Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Live
- ›
- About a.jones
About a.jones
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Saturday
55Posts
5Likes
7Solutions
Nov 28, 2020Last Visited
User
Activity
User
Profile
Latest posts by a.jones
| Subject | Views | Posted |
|---|---|---|
| 116 | 2 weeks ago | |
| 188 | 3 weeks ago | |
| 769 | 10-16-2020 08:31 AM | |
| 841 | 10-14-2020 07:24 AM | |
| 221 | 10-08-2020 10:56 PM |
My Liked Posts
| Subject | Likes | Posted |
|---|---|---|
| 1 | 04-06-2020 05:37 AM | |
| 1 | 12-03-2019 01:18 AM | |
| 1 | 11-26-2019 10:40 PM | |
| 1 | 11-21-2019 01:25 AM | |
| 1 | 04-30-2019 07:08 AM |
User Badges
Public Statistics
| Date Registered | 03-19-2019 04:59 AM |
| Date Last Visited | Saturday |
| Total Messages Posted | 58 |
| Total Likes Received | 5 |
2 weeks ago
Hi, I have daily, weekly and monthly reports. They all look the same. The report setup is identical for both the router interface and the Palo Alto interface, just the interface itself that the report data is pulled from is the difference. Result is a big difference in data usage. Regards Adrian
... View more
3 weeks ago
Hi All, We have a problem with the report data on Solarwinds. We are running a multi-vsys Palo Alto 5220 with bgp connectivity to a router and need to run bandwidth reports on all vsys. All Vsys have at least 2 BGP Peering for inside and outside on 2 AE's, each assigned a particular Vlanif. All reports seemed to look good but one person is saying one of the reports is reporting too little usage. On a particular vsys we are seeing bandwidth peaking at around 60Mb in the day. When I monitor the Router interface for that particular Vlanif I get a peak of around 600Mb which I am told is expected usage. I can't see anything that would give this problem. We have configured a standard snmpv3 setup, monitoring on the relevant interfaces and vlanifs. I have looked at the reporting on a second pair of Palo Altos we have which reports around 350Mb at eak which is expected. Has anyone seen this before and have a solution? Monitoring on the router is not ideal as I can't break down the traffic to Globalprotect, VPNS etc. Regards Adrian
... View more
10-16-2020
08:31 AM
Yes. BGP is used between the firewall and the upstream routers. I see my ping in the firewall logs but I would have thought it would respond as it is tied to the interfaces rather than try to route through, especially out of a different interface.
... View more
10-14-2020
07:24 AM
Hi All, I'm trying to configure a Floating IP for a VPN on an Active-Active pair of 5220's. I have the Floating IP configured with the Active-Primary Device Priority 1 and Active-Secondary with Device Priority 100. The Interface IPs for both devices are in different subnets to the Floating IP. When I ping the floating IP from home, I see a log entry on the device for the ping but I never get a response from the ping. Any idea's? Regards Adrian
... View more
10-08-2020
10:56 PM
Hi, Tried this and I still get the client certificate required. Regards Adrian
... View more
10-04-2020
07:50 AM
Hi All, I have recently configured a clientless vpn for a customer but the solution needs client certificates for the users to log in with a browser. Is there a way I can make this an authentication only solution with no client certificate requirement? The GlobalProtect configuration is configured and working for staff members using PreLogon successfully. The clientless VPN is configured within this portal configuration. Authentication is only possible for users in the ldap group. It all works but the client was no client certificate. Any resolution must not break the current PreLogon Globalprotect. Regards Adrian
... View more
08-23-2020
09:14 AM
Hi, Apologies for no response. I had been in and out with suspected Covid symptoms for a few weeks. I have tried this and whether I am doing something wrong. I need the following IP subnets with the following response: 172.18.24.0/23 and 172.18.26.0/23 responde with “Access to the web page you were trying to visit has been blocked in accordance with NNC filtering policy. Please contact the Complaints and Compliments team at NNC for more information or if you feel that the site you were attempting to view was inappropriately blocked.” All other ips responded with: “Access to the web page you were trying to visit has been blocked in accordance with Corp Partnering filtering policy. Please go to the Corp Partnering webpage for more information or if you feel that the site you were attempting to view was inappropriately blocked.” This is a multi vsys Palo Alto and this particular vsys is the Public Wifi vsys. All Partners wifi traverses this vsys so there is no Userid but 2 partners want 2 specific subnets with a different response hence my issues. Regards and thanks as always. Adrian
... View more
07-20-2020
01:22 AM
About to upgrade to 8.1.15-h3. We are going to 9 or 9.1 in late Sept/Early Oct. Regards Adrian
... View more
07-20-2020
12:51 AM
Hi All, Apologies I may need to add a bit more detail. The configuration contains multiple paths for different partners for a large wireless network. Each Partner has their own SSID and are assigned a specific subnet. Many share the same Response Page for their web traffic but we have a couple that want to have a different response page carrying their own Partner name. Whilst I cannot add multiple response pages and refer a partner to a specific response page I understand that using javascript I can assign a specific response based on the IP source of the user hence the original question. Regards Adrian
... View more
07-16-2020
05:00 AM
That range was only ever used as an IP range for receiving traffic on the firewall to translate to a real IP on the network. Not sure why it occurred, we think it must have existed somewhere on the internal network and we were lucky before that it worked. I added a static NAT and that resolved the issue. Regards Adrian
... View more
07-16-2020
04:57 AM
Hi All, Hoping someone can help. I need a custom response page for URL Filtering. I know I need to use Javascript but that is not my forte so hoping can provide the inform for me. I need to produce two distinct page responses depending on the IP address the user comes from ie: If they come from address range 10.0.0.0/8 a URL response page produces "Page Blocked for Security Reasons" If they come from any other address range a URL response page produces "Page Blocked because we have the power to do so". I understand it is a text file I need to upload, it's just the page construct I'm struggling with. Thanks in advance Adrian
... View more
07-02-2020
06:52 AM
Issue was resolved. Found someone had changed the Usedby setting on the BGP Export.
... View more
- Tags:
- ssue was resolved.
07-02-2020
06:50 AM
Hi All, I have had a destination nat running for months without issue. NAT: Source VPN Interface to Inside Interface: Destination Address: 192.168.90.231 Destination Translation: 10.0.8.82 Rule: Source VPN to Inside : Source IP to 192.168.90.231 It has been working for months without issue. Suddenly last night, the traffic to 192.168.90.231 starts routing to the outside interface and NAT stops working as traffic isn't heading that way. No changes were made on the system, it's not in the BGP routing table. As there is no rule for this it hits default deny. I have checked that the destination real address is routable and it is. This is the only path that is failing. Any idea's? Regards Adrian
... View more
06-20-2020
12:47 PM
Hi All, I have raised a TAC case regarding this but wanted to see if anyone had had a similar issue with a known fix? We have a pair of Palo Alto's with PANOS 8.1.10 running in active-active configuration. Routing is configured using BGP. The active-secondary export is configured with an AS-Path Prepend of 3 for both peers (inside/outside) to make the route less attractive than the Active Primary. The Inside Path is fine showing AS-Path prepended, but the outside path is not showing AS-Path prepending. Not sure when this stopped but it is causing us some minor issues and increases latency by 5ms as some traffic is routing via active-secondary. Has anyone seen this before or have any recommendations - disabling BGP and re-enabling BGP did not work neither did rebooting the active -secondary device. Regards Adrian
... View more
05-18-2020
04:24 AM
Hi All, I have a pair of Active-Active firewalls that have now come under my management. There is an existing Ipsec VPN which is only configured on the Active-Primary so if this fails, the VPN goes down. I have a required for 6 more VPNs. Has anyone configured resilient IPSec VPN on the Active-Active setup? What's the best way to achieve this - a floating IP or something else? Once I have the new VPNs configured and operational I'll need to look at migrating the existing one. Regards Adrian
... View more
04-06-2020
05:37 AM
1 Kudo
Seems to be back. There must have been an extended outage somewhere.
... View more
04-03-2020
06:50 AM
Hi All,
Looked at my nodes today and it looks like https://panwdbl.appspot.com is down or decommissioned. Tried going to this URL and I get a 404 error? Has this page moved and I missed a notification, down for good or just an outage? Obviously impacts some of the DBLs I have.
Regards
Adrian
... View more
04-03-2020
03:39 AM
Thanks for the response. My setup is as follows for HA: Palo 1: Setup Section: Peer HA1 IP Address 192.168.1.25 Backup Peer HA1 IP Address 192.168.1.17 Control Link: Port ha1-a IPv4/IPv6 Address 192.168.1.26 Netmask 255.255.255.252 Control Link (HA1 Backup): Port management Data Link (HA2): Port ethernet1/3 IPv4/IPv6 Address 192.168.1.34 Netmask 255.255.255.252 Management IP: 192.168.1.19 Palo 2: Setup Section: Peer HA1 IP Address 192.168.1.26 Backup Peer HA1 IP Address 192.168.1.19 Control Link: Port ha1-a IPv4/IPv6 Address 192.168.1.25 Netmask 255.255.255.252 Control Link (HA1 Backup): Port management Data Link (HA2): Port ethernet1/3 IPv4/IPv6 Address 192.168.1.33 Netmask 255.255.255.252 Management IP: 192.168.1.17 There is no duplication. Is it because the Backup Peer address is using the management address? Regards Adrian
... View more
03-26-2020
05:56 AM
Hi All, I have an issue with a Template push to device issue. I have added some routes in the BGP import section and have committed to Panorama without issue. When I push to device I run into a couple of separate issues which is causing me problems. When I push to devices using the force template values I get issues concerning HA and this error: ha1-backup interface ipaddr configured to match peer-ip-backup address My setup is an active passive pair with unique management addresses, unique hostnames. HA is configured with unique IPs for Peer HA1 on both, pointing to the IP set on Control Link HA IP set on the opposite device. The backup HA is configured to work on the management interface and the peer set to opposite device IP. If I don't force template it is all okay, and it works apart from the config is not pushed. If I force the template, the passive device fails with the error above but the primary device has the config on. Question is how to resolve this through Panorama? If it can't, is it best to do this config on the device and is that achieved by selecting the "Disable Device and Network Template" in Device>Setup>Panorama settings? Secondary quicky question - is it best to have sync config ticked post migration to Panorama as the documentation wasn't clear whether to enable it or not? Regards Adrian
... View more
03-22-2020
06:11 AM
Hi All, A quick query that I have seen on my minemeld install. I have created a number of RBL lists and I can see that although the miner is pulling (or indicating) there are IPs to be mined, when I look at the Aggregator I see that it is not aggregating any and therefor the output is 0. This was not the case when I built them. Any ideas? As an example here are the prototypes I am using: Miner: attributes confidence: 50 direction: outbound share_level: green type: IPv4 source_name malwaredomainlist.ip url http://www.malwaredomainlist.com/hostslist/ip.txt Processor: minemeld.ft.ipop.AggregateIPv4FT Output: minemeld.ft.redis.RedisSet Regards Adrian
... View more
01-21-2020
11:17 PM
@vsys_remothanks. Checked that and found the root cause. It now commits. Regards Adrian
... View more
01-21-2020
11:16 PM
Hi All, Quick question on my new deployment for Panorama. I have a HA pair with unique hostnames and IP addresses with firewall as an active passive pair. The migration steps state the following: Do not combine the HA firewall pair in to a single template if a unique Hostname, management IP address, or HA configuration is configured for each HA peer. You may also configure a unique Hostname, management IP address, or HA configuration locally on the firewalls. What do I need to do to accommodate this? I may be having a "stupid" moment but the documentation is not 100% clear (bad night and 6.30am). Using this document: https://docs.paloaltonetworks.com/panorama/8-1/panorama-admin/manage-firewalls/transition-a-firewall-to-panorama-management/migrate-a-firewall-ha-pair-to-panorama-management.html#id177DF10905Z Regards Adrian
... View more
01-18-2020
05:00 AM
