About mr_almeida

Hello all!  We have had a single Panorama appliance running in Panorama mode as a local log collector in its own collector group. Firewall logs are sent to Panorama, and all is working well.   We now have procured a second Panorama appliance for HA. Hardware, disks etc., are all the same, and I've successfully set them up in HA, synced and healthy.   These two Panorama appliances are in different sites - though there is plenty of bandwidth and a few tens of ms latency between them. Currently, each appliance has only a single 2TB assigned to them. We don't plan to change from this setup or utilise dedicated log collectors anytime soon, and log retention fits within requirements.   The bit I am confused about is log collectors and collector groups. Cannot decide whether to have both appliances as either: Single log collector per collector group Put the secondary appliance in the same collector group as the primary appliance or multiple collectors in a single collector group. Regarding multiple collectors in a collector group, I have read you can achieve redundancy, increase log retention and exceed logging rates. I am aware you need to check the box for   enable log redundancy across collectors . I am also mindful that the logging rate is half - so I am not sure how the logging rates are exceeded if this happens?!   Regarding a single collector for each collector group, nothing seems to be mentioned or indicates anything about this. Why would I use this over multiple collectors in a single collector group? I know if the secondary appliance is down or lost, we lose those logs. I also assume you can still set the   Log Forwarding Preferences list   for both collectors in separate groups?   Hoping someone in this space can shed some light on what they have done or chime in on what you think!   Thank you for your time in reading and responding!   Panorama  ... View more

  Hi all,   Pardon me for the lengthy title.   Here is the layout of what I am working with: 😅 I am currently running PAN-3020 on PAN-OS 9.0.13 I do not have a URL filtering licence  I do not yet do decryption (long story). Security rules are any/any for testing this.     I have been tinkering with custom URL categories and filtering profiles. I have got what I intended to work.   However, I am confused by the behaviour of the firewall and further lost amongst content all over the internet, especially when it comes to URL filtering without a licence. Was hoping someone could help clarify it out for me?   =========== Scenario 1 Security policy rule A: Rule with an action of allow URL filtering profile assigned which also allows a good custom URL category Security policy rule B: Rule with an action of allow URL filtering profile assigned which blocks a bad custom URL category   No traffic will match security policy rules A or B. The only time traffic match either of these two rules is when I specify a URL category under the Service/URL Category tab for security policy rule A.   Scenario 2 Security policy rule A: Rule with an action of allow Custom URL category assigned to "services/URL Category" tab (found within the security policy rule), URL filtering profile assigned that allows a good custom URL cateogry Security policy rule B = Rule with an action of allow Assigned URL filtering profile that blocks a bad custom URL category URL traffic not matching any URLs specified rule A is now blocked. ===========   What I can't get my head around is why isn't it enough to simply use a security rule and a relative filtering profile that references the good custom URL category? Why when I don't specify the URL category, no traffic matches even though the filtering profile is there? Apologies for my ignorance.    Martins ... View more

Hi Gang,   We need to update our log forwarding to now include Syslog. Previously they were only uploading to Panorama. It was also previously shared but we will need to make it device group specific now as we have local syslog servers for local sites.   I can't seem to see it on any documentation or simply overlooked it, apologies if so but... do changes to log forwarding already enabled on security rules disrupt existing traffic, sessions or the like?   Thanks,   Daniel  ... View more

Hi Gang,   First, thanks for having a look and a big thank you for taking the time to respond.   I recently created a security policy rule that blocked outside-outside zone traffic. I did this due to outside traffic that did not match any NAT rules, for some reason, ended up matching the intrazone-default rule. Although this effectively allowed such traffic, such traffic simply aged-out since we have nothing on those public IP addresses (it is all NATed after all). This is improves insight, statistics and so on since this traffic was no longer being allowed.     I did however notice that, when attempting to ping from the public interface of the firewall, it was hitting the same outside-outside deny rule. This is expected since the ping from public interface is after all outside-to-outside zone. Disabling the rule of course means the ping now works.   I am wondering what you all have done in this circumstance? Though we can ping from the inside but are you happy that you can't ping from your outside interface? I was worried it would potentially break path monitoring etc. but that works from the inside so that's fine.   Thank you kindly!   Daniel ... View more

Hi Gang, Still getting grips to everything so would love your help in understanding the behaviour of traffic when it is NATed and allowed.    The Scenario:  Zones: outside and inside A DNAT rule from outside-to-outside that NATs 1.1.1.1:22 which translates to 192.168.1.1:22 A security policy that from outside-to-inside traffic for 1.1.1.1:22 Result: Any other traffic destined for 1.1.1.1 but not matching port 22 matches the intrazone-default rule. This results in traffic being allowed. However, traffic will time-out as there is nothing on that public address.  Questions: Is this the expected behaviour of the firewall? Why is traffic allowed from ports which we did not specifically define in the NAT and alow in the security rule? Should I be worried that traffic other than specified in the NAT and security policy is being allowed? How best to block this behaviour? I guess we'd need to create a deny security rule for each allow rule to prevent happening?    Thank you a bunch!!!   Daniel ... View more

Hi Gang,   We need to change the management IP address of Panorama due to a complete change in our network. It runs in, Panorama mode, and manages several firewall pairs (which forward their logs to Panorama).   My questions is: Is it as easy as changing the IP address of Panorama? Then logging into the managed firewalls to change the Panorama address?   It ought not to affect the groups and current configuration right?   Than you all for your time! Daniel  ... View more

Hi Gang, We have Palo Alto Panorama and Firewalls and yes all going smoothly, however, It is not the end once it is up and running.   So I am keen to read on all what you do in the daily administration of your PAN environments. All I have really, in terms of daily administration is: I've got email alerts configured to say if HA kicks in, will look to add more Reports - I need to look into as I have neglected this bit We will look to do health checks say through Nagios example Hoping to learn off more from all you seasoned people!   Thank you all, Daniel ... View more

Hi Gang,   Excuse me for my ignorance. We had firewalls Palo literally thrown at us, and instantaneously put into production (not great!).    I have a pair of Palo's in HA Active/Passive with preemptive enabled on active/primary. These are in turn, patched to an INET switch (internet handed off via a single ethernet patch cable to this switch).    We have HA (device > ha > link and path monitoring) configured for the link and path monitoring: Link group: Failure = any Link group = all interfaces Path monitoring:  Failure = any path group = virtual router path with internal and external destination IPs, at 500ms interval and 5 ping count. Now say the active firewall detects a link failure interface (bear in mind this is an interface that is on the same switch as the secondary). The passive firewall takes over until the primary is ready to preempt over. We are right here.    Now the same scenario but this time, there is a path link failure. Now, let's say something has happened upstream, say the ISP router went down. No pings to say public IP addresses 8.8.8.8 and 8.8.4.4, so no internet at all and thus the primary firewall will detect path link failure as per HA. The secondary will take over.   In the scenario mentioned before, not sure what happens: The primary firewall, it will be passive waiting to preempt when links are back, though secondary has no internet either, so what happens here? The secondary it takes over thought what happens here too (I haven't configured link and path monitoring yet on the passive firewall - should I do so)? Both firewalls are sitting there with no path to the internet. What happens here? What happens with flapping in this case and not hard path link failure to both firewalls. Do I bother with virtual router path monitoring or rely on HA monitoring? To make it more confusing, Palo's are connected to ACI. We are wondering if the internet is unavailable for both firewalls, could both firewalls shut down all internal-zone-based-interfaces so that ACI could detect a failure on the aggregate links to active and passive? In this case, ACI would proceed to remove the static quad route to the firewall pair and insert another route so traffic is routed elsewhere. ACI is tracking IPs external IPs via the Palo to determine failure.   Perhaps I am overthinking this and lost in my mind. Appreciate in any sources, knowledge and clarification you all can provide.   Excuse me again for my ignorance.   Thank you kindly,   Dan ... View more