About mikand

you can do that when the test is being runned with snmp (various counters there) - but dunno how to get the stats afterwards... ... View more

A linknet is what you call the small network (usually /30 or /29 if using redundancy) setup between two layer3 (routing) devices. This linknet is to be able to setup nexthop addresses in each device routingtable. For example... lets assume you (for some odd reason) have 10.0.0.0/16 as client network (10.0.0.0 -> 10.0.255.255) which means 65534 mac addresses which the device which will be default gateway for all those must be able to handle. However your PA can only do 1000 mac address per interface (or how large the limit now is). So to fix this (except for doing a better segmentation than having 65k clients on the same layer2 network 😃 is to plugin a L3 device which can handle that many mac address on a single interface and then setup a linknet towards the PA device. So the result will be: PA <{192.168.0.0/30]> L3 device [10.0.0.0/16] If the PA have 192.168.0.1 and the L3 device have 192.168.0.2 then the routing table in the L3 device will be: ip route 0.0.0.0/0 nexthop 192.168.0.1 When looking in the PA you will see all the 10.0.0.0 -> 10.0.255.255 clients when looking at srcip, but when looking at mac address there will be only one - the mac address for 192.168.0.2 (the mac address of the L3 device). The PA must of course have a returning route like: ip route 10.0.0.0/16 nexthop 192.168.0.2 ... View more

Why not download their public root cert and import it as a trusted authority in your PA so it will successfully decrypt their traffic (because traffic coming from a gov site doesnt necessary mean that it is clean ) Otherwise you can add excludes to a "whitelist" in the PA (listed at ) Unfortunately I dont currently recall what the CLI command is for that... ... View more

Good question... My current guess is that both will fire since they have the same info: https://threatvault.paloaltonetworks.com/Home/ThreatDetail/35017 https://threatvault.paloaltonetworks.com/Home/ThreatDetail/35018 so first it will reset-client and then it will log (alert)... but that sounds odd because if default action is reset-client then logging is included in that - isnt it? Or if someone wants just to monitor/log if/when such packets are seen then they would set this manually to alert wouldnt they? ... View more

ECMP is available from most manufacturers nowadays. The core switches in this case... are they perhaps L3-switches? 🙂 ... View more

Could it be some issue with the update servers? The ip was recently changed and perhaps the new (or old) server(s) didnt get the update as it should and by that customers (or support.paloaltonetworks.com for that case) doesnt see or have the latest update available? Because at least I would expect that when the mail is sent (or arrived 🙂 the update should be available on the updateservers (and in support.paloaltonetworks.com). ... View more

Pff, photoshoped 😉 ... View more

Yes, the routers will do the loadsharing (decide which PA will get the traffic/session). A more fancy solution is to use a true loadbalancer such as F5 or so but since most routers supports ECMP and ECMP is enough for this case I see no reason to invest in two (well four for redundency) F5's for this matter. Compared to active-active config each PA will not know that there is another PA in the network. Another difference compared to active-active is that with active-active, even if both PA are active - only one "owns" the session which gives that the total throughput (or number of concurrent connections) is the same as with active/passive. On the other hand, this limit (active/active wont give you 2x performance - only 1x) is good when one box fails because you have the same throughput with only one still functional box. However... PA-5060 is rated for 10Gbit throughput (threat prevention) which means if you need lets say 40Gbit throughput PA currently doesnt have any option for that (as a single box). This is where an ECMP setup can be handy: 1) Setup ECMP in the routers before and after the PA array. 2) Connect 4x PA-5060 individually configured (no HA). 3) Done! 40Gbit in total throughput (but still max 10Gbit per session - same as when using ether/portchannel/lacp). There are other "loadsharing" methods one can apply in such situations (depending on how your network is setup) - one is to statically "loadshare" based on VLANs instead. Like VLAN 1-999 goes through PA-5060_1, VLAN 1000-1999 through PA-5060_2, 2000-2999 through PA_5060_3 and 3000-4096 through PA-5060_4 (or which VLAN id is the highest that PA supports). The drawback here will instead be if you have for example your fileserver and mailservers at VLAN 101 and 102 which might be like 90% of your total utilization this traffic will slam into PA_5060_1 while the other three boxes will basically just idle (compared to an ECMP setup where all four would work). The good thing on the other hand is that you wont get a decrease in bandwidth if one box fails (well given the PA-5060_x is actually two boxes running in active/passive). Regarding failover condition ECMP will react if the interface goes down and then push that traffic over one of the other paths (in this case it depends on how you have setup your PA regarding tcp-reject-non-syn if the moved sessions will fail or continue to function) - otherwise you can use IP-SLA (or similar) to withdraw the route if, for example, a ping doesnt reach to the other side of the PA for a particular path. For example a setup like: Outer-Router: int0/1: VLAN101 10.0.101.2/30 int0/2: VLAN102 10.0.102.2/30 ip route x.x.x.x/x next 10.0.101.1 track 1 ip route x.x.x.x/x next 10.0.102.1 track 2 PA-boxes int1: VLAN10x 10.0.10x.1/30 int2: VLAN20x 10.0.20x.2/30 Inner-Router: int0/1: VLAN201 10.0.201.1/30 int0/2: VLAN202 10.0.202.1/30 ip route 0.0.0.0/0 next 10.0.201.2 track 1 ip route 0.0.0.0/0 next 10.0.202.2 track 2 The IP-SLA config could be something like (example for Inner-Router): ip sla 1 icmp-echo 10.0.101.2 source-interface int0/1 timeout 1000 threshold 2 frequency 3 ip sla schedule 1 life forever start-time now track 1 ip sla 1 reachability ip sla 2 icmp-echo 10.0.102.2 source-interface int0/2 timeout 1000 threshold 2 frequency 3 ip sla schedule 2 life forever start-time now track 2 ip sla 2 reachability This way Inner-Router will use each physical interface to ping the equal interface at Outer-Router and by that be able to detect if the PA in this particular path is functional or not (and if not then remove the route connected to this particular ip-sla through track). For more information on IP-SLA: http://www.firewall.cx/cisco-technical-knowledgebase/cisco-routers/813-cisco-router-ipsla-basic.html What I havent verified yet is if track will enable ECMP or not (if both track 1 and 2 are successful, will both routes have the same metric and therefor have ECMP enabled?). ... View more

Which hardware model did this occur on? ... View more

It depends on which equipment each ISP has at your end (CPE) but in short I meant: 1) Configure each PA as a single device (no HA) - the only thing that will differ is basically just the ip addresses on the interfaces. 2) Use Panorama to make the security policies etc equal on both PA's (otherwise you could of course manually configure each PA but each time you reconfigure the security policies you then must do the work twice). 3) In the routers before (and after) your array of PA boxes you will use ECMP to make the routers loadshare the traffic through your PA boxes. Dont forget to use "ip load-sharing per-destination" (which is default but still) which will make sure that a srcip+dstip combo will always use the same physical path (until that fails). ECMP means that the router have two (or more) nexthop for a particular route with equal cost/metric. For example: ip route 0.0.0.0/0 nexthop <PA1> metric 10 ip route 0.0.0.0/0 nexthop <PA2> metric 10 The above will bring you twice the performance in total (but not for a specific client since a specific client will only use one PA at a time) compared to active/passive or active/active (because in active/active the traffic is still owned by just one of the boxes which will be the limit of total performance). ... View more

The update mail arrived 8 hours ago but I still dont see it in the dynamic updates section at https://support.paloaltonetworks.com (when logged in) - only previous versions (328 and older) is currently available. ... View more

Again that depends on how you have setup your proxy. If you proxy is a non-transparent one (see previous posts in this thread for an example of the differences) then you can just make the PA to force the traffic into the proxy by specify translated address into proxyip:proxyport. But if you use a webproxy in transparent mode changing the dstport will break things in how the webproxy will handle the traffic. This is what will happen (when things go bad if you try to change dstport when using a transparent proxy): 1) Your client wants to go to http://www.google.com and your dns resolver replies to the client with 173.194.71.105. 2) Client will now try to establish a tcp connection towards 173.194.71.105:80. 3) Traffic goes through your PA who (what you request if I understood your question correctly) will change dstport from 80 into 8080. So on the other end of the PA the packet has now 173.194.71.105:8080. 4) Traffic reaches your transparent proxy who accepts it and process it. On the other side of the transparent proxy the session which the proxy tries to establish will go to 173.194.71.105:8080 and not 173.194.71.105:80. 5) Since www.google.com [173.194.71.105] doesnt listen to TCP8080 the traffic cannot be established from the proxy and the proxy will reply to the client "ERROR: server unreachable" (or similar). Now, in order for a DNAT redirecting traffic into your proxy (with changed dstport) to function you must configure it to non-transparent mode (and configure the clients to use proxy). Meaning that the proxy will look within the http header instead of ip header on where to make the outbound connection. Another solution is to configure your transparent proxy to listen to TCP80 (and TCP443 and other ports you might expect http traffic on) which when using DNAT you will leave "translated port" empty and things will work... ... View more

I dont know if PA itself supports ECMP or not but usually (in my opinion) the ECMP will be setup in the routers before and after the PA-cluster (cluster of PA's who are individually configured (meaning no active/passive or active/active) in order to gain performance). Most modern Cisco routers supports at least 8 paths of ECMP (meaning up to 8 nexthops with the same metric/cost and they all will be used). What you must make sure is to use "ip load-sharing per-destination" (default when CEF is enabled) so that the traffic will use a single path for all src+dstip traffic (compared to ip "load-sharing per-packet" which would break things in this situation): " Configuring per-Destination Load Balancing Per-destination load balancing is enabled by default when you enable CEF. To use per-destination load balancing, you do not perform any additional tasks once you enable CEF. Per-destination load balancing allows the router to use multiple paths to achieve load sharing. Packets for a given source-destination host pair are guaranteed to take the same path, even if multiple paths are available. Traffic destined for different pairs tend to take different paths. Per-destination load balancing is enabled by default when you enable CEF, and is the load balancing method of choice for most situations. Because per-destination load balancing depends on the statistical distribution of traffic, load sharing becomes more effective as the number of source-destination pairs increase. You can use per-destination load balancing to ensure that packets for a given host pair arrive in order. All packets for a certain host pair are routed over the same link (or links). " ... View more

Cant you in the Translated Packet -> Destination Translation just leave the ip address blank and put in a value for translated port? ... View more