Hi All, I have just migrated an active/passive pair of 5220's to Panorama. After completing this following https://docs.paloaltonetworks.com/panorama/8-1/panorama-admin/manage-firewalls/transition-a-firewall-to-panorama-management/migrate-a-firewall-ha-pair-to-panorama-management.html#id177DF10905Z I go to perform step 4 and I get an error which I can't seem to resolve. Can someone help? Here is the error: devices -> localhost.localdomain -> template-stack -> mll.pa.fw0.eastnet_stack -> config -> devices -> localhost.localdomain -> deviceconfig -> system -> route -> service -> crl-status -> source is missing 'address' devices -> localhost.localdomain -> template-stack -> mll.pa.fw0.eastnet_stack -> config -> devices -> localhost.localdomain -> deviceconfig -> system -> route -> service -> crl-status -> source is invalid Its stopping me in the final stages of deployment. Regards Adrian
... View more
12-13-2019
12:24 AM
This was a strange setup but I got it working by a source and destination nat. The remote end are seeing the traffic now. We were taking over another companies solution so have been replicating their setup to a degree. We cannot inherit their equipment so have migrated to our own solution. Some things they have done is a mess. This instance they claim to have had a working solution which I copied and it turned out that was not true. Regards Adrian
... View more
12-09-2019
08:48 AM
Hi All, Can someone help me with a NAT over VPN. What I thought was correct isn't working and I have tried a number of combinations that all fail. The encryption domains are (based on Palo) Remote 85.90.253.239, local 192.168.90.228, to reach a server on IP 10.0.8.82. What would the NAT look like? Every combination that I think is correct doesn’t see the NAT rule hit. Probably so simple I'll headbutt the desk but for now....it's eluding me - albeit I've spent the weekend migrating 5 large councils to a Palo Solution so very worn out. Regards Adrian
... View more
12-04-2019
12:26 AM
I have found if you install on Ubuntu 18.04 Bionic Beaver server edition it works. it took me two installs with reboots to get it working but I get a log in. I think the first install missed some things. Second install, rerun from the beginning as if a fresh install.
regards
Adrian
... View more
12-03-2019
01:18 AM
1 Kudo
Hi All,
I have installed minemeld on Ubuntu 18.04 using Ansible Playbook. I have followed the instuctions on https://github.com/PaloAltoNetworks/minemeld-ansible#howto-on-ubuntu-1804 and rebooted the device but I get the Error Checking Credentials: Bad Gateway error.
Looking at the supervisorrd.conf status I see minemeld-web in a fatal status. Looking ath the minemeld-web log I see the following:
root@ld1-mm01:/opt# tail /opt/minemeld/log/minemeld-web.log File "/opt/minemeld/engine/0.9.64/local/lib/python2.7/site-packages/minemeld/flask/main.py", line 3, in <module> app = create_app() File "/opt/minemeld/engine/0.9.64/local/lib/python2.7/site-packages/minemeld/flask/__init__.py", line 67, in create_app from . import metricsapi # noqa File "/opt/minemeld/engine/0.9.64/local/lib/python2.7/site-packages/minemeld/flask/metricsapi.py", line 19, in <module> import rrdtool ImportError: librrd.so.4: cannot open shared object file: No such file or directory [2019-12-03 08:46:39 +0000] [1092] [INFO] Worker exiting (pid: 1092) [2019-12-03 08:46:39 +0000] [1089] [INFO] Shutting down: Master [2019-12-03 08:46:39 +0000] [1089] [INFO] Reason: Worker failed to boot.
I have followed instructions to downgrade pip but that does not work.
There are instructions to do the following pull (not sure how to do this or if it is necessary):
https://github.com/PaloAltoNetworks/minemeld-ansible/pull/43
Any advice on how I can get this working?
Thanks
Adrian
... View more
11-26-2019
10:40 PM
1 Kudo
My issue was resolved with a weekend of checks. We found that the registry setting for PreLogon was changing and we had to change it back to a DWORD of 1, reboot and then prelogon on boot would work. We don't know why it is doing this but we have generated a group policy that checks the registry setting to ensure that it is correctly set. I found that the laptop was sending messages for prelogon connection to the Palo Alto but it would never connect. Logging in would see Globalprotect connect and log off would see it switch to Prelogon mode. This lead me to believe the solution was working and lead to the investigation of the laptop settings. Since we have rectified this issue the problem has not resurrected itself. Regards Adrian
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
Saturday
|
Latest Blogs
Latest Posts
Copyright 2007 - 2020 - Palo Alto Networks
