This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

About dtran

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.
dtran
‎04-08-2024
since ‎04-16-2016
L4 Transporter
User Activity
User Profile
Latest posts by dtran
View All
User Badges
Community Statistics
Member Since ‎04-16-2016 09:37 AM
Date Last Visited ‎04-08-2024 06:17 PM
Posts 91
Total Likes Received 19

Re: Paloalto TAC support

by in General Topics
‎01-26-2021 02:58 PM
‎01-26-2021 02:58 PM
Been waiting on the call for over 80 minutes, and still waiting.  Talked to the TAC engineer and went over the issue with her.  Before ending zoom, I asked her if she fully understood the issue.  She responded yes.  Today she emailed back asking me the same question that I thought she understood.  I am speechless.  I called TAC support and been waiting for over 80 minutes.  ... View more

Re: not able to access certain web sites from host behind PAN firewalls

by in General Topics
‎01-26-2021 01:57 PM
2 Kudos
‎01-26-2021 01:57 PM
2 Kudos
I found the solution here:  https://www.networkdefenseblog.com/post/wireshark-tcp-challenge-ack   Apparently many users who are behind PAN firewalls have issues access this site. ... View more

Re: not able to access certain web sites from host behind PAN firewalls

by in General Topics
‎01-20-2021 05:34 AM
‎01-20-2021 05:34 AM
No issue with DNS, URL filtering, NAT....  Did I mention that if I replace the PAN with Cisco or Checkpoint, I don't have this issue?   This issue is reproducible from multiple customers that are behind the PAN firewalls, from different locations and different ISP. ... View more

not able to access certain web sites from host behind PAN firewalls

by in General Topics
‎01-19-2021 11:41 AM
‎01-19-2021 11:41 AM
I am trying to access http://www.brokercheck.com from behind the PAN firewall via dynamic NAT without any success.  I have other customers behind different PAN firewalls, regardless of PAN OS version, with the same issue access website http://www.brokercheck.com.   The FW rule is wide open "any any accept log"   It works for customers NOT behind PAN firewalls.  In other words, hosts behind Cisco ASA and checkpoint firewalls can access http://www.brokercheck.com without any issues.    I have a TAC case opened with PaloAlto support and waiting to hear back from them.   Thoughts? ... View more

Re: delete ikemgr.log without impacting existing VPN tunnels

by in General Topics
‎01-07-2021 07:21 AM
‎01-07-2021 07:21 AM
@reaper:   I also notice that "debug software restart process ikemgr" does NOT impact ALL VPN tunnels.  For example, I have two IPSec VPN tunnels from this PaloAlto, running version 8.1.17, an IKEv2 with a Cisco ASA firewall and an IKEv1 with a Cisco IOS router.    When I perform "debug software restart process ikemgr", it took down the IPSec tunnel with the Cisco ASA but not the IPSec tunnel with the Cisco IOS router.   Still waiting to hear back from TAC.  Not very good support. ... View more

Re: delete ikemgr.log without impacting existing VPN tunnels

by in General Topics
‎01-07-2021 07:04 AM
‎01-07-2021 07:04 AM
" why do you want to restart the ikemg process? restarting that process will impact all vpn tunnels     you can simply delete the ikemgr.log without needing to restart the process and  if the file is growing too large too quickly  you may want to look into setting the log level lower: debug ike global show debug ike global on normal   @Tom Piens:   If I delete the ikemgr.log file without restarting the process, I will not be able to see any new IPSec debug.  That's my issue.    Is there anything in PAN like vi that I can get into the file and remove everything without deleting the file? ... View more

delete ikemgr.log without impacting existing VPN tunnels

by in General Topics
‎01-07-2021 05:40 AM
‎01-07-2021 05:40 AM
This file is getting too big for me and it takes forever to search for things in that file.  I would like to purge/delete this file WITHOUT impacting existing VPN tunnels.  I want to be able to debug VPN tunnels later on as well.   1- delete debug-log mp-log file ikemgr.log 2- debug software restart process ikemgr   Is this going to impact EXISTING VPN tunnels?    TIA ... View more

Re: Paloalto TAC support

by in General Topics
‎12-28-2020 02:44 PM
‎12-28-2020 02:44 PM
@jdelio:  I am not sure what you meant by "Our TAC support is taken seriously, and when this happens to anyone, we want to help the best way possible.".    I have a ticket opened this morning with PAN support.  I asked the TAC engineer to call me back.  He didn't and put some links in the ticket and I am not sure he knows about it himself.  I called into TAC support three hours later, spoke to another engineer and asked that the original engineer call me back to discuss the case that I opened I opened this morning.  The second engineer assured me that the original engineer will call me back in 15 minutes.  I am still waiting for that call more than three hours later.   Btw, I have premium support with PAN. ... View more

Re: Blocking certain Facebook features while allow others with PAN version 8.1.17

by in General Topics
‎12-25-2020 09:06 AM
‎12-25-2020 09:06 AM
@BPry:    1- I really don't want to decrypt "everything" because it might cause performance issues on the firewall, even on the 5250 platform.  This firewall is does everything for both inbound and outbound traffics, including globalprotect.   2- Why do I need to decrypt "everthing" outbound, just for Facebook.  I thought I only need it for "social-networking" URL category.  If I decrypt "everything", it might choke the firewall.   On a side note, have you ever done what I described in my original thread before?  Does it actually "work"? ... View more

Re: Blocking certain Facebook features while allow others with PAN version 8.1.17

by in General Topics
‎12-24-2020 02:06 PM
‎12-24-2020 02:06 PM
I decrypt everything listed in "social-networking" URL category so I assume FaceBook is one of them. Can't decrypt "everything" because that will choke the PAN firewalls ... View more

Re: SolarStorm attack - Share your thoughts

by in General Topics
‎12-23-2020 11:08 AM
‎12-23-2020 11:08 AM
I heard that even PAN got hacked as well because it is using Solarwinds in its environment. ... View more

Blocking certain Facebook features while allow others with PAN version 8.1.17

by in General Topics
‎12-23-2020 08:05 AM
‎12-23-2020 08:05 AM
I am trying to block certain Facebook features while allowing others.  For example:   Facebook – block - chat, file-share, post, video, voice   However, after implementing it on the PAN, I can still do this with Facebook:  I could post, like and upload pictures. Chat doesn’t work at all, though I can see the page.   Is this normal?  Is the application "aware" in PAN working as advertised or no? ... View more

Re: IPSec VPN and Dead Peer Detection (DPD) in IKEv1 and Liveness check in IKEv2

by in General Topics
‎12-11-2020 04:43 AM
‎12-11-2020 04:43 AM
@BPry:  "If you want/need to have traffic traverse from the PAN side constantly you would want to setup tunnel monitoring. "   PAN VPN Peer is 1.1.1.1 and Cisco VPN Peer is 2.2.2.2 PAN Encryption Domain is 192.168.1.1 and Cisco VPN Encryption Domain is 192.168.2.   https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/vpns/set-up-site-to-site-vpn/set-up-tunnel-monitoring/define-a-tunnel-monitoring-profile.html   What IP address do I put in the box?   ... View more

IPSec VPN and Dead Peer Detection (DPD) in IKEv1 and Liveness check in IKEv2

by in General Topics
‎12-10-2020 04:44 PM
‎12-10-2020 04:44 PM
I have two different IPSec VPN tunnels between a PAN and two different Cisco devices, let call them R1 and R2, as folllows:   PAN IPSec IKEv1 <<---->> Cisco R2 IKEv1 PAN IPSec IKEv2 <<---->> Cisco R1 IKEv2   I enable Dead Peer Dection (DPD) in the IKE gateway between the PAN IKEv1 and Cisco R2 router.  On the Dead Peer interval and retry, i set it to 5 and 5, respectively.  On the Cisco router R2, I set "set crypto isakmp keepalive 10".  On the IKE gateway between the PAN and Cisco R1 IKEv2, I set the "liveness check" to 5.  I also set "crypto isakmp keepalive 10" on the R2 cisco router.   Well, on the IKEv2 VPN tunnels, I see traffics every 5 seconds between the PAN and Cisco R2 even when there is no traffic going across the tunnel which is expected.  However, I am not seeing traffics between the PAN and Cisco R1 even with DPD enable.   Is that expected?  If not, is this another bug in PAN?   I am running 8.1.15 hotfix 3.      ... View more

Re: PaloAlto and DNS

by in General Topics
‎12-06-2020 06:54 PM
‎12-06-2020 06:54 PM
I know how DNS works and I also know how tcpdump work but that is not my question.    If the PAN can NOT communicate with DNS over the MP for FQDN resolution, will there any messages in the system log file that will tell me?  Apparently, I see messages in the system file for LDAP, but not DNS.  Why? ... View more
Register or Sign-in
Contact Me
Online Status
Offline
Date Last Visited
‎04-08-2024 06:17 PM
Latest Tags
Likes Given To
LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks