This website uses cookies essential to its operation, for analytics, and for personalized content. By continuing to browse this site, you acknowledge the use of cookies.
For details on cookie usage on our site, read our Privacy Policy
For details on cookie usage on our site, read our Privacy Policy
About OCEDTRA
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- LIVEcommunity
- About OCEDTRA
07-20-2016
4Posts
0Likes
0Solutions
Jul 20, 2016Last Visited
User
Activity
User
Profile
Latest posts by OCEDTRA
| Subject | Views | Posted |
|---|---|---|
| 2851 | 03-30-2016 06:39 AM | |
| 2869 | 03-29-2016 10:47 AM | |
| 2900 | 03-24-2016 09:38 AM | |
| 3091 | 03-07-2016 10:38 AM |
Posts I Liked
| Subject | Likes | Author | Latest Post |
|---|---|---|---|
| 1 Like | |||
| 2 Likes |
User Badges
Community Statistics
| Member Since | 01-30-2013 07:18 AM |
| Date Last Visited | 07-20-2016 01:40 AM |
| Posts | 4 |
03-30-2016
06:39 AM
Hi reaper,
now I think I got it. Thanks for your valuable hints!
This brings me even more to the conclusion that path monitoring is something I don't want in thsi scenario.
... View more
03-29-2016
10:47 AM
Hi reaper,
thank you for your reply.
The information that the passive member does not do path monitoring was very valuable to me.
I totally agree with your recommendation.
In my real scenario, I have an additional connection between F1 and R2, so i'm think about putting more priority on F1,
for it will always be my active firewall.
Instead I'm thinking about not having a path-monitoring on the routers at all, because I can't see any value in this any more.
To answer my own question from the beginning:
F2 was the active partner,
when the interconnection between S1 und S2 goes down,
F2 sees the path to R1 down and sees itself as "failed"?
Now F1, which didn't do path monitoring becomes active (is healthy, has all links, sees that F2 reports itself as "failed", doesn't do path-monitoring already...)?
Now it does tracking to R1 and R2... But as the interconnection between S1 and S2 is down, it cannot reach R2.
So after some time it will marks itself as "failed"?
F2 is still in "failed"... so there's no failover back to F2, right?
Now the PBF tracker will find that R1 is available and F1 will forward traffic through it?
Is the answer,
"yes, it will actually failover, but already when the interconnection between the switches goes down"?
Thank you for helping me to understand.
... View more
03-24-2016
09:38 AM
Hello,
sorry, if I missed something obvious... but I need your help, because I have no lab environment where I could answer my question by just testing....
I have two PA-200 with HA Lite.
Both have an outside interface connected to a switch:
Firewall F1 with switch S1, Firewall F2 with switch S2.
S1 and S2 have an interconnection.
Now there are two routers (with internet uplinks) connected to the switches, on each side:
Router R1 witch to S1, Router R2 to S2.
R1
|
S1-F1
|
S2-F2
|
R2
The default internet uplink is via R2.
There's a PBF configured that in case R2 is not reachable, the default route goes via R1.
There's link monitoring on the FW-interfaces connected to the switches.
There's path monitoring to both of the Routers.
Taken F2 is the active partner,
Taken the interconnection between S1 und S2 goes down:
Active and passive firewall would not see any change in link monitoring.
The passive partner would report that the path to R2 has failed and the device would change to "failed" state (?)
The active firewall would see that path to R1 went down and also change to "failed" state (?)
But as F1 which sees F2 in "failed" now, is in "failed" itself, I don't think a failover would occur...
Does it?
Now R2 also goes down...
IMHO, F2 is failing a little more, because it has lost the path to R2 _and_ R1.
If a failover would happen now, the PBF-Tracker would report that the backup-route is available and could forward traffic via R1.
How are failover decissions done? Is there documentation?
Would my HA pair failover to F1?
Thank you for your help!
... View more
03-07-2016
10:38 AM
Hello,
I have created a CSR:
request certificate generate country-code DE days-till-expiry 1100 email NOC@DOMAIN.COM locality BERLIN signed-by external organization MYORG ip 1.1.1.1 algorithm RSA rsa-nbits 2048 certificate-name testcert name test.domain.de
Looks fine and I can also see it in the WUI.
Now I would like to export it via SSH:
scp export certificate certificate-name testcert format pem include-key no to myuser@10.10.10.10:/cert_test.csr
but I get
Server error : Failed to prepare certificate testcert for export
This works fine for already existing certificates... but not for a CSR...
What am I doing wrong?
Any help appreciated. Thank you!
... View more
LEGAL NOTICES
Copyright 2007 - 2023 - Palo Alto Networks