About MrDMartins

Hi Gang,   First, thanks for having a look and a big thank you for taking the time to respond.   I recently created a security policy rule that blocked outside-outside zone traffic. I did this due to outside traffic that did not match any NAT rules, for some reason, ended up matching the intrazone-default rule. Although this effectively allowed such traffic, such traffic simply aged-out since we have nothing on those public IP addresses (it is all NATed after all). This is improves insight, statistics and so on since this traffic was no longer being allowed.     I did however notice that, when attempting to ping from the public interface of the firewall, it was hitting the same outside-outside deny rule. This is expected since the ping from public interface is after all outside-to-outside zone. Disabling the rule of course means the ping now works.   I am wondering what you all have done in this circumstance? Though we can ping from the inside but are you happy that you can't ping from your outside interface? I was worried it would potentially break path monitoring etc. but that works from the inside so that's fine.   Thank you kindly!   Daniel ... View more

Hi Gang, Still getting grips to everything so would love your help in understanding the behaviour of traffic when it is NATed and allowed.    The Scenario:  Zones: outside and inside A DNAT rule from outside-to-outside that NATs 1.1.1.1:22 which translates to 192.168.1.1:22 A security policy that from outside-to-inside traffic for 1.1.1.1:22 Result: Any other traffic destined for 1.1.1.1 but not matching port 22 matches the intrazone-default rule. This results in traffic being allowed. However, traffic will time-out as there is nothing on that public address.  Questions: Is this the expected behaviour of the firewall? Why is traffic allowed from ports which we did not specifically define in the NAT and alow in the security rule? Should I be worried that traffic other than specified in the NAT and security policy is being allowed? How best to block this behaviour? I guess we'd need to create a deny security rule for each allow rule to prevent happening?    Thank you a bunch!!!   Daniel ... View more

Hi Gang,   We need to change the management IP address of Panorama due to a complete change in our network. It runs in, Panorama mode, and manages several firewall pairs (which forward their logs to Panorama).   My questions is: Is it as easy as changing the IP address of Panorama? Then logging into the managed firewalls to change the Panorama address?   It ought not to affect the groups and current configuration right?   Than you all for your time! Daniel  ... View more

Hi Gang, We have Palo Alto Panorama and Firewalls and yes all going smoothly, however, It is not the end once it is up and running.   So I am keen to read on all what you do in the daily administration of your PAN environments. All I have really, in terms of daily administration is: I've got email alerts configured to say if HA kicks in, will look to add more Reports - I need to look into as I have neglected this bit We will look to do health checks say through Nagios example Hoping to learn off more from all you seasoned people!   Thank you all, Daniel ... View more

Hi Gang,   Excuse me for my ignorance. We had firewalls Palo literally thrown at us, and instantaneously put into production (not great!).    I have a pair of Palo's in HA Active/Passive with preemptive enabled on active/primary. These are in turn, patched to an INET switch (internet handed off via a single ethernet patch cable to this switch).    We have HA (device > ha > link and path monitoring) configured for the link and path monitoring: Link group: Failure = any Link group = all interfaces Path monitoring:  Failure = any path group = virtual router path with internal and external destination IPs, at 500ms interval and 5 ping count. Now say the active firewall detects a link failure interface (bear in mind this is an interface that is on the same switch as the secondary). The passive firewall takes over until the primary is ready to preempt over. We are right here.    Now the same scenario but this time, there is a path link failure. Now, let's say something has happened upstream, say the ISP router went down. No pings to say public IP addresses 8.8.8.8 and 8.8.4.4, so no internet at all and thus the primary firewall will detect path link failure as per HA. The secondary will take over.   In the scenario mentioned before, not sure what happens: The primary firewall, it will be passive waiting to preempt when links are back, though secondary has no internet either, so what happens here? The secondary it takes over thought what happens here too (I haven't configured link and path monitoring yet on the passive firewall - should I do so)? Both firewalls are sitting there with no path to the internet. What happens here? What happens with flapping in this case and not hard path link failure to both firewalls. Do I bother with virtual router path monitoring or rely on HA monitoring? To make it more confusing, Palo's are connected to ACI. We are wondering if the internet is unavailable for both firewalls, could both firewalls shut down all internal-zone-based-interfaces so that ACI could detect a failure on the aggregate links to active and passive? In this case, ACI would proceed to remove the static quad route to the firewall pair and insert another route so traffic is routed elsewhere. ACI is tracking IPs external IPs via the Palo to determine failure.   Perhaps I am overthinking this and lost in my mind. Appreciate in any sources, knowledge and clarification you all can provide.   Excuse me again for my ignorance.   Thank you kindly,   Dan ... View more