This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

About markus.wissgott

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.
markus.wissgott
‎04-05-2024
since ‎09-26-2017
L2 Linker
User Activity
User Profile
Latest posts by markus.wissgott
View All
My Liked Posts
View All
User Badges
Community Statistics
Member Since ‎09-26-2017 08:22 AM
Date Last Visited ‎04-05-2024 01:26 AM
Posts 19
Total Likes Received 2

Re: show counter interface management multicast packets dropped

by in General Topics
‎10-04-2018 04:35 AM
‎10-04-2018 04:35 AM
or maybe there are devices in the network with ipv6 enabled. ipv6 uses multicast (no broadcasts). if the mangement interface had no ipv6 configuration enabled it will probably drop those ipv6 multicasts. ... View more

Re: PA-3020 vs PA-850

by in General Topics
‎10-04-2018 04:19 AM
1 Kudo
‎10-04-2018 04:19 AM
1 Kudo
We are in the same situation. So if you had no issues with the PA-3020 and the performance limitations (like max sessions and througput) it can be an option to look at the PA-850. But the PA-850 is weaker in some points:   New Connections per second: 50.000 (3020) vs. 9.500 (850) - huge difference if you ask me Maximum session: 250.000 (3020) vs. 197.000 (850) - big difference if you ask me Security Rules: 2.500 (3020) vs. 1.500 (850) - big difference if you ask me, i mean 1000 rules more at the PA-3020 And it goes down the hole datasheet. The only points the PA-850 is better, in my opinion, is USER-ID Mapping in the Dataplane and SSL Decryption Performance (except for HSM Support).   If you didn't made it yet, take a look: https://www.paloaltonetworks.com/products/product-comparison.html?chosen=pa-3020,pa-850   So if your envirement is in this performance area maybe a PA-850 can work. But as i say, we are in the same situation right now and we are going for the PA-3220. But this is because we need more performance now. ... View more

Re: Static NAT between virtual routers

by in General Topics
‎10-04-2018 03:58 AM
‎10-04-2018 03:58 AM
I dont know it exactly, but maybe this link can help. It is about NAT between 2 vsys with 2 VR's. Not exactly your setup but maybe you can get some infos. https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CldgCAC ... View more

Re: show counter interface management multicast packets dropped

by in General Topics
‎10-04-2018 03:25 AM
‎10-04-2018 03:25 AM
there are no packets listed where i can see multicast. but your filter will only capture packets where 192.168.1.10 is involved (i guess its your local management ip of your pa-220). so if there is multicast which is dropped (not answered by your pa) you would never see it with your packet filter (host 192.168.1.10).   the traffic i can see for now is only arp with your gateway (192.168.1.20) i guess and dns traffic with the name server. thats ok. ... View more

Re: show counter interface management multicast packets dropped

by in General Topics
‎10-01-2018 04:34 AM
‎10-01-2018 04:34 AM
@MP18you can do a packet capture on the mangement interface and find it out.   https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CleECAS   Didn't know it exactly which type of packets this counter hits, but maybe your management interface have a list of permitted ip addresses in the config and these packets came from devices not on the list?!? ... View more

Re: Decryption with Wildcard SSL-certificate?

by in General Topics
‎10-01-2018 03:20 AM
‎10-01-2018 03:20 AM
And you are sure, that your server didn't use any unsupported ciphers?? Check it here: https://www.paloaltonetworks.com/documentation/global/compatibility-matrix/supported-cipher-suites And check it on your servers or the best way is to take a packet capture and analyse the ssl handshake to see if there are any unsupported ciphers in use.   For a quick check use the global counters. Here is an article that maybe help:   https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cle3CAC       ... View more

Re: Decryption with Wildcard SSL-certificate?

by in General Topics
‎10-01-2018 01:10 AM
‎10-01-2018 01:10 AM
Ahhh, ok. For inbound i think it will work. I can check it on a Lab Unit the next days if you want? ... View more

Re: IPSec and DHCP relay

by in General Topics
‎09-28-2018 08:54 AM
‎09-28-2018 08:54 AM
There Are No Technical Solutions to Human Problems. Sorry. Maybe the Cloud Provider support IPv6 and IPv6 Autoconfiguration on his Gateway in the local Network?   And what do you mean with "to let the provider host it." ?? The Provider should not Host a VM Palo Alto or a DHCP Service? ... View more

Re: IPSec and DHCP relay

by in General Topics
‎09-28-2018 08:43 AM
‎09-28-2018 08:43 AM
Ok. As i know, it isn't possible because your setup is a Layer 3 VPN. DHCP works on layer 2 and even if your Cloud Provider offers a Layer 2 Tunnel like GRE, it isn't possible to terminate the Tunnel with a Palo Alto Networks Firewall.   my advice: 1. You need a DHCP relay agent in the local subnet of your clients (or a dhcp server). Maybe the Gateway of your Cloud Provider can do it? Ask him.   OR   2. You could run a Palo Alto VM in the network of your Virtual Desktop Clients and use it as a DHCP Relay Agent or DHCP Server   OR   3. static ip adress.... (depends on your setup and your pain...) ... View more

Re: IPSec and DHCP relay

by in General Topics
‎09-28-2018 08:17 AM
‎09-28-2018 08:17 AM
What exactly do you mean with "be used by an IPSec tunnel" ?? ... View more

Re: SSL cert mgt-Chrome issues

by in General Topics
‎09-28-2018 08:11 AM
‎09-28-2018 08:11 AM
Some Browsers like Chrome have their own Certificate Stores. You have to import the CA Certificate into the Chrome Certificate Store as a Trusted CA. Some Browsers with own Certificate Stores can be configured to use the local Certificate Store of your Machine. But i dont know at the moment if or how it is possible with Chrome. ... View more

Re: block all video streaming with palo alto PA-850??

by in General Topics
‎09-20-2018 02:45 AM
1 Kudo
‎09-20-2018 02:45 AM
1 Kudo
okay, this will be hard, likly impossible as i can see. can you tell me why you want to do that? ... View more

Re: Decryption with Wildcard SSL-certificate?

by in General Topics
‎09-20-2018 02:28 AM
‎09-20-2018 02:28 AM
@pivvre ok maybe i dont get it. you talking about outbound decryption, but between two internal zones? can you tell me where is the wildcard certificate installed? on the server you which to connect to, right? if so, this normally could be possible to decrypt if: - you have an ca certifiacte installed and checked it under certificates as your trusted forward certificate (as vsys_remo mentioned) - you have an adequate decprytion rule for your "outbound" connection, where "outbound" means from one zone to the other - the server is using a protocol (no proprietary encryption) and cipher suite which is supported by your PANOS Version (https://www.paloaltonetworks.com/documentation/global/compatibility-matrix/supported-cipher-suites) ... View more

Re: Decryption with Wildcard SSL-certificate?

by in General Topics
‎09-19-2018 07:39 AM
‎09-19-2018 07:39 AM
is it possible to tell me the url? and which one do you want to decrypt or not to decrypt?   short answer: it will decrpyt. but if you want to exclude a specific host / subdomain, there could be a problem. you also need to look at the decryption rule. ... View more

Re: block all video streaming with palo alto PA-850??

by in General Topics
‎09-19-2018 07:10 AM
‎09-19-2018 07:10 AM
Are you sure, that you got a valid url filter licence on your PA? If so, are you logging the sessions of that security rule, where your url filter policy is active? ... View more
Register or Sign-in
Contact Me
Online Status
Offline
Date Last Visited
‎04-05-2024 01:26 AM
Latest Tags
No tags yet
Likes From
View All
LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks