About pulukas

pulukas · ‎07-15-2014

Sorry I misunderstood. This is the document for adding user accounts to the ignore list. How to Add/Delete Users from Ignore User List using Agentless User-ID

pulukas · ‎07-14-2014

More thoughts: The vpn would build on the internal interfaces since the ISP for one side is down. - You’re correct, I’m planning to build the tunnel via the Internal Interface on PAN Firewall The PA default route for the down ISP goes into the tunnel - I’m planning to used PBF together with the built-in monitor to track the site ISP connections and once it is down, default route will be routed to VPN Tunnel. Do I need to create two PBF for this scenario? There is only one PBF and one default route in this scenario on each device. this is what is outlined in the tech note. Dual ISP Branch Office Configuration On the PA with good ISP - return traffic to the other site needs to go into the vpn instead of the MPLS or the tunnel will be asymmetrical and fail - If I enable “Enforce Symmetric Return in PFB Rule? Does it reduce the complexity that you mention? The use of PBF is really not an option here due to the way the process works. Instead I think you would nat the tunnel traffic providing a unique route on each site just for tunnel usage. See this tech note. Configuring route based IPSec with overlapping networks NAT for internet access - Yes, I’ll do dynamic NAT translation for all traffic coming out of the VPN tunnel. Possible issue that I’m anticipating are the NAT translation for the public IP’s owned by ISP that having an issue. Any thoughts on this? I don't see how you can use the down ISP space as this will not return to the up ISP location. You will have to allocate and use nat space on the working ISP for this purpose. This could potentially work. With the issue I mentioned on point 1 previously needing to be tested. Whether this is easier than the MPLS routing solution I'm not in a position to judge. Both seem invovled.

pulukas · ‎07-14-2014

I see the issue where the dualing default routes would cause in my original scenario. In a vpn between the PA the following would occur. This may not be any simpler than your MPLS fail-over solution. The vpn would build on the internal interfaces since the ISP for one side is down. The ingress of traffic will be on the same interface as the vpn gateway. I don't know if that will work or not. Typically we see ingress on one interface and gateway on another. This would need to be lab tested. The PA default route for the down ISP goes into the tunnel This could potentially still use the technique previously mentioned with PBR and a default route to the tunnel interface. On the PA with good ISP - return traffic to the other site needs to go into the vpn instead of the MPLS or the tunnel will be asymmetrical and fail This gets trickier to work out. The current MPLS path will be available when this occurs and must be available to build the tunnel. So we cannot use the PBR method to switch. Another option might be to nat the outbound source when sending into the tunnel so the tunnel traffic has a unique return address not routed on the MPLS. You would then just need one for each side. NAT for internet access Once the traffic travels the tunnel from dead site to live site. You will need a nat rule on the live site to public nat the traffic from the tunnel going out to the internet as these source addresses won't be covered in the current configuration.

pulukas · ‎07-14-2014

Lync does require multiple different applications to the different servers in the security policies. The document below is most about Citrix Netscaler load balancing. But you will find a break down of the needed applications and policies by zone starting in Section 7 on page 43 for the Palo Alto rules in Lync deploys. http://media.paloaltonetworks.com/documents/panw-netscaler-lync.pdf

pulukas · ‎07-14-2014

If I understand correctly, you want to use ISP1 from HQ2 if ISP2 fails. And use ISP2 from HQ1 if ISP1 fails. If that is correct, then you do not need vpn in the mix at all. You would follow the Dual ISP branch instructions on both PA. The PBF primary is your local ISP. The new lower priority default route would be your MPLS router. You would also need to check your internet nat rule at both sites: PA at HQ1 would need a nat rule to the internet covering HQ2 private addresses PA at HQ2 would need a nat rule to the internet covering HQ1 private addresses Dual ISP Branch Office Configuration

pulukas · ‎07-14-2014

More reasons why we should know who is a Palo Alto support employee and speaking with that authority. But even with that designation breaking the seals to open devices is something no manufacture supports. With Palo Alto especially there are very few field installed parts.

pulukas · ‎07-13-2014

Could you run through the phase 2 troubleshooting command outlined in the following document. How to Troubleshoot VPN Connectivity Issues

pulukas · ‎07-13-2014

The migration tools are restricted access to Palo Alto partners. Those of us in the end-user community don't get access to these tools. I wish that we could.

