This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

About EdwinD

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Content translations are temporarily unavailable due to site maintenance. We apologize for any inconvenience. Visit our blog to learn more.

EdwinD
‎05-18-2018
since ‎01-23-2012
L3 Networker
User Activity
User Profile
Latest posts by EdwinD
View All
User Badges
Community Statistics
Member Since ‎01-23-2012 11:53 AM
Date Last Visited ‎05-18-2018 05:20 PM
Posts 65
Total Likes Received 8

Can AD User Agent 5.0.0-22 be used with PanOS 4.1.x?

by in General Topics
‎11-07-2012 03:29 PM
‎11-07-2012 03:29 PM
I have a large number of AD servers at remote locations all running AD User Agent 4.1.6-5.   I do have problems with PanOS 4.1.7 talking to this user agent; it forgets who is signed onto a PC. Can I install User Agent 5.0.0-22 on my AD servers and expect my 4.1.7 - 4.1.9 PanOS firewalls to talk to this new user agent, as well as function properly? ... View more

Re: 4.1.7 Problem with Domain Users enumeration persists.

by in General Topics
‎10-29-2012 12:51 PM
‎10-29-2012 12:51 PM
Support did resolve the issue.  Apparently there are multiple ways to setup the domain, and one way works better than the other.  Basically, create only one LDAP mapping per domain, and then import all the groups you desire through the single mapping.  Do not create a single mapping per LDAP group. ... View more

Outbound NAT pool question

by in General Topics
‎10-15-2012 08:59 AM
‎10-15-2012 08:59 AM
For reasons I will not go into here, I want to take outbound traffic from secure to unsecure and convert it from a many to 1 NAT rule to a many to many NAT rule.   I have 1024 public IP addresses.  I want to take a section of my network and provide around 1000 devices with a NAT pool of around 254 addresses.   Is this possible?   I've tried this with other firewall vendors and have run into bugs. I found this in the admin guide. Dynamic IP—For outbound traffic. Private source addresses translate to the next available address in the specified address range. Dynamic IP NAT policies allow you to specify a single IP address, an IP range, or a subnet as the translation address pool. If the source address pool is larger than the translated address pool, new IP addresses seeking translation will be blocked while the translated address pool is fully utilized. And I found this document: which leads me to believe that the over subscription issue applies to Dynamic-IP, but not to Dynamic-IP-and-Port. Can I oversubscribe Dynamic-IP-and-Port without running into the blocking issue? ... View more

Re: Allow Vimeo From Specific Website

by in General Topics
‎10-09-2012 02:31 PM
‎10-09-2012 02:31 PM
I understand you have an answer you like.  As this post comes up when searching for Vimeo and YouTube, and for the sake of completeness in the forums, I'd like to point out that allowing player.vimeo.com allows Vimeo on just about any other website embedding Vimeo.   While this may be fine for what you are doing, it may not be the result others are after. I am attempting to block Vimeo by use of blocking the URL category streaming media on my own network, while using Vimeo to stream videos from my own website.  I do not have the "application" blocked, just the URL category. To accomplish this, I created a custom URL category whitelist and added these to the whitelist; player.vimeo.com/log/ player.vimeo.com/crossdomain.xml av.vimeo.com/crossdomain.xml player.vimeo.com/play_redirect Specific video embeds in this category whitelist; player.vimeo.com/video/50993603 player.vimeo.com/video/51007252 player.vimeo.com/video/51007253 Specific videos in this category whitelist; av.vimeo.com/31334/214/121592329.mp4 av.vimeo.com/61936/541/121558466.mp4 av.vimeo.com/61936/541/121558411.mp4 This is working to my desired effect. This also works for YouTube; This is my whitelist; *.youtube.com/crossdomain.xml *.youtube.com/embed/B4bPp7AjpIc *.youtube.com/get_video_info *.youtube.com/player_204 *.youtube.com/ptracking *.youtube.com/ptracking?ptk= youtube_none&pltype=content&pl id=AATGtFZcMl6pi-dt&video_id=q T1QXR6QMsE *.youtube.com/user/NewPrimeInc *.youtube.com/videoplayback *.youtube.com/watch?v=B4bPp7AjpIc *.youtube.com/watch?v=SmPhaLrmbc4 www.youtube.com/v/4AFGR7d4yLA While these examples specify my videos, you would need to figure out your own video GUIDs/identifiers and add them.   The YouTube example has been working for me for years with minor additions over the years.  The Vimeo whitelist is new to me. ... View more

Re: 4.1.7 inspection causes corrupt download and speed issues

by in General Topics
‎10-04-2012 07:34 AM
‎10-04-2012 07:34 AM
Thank you.   We have other bugs for which I need to upgrade to 4.1.8.   I just am waiting for 4.1.8 to be out long enough that any major issues become known in the forums. ... View more

4.1.7 inspection causes corrupt download and speed issues

by in General Topics
‎10-03-2012 10:28 AM
‎10-03-2012 10:28 AM
I have two 2050's in an HA pair A/P on 4.1.7.    I have a BGP setup with 100Mbps on one link and 250Mbps on another, and Gb to the LAN and DMZ.  I have transferred just over 3G through the PA in the last 60 minutes. When I turn on inspection (Antivirus, IPS/IDS, Data Filtering, File forwarding) I see corruption in downloads.   For example, when downloading Java or the latest Antivirus Pattern file updates I may just get 20-30% of it.   The second download attempt is usually fine.   This is hit or miss, but it happens often enough to be a problem.   I see "active" (vs PASV) FTP connections that break in the middle of downloading many small files.   This problem has existed for the 10 months that I have had this device, including all the OS upgrades I have made use of. If I create a security rule for a person having problems, specify their source IP and no inspection, then these problems do not occur. I use to have an eSafe Web Security Gateway which did these same types of content inspection.  This problem is very reminiscent of having antivirus inspection enabled on that device.  The eSafe gateway had many destination IP addresses as exclusions due to this.  I no longer have that device. Is this a known issue with PanOS, is this just how it works (as it was with eSafe), or am I just under powered?   ... View more
Labels:

Re: Panorama 4.1.8 LDAP Failure

by in General Topics
‎09-25-2012 12:31 PM
‎09-25-2012 12:31 PM
This is specifically LDAP authentication into the administrative website of the Palo Alto *only*, correct? I am having other issues in 4.1.7 that I really need resolved and are known fixes in 4.1.8.    I use LDAP for user based rules, however my admin users are all locally defined to the PAs.    Thanks. ... View more

Re: 4.1.5 and 4.1.7 Upgrades (Including hotfix 2)

by in General Topics
‎09-25-2012 12:07 PM
‎09-25-2012 12:07 PM
Add me to the list.   GUI/CLI and the serial console all quit working.   I can authenticate at the serial console, but that's it.   Requires a hard reboot to get things working again.  4.1.7 2050's in an active/passive pair. ... View more

How to create executive report by LDAP user group?

by in General Topics
‎09-07-2012 08:49 AM
‎09-07-2012 08:49 AM
I have moved from a dedicated URL filter to the Palo Alto with the URL Filter add on.  I now need to figure out how to create executive reports based on LDAP groups. I have LDAP groups such as Sales, Marketing, Accounting.   I need to deliever a weekly report to managers which could allow them to see if they have any obvious abuses within their department. My previous filter had such a report and I could schedule to run weekly based on AD LDAP group. I already have LDAP intigration in place, though these specific groups are not yet included in my import.   I already have the IP to user agent working.   I have found individual user reports, and I have found the PDF Summary Reports. I just can't figure out how to create an executive summary based on LDAP group.  Can anyone point me to this? ... View more

Re: 4.1.7 LDAP lookup unstable

by in General Topics
‎09-06-2012 02:51 PM
‎09-06-2012 02:51 PM
I opened a case which got escalated. Issue #1)  Under Group Mapping Settings, I had a seperate mapping for each active directory group I wanted to use on my PA 2050.  I have a single forest/AD.   Support recommended having a single group mapping setting which included all of my active directory groups that I wanted to use within my Palo Alto rules. Issue #2) Under Server Profiles / LDAP we modified the settings to use port 389 instead of the GC port 3268.   We modified the Bind DN from user@domain.com to CN=user,OU=grouping,OU=container,DC=domain,DC=com   (That's not my actual user or domain.)   Support states this works better. Issue #3)  The command show user user-IDs | match joe  is not showing all of joe's group membership as this is filtering out lines with joe.  The group membership list includes lines that do not have joe in the line.  So I was using the command incorrectly.  The proper command is show user user-IDs match-user joe Considering I didn't have the LDAP instability for a few weeks, and then it poped up it's ugly head, only time will tell for certain if these are the fixes. ... View more

Re: Negate please

by in General Topics
‎09-06-2012 02:41 PM
‎09-06-2012 02:41 PM
To be honost, I'm not sure how to do this.  I have Palo Alto Networks support through a 3rd party.  Is there a formal feature request document, or do I just pass it on through my 3rd party support? Thank you. ... View more

4.1.7 LDAP lookup unstable

by in General Topics
‎09-05-2012 04:23 PM
‎09-05-2012 04:23 PM
I have three active directory servers configured within the LDAP settings of my Palo Alto.  I have tried using both 389 and the GC port of 3268 as per this doc: https://live.paloaltonetworks.com/docs/DOC-3120 I have two 2050's in an active/passive pair.  I have AD IP agents on each DC and the PAs are set to query them. The problem is that while I can see the users in my traffic logs, they are getting the wrong security policies applied to them.  The user to IP is working, it is the user to LDAP group which is not.   I am not using the user agents as LDAP group membership proxies. If I do show user user-IDs | match joe  I may get back the proper group, but I may only get back one of three groups the user is a member of.   I'm talking about 1 of 3 groups I've defined to the Palo Alto, not all Active Directory groups.   The results are very random.   If I run the same command on the second PA in the pair, I will often see different results.  I have ran the command  show user group-mapping state all   and while I did have some nested groups, I do not anymore.  Because I cannot negate user groups in a security policy, I have user groups which contain 1500+ users.   I have the maximum timeout value set to 30 seconds, which is the max I can set it to in 4.1.7.   Per the state all command, it is taking no more than 5 seconds to enumerate these groups. Can anyone please shed some light on what's going on, and how to fix this? ... View more

Re: Dropbox Signature Change?

by in General Topics
‎08-29-2012 03:03 PM
‎08-29-2012 03:03 PM
I believe this signature needs updated.   The current version of Dropbox failes to "establish secure connection" when decription is enabled, regardless of the fact that Palo Alto has an exclusion.     4.1.7, with all of the latest dynamic software signatures installed. I believe this might be because Dropbox is making use of the Amazon S3 network, which may have a different SSL certificate.  I am not certain that this is the issue, but it looks likely. ... View more

Negate please

by in General Topics
‎08-29-2012 02:00 PM
‎08-29-2012 02:00 PM
I am running PanOS 4.1.7, migrating from a Checkpoint R75 platform.   I have a lot of rules in place, but we are heavy into excpetions.  I keep running into situations that would be very easy to handle if I simply had the Negate option. For example, I have a rule that allows domain users out to specific web apps using my URL filtering, along with data filtering, and other policies in a single rule. I have around 20 of these rules based on AD user group. Below these rules, I block access to the Internet.  If someone fires up a non domain VMware guest and uses a bridged connection, they basically get no Internet access. At the top and then in the middle of these rules, I have application filters blocking apps such as proxy, DNS, video, audio, etc.   The location is based on which users can use these apps. The problem is I need to block things like http-audo and http-video, yet exclude specific sites from this blocking for everyone.  Life would be a lot easier if I could block using an application filter, while negating my URL custom category of "white listed sites."    Or if I could create a rule that blocks by application filter to all users while negating a specific AD user group. I know how to make this work with 4.1.7, I just really would love to see more Negate options in future releases. ... View more

The publisher could not be verified

by in General Topics
‎08-17-2012 02:48 PM
‎08-17-2012 02:48 PM
I noticed that when I download programs from the Internet with Decryption turned on, the downloaded file says "The publisher could not be verified", whereas if I grab the same file off a non-decrypted connection I do not get this same message. How do I resolve this? ... View more
Register or Sign-in
Contact Me
Online Status
Offline
Date Last Visited
‎05-18-2018 05:20 PM
Latest Tags
No tags yet
LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2025 - Palo Alto Networks