LIVEcommunity - About UKRB

UKRB · ‎08-27-2013

Has anyone got anywhere with PAN support with this? I've slightly given up hope which is not great really!

UKRB · ‎11-19-2012

Hi siebi. I'm pleased to hear that I'm not the only one who is having this issue. It's really quite frustrating. I did log it with support a while back but didn't make much progress. Have you logged it at all yourself? Thanks

UKRB · ‎11-16-2012

Hi all, I'm seeing some odd behaviour with apps that use SQL where the app is on a terminal server. The terminal server has an app installed and works perfectly when the PAN TS agent is not running. When the agent is started, the application throws up lots of connection errors. This happens with multiple terminal servers, multiple app and multiple SQL servers. Has anyone else seen behaviour like this at all? Thanks, UKRB

UKRB · ‎10-31-2012

Yes, Bob, your ISP is correct is the short answer. What I would do as a starting point is to look at the IP addresses and subnet mask they have given you. Work out the size of the subnet they have allocated you and all the possible IPs in that block. Discount the network and broadcast addresses, then make a note of the IP in the block you're using for your main firewall interface and then the IP they have give you as a gateway. Whatever IPs left should be free for you to use, assuming they've not used any more and not told you. You can then create policy objects with IPs from the range and then create NAT rules to forward the traffic into your network. Once the NAT rule is in place, the firewall will automatically respond to traffic destined for that IP. No extra configuration is required at the interface level. Your NAT rule would be something like: Soure Zone: Internet Dest Zone: Internet Source Address: Any Dest Address: [policy object with ext ip you want to use] Service: Any Source Trans: None Dest Tran: [policy object of internal device using internal IP] The source and destination zone both being Internet / Untrust is the bit that can trip people up. It's because from the point of view of the external user they are making contact with you an external, public IP and technically they don't know it's destination is internal or going to get NAT'd. Hope that all makes sense! UKRB.

UKRB · ‎10-31-2012

In my experience it is often the switches that cause the delay and not the PA devices. I have a 2020 HA pair running with pretty speedy failover, though it can always be better! If you look at the units when you try a failover you should see all the activity lights on the ports go off on one unit and light up on the other unit. When these light up, the PA unit will be ready to start passing data, so your switch needs to get going too! You said you were testing this by unplugging a data interface - what sort of experience do you get when you do a controlled failover? Device / HA / Operational Commands / Suspend local device Also, are you using striaght through or crossover cables between the units?

UKRB · ‎10-31-2012

Well, the rack mount kit for the PA 200 finally arrived after a number of weeks. For the benefit of people that are not sure what it looks like as I was originally, I have added a photo below. The plate in the middle of the brackets is to be attached on the side of the unit to support the power supply unit.

UKRB · ‎10-21-2012

Well my PA-200 has arrived an I'm still slightly surprised that it hasn't come with something to make it fit a 19" rack. As I said before, it's the sort of thing other vendors chuck in for free. Poor show PA - especially the price! :smileyangry: But, what is most annoying is that after ordering the rack mount kit over two weeks ago, I still don't have it because the distributor says it's rarely ordered!! C'mon PA.... What's going on! I love working with your kit and I tell others so, but when I wait over two weeks for a metal bracket it's quite annoying. While it seems like a small thing - how can you complete a job professionally if the kit you have configured is slumped in the bottom of a rack!

UKRB · ‎09-26-2012

Thanks for the speedy response! So the rack mount kit widens the unit to fit a 19" rack of it is a full rail kit of some sort? I want to put the device in a small rack that is not as deep as a full server rack. Thanks

UKRB · ‎09-26-2012

Hi all, I'm planning on purchasing a PAN 200 device very soon for a small site that I'm responsible for. I'd like to know what's in the box with regards to mounting it in a standard 19" rack. I know that there is a separate rack mount kit available for the device but from the cost of it I can only imagine it's something to make the unit go in a large server rack. For example, you can get small HP Procurve switches of a similar size to the PAN 200 and HP do not advertise anywhere the fact that in the box there are two L shaped brackets that are essentially spacers that allow the device to be mounted in a 19" rack. They do though advertise a huge rack mount kit which is actually a rail kit and totally over the top. Essentially, I don't want to order something I don't need and so if anyone who actually owns or has opened the box of a PAN 200 could confirm what's included, that would be of great benefit. Many thanks in advance, pan UKRB

UKRB · ‎08-06-2012

Hi Tom, I'm a bit lost as to why you have all the sub interfaces on the external side? I have done something similar recently where I wanted one network behind an interface (essentially a guest network) to go out behind a different public IP but I just defined the IP as an object and then specified the NAT rule to use that object as the new source address on it's way out. Also, your route suggests the default router out is one of your own IPs (1.1.1.1 being on eth1/1) this would just send traffic back to the firewalls so I can't see how that works? Perhaps I'm missing something? UKRB

UKRB · ‎05-14-2012

Hi there, I'm looking to setup a few site to site VPNs using a PA2020 at our HQ site with Draytek Vigor 2830n routers at the other end. We have fixed IP addresses on the other end so I don't need to worry about the issues with dynamic IPs. I was wondering if anyone has experience with setting them up and if they had any issues getting them up and running. I'll be working through it over the next week or so and hope to post any issues or a full solution should it go ok! Cheers, UKRB

UKRB · ‎05-05-2012

Right, well assuming you have blocked the adult categories then for the most part you're covered, no? I think a category of sites which are chat sites requring no login would be a tough one! UKRB

UKRB · ‎05-05-2012

Yep, me too - any URL reporting improvement would be great!

UKRB · ‎05-05-2012

I think the URL reporting is an area that PAN really needs to work on if I'm honest and I'm not asking for really complicated things. As mentioned above, the User Activity Report is far too long - why can't we customise what's in the report or calm it down a bit. If I give that to someone in HR who's doing an employee investigation, I just get blank looks as I've essentially bombarded them with a book of URLs! Also, so often heads of department want to know how their department is using the Internet as as soon as I produce info on what a user is doing, the first question, understandably is, how does this compare to colleagues. Group based reporting should be much easier! Come on PAN - please work on this!

UKRB · ‎05-05-2012

I think the issue with these sites is that they have such varying degrees of unsuitability. I've just checked the three URLs you mentioned and they were categorised as follows: [if only for the benefit of other readers if you have already checked them] chatrandom.com Internet Communications Adult and Pornography chatroulette.com Nudity Internet Communications omegle.com Social Network The first two are cleary more adult orientated and so I would have thought blocking "Adult and Poronography" along with "Nudity" would have been acceptable for many companies. I'm aware that sometimes more innocent sites can get caught up in the Nudity sites so you could ask BrightCloud, who Palo Alto use, to recategorise the URL. I've had a great experience with BrightCloud who have got back to me within 24hrs whenever I've suggested a change. With regards to Omegle, it's not clear that it's going to lead to anythin unsavoury. What's the difference between that site and say MSN Web Messenger or Google Chat, Facebook chat etc etc. Many harmless sites could be used to have adult chat on but they wouldn't be blocked unless it was the main use as is seen with the first couple of URLs you suggested. In terms of application blocking - they all use so many different types of technologies to operate so I'd think it would be tough to block them. For the sites you wish to block, what common attribute do they have that doesn't include harmless sites? And finally, if you don't want to block the adult categories, aren't you letting users access far worse sites? UKRB

Member Since	‎08-08-2011 12:19 PM
Date Last Visited	‎04-01-2019 06:14 PM
Posts	36
Total Likes Received	12

Online Status	Offline
Date Last Visited	‎04-01-2019 06:14 PM

Re: SQL and Terminal Services agent

Re: SQL and Terminal Services agent

SQL and Terminal Services agent

Re: Multiple IPs on public facing interface

Re: HA Down Time

Re: Reports - Best way to see top URLs visited?

Re: Multiple IPs on public facing interface

Re: Server Profiles - Email alerts

Re: HA Down Time

Re: New PA Purchase - Rules question and any tips?

Re: SQL and Terminal Services agent

Re: SQL and Terminal Services agent

SQL and Terminal Services agent

Re: Multiple IPs on public facing interface

Re: HA Down Time

Re: PAN 200 Rack Mount

Re: PAN 200 Rack Mount

Re: PAN 200 Rack Mount

PAN 200 Rack Mount

Re: help to configure a DMZ and NAT

Draytek Vigor - Site to Site VPN

Re: Blocking Chat roulette type sites

Re: Reports - Best way to see top URLs visited?

Re: Feature Request - Reporting

Re: Blocking Chat roulette type sites

Network Security

Cloud Security

Security Operations