pulukas · ‎07-13-2014

I don't think you can combine these two. If I understand what you are detecting correctly, the agent will be a request header and the other is a parameter header so they are check in different sections. I assume you have seen this documentation on creating regex by section, if not, it may be helpful. Creating Custom Threat Signatures

pulukas · ‎07-12-2014

There really is no way around the limit. You need to either forgo that test or find a longer string. Generally this limit is there to prevent false positives that come with very short tests.

pulukas · ‎07-12-2014

What is the output for request content upgrade info Does your support portal show the correct license information for the box? You can see if the cli steps in this document help. How to Activate the BrightCloud URL Filtering Service

pulukas · ‎07-12-2014

Try the steps outlined in this document to restart logging. Palo Alto Networks Firewall not Forwarding Logs to Panorama (VM and M-100)

pulukas · ‎07-11-2014

There is no PanOS 6 specific documentation for the Aggregate Ethernet implementation. These documents are recently updated showing what is support and not and how they appear when you create the AE in the web interface. Support for AE is limited in scope. Which Link Aggregation Protocols are Supported? Aggregate Ethernet Interface Link Status Behavior edited: to correct link.

pulukas · ‎07-11-2014

Sorry, I wasn't paying close enough attention. With DNS flags like this you do get your DNS server as the source. But this is a false positive because you DNS server is just forwarding the request on behalf of your infected clients. So you need detailed logs from the DNS server to back track the requests to the ultimate host. You will likely need to increase the logging level to find this information. See a fuller discussion in this previous thread. Re: Suspicious DNS Query - how to find source computer? This is what the new PanOS 6 DNS Sinkholing feature is designed to help you do. Get logging for the infected computers instead of the DNS server. How to Configure DNS Sinkholing on PAN-OS 6.0

pulukas · ‎07-11-2014

There is no update documentation for server 2012. And as you note, the global catalog really has not changed so there should be no difference for you. this is the most recently updated User-id Best practices from March of 2014. And you GC configuration does seem to match the example. User-ID Best Practices - PAN-OS 5.0, 6.0

Member Since	‎12-24-2012 04:42 AM
Date Last Visited
Posts	1,334
Total Likes Received	430

About pulukas

Re: VPN site-2-site configuration and OSPF

Re: VPN site-2-site configuration and OSPF

Re: Is it ok to set ipsec phase 1 lifetime 24 hours when the peer set it to 86400 secs?

Re: routing forwarding

Re: redistribute global protect ip pool subnet into bgp.

Re: QOS setup to to guarantee vital services with free internet

Re: Configure carrier data feed without dedicated router?

Re: Security Policy Granular to Address Group?

Re: DNS "Aged Out"

Re: DNS "Aged Out"

Re: How to configure ECMP Equal Cost Multi-Path Between Palo Alto And Cisco

Re: configure management IP address using CLI

Re: Forwarding Decisions in PANOS

Re: Multi Critera Show Command

Re: Nat type 2 , type 3 with playstation and xbox

Re: Does BGP need to be on a separate virtual router ?

Re: URL Filtering Team creating MORE of a risk

Re: PA-3060 Whats Up Gold (WUG) Integration: Auto Link Creation Fails

Re: Recommended Software release

Re: World Cup 2018

Re: User IP-user-mapping incorrect

Re: How to configure PaloAlto to Fail-over to another ISP on a remote location

Re: How to configure PaloAlto to Fail-over to another ISP on a remote location

Re: App-ID,dependencies and ports

Re: How to configure PaloAlto to Fail-over to another ISP on a remote location

Re: Assistance: my palo is not accessible.

Re: Some VPN packet is being dropped and particular counter increased and traffic slow.

Re: Migration Tool

Re: Custom signature for Wordpress

Re: Custom signature for Wordpress

Re: Activate Brightcloud URL DB

Re: Don't see Threat and URL log in panorama

Re: LAGG Interface Documentation

Re: In my PAN firewall, I can see a lot of spyware detection in Monitor tab.

Re: Active directory 2012 R2 integration with PAN os 5.0.9

Unlock your full community experience!

About pulukas