tunnel and IKe configurations - and they come up just fine (after some fine tuning).   Where I'm running into trouble is getting routing to work.   I've added a static route for the remote subnet into the virtual router pointing to the main tunnel, and a second one pointing to the secondary tunnel with a higher metric (administratifve distance), but for some reason if the primary tunnel drops (there are issues with re-keying I'm working on with the Juniper side), the routing does not switch to the secondary.   Can I configure the routing on the Palo Alto so that it checks for the other end - even if the tunnel is up - and fails to the second route if it gets no reply across the primary tunnel?   I am scratching my head here - for the life of me, I can't make these things match up on both ends - so I'm looking for help on the Palo Alto end here to see what I can do to try and improve things.   Thanks for anything you guys can point to. ... View more

Folks.   I'm trying to generate a CSR for a new security certificate for one of my firewalls.   I can generate the CSR just fine. it shows int he certificate list as "pending". Which is what I expect.   What I can't do it export the CSR. I select it, click "export" from the action options, and the screen just blanks for a few seconds and goes back to where I started.   This happens if the config holding the pending certificate is committed or not.   Has anyone seen this and know how the heck I can get the CSR out of the box to give to the CA for certificate generation?   Box is a 3020 running 7.1.17   Thanks to anyone who can help ... View more

HI.   We run global protect for a reasonable number of remote users on our PA3050's without much in the way of issues.   One thing which pops up, though, is that our Virus management server (McAfee) gets hugely confused about which machines are on which IP address.   We've done a little digging, and it apepars to be related to te fact that all machines conencting via global protect appear to get the same virtual MAC address for the tunnel interface - and this reports to the virus server.   Which means, of course, every time someone establishes a new VPN connection the virus server gets a new hostname assigned to the MAC address - which is normally wrong.   Does anyone know if there is any way I can force each new connection on GP to get a unique virtual MAC on the tunnel interface on the local PC?   If so, how? I've had a poke around and I can't seem to find any way to do it.   Thanks ... View more