Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Live
- ›
- About SteveBallantyne
About SteveBallantyne
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Thursday
7Posts
0Likes
0Solutions
Jan 14, 2021Last Visited
User
Activity
User
Profile
Latest posts by SteveBallantyne
| Subject | Views | Posted |
|---|---|---|
| 119 | 3 weeks ago | |
| 135 | 3 weeks ago | |
| 197 | 3 weeks ago | |
| 709 | 06-23-2020 06:58 AM | |
| 3826 | 07-24-2019 12:21 PM |
Posts I Liked
| Subject | Likes | Author | Latest Post |
|---|---|---|---|
| 1 | |||
| 4 | |||
| 1 |
User Badges
Public Statistics
| Date Registered | 07-24-2019 09:01 AM |
| Date Last Visited | Thursday |
| Total Messages Posted | 7 |
3 weeks ago
I just got off of a Zoom session with PA support. They did some further digging into the session flows via the CLI and came to the conclusion that my packets are coming into the Palo, but the return path is broken on the FortiGate side of things. Since the session is never fully establishing (no ACK), the tunnel inspection is not kicking into gear. That is, the *intent* to inspect is there, but the conversation is one-way. I have already engaged FortiNet support - now it's a waiting game. I will share some information and configuration examples if we can ever sort this out, as I couldn't find a lot of useful documentation on their side. And I know there are many customers out there with Palo's in the main office, and "baby firewalls" at their remote sites.
... View more
3 weeks ago
That is helpful, thank you. I am beginning to think that this is an issue on the Fortigate side. Although the strange thing is that it looks like the packets are emerging from the Fortigate side "in tact" and the Palo is just dropping them. Here is an example ... I have a test phone that I put a static IP onto, 10.50.80.10. It's on VLAN 580. Then I have a phone server on the Palo Alto side, 10.10.70.10. I ran a packet trace on the Palo, filtering for the phone IP. It seems that the packets are assembled with the correct VLAN and the correct VXLAN VNI of 1001. But they are dropped, and as noted the Tunnel Inspection is not being performed. I have a case open with support - but not getting any feedback after the first 24 hours. 🙂
... View more
3 weeks ago
Hello community, I am attempting to create a VXLAN over IPSec solution between my PA-3250 and a remote Fortinet FortiGate 61E. I have managed to get things configured correctly on the FortiGate (I think) as I am seeing the traffic entering on the Palo side. I am using Tunnel Inspection on the Palo side and it appears to be set up correctly. In the Monitor > Tunnel Inspection on the Palo, the traffic can be seen there. Even though when I click the magnifier to take a deeper look on the flow the "Tunnel Inspection" checkbox is NOT checked, which seems strange to me. I created a security rule for phone traffic and I am seeing that traffic pop into my standard Palo Monitor > Traffic > Logs. But the applications are all coming up "Incomplete". I am also not able to ping back and forth. So it appears everything works - with the exception of the routing. And I am not sure how to fix that? Has anyone here done multiple VLAN's over a VNI using VXLAN over IPSec? If so - how did you get your traffic to *route* correctly?
... View more
06-23-2020
06:58 AM
I would like to throw a +1 to this request! It seems ridiculous that to me that the "test email" button just sends a blank email. Why not attach the actual reports to it also? I shouldn't have to wait 24 hours to see what the report is going to look like. 🙂
... View more
07-24-2019
12:21 PM
I ended up upgrading (or in this case *downgrading*) my secondary to 9.0.0 and that worked. So then I was able to upgrade my primary to 9.0.0 without any issues. None of my VPN tunnels came back up on their own, which was a little disheartening. I had to go into the CLI and do a "test vpn ike-sa gateway <tunnel name>" on every single one of them. But my upgrade is complete and functional for now.
... View more
07-24-2019
09:30 AM
Also - my secondary now shows "HA not enabled" on the Dashboard, even though it's still configured?
... View more
07-24-2019
09:11 AM
Hello community - I have a case open with support, but I am looking to see if anyone else has an idea for me while they are looking at my tech support files. I attempted to upgrade an active/passive HA pair following the Palo Alto Doc. I upgraded the secondary from 8.1.4-h2 to 9.0.3 and rebooted. I am now at the step where I would suspend the primary and fail over to the secondary. But my HA pair is broken. Here is what shows on the Dashboard of my primary ... Mode Active-passive Local Active Peer (172.17.1.11) Unknown Running Config Synchronized App Version Unknown Threat Version Unknown Antivirus Version Unknown PAN-OS Version Match GlobalProtect Version Unknown HA1 Down HA1 Backup Down HA2 Down I find it odd that it shows a version match for the PAN-OS Version, when in fact, the secondary is running 9.0.3?
... View more
Latest Blogs
Latest Posts
Copyright 2007 - 2021 - Palo Alto Networks
