About pulukas

pulukas · ‎07-30-2016

I think you are looking for this, the security advisory postings. https://securityadvisories.paloaltonetworks.com/

pulukas · ‎07-30-2016

I think the best approach here would be to open an official ticket to notify the app-id team that this is not working correctly. You can follow the pcap instructions here to capture the failed traffic for them so they can analyze why the traffic is not correctly being identified. https://live.paloaltonetworks.com/t5/Management-Articles/App-IDs-PCAPs-and-Custom-Signatures/ta-p/56014

pulukas · ‎07-30-2016

The nature of the issue makes it far more likely to be a bug in PanOS than a hardware failure. The HA software is what allows the link to be up but the traffic to no longer be accepted. Generally for a port hardware level failure we would see input/output errors or a failure to pass traffic at all. I feel pretty confident that if there is an issue the issue will be a bug in the PanOS and you will need to get either a service release or upgrade to solve the problem. It could also be some configuration issue on the device that simply needs to be adjusted to work properly. Keep us updated on the case.

pulukas · ‎07-29-2016

You should probably post this over in the MindMeld specific forum. the developers monitor discussions there. https://live.paloaltonetworks.com/t5/MineMeld-Discussions/bd-p/MineMeldDiscussions

pulukas · ‎07-29-2016

In Active/Passive the links will show up on the passive node but no traffic will pass until a failover event. In Active/Active mode the link is up and traffic will pass. If you are sure that traffic is passing a passive node link and there are no failover events in the logs, I would open a case with TAC to investigate. It would likely be a software bug.

pulukas · ‎07-28-2016

You are correct that you cannot use untagged frames for all the sub-interfaces. The point of the sub-interface is to connect multiple separate vlans on a single physical port. To do this we need to tag the frames with the vlan number and of course the switch (which you apparently don't control) would also need to have those vlans setup and tagged identically on your connected port. In short, if you want subnet, vlan and zone separation of clients you need the switch setup to be appropriately changed along with the PA for this to work. But perhaps you don't need this if user id setup will get you what you need. If you can get the connection to AD or whatever the local auth is setup you can create your policies using security group membership and there is no need for physical network zone separation.

pulukas · ‎07-27-2016

Is there a particular problem with the communications? I'm assuming your server is not able to successfully communicate with the public server since you have outbound traffic with no response. If this is the case, do you have ssl decryption setup for this communication? You may want to turn it off as a test to see if this is part of the issue.

pulukas · ‎07-26-2016

You have your normal vSwitch where the servers would be connected if there were no PA firewall. Disconnect all the protected servers from this vSwitch. connect the untrust interface of the v-wire on the PA to this original vSwitch Create a new vSwitch on the VMware host. Connect all the protected servers to this vSwitch connect the trust interface of the v-wire on the PA to this vSwitch

pulukas · ‎07-25-2016

The ESXi side is the same whether the firewall is layer 3 or transparent. You assign your zone to the interfaces and these need to insert into your flow for the protected devices. On ESXi you create the vSwitch behind the PA and attach that zone on the PA to that vSwitch. The protected servers connect to this vSwitch. The outside zone on the PA connects then to the vSwitch you would use for the server if there were no firewall at all. You are basically adding one vSwitch and moving the server behind the firewall.

pulukas · ‎07-24-2016

License management generally is in the support portal. I assume the trail licenses can also be managed here. https://live.paloaltonetworks.com/t5/Integration-Articles/How-to-Transfer-Licenses-to-a-Spare-Device/ta-p/58764

pulukas · ‎07-24-2016

If the primary concern is security, you can use md5 authentication for the neighbor relationships. https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Configure-OSPF-Authentication/ta-p/52330

pulukas · ‎07-23-2016

Check the traceroute to your mgmt address and see where it goes. I suspect your traffic may be going through the production flow and nat interfaces and not reaching your mgmt subnet.

pulukas · ‎07-23-2016

Unfortunately, this parameter is not availabe in the current PanOS releases. You can discuss with your sales engineer either adding a feature request for a future release or if one alreadly exists adding your company vote for the feature.

pulukas · ‎07-23-2016

Naming conventions that I've found most helpful over various employers are ones that are both brief and meaningful. This usually entails determining first the major categories and then sub-groups that have logical meaning for the organization. Then developing a short 3-4 letter abreviation for them to encode into the name. You can further simplify the AD setup by creating security groups that simply contain other groups. For example: List of job roles that contain actual users List of resources needing access security that contain job role groups only The security policy then can be nuanced to either the resource or the role depending on the details of the rule. And names are recognizable abbreviations of the resource or the role.

pulukas · ‎07-19-2016

As Reaper notes, the sinkhole is a great add on to the bot net report. With the report we frequently have to do some detective work with the logs can cross references to get the actual source address of the infected machines. With a sinkhole you not only block the traffic, but you get a solid and direct host address to go and clean up.

Member Since	‎12-24-2012 04:42 AM
Date Last Visited
Posts	1,334
Total Likes Received	432

About pulukas

Re: VPN site-2-site configuration and OSPF

Re: VPN site-2-site configuration and OSPF

Re: Is it ok to set ipsec phase 1 lifetime 24 hours when the peer set it to 86400 secs?

Re: routing forwarding

Re: redistribute global protect ip pool subnet into bgp.

Re: QOS setup to to guarantee vital services with free internet

Re: Configure carrier data feed without dedicated router?

Re: Security Policy Granular to Address Group?

Re: DNS "Aged Out"

Re: DNS "Aged Out"

Re: How to configure ECMP Equal Cost Multi-Path Between Palo Alto And Cisco

Re: configure management IP address using CLI

Re: Forwarding Decisions in PANOS

Re: Multi Critera Show Command

Re: Nat type 2 , type 3 with playstation and xbox

Re: Does BGP need to be on a separate virtual router ?

Re: URL Filtering Team creating MORE of a risk

Re: PA-3060 Whats Up Gold (WUG) Integration: Auto Link Creation Fails

Re: Recommended Software release

Re: World Cup 2018

Re: Palo Alto Security Advisories RSS

Re: postscript-pdl application classification - buggy

Re: HA issues

Re: Error Checking credentials - Gateway Timed out

Re: HA issues

Re: Multiple Zones with one VLAN

Re: Multiple outgoing connections

Re: documentation on PA-VM on ESXi

Re: documentation on PA-VM on ESXi

Re: How to Transfer PA VM Trial to Another PA VM

Re: OSPF Link State Database Overload Protection for Palo Alto Firewall

Re: Can't access management when PA200 is in line

Re: OSPF Link State Database Overload Protection for Palo Alto Firewall

Re: Active Directory group naming scheme

Re: what is the difference between Botnet report and DNS Sinkholing?

Unlock your full community experience!

About pulukas