This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

About TomMeadows

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.
TomMeadows
‎10-12-2022
since ‎07-31-2017
L2 Linker
User Activity
User Profile
Latest posts by TomMeadows
View All
User Badges
Community Statistics
Member Since ‎07-31-2017 06:34 AM
Date Last Visited ‎10-12-2022 05:58 AM
Posts 14

Re: test security-policy-match command giving me odd output?

by in General Topics
‎09-30-2020 07:33 AM
‎09-30-2020 07:33 AM
That seems the answer Travis.    I did work this out myself afterwards, by looking at the available command completion options on CLI and noticing the zone information associated with from and to parameters.   I still think a bit odd that Palo Alto Knowledgebase example doesn't use them though.   Thanks.   ... View more

Re: test security-policy-match command giving me odd output?

by in General Topics
‎09-30-2020 07:30 AM
‎09-30-2020 07:30 AM
Rene- you're correct. I did get the wrong protocol number, (you are correct), but I think it was missing zone information that was giving me the incorrect policy. ... View more

test security-policy-match command giving me odd output?

by in General Topics
‎09-22-2020 12:04 PM
‎09-22-2020 12:04 PM
I was trying to work out which security policy applied to traffic through my Palo Alto from 10.77.22.10 (in the trust zone) to 10.99.0.1 Firstly, I wanted to confirm what zone 10.99.0.1 was in using this page : https://alwaysnetworks.co.uk/identifying-which-zone-a-subnet-is-in-on-a-palo-alto-firewall-script/     administrator@CAMPA01(active)> test routing fib-lookup virtual-router default ip 10.99.0.1 -------------------------------------------------------------------------------- runtime route lookup -------------------------------------------------------------------------------- virtual-router: default destination: 10.99.0.1 result: interface tunnel.27, metric 10     I then used this command to find out which zone tunnel.27 is in :     administrator@CAMPA01(active)> show interface tunnel.27 | match Zone Zone: DataCenters, virtual system: vsys1     So 10.99.0.1 is in DataCenters zone However, when trying to find out if users were permitted to 10.99.0.0/16, I referred to this page :   https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cla1CAC with title “how to test which security policy applies to a traffic flow”. So I ran test security-policy-match command as below (where TCP = ip protocol 5).     administrator@CAMPA01(active)> test security-policy-match source 10.77.22.10 destination 10.99.0.1/16 protocol 5 "Allow Trust Out; index: 2" { from trust; source any; source-region none; to untrust; destination any; destination-region none; user any; category any; application/service 0:any/any/any/any; action allow; icmp-unreachable: no terminal yes; }     I was a bit confused, because the command suggested this traffic would be passed via “Allow Trust Out” policy which permits traffic from “trust” zone to “untrust” zone. But destination IP is actually in DataCenters zone instead? Why does it give me this output? I've confirmed that IPsec tunnel that uses interface tunnel.27 is up... ... View more

Re: Source address of PBF Monitor heartbeat ICMPs

by in General Topics
‎02-06-2020 09:29 AM
‎02-06-2020 09:29 AM
Thank you for the response.   If the IP address of the egress interface is used as a source address, then I wonder if I might have uncovered a bug?   Firewall is PA-220 running 8.1.12   We have 2 circuits with user Internet traffic by default going up the backup circuit with an overriding PBF rule to force traffic over the primary circuit.   This PBF rule was monitoring against an OpenDNS server ip (208.67.222.222) with checkbox enabled to disable the rule if that ip was unreachable.   We had a call that users could not access Internet. Upon logging into firewall, we could see backup circuit was down.   However, the primary circuit appeared fine (we were connecting to the firewall remotely over IPsec tunnel over the primary circuit), so we assumed the PBF rule should still be activated.   However, that appears not to be the case, because as soon as we unchecked the "Monitor" checkbox in the PBF rule and committed the change, users were again able to access the Internet.   We then ssh'd into the firewall and tried pinging the OpenDNS server (208.67.222.222) from cli with source address the egress address of the PBF rule. We got ping responses.   So, I'm wondering if a) that OpenDNS server was not responding and just happened to recommence responding as I was commmitting the Monitor check removal or b) it could be a bug?   Has anyone had other odd experiences with monitoring PBF rules? ... View more

PBF Monitor Target

by in General Topics
‎02-06-2020 07:22 AM
‎02-06-2020 07:22 AM
Scenario is dual-ISP scenario using PBF to connect via primary ISP but switch to secondary if primary goes down.   In a Policy Based Forwarding rule in the Monitor section of the Forwarding tab, there are 2 checkboxes: one for Monitoring itself, and the second one labelled "Disable this rule if nexthop/monitor ip is unreachable".   Firstly, what is the point of the 2nd "Disable this rule" checkbox? Why would someone leave it unchecked? If we are monitoring connectivity to an external address, and we can't reach it over the egress interface, would we not always want the PBF rule to disable? What scenario would we not want to do this?   Secondly, if a monitor IP address is added, does the Palo Alto just check connectivity to that address, or also to the next-hop as well? The checkbox label says "disable this rule if nexthop/monitor is unreachable" which is unclear to me.   ... View more

Source address of PBF Monitor heartbeat ICMPs

by in General Topics
‎02-06-2020 04:17 AM
‎02-06-2020 04:17 AM
I have a Policy Based Forwarding related question.   If we have a PBF rule, with Monitoring enabled, and the "disable this rule if next-hop/monitor ip is unreachable" also enabled.   So Palo Alto sends ICMPs to the monitored IP address out of the egress interface defined on the same page.   However, what is the source-ip of these ICMP requests?   Is it always the IP address of the egress interface?   ... View more

Any chance of an Automated Rollback on Palo Alto firewalls?

by in General Topics
‎02-09-2018 04:37 PM
‎02-09-2018 04:37 PM
Hi-   Im familiar with Juniper equipment which all have the option to 'commit confirm' which automatically reverts the config change if a 2nd commit is not made within a certain period (default 10 mins I think).   Its a life-saver if you have to administer remote devices, bbvsince if your change broke connectivity for any reason, in 10 minutes time, your changes get revoked.   I now have to administer a couple of remote Palo Alto systems.   I don't know of any way to automate a rollback in absence of confirmation.   Does anyone know any way to do this?   Does anyone know if this is on the PANOS roadmap?   Thanks   Tom ... View more

Re: QoS issues on dual-ISP setup with differing circuit speeds.

by in General Topics
‎01-22-2018 03:22 AM
‎01-22-2018 03:22 AM
Thanks for all responses.   Reaper. I very much appreciate your detailed explanation, together with screenshots. I wasn't aware you could override the default clear-text profile on a QoS Interface object to differentiate depending on the source interface.   That was exactly what I was trying to do, and I think this will work well for us.   To the other posters:   Otakar - I don't believe our ISP does support QoS tagging. Steve- I think you're describing the same solution Reaper has suggested.   Thanks all! ... View more

QoS issues on dual-ISP setup with differing circuit speeds.

by in General Topics
‎01-19-2018 08:18 AM
‎01-19-2018 08:18 AM
Hi-   We have dual connections and have our Palo Alto set up similar to described in this article:   https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Configure-a-Palo-Alto-Networks-Firewall-with-Dual-ISPs/ta-p/59774   Our primary connection is 100Mbps whilst 2nd is only 10Mbps. Presumably this should involve 2 QoS profiles, one with an "egress max" set to 100, and the other with "egress max" set to 8.   However, although we have dual outbound connections to the ISPs, we only have the single inbound connection from our LAN, and as QoS needs to applied at the ingress , it seems that we can only apply a single QoS profile.   Is there any way we can change QoS profile dependent on which circuit is in use?   At the moment, if we have set "egress max" to 100 and we fail over to the slower circuit, then voice quality seriously degrades (presumably because the Palo Alto still thinks there is plenty of bandwidth to service non-prioritised traffic). ... View more

Re: Port Channels in a Active / Passive VWire Environment

by in General Topics
‎10-01-2017 02:55 AM
‎10-01-2017 02:55 AM
I too would be interested to know if it is possible to use port-channels as a resilience model in an Active-Passive Palo Alto environment. Does anyone do this, or know whether it is possible?   Thanks, ... View more

Re: Is it possible to monitor PBF rule status via SNMP?

by in General Topics
‎09-30-2017 03:28 PM
‎09-30-2017 03:28 PM
Does anyone know if there is  any other way in the Palo Alto world to signal PBF rule status?   Thanks  ... View more

Is it possible to monitor PBF rule status via SNMP?

by in General Topics
‎09-29-2017 07:56 AM
‎09-29-2017 07:56 AM
Hi-   Is there a way I can get our PA-220 to alert our SNMP monitoring system when a Policy Based Forwarding rule fails/activates?   I've set up SNMP on the firewall, added a device entry in our PRTG monitoring system, and set PRTG to automatically detect the device. It has discovered about 40 sensors, but I can't see any that relates to PBF.   We have a problem with a PBF rule failing, and I would like our monitoring screen to display whether this PBF rule is active or not.   Thanks,   T ... View more
Register or Sign-in
Contact Me
Online Status
Offline
Date Last Visited
‎10-12-2022 05:58 AM
Latest Tags
No tags yet
Likes Given To
View All
LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks