About aleksandar.astardzhiev

aleksandar.astardzhiev · ‎10-02-2020

Hi @FarzanaMustafa , I believe you are confusing HA path monitor with static route path monitor. https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/networking/static-routes/static-route-removal-based-on-path-monitoring.html The purpose of HA path monitor is to trigger failover, to the other member in the cluster, in case that FW detect issues in the path from the active member. As you can imagine, if you don't have HA enabled...there is no failover, so what would be the purpose to monitor the path at all. Static route path monitor can be configured for each static route. Its purpose is to de-activate the static route in case of issues with that path. This has nothing to do with HA, so if the path is down FW will simply deactivate that static route so the traffic can take next best match in the routing table. P.S now that I re-read your question - I was thinking that you may refer to the failover loop. So what is happening is when you configure HA and enable path monitor the active FW will ping select address in order to detect issues in the path. If the ping is down the FW will think that there is some issues with the path and will failover to the secondary member. As you may know the passive FW in PAN cluster will keep its routing engine "disabled". This means that passive FW is not capable of sending or receiving any traffic over it dataplane interfaces. Which means when FW is in passive state it cannot send ping to test the path. So when secondary member become active only then it start sending ping to test the path. And here comes your failover loop - if the problem is not in the FW connection, but somewhere down the path, both members in the cluster will not be able to ping the provided ip. Unfortunately each member will discover this only when become active. So you will have 1. Path monitor on primary goes down. 2. Primary failover to secondary 3. Secondary start sending ping for path monitor 4. Path monitor on secondary member goes down (since the problem is at the next hop) 5. Secondary failover back to primary 6. Primary start sending pings for path monitor 7. There is still issues with next hop so path monitor from primary goes down 8. Primary failover to secondary This can keep going on and on. That is why PAN FW has failover loop prevention, which is basically a counter that is counting how many times there was failover for given period of time. When the count reach the configured limit one of the member move to suspended state, that way the currently active member will remain active even if the path monitor is still down. And that is how HA path monitor can cause "loop condition" aka failover loop. However still you need to have HA enable to have failover loop.

aleksandar.astardzhiev · ‎09-30-2020

Hey @FWPalolearner , I understand that you use loopback for GP portal and gateway and use NAT to translate the public to the loopback. I still don't understand why you do this way instead of use the eth1/1 in the GP portal and gateway on first place. But let discuss the other point - "But I can still create a gateway with same loopback" even if you somehow manage to use same interface/ip on multiple gateway you should receive error during commit. Think about it - all comes done to sockets, creating GP gateway will create TCP socket which FW will listen for connections. Sockets consists of ip and port and you can have different services/application on different combination of ip and port. If you create second GP gateway you need to create second socket and since you cannot use different port (always using the standard port for SSL or IPSec) the only part you can change is the ip. Assigning same int and ip to both GP gateways will try to create two exactly the same sockets which will generate commit error. And the same concept for the sockets apply for your NAT rules. I assume that you have NAT rule says "any public source to dest x.x.x, nat to any public source to dest 192.168.1.75". If you create second NAT rule similar to above, but with dest 192.168.1.76, the second nat will never hit (because the first math will be applied). Again you can play with ports as GP doesn't allow you change default ports, so the only way for the fw to apply the different nat rules is to use source ip address as matching criteria, but this defied the purpose of remote access vpn, because you will need to know from which public ip will the users connect.

aleksandar.astardzhiev · ‎09-30-2020

Hey @FWPalolearner , If you want to have separate gateway you definitely must use different IP, because you cannot have more than one GP gateway (or portal) on same interface. But I would suggest to think for a moment if you really gain any benefit separating users into zones: 1. You already separate users based on user groups and assign different IP pools. Even that both type of users (internal and partners) are coming from same zone you still can use source user group and source ip to granular control over the user access. 2. If you worry about restricting access between VPN users (partner user connected to vpn to reach internal vpn user), I am not 100% sure at the top of my head, but I believe you can simply configure explicit intrazone rule to control the traffic between users. Again even that all users are associated with same zone you still have other methods to differentiate between them.

aleksandar.astardzhiev · ‎09-30-2020

Hey @FWPalolearner , From your explanation I don't believe you will need the second portal/gateway/loopback/tunnel. 1. Create new DNS record for external.connect.it to FW public x.x.x.x 2. Under the current portal create two "agent" configs based on user group, one for internal and one for partner users. 3. In first config set for external gateway "internal.connect.it", and for second agent config set "external.connect.it" 4. Under the current gateway create two client settings based on the two user groups (gateway -> agent -> client settings). 5. Under each client settings configure IP pool. Important note here is that you must not use Client IP Pool (gateway ->agent -> client ip pool). On this tab you define one single IP pool for all connected users, no matter which user group they are. To be able to configure different ip pool for each user group you must remove any config from client ip pool tab and put it under the client settings And that should be enough. If you think for a moment only difference between the two "portals" is the FQDN that users are using, which really doesn't matter as long as you have a valid certificate to cover both addresses. Everything else should be standard user group based separation which you can accomplish with single portal and gateway.

aleksandar.astardzhiev · ‎09-30-2020

Hey @MrWonderful , I was asking because most of the physical devices have dedicated ports for HA1 and HA2, so you don't actually need to allocate dataplane interfaces for HA with command like this: set network interface ethernet ethernet1/3 comment "Reserved for HA1" ha set network interface ethernet ethernet1/4 comment "Reserved for HA2" ha It seems only the smallest PA-220 doesn't have dedicated ha port - https://www.paloaltonetworks.com/products/product-comparison?chosen=pa-220,pa-850,pa-820 So if you use something bigger than that you should use those. Sorry if you already have done that, but from the above replies I understand that you are struggling with allocating eth1/1 and 1/2 as HA links

aleksandar.astardzhiev · ‎09-29-2020

Hey @Abdul-Fattah , You are absolutely right... I forgot about the authentication sequence, thanks.

aleksandar.astardzhiev · ‎09-29-2020

Hey @FWPalolearner , You can setup both DNS records to resolve to same IP, but: - First you need to apply wildcard certificate on the portal or use certificate with SAN (subject alternative names) - Even the users are pointed to different addresses they are still ended on the exact same portal, so they will be prompted with exact same authentication. This really annoys me with GP portal, there is no way to use multiple authentication realms and provide a way for the user to select/navigate to required auth realm. So as long as you will use the same authentication type (LDAP, radius, etc) for all users (external and internal) you should be fine using two DNS records pointing to the same ip and having one portal. The important think here is the SSL certificate that will be used for the portal - either it must be wildcard (to match both urls) or it must list both in SAN (subject alternative names). Your really don't need two gateways. You can use same gateways for both external and internal users, and using user group to apply different settings. The problem is again with the address, however during GP portal config you can specify different gateway addresses for each user group. So you can actually the exact same DNS records that you are using for the portal. And for the GP gateway you need to use the same SSL certificate (either wildcard or with SAN)

aleksandar.astardzhiev · ‎09-29-2020

Hi @FWPalolearner , I suggestion is to always avoid multiple ip address on same interface like you would avoid a plague/covid. I cannot claim I have deploy lots of GPs, but I haven't yet saw a real need to configure multiple portals on single device, so I will try to avoid such setup as well. As @Abdul-Fattah mentioned you can provide single portal and once the user authenticate you can have group/user base separation (have different ip pool, dns, access etc for each user group). This would be the easiest way to have complete separation between internal users and contractors/3rd-party. The problem with this approach is that both type of users will need to use same authentication type. You can use different domain for user authentication, but the the type (LDAP, RADIUS, etc) must be the same for both (if you use mfa over radius you can be creative, but it is up to the mfa and not the fw). And as you can imagine both type of users will use the same vpn address. If you really want internal users to use one address and contractors/external user to use completely different address - the only way to achieve this is to have second portal/gateway. As mentioned I would avoid secondary IP, instead I would recommend to use loopback (configure loopback with public ip, put it in untrust/outsie zone and use it for the gp portal and gw). The only benefit I can think of is that you can apply different authentication type for each user group, so it is interesting for me to understand the reason why you need separate addresses

aleksandar.astardzhiev · ‎09-29-2020

Hi @MrWonderful , I want to go a step back, what device module are you deploying? Is it physical device or it is virtual one?

aleksandar.astardzhiev · ‎09-29-2020

Well @MrWonderful , You can still use the Expedition tool to do the bulk work and convert all network objects and apply them on the new firewall. That way you can configure the rules one by one manually. I would still suggest to to use Expedition for the rules, adjust the rules (replace known ports with applications, remove unused rules etc), generate set commands and apply them on the new FW manually.

aleksandar.astardzhiev · ‎09-27-2020

@Rievax , Well the captive portal will "enforce authentication for internet users" as per your requirements. Why is this not option for you?

aleksandar.astardzhiev · ‎09-27-2020

Hi @Jimmy20 , As @MP18 briefly explained - no, your setup is not sufficient to trigger failover. You have two "components" - to define conditions for the failover and to tell the firewall to use these conditions for failover. From the image you provide you have enabled the link and path monitor, but you have not configured any conditions, no interface to monitor. It is good to mention the purpose of both link and path monitor. Link monitor will trigger failover if there is an issue with firewall interface, either if you disconnect it or there is no physical signal over the connected cable. Path monitor go beyond just looking at the physical state of your interfaces. With path monitor firewall will try to ping provided IP address trying to confirm that all three layers are up and running (imagine you have virtual fw, its interfaces way never go down, but there is not connectivity with its directly connected router, link monitor will not work here, but rather path monitor). Link Monitor gives you very granular control over the condition when to trigger failover. If you notice you need to configure "Link group" in which you can group the physical interfaces in your interest. You need to select group failure condition, this means how many of the interfaces in the group needs to be down to consider the whole group as down. You can have multiple groups, so that is why you have "global" failure condition where you need to tell how many of your groups needs to be marked as down to trigger failover. How to group your interfaces and how to select the group and global failure condition depends on your setup.

aleksandar.astardzhiev · ‎09-26-2020

Hi @jlieberman , I finally understand what is the problem with the FQDN object. It seems that DNS return different IP addresses every time a request is sent. I was going to suggest to use some script that is reading all 500+ server and providing EDL, but I didn't manage to find the full list of addresses so I am not sure of the effort will worth it.

aleksandar.astardzhiev · ‎09-24-2020

Thanks @jlieberman , I was not aware of this change, I will have it in mind. The only other reason I have experience is if the firewall is in active-passive HA and the secondary member is not able to connect to the cloud via the service route as it doesn't have running routing engine. Have you tried to confirm to run some captures to confirm bi-directional connectivity to the cloud? First check with capture that you see DNS requests and replies. Based on the DNS reply run capture with returned cloud ip and check what traffic is generated. Most probably it will be SSL but at least you can confirm that you have basic TCP connectivity.

aleksandar.astardzhiev · ‎09-24-2020

Hi @GN_ROS , You can also use "set cli config-output-format set" under the Panorama (https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClHoCAK ) After that just show the template assigned on the device in question. Piping the output to "match eth1/9" you should receive of the commands that this interface is referring to. Copy the relevant lines, edit them in text editor to use the new interface and just paste the edited command to the panorama Modified set commands should simply replace the current entries (static route, GP, peers etc. everything is referred with name and can have only one interface). You probably will need to put the command in the proper order and of course manually remove the ip address from old interface (panorama will give you error if you try to put same ip on both interfaces)

Member Since	‎08-01-2017 11:18 PM
Date Last Visited	‎12-22-2025 12:06 AM
Posts	1,077
Total Likes Received	448

Online Status	Offline
Date Last Visited	‎12-22-2025 12:06 AM

Unlock your full community experience!

About aleksandar.astardzhiev