This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
Buy or Renew
Buy or Renew

About darren_g

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
darren_g
‎06-24-2025
since ‎09-16-2012
L4 Transporter
User Activity
User Profile
Latest posts by darren_g
View All
User Badges
Community Statistics
Member Since ‎09-16-2012 09:05 PM
Date Last Visited ‎06-24-2025 04:02 PM
Posts 287
Total Likes Received 57

Re: Strange system error messages

by in General Topics
‎07-26-2017 10:01 PM
‎07-26-2017 10:01 PM
@TranceforLife wrote: I would strongly advise you to get the devices upgraded as you are on EOL release:   https://www.paloaltonetworks.com/services/support/end-of-life-announcements/end-of-life-summary I did an upgrade to 6.1 today.   And my fears were correct - it broke things.   Luckily, they were easy to fix things, but now I know why I was holding off on upgrading.   Oh well. I'll wait a while until I go to V7, methinks. ... View more

Re: Strange system error messages

by in General Topics
‎07-25-2017 04:56 PM
‎07-25-2017 04:56 PM
Thanks - I'll continue to ignore it for now. It doesn't appear to be breaking anything anwyay.   Yes, the upgrade process is fairly easy and can actually be done without any downtime. However, be very careful of the behavior changes. It's a big leap from 6.0 to 7.1. Check through all the tech-docs about behavior changes, what's new, new features, upgrade/downgrade considerations, etc.     That's the main reason I haven't upgraded yet - I have other PAN devices running later versions, but this is my main production cluster, and has many, many more policies and features enabled - and I don't have time to validate the upgrade and check if anything will break.   I might bump it to 6.1 in the near future and let that run a while before going to 7.   Thanks again.     ... View more

Strange system error messages

by in General Topics
‎07-19-2017 08:27 PM
‎07-19-2017 08:27 PM
Folks.   I have a pair of 3050's in a HA cluster, and recently I'ver been noticing some weird messages ont he system log on the primary.   I happened to log into the secondary the other day, and say a heap more.   has anyone seen messages like the following   Failed to upload the new HA URL file to RAM. Failed to upload the old URL file to RAM,Starting with an empty file. Received callback from peer for completion of handle url_sync; file /opt/pancfg/opt/pan/content/pan/panurldb.bin.ha.   The corresponding error on the active reads   Failed to sync PAN-DB to Peer: Peer user failure   Are these something I should worry about? I shoulod note that this pair is running qutie an old software version - getting a time to upgrade is not easy - they're currently on 6.0.15   Thanks for any pointers. ... View more

Re: NAT configuration - DMZ zone to Trust zone

by in General Topics
‎06-08-2017 08:12 PM
‎06-08-2017 08:12 PM
Thank you Sir, you are a legend.   I was applying the inbound security rule on the wrong zone, and everything was failing.   Now it's not.   Appreciate your assistance. ... View more

NAT configuration - DMZ zone to Trust zone

by in General Topics
‎06-08-2017 05:24 PM
‎06-08-2017 05:24 PM
I've had a total brain fade, and am unable to figure this out. Hoping you guys can help.   Network topology is relatively simple. Firewall has three zones - outside, inside and DMZ - DMZ has a /25 of "real" Internet addresses on it. Outside has a /30, also of "real" address, and most traffic from inside is translated to the interface address of the outside zone. Inside if RFC1918 IPv4 addressing with multiple static routes to upstream networks.   I need to NAT an IP address which is in our public space in our DMZ zone - call the address 1.1.1.123/32 - to a host which is inside my network - call it 10.10.10.10/32 - on a one-to-one basis - no port translations, nothing. BI-directional NAT - any packet coming in to 1.1.1.123 goes to 10.10.10.10, and any packet going OUT from 10.10.10.10 appears to be from 1.1.1.123 as far as the Internet is concerned.   Thing is, I don't know if I can do this.   I've put in two NAT rules - one translating anything going to 1.1.1.123 to 10.10.10.10, and one translating anything from 10.10.10.10 to 1.1.1.123 - but it's not working.   I don't know if I'm screwing up the security policies related, or if what I'm asking can't be done.   So, questions for guys who have done more NAT than I have   1. Is the NAT policy I want even possible? 2. Is the methodoligy I've described right? 3. What IP address/interface should I be applying security policies (inbound and outbound) on? The translated address? The untranslated address? Both?   Can anyone shed some light for me, please? I'm scratching my head here.   Thanks ... View more

Re: Restricting VPN access to internal services on per-user basis

by in General Topics
‎12-12-2016 06:48 PM
‎12-12-2016 06:48 PM
@santonic wrote: Source zone would be the zone which you assigned to tunnel interface for GP users. You can also check logs and see ehich zone is assigned to GP users.     Thanks - looks like I'm out of luck - because the source zone and destination zone are the same. I might have to fiddle with moving the server into a different zone maybe.   No, scratch that - I'm an idiot.   I put in a rule to allow traffic to the given server - but forgot to put in one to deny everything else! ... View more

Re: Restricting VPN access to internal services on per-user basis

by in General Topics
‎12-11-2016 06:13 PM
‎12-11-2016 06:13 PM
@baudy wrote: Hi,   In addition to specifying users or groups in your security rules, you could configure different IP address pools for different types of users (if you have PanOS 7.0+). This way, your staff can configure their servers or other equipment to let VPN connections coming from the staff pool, and not from the support organisation address pool.   Benjamin   hi.   Haven't upgraded to PanOS 7 yet, so this one's not going to work.   Thanks for suggesting, though. ... View more

Re: Restricting VPN access to internal services on per-user basis

by in General Topics
‎12-11-2016 06:12 PM
‎12-11-2016 06:12 PM
@BPry wrote: The security policy with a specified source user would work perfectly fine, just make sure that you have the source zone setup correctly then setup the rule to only allow access to the machines and the ports that they would need access to.    hi.   OK, so the source zone would be the zone the VPN terminates on (outside zone), or the one it spits out into?   I'm figuring the former, but I could be shooting in the dark.   thanks ... View more

Restricting VPN access to internal services on per-user basis

by in General Topics
‎12-07-2016 02:26 PM
1 Kudo
‎12-07-2016 02:26 PM
1 Kudo
Folks.   I have a normal Global protect portal for internal staff which works fine.   I now have been asked to provide access for a support organisation which is not staff - not employed by our company - but which needs access to certain devices inside our network.   Does anyone know if there is any way I can restrict what they access via Global Protect? Would a security policy rule on source user work, or is there some other way?   Thanks.     ... View more

Warning on commit new config - anyone recognise the cause?

by in General Topics
‎10-09-2016 03:53 PM
‎10-09-2016 03:53 PM
Folks.   I made a rule change this morning - first one in a while (fairly static environment of late) - and when committing, got the following warning   Error: Invalid id 6 for os WindowsUWP.(Module: useridd)   Anyone recognise this/know the cause/know what I need to do to fix it?   Cheers ... View more

Re: Dual Factor Authenticatin for Global Protect - possible?

by in General Topics
‎09-13-2016 05:25 PM
‎09-13-2016 05:25 PM
@bgmncwj wrote: We've been using Duo two factor along with requiring client certs on machines with a lot of success. This allows us to use two factor and ensure that we only have company approved equipment connect to the VPN.   We have the gateway set to use the Duo radius server (https://duo.com/docs/authproxy_reference) for authentication, which then verifes against AD and sends a push request to the users device to confirm authentication along with having a certificate profile setup to verify that a company issued AD cert is installed.   On the portal side we just have it verifying against AD directly with no certificate profile. That seems to be the best blend so users don't get requested to authenticate with two factor for config updates, just to actually log in.   That looks like it might be a workable solution - and has specific guides for PAN setup - I'll give it a closer look - thanks for the pointer. ... View more

Re: Dual Factor Authenticatin for Global Protect - possible?

by in General Topics
‎09-13-2016 05:22 PM
‎09-13-2016 05:22 PM
@reaper wrote: have you checked out this article: GlobalProtect Dual Factor Authentication with Client Certificate for Windows   Yes, I have - but that's not really dual factor authentication in the context I'm using.   Compromise a user account and steal a laptop/PC with the certificate already installed - and you're in.   With an RSA os similar, you can steal the laptop, you can compromise the account, you can steal the token - but unless you're torturing the token owner for their PIN, you're not going to get in regardless of having the token. ... View more

Dual Factor Authenticatin for Global Protect - possible?

by in General Topics
‎09-12-2016 09:09 PM
‎09-12-2016 09:09 PM
Folks.   Does anyone know if it's possible to integrate dual-factor authentication (SecureID or similar) into Global protect authentication?   Our business is requiring more and more rigid access control for VPN access (among other things), and I need to look into getting some form of 2FA integrated into our VPN sign on in the short to medium term.   Is this possible? Any pointers to guides anywhere?   Thanks ... View more

Re: App and Threat content update release 609 MIA?

by in General Topics
‎08-31-2016 03:39 PM
‎08-31-2016 03:39 PM
@googol wrote: It is because it is another massive failure of an update and they had to yank it due to issues it caused...   Need some QC/QA here.   Thanks. Suspected as much - yet again, my biggest bitch with PA rears its ugly head - their Quality control simply *sucks*. ... View more

Re: Connecting L3 Port of Palo Alto to the Switch

by in General Topics
‎08-31-2016 03:37 PM
‎08-31-2016 03:37 PM
@harmander wrote: Hi there,   On Palo Alto I have configured L3 interface and assgined ip address to it. I would like to connect this interface to the switch. The switch has an SVI configured with the port in the same vlan as the SVI. Can I connect the Palo Alto interface to the switch port which is configured with a vlan or do I need to make the switch port as a routing port.   Thanks Guys   I do exactly that on my core switches to allow for the HA configuration.   Firewall is configured with an L3 interface, switch cluster is configured with an RVI (Juniper speak, not Cisco), each port for the firewall is a simple access port in the associated VLAN for the RVI. I just post routes to the RVI address.   That way, it doesn't matter which firewall is active at the time - both are connected into the same routes, and an ARP flood when HA failover occurs means I rarely even lose a packet in the event of a HA event. ... View more
Register or Sign-in
Contact Me
Online Status
Offline
Date Last Visited
‎06-24-2025 04:02 PM
Likes Given To
LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2025 - Palo Alto Networks