cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

About ifstciss

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
ifstciss
3 weeks ago
since ‎07-29-2020
L1 Bithead
User Activity
User Profile
My Liked Posts
View All
User Badges
Community Statistics
Member Since ‎07-29-2020 09:21 AM
Date Last Visited 3 weeks ago
Posts 8
Total Likes Received 3

Re: Transparenlty NATing IPsec traffic to other device

by in General Topics
4 weeks ago
4 weeks ago
Never mind, session 1338 seems to have been "stuck".   Probably at initial creation of the session (some time ago), the connection didn't work because some other config was incorrect, but the flow was still created and remained cached in fastpath state. Since the VPN gateways just continue trying to connect the bad session/flow was never purged or reinitialized.   I have removed it manually from the session browser and the flow was now created successfully and the VPN is successfully connected.   Also "show arp all" no longer shows 192.168.1.2 as "(incomplete)". In fact it no longer shows that address at all, which seems to be a good sign in this case.   Happy holidays 🙂 ... View more

Transparenlty NATing IPsec traffic to other device

by in General Topics
4 weeks ago
4 weeks ago
Hello,   We have an issue with forwarding an IPsec connection to a VPN device behind the PAN-OS FW.   So the setup is supposed to be the following: * PAN-OS is using outside interface 192.168.1.1/24 * 192.168.1.2 is an address with DNAT to 10.10.10.1 on an internal vlan Note that the FW also processes IPsec VPNs itself on its own IP 192.168.1.1.   NAT rule: * src zone: outside * dst zone: outside * original src address: remote ipsec gw * original dst address: 192.168.1.2 * translated src address: keep * translated dst address: 10.10.10.1   There is a security policy of course * src zone: outside * dst zone: inside * src address: remote ipsec gw * dst address: 192.168.1.2 * app: ipsec   Using packet capture, I see that the packet is captured in receive, fw, and drop stages. Digging further using dataplane debug   Packet received at fastpath stage, tag 1338, type ATOMIC Packet info: len 254 port 19 interface 261 vsys 1 wqe index 216243 packet 0x0x80000003144648ca, HA: 0, IC: 0 Packet decoded dump: L2: 00:04:96:af:51:02->00:1b:17:00:03:13, VLAN 502 (0x8100 0x01f6), type 0x0800 IP: 1.2.3.4->192.168.1.2, protocol 17 version 4, ihl 5, tos 0x00, len 236, id 34594, frag_off 0x0000, ttl 59, checksum 58234(0xe37a) UDP: sport 500, dport 500, len 216, checksum 27049 Forwarding lookup, ingress interface 261 L3 mode, router 2 Route lookup in router 2, IP 192.168.1.2 Route found, interface ethernet1/4.508, zone 3 Resolve ARP for IP 192.168.1.2 on interface ethernet1/4.508 ARP pending Packet dropped, no ARP   Why would it try to route or resolve ARP when it is supposed to be responsible for that address itself, e.g. according to https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/networking/nat/nat-policy-rules/proxy-arp-for-nat-address-pools.html   I have the feeling that all of this stopped working once PAN-OS FW started processing IPsec VPNs itself on 192.168.1.1.   PAN-OS is 10.0.8   Thanks, Marki ... View more

Re: What Are Applications and Services?

by in Blogs
‎06-03-2021 03:51 AM
‎06-03-2021 03:51 AM
What if you want to enforce an application on its default ports and a few other ports.   Do you have to create two rules for this?   Or does defining a specific service add this port to the default ports for that application? (In that case, how do you define just that port without the default ports)   Thanks. ... View more

Re: Feature Upgrade: load, install, run !?

by in General Topics
‎08-19-2020 02:33 PM
‎08-19-2020 02:33 PM
The license does not seem to be the issue. I've opened a case with TAC. They asked me to install (but not necessarily run) 9.1.0 first before upgrading 9.1.3-h1, which works ok. But which is the opposite of what the message clearly says. So the message that is displayed in this case is simply wrong.   I'll ask them to file a bug report. ... View more

Re: Feature Upgrade: load, install, run !?

by in General Topics
‎08-19-2020 09:49 AM
‎08-19-2020 09:49 AM
> means you are grabbing the image from you Palo Alto portal and doing a manual update Yes. > You are running a licensed PA, correct?  That may be the issue. We don't have Internet connectivity on these devices yet as they are being staged. ... View more

Re: Feature Upgrade: load, install, run !?

by in General Topics
‎08-19-2020 09:25 AM
‎08-19-2020 09:25 AM
The situation I'm starting from is the following:   Then I click "Upload" and upload 9.1.3-h1. Then I click on "Install" next to 9.1.3-h1 which appears in the list. Then the message pops up.   What do you mean by "downloading"?   ... View more

Feature Upgrade: load, install, run !?

by in General Topics
‎08-19-2020 05:51 AM
‎08-19-2020 05:51 AM
What does "base image must be loaded" and "you do not have to install or run the base image" mean?   See my screeshot below. The base image is there. Do I have to click on "Install"? The message however clearly says I do not need to do so? So what do I do?     ... View more

Re: HA running configuration not sync

by in General Topics
‎08-17-2020 04:08 PM
3 Kudos
‎08-17-2020 04:08 PM
3 Kudos
Yep I had this too. Turns out, there was a commit lock present on the peer device. I found out because attempting a manual sync (on the active device) gave an error about it. Too bad the system log on the dashboard doesn't simply show that right away. ... View more
Register or Sign-in
Contact Me
Online Status
Offline
Date Last Visited
3 weeks ago
Likes Given To
Likes From
LEGAL NOTICES
RESOURCES
Copyright 2007 - 2022 - Palo Alto Networks