About Brandon_Wertz

@WJLennon wrote: There is such rich data stored in this tool, is there way to generate a network diagram? I need to have up-to-date network diagrams for SOX and PCI audit every year.  It would be awesome to have a diagram generated that I could review/update and then hand over to auditors. It would also be helpful during production issues to quick overviews of my systems. The firewall (strata) platform will not natively diagram at your network.  However, a new feature (license) IoT Security might give you a diagram of sorts you could look into that.  Though I'm not exactly sure even that will give you what you're looking for. ... View more

Turned off Zone Protection Profiles on both the LAN and GlobalProtect zones....up to ~200mbit on connections now. Going to work more with PA Support to see what might be going on. Not opposed to going to 11.1. We're not doing anything crazy on our device. ... View more

Yeah I'm skipping 11.0 all together.  Still have most on 10.1.X with only 3400s running 10.2.  I'll be pushing our 10.1.X to 10.2.X here in October.  Then ridding 10.2.X until EOS around Jun-25 just before EOS in Aug.  Hopefully by then 11.1.X will be stable for an enterprise at which point I'll upgrade 110+ firewalls to 11.1.X.   It's a real balancing act trying to find the "right" stable code, but we usually run older code, we hit too many service impacting bugs.  (We actually hit a MD5 hash collision on a commit once.  2 URL profiles ended up having the same MD5 hash upon a commit.  That's how unlucky we are)  ... View more

Yeah the reason git-base is there because PAN-OS was telling me one of the applications I am allowing is based on it so I added thinking it would allow it over 443.  It did not.      In the end I specified service over ports 80/22/443 and it appears to be working over 443 now.   My assumption is that it will allow those applications over those ports to those destination IPs.  We don't decrypt so I believe this is the only way to do this correctly.       ... View more

@jeffrowan wrote: Hello,   I'm planning to remove some older Juniper MX routers from the network edge and move the BGP peer configuration to an Active/Passive pair of 5410s.  There are two ISPs.  For now I'm just hoping to replicate the Juniper setup on the PAs.  Right now the PAs statically route traffc to the Juniper where the BGP peers are configured.   I want to make sure I have all the necessary settings replicated and figure out if I can pre-configure the BGP peers on the PA before cutting over, without breaking the current routing.  If anyone has done a similar transition with BGP and has any suggestions, it would be much appreciated.   Thanks! Setting BGP up in Palo...less is more.  When you start to configure export/import/redistribution profiles means the firewall will do only what you configure.  If you configure none of this then Palo will share everything.   Take the time to review all areas of the BGP config.  There is 10+ areas availble when setting BGP up, so don't overlook all the config options.   Also be sure to enable ECMP if your 5410 will be connecting to 2 upstream or downstream routers at the same time (and you want both to be active/active) ... View more

@Sanjay_Ramaiah wrote: Thank you both for the help 🙂 So this will not even let the Portal authentication attempt as well.   If you're wanting to block GP VPN access from these regions then I would use the region as the source and your GP portal/gateway IPs as the destination with a deny action.  No need to call out any specific application.  Doing this will prevent anyone from that IP space associated with that geographic region from reaching your environment.  ... View more

The best way to test true throughput is to download and run "openspeedtest" on a server on the same switch or local LAN with your firewall.  It will setup a speed test page on any server or workstation and the user just hits the start button.  That will give you actual speed between the client and local server cutting out all other delays.   The link below will take you to the windows version of the download page they also have versions for different operating systems.   We use this to test speed instead of IPERF3 now.  Works great and any user can figure it out.   https://go.openspeedtest.com/Win   ... View more

Setting the interface to up disables auto-negotiation.  I thought that might be the issue.  The interface is down because of no link, not lack of traffic.  It looks like @Brandon_Wertz has the best solution. ... View more

Here is the CVE advisory published today - https://security.paloaltonetworks.com/CVE-2024-3661 ... View more

Hey @Brandon_Wertz , thank you again, took off some time today to try this out, as I was very curious.    Here are the screenshots if you would still be interested in landing me some more insights  :    Below are the results of a ping from branch fw 172.28.89.252 to a natted host behind main fw, 172.28.89.248   Logs from Main FW (172.28.89.254). As you can see the ping arrives well through the tunnel. And below the wireshark results on the natted host 172.28.89.248, with the infamous no response found icmp packets even with ECMP enabled on both sides quite unfortunately :   For completeness sake here are the related routes left in my VR configuration on Main FW ... technically you can disregard the last 2 routes, they are remainings from previous tests, only the first one really matters in this.  And VR on the branch FW looks like this:  As a side note the packet wouldn't reach branch FW without the last explicit route ... Strange.   Both sites have ECMP enabled on their VR like so :    Any suggestion ? 😇       ... View more

Hi @BPry  The logging and reporting is set to Max.   Regards Satya Kalyan. ... View more

Thanks for the info, I appreciate it. ... View more

https://docs.paloaltonetworks.com/advanced-threat-prevention/administration/configure-threat-prevention/configure-inline-cloud-analysis#idcf1fc426-b522-4e84-9098-ac82f2d784ae has region specific cloud connection FQDN's listed in Step 9 under PAN-OS. ... View more

Hi @Warron_F ,   The firewall does not support viewing object names in the monitor traffic. At best, we can resolve hostnames for anything that can be resolved.  ... View more

"Unknown-TCP" traffic from Commvault refers to network traffic generated by Commvault software that is using TCP (Transmission Control Protocol) but is unrecognized or unidentified by the network monitoring system. This type of traffic can occur due to various reasons such as custom configurations, non-standard ports, or unexpected communication patterns. Understanding and scrutinizing this traffic is crucial for network security and performance management, ensuring it doesn't compromise network integrity or impede data backup processes. ... View more