Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Live
- ›
- About joshsmtech
About joshsmtech
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
08-18-2015
21Posts
2Likes
0Solutions
Aug 18, 2015Last Visited
User
Activity
User
Profile
Latest posts by joshsmtech
| Subject | Views | Posted |
|---|---|---|
| 453 | 08-29-2011 11:29 AM | |
| 452 | 08-24-2011 02:59 PM | |
| 453 | 08-24-2011 02:46 PM | |
| 581 | 07-25-2011 10:26 AM | |
| 581 | 07-18-2011 11:41 AM |
My Liked Posts
| Subject | Likes | Posted |
|---|---|---|
| 1 | 08-24-2011 02:46 PM | |
| 1 | 07-15-2011 09:23 AM |
User Badges
Public Statistics
| Date Registered | 02-22-2011 05:24 PM |
| Date Last Visited | 08-18-2015 09:07 AM |
| Total Messages Posted | 21 |
| Total Likes Received | 2 |
08-29-2011
11:29 AM
If you know which zone the destination IP is in, then I would recommend you specify the destination zone and IP address. However, this is not a requirement. You can also leave the zone as any. It depends on your organizations, topology, security policies and best practices but either way will work.
... View more
08-24-2011
02:59 PM
I am running a pair of PA-4020s in HA mode on PAN OS 3.1.8. For about the last three or four Threat and App Content updates I have had sync issues. I have the active PA downloading and then syncing the content to the passive PA. This worked fine until now and we have had the 4020s in place since April. Anyone else having this issue or have any suggestions before I call support?
... View more
- Tags:
- ha
08-24-2011
02:46 PM
1 Kudo
If your rule has Zone A to Zone B specified and IP address source and destination of any, then the traffic will be filtered based on zones only regardless of IP. Entering in an IP address is not required, if you want to only filter on zones this can be done as long as your source and destination IPs are "any". Typically you assign interfaces to Zones so you need to understand your network topology to understand what traffic is coming through each zone, but when filtering at the zone level IP addresses do not need to be specified. For Example: I want all of my internal users to access anything in our DMZ and the web and my DMZ to be able to access the Web I would create 3 zones... Zone A = Internal Users, multiple subnets and IPs Zone B = DMZ multiple subnets and IPs Zone C = Internet multiple subnets and IPs My rule would go something like this: Name S. Zone D. Zone S. Address D. Address Application Service Action Rule 1 Zone A Zone B Zone C Any Any Any Any Allow Rule 2 Zone B Zone C Any Any Any Any Allow No Specific IPs need to be listed to put these rules in.
... View more
07-25-2011
10:26 AM
Wow, how did I miss that! Thanks, that was it.
... View more
07-18-2011
11:41 AM
Unfortunately I do not have any PA firewalls running 4.x
... View more
07-18-2011
09:53 AM
I have a Panorama server running PANOS 4.0.3 with 2 PA-4020s connected to it running PANOS 3.1.8. I noticed since upgrading the panorama to 4.0.3 that the system logs no longer show the device name or IP that sent the system log to the panorama. This is a challenge because I can not identify which system log is coming from which managed device in the Panorama. Any help on this would be appreciated.
... View more
- Tags:
- panorama
Labels:
07-15-2011
12:55 PM
Can you give a little more info in regards to the size of your network behind the PA500? How many web users, etc... We are using a 4020 with URL filtering and don't have any performance issues with about 800 internet users. But I realize a 4020 has quite a bit more horsepower than a PA-500. Sounds like a call to tech support might be good for this one, If you haven't called them already. Please let us know what you find out. I am considering a PA500 for some of our smaller remote sites so any info / feedback you have would be great.
... View more
07-15-2011
09:23 AM
1 Kudo
I have a PA4020 running PANOS 3.1.8 with URL filter version 3646. My URL filter is set to alert only for all categories. I used google chrome and I am able to get the login to appear on this site. If you aren't seeing anything in the FW logs, try from a few other PCs on your net behind the FW and see if you get the same results. Are you checking the URL logs or the traffic logs or both? Any other rules turned on for this traffic... AV, Threat, Data filtering, etc... Maybe one of these logs has the answer. Message was edited by: joshsmtech
... View more
07-14-2011
04:14 PM
Thanks for the tip. How can I see what the settings are currently?
... View more
07-14-2011
10:00 AM
I am testing a URL filter that when a user tries to go to facebook, they are presented with the PAN URL "Continue" page (see attached). They are allowed to go to the page if they click on Continue to acknowledge they will be tracked. This works fine initially, but it seems as though there is some sort of timeout. If the page sits idle for about 5 mins and the user goes back to it, the page does not load unless they re-type www.facebook.com into their browser, hit the "Continue" warning page again and click continue again to get to facebook. Is this the way this feature is intended to work? It seems like there is a cookie or something missing that isn't caching when the user clicks accept on the continue page. Or is there a setting somewhere in the PA firewall to set a timeout for this somehow?
... View more
- Tags:
- url_filtering
07-14-2011
09:34 AM
Are you using AD to log in? Is it possible that somone is logging into the laptop with a local user account? If that is the case, UserID will track all activity from that device as the source user of the last person that logged into the device with AD. If you were the last person to log in and someone else logs in with a local account, I believe your name will still be in the FW logs. The user ID agent polls your AD servers... If it is still in the AD DC security logs that you were the last person to log into the laptop, that is what the PA Firewall will put in its logs. I would check the UserID agent and the domain controller and see what users are showing up there for that laptop. If your AD Logs are different than what your PAN agent has or the PAN agent is different than what your PA Firewall is showing, that would be something worth mentioning to tech support. What version of the PAN UserID agent are you running?
... View more
06-22-2011
02:53 PM
That was it! I let it churn over night and sure enough everything fine in the morning. Thanks.
... View more
06-20-2011
05:06 PM
I am having issues with commits that never complete and my jobs being "stuck" after I upgrade to Panorama 4.0.3. Here are th jobs I have after I reboot... Enqueued ID Type Status Result Completed--------------------------------------------------------------------------2011/06/20 16:45:43 5 report-pusher PEND PEND 0% 2011/06/20 16:45:41 4 panorama-log-fwd-ctrl-composite ACT PEND 33% 2011/06/20 16:45:37 3 AutoCom FIN OK 16:45:43 2011/06/20 16:45:13 2 UpdateLicDb FIN OK 100 % 2011/06/20 16:45:07 1 panorama-log-fwd-ctrl-composite FIN OK 100 % It has been about 15 minutes since I upgraded and rebooted and these jobs are still stuck. Also I noticed the CPU in the GUI is pegged at 100% and has been since the upgrade. I went from 3.1.8 to 4.0.1 then to 4.0.3. 4.0.1 had the same cpu issue. My VM is running in ESX 4.x with 4GB memory and 2 ghz proc. Anyone else having similar issues with 4.0.1 or 4.0.3 in panorama? I have tried reverting the OS but the job just hangs. I have a ticket open with support, but wanted to post it on the forums as well.
... View more
06-09-2011
01:43 PM
nvm... found the answer in an earlier post, but here is what I did.... To identify which url-database your panorama is using, go to the CLI and input the following command... panorama>show system setting url-database if it says surfcontrol (which apparently the panorama image I got, comes with by default) then use this command... panorama>set system setting url-database brightcloud You're panorama box will reboot after this. You're panorama device URL categories should match the PA firewalls now.
... View more
06-09-2011
01:11 PM
I have noticed some of the URL categories are different in my panorama box when compared to my PA firewall when creating custom reports. I have verified they are running the same PAN os level (3.1.8). This makes creating custom reports on my panorama difficult when trying to filter on these categories since my PA4020 is logging these as a different category. For example on my PA4020 I have a custom URL log report setup filtering on the URL adult-and-pornagraphy. When I go to setup the same report on the Panorama I don't have adult-and-pornography as a choice. I only have adult-or-sexually-explicit as an option. My PA4020 sends all of its logs to the panorama, but since these categories don't match between the PA and the Panorama I can never get the URL report I am after on the panorama. Any ideas or plan to fix this? It seems to me the panorama should have the same categories as the PA firewalls. Anyone else notice the same issue on their devices?
... View more
05-12-2011
11:32 AM
Does anyone know if it is possible to change the disk quotas in Panorama?
... View more
05-04-2011
02:21 PM
We ended up going to static routes. Luckily our remote MPLS network are contiguous and we were able to cover them with about 14 /16 static routes. The route process was locking up very often and causing issues with our iBGP full mesh. PAN support wasn't able to provide much of an answer so I am writing this off as a bug or some sort of limitation with BGP on the firewall itself. It could possibly be related to having two virtual routers and running BGP on one and statics on the other, who knows. If anyone comes across similar issues please post here, we are curious to see if this may be a bug of some sort.
... View more
05-04-2011
02:00 PM
Yes, we are having the same issue with passive FTP. Traffic is getting blocked by the implicit deny rule I have in place, probably because NAT is messing with the connection. I was able to get around temporarily by permitting all port from our source IP to the specific remote IP. This was temporary from one of our critical transfer. I just reverted back to Content Update 243 and am waiting for our sysadmin to test again.
... View more
04-28-2011
11:04 AM
Hello, Wondering if anyone else is having this issue. We have 2 x PA-4020s in an Active/Passive setup running BGP with several Cisco routers that connect to our MPLS network. About a week ago we had a failover occur due to ethernet1/3 bouncing. We have remained on our secondary device since then until we can figure out what is going on with the primary. Ever since the failover we have been experiencing problems with BGP routing. I noticed when looking at the BGP peers in the current active PA that all the BGP peer status' were idle. I looked at our current passive PA and it shows several of the bgp peers either connected or active. It appears everything seems to be routing correctly at the moment, but every now and then we will have a site go down and have to put in a static route. I noticed when showing the detail of all me bgp peers on my current active PA there is the following error... Last Error- Cease (6) : connection rejected (5) Any help/ideas would be great. Active Device: Name Group Local IP Peer IP Peer AS Password Set Status Status Duration(secs.) Show/ Hide Annex-VPN-Host stores 172.20.2.1 172.20.2.241 65360 no Idle 60108 Show details... SM-VPN-Host2 stores 172.20.2.1 172.20.2.242 65360 no Idle 376 Show details... SM-VPN-Host1 stores 172.20.2.1 172.20.2.243 65360 no Idle 21108 Show details... Corp-3750-A stores 172.20.2.1 172.20.2.250 65360 no Idle 35300 Show details... Corp-3750-B stores 172.20.2.1 172.20.2.251 65360 no Idle 4670 Show details... Corp-3845-A stores 172.20.2.1 172.20.2.252 65360 no Idle 60113 Show details... Passive Device: Name Group Local IP Peer IP Peer AS Password Set Status Status Duration(secs.) Show/ Hide Annex-VPN-Host stores 172.20.2.1 172.20.2.241 65360 no Connect 241495 Show details... SM-VPN-Host2 stores 172.20.2.1 172.20.2.242 65360 no Active 241495 Show details... SM-VPN-Host1 stores 172.20.2.1 172.20.2.243 65360 no Active 241495 Show details... Corp-3750-A stores 172.20.2.1 172.20.2.250 65360 no Active 241495 Show details... Corp-3750-B stores 172.20.2.1 172.20.2.251 65360 no Connect 241495 Show details... Corp-3845-A stores 172.20.2.1 172.20.2.252 65360 no Connect 241495 Show details... Peer Detail from Current Active PA: Configuration Passive no Multi-Hop TTL 255 Reflector Client not-client Same Confederation no Aggregate Confed. AS no Peering Type Unspecified Connect Retry Interval 120 Open Delay 0 Idle Hold 15 Prefix Limit 5000 Hold Time Config 90 Keep Alive Config 30 Next Hop Self no Next Hop Peer no Next Hop Thirdparty no Remove Private AS no Runtime Status Peer Router ID 10.255.101.253 Hold Time 90 Keep Alive 30 Last Error Cease (6) : connection rejected (5) Status Flap Counts 2446 Established Counts 1 Stats Counters Msg. Update In 1190 Msg. Update Out 0 Msg. Totals In 8572 Msg. Total Out 10984 Last Update Age 13 IPv4-unicast Counters Incoming Total 2944 Incoming Accepted 1 Incoming Rejected 2943 Outgoing Total 0 Outgoing Advertised 0 Capabilities
... View more
Latest Blogs
Latest Posts
Copyright 2007 - 2020 - Palo Alto Networks
