This website uses cookies essential to its operation, for analytics, and for personalized content. By continuing to browse this site, you acknowledge the use of cookies.
For details on cookie usage on our site, read our Privacy Policy
For details on cookie usage on our site, read our Privacy Policy
About Shayan
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- LIVEcommunity
- About Shayan
10-17-2015
14Posts
0Likes
0Solutions
Oct 17, 2015Last Visited
User
Activity
User
Profile
Latest posts by Shayan
| Subject | Views | Posted |
|---|---|---|
| 4031 | 02-14-2014 10:01 PM | |
| 4288 | 02-13-2014 12:51 AM | |
| 2046 | 02-04-2014 06:07 PM | |
| 2558 | 01-20-2014 10:23 PM | |
| 2831 | 01-19-2014 03:05 PM | |
| 4904 | 07-30-2013 03:57 PM | |
| 5034 | 07-29-2013 11:47 PM | |
| 2422 | 07-29-2013 06:14 PM | |
| 2517 | 07-25-2013 03:22 AM | |
| 1961 | 07-25-2013 02:51 AM |
Posts I Liked
| Subject | Likes | Author | Latest Post |
|---|---|---|---|
| 2 Likes | |||
| 1 Like | |||
| 2 Likes | |||
| 2 Likes | |||
| 2 Likes |
User Badges
Community Statistics
| Member Since | 04-07-2013 03:52 PM |
| Date Last Visited | 10-17-2015 12:56 AM |
| Posts | 14 |
02-14-2014
10:01 PM
Hi, Thanks for the response. It make sense. I'm not specifically looking for reverse proxy solution. If I can achive similar security by SSL inspection that would be suffient.
... View more
02-13-2014
12:51 AM
Hi, I have setup a decryption policy to decrypt inbound SSL traffic for the Exchange web mail server. However, when I check the logs I see only some traffic as decrypted and some arnn't. Refer below screenshots, Why isn't the policy not decrypting all the traffic? I'm trying to decommission the Microsoft ISA server used as reverse proxy for Exchnage Web mail. Is it safe to use inbound SSL inspection and NAT the traffic into the internal exchnage sever? Shayan
... View more
Labels:
- Labels:
-
Troubleshooting
02-04-2014
06:07 PM
Hi, I'm trying to create a custom APP-ID for nearmaps.com. However, cannot get the monitoring to identify the traffic. Following is how I created the APP-ID, captured the header information from HTTPFox on Firefox. Refer attached screenshot Im not sure what i'm doing wrong here. Appreciate any response.
... View more
- Tags:
- app-id
01-19-2014
03:05 PM
HI, I need to get the numnber of hits going out to maps.google.com via PaloAlto.How can I do this? Shayan
... View more
Labels:
- Labels:
-
Content-ID
07-30-2013
03:57 PM
Exactly what I was looking for. Spot on. Thank you.
... View more
07-29-2013
11:47 PM
How can I run a report in PaloAlto Firewall to extract users logged in via Global protect last month? PA-500 5.0.2
... View more
- Tags:
- globalprotect
- reports
07-29-2013
06:14 PM
Hi, I have done the configuration and it seems like the session is also established. However, client computers cannot reach the servers on the other side. What i'm I missing here. Is it somthing to do with the cellular interface? Interface: Dialer1 Cellular0 Profile: ISAKMP_PROF Session status: UP-ACTIVE Peer: <PaloAlto IP> port 500 IKEv1 SA: local 10.249.207.85/500 remote <PaloAlto IP>/500 Active IPSEC FLOW: permit ip 10.20.1.0/255.255.255.0 10.3.0.0/255.255.0.0 Active SAs: 2, origin: crypto map CISCO Config. Router#sh run Building configuration... Current configuration : 2934 bytes ! ! Last configuration change at 00:59:39 UTC Tue Jul 30 2013 version 15.1 no service pad service timestamps debug datetime msec service timestamps log datetime msec no service password-encryption ! hostname Router ! boot-start-marker boot-end-marker ! ! ! no aaa new-model ! crypto pki token default removal timeout 0 ! ! no ip source-route ! ! ! ip dhcp excluded-address 10.20.1.1 10.20.1.10 ! ip dhcp pool DHCP_POOL network 10.20.1.0 255.255.255.0 default-router 10.20.1.1 dns-server 10.3.2.117 10.20.1.1 ! ! ip cef no ipv6 cef ! ! multilink bundle-name authenticated chat-script gsm "" "AT!SCACT=1,4" TIMEOUT 60 "OK" CONNECT license udi pid C887VAG+7-K9 sn FGL1710248X ! ! ! ! ! ! controller VDSL 0 ! controller Cellular 0 ! ! crypto keyring KEYR1 pre-shared-key address <PaloAlto IP> key <Password> ! crypto isakmp policy 1 encr 3des hash md5 authentication pre-share group 2 crypto isakmp key <Password> address <PaloAlto IP> no-xauth crypto isakmp profile ISAKMP_PROF keyring KEYR1 self-identity user-fqdn <email address> match identity address <PaloAlto IP> 255.255.255.255 initiate mode aggressive ! ! crypto ipsec transform-set PaloAlto esp-3des esp-sha-hmac ! crypto map PaloAlto 10 ipsec-isakmp set peer <PaloAlto IP> set security-association lifetime seconds 86400 set transform-set PaloAlto set pfs group2 set isakmp-profile ISAKMP_PROF match address IPSEC ! ! ! ! ! interface Ethernet0 no ip address shutdown ! interface ATM0 no ip address shutdown no atm ilmi-keepalive ! interface FastEthernet0 no ip address ! interface FastEthernet1 no ip address ! interface FastEthernet2 no ip address ! interface FastEthernet3 no ip address ! interface Cellular0 no ip address ip nat outside ip virtual-reassembly in encapsulation slip load-interval 60 dialer in-band dialer pool-member 1 dialer-group 1 async mode interactive crypto map PaloAlto ! interface Vlan1 ip address 10.20.1.1 255.255.255.0 ip virtual-reassembly in no ip route-cache cef ! interface Dialer0 no ip address ! interface Dialer1 ip address negotiated no ip redirects no ip unreachables no ip proxy-arp ip nat outside ip virtual-reassembly in encapsulation slip dialer pool 1 dialer idle-timeout 0 dialer string gsm dialer persistent dialer-group 1 crypto map PaloAlto ! ip forward-protocol nd no ip http server no ip http secure-server ! ! ip nat inside source list NAT interface Dialer1 overload ip route 0.0.0.0 0.0.0.0 Dialer1 ! ip access-list extended IPSEC permit ip 10.20.1.0 0.0.0.255 10.3.0.0 0.0.255.255 ip access-list extended NAT deny ip 10.20.1.0 0.0.0.255 10.3.0.0 0.0.255.255 permit ip 10.20.1.0 0.0.0.255 any ! ! ! ! ! ! control-plane ! ! line con 0 no modem enable line aux 0 line 3 exec-timeout 0 0 script dialer gsm modem InOut no exec transport input all rxspeed 21600000 txspeed 5760000 line vty 0 4 login transport input all ! end Router#
... View more
07-25-2013
03:22 AM
Has anyone setup a IPSEC VPN with a CISCO 880 series router Dynamic IP?
... View more
Labels:
- Labels:
-
Networking
07-25-2013
02:51 AM
Thank you for the response. Realy appreciate it. I will update the version and let you know.
... View more
07-25-2013
02:36 AM
I'm also experiencing the same issue. All users get a 1 day expire message here is whats in the log, Jul 23 11:13:22 authd_sysd_localprofile_callback(pan_authd.c:4340): localprofile sync triggered via sysd Jul 23 11:13:22 authd_sysd_localprofile_callback(pan_authd.c:4360): get local info for vsys1/COP_LDAP Jul 23 11:33:42 pan_authd_service_req(pan_authd.c:3310): Authd:Trying to remote authenticate user: <username> Jul 23 11:33:42 pan_authd_service_auth_req(pan_authd.c:1186): AUTH Request <'vsys1','COP_LDAP','<username>'> Jul 23 11:33:42 pan_authd_common_authenticate(pan_authd.c:1646): Authenticating user using service /etc/pam.d/pan_ldap_vsys1_:c:o:p_:l:d:a:p_0,username <username> Jul 23 11:33:43 pan_authd_authenticate_service(pan_authd.c:665): authentication succeeded (0) Jul 23 11:33:43 pan_authd_authenticate_service(pan_authd.c:671): account is valid Jul 23 11:33:43 pan_get_passwd_expiry(pan_authd_passwd.c:795): Using /etc/openldap/pan_ldap_vsys1_:c:o:p_:l:d:a:p_0 to get password info Jul 23 11:33:43 pan_get_ldap_ip(pan_authd_passwd.c:120): Reading file /etc/openldap/pan_ldap_vsys1_:c:o:p_:l:d:a:p_0 Jul 23 11:33:43 pan_authd_bind(pan_authd_passwd.c:244): binding with binddn <username>@cop.int Jul 23 11:33:43 pan_authd_ldap_search_result(pan_authd_passwd.c:357): searching base 'DC=cop,DC=int' for (sAMAccountName=<username>) (userAccountControl) Jul 23 11:33:43 pan_authd_ldap_search_result(pan_authd_passwd.c:380): DN in entry CN=<username>,OU=Staff Depot,OU=staff Users,DC=cop,DC=int Jul 23 11:33:43 process_ad_usracct(pan_authd_passwd.c:496): AD :Got value userAccountControl : 512 Jul 23 11:33:43 pan_get_ad_passwd_expiry(pan_authd_passwd.c:687): userAccountControl = 512 Jul 23 11:33:43 pan_authd_ldap_search_result(pan_authd_passwd.c:357): searching base 'DC=cop,DC=int' for (maxPwdAge) Jul 23 11:33:43 pan_authd_ldap_search_result(pan_authd_passwd.c:380): DN in entry DC=cop,DC=int Jul 23 11:33:43 process_ad_pwdattr(pan_authd_passwd.c:470): AD :Got value maxPwdAge : -77760000000000 Jul 23 11:33:43 pan_authd_ldap_search_result(pan_authd_passwd.c:357): searching base 'DC=cop,DC=int' for (sAMAccountName=<username>) (pwdLastSet) Jul 23 11:33:43 pan_authd_ldap_search_result(pan_authd_passwd.c:380): DN in entry CN=<username>,OU=Staff Depot,OU=staff Users,DC=cop,DC=int Jul 23 11:33:43 process_ad_pwdattr(pan_authd_passwd.c:470): AD :Got value pwdLastSet : 130189625099463765 Jul 23 11:33:43 pan_get_ad_passwd_expiry(pan_authd_passwd.c:760): AD pwd expires in days 1 Jul 23 11:33:43 authentication succeeded for user <vsys1,COP_LDAP,<username>> Jul 23 11:33:43 pan_authd_process_authresult(pan_authd.c:1366): pan_authd_process_authresult: <username> authresult auth'ed Jul 23 11:33:43 Request received to unlock vsys1/COP_LDAP/<username> Jul 23 11:33:43 User '<username>' authenticated. From: 27.96.214.249. Jul 23 11:33:43 pan_get_system_cmd_output(pan_cfg_utils.c:4275): executing: /usr/local/bin/sdb -n -r cfg.operational-mode I have replaced theactual user name with <username>
... View more
LEGAL NOTICES
Copyright 2007 - 2023 - Palo Alto Networks