This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Enhanced Security Measures in Place:   To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.

About jeremylo

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
jeremylo
‎09-09-2021
since ‎06-27-2018
L3 Networker
User Activity
User Profile
Latest posts by jeremylo
View All
User Badges
Community Statistics
Member Since ‎06-27-2018 11:29 PM
Date Last Visited ‎09-09-2021 06:44 PM
Posts 39

Re: Need some suggestion about the routing between 2 internet outgoing interfaces

by in General Topics
‎01-30-2019 07:36 PM
‎01-30-2019 07:36 PM
hello LukeBullimore, If I set the 2nd data line to higher priority. Will the same problem happen on the 1st data line? In my current settings, user subnet can use the 2nd data line to reach internet. Only the interface cannot. I want to use this interface for send alert email and get PAN-OS update. 1st data line has no service route need. But I still hope it can be ping. ... View more

Need some suggestion about the routing between 2 internet outgoing interfaces

by in General Topics
‎01-29-2019 08:29 PM
‎01-29-2019 08:29 PM
I recently submitted a case to PA support about 1 of the internet facing interface cannot contact outside nor contact from outside. Use ping to diagnostic and found that the ping (request) and ping (reply) use 2 different route ).   This is because the 2 interfaces has its own zone and for different purpose: 1. Staff use the 1st data line, and use the 2nd data line if first one down. 2. Guest use only the second data line. This was achive by NAT and Policy Based Forwarding. The problematic one is the 2nd interface which has the issue of asymmetric routing.   But I setup only 1 virtual router which the static route of 1st data line has its priority higher. This cause the outgoing always use 1st interface, return from 2nd interface.   PA support suggest I merge the 2 interfaces in to the same zone. But I doubt this may violate to the network design mentioned above.   Is there anyway to force the 2nd interface outgoing and incoming always use the same route? ... View more

Re: Cannot contact update server from public IP address interface

by in General Topics
‎01-17-2019 06:58 PM
‎01-17-2019 06:58 PM
Manage to make it work. Require "DNS" and "Palo Alto Networks Services" set to use the outgoing interface. I didn't change "DNS" which was use "Use default" before. Although I can successfully ping (contact) outside from the outgoing interface. I got another problem now. As my PA device has 2 outgoing interface (to 2 modem). The 1 which success is not my preference. The prefer 1 even cannot ping from outside non ping to outside. But I'm sure internal user can use it to access internet. ... View more

Re: Cannot contact update server from public IP address interface

by in General Topics
‎01-17-2019 12:02 AM
‎01-17-2019 12:02 AM
I temporary change the service route config to "Use Management Interface for all". But still cannot ping outside.   The Management interface set as below: IP Address: 192.168.123.123 Netmask: 255.255.255.0 Default Gateway: 192.168.123.254 Speed: auto-negotiate MTU: 1500 Network Connectivity Services: HTTPS, Ping, SSH   Services set as below: Primary DNS Server: 8.8.8.8 Secondary DNS Server: 8.8.4.4 Update Server: updates.paloaltonetworks.com   Security Policy set allow the source zone of management interface to destination zone internet facing interface Monitor Traffic show source 192.168.123.123 to destination 8.8.8.8, application ping and dns are allow. Use the correct rule too. ... View more

Re: Cannot contact update server from public IP address interface

by in General Topics
‎01-16-2019 10:52 PM
‎01-16-2019 10:52 PM
Hello MickBall, The PAN OS version is 8.0.7 Service Route has no "Palo Alto Updates". ... View more

Cannot contact update server from public IP address interface

by in General Topics
‎01-15-2019 12:28 AM
‎01-15-2019 12:28 AM
After click "Check Now" in "Dynamic Updates". Show the error popup as below link https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClkuCAC   The above KB not apply to my case. As I not allow my management interface to reach internet. So I go to customize "Service Route Configuration", and set the Source Address of Service - "Palo Alto Networks Services" and "URL Updates" to be the internet facing interface which assigned a public IP address. Still now work. Although I'm not sure these 2 services is for Dynamic Updates or not.   SSH to CLI. I ping source interface public IP to host www.google.com. Result is unknown host. If change to ping the IP of www.google.com. Result is 100% lost. But webUI Traffic logs show ping allow. That's weird since all internal users go to internet through that interface without problem. But ping source from it result in all packet lost.   Any possible reason cause this problem? ... View more

Re: Site to site VPN help :(

by in General Topics
‎09-06-2018 12:53 AM
‎09-06-2018 12:53 AM
Reason found. The vSRX was faulty. Setup and use the new version vSRX has no problem ... View more

Re: Site to site VPN help :(

by in General Topics
‎08-30-2018 06:32 PM
‎08-30-2018 06:32 PM
Hello. I think I overlook the type of VPN - "Route-based" and "Policy-based". I don't even know I'm using which type. Policy-based require setup "Proxy ID" and I don't have any of it. Found some info in https://blog.webernetz.net/route-vs-policy-based-vpn-tunnels/ Mention that PaloAlto don't support Policy-based VPN. Is that true? ... View more

Site to site VPN help :(

by in General Topics
‎08-29-2018 10:48 PM
‎08-29-2018 10:48 PM
Unable to make VPN work. Both "IKE Info" and "Tunnel Info" are red light in IPSec Tunnel. The peer is a Juniper vSRX. Normal configuration with trust, untrust and VPN zone in both firewall. Each zone has its own subnet. Both firewall can ping each other untrust interface. Workstations behind the firewalls can ping firewall's untrust interface too (default route + source NAT) Security policy for VPN zone to VPN zone set to allow any.   debug ike gateway and tunnel were on ikemgr.log show "SA dying from state INI_IKE_SA_INIT_SENT, caller ikev2_abort"  after 10 times retry.   test and show vpn ike-sa gateway show State: "INIT send <= Idle <== Idle <== Idle" reason: ikev2_initiator_start I think this is what SA keep trying.   I have no idea how to solve this.      ... View more

Re: How to use Aggregate interfaces LACP?

by in General Topics
‎08-02-2018 06:36 PM
‎08-02-2018 06:36 PM
Thanks BPry and JoeAndreini. In my production environment. The PA device will place between 2 x Juniper SSG140 (formed in HA) and 1 x Cisco 2960 switch like below:   internal <--> 2960 <--> PA <--> 2xSSG140(HA) <--> internet   My plan is 1. Aggregate interfaces connect to 2 ports in 2960. 2. Aggregate interfaces with eth1/1 connect to 1st SSG140. eth1/2 connect to 2nd SSG140.   Do you think LACP is going to work with those network device?  ... View more

How to use Aggregate interfaces LACP?

by in General Topics
‎08-01-2018 11:27 PM
‎08-01-2018 11:27 PM
Testing a PA-220. Create an Aggregate group with 2 interfaces. Both interfaces connect to an unmanaged D-Link switch. And it connected to the company network. The aggregate interface can up when LACP is not enable. After enable LACP. It down and hover the mouse on it show below info:   ethernet1/2: not active (negotiation failed) ethernet1/1: not active (peer not detected)   Is there any prerequisite to use LACP? ... View more

Re: Interconnect between layer 3 and layer 2 interface possible?

by in General Topics
‎07-16-2018 07:36 PM
‎07-16-2018 07:36 PM
Hello Otakar, In pan-os 8. I can't select a layer 3 interface when create VLAN ... View more

Re: How security policy - intrazone works?

by in General Topics
‎07-15-2018 06:35 PM
‎07-15-2018 06:35 PM
@JoeAndreini wrote: You could segregate traffic within the same subnet using L2 or vwire interfaces and inspect the traffic using intra-zone rules. Hello JoeAndreini, This seems impractical. I'll have huge workload to assign each computer to has its own L2 interface. ... View more

How security policy - intrazone works?

by in General Topics
‎07-12-2018 07:05 PM
‎07-12-2018 07:05 PM
Trying to use a Security policy with type intrazone and action is Deny (any application & service). Target is to block all communication within the same zone (subnet). Such as ping, file share (smb), ftp, etc. The layer3 interface and the computers were connected to a unmanaged switch.   But the outcome is only the gateway (layer3 interface) cannot be contact. All the computers can still comunicate with each other.   ... View more

Re: LDAP not work if management interface IP address cannot reach Windows AD

by in General Topics
‎07-11-2018 11:36 PM
‎07-11-2018 11:36 PM
Thanks MickBall. Customize service route configuration solve the probem. ... View more
Register or Sign-in
Contact Me
Online Status
Offline
Date Last Visited
‎09-09-2021 06:44 PM
Latest Tags
No tags yet
Likes Given To
View All
LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks