About mikand

Speaking of hardcoding this seems to be valid for 10 and 100Mbit links but for 1Gbit and upwards the IEEE standard suggests one to use auto/auto (or auto/full, auto/half). So if you set one side statically to 1000Mbit it might end up with funny results depending on what you have on the other side. Note however that this depends on hardware being used. Some hardware when you force it to 1000Mbit will actually still use auto/auto but only propose 1000Mbit as supported speed (instead of 10, 100, 1000 as it would normally do). ... View more

This should work before you get BGP aswell, just use an ip out of your public range as loopback. Then when you configure the tunnel you set it to zone DMZ - this way you wont need any security rules for traffic going to the DMZ servers (because the tunnel and the server will be on the same zone). ... View more

When using VSYS you will still use a single management for them all (but the logs will use the hostname of each VSYS). The difference are in the GUI and how the dataplane will function. In the GUI you will select which VSYS you operate on and by that you only see the security policies defined for this VSYS (which can be handy, instead of having lets say 1500 rules you can with 3x VSYS have 500 each as example). VSYS can be seen as VDC in the (cisco)router-world. That is you can have two interfaces with the same ip but they have different routingtables and are part of two different physical networks (actually that is called VROUTER in PA regarding different routingtables which can be seen as VRF in the router-world). In most cases you can achieve the same things with or without VSYS so in reality VSYS are more for getting a logic segmentation for the administrators rather than a physical segmentation (it will be easier to think for the admin if you use VSYS rather than trying to setup the same thing in a single VSYS). VSYS can also help you in case (as already mentioned) have different people which should be able to configure different stuff. Lets say you have on the inside a SERVERFW and a BACKUPFW where the backuppeople should be able to take care of their own rules. Without VSYS the backup people will be able to see (and maybe also alter) all the rules in the firewall. With VSYS you can setup roles so that backup people can only alter security policies of BACKUPFW while the other firewall admins will be able to alter rules in both "devices". Another setup where VSYS is handy is when you will consolidate different physical hardware into a single PA cluster (given that you are allowed to use a single hardware for this - there are cases where you must or should use different physical gear). The first transition can be to just keep the current setup and use VSYS (one VSYS per device you replace with the PA cluster). The second transition will be to clean up rules along with make a revision if the physical design can be optimized further. Hopefully in future the VSYS's will be able to do QoS on VSYS level (that is in an overload situation VSYS1 should for example be favorized over VSYS2, or for that matter define a static resource limit for VSYS1 so even if VSYS1 is getting DDoSed (or such) VSYS2 will have resouces on its own to play with). ... View more

Another setup is to use both PA boxes as independent setups with no HA in between. You will lose the session sync but this way the routers before and after PA will take the loadbalance decisions (and along with IP-SLA through the PA boxes the external routers can decide which site to announce to the Internet or whatever you have on the outside and the internal routers could decide which site should be used to reach outside). In order to have equal setup (like policies etc) on both boxes you can use Panorama. You can also use PA in VWIRE mode (but then the dmz vlaning will have to be taken care of the internal router on each site). ... View more

What about buffering issues when one side is 1Gbit (or more) and the other is 100Mbit (or less) in a PA? Wouldnt it be more efficient to set both sides of the PA to the same speed and let the buffering be dealt with by the routers/switches between the PA and the client(s)? ... View more

If the switch interface supports both tagged and untagged on the same interface you should be able to have both tagged and untagged traffic on the PA connected to this interface if I fully understand your question 😃 ... View more

What do you mean by that you want to exclude traffic from policy? What comes to mind is to setup QoS on your PA box to lower the priority of your backup traffic so production traffic will have it easier to function when the backups are being transmitted. ... View more

At first I thought it could perhaps be that you use 1024 or lower for your SSL/TLS traffic which Microsoft has announced previously they would quit support for (I think SSL/TLS must be 2048 or higher from now on). But looking at Microsoft Security Advisory (2736233): Update Rollup for ActiveX Kill Bits it only mentions: " Microsoft is releasing a new set of ActiveX kill bits with this advisory. This update sets the kill bits for the following third-party software: Cisco Secure Desktop. The following Class Identifier relates to a request by Cisco to set a kill bit for an ActiveX control that is vulnerable. For more information regarding security issues in the Cisco Secure Desktop ActiveX control, please see the Cisco Security Advisory, Multiple Vulnerabilities in Cisco AnyConnect Secure Mobility Client. The class identifiers (CLSIDs) for this ActiveX control are as listed in the Third-Party Kill Bits section of this advisory. Cisco Hostscan. The following Class Identifier relates to a request by Cisco to set a kill bit for an ActiveX control that is vulnerable. For more information regarding security issues in the Cisco Hostscan ActiveX control, please see the Cisco Security Advisory, Multiple Vulnerabilities in Cisco AnyConnect Secure Mobility Client. The class identifiers (CLSIDs) for this ActiveX control are as listed in the Third-Party Kill Bits section of this advisory. Cisco AnyConnect Secure Mobility Client. The following Class Identifier relates to a request by Cisco to set a kill bit for an ActiveX control that is vulnerable. For more information regarding security issues in the Cisco AnyConnect Secure Mobility Client ActiveX control, please see the Cisco Security Advisory, Multiple Vulnerabilities in Cisco AnyConnect Secure Mobility Client. The class identifiers (CLSIDs) for this ActiveX control are as listed in the Third-Party Kill Bits section of this advisory. " ... View more

Shouldnt it work if you setup a loopback interface out of your PI range (or whatever you use for BGP announcement) and configure your VPN to use this loopback interface? ... View more

Could you paste your interface configuration (preferly from the running-config.xml) - dont forget to obscure any sensitive ip addresses (if any)? Currently PA supports following service route configurations: route | { destination <value> source-address <value> | service { crl-status source-address <value> | dns source-address <value> | email source-address <value> | netflow source-address <value> | ntp source-address <value> | paloalto-updates source-address <value> | panorama source-address <value> | proxy source-address <value> | radius source-address <value> | snmp source-address <value> | syslog source-address <value> | uid-agent source-address <value> | url-updates source-address <value> | wildfire source-address <value> } } By best guess is that LDAP is included within uid-agent setting. So if you change uid-agent to use the interface you want it should work. ... View more

When using dynamic url filtering, how is this lookup being performed? By a dns query to your own dns-resolvers or by a direct connection to the brightcloud "cloud"? And if its the later - is this done with ssl or such and which data is being transmitted to brightcloud other than srcip for the connection along with the url which is being queried? ... View more

How come this is this way and is this due to a hardware limitation (or can it be fixed by a feature request)? Because if one just use dynamic ip then the source port will not be changed which means that if the source port is already used by some other client then client2 wont be able to establish an outbound connection (not until the first established connection is shutdown). This is fixed by using dynamic ip + dynamic port which will just select any >1023 available port and map this to the current connection (client) no matter who the client it is on the inside. But when using a pool along with dynamic ip + dynamic port I would expect the same behaviour. That it starts by 1 dynamic ip out of the pool per client. But when client M+1 shows up it would just select any available dynamic ip + dynamic port (and continue to use that dynamic ip pair) - or for that matter start again from the first ip in the pool. If we compare this to a manual setup it would be: client1+5, use dynamic ip 1.1.1.1 + dynamic port. client 2+6, use dynamic ip 1.1.1.2 + dynamic port. client 3, use dynamic ip 1.1.1.3 + dynamic port. client 4, use dynamic ip 1.1.1.4 + dynamic port. ... View more

Just to clearify regarding your user from local network, that is not to reach users on the public network but rather setup a VPN (or whatever) towards the portal-ip just like the public users? If its the later - what about if your local users connect to the internal L3 ip instead? You should be able to deal with this by the help of the dns. If the user is externally then your external authoritive dns-server will reply to "vpn.example.com" with the external ip. But when they are on the inside your internal authoritive dns-servers (or if you have the same hardware for both cases then use views in your dnsserver) will reply to "vpn.example.com" with the internal ip. ... View more

When you setup: acme.com *.acme.com doesnt that second line include what.ever.www.acme.com ? And to answer apackard: this is quite common when it comes to url-filtering, I have seen this behaviour on more devices than PA. I guess those who doesnt have this in the GUI will actually do the same thing in the backend. ... View more

Hmm, thanks for the reply... then its some error related to CEF (or configuration of it or receiving of it). ... View more