Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Live
- ›
- About cosx
About cosx
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
01-14-2019
26Posts
3Likes
0Solutions
Jan 14, 2019Last Visited
User
Activity
User
Profile
Latest posts by cosx
| Subject | Views | Posted |
|---|---|---|
| 872 | 11-12-2015 04:51 PM | |
| 835 | 11-12-2015 04:46 PM | |
| 883 | 11-11-2015 01:18 PM | |
| 595 | 10-16-2015 03:54 PM | |
| 470 | 03-27-2015 09:18 AM |
My Liked Posts
| Subject | Likes | Posted |
|---|---|---|
| 1 | 11-30-2012 02:49 PM | |
| 1 | 03-26-2015 02:10 PM | |
| 1 | 08-26-2013 03:44 PM |
User Badges
Public Statistics
| Date Registered | 06-14-2011 01:52 PM |
| Date Last Visited | 01-14-2019 01:28 AM |
| Total Messages Posted | 26 |
| Total Likes Received | 3 |
11-12-2015
04:51 PM
Running 6.1.2 and keep up-to-date with the application-threat updates.
Yeah, it all worked fine when we weren't allowing quic. We didn't start seeing problems until we expressly allowed it.
... View more
11-12-2015
04:46 PM
If you are using a loopback address that is in the same range as the Ethernet interface, are you sure that the provider router is finding the loopback via ARP? Since the address is local to the provider's address on that link, it is going to try to resolve it directly rather than route it to your firewall on the next-hop address.
FWIW, we terminate a bunch of VPNs on a loopback, and it works fine. The loopback is "behind" the firewall from the provider router's point of view, so it routes to the firewall as the next hop.
... View more
11-11-2015
01:18 PM
We started getting complaints from users that various Google services were showing intermittent disconnects. I think we've tracked it down to the QUIC protocol not being accurately identified by the PAN firewalls and getting blocked. I see 443/udp traffic from the hosts in question getting dropped as "unidentified-udp" mixed in with the allowed "quic" traffic on the same ports to the same general set of Google servers. Google has been rolling out QUIC for a while now, but we only recently allowed it in the firewall. It's been since then that we've seen the Google issues start.
I am considering adding a rule allowing "any" application out on 443/udp as a workaround. Has anyone else seen similar problems? That is, do you allow "quic" out to the Internet, but otherwise would drop 443/udp and see or not see this issue? Did you implement a workaround like this or something else? (BTW, I am not overly concerned about the security implications. PAN firewalls don't understand the QUIC traffic like HTTPS to guess at the Google "applications" inside.)
... View more
10-16-2015
03:54 PM
From what I understand, you need to explicitly allow "depends on" apps for a given app to work,
https://live.paloaltonetworks.com/t5/Management-Articles/How-to-Check-if-an-Application-Needs-Explicitly-Allowed/ta-p/61893
However, what if I want to only allow the "child" application, but not the parent?
My example is "logmein." We explicitly block it since it violates policies to have employees to set up their own remote access into our network. However, Microsoft uses LogMeIn as a support tool. I think that functionality is the "logmeinrescue" application.
So how can I set up my security policy to allow logmeinrescue, but not allow generic logmein? I'm not sure if it is possible.
... View more
03-27-2015
09:18 AM
Yes, I can limit source IP addresses at either the Interface Mangement level or within the Security Policy. But any administrator will then be able to access from the allowed IP addresses. I want to restrict some IP addresses to only certain administrators. For example, the administrator "johndoe" can only access HTTPS or SSH management via the management interface and/or from 10.100.0.0/16. Another user, "joefailsafe," can get in over an Internet-facing interface from <some-public-internet>/29 addresses. Whether joefailsafe also has access via the management interface and internal IPs, I don't care. What I do not want is for johndoe to be able to get in from the Internet at <some-public-internet>/29. Using the features mentioned in the two previous responses, there is no difference in accessibility for johndoe and joefailsafe. (Again, I'm not sure that there is a way to do this in PANOS. I thought I had seen the feature somewhere, but now I'm pretty sure I must have imagined it or be confusing our firewalls with some other device/OS.)
... View more
03-26-2015
03:16 PM
Is there a way to restrict access for specific administrators by interface or IP address? I really thought I'd seen this somewhere, but now I cannot find it in GUI or docs. Quick explanation of what we want to do. We want to have a sort of backdoor, emergency access to the firewalls directly from the Internet. That is, should some catastrophic network event (big misconfiguration or failure of the firewalls themselves, the core network, or remote access devices) break our usual ability to log in via remote access VPN and come into the firewalls' management interfaces, we want to be able to connect directly into the firewalls from the Internet. These firewalls are in a data center, so it's at least a half-hour car ride even during business hours, plus we want our off-site managed services provider to also have this ability. Usually, we use AD-backed authentication for administrators on the internal network. However, in the event of a failure, the AD servers may not be reachable, plus from a security point of view, using simple username-password authentication does not seem secure enough to face the Internet, even with source IP address restrictions. We would want to have a more secure local authentication method. Luckily, using public-key-based authentication (SSH keys and HTTPS client certs) are both options for local administrator authentication. So, those local accounts would seem to work out fine, but how do we block regular AD-based authentication from the Internet and allow it for the special local accounts?
... View more
- Tags:
- administrators
Labels:
- Labels:
-
Management
03-26-2015
02:10 PM
1 Kudo
For the record, I did go to PAN support with this. They provided a patched version of Panorama, 6.1.2-h1, with the fix. I assume that the fix will be present in future releases.
... View more
01-20-2015
01:27 PM
I recently upgraded Panorama to 6.1.1 from 5.0.11. When I did so, RANCID was no longer able to log into Panorama and do its configuration tracking. I tracked down the problem to a superreader not being able to issue the "set cli pager off" command. This worked in 5.0.11. It still works on a firewall running 6.1.1, just not on Panorama. In 6.1.1 on Panorama, the "set" command is totally restricted. On a PA-4060, I get what I expect, only the "set cli" and "set password" commands are available. I can temporarily give the account RANCID uses superuser permissions, but there isn't a reason this account needs write permissions. Am I the only one having this problem? Something about my Panorama setup? Or can other reproduce this? Any idea at which version this was broken?
... View more
Labels:
- Labels:
-
Panorama
10-27-2014
02:55 PM
Yes, it does show lifetime. I was looking for the lifesize. There is a mention of it in the flow output, packets received when lifetime expired:0 when lifesize expired:0 But that's not about what the current lifesize counter is at. I guess you can use the encapsulated and decapsupated byte counts to figure it out.
... View more
03-18-2014
03:06 PM
The firewall/router in question is not an ABR between two areas. It is only in a single area. It is an ASBR. The external routes it is bringing into OSPF are static routes configured on itself. It is listing itself as the forwarder. Section 2.3 of RFC2328 discusses what the forwarding field is used for, "...the OSPF protocol allows an AS boundary router to specify a "forwarding address" in its AS-external-LSAs. [The ASBR] would specify [the other router's] IP address as the "forwarding address" for all those destinations whose packets should be routed directly to [the other router]." There is no other router in this case. The ASBR itself is the correct next hop for the traffic. It also doesn't seem to make sense for a router to specify itself as the forwarder. The field should be zeroed if the ASBR itself is the next best hop.
... View more
03-12-2014
11:39 AM
I'm having some problems getting our traffic engineering working with OSPF, and I think I've finally figured out what's happening. But I can't figure out how to stop it. I think the problem is coming from how the PAN firewalls are importing the external static routes into the area. Here is a "dumplsdb" snippet for one such network, 3 0.0.0.1 10.33.151.86 10.89.4.0/22 type-7 (NSSA Ext) 0x800002FB 0x0000825D 559 36 Options: [NSSA] Mask 255.255.252.0, type 1, tos 0 metric: 1, forward 10.56.1.22, tag 0.0.0.0 Note that "forward 10.56.1.22" field. I think that's what's messing us up. I don't think that needs to be there, i.e. it should be 0.0.0.0. That address is on an interface of the advertising router (a PAN firewall at 5.0.11). When other routers calculate the cost to that 10.89.4.0/22 network, they calculate the cost to reach 10.33.151.86, add the metric on external route, 1, and then also add the cost of reaching the network where 10.56.1.22 resides (even though it's an address on the ASBR itself). Adding that last network is wrong, and it's messing things up. It causes OSPF to choose a non-optimal path to that external network. But I can't figure out why the PAN is adding anything to the "forward" field and cannot figure out how to clear it. I have an open ticket on this, but was hoping maybe someone in the community might be able to answer more quickly. Thanks.
... View more
08-26-2013
03:44 PM
1 Kudo
What solutions are used to backup Panorama VMs? We want to make a full backup of the VM, not just the configuration and log export tools built into the system. This is for DR purposes. However since we cannot access the system at the OS level, our sys admins can't put vmtools on the system to facilitate with their usual backup procedures. How do other Panorama users do backups of the whole VM?
... View more
Labels:
- Labels:
-
Management
-
Panorama
08-26-2013
10:59 AM
Sorry about that, the version is actually 4.1.6. (When I first looked at the "show system info" output, the "logdb-version: 4.1.2" line caught my eye first.) However, now I'm not really sure I even have a problem... Upon some more testing, it look like even though I have 92 translations "in use," when I actually try to create a new translation, it works. One of the translations that's listed gets bumped out. Presumably it's one of those that has no active sessions associated with it. Maybe the PAN retains some memory of inactive sessions so internal IPs get the same external IP address next time, but those external IPs are still available to new active sessions if needed? So now I may have to look elsewhere for what caused our problems... or maybe we really did run out of mapped addresses. Seems I can't tell by just looking at "show running nat-rule-ippool" how many addresses are really available, if the IP pool is at 100% usage.
... View more
08-19-2013
04:46 PM
I am using the original IP address for the <source> and the translated address <xlate-source> since those would be the IP addresses the firewall would see on the original packet that hits the system. So for example, from the "show running nat-rule-ippool" I see, 172.26.202.152 xxx.xxx.xxx.104 1 And I can find, crclark@scea-rhq-sc-pa5050a(active)> show session all filter source 172.26.202.152 -------------------------------------------------------------------------------- ID Application State Type Flag Src[Sport]/Zone/Proto (translated IP[Port]) Vsys Dst[Dport]/Zone (translated IP[Port]) -------------------------------------------------------------------------------- 889910 playstation-network ACTIVE FLOW NS 172.26.202.152[51781]/bp-gaming/6 (xxx.xxx.xxx.104[51781]) vsys1 54.241.139.10[443]/internet (54.241.139.10[443]) However, if I look for, 172.26.200.133 xxx.xxx.xxx.161 30 crclark@scea-rhq-sc-pa5050a(active)> show session all filter source 172.26.200.133 No Active Sessions And if there were to have been an incoming connection (there really shouldn't be, but since I'm troubleshooting, I want to cover all possibilities), it would be found with, crclark@scea-rhq-sc-pa5050a(active)> show session all filter destination xxx.xxx.xxx.161 No Active Sessions Since that would have been the IP address on the original packet that came in from the Internet side before NAT. So I understand why 172.26.202.152 is still holding a slot in the IP pool, but why is 172.26.200.133?
... View more
08-19-2013
04:37 PM
I am indeed doing one-to-one NAT, "dynamic IP" only. I do get output from "show running nat-rule-ippool." Are you saying the output is bogus? crclark@scea-rhq-sc-pa5050a(active)> show running nat-rule-ippool rule "Gaming to Internet" Rule: Gaming to Internet ----------------------------------------- Reserve IP: no 0.0.0.0-255.255.255.255 => xxx.xxx.xxx.100-xxx.xxx.xxx.191 Source Xlat-Source Ref. Cnt TTL(s) ---------------- ---------------- ---------- ---------- 172.26.200.133 xxx.xxx.xxx.161 30 172.26.200.250 xxx.xxx.xxx.101 980 172.26.75.32 xxx.xxx.xxx.108 17 172.26.201.27 xxx.xxx.xxx.166 1 172.26.202.152 xxx.xxx.xxx.104 1 [snip] Total IPs in use: 88 Total entries in time-reserve cache: 0 Total freelist left: 92
... View more
08-19-2013
01:16 PM
Having a problem with a NAT IP pool filling up. There are 92 IP addresses in the pool which should be plenty compared to the number of active clients. However, the pool is filling up. When I go to look at what active sessions a given IP address has, I find that many have no active sessions (with "show session all filter source <ip>" or "show session all filter destination <xlate-source>"). So why are they still consuming an address in the pool? I notice in the "show running nat-rule-ippool" output, that there is nothing in the "TTL" field. Is that expected? Is there a way to manually flush an entry or the whole list? The "clear nat-rule-cache" command does not seem to do it. Running 4.1.2 on a PA-5050.
... View more
Labels:
- Labels:
-
Management
-
Networking
-
Troubleshooting
06-28-2013
11:41 AM
We recently had the issue where something that was working broke. It may have been a case where a new App was added or updated by PAN and some traffic that used to match a more general application (e.g. "ssl" or "web-browsing") now seen as a new application. The new App was not listed as allowed and got blocked. In particular, it's the "intuit-quickbase" App. However, I would not discount that the user or vendor changed what protocol their business process used either. I would like to figure out what is more likely. I'm having problems finding out the update history of an App. I do have some approximations of when it may have changed, but I can't even find old release notes for content updates, only the latest few available. (I never thought to archive the update emails PAN likes to send out. I shouldn't have to though.) Anyone figured out where to find the old content update release notes? Or how to get the update history on a specific App in a more direct way than digging through piles of old release notes?
... View more
Labels:
- Labels:
-
App-ID
-
Troubleshooting
06-28-2013
11:13 AM
I would like to create a custom App for SMTP submission. All I really want to do is restrict the "smtp" App to use 587/tcp only. It's usual "default ports" action is to allow 25/tcp or 587/tcp. I just tried to create a Custom App based on "smtp," but have the only default port be "tcp/587." As I seemed to vaguely recall the other times I've tried to do this, without a signature section, the App does not match anything. SMTP traffic still matches "smtp," not my App. Sure, I can create a whole new policy rule in the rule base with "smtp" as the application and a "submission" service on 587/tcp, but it would be a lot easier and more manageable to just drop a custom application into an existing application group. Is there a way to create a custom App to change the default port behavior of a built-in App? (Note that this is not an Application Override thing. (Right?) I still want the PAN to do it's App ID voodoo, just change the default ports allowed.)
... View more
Labels:
- Labels:
-
App-ID
02-15-2013
10:08 AM
On an Phase 2 IPsec SA with a non-zero lifesize, I see the proposed initial lifesize in the "show vpn ipsec-sa" output, crclark@ <redacted> -pa5050b(active)> show vpn ipsec-sa tunnel <redacted> -cisco-gw GwID/client IP TnID Peer-Address Tunnel(Gateway) Algorithm SPI(in) SPI(out) life(Sec/KB) --------------- ---- ------------ --------------- --------- ------- -------- ------------ 16 190 <redacted>.4 <redacted> -cisco-gw:csx-net-192.168.0.0( <reda ESP/3DES/SHA1 AE3A4D8C 46E57EF1 1549/4608000 16 191 <redacted> .4 <redacted> -cisco-gw:csx-net-192.168.6.0( <reda ESP/3DES/SHA1 CB4FE221 8B5EF149 1557/4608000 16 194 <redacted> .4 <redacted> -cisco-gw:csx-net-192.168.1.0( <reda ESP/3DES/SHA1 911952E8 F67725C5 1535/4608000 16 195 <redacted> .4 <redacted> -cisco-gw:csx-net-192.168.108.0( <re ESP/3DES/SHA1 DF7DA529 2899C3B7 1011/4608000 Show IPSec SA: Total 6 tunnels found. 4 ipsec sa found. Unlike the lifetime, the lifesize is not decrementing as data goes over the tunnel. So I have two questions, 1) Where can I find the actual lifesize remaining on a tunnel? 2) Or does PAN-OS not actually track lifesize?
... View more
Labels:
- Labels:
-
Networking
-
Troubleshooting
12-07-2012
11:43 AM
Oh, and speaking of IPsec, it'd be nice to have IKEv2 support. I know protocols from 2005 might be a little bleeding edge, but if we wait all the way to PAN OS 6, it will probably have been about ten years. Along with that, certificate-base authentication rather than solely pre-shared, secret keys would conform to real-world policy requirements (and all of the code lives in PAN OS somewhere for GlobalProtect VPNs).
... View more
12-07-2012
10:32 AM
Why do I need to list out all possible proxy-ID combinations for an IPsec tunnel? PAN OS 5.0 greatly increased the proxy ID count per tunnel (from the absurdly low 10 in previous PAN OS), thanks for that. But I still have got to ask, why do I need to do this at all? When configuring an IPsec tunnel, what do I end up doing? I write a quick Perl script or use a text editor to generate all of the proxy ID combinations to cut 'n' paste config at the CLI. This is what computers are good at, doing simple repetitive tasks. The PAN is a computer... so why am I doing this for it? Why can't I enter the two lists of networks and it builds all of the pairs itself. If I can do it in a three line Perl script, it seems it would be trivial for PAN OS to do this behind the scenes at commit time. It's not something that would even need to really touch the run-time or dataplane code. If the answer is that perhaps the user would only want to have certain pairs in a tunnel and not others, e.g. these pairs are desired, Local_Net-A <--> Remote_Net-A Local_Net-A <--> Remote_Net-B Local_Net-B <--> Remote_Net-B But for some reason, Local_Net-B <--> Remote_Net-A Is not. The right place to enforce policy is... wait for it... your security policy. You can block that traffic there, not in the IPsec configuration. Doing in the IPsec configuration is kind of like using routing policy to null route traffic on a firewall rather than using security policy. It works, but is not a good practice.
... View more
12-03-2012
10:18 AM
Thanks. Wasn't sure if custom URLs worked. So what I did was create a custom URL category for the sites I want to block: # show profiles custom-url-category custom-url-category { wpad { list [ wpad.am.example.com wpad.example.com]; } } Then I create a policy rule that uses that URL category, # show rulebase security rules "Block WPAD" "Block WPAD" { source any; destination any; service application-default; application web-browsing; action allow; source-user any; option { disable-server-response-inspection no; } negate-source no; negate-destination no; disabled no; log-end yes; from dc; to internal; log-setting Panorama-ALL; hip-profiles any; log-start no; category wpad; } Don't be mislead by the name. The action us currently "allow" while I make sure the rule does not catch traffic inadvertently. And I am a little puzzled by the results. If I do hit a URL that matches the URL category, I get the expected entry in my logs. However, I see a lot of logs, Time App From Src Port Source Rule Action To Dst Port Destination Src User Dst User =============================================================================== 2012/12/03 10:13:41 incomplete dc 63803 172.31.152.165 Block WPAD allow internal 80 192.168.208.131 2012/12/03 10:13:37 incomplete dc 50620 10.10.10.77 Block WPAD allow internal 80 192.168.228.45 2012/12/03 10:13:36 incomplete dc 63802 172.31.152.165 Block WPAD allow internal 80 192.168.208.131 Even though they are "incomplete," I believe the connections are in fact working. Not sure what these logs mean. I believe they are successful HTTP connections, but the URL does not match. I would expect not to see any log entry at all if that were the case. Is this expected behavior?
... View more
11-30-2012
02:49 PM
1 Kudo
On a PAN with no BrightCloud license, you can still use the URL filtering "Block" and "Allow" lists. Right now I use that feature to have a "log-all" URL filtering policy where I have "*" in the block list and an action of "alert." But now I have one (or it could be a short list) of URLs that I want to really block, i.e. an action of "block." However, if I change my block list to block that one URL with a "block" action, I lose all of my logging of other URLs. Is there a way to block my URL while still logging everything else that I'm not seeing? Kind of seems like something that should be easy (block some URLs while still retaining the ability to alert others), but I don't see how I can do it reliably.
... View more
- Tags:
- url_filtering
10-31-2012
11:02 AM
I have been searching for an application or applications that cover Symantec NetBackup communications. I have not been able to find anything. Anyone running NetBackup (versions 6.x or 7.x) traffic over a PAN firewall? What applications does the PAN identify (or not)?
... View more
Labels:
- Labels:
-
App-ID
08-12-2011
01:35 PM
While doing some testing on a PA pair at a new site, I noticed that at least one type of configuration change would apparently cause OSPF to reset and lose all of the routes out of the site. Specifically, I was enabling and disabling IPv6 on interfaces. When I would commit the change, the site would drop communications for thirty seconds or so until the OSPF neighbors started talking again. (At least that's what it looked like was causing it.) I've tried other policy and routing changes (remove and add IPv4 addresses from an interface, create and destroy L3 sub-interfaces, add and remove static routes), and none of those have seemed to cause OSPF to reset. Once this site is up and running in production, a thirty second blip would be a big deal. Does anyone know for sure what kinds of configuration changes are safe and not safe to make with respect to interrupting the dynamic routing protocols? (Can anyone else confirm enabling and disabling IPv6 causes disruption? Or is it just me?)
... View more
07-14-2011
01:40 PM
I have a fairly straightforward network topology for a firewall at a remote datacenter with one little catch. The PAN's revenue interfaces are an Internet interface, an internal interface, a DMZ interface, and a device management network. The catch is the PAN's MGMT interface lies on the device mangement network for which it is also the default router. For example, it's ethernet1/4 is 10.254.10.1/25 and it's MGMT interface is 10.254.10.4/25. Oh, and another little catch, this being a remote datacenter, we talk to that device mangement network over a VPN that terminates on the PAN itslef. So the problem is that I cannot reach the PAN on its MGMT interface or have it talk to our Panorama server over the VPN. I would prefer to still use the MGMT interface for system management. I would expect there may be others in the same or similar situations. How do you manage and use Panorama with your PAN over a VPN that terminates on the PAN itself? Pointers to vendor docs or your own experiences would be appreciated. Thanks.
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
01-14-2019
01:28 AM
|
Latest Tags
No tags yet
Latest Blogs
Latest Posts
Copyright 2007 - 2020 - Palo Alto Networks
