About tshiv

Hello hshah, Your understanding is not correct. Flow basic clearly shows that If the action associated with the policy is "deny", we won't even install the session for inspection to happen. We just record a discard log saying that the traffic is dropped. Hope this helps. Thanks ... View more

Hello saeed, I am not sure if you have checked this setting or not but, just want to put it out there. Under active/passive settings, there is something called as "Monitor hold down time". It is the length of time (minutes) that a firewall will spend in the non-functional state before becoming passive or active (depends on the priority). This timer is used only when the failure reason is a link or path monitor failure. By default it is set to 1 min. The range is from 1 to 60 min. There might be a possibility that you might have configured it to hold the non functional state for more then 1 min. Hope this helps. Thanks ... View more

You can also check to see if the LDAP authentication profile being used has attribute "sAMAccountName" configured. Sometimes failing to configure the attribute in the LDAP authentication profile can also lead to the error message you have seen. Thanks ... View more

I do agree that this lead to duplicate address objects but bi-directional NAT policy is a static NAT i.e 1-to-1 mapping. Hence the need to specify /32 address. This is expected. You would be better off referencing the ip-address itself to avoid duplicate address objects. Hope this helps. Thanks ... View more

It is well known fact among all the customers that PA-2000's are not well equipped on the management plane. - First step is to identify if there are unnecessary jobs carried out by the management plane which can be verified with support by opening up a support case. - If the management plane of the device is still being maxed out with all the necessary configuration and settings in place, then it is better to upgrade the hardware. PA-3000's are very well equipped on the management plane. They have much faster commit times and presents minimal management plane issues. You can also take help from your Account manager/ Sales Engineer in this case. Thanks ... View more

Just wanted to share this link with you. It says that for IEC 320 C13 connector, the acceptable input voltage is 90-250V. Hoe this helps. http://www.apc.com/resource/include/techspec_index.cfm?base_sku=ap9870 ... View more

If the PA firewall is just a pass through device for site-to-site VPN traffic, then we cannot subject it to threat scanning. But in your case since we are the end points for tunnel traffic, you can skip threat scanning by not configuring security profiles and attaching them to the security rules that allow inbound and outbound encrypted traffic over the tunnel. It is as simple as that. I am not sure about your question on filtering though. Can you elaborate please? Thanks ... View more

The behavior is quite odd. Usually, if there is application shift i.e application is first identified as web-browsing and later after the firewall has seen more packets, the same traffic gets identified as oracle, it should trigger a second policy look-up. Clearly this is not happening. If the issue is still persisting, i would suggest opening up a ticket with support. ... View more

I have also seen the above authentication failure messages in case of ldap authentication due to mis-configuration. Most common one is that "sAMAccountName" attribute missing from the authentication profile. See below for details: ... View more

You might look into using XML API to achieve what you are trying to do here. Following document might be helpful: Sample API workflow for Dynamic Address Objects Thanks ... View more

Observing incomplete sessions could mean that the tcp handhshake did not go through or there was no data packets received after the tcp handshake completed. As HULK mentioned, session info will give us more idea. I am speculating that you might be running into asymmetric routing wherein SYN goes out through one interface of PA but the response with SYN-ACK is being received on a different interface. By default, PA drops packets in case of asymmetric routing. You can check using counters to see if that is the case. The command is : > show counter global filter delta yes   =====>>> run this command about 4-5 times at the time of passing traffic. you should see "tcp-non-syn-reject" counter increment Hope this helps. Thanks ... View more

Hello alpana,   Your description of the issue is not clear. I am assuming this is an active-active setup because you mentioned HA-3 link. HA-3 link would only be used if session setup load sharing option decides that the peer device is responsible for session setup. If it the load sharing option decides that the session setup has to be done on the local firewall, then no data is transmitted through HA-3 link to the peer device. There are important bits and pieces of information missing in your description of the issue. I would suggest you to open a ticket with Support and have the behavior investigated. Thanks ... View more

Hello mr.linus,   The dhcpd daemon can only be restarted from the root of the firewall. There is no command from the command line interface that can be used to directly restart the dhcpd daemon. As a workaround, management server process can be restarted. The command is : > debug software restart management-server Thanks ... View more

Hello infotech,     Can you try clearing the specific ike-sa and ipsec-sa. Use the commands below : - clear vpn ike-sa gateway <name> - clear vpn ipsec-sa tunnel <name> Then try and clear the specific vpn flow by using the command: - clear vpn flow name <flow name> Clear the ipsec-esp sessions on the firewall as well using the command: - clear session all filter protocol 50 (or) clear session all filter application ipsec-esp Note that above command will clear all the IPsec flows. If there are other tunnels configured, they will be affected as well. You can clear the specific ipsec-esp session by browsing through the options you have in clear session all command from CLI. Once above steps have been carried out, you can try and force the re-negotiations using the commands below : - test vpn ike-sa gateway <name> - test vpn ipsec-sa tunnel <name> If the above steps do not work, then I would suggest building the config from scratch. I would also like to suggest not configuring the lifesize on both the gateways. Thanks ... View more