Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
04-30-2020
43Posts
1Like
0Solutions
Apr 30, 2020Last Visited
User
Activity
User
Profile
Latest posts by jharlow
| Subject | Views | Posted |
|---|---|---|
| 2616 | 08-10-2018 05:51 AM | |
| 887 | 03-15-2018 06:38 AM | |
| 901 | 03-12-2018 11:59 AM | |
| 2179 | 01-25-2018 01:19 PM | |
| 1888 | 01-25-2018 06:39 AM |
My Liked Posts
| Subject | Likes | Posted |
|---|---|---|
| 1 | 06-08-2015 01:09 PM |
Posts I Liked
| Subject | Likes | Author | Latest Post |
|---|---|---|---|
| 2 | |||
| 1 |
User Badges
Public Statistics
| Date Registered | 03-19-2015 02:57 PM |
| Date Last Visited | 04-30-2020 03:06 PM |
| Total Messages Posted | 43 |
| Total Likes Received | 1 |
08-10-2018
05:51 AM
I have one FR ID: 7832 : User-ID needs to support Azure AD authenicated users. I have no idea what the status is, other than the SE stating it is a "highly requested feature" Saidly, they do not seem to be in much of a hurry as this was requested in January. I would like to see something more like Uservoice. Let people vote on items and then service can comment and commit to them based on their rating. I see a lot of providers using this service now.
... View more
03-15-2018
06:38 AM
Thanks for the feedback. I was able to transfer my config. I figured out that after importing the config one has to load it as well.
... View more
03-12-2018
11:59 AM
Currently have a PA500 (in virtual wire mode). Ordered a replacement PA220. I followed the instructions on connecting to the new unit and assigning a new IP address. It too is in Virtual wire mode. I need to understand how to transfer my configuration to the new unit. Also need to understand how to connect the device to the production network without taking down the network (lol). I am assuming I can just connec a wire to vw 2 port? Just want to confirm. Thanks!
... View more
01-25-2018
01:19 PM
I appreciate your responses. I think we are going to make the move to the PA220. It will also give me a device to finally use to migrate from our current setup (ASA as NAT/VPN and PA for filtering and reporting) When I originally configured the PA, I configured it in virtual wire mode and never wanted to make the switch since it was in production. I can start with the PA220 as an actual L3 device, configure the rules, NAT, VPN etc and then place it in production. Off to discuss this with our vendor. Thanks again. Any other words of wisdom since you have experience both the PA500 and PA220? I know I have to get a rack kit as it is a smaller unit. any other guidance will be appreciated.
... View more
01-25-2018
06:39 AM
I see the option under User-ID for NTLM (currently unchecked). Simply checking this is all that is needed? You mentioned it grabs the credentials from the browser, but if the user's machine is no longer on a local premise AD (simply connected via AzureAD through Windows 10), will there be credentials to grab? Let's assume the individual is prompted, however often will this take place (session cookie, restart of browser, PC restart, etc.) And lastly, since yes, NTLM is a Windows thing, how will Mac's and iOS devices handle this process? Will they simply get prompted to login and if so, the same last question applies (length of time). I sent a request to support about AzureAD. This really needs to be added as there are more of us looking to move to Azure and less on-premise. Maybe PA version 11. 🙂
... View more
01-24-2018
02:53 PM
Thanks for your thorough response. What is NPS rate? The security zones and polices are neither an issue. There are two reasons that I am considering the upgrade option. One, our renewals are up (which are annual) and the cost for renewing all of the same services are actually cheaper on the PA220. Second, and to some might not be a big need but the performance with commits are just brutal and as you mentioned, we are not even utilizing this thing. With the plan to move everything over from our ASA to the PA just adds more concern as more will be on the PA which would cause commits to even be slower than they are now. Even the overall management of the device just feels sluggish. Maybe this is due to being a 7 year platform (although we puchased it 4 years ago). I am hoping that what they say is true and managing the PA220 is a better experience.
... View more
01-24-2018
01:27 PM
Sales team reached out to me recommending that we upgrade our PA500 to the PA220. We are a small company with a data pipe of 100MB. We do not have a lot of settings on the PA500. On an average we have around 1500-2000 sessions per the UI Home page. Looking at the ACC, I set it to 24hours and athe highest is around 22,000 (looks like about an average or 15,000 during business hours). We currently have 14 security policies (including the two intrazone defaults). We do not have NAT setup yet as we are using a Cisco ASA for NAT; however, that will all be moved over this year. The question I have, is there any reason why we should or should not opt to upgrade to the PA220 over the existing PA500? I know the main reason he recommended it is that the PA500 has an extremely slow management commit and he states this was resolved in the PA220. This is something I know others have mentioned regarding the PA500 in the forums. Thanks for any advise. Any one that has also made this move and have any advise, that would be great too.
... View more
01-24-2018
10:39 AM
If we were to pull all of our domain controllers from on-premise, wouldnt that kill the first two options? GlobalProtect might be the only option but frown on as it is something that we will have to install. What APIs are you referring to?
... View more
01-23-2018
01:50 PM
We currently use User-ID with an on-premise Active Directory server. We are planning on moving to Azure AD (not to be confused with AD services in Azure). Are there any plan on getting User-ID to work with AzureAD (web Auth)? What other options can I use to continue to use User-ID if we do not have Active Directory on premise? Thanks.
... View more
05-17-2017
01:47 PM
Excellent. Thanks.
... View more
05-17-2017
06:42 AM
DA does have a public IP. The PA is currently setup as a vwire, so NAT is handled by our Cisco ASA. I have all of the ports enabled correctly on the ASA). As far as the PA, I created application overrides for all of the ports. One thing I noticed and I know this is the default since version 7 ( I believe); the policy for "Inbound Traffic" has application-Default as a service type. Should I change this to any and see if that solves the issue (instead of trying to figure out application overrides)? You mention premit all traffic from the source IP. Is that as in creating a new policy with that source IP and set any as service and allow? Sorry, still a newbie to PAN. Thanks.
... View more
05-16-2017
02:31 PM
Any chance, this process is documented somewhere ?
... View more
05-16-2017
08:57 AM
Yeah, I would do it manually as well. The issue I have and I am assuming this; is making the change from vwire to L3 would require resetting the device (lossing all of my custom settings I have now; aka URL filtering rules.) Is that correct?
... View more
05-16-2017
08:18 AM
@OtakarKlierCan we be friends? 🙂 Wow! That was easy enough and does exactly what I needed! Thanks! Curious, is that basically what I need to do to make this a layer 3 device versus vwire, minus NAT rules? Or a different way to ask, is all that is needed is to create the same NAT rules from the ASA on the PA and this is a L3 device or is there more to that?
... View more
05-16-2017
06:03 AM
Gotcha! I dont know if I can use that method as of yet. Our PA is in transparent mode, as the only policies we have in place is for URL filtering and AV/Malware scanning. We have an older Cisco ASA that handles NAT. The goal is to transition over to the PA, but getting there from where we are now ... Any case, your response helps me understand what I can do. Thanks.
... View more
05-15-2017
12:10 PM
I am not sure if I follow you? I have AD connected and use it to filter users for other policies. If you were agreeing with me that a separate policy is the best way to block internet access and add the XP machine via their static IP, then we are on the same page. Guess I wanted to check to see if there was a better way? The URL filtering will allow me to filter by category. Right now I have a policy created that I set BLOCK on all types but not sure if that is best way on going about this.
... View more
05-15-2017
06:41 AM
I have several older machines (XP) that are used for special purposes that cannot be be upgraded. Even the hardware cannot be upgraded or replaced (running on old dell dimenion desktops). These machines do not need access to the internet but they are on the same domain and need to be able to communicate with other domain machines. I want to make it where these machines cannot access any internet resources to reduce the change of malware/virus type activities. I was thinking that I can setup a rule/URL filter, that would block access and add these machines IP addresses to the list. Is this the best way to achieve this goal? Thanks
... View more
05-12-2017
11:14 AM
Trying to configure DireectAccess (Windows Server) to work but I believe it is failing due to the Palo Alto. I created a custom application and application override for the ports needed but still failing. Per a Microsoft Document, "the firewall has to be configured to pass the traffic through transparently. you cannot NAT the traffic". How do I do this? Anyone else experience using DA (more so with DA is behind the PA firewall)? Thanks,
... View more
05-18-2016
10:34 AM
Disregard. Deteremine that I had to also create a application override. Once that was in place, traffic is now identify correctly. Thanks.
... View more
05-18-2016
09:55 AM
I created a new application and configured the settings to idenfity any traffic that is using port 3260 (tcp/3260); however, I am still seeing "unknown-tcp" in the monitor logs. I do not believe I can use a signature or at least in the examples I found as the data is encrypted (IPsec), so there is no Get statement in the TCP segment. Only traffic that is on 3260 is iSCSI and needs to be identified.
... View more
05-17-2016
02:58 PM
I have a Dell Equalogic SAN that is replication to an offsite location. The traffic is sent over via a VPN tunnel (Certificate based). This traffic is being reported as unknown tcp. I can verify that the traffic in question is in fact the SAN traffic as the source and destination matches. I also read that the PA normally flags certificate based VPN as unknown. I need to get this traffic reported as a correct application as unknown is hard to manage and add to the fact that PA recommends blocking unknown TCP traffic. I also need to create a QoS rule so that this traffic is provided a higher priority.
I believe what I am needing to create is an Application override based on some of the articles here. Assuming this is correct and will provide me with the requirements; I need to have several IP addresses in this policy. Can I create an application group with a subnet; for example, all SAN traffic is outbound on 10.0.52.x (10.0.52.1-10.0.52-9) or do I have to create the group with each IP address?
If this is not the ideal solution or will not provide the results I am seeking, can you provide me with the KB or solution that would? Thank you.
... View more
01-28-2016
09:07 AM
Thanks. That worked.
... View more
01-28-2016
07:25 AM
Need a way to except a machine from the URL policy. Currently I can only find a way to except a user level however, I have one machine that is not on the domain that is used to communicate to several external services.
... View more
01-12-2016
08:35 AM
I am currently using the PA-500 in virtual wire mode, including monitoring, AV, Malware, etc. and web filtering. I want to start transitioning to layer 3 in order to move off of our Cisco ASA (currently sits on the inside of the PA500). What is the best way to start this process without lossing my current setup and with minimum downtime?
Outside > PA500 (Currently monitoring,AV,Malware,Web Filter) > Cisco ASA (NAT translation/VPN)
Thanks!
... View more
11-12-2015
01:13 PM
That did the trick. Curious why a custom URL category would work differently than adding the same site to the allow site lists on the URL filter. Hmm.. It works, and that is all that matters. Thanks!
... View more
11-12-2015
11:30 AM
Did you add share-ware-and-freeware to any URL filtering? I have it under Continue, at the moment.
... View more
11-12-2015
08:03 AM
I created a URL filter to block shareware sites; however I need to unblock one that I use. ninite.com. I have had no success getting this site to work. Adding the url ninite.com to the allow list, I am given an SSL error (enable TLS 1.0, 1.1, 1.2) which is enabled. I tried adding the IP address and that did not work. It appears the site is using a non-standard port (port 6080). So I added that port to as part of the IP address to allow. That partially got the site working but the installer still does not. The site has a SSL certificate and the certificate CN matches the URL that I added to the allow list.
Anyone willing to drill down on this issue and see what is needed to get it working? 🙂 I am guessing the installer is using a different port as well...
Thanks,
... View more
08-06-2015
01:29 PM
Maybe there is a bug in 7.0.1. When I click on URLS under Destination IP activity, I receive a "No data to display"
... View more
08-05-2015
06:59 AM
It seems nearly every time I need to determine the URLs that are using what seems to be excessive bandwidth, this one comes up the most. Akamai Technologies. I understand they are a CDN, but if most services rely on their services and that is as far as we can go to determine the source, this really kills any advantage of the PA; or at least the reason we opt for it. Application/URL monitoring. For this particular example. I am looking at applications that use Flash. We need to determine what Flash is being used for in our company to determine the course of action towards removing Flash Players. All of the major destination addresses while looking at the ACC points to Akamai Technologies. That does not tell me a thing of value. What is the actual site or purpose? I cannot be the only one looking for similar data, giving all of the Flash headlines right now. There alt to be a way to pull a report and see what users (which that I can see in ACC) are using the Flash Player and for what purpose (site url, media, ads?) Again under Destination Address, the addresses are mostly Akamai Technologies. PA-500 version 7.0.1
... View more
Labels:
- Labels:
-
App-ID
08-05-2015
06:48 AM
I have a PA-500 and even with this model, committing takes a long time.
... View more
Latest Blogs
Latest Posts
Copyright 2007 - 2020 - Palo Alto Networks
