This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

About TDC

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.
TDC
‎05-07-2018
since ‎04-25-2012
L1 Bithead
User Activity
User Profile
Latest posts by TDC
View All
My Liked Posts
View All
User Badges
Community Statistics
Member Since ‎04-25-2012 04:55 PM
Date Last Visited ‎05-07-2018 01:32 AM
Posts 14
Total Likes Received 1

Re: No Source User displayed

by in General Topics
‎05-29-2014 01:51 PM
1 Kudo
‎05-29-2014 01:51 PM
1 Kudo
Hi All I managed to fix this by creating a new zone and interface and reconfiguring the gateway to use the new interface etc. As soon as this was committed the Source User started showing up again. I then just changed the policy rules to use the new zone and service was resumed. Thanks for reading. Alan ... View more

No Source User displayed

by in General Topics
‎05-28-2014 05:50 PM
‎05-28-2014 05:50 PM
Hi We have just completed an upgrade from PANOS 5.0.3 to 6.0.2. Everything seems OK with the exception of the GlobalProtect agents (and Shrew VPN) not being allowed onto the network. A successful connection is made by GlobalProtect but you can't connect to servers or see the network as everything gets dropped by a policy rule that drops everything coming from the Tunnel. What we do is have several different rules that controls which users can see which servers. As an admin I get to see the entire network. The rules use the 'source user' to decide what you can see. All fairly standard stuff and it was working fine when we ran 5.0.3. However since the upgrade everything gets dropped by the drop rule. To clarify the rules:- 1. Allow DNS traffic to the DNS servers. 2. Allow users A,B and C access to server one. 3. Allow users D,E and F access to server two. 4. Drop all traffic from the Tunnel. When I monitor the traffic logs and filter to just look at stuff coming from the Tunnel zone I've noticed that there is nothing listed under the 'Source User' column (user accounts were listed under 5.0.3). The fact that the packets are dropped by the 'drop everything from the tunnel' rule this tells me that the source user isn't being seen by the policy (otherwise it would have been allowed by a previous rule). There is one rule (the first one) that allows DNS lookups and this rule works but the policy doesn't use Source User in its settings. I've checked that UserID is enabled still on the Tunnel interface and the following command returns the correct data for 'domain' and 'user':- show user ip-user-mapping ip 10.10.100.19 IP address:  10.10.100.19 (vsys1) User:        domain\user From:        GP Idle Timeout: 10558s Max. TTL:    10558s Groups that the user belongs to (used in policy) When I look at the System logs I can see the GlobalProtect agent connect and it shows the correct user account details. I see UserID's correctly on the LAN interface so UserID is working. Anyone got any thoughts as to why after the upgrade the Source User isn't being seen by the policy? As I said, it was working fine in 5.0.3 and short of doing the upgrade, nothing has changed (I'm going through the config audit to confirm). Any help would be appreciated. Alan ... View more

Re: Custom URL Filtering

by in General Topics
‎04-01-2013 03:37 PM
‎04-01-2013 03:37 PM
Hi bulent and achitwadgi Thanks for the replys. Sorry for not replying sooner but its been a long weekend. Yes, I chose Outlook-web, SSL and Web-Browsing. All traffic gets seen as SSL to port 443. I'm not using a certificate at the moment and yes the traffic gets seen going to the FQDN of the server (thanks for the info on the pulling of the CN from the cert) so I'll look at adding SSL decryption to pop open the traffic and see if that helps. I noticed that the logs generated indicated that the URL being seen is the FQDN of the server without the '/ecp' or '/owa/' so the path seems to being dropped or ignored on the request. In my custom URL filter I include the path so when I look the logs the URL is listed as 'unknown'. When I removed the path from the URL in the custom filter it gets clasified correctly as the custom URL. I'll continue to look at the SSL decryption and how that will help but if anyones got any ideas why the paths are being ignored I'd love to here them. Cheers for all the support. Alan ... View more

Custom URL Filtering

by in General Topics
‎03-27-2013 05:20 PM
‎03-27-2013 05:20 PM
Hi All I am trying to get customer URL filtering working and it's not making much sense to me. What I need to do is protect the Exchange server by allowing only connections to OWA and not ECP etc. I've created a Customer URL Category called 'OWA Sites' and listed the following as sites (note there are no external URLs to go off as the external URL is currently pointing at an ISA server): www.xxx.yyy.zzz/owa server.mydomain.co.nz/owa I've then created another Custom URL Category called 'OWA Sites Blocked' and listed the following sites: www.xxx.yyy.zzz/ecp server.mydomain.co.nz/ecp I've then setup a URL Filtering Profile and selected 'allow' next to 'OWA Sites' and 'block' next to 'OWA Sites Blocked' Finaly a rule was setup to allow the appropriate traffic to the exchange server and the new filtering profile was selected in Profile Settings section. Now if I goto the site www.xxx.yyy.zzz/owa I get a security certificate error (understandable) and then get prompted to login - as planned. If I go to the site www.xxx.yyy.zzz/ecp I get the certificate error and then can log in to the ECP site. Surely the filtering profile should have blocked the site? I've then gone and set the profile type to 'none' and then used the URL filter within the services/URL category tab of the rule to see if I can control it that way but no, I can't get onto either site now. Anyone got any ideas on what I'm doing wrong? How are you controlling the access to the Exchange sites? We're using 5.0.3. Cheers Alan ... View more

Re: Best practice for OWA and OMA

by in General Topics
‎02-24-2013 02:17 PM
‎02-24-2013 02:17 PM
Correct. The one think that the firewall won't do is 'publish' OWA in the sense that ISA does (its not a reverse proxy in that sense). However, with the SSL cert the firewall can decrypt the data as it passes by to ensure there are no hidden nasties. Also with what Kelly mentioned, you can control what web sites are being hit to ensure only the ones you want to publish (again not in the ISA sense) are the only ones available - still trying to get the fine control working. I will admit, I still get a warm fuzzy feeling publishing OWA/OMA via ISA as its not exposing the Exchange server directly to the big bad web but then again its using ISA and comparing that to our PA-500 its obvious the Pa-500 is in a different league.... Cheers Alan ... View more

Re: Best practice for OWA and OMA

by in General Topics
‎02-21-2013 08:13 PM
‎02-21-2013 08:13 PM
Hi Kelly Thanks for the reply. I'm looking at the URL filtering now and hope to have something working by Monday (I've already got it working but just want to fine tune it a bit). Interesting information on PAN-OS 5.0 and I'm going to bring my upgrade to the latest version forward a bit to take advantage of the new features. Once again, thanks for the help. Cheers Alan ... View more

Best practice for OWA and OMA

by in General Topics
‎02-20-2013 07:14 PM
‎02-20-2013 07:14 PM
Hi I'm getting rid of our old ISA server which we used to expose OWA and OMA and want to use our PA-500 to allow domain users access to OWA and OMA (for their iPads etc). I've noticed that the application 'Outlook-web' is used for OWA and its dependancies are SSL (understandable) and Web-Browsing (not so understandable but it must be needed otherwise it wouldn't be a dependancy). I'm going to look at loading the SSL certificate we use onto the PA-500 so it can decrypt the data but what else should I be looking at doing to provide maximum protection to the Exchange server (we just have one Exchange server that runs the CAS, HUB and Databses)? Any best practices? Many thanks for reading and any help or advise would be really appreciated. Edit:- we are using PAN-OS 4.1.7 Cheers Alan ... View more
Labels:

Re: Global Protect client can't be disabled

by in General Topics
‎09-23-2012 09:08 PM
‎09-23-2012 09:08 PM
Hi sdurga Many thanks for taking the time to test this out. I'm contacting our Premium Support partner now. Cheers Alan ... View more

Re: Global Protect client can't be disabled

by in General Topics
‎09-20-2012 07:06 PM
‎09-20-2012 07:06 PM
Hi I've just noticed something else. In the Client Config I've got set "allow user to manually rediscover network location" and the option is greyed out in the client as well. I've also set the Agent User Override to "with-passcode" and entered a passcode but thats made no difference either. Cheers Alan ... View more

Re: Global Protect client can't be disabled

by in General Topics
‎09-20-2012 06:55 PM
‎09-20-2012 06:55 PM
Hi thanks for the reply I've restarted the laptop several times and I've created a test client config to try and resolve my issues with so I don't effect current users. I've confirmed in the logs that I'm getting the new policy. Still not able to disable the client. I've just  made a change to the policy by setting the "Display welcome page" to factory default (previously it wasn't set) and restarting my test laptop. Now connecting the client I get the welcome page pop up so I know its got the right config. Still no disable option. Weird. Any other thoughts. Cheers Alan ... View more

Global Protect client can't be disabled

by in General Topics
‎09-20-2012 05:43 PM
‎09-20-2012 05:43 PM
Hi I've just rolled out the Global Protect client (version 1.1.6) to some contractors that need remote access to our network. I've got it setup as follows: Portal config - Client Configuration Options:- On Demand Agent:     Enable advanced view - true                User can save password - true                Passcode - blank                Confirm - blank                Agent User Override - with comment                Agent User Override Timeout - 0                Max Agent User Overrides - 0                Display welcome page - false                Welcome Page - none Agent Conf: Allow user to manually rediscover network location - true                     Allow user to manually resubmit host information - true I'm not doing any HIPs stuff. What I need to happen is that the consultant launchs the agent when they need to connect and then shutdown the agent when they have finished using it. At the moment the agent runs everytime the PC starts and you can't close it once its running (the disable option is greyed out). I thought that enabling the Agent User Override option to "with comment" that they'd be able to shut the agent down. Is it possible to stop the agent from running all the time and what could I have done wrong that means the agent can't be shutdown once its running? Any help would be appreciated. Cheers Alan The actual VPN connection is working great and everything seems to be working except this one last little issue. Anyone got any thoughts? Cheers Alan ... View more
Labels:

Re: Using ISA for OWA

by in General Topics
‎09-18-2012 01:20 AM
‎09-18-2012 01:20 AM
Hi Got it working. I analysed a working session in ISA and noted that when the Fortigate unit was in place the source IP (according to ISA's logs) was that of the firewalls DMZ interface (in this case 192.168.20.1) and not the original source IP (obviously a public address). I therefore concluded that the fortigate was somehow NATting the source address as well as the destination. Modifying my DNAT rule to include translating the source (dynamic-ip-and-port) to that of the DMZ interface caused ISA to work as before. I guess thats why ISA was dropping everything as being spoofed, it wasn't expecting to see the original source IP on a network of 192.168.20.0/24. Anyway, a big thanks to Mikeand for his help and suggestions. Cheers Alan ... View more

Re: Using ISA for OWA

by in General Topics
‎09-16-2012 05:27 PM
‎09-16-2012 05:27 PM
First off, many thanks for your detailed reply - really appreciate it. Yes I'm using a private addresses in the DMZ. Thanks for the advice on using "bidirectional". The reason I set it up like this was because I'd got a NAT rule working for Citrix and decided to copy it and modify it to remove any NATting issues (it was 2am in the morning and wanted to remove any chance of config error). Taking your advise, I'll be changing the bidirectional rules to DNAT ones as in most cases the server doesn't initiate traffic to the Internet - ironicaly I've configured our email using DNAT and SNAT based rules rather than bidirectional. I've now created the ISA DNAT rule and when I was checking the security rule noticed that the destination zone was set to LAN and not DMZ. I changed both the NAT and security rule so many times during the night that I don't know if this error was there at the start or end. Anyway the config looks good now but I can't test it until tomorrow night when I can take the network down again. I'll update this post with the results. Edit: Since most traffic for OWA/OMA is https-based I would strongly recommend you to use ssl termination in the PA in order to be able to inspect the content of the ssl sessions (and using the PA IPS, AV, FILE and such features). I'm going to start looking into this now (thanks for the suggestion) as I really want to remove ISA from our network and save the cost of the license. Cheers Alan ... View more

Using ISA for OWA

by in General Topics
‎09-13-2012 07:10 PM
‎09-13-2012 07:10 PM
Hi All I'm looking to replace our Fortigate 110c with a new PA-500 and I've managed to write the security and NAT policies which when tested seemed to work well apart from OWA. We have an ISA 2006 server which publishes OWA and OMA on a public IP and have configured the NAT rule and security rule as I did for all the other sites (like Citrix etc) which work fine. The NAT rule looks like:- Source Zone:- DMZ Destination Zone:- Internet Source Address:- ISA_Server Destination Address:- Any Service:- service-https Source Transalation:-     static-ip                                        NAT_ISA_Server_Public                                        bi-directional: yes The associated security rule basicaly allows all https traffic to NAT_ISA_Server_Public from the Internet and I log at session start and end. This is basicaly the same as the Fortigate config. When I try and connect to OWA I get a timeout. I jumped on the logs to see whats happening and saw that the NAT rule seemed to be working. I then checked the ISA firewall logs and was seeing connections being dropped for packet spoofing. So why would the packets forward by the PA-500 be seen by ISA as being spoofed when the packets forwarded by the Fortigate aren't? Putting the Fortigate back in place and OWA started working fine again. I'm desparate to get rid of the Fortigate and get the PA-500 working in production (something I'm going to have to do on Tuesday 18th). So I guess my questions are:- Can anyone see what I've done wrong in the config of the PA-500 that stops ISA from working? Should I be using ISA? Can I just forward directly to Exchange? If so what are the best practices for doing this securely? Any help or advise on OWA/OMA publishing would be appreciated. Cheers Alan ... View more
Labels:
Register or Sign-in
Contact Me
Online Status
Offline
Date Last Visited
‎05-07-2018 01:32 AM
Latest Tags
No tags yet
Likes From
View All
LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks