This website uses cookies essential to its operation, for analytics, and for personalized content. By continuing to browse this site, you acknowledge the use of cookies.
For details on cookie usage on our site, read our Privacy Policy
For details on cookie usage on our site, read our Privacy Policy
About mstevenson
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- LIVEcommunity
- About mstevenson
08-18-2015
9Posts
0Likes
0Solutions
Aug 18, 2015Last Visited
User
Activity
User
Profile
Latest posts by mstevenson
| Subject | Views | Posted |
|---|---|---|
| 1693 | 04-18-2013 06:26 AM | |
| 2616 | 11-20-2012 07:02 AM | |
| 2775 | 11-15-2012 01:03 AM | |
| 2775 | 11-14-2012 07:03 AM | |
| 3046 | 11-12-2012 02:45 AM | |
| 2156 | 09-19-2012 04:05 AM | |
| 1224 | 09-18-2012 11:45 AM | |
| 2828 | 04-07-2011 07:32 AM | |
| 3581 | 03-17-2011 08:18 AM |
User Badges
Community Statistics
| Member Since | 03-01-2011 06:53 AM |
| Date Last Visited | 08-18-2015 09:07 AM |
| Posts | 9 |
04-18-2013
06:26 AM
Hi I am trying to resolve the issue with the new google safe search changes that have happened. I am from a school and we are having issues with students being able to search for inappropriate content on google images due to their recent changes of not forcing strict safe search on. Previously we have used the work arounds that are on articles 1399 on here but these dont have any effect now google has changed the way safe search works. I have found a work around that works by manually typing &safe=on in the url of a google search with enables the safe search function to be on. Now i need to find a way of injecting this parameter into all google searches that users do using the palo. Does anyone have any suggestions on how this can be done? Thanks Matt
... View more
Labels:
- Labels:
-
App-ID
-
Configuration
-
Troubleshooting
11-15-2012
01:03 AM
192.168.0.2 is the internal ip address of the L3_Inside interface the firewalls sit in a separate VLAN to the main internal network with routing between the VLANs (its to cope with the ARP limit of the palo) its the dynamic IP and port address for the L3_Inside interface. Matt
... View more
11-14-2012
07:03 AM
Hi Numan Thanks for your reply and advice, i have posted the output of the show sessions can you take a look and see if it looks right. Matthew@Altrincham_Primary(active)> show session all filter source 172.16.12.25 -------------------------------------------------------------------------------- ID Application State Type Flag Src[Sport]/Zone/Proto (translated IP[Port]) Vsys Dst[Dport]/Zone (translated IP[Port]) -------------------------------------------------------------------------------- 20456 undecided ACTIVE FLOW NB 172.16.12.25[49469]/L3_Inside/6 (192.168.0.2[24823]) vsys1 89.238.148.200[443]/L3_Inside (172.16.0.77[443]) 17465 undecided ACTIVE FLOW NB 172.16.12.25[49468]/L3_Inside/6 (192.168.0.2[4005]) vsys1 89.238.148.200[443]/L3_Inside (172.16.0.77[443]) Matthew@Altrincham_Primary(active)> show session id 20456 Session 20456 c2s flow: source: 172.16.12.25 [L3_Inside] dst: 89.238.148.200 proto: 6 sport: 49469 dport: 443 state: INIT type: FLOW src user: altrincham\administrator dst user: unknown s2c flow: source: 172.16.0.77 [L3_Inside] dst: 192.168.0.2 proto: 6 sport: 443 dport: 24823 state: INIT type: FLOW src user: unknown dst user: altrincham\administrator start time : Wed Nov 14 15:01:13 2012 timeout : 5 sec total byte count(c2s) : 132 total byte count(s2c) : 0 layer7 packet count(c2s) : 2 layer7 packet count(s2c) : 0 vsys : vsys1 application : incomplete rule : U-Turn Webmail SEC session to be logged at end : True session in session ager : False session synced from HA peer : False address/port translation : source + destination nat-rule : U-Turn Webmail NAT(vsys1) layer7 processing : enabled URL filtering enabled : False session via syn-cookies : False session terminated on host : False session traverses tunnel : False captive portal session : False ingress interface : ethernet1/2 egress interface : ethernet1/2 session QoS rule : N/A (class 4) Thanks Matt
... View more
11-12-2012
02:45 AM
Hi All I have a u turn nat rule and security policy in place that has been working fine to allow internal access to the external url of our exchange owa and now it has stopped working - nothing has changed on the firewalls or on the exchange system that could explain the problem. The u-turn nat rule is setup as follows Source Zone: L3_Inside Destination Zone: L3_Outside Destination Address: 89.238.148.200 Source Translation: Dynamic IP and Port (Correct interface and IP selected) Destination Translation: 172.16.0.77 (internal address of OWA cluster) Security rule for the u-turn nat: Source Zone: L3_Inside Destination Zone: L3_Inside Destination Address: 89.238.148.200 Normal external nat rule for the OWA setup: Source Zone: L3_Outside Destination Zone: L3_Outside Destination Address: 89.238.148.200 Destination Translation: 172.16.0.77 (internal address of OWA cluster) Security rule for the normal external OWA rule: Source Zone: L3_Outside Destination Zone: L3_Inside Destination Address: 89.238.148.200 I can see traffic passing through the firewall using the u-turn nat rule but the application column just reports as incomplete? any ideas would be great as i cant work out what could be wrong. We have multiple nat and u-turn nat rules setup to allow access to other external urls internally and these work perfectly fine and these are setup in exactly the same way. Thanks Matt
... View more
09-18-2012
11:45 AM
Hi I have 2 PA500 firewalls running in a active/passive HA setup, the firewalls are fully integrated into active directory using the Identification client for security polices all clients on the network are set to use our core switch as their default gateway and the switch has a route set so it uses the firewalls IP as its gateway. Problem is the PA500 has a hard limit of 500 ARP table entries and we have a lot more than 500 network devices on the network, so when the firewall reaches its 500 ARP limit no more devices can connect to the internet, the only way i have found to try and allow other clients is to clear the ARP tables on the firewalls, but this causes other clients to have no internet connectivity. Does anyone have any ideas on how i can resolve this without upgrading to the larger firewalls? Thanks Matt
... View more
04-07-2011
07:32 AM
Hi all I have read through the NAT tech notes and manuals from this site but canot seam to get this feature to work, i have u-turn nat enabled and working brilliantly in the same zone but i cant get the u-turn feature to work between zones/seperate networks. Let me explain our setup and any help would be very appreciated. Guest Client Network Source - Guest Laptop: 192.180.0.10 Dest - External webmail IP address: 89.248.148.200 Internal Corporate Network Internal webmail server: 172.16.0.10 I need users to be able to access the external address of the webmail server from the guest client network. What i would like is so when users on the guest network access the webmail external ip it is routed through the PA and is then routed to the internal network zone. I have setup the u-turn feature in the same zone and that works great, its just when i am trying to do u-turns with different zones that i cant get it to work. I have followed the guide NAT Tech Notes to set the NAT and security rules for the u-turn between zones but they dont seam to be working. Any help would be great!! Matt
... View more
03-17-2011
08:18 AM
Hi all I have a brand new PA500 that I have setup and everything is working fine in the outbound direction e.g. i can access the internet etc.. the problem i have is in the inbound direction. My external interface IP address is set to 89.238.148.194/28 and I have a number of other external IP addresses that i need to NAT to internal private IP addresses these are as follows: External IP Internal IP 89.238.148.196 172.16.0.7 - Microsoft ISA 89.238.148.197 172.16.0.7 - Microsoft ISA 89.238.148.198 172.16.0.13 - SMTP Traffic 89.238.148.199 172.16.0.39 - Port 80 Traffic 89.238.148.200 172.16.0.10 - Port 443 Traffic The problem comes when i try and add the multiple external IPs to the external interface of the PA500 i get the following error: Operation Commit Status Completed Result Failed Details routed: In virtual-router default: address 89.238.148.199/28 on interface ethernet1/1 has overlapping subnet with address 89.238.148.194/28 on interface ethernet1/1. Commit failed We currently have a watchguard firewall and all i do on this to add multiple external IPs is to add the additional IPs as secondary networks but with the PA500 i cant figure out why its not working. Please any help would be great!! Matt
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
08-18-2015
09:07 AM
|
Latest Tags
No tags yet
LEGAL NOTICES
Copyright 2007 - 2023 - Palo Alto Networks