About kprakash

kprakash · ‎08-02-2013

Hi Panos, Did you check out this thread? https://live.paloaltonetworks.com/message/8076#8076 BR, Karthik

kprakash · ‎08-02-2013

I would suspect that either site did not rekey, to be the primary reason. Its not a mandatory setting for the rekeying timing to match on both the devices, but keeping the same value on both the devices, would force both the devices to rekey after the lifetime of the session keys have expired. Did you notice just the phase 1 going down, with the actual tunnel traffic still flowing (phase-2 being up and passing ESP traffic), or were both phase 1 and phase 2 down? If its the latter, then I would suspect the lost internet connectivity between them BR, Karthik

kprakash · ‎08-02-2013

Good Morning, There are couple of reasons for that: 1) The sites lost networks connectivity between them for a certain duration and during that time the ike and esp sessions timed out on the firewall 2) Either of the site did not rekey and hence after the session key became invalid, that the sites couldnt process the ike traffic. How long were the VPNs up and running prior to seeing this issue. Are both the devices PANFWs?

kprakash · ‎08-01-2013

You could create address objects for these IP addresses, and use these address objects under the NAT and the security rules,if you want to identify the users based on a string / identity. You also have an option of adding these IP addresses on the fly when creating the new rules. BR, Karthik

kprakash · ‎08-01-2013

Hi You can write a Destination NAT with the source IP address as the 10 IP adresses, the source zone as "untrust", the destination address with the public IP address of the ldap server, the destination zone as "untrust", service as 636 under the original packet section. Under the translated packet section, click on the check box of the "destination address translation" and give the private IP address of the ldap server. Write a corresponding security rule with the source IP address as these 10 IP addresses, the source zone as "untrust", the destination IP address as the "public IP address of the server", the destination zone as "trust ( or DMZ, where the server is located), application = LDAP, service =any, and action= allow. Best regards, Karthik

kprakash · ‎08-01-2013

Hi, Can you verify if the IP address that there is no overlapping subnet of your virtual adaptor from where you are connecting from and the IP address that is being assigned to you by the gateway? If so, you will still connect to the gateway,but will arp within the same network, that you are located and trying from, for the IPs that are behind the gateway. When you talk about other laptops connecting just fine, with the same username, could you uninstall and install the client on the machine that you are having difficulties connecting with? BR, Karthik RP

kprakash · ‎08-01-2013

No Mr.linus, that would break the concept of using a vwire. but I would recommend converting the vwire interfaces to layer 3 interfaces, unless there is a company norm for you to use vwire interfaces. Best regards, Karthik RP

kprakash · ‎08-01-2013

Hi Linus, I just verified that the DoS Protection profile doesnt support checking for Spoofed IPs. The firewall can detect an IP address as being spoofed, if it sees the packet on a different interface than the one for which it has learnt the route for. As there is no routing information per se on the vwire interfaces, the PANFW, ignores the route checks for the source and the destination IP addresses, and hence ignores the IP spoof check for these packets. BR, Karthik RP

kprakash · ‎08-01-2013

Hi Linus, As the vwire interfaces dont have an IP address, they wouldnt be subjected to IP spoofed attacks. But if you want to protect the servers behind the vwire interfaces, you can deploy a DoS Protection policy with a DoS protection profile, which includes protection for the IP spoof attacks as well. Best regards, Karthik

kprakash · ‎08-01-2013

Good Morning, We have a couple of avenues that you can check for assistance with custom signatures. You can post on the DevCenter (found on our support portal under communities - https://live.paloaltonetworks.com/community/devcenter) or you can request that an official signature be made through Applipedia (http://researchcenter.paloaltonetworks.com/submit-an-application/) Best regards, Karthik

kprakash · ‎07-29-2013

Good Morning Robert. We do not have a set of commands as such that we can use in order to connect to a service. Global Protect has the three features of on demand, user logon and pre logon, along with the single sign on feature. The client tries to connect to the portal and the gateway automatically. It uses an algorithm to locate the closet gateway, along with the most preferred one based on the gateway metric. We can also force the client to connect manually to a gateway. The closest thing that you can come upto is using the "on-demand" feature. You may want to talk to your SE to see if they can help you with writing a script for connecting to the gateways based on your requirements. BR, Karthik RP

kprakash · ‎07-29-2013

Good Morning Cheon, As of now, we can only fetch the ACC statistics for only one of the managed devices, or for the Panorama (based on logs from all the managed devices). We do not have an option of specifying a filter to fetch the ACC stats for a subset of devices, and that requires a feature request. Please contact your sales engineer who can raise the feature request on your behalf. BR, Karthik RP

kprakash · ‎07-29-2013

Thanks, If you have found the screenshots useful and if they helped you with resolving the problem, please mark my response as the "correct answer" for the benefit of other people having the same question. Thanks and best regards, Karthik

kprakash · ‎07-28-2013

Hi Panos, I hope you have had a chance to go through this thread: https://live.paloaltonetworks.com/message/30222#30222 Packets are subjected to QoS policing and scheduling only on the egress interface, which again requires to be a physical interface. You could still apply QoS for clear text traffic when sourced from a vlan interface, and its can e configured as mentioned on the above thread. BR, Karthik

kprakash · ‎07-28-2013

Hi Panos, Ensure that we use static aggregation instead of using aggregation protocols like PAGP, LACP or GLBP on the swithces. PANFW only supports static aggregation. BR, Karthik RP

Member Since	‎02-22-2012 01:19 PM
Date Last Visited	‎08-07-2025 08:55 AM
Posts	276
Total Likes Received	129

Online Status	Offline
Date Last Visited	‎08-07-2025 08:55 AM

About kprakash

Re: IPSec tunnel, delayed status update

Re: IPSec tunnel, delayed status update

Re: IPSec tunnel, delayed status update

Re: VPN with overlapping subnets

Re: Domain User Names not showing in Group-Mapping

Re: Can I create custom application with destination IP and TCP/UDP port?

Re: Domain User Names not showing in Group-Mapping

Re: about session offload

Re: about session offload

Re: Replay pcap

Re: DHCP server runs out of ip pool interface Error

Re: Shutting down/disabling subinterfaces

Re: Is it possible to group countries?

Re: Split internal and external DNS lookups

Re: link aggregation down

Re: In what partition is PANOS stored?

Re: export logdb for report

Re: full url address

Re: vpn issue

Re: vpn issue

Re: NAT for ldap

Re: NAT for ldap

Re: Global Protect will connect then immediately disconnect

Re: Spoofed IP address zone protection of vwire

Re: Spoofed IP address zone protection of vwire

Re: Spoofed IP address zone protection of vwire

Re: How to create custom vulnerability signature for SIP packets?

Re: GlobalProtect client pre-/post-connect commands?

Re: Can I look ACC of some devices in Panorama?

Re: How can I set connection limit per user or Source Address ?

Re: Qos Layer2

Re: link aggregation down

Unlock your full community experience!

About kprakash