This website uses cookies essential to its operation, for analytics, and for personalized content. By continuing to browse this site, you acknowledge the use of cookies.
For details on cookie usage on our site, read our Privacy Policy
For details on cookie usage on our site, read our Privacy Policy
About bradenmcg
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- LIVEcommunity
- About bradenmcg
11-07-2019
65Posts
2Likes
0Solutions
Nov 07, 2019Last Visited
User
Activity
User
Profile
Latest posts by bradenmcg
| Subject | Views | Posted |
|---|---|---|
| 1757 | 01-14-2015 12:06 AM | |
| 1571 | 08-27-2013 03:38 PM | |
| 4183 | 08-15-2013 01:49 PM | |
| 4183 | 08-14-2013 04:49 PM | |
| 13619 | 08-08-2013 04:52 PM | |
| 13620 | 08-08-2013 12:02 PM | |
| 13620 | 08-08-2013 10:26 AM | |
| 14406 | 08-06-2013 02:55 PM | |
| 16445 | 08-06-2013 02:28 PM | |
| 1697 | 07-03-2013 12:31 PM |
My Liked Posts
| Subject | Likes | Posted |
|---|---|---|
| 1 Like | 07-14-2011 12:41 PM | |
| 1 Like | 08-08-2013 04:52 PM |
Posts I Liked
| Subject | Likes | Author | Latest Post |
|---|---|---|---|
| 1 Like | |||
| 1 Like |
User Badges
Community Statistics
| Member Since | 12-23-2009 11:36 AM |
| Date Last Visited | 11-07-2019 07:30 PM |
| Posts | 65 |
| Total Likes Received | 2 |
01-14-2015
12:06 AM
I'm trying to setup two different versions of GlobalProtect SSLVPN endpoints. I already have a single portal + gateway configuration that only routes specific /24s through the VPN. I want to add a second setup that doesn't split-tunnel and instead passes all traffic through the VPN (for use on untrusted networks like public wifi). Do I need to create an entirely separate Portal as well as Gateway config? Or can I have a single Portal, but multiple gateway configurations, and depending on which hostname is entered in the client config it will change the behavior? It would be nice to be able to share a public IP for this, but if that's not possible it isn't a deal-breaker (we have a /24). I *can* reuse the same SSL certificate because it is a wildcard, so different hostnames for the different endpoints isn't a problem.
... View more
Labels:
- Labels:
-
Configuration
08-27-2013
03:38 PM
kprakash you have been incredibly helpful with all of this so far, thank you. It seemed like it would be better to branch this to a new topic. Here is a new / updated image with some more information... I currently have a single default route for outbound traffic, it is going to ISP A. I have two public blocks from ISP A, both are /28s and I have various NAT statements and rules in the PAN to pass traffic from my LAN side out ISP A via those blocks. I'm now trying to migrate everything to ISP B and the new /24 that they have given me, and then also announce that /24 to ISP A for failover. I'm currently having problems with routing - outbound traffic is always using ISP A... which I guess is to be expected given my default route. However, I need to figure out a way to re-do the setup to keep some traffic leaving that circuit. What I need to do is make it so all traffic sourced from 203.0.113.0/24 leaves via ISP B, unless there is a better/more specific route to the target via ISP A (which will happen because I still have many remote sites on ISP A, I don't want their traffic to have to go out to the internet and reach ISP B if they can instead stay within ISP A's network). If any traffic comes *in* via ISP A (bound for 203.0.113.0/24), then I'd also like it to LEAVE via ISP A. I also need to insure that any traffic sourced from 192.0.2.32/28 and 192.0.2.128/28 exits via ISP A, no matter what. (Those blocks belong to ISP A and ISP B won't do anything with them.) I know this is going to involve Policy Based Forwarding, but I'm not exactly sure how to setup the rules. I tried a PBF rule similar to this: source zone: untrust source address: 203.0.113.0/24 Destination address: any Egress I/F: eth0/3.2000 next hop: 198.51.100.1 (ISP B router) After committing that rule, I tried a traceroute from 203.0.113.1 (firewall interface) and it was still leaving via ISP A. It seems like PBF doesn't affect traffic from the firewall itself? So then I tried a host attached to eth0/3.2100 (203.0.113.99, with the PAN as default gateway), and even that traffic still left via ISP A. I know that to insure traffic "sticks" to an interface I will need the Symmetric Return option as well, which is why I just updated to 5.0.6 last night. Eventually I will have all traffic migrated to 203.0.113.x/24, at which point I can get rid of 192.0.2.32/28 and 192.0.2.128/28, but until I migrate IPs in DNS and get all of the rules setup, I have to keep those blocks around. Even once I migrate to 203.0.113.x/24, I still want traffic from that block to leave via whichever ISP has a better route... since ISP A is giving me routes for all of their sources, I'm hoping that routing/BGP is smart enough to take that path even if I set the default route (with higher weight) to ISP B? ISP B isn't yet sending me any routes, but I'm trying to see if they can send me local/customer routes along with a default so I don't need to use any static routes.
... View more
Labels:
- Labels:
-
Configuration
-
Networking
-
Troubleshooting
08-15-2013
01:49 PM
Another BGP/traffic question... ISP A = 50 mbps, national ISP ISP B = 25 mbps, local provider with peering to many other ISPs, no direct peering to ISP A as far as I'm aware Once I have both paths active, how do I specify which link to use for outbound traffic from my announced subnet? ISP A is giving me no inbound routes while ISP B is only giving me directly connected subnets that it is already routing back to my PAN anyway (I have two /28s and a few /30s that I'm going to get rid of once I migrate everything to this /24). I can obviously set the default route to one side or the other, but I'd like to use both links ideally, and I'd prefer if traffic "sticks" to the link that it came in on in most cases. I understand that I can prepend my AS on export statements to affect how inbound traffic comes to me... but how do I load balance the outbound traffic? Does this require policy-based routing, and can that take into account the load on a circuit? (I only have a single PBR that is being used for a special VPN for certain LOB traffic.)
... View more
08-14-2013
04:49 PM
Rather than opening another discussion just for this... What exactly does the "soft reset with stored info" option do on the Peer Group config screen? The manual and help page are both less than helpful: "Select the check box to perform a soft reset of the firewall after updating the peer settings." What exactly is a "soft reset of the firewall" in this context? Does this mean that a change to the peer config would flush firewall states? Or does it enable the PAN to handle Cisco-style BGP "soft resets" when the config has been changed, rather than dropping and restarting the BGP session? (Or does a PA device *already* use soft-resets by default? From what I've seen it looks like a config commit creates a new BGP session / causes a flap...) Also, it seems like absent any filters for Import or Export, PanOS (at least 4.1.x) is "default permit," correct? I was kind of surprised by this behavior because typically firewalls are "default deny" at least in terms of security rules. OTOH, it does appear that on Cisco IOS at least, BGP is also default permit (filters have to be setup or else it takes everything), so I guess following Cisco behavior makes some amount of sense. Again, I'm relatively new to BGP here.
... View more
08-08-2013
04:52 PM
1 Kudo
My option works (just tested it). You are correct that the loopback only takes a /32, I forgot about that. I put .1 /24 as a secondary IP on the same VLAN 2000 L3 subif. I was then able to put another device on the same VLAN, use .1 as the gateway and assign an IP, and pass traffic without issue.
... View more
08-08-2013
12:02 PM
The "server" here is actually a SIP gateway device from our VoIP provider, it is locked down and only accepts traffic from their IP block so security isn't much of a concern here. I'm trying to keep it "outside" the PAN because I don't want any added delay in the traffic due to filtering/etc. If I add 203.0.113.1/24 as a secondary address on the vlan 2000 L3 port, that should work though, correct? I can put the SIP gateway in the same VLAN, assign it 203.0.113.5/24 and have it use the PAN 203.0.113.1 as default GW, which should then route it through the routing table and out to 198.53.100.1 (the ISP) and from there the internet? If the packet is entering and leaving the same interface and same security zone, then the firewall rules don't act on it and it should pass through as quick as a normal router would, right? I realize that I will then have two subnets on the same VLAN but since both subnets are public and "outside" I don't really care...
... View more
08-08-2013
10:26 AM
So I can keep the /24 on the PAN and NAT for it... but what if I need to assign one of those addresses directly to a server ("outside" the firewall)? Here's a basic diagram of the setup (it omits the second ISP and a bunch of other irrelevant stuff) - is what I want to do in the lower right corner going to work?
... View more
08-06-2013
02:55 PM
OK, that makes sense. The peers won't really care if the "Router ID" doesn't actually match the interface that is connected to them. This also explains why the "peer router ID" I'm getting from ISP B doesn't fall inside the /30 that is being used to exchange routes. This means I should be able to establish a connection with both peers via the same VR once I get my existing setup with ISP A changed to use my public ASN. (We were using private ASNs for them to hand me MPLS routes prior to me obtaining a public ASN.) How can I go about weighting the two routes for load-balancing (so more traffic travels via the larger connection), rather than just failover? I understand that in some cases I can't affect the paths because the ISPs may re-write them when they leave their border, but I'd at least like to try to set it up "correctly." I apologize for my inexperience here, this is my first real foray into BGP, and while I have the O'Reilly BGP book, it is written with Cisco in mind and PAN behavior seems somewhat different.
... View more
08-06-2013
02:28 PM
What exactly is the "Router ID" field used for in the BGP tab of Virtual Router configuration? I ask because I'm planning on announcing a /24 to two different ISPs/peers, and each ISP has its own /30 for the transit segment. So, if I make the router ID the IP address for one segment, it is incorrect for the other segment... or does "Router ID" not actually get used for anything and it's just an identifier? The documentation / help file says "Enter the IP address to assign to the virtual router," does this mean I need to use a separate VR for each BGP peer? If so, how do I get my traffic to fail from one VR to the other? I currently have all of my interfaces attached to a single VR using a default route to ISP A. I'm running a BGP session with them to receive routes for an MPLS network, but not announcing anything to them yet. I now have a publicly routable /24 from ISP B, as well as a public ASN, but I need to announce that /24 to both providers and (ideally) unevenly weight the two connections as ISP B is a 50Mb link while ISP A is only 25Mb. I have seen the document that explains setting up BGP with two ISPs, but it is a bit confusing since it was written for 4.0 and I am on 4.1. Also, it assumes that I want to take the /24 and apply it to an internal interface on the PAN, which I do not. I want any / all addresses in the /24 to be proxy ARPed by the PAN and I will NAT (1:1 or otherwise) to internal hosts. This is simply because I don't want to have to put together another switch or VLAN and public IPs on my internal systems - it's easier to just run it all through the PAN. (I do have an active/passive pair of PANs but that is already functional, the only thing I'm having trouble with is the BGP portion. The HA pair has appropriate interfaces to each ISP for failover to function correctly.)
... View more
Labels:
- Labels:
-
Networking
-
Set Up
07-03-2013
12:31 PM
So I'm going through the document here: https://live.paloaltonetworks.com/servlet/JiveServlet/downloadBody/2016-102-8-14087/GlobalProtect-Config-Apple-iOS-RevD.pdf I have an existing / configured GlobalProtect portal for VPN usage for PCs/Macs. It looks like this (portal and gateway settings): http://imgur.com/Juwdzxq http://imgur.com/D9bwEwP If I enable the X-auth support and everything else needed for iOS to work, is that going to break my existing GP clients (which are NOT doing any sort of certificate-based authentication)? I.e. if I want to do this seamlessly, should I setup a second portal just for iOS? I discovered the iOS GlobalProtect app on the app store, but we don't have a license for GlobalProtect (we were using Netconnect in the past), and apparently the app won't work if I don't buy full-on GlobalProtect licenses?
... View more
Labels:
- Labels:
-
Set Up
12-04-2012
10:32 PM
Greg, Does this mean that wildcard certs will no longer work with GlobalProtect? Or does one of the SAN entries simply have to match the CN (*.example.com)?
... View more
01-10-2012
02:41 PM
http://en.wiktionary.org/wiki/benign Presumably the wildfire system isn't as thorough as you are assuming. Plus, just because an exe tries to create another exe in c:\ doesn't necessarily mean it is bad - this is effectively what installers do.
... View more
11-23-2011
11:08 AM
I'm not sure why they would consider it "unusable?" The main purpose of the TS UserID function is to enable you to do per-user web filtering from a Terminal Server, without having to use virtual IPs per each individual. I would never allow my users to do anything that would involve GRE from a terminal server. That could do $deity knows what to other people on the same terminal server and is not a good idea. Ping is ICMP so it isn't tracked by UserID, but really, is that something you are concerned about? Our users can't even access the command line on our terminal servers, so they don't really have any way to ping.
... View more
11-21-2011
03:38 PM
The XBox most definitely does use Kerberos traffic (it actually does use port 88) in communication with the Live servers, so you don't want to block that (and if you don't have a list-ending "Allow all," then you want to explictly add Kerberos for the Xboxen). It wouldn't surprise me if some of the traffic decodes as http/web-browsing, although it may not necessarily use port 80. In a typical home environment, the XBox will attempt to use UPnP to communicate to the router that it wants one single port open for itself. It will use a dynamic high-numbered port, and UPnP will simply forward this off the router back to the XBox. It does a combination of TCP and UDP traffic over that port. I have not gotten to try a PA device at home so I'm not sure how well the decoders and NAT functionality handle this process. In the absence of UPnP, the XBox will never show "Open NAT" (unless there is a 1:1 NAT or some other setup in place where all of its traffic passes transparently). At least, this has been my experience with a bunch of other firewalls. I currently use a pfSense device at home, specifically because it does support UPnP (along with some enterprise grade features) so I can have my nerdy IT cake (RRDTool graphs and advanced rulesets) and eat it too (no problems with XBoxen or DirecTV receivers or the like due to UPnP). pfSense even allows you to limit UPnP functionality to specific subnets/IPs, so I could potentially see it being an answer for a university (use DHCP to restrict your Xboxes to a specific subnet, and then only allow that subnet to use UPnP, and rate limit / traffic shape it so it is only good for game traffic and not bulk downloads). After all of the hell I went through with bug #32846, I'd love for PA to send me a 500 with lifetime definitions to experiment with at home.
... View more
11-03-2011
08:12 PM
How stable? How tested? Is this mostly incremental changes on the inside? The mentioned improvements to the management performance have me very interested, but when I went from 3.x -> 4.0 we had nothing but problems due to a few bugs. I'm now upgrade-wary.
... View more
LEGAL NOTICES
Copyright 2007 - 2023 - Palo Alto Networks