This website uses cookies essential to its operation, for analytics, and for personalized content. By continuing to browse this site, you acknowledge the use of cookies.
For details on cookie usage on our site, read our Privacy Policy
For details on cookie usage on our site, read our Privacy Policy
About Mack
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- LIVEcommunity
- About Mack
05-09-2023
27Posts
2Likes
0Solutions
May 09, 2023Last Visited
User
Activity
User
Profile
Latest posts by Mack
| Subject | Views | Posted |
|---|---|---|
| 1449 | 07-29-2015 04:53 AM | |
| 4606 | 02-03-2014 09:29 AM | |
| 2488 | 11-22-2013 07:58 AM | |
| 2591 | 04-24-2012 07:30 AM | |
| 2787 | 04-04-2012 08:16 AM | |
| 2787 | 04-02-2012 06:08 AM | |
| 1389 | 03-30-2012 05:21 AM | |
| 3019 | 03-30-2012 05:18 AM | |
| 2833 | 03-22-2012 05:52 AM | |
| 1463 | 03-16-2012 12:16 PM |
My Liked Posts
| Subject | Likes | Posted |
|---|---|---|
| 1 Like | 03-22-2012 05:52 AM | |
| 1 Like | 02-10-2012 06:42 AM |
User Badges
Community Statistics
| Member Since | 03-16-2011 05:51 AM |
| Date Last Visited | 05-09-2023 04:19 PM |
| Posts | 27 |
| Total Likes Received | 2 |
07-29-2015
04:53 AM
Hi everyone, We've got a number of virtual-routers in our PA-5050s and we're looking to do some consolidation to simplify the configuration. Basically, we're looking to reduce the number of vrouters by moving interfaces that are currently in different vrouters into one common one. We are not going to change the zones associated with the interfaces. I'm wondering what happens to existing/established sessions on the firewall when we move the interfaces from one vrouter to another. My question is this: if we have an existing session through the firewall that was established based on a particular route pattern that determined the source and destination zones, then we change the route pattern but the src and dst zones remain the same, do the existing sessions continue or do they become invalid / get terminated? Long explanation: We have several server subnets and one core (physical) router in our network. We put the server subnets behind our PA-5050s on their own dedicated interface a few years ago, but we wanted to give them each a dedicated 1Gb link to our core router. So we created a vrouter for each server subnet and used a /30 routing subnet on a different dedicated interace between the core router and our PA-5050s to force each server subnet's traffic over a different link. So for our 5 server subnets, we're using 10 interfaces (5 x core<-->PA, 5 x PA<-->servers). While each server interfaces has its own zone, all of the /30 routing interfaces are in the same zone. We've now established 10Gb connectivity between the core router and the PA-5050s, so we do not need the separate interfaces. This 10Gb link is in the same zone as the /30 routing interfaces. To simplify our configuration, we'd like to start collapsing the separate server vrouters into one common one that uses the 10Gb link as its route to the core router. This will not change the zones, only the routing. We need to know if we need to schedule an server outage when we change the routing. Our hope is that since the sessions are based on the zones (which will be unchanged) and the firewall is able to do dynamic routing, the sessions would stay alive. However, the existing sessions that were previously routed across the 1Gb link will now be using the 10Gb link in a different vrouter, so maybe the firewall won't like that.
... View more
Labels:
- Labels:
-
Configuration
-
Networking
02-03-2014
09:29 AM
Hi all, We're in the process of migrating from Juniper ScreenOS devices onto our new Palos and I have some questions about ALGs and service timeouts. On our Junipers, there were a couple of ALGs that we had to turn off due to them mangling the application they were supposed to handle. The most prevalent of this was the SQL ALG, which seemed to have a tendency to terminate SQL sessions prematurely on longer running queries. Is there anyone who has migrated from ScreenOS to Palos that has experience with the ALG problem and can let me know if the Palos handle SQL better, or if I should create an Application override for it? Secondly, we had a number of services for which we extended the timeouts, most notably SSH (because keepalives didn't seem to work and our admins didn't like to log in repeatedly) and LDAP (because idle connection pool sessions would be timed out by the firewall too soon). Does anyone have experience with how the Palos handle these services/applications (especially the connection pools)? Finally, it looks like I can make a custom app that has longer timeouts (but it is not possible for a service/port definition - why?). On the Objects->Applications page, there is a clone button, but I can't seem to get it to work. Any idea of how I could clone an application, for instance the SSH application and give it an extended timeout?
... View more
Labels:
- Labels:
-
Configuration
11-22-2013
07:58 AM
Hi everyone, I'm having a bit of trouble configuring link aggregation between my PA-5050 and Juniper EX4500 switches over 10G interfaces. The problem seems to stem from the fact that the PA-5050 link-aggregation dialog gives two options for link speed: 1000 or Auto, whereas the EX4500 configuration requires a hardcoded 10G speed setting. How can I tell the PA-5050 to use a speed of 10000 instead of Auto?
... View more
Labels:
- Labels:
-
Configuration
-
Networking
04-24-2012
07:30 AM
KMacnaughton wrote: rmonvon wrote: Have you tried setting the idle timeout to 10 minutes while having the page refresh every minute please. Let us know if that works. This did not work. The browser sessions, even though they were on the Dashboard page and it was set to refresh each minute, still timed out. This occured on IE 8 and FF 11 on LInux It did seem to take far longer (hours) than 10 minutes to time out, however. They seem to have timed out overnight. We upgraded to PAN-OS 4.1.5 last week and it seems to have corrected this part of the problem. With idle-timeout=10m and Dashboard-refresh=1m, sessions stay logged on. I've not tested if idle-timeout=0 works, but as another user pointed out, that's not a preferred approach. We'd only tried =0 because the Dashboard-refresh wasn't keeping sessions alive.
... View more
04-04-2012
08:16 AM
rmonvon wrote: Have you tried setting the idle timeout to 10 minutes while having the page refresh every minute please. Let us know if that works. This did not work. The browser sessions, even though they were on the Dashboard page and it was set to refresh each minute, still timed out. This occured on IE 8 and FF 11 on LInux It did seem to take far longer (hours) than 10 minutes to time out, however. They seem to have timed out overnight.
... View more
04-02-2012
06:08 AM
It is set to refresh every minute, the default for the Dashboard. I'm not sure about the SSL repository. Where would I check that? If it helps, the problem seems to occur both in Firefox 11.0 on Linux and IE 8 on Windows 7.
... View more
03-30-2012
05:21 AM
Hi Al, We've actually recently upgraded to 4.1.4. I'm not able to confirm if the problem still exists because my sessions will not stay logged in long enough. I just posted in another thread that idle timeout = 0 does not work.
... View more
03-30-2012
05:18 AM
We have a couple of machines that are set to display the PANOS web UI Dashboard so that we can see the current Risk Factor and System Resources, etc... so we set the Authentication Settings Idle Timeout to 0 so that the sessions do not time out, as indicated by the help. However, they still do time out. Is there something else we need to change? We're running PANOS 4.1.4, but the problem also occured in 4.1.1.
... View more
- Tags:
- management
Labels:
- Labels:
-
Management
03-22-2012
05:52 AM
1 Kudo
We upgraded from 4.1.1 to 4.1.4 and the widgets now refresh correctly. Support told us that it was internally discovered bug 35829 and was fixed in 4.1.2. It wasn't published in release notes because apparently customers don't need to know about internal bugs. I find this a ridiculous posture - all bugs should be reported in the release notes, regardless of whether a customer has reported them or not. I held off upgrading to 4.1.2-4.1.4 because the release notes didn't mention any fixes for bugs I was experiencing. Why potentially destabilize my system with a regression bug that snuck into the new code if there's no expectation of payoff?
... View more
03-16-2012
12:16 PM
I think I may have found a bug with PANOS 4.1.1 on PA-5050s where the WebUI will not display new signatures until the user has logged out and logged back in again. I left a browser (Firefox 10) logged in for several days, using it just enough that the session did not time out. During this long session, a content update was installed. However, when I went looking for the new signatures, I could not find them. They would not appear in the new Vulnerability Profile or new Spyware Profile dialogs, even if I searched by the CVE number or the Vendor ID. A new session in a new browser showed them, so I tried logging out of the old session and logging in to a new one. The signatures were now available in the dialogs. This is obviously a little tricky to reproduce since there's only a content update once a week. I will try to do it again next week though. Has anyone else seen this behaviour?
... View more
- Tags:
- content_update
- web_ui
02-10-2012
06:42 AM
1 Kudo
It is happening to me as well on PANOS 4.1.1. I think it may be browser- or platform-related, as it seems to work for me in Firefox 3.6.2x on Windows but does not work for me using Firefox 10 on Linux. It works in IE7 and IE8.
... View more
02-10-2012
05:13 AM
KMacnaughton wrote: The issue now is the content of the vulnerability profile itself. Do we a) create a clone of the all-hosts-all-sigs vuln profile and except the problem signature, essentially giving us two near-identical, full-size profiles stored in the config file and memory, or do we b) create a vuln profile that only includes signatures that apply to the application in the host-specifc rule and except the problem signature there, giving us one full-size and one small-size profile to store. ... I'm hoping there is a better way to solve the problem, because right now only option a) seems sustainable. I'm really concerned with a multiplicity of 4000-signature profiles cluttering up the config file and memory. We have 800 rules or so to migrate from our old firewall and right now it looks like we could end up with several hundred full-size, single-exception profiles. So I decided to check the config file today to see how much is stored for each vuln profile. The config file is XML, meaning that it's bloated by structure/markup, but the vuln profiles only contain the select rules, which are 8 attributes in size, and the exceptions, which are also only a few attributes each. Relative to the size of the config file itself, each vuln profile does not take much space. So that is that issue put to rest. As for how much memory each vuln profile takes up, that's a mystery to us. One would assume that the programmers have come up with an efficient way to store profiles in memory and to do profile-signature matching as part of their one-pass architecture. This might suggest that the memory concerns are moot and that option a) is viable, except for the bugaboo that many near-identical vuln profiles would have to be edited if we decided to change the default behaviour for a signature category or severity (e.g. we decide to block all medium severity threats instead of default action). Maybe there will be an inheritance feature added, so that we can create an instance of a 'template' policy and the child instance will inherit any non-conflicting changes from the parent template...
... View more
02-09-2012
10:40 AM
mikand wrote: Any particular reason you wish to do this? Specifically for the case where for one host we want to add an exception. So for instance, say we have a all-hosts rule that applies default behaviour for all signatures. Then we discover that there is a host for whom a specific signature is causing problems. Since we don't want to turn that signature off for all hosts, we create a new rule just for that specific host and application. We also create a new vulnerability profile that sets an exception for the problematic signature and apply it to the specific host rule. The issue now is the content of the vulnerability profile itself. Do we a) create a clone of the all-hosts-all-sigs vuln profile and except the problem signature, essentially giving us two near-identical, full-size profiles stored in the config file and memory, or do we b) create a vuln profile that only includes signatures that apply to the application in the host-specifc rule and except the problem signature there, giving us one full-size and one small-size profile to store. Obviously my initial question was posed to see if scenario b) is actually a possibility without us having to revisit each of the special profiles once a week to add any new signatures. mikand wrote: Cant you select a sub-category such as networking -> remote-access? This would cover the threats regarding remote-access stuff. However there can be other threats more general that one should look for aswell so I would stick to use a profile which will look for as many bad things as possible. There's no application-related fields/filters in the vulnerability profile. The only option I see is to create a bunch of text-string match rules and hope that they collect all the signtures we need. I'm hoping there is a better way to solve the problem, because right now only option a) seems sustainable. I'm really concerned with a multiplicity of 4000-signature profiles cluttering up the config file and memory. We have 800 rules or so to migrate from our old firewall and right now it looks like we could end up with several hundred full-size, single-exception profiles.
... View more
02-09-2012
08:03 AM
jfitz-gerald wrote: Bytes in/out will be available in 4.1 on all platforms but the PA-4000 series. Bytes in/out do appear to be in 4.1.1 on our PA-5050s... except that the values are incorrect: the bytes-in and bytes-out fields always have the same value. There are now three bytes-related fields in PANOS logs: Bytes, Bytes Sent and Bytes Received. Every log has the same equation for the various values: Bytes Sent = Bytes Received = 1/2 Bytes I checked the release notes for 4.1.2, but there is no reference to a fix for this issue, nor a known outstanding issue.
... View more
02-09-2012
07:29 AM
Hi everyone, I've read through the Admin Guide and have done some searching in KnowledgePoint, but can't find the answer I'm looking for... Currently, in PANOS 4.1, in a Vulnerability profile, when one adds a rule, they can conditions to match signatures. We can provide a string to match on Threat Name, for example I could add a rule with 'ftp' in the threat name and that rule will match all signatures that contain 'ftp' in the name. I can also specify a rule that triggers on a specific category or severity level and any signature that matches the category or severity will be included in the profile. However, what if I want to build a profile that includes all signatures for only a particular application, for example Remote Desktop? I can't use category or severity, as that will match all signatures. I could add a rule with Threat Name = 'RDP'... but what if some signature names do not include RDP, but rather Remote Desktop Protocol? (BTW, this is the case.) Or the old name, Terminal Services? I could add rules for all three, but if Microsoft changes the name again and the newly released signatures use that name, our profile won't automatically include them. Is there any way to specify "include all signatures for this application" as the definition for a vulnerability profile?
... View more
LEGAL NOTICES
Copyright 2007 - 2023 - Palo Alto Networks