This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

About mbehlok

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.
mbehlok
‎06-01-2016
since ‎01-20-2012
L0 Member
User Activity
User Profile
Latest posts by mbehlok
View All
User Badges
Community Statistics
Member Since ‎01-20-2012 12:00 PM
Date Last Visited ‎06-01-2016 09:59 PM
Posts 17
Total Likes Received 6

Re: CNSE Anyone?

by in General Topics
‎03-28-2012 12:51 PM
‎03-28-2012 12:51 PM
All, Unfortunately, registration ended on 3/23/2012..  Now you have to wait till 4.1 exam is released, or take the older 3.1 exam. ... View more

Re: CNSE Anyone?

by in General Topics
‎03-28-2012 12:26 PM
‎03-28-2012 12:26 PM
"I would add IPSec VPN & its troubleshooting, and Global Protect SSL VPN." Totally agree..  Global Protect was huge on the exam. ... View more

Re: CNSE Anyone?

by in General Topics
‎03-28-2012 12:25 PM
‎03-28-2012 12:25 PM
I contacted Paloalto Education / Certification and they told me that it will be a few weeks before we get any results. Basically they have to tally up the scores and then come out with the results. Test was pretty brutal, right?  216 questions and 4 hours.. ... View more

Re: CNSE Anyone?

by in General Topics
‎03-12-2012 10:41 PM
1 Kudo
‎03-12-2012 10:41 PM
1 Kudo
I took the CNSE 4.1 beta exam today.  It was brutal because it was a Beta exam.  216 questions in 4 hours.  These are the areas that were concentrated on: 1) Panorama - Know everything Panorama.  How to push policies, read logs, HA and Panorama ettc.. 2) A ton on NTLM , Captive Portal and authentication methods. 3) Know how to create Security policies and NAT policies 4) Logging was a big item on the exam. 5) Know how to pull a support dump file.  Log forwarding, start / end of log and what that means. Basically, you need alot of hands on with a Palo device.  and if you can get your hands on panorama, that will definitely help as well. Know about HA and how to manage HA devices in Panorama.. Hope this helps, if I think of any extras I will make sure to add.. Mark   ... View more

Re: Cannot get OSPF to work through a tunnel interface..

by in General Topics
‎02-29-2012 07:56 PM
‎02-29-2012 07:56 PM
I appologize for not updating.  I was able to resolve the issue.  I ended up having to build a new tunnel interface on the Juniper side in order for OSPF to establish.  for soem reaosn it seems to have been an issue with the Point to Multipoint tunnels that were setup on the Juniper. Once i created the new tunnel, OSPF came up right away and has been working perfectly for a few weeks now. ... View more

Re: PAN 500 - 4.1.2 - Bypass Mgmt Interface

by in General Topics
‎02-19-2012 09:24 PM
‎02-19-2012 09:24 PM
My WAN is also a DHCP client per my ISP (Home Lab). Why dont you just configure the MGMT interface with an IP on your LAN and then just plug the MGMT interface to your LAN segment? That would get you around the issue with the MGMT interface not initially having an IP, and the updates and stuff will still work fine.. Also, for any incoming NAT rules, I had to create an address entry with my current IP address on the WAN side, in order for the PA to forward traffic in to the internal servers.  Not ideal, but that is the only way to get it working right now until the WAN DHCP Client portion of the software is fully fixed.  If my IP changes, I have to go in to the Address Book entry and modify it with the newly acquired IP address. Works perfectly on my PA-500.. My 2 cents.. Mark ... View more

Re: Captive Portal Persistence

by in General Topics
‎02-13-2012 08:09 AM
1 Kudo
‎02-13-2012 08:09 AM
1 Kudo
I have also used the timers within the PA.  I no have it set for 15 minutes of inactivity, but had it originally set to 12 hours and that seemed to work well. Running PA- 4.1.2 BTW ... View more

Re: Certificate Error in Global Protect Portal

by in General Topics
‎02-02-2012 08:03 AM
‎02-02-2012 08:03 AM
Thanks for the update Jambulo. I was actually able to get it to work by using the PA as the CA server. I did have to upload the CA Cert and the Client certs to my client though in order for the client to connect, before that I kept getting cert errors. I am on 4.1.2 PanOS and GP 1.1.2. Glad you got it working though. ... View more

Cannot get OSPF to work through a tunnel interface..

by in General Topics
‎02-01-2012 09:00 PM
‎02-01-2012 09:00 PM
Hello, I have been working on my PA-500 trying to get OSPF to work through an IPSEC site to site VPN. I cannot get OSPF to complete.  Looking at the status, I see LSAs sent, but none received. I verified that the other end is configured exactly the same, and even matched them to what I had in my old firewall that I just pulled out. Any help appreciated, Do I need to enable OSPF on the interfaces somehow, like the Host inbound traffic command that Juniper uses on the SRX?  It almost seems that something is blocking the LSAs from coming back from the far end, but I dunno because i have not done alot with OSPF. Here are some commands that I ran in the CLI: admin@PA-500> show routing protocol ospf summary   ==========   router id:                     192.168.254.254   virtual router:                Default_VR   reject default route:          reject   redist default route:          block   RFC1583 behavior:              no   area border router:            no   AS border router:              yes   LS type 5 count:               1   LS type 11 count:              0   LS sent count:                 203   LS recv count:                 0     area id:                     0.0.0.0       interface:                 172.16.254.3       interface:                 192.168.254.254       dynamic neighbors:        admin@PA-500> show routing protocol ospf interface   ==========   virtual router:                Default_VR   interface name:                tunnel.1   interface address:             172.16.254.3   interface type:                p2p   passive:                       no   area id:                       0.0.0.0   router priority:               1   status:                        p2p   transit delay:                 1   retry interval:                8   hello interval:                10   dead interval:                 40   IP of DR:                      0.0.0.0   IP of Backup DR:               0.0.0.0   LSA count:                     0   LSA refresh interval:          1800   auth type:                     none   interface metric:              100   ==========   virtual router:                Default_VR   interface name:                vlan.1   interface address:             192.168.254.254   interface type:                p2p   passive:                       yes   area id:                       0.0.0.0   router priority:               1   status:                        p2p   transit delay:                 1   retry interval:                8   hello interval:                10   dead interval:                 40   IP of DR:                      0.0.0.0   IP of Backup DR:               0.0.0.0   LSA count:                     0   LSA refresh interval:          1800   auth type:                     none   interface metric:              10 admin@PA-500> show routing protocol ospf dumplsdb   VIRTUAL ROUTER: Default_VR (id 3)   ========== VR  Area ID         Orig RTR ID     LS ID              LSA Type             Seq Number CheckSum   Age   3   0.0.0.0         192.168.254.254 192.168.254.254    type-1 (Router)      0x8000005F 0x00004D71 869               Options: [External]             Router LSA Options: [ASBR]               Stub Network: 172.16.254.3 Netmask 255.255.255.192, tos 0, metric: 100               Stub Network: 192.168.254.254 Netmask 255.255.255.0, tos 0, metric: 10 3                   192.168.254.254 192.168.254.0/24   type-5 (External)    0x8000002E 0x0000E2F2 869               Options: [External]             Mask 255.255.255.0, type 2, tos 0 metric: 255, forward 0.0.0.0, tag 0.0.0.0 admin@PA-500> show routing protocol ospf area   ==========   virtual router:                Default_VR   area id:                       0.0.0.0   range:   Normal Area   accept summary:                yes   rounds of SPF calc:            3   area border routers:           0   AS border routers:             1   NSSA translator role:          candidate   NSSA translate status:         disabled   transit capability:            no   LSA refresh interval:          1800   LSA count:                     1   LSA count (type 1):            1   LSA count (type 2):            0   LSA count (type 3):            0   LSA count (type 4):            0   LSA count (type 7):            0   LSA count (type 10):           0 ... View more

Re: Certificate Error in Global Protect Portal

by in General Topics
‎02-01-2012 08:09 PM
‎02-01-2012 08:09 PM
Ovan, I actually got it to work, and it seems to work very well, at least once I got the certificates to work. What can I do to help?  I can post up part of the configuration if that will help, or even some screen shots of the GUI. Or if you want, get me access to the firewall if its in a lab environment and I can see if I can help out. my direct email is mbehlok (at) sslmeetings.com BTW, GP 1.1.2 is out, give that client a try as well as it seems to work better for me. ... View more

Re: Close Global Protect

by in General Topics
‎01-31-2012 10:27 PM
1 Kudo
‎01-31-2012 10:27 PM
1 Kudo
Release notes for GP 1.1.2 seem to address the saved password and reconnect after hibernation issues. Have not tested yet, but will tomorrow, just wanted to put this out there.. From Release Notes: •35430 – When the GlobalProtect portal "Agent" settings "User can save password" and "Use single sign-on" are both disabled, the GlobalProtect client is still caching the login credentials and the "remember me" option is available on the client. • 35234 – GlobalProtect is not re-establishing a VPN connection after the host computer comes out of hibernate or sleep mode ... View more

Re: Certificate Error in Global Protect Portal

by in General Topics
‎01-31-2012 09:09 PM
1 Kudo
‎01-31-2012 09:09 PM
1 Kudo
Did you import the CA and the client cert to your browser? I had that issue as well but importing "Installing" the CA and client certs to my browser fixed that issue. Hope that helps. ... View more

Re: Any way to cange the MAC Address on the Untrust interface in PanOS 4.1.2?

by in General Topics
‎01-26-2012 10:40 PM
‎01-26-2012 10:40 PM
Thanks all.  I will submit the request to my SE. I deal with alot of customers that have many branches, sometimes in the hundreds.  Some of them having to have a DHCP internet conenction with the provider configuring a DHCP reservation so that the customer always receives the same IP address for VPN connectivity. Having this as a feature I believe will be very helpful is some of these unique situations. In my case, its not as big of a deal as is it only my lab at home affected and easily fixed. ... View more

Re: Any way to cange the MAC Address on the Untrust interface in PanOS 4.1.2?

by in General Topics
‎01-26-2012 03:51 PM
1 Kudo
‎01-26-2012 03:51 PM
1 Kudo
jdelio, Ok, answer me this.  Why can I change the physical MAC address on almost any other firewall / router?  Even on a $30 Linksys router, I have the ability to change the MAC address of the External Interface. Heres a snippet of the config from my old Juniper SRX Firewall where I WAS able to change the MAC when replacing the firewall for another for testing. fe-0/0/7 { enable; mac b0:c6:9a:39:ba:00; unit 0 { family inet { mtu 1500; dhcp; By doing this, I was able to maintain the same IP Address even though I changed the physical firewall because I was able to spoof the MAC address of the old router. I mean this has been available on other router / firewall for many years.  Just does not make any sense that this would have to be a feature request on a much more powerful, feature rich next gen firewall. I highly doubt this is a hardware limitation. i will have my SE send in the feature request to see what can be done, if anything. ... View more

Re: NAT Translation to web server in 4.1.2 when WAN in DHCP Client

by in General Topics
‎01-24-2012 04:51 PM
‎01-24-2012 04:51 PM
Thanks for the reply, I appreciate it. I come from the Juniper world.  On the SRX, if you are using DHCP on the WAN conenction, you basically specify the Destination-Address as 0.0.0.0/0 and it will use whatever ip address is assigned to teh WAN interface via DHCP. Heres a snippet of my original Juniper SRX config (Which has been replaced by the PA-500) Example of Destination NAT rule: rule-set Incoming {      from zone untrust;           rule RDP_3389 {                match {                     destination-address 0.0.0.0/0;                     destination-port 3389; Example of Security policy to allow RDP traffic in: policy rdp-in-vmutils01 {      match {           source-address any;           destination-address vmutils01;      application RDP3389; }           then {                allow;                log {                     session-init;                     session-close; In this scenario, even if the wan ip changes, all destination NATs will still function provided I have Dynamic DNS configured correctly on my end. Thanks again.  Is there any way to add that as a feature request?  and if so, whats the procedure? ... View more
Register or Sign-in
Contact Me
Online Status
Offline
Date Last Visited
‎06-01-2016 09:59 PM
Latest Tags
No tags yet
LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks