Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Get Started
- News & Events
- Collaboration
- Education Services
- Technologies
- Next-Generation Firewall
- GlobalProtect
- Threat Prevention Services
- Endpoint Protection
- SSL Decryption
- App-ID
- Content-ID
- User-ID
- 5G
- IoT Security
- Cloud Identity Engine
- Panorama
- AIOps for NGFW
Network Security
- Prisma Access
- Prisma Cloud
- Prisma SD-WAN
- Cloud NGFW for AWS
- CN-Series
- VM-Series:
- Private Cloud
- OCI
- Alibaba
- AWS
- GCP
- Azure
Cloud Security
- Cortex XDR
- Cortex XSOAR
- Cortex Data Lake
- Cortex Xpanse
Security Operations
- Resources
- COVID-19 Response Center
About ggarrison
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- LIVEcommunity
- About ggarrison
05-16-2022
121Posts
10Likes
12Solutions
May 16, 2022Last Visited
User
Activity
User
Profile
Latest posts by ggarrison
| Subject | Views | Posted |
|---|---|---|
| 3247 | 09-22-2015 01:54 PM | |
| 1710 | 05-15-2012 09:49 AM | |
| 2621 | 02-27-2012 05:02 PM | |
| 1964 | 02-17-2012 09:58 AM | |
| 2883 | 10-28-2011 12:32 PM |
My Liked Posts
| Subject | Likes | Posted |
|---|---|---|
| 1 Like | 10-24-2011 01:24 PM | |
| 1 Like | 10-28-2011 12:32 PM |
Posts I Liked
| Subject | Likes | Author | Latest Post |
|---|---|---|---|
| 1 Like | |||
| 1 Like |
User Badges
Community Statistics
| Member Since | 06-14-2011 02:31 PM |
| Date Last Visited | 05-16-2022 07:10 PM |
| Posts | 121 |
| Total Likes Received | 2 |
09-22-2015
01:54 PM
BearGolightly, I have double checked with our engineering team, and have confirmed that DirectPath I/O is in fact not supported with PA-VM series devices on ESXi. As an alternative to link monitoring, we recommend configuring path monitoring instead. We are working with our team to make sure that all documentation and references to DirectPath I/O are updated to reflect the correct information. Please let me know if there's anything else I can help you with.
... View more
03-26-2012
02:33 PM
Interesting - I opened up a support case about this very issue but appearntly they're still researching the problem or think it's being caused by a security rule that PAN is applying. Currently being experienced when users attempt to go to www.foxnews.com or www.bing.com. Entering in the URL's without the "www." works just fine and presents a CP page for people to authenticate against (using standard block page). Traffic that is from unidentified users is supposed to be CP'ed - the block page with the underscores instead gives the computers IP as the user id and does not prompt for CP. Running 4.1.3.
... View more
02-17-2012
09:58 AM
Johan, The PAN firewall does not directly participate in Kerberos authentication of clients, it relays the requests from the client to the servers that are configured in your Kerberos authentication profile. Consequently, no trust needs to be established with the firewall, as both members will have the keys necessary as they are both in the same domain. Also, TGT renewal requests will be renewed by the end user's workstation. If you would like more information on Kerberos, please follow this link to Microsoft's TechNet: http://technet.microsoft.com/en-us/library/cc961976.aspx
... View more
08-29-2012
03:03 PM
I believe this signature needs updated. The current version of Dropbox failes to "establish secure connection" when decription is enabled, regardless of the fact that Palo Alto has an exclusion. 4.1.7, with all of the latest dynamic software signatures installed. I believe this might be because Dropbox is making use of the Amazon S3 network, which may have a different SSL certificate. I am not certain that this is the issue, but it looks likely.
... View more
09-14-2012
01:25 AM
1 Kudo
Since you dont have any vlans at all (just a physical lan) and probably wont be able to change how the access network looks like my idea was something like: 1) A regular interface, for example 192.168.0.254/24 (which you add in dhcp as default gw so regular clients will use 192.168.0.254 as default gw to reach Internet or whatever and before they are let out they must use the captive portal). 2) A subinterface (or another physical interface), 192.168.0.253/??, which the ssl-vpn clients would connect to. Its the last part which im not sure if its possible to accomplish on a PA (due to ip range collissions and such). As sdarapuneni said if you enable both captive portal and ssl-vpn on the same interface then the PA will force both to be valid (meaning ssl-vpn users would still get a captive portal). Im thinking if it would be possible to trick PA into this support by using vrouter and/or dnat/snat in combination? A workaround could be if you setup something like: 1) 192.168.0.254/24 for regular clients (captive portal) on int1. 2) 10.0.0.254/24 for ssl-vpn clients on int2. Connect both to your access network and in the dhcp put up static leases based on mac address. This way a regular client will get a 192.168.0.x ip and 192.168.0.254 as default gw and your known ipad (etc) clients gets a 10.0.0.x ip and 10.0.0.254 as default gw. Because this ip "separation" isnt a true separation (they are all on the same vlan anyway) the only way for a client who gets a 10-ip to reach internet is either to auth using ssl-vpn OR go through 192.168.0.254 and use the captive portal - either way they must authenticate in order to leave your access network. Of course this doesnt fulfill any demands regarding strong auth (since you use captive portal) but your case doesnt seem to involve being 100% sure of who did what (because in order to use captive portal your access network must be secured/hardedened aswell like using protected vlan so clients cannot steal each other ip/mac addresses and such but also since if a user gets hold of another users login/pass they will use that instead of their own) but rather make it easier for your trusted clients to use your access network.
... View more
10-20-2011
09:16 AM
Thank you for your reply ggarison, We went through the troubleshooting exercises, like you described, have not found any faults. I think the most puzzling is that packet captures in both cases over VPN and over LAN are the same.
... View more
11-08-2011
09:32 PM
We were able to replicate this in our Support lab. There has been a bug opened with our Engineering group.
... View more
10-19-2011
07:36 AM
1 Kudo
Hi, This state is continuous if the ha cluster does not have matching panos versions(3.1.x and 4.0.x) even if you try to make the passive device functional. Not the same when you're upgrading from say 4.0.3 to 4.0.5. Assuming both have the same panos after an upgrade and the passive was once non-functional, making it functional will bring it back into passive state. -Renato
... View more
05-11-2012
12:22 AM
Rumours says (at least the ones I have heard :P) that PANOS 5.0 will somewhat address this dependency jungle out there so you wont need to open up more than necessary. For example where you today must open web-browsing + facebook (which would allow basically any HTTP surfing which doesnt have its own appid) in a single rule you then will only need to open for just facebook. The PA would then allow a couple of web-browsing packets, enough to identify facebook and if its still not identified after a couple of packets it would deny the session. However if this is true or not or even involves the skype detection I dont know, hopefully someone from PAN can answer this? Otherwise I totally agree with you. One of (many) good things with using a PA box is the ability to block unknown traffic. But this will be spoiled if you are forced to allow unknown just to make detection of (for example) skype (among others) to work. But this whole appid stuff (no matter if its the one PAN uses or from some other vendor) is a bit sketchy - thats why you should NEVER allow "service:any" even if you use appid but set at least "service:application-default" or even better manually define which ports should be allowed. A simple test you can do on your own is if you allow web-browsing to any port for a server. Your "http-like" request can be "a b c" (that is a[space]b[space]c) followed with two enter strokes. This packet will bypass your PA and hit your server. Not until the server replies with "Error 400, Bad Request" the PA will know that "oh this was supposed to be web-browsing but doesnt look anything like it" and block the response from the server to reach the client (and at the same time drop the whole session).
... View more
06-29-2011
11:26 AM
There is a password length limitation when authenticating using the local user database. If you wish to use longer passwords, you may configure an authentication profile that uses RADIUS, LDAP, or Kerberos. For more information on authentication profiles, please refer to page 42 of the Palo Alto Networks Admin Guide v4.0.
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
05-16-2022
07:10 PM
|
Latest Tags
No tags yet
LEGAL NOTICES
Copyright 2007 - 2022 - Palo Alto Networks
