Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Live
- ›
- About Rboehme
About Rboehme
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
01-21-2020
19Posts
1Like
1Solution
Jan 21, 2020Last Visited
User
Activity
User
Profile
Latest posts by Rboehme
| Subject | Views | Posted |
|---|---|---|
| 848 | 07-11-2019 08:37 AM | |
| 1425 | 07-11-2019 08:26 AM | |
| 999 | 07-11-2019 07:54 AM | |
| 777 | 05-17-2019 02:11 PM | |
| 1117 | 12-19-2018 06:05 AM |
My Liked Posts
| Subject | Likes | Posted |
|---|---|---|
| 1 | 01-11-2018 03:43 AM |
Posts I Liked
| Subject | Likes | Author | Latest Post |
|---|---|---|---|
| 1 | |||
| 1 | |||
| 1 | |||
| 13 | |||
| 1 |
User Badges
Public Statistics
| Date Registered | 01-23-2015 01:05 AM |
| Date Last Visited | 01-21-2020 05:25 PM |
| Total Messages Posted | 21 |
| Total Likes Received | 1 |
07-11-2019
08:37 AM
From the description I understood he wants to ping his own gateway. Therefore there is no policy needed. (intra-zone). Is traffic from inside vlan.101 accepted and processed by the firewall?
... View more
07-11-2019
08:26 AM
Hi James, from my point of view there is no downsite. If your ruleset is appropriate there is no reason to let the intra-/inter-zone Default rules not log events. As mentioned by other user you can have a deny/any/any rule before the default rules but this is basically only useful if you have setup policies for everything. Imagine some customer/partner wants to setup a VPN with your outside interface. As he is based within the outside zone as well as your outside interface this would normally hit the "intra-zone default rule" - which can not being hit when a deny/any/any statement is placed before. The best practice is to set logging to "at session end" and you can safely enable the logging on those rules as I do primarily assume you do not want this rule to be it but when it gets hit you want to see it in the logs. Kind regards, Rene
... View more
07-11-2019
07:54 AM
Dear CRDF18, please try the following steps: SSH into FW2 sourcing from FW1 (just connect and accept the key) SSH into FW1 sourcing from FW2 (just connect and accept the key) Enable HA1 encryption again and let us know the outcome 🙂 Kind regards, Rene
... View more
05-17-2019
02:11 PM
Dear Community, I have found this side note in an article regarding the master key on the firewall. "Without the Master Key, when a configuration is exported from a firewall, the password is hashed and can be copied." Basically its the exact answer of the question I originally had. I am facing a situation where a firewall crashed. I have received the new firewall and have the certificates and the running config saved locally. When trying to import the config the firewall skips basically every entries in regards to password or keys and shows this as error messages. I do understand the firewall is unable to decrypt those data without a matching master key. However from where do I retrive the master key hash and do I assume correclty to use the hash as the password for the imported config? Thanks. Kind regards, Rene
... View more
12-19-2018
06:05 AM
Dear Comm, I was googleing alot about this topic and but only found this: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClXlCAK My specific question is, if a the User ID agent show the username "pre-logon" learned via "GP" - does this "user" counts to the "gruoup" of "known"-user which I can use in security policies? Thanks for your support. Kind regards, Rene
... View more
12-12-2018
03:40 AM
Dear Comm, I do understand that we use the master key for encrypting our private keys and passwords stored on the firewall. However I am wondering why we should touch this key at anytime? What is the default lifetime of the default master key? I assume it to be 0 (=infinite) as I cant find anything about this question even in the PANOS admin guide. Please clarify: - What is the default lifetime of the native/default master key? - Why should we change it (periodically? How often?) Thanks and kind regards, Rene
... View more
01-11-2018
03:43 AM
1 Kudo
Dear comm, sorry for the stupid question. Right after posting it came into my mind: admin@Roob_Stark(active)> show system info | match operation operational-mode: normal Thanks 😛
... View more
01-11-2018
02:54 AM
Dear comm, when searching for operational modes you will find a bunch of guides how to change mode from normal to CC or FIPS. However I would like to know where I can check the current mode running. I know you can clearly see it when using Panorama but this is not the case here. Where can I check the operational mode on a standalone firewall? Kind regards, Rene
... View more
08-15-2017
08:56 AM
Dear Trancefor, thank you for your answer. I am confused by this: Usually four LDAP servers are more than enough to authenticate all the users in the domain, and to provide redundancy in case a LDAP server goes down. This sounds like:"Hey, I will use one LDAP forever, if it goes down, I just will pick the next in the list". Sometimes, larger companies have more than four LDAP servers with distributed environments in which users connect to dedicated LDAP servers. Users may contact LDAP servers that are not one of the four servers, and will try to authenticate to them. So this sounds to me like (if the first statement above is true):"Hey I will use the first LDAP server of the first entry of the authentication sequence. If this authentication fails, I will contact the first LDAP server of the second entry of the authentication profile." Bascially if you have two groups of LDAP servers: Group1: 1,2,3,4 Group2:5,6,7,8 Authentication Sequence: Group1,Group2 Assuming no LDAP server goes down ever: LDAP1 will be contacted and LDAP5 might be contacted, the rest of the server will never be contacted. Am I right here? Kind regards, Rene
... View more
08-15-2017
07:56 AM
Dear comm, when I have several LDAP servers in a profile for user authentication. How is this list utilized? Is only the first entry used? Are authentication requests distributed over all configured servers? How does it work? Kind regards, Rene
... View more
- Tags:
- authentication
- ldap
05-05-2017
05:30 AM
Dear all, we found out that we are not able to restart VPN tunnels in PANOS 8.0.x from GUI because its grayed out and it is an expected behavior as you can see the message "Restart disabled because OK". The conclusion is that on version 8.0.x it's not possible anymore to restart the tunnel from GUI if the tunnel is up and running, but you can still restart the tunnel from CLI. Unfortunately there is no official document discussing this subject yet. Will Palo Alto support us with an official document in the near future? We dont wanted to open a TAC case for this question so we are directing this question to the community. Thanks and kind regards, Rene
... View more
11-23-2016
05:48 AM
Hi there, if we are going to the tab "Policy" we will see 7 different sub tabs. The tabs are: Security NAT QoS PBF App Override Captive Portal DoS Protection So I know for example that Security rules are always checked before NAT rules but whats about the rest? I spent planty of time google for this information but without success.
... View more
10-18-2016
07:43 AM
Dear community, I am struggling around with a though I cant find an answer for. I every documentation I found they state that additional LDAP server are for fault tollerance only. Imagine the follwing setup: A customer is loadbalancing user authentication against more than one LDAP servers. So actually that means the firewall will only monitor one of maximum 4 LDAP servers (per profile). Think about all of the servers are up and running but user logon is distributed across all four LDAP servers. How will I be able to discover complete user ID information? Kind regards, Rene
... View more
10-13-2016
05:08 AM
Actually what you can to is: - attach your trust interface to the VR - attach your untrust interface to the VR - go to the CLI and enter "ping source <ip-of-trust-interface> host <ip-of-host-in-untrust-zone> A setup like this would normally be trust (LAN) to untrust (internet) so in my case it would be: ping source 192.168.0.1 host 8.8.8.8 If the ping succeeds you know that your VR is working.
... View more
10-13-2016
04:56 AM
Dear cpainchaud , thank you for your suggestion. I will check that out. At least I got a clue now. I will get back here if I found a solution.
... View more
10-12-2016
07:44 AM
Hi all, is anyone familiar with this issue? We are facing this currently but Google almost spits out nothing about this issue. I was going through the User-ID deployment and troubleshooting guide but nothing helpful there. Any ideas?
... View more
09-15-2015
06:27 AM
Have export of traffic /threat/url etc set up on log export All setup to use SCP. Target linux server is setup correctly. Test SCP server connection works correctly (see attach word doc) Job fails with an error in system log : Failed exporting data log via ssh (last-calendar-day) to 192.168.252.61. Permission denied, please try again..' ) Also tested everything is OK by running export from command line , this works , see log below: ****@sd061(active)> scp export log traffic to data-paloalto-prd@192.168.252.61:/home/data-paloalto-prd/sd060logs/sd060-20150914x start-time equal 2015/09/11@00:00:00 end-time equal 2015/09/14@10:09:00 (container-tag: export container-tag: log container-tag: traffic leaf-tag: to value: data-paloalto-prd@192.168.252.61:/home/data-paloalto-prd/sd060logs/sd060-20150914x container-tag: start-time leaf-tag: equal value: 2015/09/11@00:00:00 pop-tag: container-tag: end-time leaf-tag: equal value: 2015/09/14@10:09:00 pop-tag: pop-tag: pop-tag: pop-tag:) ((eol-matched: . #t) (cli-handler: . scp-handler) (context-inserted-at-end-p: . #f)) /usr/local/bin/pan_logquery -L 3600 -b -t traffic -t1 1441926000 -t2 1442221740 2> /dev/null | /usr/bin/ssh 'data-paloalto-prd@192.168.252.61' ' cat > /home/data-paloalto-prd/sd060logs/sd060-20150914x ' data-paloalto-prd@192.168.252.61's password: Marking log as exported successfully... /usr/local/bin/pan_slog -t 1 -s 1 -o 'Succeed to export traffic log (2015/09/11@00:00:00 - 2015/09/14@10:09:00)' /usr/local/bin/pan_logquery -L 3600 -b -t traffic -t1 1441926000 -t2 1442221740 -m 1> /dev/null 'cfg.reportd.enable': NO_MATCHES 2015-09-14 10:41:26.518 +0100 Error: pan_logdb_update_file_construct(pan_logdb.c:474): update file: /opt/panlogs/logdb/traffic/1/20150914/pan.0000000000.log.actionflags.updatefile exists but of wrong size: 800891 expected size: 809485 /usr/local/bin/pan_slog -t 1 -s 1 -o 'Succeed to mark traffic log as exported' May you please help?
... View more
02-11-2015
08:01 AM
Dear all, i have searched for a while now and was reading through the documentation. Unfortunately I didn't find anything. I would like to now if it is possible to get a report created which fulfills the following criteria: - logs all VPN logins done by the users - is sent out automaticly on a given time Thanks and regards, Rene
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
01-21-2020
05:25 PM
|
Likes Given To
Latest Blogs
Latest Posts
Copyright 2007 - 2020 - Palo Alto Networks
