This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
Buy or Renew
Buy or Renew

About mario11584

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
mario11584
‎03-13-2018
since ‎11-30-2012
L4 Transporter
User Activity
User Profile
Latest posts by mario11584
View All
My Liked Posts
View All
User Badges
Community Statistics
Member Since ‎11-30-2012 09:41 AM
Date Last Visited ‎03-13-2018 02:25 PM
Posts 151
Total Likes Received 13

Adding a Custom Application/Ports to Security Policy

by in General Topics
‎10-01-2013 04:05 PM
‎10-01-2013 04:05 PM
Maybe my thought process is wrong so I am hoping somebody can set me straight. I have a few non-standard ports that need to be opened on the firewall. They don't belong to any application so I need to allow the ports. What I have done is created custom applications with basically just a name and the ports used (no signatures). I created an application override for these custom applications as well. I then added these custom applications to the security policy along with other known applications that need access. Is this the best way to open a port on the Palo Altos? ... View more

Re: DNS Proxy Errors

by in General Topics
‎09-30-2013 01:06 PM
‎09-30-2013 01:06 PM
Any ideas on how to resolve the issue? Palo Alto support is suggesting some type of vulnerability and traffic is being cut off. I don't see anything, at all, in the threat logs. It's suggested I remove the vulnerability profile from the security policy DNS traffic is using but if the threat logs don't show anything it doesn't seem like that would do the trick. Plus, I would be opening my network up to vulnerabilities. I would create an exception before completely removing a vulnerability profile. ... View more

Re: DNS Proxy Errors

by in General Topics
‎09-24-2013 10:12 AM
‎09-24-2013 10:12 AM
Tail lines shows the following around 3:10 on 9/24: Sep 24 02:57:21 Error: pan_dnsproxyd_recv_server_udp_cb(pan_dnsproxy_udp.c:487): [Drop Rcvd Server Pkt]: Error in processing packet Sep 24 04:21:52 Error: pan_dnsproxy_process_server_pkt(pan_dnsproxy_pkt.c:1320): [9951/-][Drop Rcvd Server Pkt]: No pending entry in conn tbl for server_tid:9951 Sep 24 04:21:52 Error: remove_conn_tbl_entry(pan_dnsproxy_pkt.c:284): conn_tbl[9951] entry is already freed! Sep 24 04:21:52 Error: pan_dnsproxyd_recv_server_udp_cb(pan_dnsproxy_udp.c:487): [Drop Rcvd Server Pkt]: Error in processing packet Sep 24 04:21:54 Error: pan_dnsproxy_process_server_pkt(pan_dnsproxy_pkt.c:1320): [5461/-][Drop Rcvd Server Pkt]: No pending entry in conn tbl for server_tid:5461 Sep 24 04:21:54 Error: remove_conn_tbl_entry(pan_dnsproxy_pkt.c:284): conn_tbl[5461] entry is already freed! Sep 24 04:21:54 Error: pan_dnsproxyd_recv_server_udp_cb(pan_dnsproxy_udp.c:487): [Drop Rcvd Server Pkt]: Error in processing packet Sep 24 04:38:40 Error: pan_dnsproxy_process_server_pkt(pan_dnsproxy_pkt.c:1320): [20840/-][Drop Rcvd Server Pkt]: No pending entry in conn tbl for server_tid:20840 Sep 24 04:38:40 Error: remove_conn_tbl_entry(pan_dnsproxy_pkt.c:284): conn_tbl[20840] entry is already freed! Sep 24 04:38:40 Error: pan_dnsproxyd_recv_server_udp_cb(pan_dnsproxy_udp.c:487): [Drop Rcvd Server Pkt]: Error in processing packet debug shows "no pending connections". I tried to initiate connections but I received the same results. ... View more

DNS Proxy Errors

by in General Topics
‎09-24-2013 08:28 AM
‎09-24-2013 08:28 AM
We have a remote office using a PA-200 in the middle east. I configured it to use DNS proxy with caching to lower the time for resolution over the VPN tunnel back to our corporate DNS servers in the US. We also have intermittent disconnects due to the unreliable internet connection there and this seemed to help eliminate some of the complaints of network connectivity problems. At any rate, I am receiving possibly thousands of errors in the system logs related to DNS proxy. Here is just 3 lines of it: Here is a screenshot of my config. I also have a bunch of static entries under that tab and nothing under proxy rules. It seems that things are resolving fine, however. From a Windows 8 VM, configured to use the DNS proxy only doesn't seem to be having any problems. Any thoughts? ... View more

Re: Applications in PBF

by in General Topics
‎09-16-2013 07:49 AM
‎09-16-2013 07:49 AM
Thank you, that makes sense to me. Thanks for the help. ... View more

Applications in PBF

by in General Topics
‎09-13-2013 01:28 PM
‎09-13-2013 01:28 PM
Correct me if I am wrong but I should be able to filter traffic in a rule based on applications, correct? I am trying to create a PBF that will route traffic for one specific IP address using google-docs-base but I can't get this application to show up in the drop down list. It looks like it has a few of the more common applications but not the entire list. When I type it in to search it can't find it. I looked at this older doc Using Applications in PBF but it didn't help me out. Any thoughts on what I am doing wrong? ... View more

Re: LDAP 389 Group Mapping

by in General Topics
‎07-12-2013 10:38 AM
‎07-12-2013 10:38 AM
Thanks for the reply. I guess I am little confused. What are you saying should be in the Group Objects Group Member field? uniqueMember or attribute name? When I expand uniqueMember, in that same column (Attribute Description) it lists uniqueMember for each user. Under the Value column it lists each user in the following format "uid=username,ou=People,dc=company,dc=com". Also, why would objectClass=goupOfUniqueNames go in the Search Filter field? Wouldn't it go in the Object Class field? Also, what about Group Name? Attached is a screenshot of my user which resides in the VPN group. Thanks again for your help. ... View more

LDAP 389 Group Mapping

by in General Topics
‎07-11-2013 03:20 PM
‎07-11-2013 03:20 PM
I am attempting to configure Global Protect to authenticate with our LDAP server. We are an all Linux shop and we are using LDAP 389, which is very similar to OpenLDAP (this is what I was told anyway, I am not much a server guy and don't manage this server). We would like just one specific group and the users assigned to that group to be allowed to authenticate. To do this we have attempted to setup a group mapping but we're having a heck of a time coming up with the right filters, object classes, etc. to get this to work completely. Does anybody have experience with this LDAP server that can throw me a bone? I've worked with Palo Alto support and they have worked diligently to help me figure it out but they haven't had much luck either. I pulled up the group (vpn) using an LDAP browser and attached a screenshot of the details. Currently I have the following configured under Group Objects: Search filter: (empty) Object Class: top Group Name: cn Group Member: vpn User Objects: Search filter: (empty) Object Class: top User Name: uid With these configs I am able to see the groups listed under the Group Include List and add it to the Included Groups, which allows me to add it to the allowed users list under the authentication profile, however I am unable to authenticate when testing. System logs show the user is not in the allowed user list. When I use the show user group list command in the CLI it shows me the group I want to add. When I use the show user group name "groupname" command to see all the users in the group it doesn't show me the users. It just shows me the groups short name, source type, and source. It seems like the group is queried but not the users. Any thoughts? ... View more
Labels:

Re: Avaya 9611G/4610SW VPN to PA-500

by in General Topics
‎07-03-2013 01:33 PM
1 Kudo
‎07-03-2013 01:33 PM
1 Kudo
Well, I finally threw in the towel. After many days (probably more like weeks) of troubleshooting and testing we just decided to purchase a firewall from a different vendor. From firewall install to working phone was about 3 hours. Too bad I couldn't get this working on Palo Alto, that's one of the reasons we bought them. Thanks to those who offered help. ... View more

Re: Scheduled reboot of device

by in General Topics
‎06-25-2013 12:44 PM
1 Kudo
‎06-25-2013 12:44 PM
1 Kudo
Agreed, the current process is very difficult. Wouldn't it mean more to PA if the request came directly from the customer and not through a PA employee? Why do all services require a middle man these days? ... View more

Re: Avaya 9611G/4610SW VPN to PA-500

by in General Topics
‎06-18-2013 07:50 AM
‎06-18-2013 07:50 AM
Thanks for the response and the help. That's good to hear you have some working. I was beginning to think it wasn't possible. We are using the 9620L model. I changed the Encapsulation to 4500-4500 as you suggested. It wasn't previously set that way though. Didn't seem to do the trick unfortunately. The firewall shows me the error I have attached. I am not sure how to configure the KeyID in the PA's Global Protect configurations to match the phone. How did you handle that? ... View more

Re: Avaya 9611G/4610SW VPN to PA-500

by in General Topics
‎06-17-2013 02:16 PM
‎06-17-2013 02:16 PM
I've thought of doing this but building an IPSec tunnel for each remote user would be unmanageable. This is why we have been attempting to go the GlobalProtect route, but I'm losing hope that it will ever work. The firewall is trying to match a KeyID. The Avaya seems to be sending this KeyID to the PA and I think the PA isn't sure what to do with it. I don't configure a KeyID on my Mac when setting up a VPN or within the GlobalProtect software, so I think this is more of an issue with how Avaya manages the connectiong and not the Palo Alto. ... View more

Re: Avaya 9611G/4610SW VPN to PA-500

by in General Topics
‎06-11-2013 03:49 PM
‎06-11-2013 03:49 PM
To date have you been able to successfully connect? My problem seems to be with the "SET NVIKEIDTYPE". The PA logs show a mismatch key ID when my Avaya phone tries to connect. Where is that configured on the phone and more importantly, within Global Protect? Is it possible? I know where in an IPsec tunnel. It's kind of disappointing that phones that are so widely used like Avaya are not supported on these firewalls. I'm hoping these posts and thoughts will help others successfully connect so the knowledge can be shared. ... View more

LifeSize

by in General Topics
‎06-05-2013 08:08 AM
‎06-05-2013 08:08 AM
Anybody by chance have a signature for LifeSize? I added it to the applications list with just the ports used and generic categories but without a signature but it doesn't seem to be working. I thought before I dug into making my own signature I would find out if anybody has one already before I re-invent the wheel. Thanks! ... View more
Labels:

Re: ACE Exam - PAN-OS 4.0

by in General Topics
‎05-31-2013 12:43 PM
‎05-31-2013 12:43 PM
Read through the admin guide several times and any documentation the admin guide refers to. I say it was harder than the CCNA because with the CCNA you can find material to study that covers all topics in one source, like a good CCNA textbook. There is also a clear cut list of exam topics. Good luck finding this with Palo Alto exams. There are several questions on the exam I could not find a clear answer for anywhere, not even from the admin guide. Basically, the correct answer to those questions come from personal experience. ... View more
Register or Sign-in
Contact Me
Online Status
Offline
Date Last Visited
‎03-13-2018 02:25 PM
LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2025 - Palo Alto Networks