About BPry

BPry · ‎11-29-2016

If you have access to the firewall you can check this by simply going to the GlobalProtect Gateway configuartion -> Gateway Name -> Client Configuration -> Network Settings and looking at your access routes and seeing if you are running specified routes or if you are running 0.0.0.0/0 and running everything. Couple things to Note: If your Windows 7 box is using the same IP range as your access routes you would have to change your network so you have IP addresses that don't fall into your access routes. To add onto that you need to make sure that your in tunnel mode to actually get this to work. If you are in non-tunnel mode then you will follow whatever is assigned to the physical network adapter instead.

BPry · ‎11-28-2016

@cgormley I imagine that there is likely a 'feature request' to get this moved online.

BPry · ‎11-28-2016

The application inspection is actually one of the leading reasons that people buy a Palo Alto product, and while it does but an increase load under the processor it is something that they are designed to allow. Further, the Palo Alto can actually be better at mitegratting a DoS attack when setup properly because it can drop packets for applications that you do not have publically available. If you are worried about a DoS attack I would recommend that you setup DoS Profiles and Zone Protection profiles on your untrust interface; both of these will allow you to not only be alerted when you have a potential DoS attempt, but will automatically start to drop packets if your set limits are exceeded. To point out as well, the PA firewall will actually stop doing application inspection if your processor reaches a certain percentage on new requests. This feature is to allow the firewall to continue to pass traffic and not 'lock up' because it's busy decrypting and analyzing the applicaiton.

BPry · ‎11-28-2016

That's why I recommended the URL Filtering, more than likely I can't imagine that you are going to be given the go ahead to decrypt student traffic.

BPry · ‎11-28-2016

You might want to look into MineMeld. They have a node exactly for this and it will handle everything for you and you just set the ebl as the output for that node. That way you won't have to manually add/remove the ip addresses and everything will happen automatically.

BPry · ‎11-25-2016

I think what reaper was saying is that the interfaces that make up the ae do not need to be assigned a vsys, which they don't. When making an ae you do need it assigned to a vsys just like you would if you configured an additional 'single' interface. You can assigne ae1.2 or whatever other subinterfaces you configure to different vsys and you can import ae1 into whatever vsys you wish but it needs to be assigned somewhere.

BPry · ‎11-25-2016

You could simply apply an applicaiton override policy to that traffic that looks like the screenshot I took. Simply put it will label anything that goes to that specific port and to the specified destination addresses as 'stun' traffic. One thing to point out is that looking at the rule that you shared it doesn't look like you are using an 'application-default' service entry; therefore you should be seeing the traffic being allowed as long as it is hitting that rule.

BPry · ‎11-25-2016

The output node shrinks things down to be as simplistic as possible. If your list includes duplicate entries then you will not see the duplicate entires as the node will ignore duplicates; if you have multiple addresses that are within a range it will also combine them to be an actual range instead of multiple entries. For Example: I might have a range inputted as the following on my miner node: 50.116.122.1 50.116.122.2 50.116.122.3 50.116.122.4 On the Output node the only entry that it will make is: 50.116.122.1-4 Since I chewed up 4 indicators in my miner node and the output node shrunk it down to just a network range instead in this example alone I will have three more indicators on my miner node than what shows up in my output node. P.S you might want to stick MineMeld questions in the MineMeld discussion forum. You are likely to get more response and at least one of the developers are actually pretty active in that forum.

BPry · ‎11-25-2016

@FJU-ITCS I've actually done this perfectly fine on a PA-200 (not the exact versions obviously). As long as you have installed 7.0.1 then on any PA you just need to make sure you have downloaded 7.1.0 to get all of the dependant bits and bytes before you perform the 7.1.6 install. I believe that the reason PA does this is to avoid pushing out larger update files than needed for people to upgrade in the same software path; most devices are switching to this model instead of just downloading a full system image because it takes longer and saves bandwidth on their own servers since everybody isn't downloading massive files.

BPry · ‎11-25-2016

As @reaper pointed out you don't have any active licenses according to your screenshot besides the GP portal license which no longer needs to be renewed. You will need to get in contact with your sales rep and renew your lab licenses to be able to actually donwload anything again. If you would have installed any of the GP clients when you had active licenses you would still be able to setup this portal; however since you never donwloaded any of the client software you will need to renew the lab bundle.

BPry · ‎11-25-2016

We had an issue with this on a PA-3020 with 7.0.8 that was quickly fixed by just clearing out the connection info and adding it back in and letting it sync up again. I'm not sure when it actually took place as prior to me taking over that particular firewall they were not really utilizing it at all. Upgradding the PA-3020 to 7.0.10 and then to 7.0.11 and I haven't had the issue come up since.

BPry · ‎11-23-2016

Could be a few things: 1) No Split-Tunnel setup on the VPN. 2) You are navigating to a public ip without split-tunnel and you can no longer resolve the address due to you being 'inside' that public ip. I'd be leaning more towards your not doing a split-tunnel and you are trying to connect to a local Win7 computer.

BPry · ‎11-23-2016

Thanks, I'll have to look into pandevice more. I keep hearing that it's really nice and easier to use.

BPry · ‎11-23-2016

@Farzana Sometimes we get a little out of hand 🙂 I would just point out to the client that the legacy Cisco VPN is no longer supported and does not work properly with anything greater than Windows 7. Even if you do the legwork to get this to function it isn't a supported function; you also run into the issue of security when using a VPN client that is no longer being updated for known security holes.

BPry · ‎11-22-2016

Okay, I still can't figure this guy out. All the other commands work perfectly fine but as soon as I try to 'set' a new rule I get an error saying that it's malformed. I've looked through all of the documentation that I can find but nothing will get the request to come across properly https://10.191.136.7/api/?type=config&action=set&key=key&xpath=/config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']/rulebase/security/rules/entry[@name='Test-API']&element=<source><member>10.191.135.66</member></source><destination><member>8.8.8.8</member></destination><service><member>any</member></service><application><member>any</member></application><action>allow</action><source-user><member>any</member></source-user><option><disable-server-response-inspection>no</disable-server-response-inspection></option><negate-source>no</negate-source><negatedestination>no</negate-destination><disabled>yes</disabled><log-start>no</log-start><logend>yes</log-end><description>Testing</description><from><member>inside</member></from><to><member>outside</member></to>

Member Since	‎05-26-2016 07:16 AM
Date Last Visited	‎02-24-2026 02:19 PM
Posts	6,520
Total Likes Received	2296

Online Status	Offline
Date Last Visited	‎02-24-2026 02:19 PM

Unlock your full community experience!

About BPry