This website uses cookies essential to its operation, for analytics, and for personalized content. By continuing to browse this site, you acknowledge the use of cookies.
For details on cookie usage on our site, read our Privacy Policy
For details on cookie usage on our site, read our Privacy Policy
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
About SteveBallantyne
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- LIVEcommunity
- About SteveBallantyne
07-15-2022
10Posts
2Likes
0Solutions
Jul 15, 2022Last Visited
User
Activity
User
Profile
Latest posts by SteveBallantyne
| Subject | Views | Posted |
|---|---|---|
| 757 | 07-14-2022 08:33 AM | |
| 839 | 07-13-2022 07:20 AM | |
| 12343 | 04-15-2021 01:57 PM | |
| 1473 | 12-31-2020 07:43 AM | |
| 1489 | 12-31-2020 05:27 AM |
My Liked Posts
| Subject | Likes | Posted |
|---|---|---|
| 1 Like | 04-15-2021 01:57 PM | |
| 1 Like | 06-23-2020 06:58 AM |
Posts I Liked
| Subject | Likes | Author | Latest Post |
|---|---|---|---|
| 1 Like | |||
| 5 Likes | |||
| 1 Like |
User Badges
Community Statistics
| Member Since | 07-24-2019 09:01 AM |
| Date Last Visited | 07-15-2022 12:21 PM |
| Posts | 10 |
| Total Likes Received | 2 |
07-14-2022
08:33 AM
The problem with this is that I have a couple hundred devices with static IP addresses. Everything from printers, to interface boxes stuck to lab instruments, to managed switches, etc.
... View more
07-13-2022
07:20 AM
Hello all, I currently have a case open with support on this issue. But I am looking for some customer feedback.
We presently have *two routes* and two separate firewalls. 10.0.44.1/22 on my Palo Alto, and 10.0.45.1/22 on a legacy Cisco L3 router. The Cisco has been stripped down and only really serves as a default route to a end of life firewall. My goal is to lift 10.0.45.1/22 from the old Cisco router and place it on my Palo Alto. In so many words ... I want to create a "secondary" IP address on the same subnet so that 10.0.45.1 and 10.0.44.1 are used interchangeably.
If I try to add these two addresses on the same one interface, the Palo rejects the changes with overlapping subnets. Support had suggested using a separate physical interface. But that gave me the same error message.
EDIT: This is on a Palo Alto PA-3250
Most of the articles and posts I have looked at for this issue point to a customer VPN where two remote sites have the same subnet(s). That doesn't really apply to my case here, and the solutions don't really make sense for this scenario.
Any help or pointers would be appreciated!
... View more
04-15-2021
01:57 PM
1 Kudo
As someone who just upgraded to 5.2.6 I can tell you that upgrading doesn't fix it! 🙂 I am tired of being asked what this message means. So I am throwing in the towel and unchecking IPSec. PA support - please fix it. Super annoying.
... View more
12-31-2020
07:43 AM
I just got off of a Zoom session with PA support. They did some further digging into the session flows via the CLI and came to the conclusion that my packets are coming into the Palo, but the return path is broken on the FortiGate side of things. Since the session is never fully establishing (no ACK), the tunnel inspection is not kicking into gear. That is, the *intent* to inspect is there, but the conversation is one-way. I have already engaged FortiNet support - now it's a waiting game. I will share some information and configuration examples if we can ever sort this out, as I couldn't find a lot of useful documentation on their side. And I know there are many customers out there with Palo's in the main office, and "baby firewalls" at their remote sites.
... View more
12-31-2020
05:27 AM
That is helpful, thank you. I am beginning to think that this is an issue on the Fortigate side. Although the strange thing is that it looks like the packets are emerging from the Fortigate side "in tact" and the Palo is just dropping them. Here is an example ... I have a test phone that I put a static IP onto, 10.50.80.10. It's on VLAN 580. Then I have a phone server on the Palo Alto side, 10.10.70.10. I ran a packet trace on the Palo, filtering for the phone IP. It seems that the packets are assembled with the correct VLAN and the correct VXLAN VNI of 1001. But they are dropped, and as noted the Tunnel Inspection is not being performed. I have a case open with support - but not getting any feedback after the first 24 hours. 🙂
... View more
12-30-2020
11:33 AM
Hello community, I am attempting to create a VXLAN over IPSec solution between my PA-3250 and a remote Fortinet FortiGate 61E. I have managed to get things configured correctly on the FortiGate (I think) as I am seeing the traffic entering on the Palo side. I am using Tunnel Inspection on the Palo side and it appears to be set up correctly. In the Monitor > Tunnel Inspection on the Palo, the traffic can be seen there. Even though when I click the magnifier to take a deeper look on the flow the "Tunnel Inspection" checkbox is NOT checked, which seems strange to me. I created a security rule for phone traffic and I am seeing that traffic pop into my standard Palo Monitor > Traffic > Logs. But the applications are all coming up "Incomplete". I am also not able to ping back and forth. So it appears everything works - with the exception of the routing. And I am not sure how to fix that? Has anyone here done multiple VLAN's over a VNI using VXLAN over IPSec? If so - how did you get your traffic to *route* correctly?
... View more
06-23-2020
06:58 AM
1 Kudo
I would like to throw a +1 to this request! It seems ridiculous that to me that the "test email" button just sends a blank email. Why not attach the actual reports to it also? I shouldn't have to wait 24 hours to see what the report is going to look like. 🙂
... View more
07-24-2019
12:21 PM
I ended up upgrading (or in this case *downgrading*) my secondary to 9.0.0 and that worked. So then I was able to upgrade my primary to 9.0.0 without any issues. None of my VPN tunnels came back up on their own, which was a little disheartening. I had to go into the CLI and do a "test vpn ike-sa gateway <tunnel name>" on every single one of them. But my upgrade is complete and functional for now.
... View more
07-24-2019
09:30 AM
Also - my secondary now shows "HA not enabled" on the Dashboard, even though it's still configured?
... View more
07-24-2019
09:11 AM
Hello community - I have a case open with support, but I am looking to see if anyone else has an idea for me while they are looking at my tech support files. I attempted to upgrade an active/passive HA pair following the Palo Alto Doc. I upgraded the secondary from 8.1.4-h2 to 9.0.3 and rebooted. I am now at the step where I would suspend the primary and fail over to the secondary. But my HA pair is broken. Here is what shows on the Dashboard of my primary ... Mode Active-passive Local Active Peer (172.17.1.11) Unknown Running Config Synchronized App Version Unknown Threat Version Unknown Antivirus Version Unknown PAN-OS Version Match GlobalProtect Version Unknown HA1 Down HA1 Backup Down HA2 Down I find it odd that it shows a version match for the PAN-OS Version, when in fact, the secondary is running 9.0.3?
... View more
LEGAL NOTICES
Copyright 2007 - 2022 - Palo Alto Networks