This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

About SDorsey

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
SDorsey
‎10-27-2020
since ‎04-18-2012
L4 Transporter
User Activity
User Profile
Latest posts by SDorsey
View All
My Liked Posts
View All
My LIVEcommunity Articles Contributions
View All
User Badges
Community Statistics
Member Since ‎04-18-2012 08:18 AM
Date Last Visited ‎10-27-2020 06:38 PM
Posts 149
Total Likes Received 23

Re: generic:beerwineandcupcakes

by in General Topics
‎01-18-2014 11:07 PM
‎01-18-2014 11:07 PM
I struggle with this too. Hard to really determine what to look further into. ... View more

Re: EIGRP?

by in General Topics
‎01-18-2014 11:04 PM
‎01-18-2014 11:04 PM
I had no idea they were opening it up. Interesting. I wonder how PAN will react. ... View more

Re: PANOS 6

by in General Topics
‎01-14-2014 11:38 AM
‎01-14-2014 11:38 AM
The features document will help a lot. As far as the beta, 6.0 comes out next week so I would just wait until the final as oppose to messing with the beta. ... View more

Re: Ignoring control flags

by in General Topics
‎12-19-2013 06:19 PM
‎12-19-2013 06:19 PM
kadak Thanks for the info but I am confused on one part.. Increase the timeout-tcpwait value. This can be done using the following command. Maximum value is 60 seconds. In the configuration mode #set deviceconfig setting session timeout-tcpwait <1-60> #commit force The above change can be cross checked with the following command. I changed the timeout-tcpwait value to 100 seconds You said the max value is 60 seconds then set it to 100 seconds.. how does that work? ... View more

Ignoring control flags

by in General Topics
‎12-19-2013 06:38 AM
‎12-19-2013 06:38 AM
Is it possible to ignore tcp control flags in the Palo Alto? I have a client where several nodes talk back to a server through the PAN. The nodes will send a FIN packet so the PAN will drop the session.. however, the vendor requires the session to stay up. In the ASA world, there is an option to -ignore control flags-. ... View more

Rate limiting egress on perimeter install

by in General Topics
‎12-11-2013 08:08 PM
‎12-11-2013 08:08 PM
I have a client where I would like to rate limit egress traffic from an internal source IP. This source IP tends to be a major bandwidth hog. I currently have no QOS profiles setup but I do see the option to limit egress I believe. Are QOS profiles the easiest / only way to do this? Does QOS allow you to limit based on a single IP? ... View more
Labels:

Data Filtering - Reverse possible?

by in General Topics
‎10-21-2013 07:09 AM
‎10-21-2013 07:09 AM
For a client, we are working on a regulatory need where we need to block any administrator attempts to login to a web application sitting behind the firewall. I created a data filtering rule which looks for the admin names and it DOES block it, however, this is an explicit deny and is the opposite of best practices. What would work best is if we could only ALLOW the 4-5 standard user logins and block anything else. Is there a way to make the data filtering work in reverse? ... View more
Labels:

Custom APPid based on user login

by in Automation/API Discussions
‎10-09-2013 06:35 PM
‎10-09-2013 06:35 PM
I am working with a client in an interesting situation.. We are basically needing to limit sections of the network where certain users and login to a web server. For example, only admins can login from zone1 and only users can login from zone2. The application on the web server is not a custom one built by the client but there is no current ID for it in the app-id db. Currently, we would like to make the policy decisions based on app.. and have a separate ID based on admins or users. I created an APP-ID for the application itself and tested it; it works! I also checked "Continue scanning for other applications". Next, I used a proxy to monitor the packets and found that the username is submitted via HTTP PARAMS. So, I cloned the original APP-ID and made a new one (we will call it App-User). I added an AND condition to the original signature and it looks for: Context: http-req-params pattern: user (I have also tried username=user). Qualifier is http method = POST. After committing this.. the PAN IDs the traffic as the original APP-ID but does NOT change the app identified once someone sends posts requests with the specific username identified. Will this not work in the manner I think it would? Any better suggestions? FWIW: I don't have to create an AND rule for each user. The user base all share a generic ID for this system. ... View more

Custom App ID - Derived from usernames/http params

by in General Topics
‎10-08-2013 02:10 PM
‎10-08-2013 02:10 PM
I am working with a client in an interesting situation.. We are basically needing to limit sections of the network where certain users and login to a web server. For example, only admins can login from zone1 and only users can login from zone2. The application on the web server is not a custom one built by the client but there is no current ID for it in the app-id db. Currently, we would like to make the policy decisions based on app.. and have a separate ID based on admins or users. I created an APP-ID for the application itself and tested it; it works! I also checked "Continue scanning for other applications". Next, I used a proxy to monitor the packets and found that the username is submitted via HTTP PARAMS. So, I cloned the original APP-ID and made a new one (we will call it App-User). I added an AND condition to the original signature and it looks for: Context: http-req-params pattern: user (I have also tried username=user). Qualifier is http method = POST. After committing this.. the PAN IDs the traffic as the original APP-ID but does NOT change the app identified once someone sends posts requests with the specific username identified. Will this not work in the manner I think it would? Any better suggestions? FWIW: I don't have to create an AND rule for each user. The user base all share a generic ID for this system. ... View more
Labels:

Loopback Interfaces in VPNs

by in General Topics
‎09-21-2013 08:59 PM
‎09-21-2013 08:59 PM
In my configs, I generally reference the actual egress interface on the PAN device. I have run across some configs where the original engineer tied the GP portal to a loopback interface which basically just pointed to the same IP tied to the egress interface. Is there a benefit to using the loopback instead? ... View more
Labels:

Proper Way to allow Split-tunneling

by in General Topics
‎09-16-2013 07:00 AM
‎09-16-2013 07:00 AM
Greetings all! I am trying to allow split-tunneling for a client so they can access their home network while connected via VPN. I see in split-tunneling box, the option to add specific network ranges but hope there is a better way since I could not hope to know all of their home network ranges. I am sure I am missing something. Thanks in advance! ... View more
Labels:

Re: Troubleshooting device with orange status light

by in General Topics
‎08-22-2013 05:38 AM
‎08-22-2013 05:38 AM
panos wrote: you may do factory reset after backing up the config. Is there an easy way to backup the config with only console access? I don't have an scp box onsite to shoot the config to. That was the only option I saw. ... View more

Re: Troubleshooting device with orange status light

by in General Topics
‎08-22-2013 05:37 AM
‎08-22-2013 05:37 AM
show jobs all doesn't show anything running. Client PRI    State Progress -------------------------------------------------------------------------               routed  30     init        0             ha_agent  25     init        0               device  20     init        0               ikemgr  10     init        0               keymgr  10     init        0    (op cmds only)              logrcvr  10     init        0                dhcpd  10     init        0              varrcvr  10     init        0                l3svc  10     init        0               sslvpn  10     init        0               rasmgr  10     init        0              useridd  10     init        0                 satd  10     init        0              websrvr  10     init        0               sslmgr  10     init        0                authd  10     init        0               pppoed  10     init        0            dnsproxyd  10     init        0 Overall status: init. Progress: 0        0    (op cmds only) Warnings: ... View more

Re: Troubleshooting device with orange status light

by in General Topics
‎08-21-2013 08:39 PM
‎08-21-2013 08:39 PM
It also does not respond to pings or pass traffic. This was NOT following any software update or anything. Client left office one day and it worked fine and next morning, it was in this state. ... View more

Re: Troubleshooting device with orange status light

by in General Topics
‎08-21-2013 08:34 PM
‎08-21-2013 08:34 PM
I take it back. The current up time is over 2 days. ... View more
Register or Sign-in
Contact Me
Online Status
Offline
Date Last Visited
‎10-27-2020 06:38 PM
Latest Tags
No tags yet
Likes Given To
LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks