Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- LIVEcommunity
- ›
- About rkim
About rkim
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
yesterday
86Posts
48Likes
43Solutions
Jan 22, 2021Last Visited
User
Activity
User
Profile
Latest posts by rkim
| Subject | Views | Posted |
|---|---|---|
| 1832 | 08-24-2015 10:27 AM | |
| 724 | 08-01-2014 03:47 PM | |
| 1067 | 04-01-2014 03:16 PM | |
| 1746 | 03-09-2014 08:02 PM | |
| 906 | 03-09-2014 07:47 PM |
My Liked Posts
| Subject | Likes | Posted |
|---|---|---|
| 1 | 08-24-2015 10:27 AM | |
| 1 | 03-21-2012 09:53 PM | |
| 1 | 09-03-2011 10:24 PM | |
| 1 | 10-01-2011 09:28 AM | |
| 1 | 11-10-2011 10:30 PM |
User Badges
Public Statistics
| Date Registered | 06-03-2011 10:52 AM |
| Date Last Visited | yesterday |
| Total Messages Posted | 319 |
| Total Likes Received | 48 |
08-24-2015
10:27 AM
1 Kudo
Just to add to this thread, yes you should be able to achieve 30Gbps max firewall performance by simply adding an NPC even if you do not use the ports on that NPC. However, there is a change that you may need to make on the system level. By default the session distribution policy is set for ingress-slot. That means that sessions will only be handled by the NPC that has connected ports. In order to load balance between all NPCs you would have to change the session distribution policy to either session-load, random or round-robin. The differences between each setting are documented here. https://www.paloaltonetworks.com/content/dam/paloaltonetworks-com/en_US/assets/pdf/technical-documentation/hardware-guides/pa-7000-series/PA-7000-Series_Hardware_Guide.pdf Note that if in HA, the session distribution policy needs to configured the same on both HA peers separately as this is not sync'd with configurations.
... View more
08-01-2014
03:47 PM
It sounds like you are hitting phase 2 lifetime and tunnel drops due to lack of traffic across the tunnel. PANOS defaults to 1 hour for ipsec-sa 2 lifetime. Have you checked with Cisco to see what is their ipsec SA lifetime? Based on your last comment, seems that tunnel is functioning as expected. You may want to also check with Cisco to see if they have a way to keep their tunnels always up.
... View more
04-01-2014
03:16 PM
1 Kudo
Have you seen this doc yet? User-ID Best Practices - PAN-OS 5.0, 6.0 This outlines several options for mapping users to IPs. In particular, if you have AD environment I would consider reading security logs method over WMI if you want to avoid the inherent chattiness of probing. There are other options as well such as using MS Exchange or if running 6.0.x, using syslog for ip-user mappings. -Richard
... View more
03-09-2014
08:02 PM
You don't mention anything about what PAN-OS version you are running or your management resource utilization. I would suggest following below article for some commands to view overall system utilization. Troubleshooting Slowness with Traffic, Management, or Intermittent SSL Decryption If you still have issue, I would recommend contact TAC to see if there is anything perhaps consuming inordinately large amount of resources or not. -Richard
... View more
03-09-2014
07:47 PM
2014-03-07 12:40:36 [PROTO_NOTIFY]: ====> PHASE-1 NEGOTIATION STARTED AS INITIATOR, MAIN MODE <==== ====> Initiated SA: 126.57.38.50[500]-85.111.55.10[500] cookie:2fa8ed99f184af97:0000000000000000 <==== This could be for following reasons: 1. PAN device is sending out UDP 500 packet to start phase 1. But it is not received on SSG side. 2. SSG received PAN UDP 500 packet, but is not sending out 2nd message with responder cookie. 3. SSG received PAN UDP 500 packet and sent 2nd message with responder cookie. But it is not reaching PAN device. 4. SSG sent 2nd message and PAN device received it. But did not recognize it for some reason. Best thing to do in this case is to narrow down which side is having a problem. I would suggest running packet captures on both PAN side as well as SSG side filtering for UDP 500 packets. What you are looking for is to see if PAN is sending IKE packet and on SSG side make sure IKE is received. If PAN side shows IKE is sent but SSG side never sees the packet, then you have an issue on your provider side possibly blocking UDP port 500. Just remember for any VPN troubleshooting you always want to look at both sides of the tunnel. So let us know what SSG is seeing as well. -Richard
... View more
03-09-2014
06:27 PM
1 Kudo
Just to add to discussion, CP works by sending a 302 redirect when HTTP GET is received. HTTPS encrypts the GET message. Hence no redirect is triggered. This is why you need SSL decryption if you want to CP HTTPS traffic. -Richard
... View more
03-03-2014
12:09 PM
These messages are seen now due to new enhancements in 6.0 related to Syslog over TCP or SSL. However, the message is incorrectly being sent once every hour. That will be addressed in upcoming 6.0.1 (reference addressed issue id 60816 once 6.0.1 becomes available). -Richard
... View more
01-02-2014
01:49 PM
1 Kudo
To verify if traffic is transmitted or received by the PA device, you can set up packet captures. If you are not familiar with how to do that, you can follow below link. https://live.paloaltonetworks.com/docs/DOC-2542 Basically the idea is to set up transmit stage captures to see if packet was transmitted from DP and receive stage captures to see if you received a response from destination host. -Richard
... View more
10-31-2013
10:34 AM
1 Kudo
Predict sessions are created due to ALG function in a particular application decoder. When a packet arrives which matches the predict session, it will be converted to a regular Flow session. Predict sessions do not generate a traffic log. But the resulting Flow session will. Hope that helps. -Richard
... View more
10-31-2013
10:30 AM
2 Kudos
Currently there is no OID for tracking GP users via SNMP. However, I would advise to contact your PANW Sales Rep to inquire about roadmap for such a feature. -Richard
... View more
10-31-2013
10:19 AM
1 Kudo
Did a quick test on PA-3020 and PA-200 and the test nat-policy-match command worked fine for me. I used PAN-OS 5.0.6 and 5.0.8. What PAN-OS version are you running? Perhaps you can try adding more parameters in your test command such as from zone, etc. See if that makes a difference. -Richard
... View more
10-11-2013
10:56 AM
Multiple gateways to single portal requires a GP Portal license on your portal firewall. Otherwise you cannot configure your second gateway on the 1st firewall. Do you have the license properly installed for GP Portal? Easiest way to check would be on GUI goto Device tab > Licenses. -Richard
... View more
08-20-2013
10:12 PM
Could you confirm that you are currently running PAN-OS 4.1.2 ? If so then there were some NAT pool leak issues resolved between that release and latest 4.1.x release which is 4.1.14. If indeed on 4.1.2 then I would recommend scheduling an upgrade to 4.1.14 and see if you still have issues. If you continue to have NAT pool issues with 4.1.14, then I would recommend to open a support case to have TAC investigate. -Richard
... View more
08-20-2013
09:41 PM
1 Kudo
I am not familiar with CP port reuse option, but am curious if it basically disables TCP window or sequence checking. On PANW firewalls you can disable TCP window checking to work around port reuse situations. One major issue with hosts that re-use source ports for connections is that second session would use new Seq/Ack values which would likely fall outside of our normal TCP window checks. On other vendor platforms, this may also be referred to as TCP sequence checking. I normally recommend to correct the behavior to not re-use source ports at the source since this is inherently insecure behavior. But if that is not possible, then disabling the TCP window checking functionality in PAN-OS may be the best alternative. There are two ways to disable the TCP window checking. 1. Globally with configuration: # set deviceconfig setting tcp asymmetric-path bypass # commit 2. Per zone within Zone Protection Profile > Packet-Based Attack Prevention. Set Asymmetric Path to "bypass". Then apply to the zone in which client originates the session followed by commit. The risk in disabling TCP Window checking is that you can potentially open up the firewall to man-in-the-middle attacks. This is why I recommend to correct the problem at the source. -Richard
... View more
07-29-2013
01:52 PM
3 Kudos
I believe that the feature that Juniper ScreenOS/SRX uses to support binding multiple VPNs to single tunnel interface is called next-hop tunnel binding (NHTB). This is not part of the RFC standard for IPsec and should be considered proprietary for Juniper. For the most part this allows to save on the number of tunnel interfaces that would need to be configured and is meant for hub-and-spoke configurations. The configuration though is not that simple in that despite sharing single tunnel interface as you still need to populate the NHTB table with either static NHTB entries or via routing protocol such as OSPF p2mp. For PAN-OS there are two options to do similar scenario. 1. With 5.0 you can deploy large-scale VPN with Global Protect Satellite configuration. This is closest to Juniper NHTB. It is actually similar in that you can use a single tunnel interface and then can either specify routes to advertise to GP gateway or use OSPF to learn routes from all spoke sites. But also can do much more in that the configs on each satellite site is rather easy since you point each satellite site to the GP portal to automatically get all configs about each GP gateway to connect to. 2. Configure separate tunnel interface for each spoke site. There should not be an issue with limit on number of tunnel interfaces that can be configured (actually the limit is higher than the max number if SAs that can be configured). Then you can add each of the interfaces into OSPF p2p to learn each spoke site routes. For reference, here is a good doc on the Large-Scale VPN feature in 5.0. https://live.paloaltonetworks.com/docs/DOC-4139 Hope this helps. -Richard
... View more
Latest Blogs
Latest Posts
Copyright 2007 - 2021 - Palo Alto Networks
