On our Juniper firewalls we are using web authentication to restrict access to certain hosts, and I would like to know if this is possible, and how to do it, on PA. The user hits a captive portal (webauth in Juniper) that is bound to an interface:

set interfaces reth0 unit xxxx family inet address x.x.x.x/24 web-authentication https

This presents a simple login page that requires two-factor authentication, which then puts an entry into a local database. A policy then allows the traffic based on this.

set security policies from-zone aaaa to-zone bbbb policy test match source-address subnetx
set security policies from-zone aaaa to-zone bbbb policy test match destination-address web-auth-hosts
set security policies from-zone aaaa to-zone bbbb policy test match application junos-https
set security policies from-zone aaaa to-zone bbbb policy test then permit firewall-authentication web-authentication

Authentication Profile

set access profile TEST-ACCESS authentication-order radius
set access profile TEST-ACCESS session-options client-idle-timeout 10
set access profile TEST-ACCESS session-options client-session-timeout 120
set access profile TEST-ACCESS radius-server x.x.x.x port 1812
set access firewall-authentication web-authentication default-profile TEST-ACCESS
set access firewall-authentication web-authentication banner success "TEST Access Login Successful"
I am running BFD with BGP in a cluster (active/passive) and I am unclear on how to set up a failover of the firewall to the passive peer if BFD fails, in order to bring up the BGP peer on the other node. Any assistance would be appreciated.
I was not able to get this to work without putting a source NAT policy in, and after I put that in, internet access is available.

nat-type ipv4;
from trust;
source any;
to INTERNET;
to-interface ethernet1/1;
destination any;
service any/any/any;
translate-to "src: ethernet1/1 x.x.x.x (dynamic-ip-and-port) (pool idx: 1)";
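For readers who want to reproduce the rule described in the post above, the same source NAT policy expressed as PAN-OS CLI set commands. This is an added example, not configuration from the original poster; the rule name `outbound-nat` is an assumption, while the zones `trust` and `INTERNET` and the egress interface `ethernet1/1` are taken from the quoted policy output. The lines beginning with `#` are annotations for the reader, not CLI input.

```text
# Added example, not from the post. Rule name "outbound-nat" is assumed;
# zone names and ethernet1/1 come from the "show running nat-policy" output above.
configure
set rulebase nat rules outbound-nat nat-type ipv4
set rulebase nat rules outbound-nat from trust
set rulebase nat rules outbound-nat to INTERNET
set rulebase nat rules outbound-nat to-interface ethernet1/1
set rulebase nat rules outbound-nat source any
set rulebase nat rules outbound-nat destination any
set rulebase nat rules outbound-nat service any
# Dynamic IP and port translation to the address of the egress interface,
# which is what "src: ethernet1/1 x.x.x.x (dynamic-ip-and-port)" in the output means.
set rulebase nat rules outbound-nat source-translation dynamic-ip-and-port interface-address interface ethernet1/1
commit
exit
# Confirm the installed rule matches the output quoted in the post.
show running nat-policy
```

Keep the destination zone pinned to the untrust zone (here `INTERNET`) rather than `any`; with `source any` and `destination any` already in the match, the zone pair is the only thing preventing this rule from hiding the real source of east-west traffic behind the firewall's interface address.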
With the NAT VM no longer being required and you can assign a public address to NIC1, I have a question on the NAT process concerning only connectivity from resources to the internet. Do you need to configure a source NAT policy, or do you just forward traffic to 0.0.0.0/0 via a static route to the .1 address of the subnet on NIC1 and the Azure environment will do the translation? It is my understanding you only assign the public IP address to the VM NIC and do not assign this to an interface within the Palo Alto configuration? Thanks, Steve
We are doing a POC with NSX and have stood up the firewalls, and they are recognized by Panorama; however, within "Managed Devices" the PA VMs are constantly showing connected, then disconnected. We do not believe this is a network problem, as Panorama and the NSX deployment are in the same lab environment and no other issues are encountered on the deployment or with other devices managed via Panorama. Looking to see if anyone has any troubleshooting thoughts. Panorama is at 7.1.2 and the VM firewalls are at 7.1.
Thanks