This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

About SDorsey

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
SDorsey
‎10-27-2020
since ‎04-18-2012
L4 Transporter
User Activity
User Profile
Latest posts by SDorsey
View All
My Liked Posts
View All
My LIVEcommunity Articles Contributions
View All
User Badges
Community Statistics
Member Since ‎04-18-2012 08:18 AM
Date Last Visited ‎10-27-2020 06:38 PM
Posts 149
Total Likes Received 23

Re: PAN Dual ISP Failver Best Practices

by in General Topics
‎08-11-2014 05:26 AM
‎08-11-2014 05:26 AM
Yeah I understand DNS can only have a single A record mapping to an IP at a time. I'm not sure I have a practical use-case scenario for what I'm asking.. just curious if it is possible from a routing perspective in the PAN. ... View more

Re: PAN Dual ISP Failver Best Practices

by in General Topics
‎08-09-2014 01:45 PM
‎08-09-2014 01:45 PM
Is it possible that if you have say dual ISPs and you are hosting a publicly accessible web server.. that it be accessible on the public IP of either ISP at any given time? The current setups have it where it is only accessible on the active ISP line due to the PBF rules. ... View more

Re: PAN Dual ISP Failver Best Practices

by in General Topics
‎08-09-2014 11:43 AM
‎08-09-2014 11:43 AM
Well nevermind on question two. I tested it and no for sure you can NAT just fine with all ISPs being on same zone. ... View more

Mgmt webgui kicks me out since panos 6.0

by in General Topics
‎08-09-2014 10:54 AM
‎08-09-2014 10:54 AM
Wanted to see if anyone else has had this issue. Ever since our clients have been updated to PANOS 6, the webgui will periodically kick you back to the login screen. This seems to happen in both Chrome and FF. It still happens with 6.0.4. We see this on 200s, 500s, 2000s and 3000s. Has anyone else run into this? Is it a known bug? ... View more
Labels:

PAN Dual ISP Failver Best Practices

by in General Topics
‎08-09-2014 10:49 AM
‎08-09-2014 10:49 AM
I have setup dozens of PANs with multiple ISPs and failover but have some questions in regards to best practices.. 1. Is PBF the only way to handle failover? If not, can the same be achieved via HA Link/path monitoring or is that specifically for device/firewall failover? 2. This is mostly in regards to what is processed first in the firewall. If you setup two ISPs, are there any issues with putting them in the same zone so you can manage them as a single zone from a security perspective? My question mostly revolves around NAT. If you have two NAT policies which match Internal to External but the policies have two different source NAT IPs.. will the firewall look at the PBF table, see which interface it is going to go out of, then apply the appropriate NAT policy? Or do you have to put the ISPs in separate zones? ... View more
Labels:

Re: 6.0.4 group mapping issue?

by in General Topics
‎08-07-2014 06:11 PM
3 Kudos
‎08-07-2014 06:11 PM
3 Kudos
Eureka. Apparently 6.0.4 may have a problem processing group names which have a hyphen. I create a new group with the same users which lacked a hyphen and it matched as expected. Added a hyphen to the new group and it stopped. ... View more

6.0.4 group mapping issue?

by in General Topics
‎08-07-2014 05:51 PM
1 Kudo
‎08-07-2014 05:51 PM
1 Kudo
I started running into this group mapping issue after update a client to 6.0.4. We have a policy which matches on an Active Directory group for SSLVPN and what they can access. The same A.D. group is used in the Kerberos authentication profile to auth to VPN. After the update, these users are no longer matching on this policy. There is a policy just above it utilizing a different A.D. group and users from that group match just fine. I did notice in the CLI if I do a show user group mapping ?, it lists the LDAP format of the group name as oppose to domain/group... whereas for the group which is working, it shows domain/group. If I go to the policy and delete the group then add the group back name in via the LDAP format, it auto-resolves it to the group\domain format as soon as I hit enter. ... View more
Labels:

Re: File blocking profile for Evernote application

by in General Topics
‎08-04-2014 11:22 AM
1 Kudo
‎08-04-2014 11:22 AM
1 Kudo
To add on to what Steven said.. Create a security rule which matches on the evernote-app ID. Then configure a file blocking rule which blocks the uploading of files and attach this file blocking profile to the security rule which matches on the evernote app. ... View more

Re: FQDN Address Objects Not Resolving - PANOS 6

by in General Topics
‎07-16-2014 11:58 AM
‎07-16-2014 11:58 AM
Thanks! Do you have any idea when 6.1 may drop? I thought it was the end of this year and that seems like a bit to wait for this bug fix. ... View more

FQDN Address Objects Not Resolving - PANOS 6

by in General Topics
‎07-16-2014 06:55 AM
‎07-16-2014 06:55 AM
I have a few different clients with the same issue. I have some FQDN address objects and I assign a TAG to each of those objects. Then I create a Dynamic address object group which contains address objects with that tag. Then I add the dynamic group to a policy. Traffic is not matching on that policy; it is matching on explicit deny rule. If I run "request system fqdn show", I get: sharepoint.domain.org  (Objectname SharePoint):                         Not used From the PAN, I can surely resolve the specific names. It just isn't storing them in the object db it appears. If I change the address object group to a static group and add the address objects manually as opposed to tagging/dynamic, it works fine. ... View more
Labels:

Re: Activate Brightcloud URL DB

by in General Topics
‎07-12-2014 07:49 AM
‎07-12-2014 07:49 AM
Well that did it. Thanks for your input! Does Brightcloud Url filtering always have to be seeded via CLI now? ... View more

Activate Brightcloud URL DB

by in General Topics
‎07-12-2014 05:58 AM
‎07-12-2014 05:58 AM
Has anything changed with the way to activate Brightcloud URL filtering db in version 6? I updated several other boxes which use the pandb db and do not have issue. The one box in the wild we have with Brightcloud Url filtering is the only issue. It does not show as activated under Licenses (with no button to activate it). Its license is valid through 2016. The Apps/Threats and AV updates are coming in successfully. In version 5.. after you updated your Apps/Threats and checked for updates again, it would list another available dynamic update for url fitlering. I do not see it now. Any pointers? ... View more

Re: IPSEC Tunnel to ASA - PeerID issues

by in General Topics
‎07-11-2014 09:08 AM
1 Kudo
‎07-11-2014 09:08 AM
1 Kudo
The crypto settings under number 2 showed me what to change. Thank you! ... View more

Re: IPSEC Tunnel to ASA - PeerID issues

by in General Topics
‎07-11-2014 09:03 AM
‎07-11-2014 09:03 AM
I appreciate the input but that's not quite it... The issue is that it is receiving a FQDN for the PEER ID from the Cisco ASA. I am looking for how to determine in the ASA where it is sending its FQDN as an ID because I do not see anything in the ASA that would send its FQDN. ... View more
Register or Sign-in
Contact Me
Online Status
Offline
Date Last Visited
‎10-27-2020 06:38 PM
Latest Tags
No tags yet
Likes Given To
LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks