This website uses cookies essential to its operation, for analytics, and for personalized content. By continuing to browse this site, you acknowledge the use of cookies.
For details on cookie usage on our site, read our Privacy Policy
For details on cookie usage on our site, read our Privacy Policy
About johnstoni
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- LIVEcommunity
- About johnstoni
02-19-2021
4Posts
0Likes
0Solutions
Feb 19, 2021Last Visited
User
Activity
User
Profile
Latest posts by johnstoni
| Subject | Views | Posted |
|---|---|---|
| 1782 | 02-18-2021 08:42 PM | |
| 2198 | 04-20-2020 09:02 AM | |
| 5897 | 03-18-2020 03:06 PM | |
| 5936 | 03-18-2020 06:38 AM |
Posts I Liked
| Subject | Likes | Author | Latest Post |
|---|---|---|---|
| 1 Like |
User Badges
Community Statistics
| Member Since | 01-02-2020 08:13 AM |
| Date Last Visited | 02-19-2021 09:23 PM |
| Posts | 4 |
02-18-2021
08:42 PM
I work for a global enterprise that has around a dozen PA 7000 series FWs running between 2 & 6 vSystems each. We have many address groups with more than 500 members, and several "SuperGroups," containing two, or more, of those large groups. Let's say address-group group-1 contains 500 members address-group group-2 contains 550 members address-group group-3 contains 600 members address-group group-4 contains 650 members address-group group-5 contains 1000 members address-group SuperGroup contains address-groups 1, 2, 3, 4, & 5 Which is the best way to write a security policy for these groups: Rule Name source-zone address dest-zone address application services action logging 1 internal SuperGroup external 8.8.8.8 DNS Application-default permit whatever 2 internal group-1 group-2 group-3 group-4 group-5 external 8.8.8.8 DNS Application-default permit whatever 3a internal group-1 external 8.8.8.8 DNS Application-default permit whatever 3b internal group-2 external 8.8.8.8 DNS Application-default permit whatever 3c internal group-3 external 8.8.8.8 DNS Application-default permit whatever 3d internal group-4 external 8.8.8.8 DNS Application-default permit whatever 3e internal group-5 external 8.8.8.8 DNS Application-default permit whatever i.e. Is combing, or nesting, groups in to super-groups OK? Is there an impact on performance, or anything else, doing this? Is listing groups, rather than having a super-group, a better way to do it? Is it better just to have separate rules for each group, like 3a through 3e? The only difference in the above rules is how the source addresses are configured: in a super-group, a list of groups, or using multiple rules, one address-group per rule. Looking forward to your replies. Thanks, Ian
... View more
- Tags:
- PA-7000 Series
04-20-2020
09:02 AM
This is a question about how a firewall, FW, keeps IP to UID associations current/up-to-date in an environment where such associations might be changing every few seconds. A FW associates a UID with an internal IP address, e.g. 10.10.10.10, which has no UID associated with it. Let's say that I logon as ipj1965 from 10.10.10.10. The first time a FW sees traffic from 10.10.10.10 it will ask itself "Do I know who's at 10.10.10.10?" If not, it will ask its associated UID servers. They do know the answer, as they're constantly interrogating the Windows AD Server Logs, and will tell the FW. If my UID logs off, and nobody else is given 10.10.10.10, no problem. If I 'move' to a new IP address, e.g. 10.10.10.11, that was previously not associated with a UID, the FW will associate ipj1965 with that new IP, again, by asking its UID servers. I think that this is in addition to my prior IP, 10.10.10.10. I also assume that this prior association times out after a period set somewhere in the firewall's configuration. What happens when somebody else, e.g. joeblogs, is given IP 10.10.10.10? Unless the association between 10.10.10.10 and ipj1965 has timed out, joebloggs will now be permitted through any policies in which ipj1965 is a named user. When, and how, do the FWs confirm their IP address to UID associations? The UID servers will know almost immediately that the joeblogs is now associated with 10.10.10.10. Do the UID servers send a message to the FWs telling them to drop the IP/UID association whenever they learn that a UID has logged off, or changed IP? Do the UID servers keep track of which UIDs the FWs have asked them about and inform them of any changes? If it all depends on timeouts, what happens with IPs that are only associated with a UID for a short time before quickly being associated with another UID (even though it's only a single UID at any one time)? I'd also like to know where this timeout is set, if that is the way the FWs keep their IP/UID associations current. Thanks for any and all help, Ian
... View more
03-18-2020
03:06 PM
Solved by: import pandevice my_fw = firewall.Firewall(host, user, password) response = my_fw.op(command2, xml=True) print(response) The response is a page of XML, so needs to be interpreted, but I do get the answers I want 🙂
... View more
03-18-2020
06:38 AM
I have a very simple python script that uses ssh=paramiko.SSHClient(), ssh.connect (host, 22, user, password), stdin, stdout, stderr=ssh.exec_command(command), and for line in stdout.read().splitlines(): print(line). When I set host, user, password and command, e.g. "show ip int brief", to connect to a Cisco router, everything works fine and the script prints out the results that I expect. However, when I set them to connect to a PAN firewall, e.g. command="show clock", my script connects to the FW, which I confirm by looking in the FW's system log, but all I get returned is the 'Number of failed attempts since last successful login: 0' message? Any ideas - I'm sure I'm just missing something basic. Do I need to import any of the PAN packages or can I just run run simple CLI commands using paramiko? PS: I sleep for 20 seconds after connecting before running the ssh.exec_command() Thanks, Ian
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
02-19-2021
09:23 PM
|
Latest Tags
No tags yet
LEGAL NOTICES
Copyright 2007 - 2023 - Palo Alto Networks