Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- LIVEcommunity
- ›
- About BeardedTree
About BeardedTree
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
User
Activity
User
Profile
Latest posts by BeardedTree
| Subject | Views | Posted |
|---|---|---|
| 572 | 12-14-2020 12:06 PM | |
| 576 | 12-14-2020 12:04 PM | |
| 677 | 12-13-2020 12:06 PM | |
| 151 | 12-12-2020 06:25 AM | |
| 139 | 12-12-2020 06:13 AM |
User Badges
Public Statistics
| Date Registered | 10-13-2020 03:45 PM |
| Date Last Visited | |
| Total Messages Posted | 11 |
12-14-2020
12:06 PM
Another quick thought would be a Panorama running a newer version and using features that are not supported on the firewall you're pushing it to.
... View more
12-14-2020
12:04 PM
How were the object created initially? The way you're explaining it sounds to me like an import gone wrong where the firewall/Panorama did load the Object but something is "off" with the way it's in the running XML.
... View more
12-13-2020
12:06 PM
Did it all of a sudden stop working or is this a new implementation or upgrade? One thing to look for is that on the local firewall Panorama is allowed to push Objects: As you're stating a blank push of a firewall policy without objects is working I believe this is enabled. Make sure the Object or Object-Group you're trying to push out isn't bound to a certain firewall but is in the "Shared" object space or Object specifically for that FW. If the item is a group containing more IP's, FQDN's or Objects it never hurts to check if the actually sub-objects for errors.
... View more
12-12-2020
06:25 AM
Taking the original error and picking it piece by piece. Peer's ID payload ' IPv4_address:xxx.xxx.xxx.xxx' does not match certificate ID, Error: failed to get subjectAltName. It would seem that their side does have their Local ID Field and IP Field are filled with an IP address however the certificate they use doesn't seem to have a SAN at all, or a matching IP address SAN on the certificate. Looking at the last bit my guestimate would be the second case. Next step would be to verify if this is actually the case by either having them check the config or make a PCAP of the initial exchange to capture the certificate info (Depending on the Ike version and mode of connection (Main/aggressive)).
... View more
12-12-2020
06:13 AM
Are you seeing the "Unable to fetch external dynamic list. Couldn't connect to server. Using old copy for refresh." only on the passive device, and does the MGMT IP of the passive device have connectivity to your Minemeld URL? As you're stating that manually forcing an update I'm assuming that it does, however I might be interpreting your scenario sketch wrongly. What we've seen with some of our customers is that the error "Unable to fetch external dynamic list. Couldn't connect to server. Using old copy for refresh." at times is shown on the active device when there are no new or removed IP addresses on the EDL instead of a "Succesfully connected, no changes to the list were detected, using old copy" message. With a manual refresh you force out the old EDL information and it would be expected to see that it updated successfully. Could be a simple issue of wrong error code shown but still might be worth making a case with TAC to confirm this is the case.
... View more
12-11-2020
08:13 AM
That would mean the Peer firewall is sending it's IP address as Local Identifier, however the question is if this is also defined on the certificate the Peer is using as that needs to match aswell. So the Peers Certificate would need a SAN Attribute "IP Address" with it's IP.
... View more
12-11-2020
08:00 AM
Gotcha, just to clarify did you also designate SAN attributes for your firewall cert and for the cert the other firewall is using? Like: The additional attributes are SAN items which seem related to the error where no additional attributes were found. It would end up local something similar to the below screenshot if he other side has a certificate with Email Otherunit@local.local. Lastly the intermediate and/or root need to be marked in the certificate store as trusted CA's
... View more
12-11-2020
07:21 AM
Are you sure you've imported the peers certificate, or signer of the certificate, in the local firewall and added a certificate profile containing this certificate which applies on the VPN? The Peer Identification, local and peer, needs to match on both sides (Reverse local/Remote) and the Cert Profile, if containing the cert marked as trusted, should set up the Phase 1 connection.
... View more
12-11-2020
01:24 AM
If you can generate a new certificate it would defiantly be worth generating a new one containing additional SAN entries. I'd suggest tagging on the SANs Hostname, FQDN and IP address and check if you can get the firewall to recognize these attributes as the Peer Identification.
... View more
12-10-2020
02:04 PM
The error seems to suggest that either A. The other side is sending a local identification that does not match any SAN that is present on the certificate or B. Does not contain a SAN attribute on the certificate at all. Are both sides under your control, where you're able to generate a new certificate if need be or inspect the current attributes of the certificate it's using? Also make sure the Certificate Profile on the VPN contains the Intermediate, Root or Self Signed certificate and is marked as a Trusted certificate in the local device store.
... View more
12-10-2020
01:48 PM
If your security policy is set to have any source IP it would mean that access would not be limited to the ms-office365 application. Once you add the explicit required apps to the rule they are seen as separate entities and one would for instance be able to web-browse to your internal server without any intention of the ms-office365 application..
... View more
Contact Me
Latest Tags
No tags yet
Latest Blogs
Latest Posts
Copyright 2007 - 2021 - Palo Alto Networks
