Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Get Started
- News & Events
- Collaboration
- Education Services
- Technologies
- Next-Generation Firewall
- GlobalProtect
- Threat Prevention Services
- Endpoint Protection
- SSL Decryption
- App-ID
- Content-ID
- User-ID
- 5G
- IoT Security
- Cloud Identity Engine
Network Security
- Prisma Access
- Prisma Cloud
- Prisma SD-WAN
- CN-Series
- VM-Series:
- Alibaba
- AWS
- GCP
- Azure
Cloud Security
- Cortex XDR
- Cortex XSOAR
- Cortex Data Lake
Security Operations
- Resources
- COVID-19 Response Center
About rbit0965
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- LIVEcommunity
- About rbit0965
05-13-2020
5Posts
0Likes
0Solutions
May 13, 2020Last Visited
User
Activity
User
Profile
Latest posts by rbit0965
| Subject | Views | Posted |
|---|---|---|
| 766 | 09-04-2013 12:06 PM | |
| 1194 | 08-19-2013 04:22 AM | |
| 1192 | 08-15-2013 06:14 PM | |
| 1192 | 08-15-2013 05:17 PM | |
| 1279 | 08-15-2013 02:44 PM |
User Badges
Community Statistics
| Member Since | 02-28-2013 11:07 AM |
| Date Last Visited | 05-13-2020 12:34 AM |
| Posts | 5 |
09-04-2013
12:06 PM
Currenly all routing must take place on our core network. (due to backup ipsec tunnels and faster MPLS circuts) Here is what we want to do but I am not sure how to accomplish this. We have four IPsec Tunnels that we do not want to be routed to each other without touching the core network first. Our current setup has all four IPsec tunnels terminating on different tunnel interfaces but all on the same virtual router. (vr-ipsec) Traffic destined for the core comes over the vr-ipsec and out eth10 for the core. However traffic for a remote site comes down the same virtual router and back up the correct tunnel interface. Skipping the core all together. What we want to do is terminate all the tunnels onto an interface facing the core. Each tunnel interface will have its own IP address. The core will know how to get to each remote site via the assigned IP on each tunnel. I can draw pictures if needed. Thanks
... View more
08-19-2013
04:22 AM
That is correct. We currently see two sessions. But our question is why did we not see two sessons before setting up the third zone?
... View more
08-15-2013
06:14 PM
Update: First I changed my VPN Tunnels to a newly created zone (IPSEC_Trust) and did the same thing for the 1/10 interface. Updated my any any rule to allow from and to IPSEC_Trust and also update my IPsec tunnels to the same Zone. This created mixed results. Some traffic was fitting the any any rule and other traffic wasnt. I did have both zones (ipsec_trust and trust) in the source and destination... would that fail? I then changed 1/10 interface back to trust. Updated my any any rule to allow from and to IPSEC_Trust and trust All untrust traffic from the remote site now works, and shows up as two sessions on the firewall. IPSec_Trust >> Trust Trust >> Untrust Is this the only solution for this?
... View more
08-15-2013
05:17 PM
I am able to ping and traceroute from 1/9 interface (via cli) to the remote site. So i would assume all the routes are correct.
... View more
08-15-2013
02:44 PM
I will try to draw this out the best I can and then ask my question. Remote Site (zone is trust, vrouter2, tunnel.1) <<>> Core network (zone is trust, Interface 1/10, vrouter2, layer3) Rule for this is any, any in both directions. The above is how all remote traffic flows. (all traffic hits the core) Core Network <<>> interface 1/9 (zone is trust, Vrouter1) <<>> Out to the web (zone is untrust, Vrouter1) What should happen: Remote user surfs the web, Traffic comes down the ipsec tunnel assigned a session ID by PA and logged. And is passed on to the core. and then passed back up to the firewall on interface1/9 where it would match a rule, gets logged, and be passed out to the web. Here is whats happening: Remote user surfs the web, Traffic comes down the ipsec tunnel assigned a session ID by PA and logged. And is passed on to the core. and then passed back up to the firewall on interface1/9 .... Nothing Happens. We cannot see a log or a deny at all. remote users cannot ping the 1/9 interface. My Originall suspicion is that the traffic is already assigned a session ID so PA drops the traffic. To fix this I would think I need to change my tunnel and tunnel to core(1/10) connection to be their own zone. Any ideas? I can provided more details if needed.
... View more
Labels:
- Labels:
-
Networking
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
05-13-2020
12:34 AM
|
Latest Tags
No tags yet
LEGAL NOTICES
Copyright 2007 - 2021 - Palo Alto Networks
