This website uses cookies essential to its operation, for analytics, and for personalized content. By continuing to browse this site, you acknowledge the use of cookies.
For details on cookie usage on our site, read our Privacy Policy
For details on cookie usage on our site, read our Privacy Policy
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
About bafergel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- LIVEcommunity
- About bafergel
10-29-2021
26Posts
6Likes
4Solutions
Oct 29, 2021Last Visited
User
Activity
User
Profile
Latest posts by bafergel
| Subject | Views | Posted |
|---|---|---|
| 921 | 10-27-2021 06:19 AM | |
| 1041 | 10-26-2021 01:27 PM | |
| 972 | 09-28-2021 12:22 PM | |
| 916 | 09-17-2021 02:13 PM | |
| 1537 | 09-17-2021 02:11 PM |
My Liked Posts
| Subject | Likes | Posted |
|---|---|---|
| 1 Like | 09-17-2021 11:24 AM | |
| 1 Like | 09-17-2021 01:43 PM | |
| 1 Like | 09-15-2021 08:26 AM | |
| 1 Like | 09-13-2021 07:05 AM | |
| 1 Like | 09-10-2021 06:32 AM |
Posts I Liked
| Subject | Likes | Author | Latest Post |
|---|---|---|---|
| 2 Likes | |||
| 1 Like | |||
| 1 Like |
User Badges
Community Statistics
| Member Since | 03-23-2021 02:46 PM |
| Date Last Visited | 10-29-2021 09:54 AM |
| Posts | 26 |
| Total Likes Received | 6 |
10-27-2021
06:19 AM
Yes there is return traffic, however only a handful of packets so it doesn't appear as if much information passed in these connections. The successful SSL connections pass many more bytes and packets. And the incomplete connections only start appearing when those extra URLs are added, and SSL ones start getting blocked. The policies did not change and while in a broken state I did a test policy match and that traffic should have hit our rule... but it just didn't. These particular clients are configured to reach out to a specific URL, the URLs that were added that broke it did not modify or orverlap with this URL. The added URLs were mostly shopping/sports sites.
... View more
10-26-2021
01:27 PM
We added additional URLs to an existing custom url category and on our URL filtering profile, it is set to alert. These additional URLs are completely unrelated to the connection that started to fail. And as soon as we reverted those changes things began working just as they had before. We checked the URL filtering logs and nothing was being blocked on this connection. It wouldn't drop every connection either, so for example we have a client that was reaching out to a certain IP on the internet on 443. Some were blocked by the default block rule with an application on SSL and others were allowed with an application of incomplete on the rule the traffic should be hitting (they both had the destination of the same IP). But again once we removed those seeming unrelated URLs from the category everything was again allowed and registered as SSL.
... View more
09-28-2021
12:22 PM
Is there a way to allow ping on a rule that has another application that uses a non-standard port? So for example, if yum uses port TCP 3142 instead of its default tcp/80,21 is there a way I can attach ping to that rule and still have it work? Like on Cisco ASAs you can add icmp as a port/service. Example that doesn't work: Example that does work:
... View more
09-17-2021
02:13 PM
Hello @osmasoud, I believe this link will answer your question. https://www.paloaltonetworks.com/resources/pa-series-next-generation-firewalls-hardware-architectures
... View more
09-17-2021
02:11 PM
Hello @Sherm, I believe in that document it's stating once the zone protection profile is actually triggered. Once zone protection is triggered, say they access a resource 6 times in 30 seconds (through an allow rule), then zone protection will kick in and block them regardless of if they match an allow rule.
... View more
09-17-2021
02:01 PM
Hello @dtran, If you see the traffic being allowed in the firewall, I would recommend going through the steps of this article and see if Palo lists a reason as to why its dropping the connection. These steps have been helpful many times before in my troubleshooting. https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CloNCAS
... View more
09-17-2021
01:43 PM
1 Kudo
Hello @ErikMarschang, you can limit the permitted IPs to the management interface to an RFC 1918 address. Device>Setup>Interfaces>Management>Permitted IP Addresses.
... View more
09-17-2021
12:14 PM
Hello @Sherm, I know with Security profiles at least that they are not addressed until after a packet is processed and allowed. I believe zone protection acts in the same way. So if a policy does not actually allow the traffic it just stops right there, it doesn't go through the rest of the process and thus doesn't generate a threat log as there is no threat, just a blocked packet.
... View more
09-17-2021
11:24 AM
1 Kudo
It may just simply be a visual bug. If you do "show devicegroups name ?" on Panoramas cli does that show correctly? You could also just restart the management server and see if that addresses the issue, "debug software restart process management-server".
... View more
09-17-2021
06:39 AM
Hello @DarylMaurice, assuming I'm understanding your question correctly a setting up QoS would be your best bet. You could set up a QoS profile and set a class to a max of 25% (lets say class 3 for this example). With a QoS profile, any traffic not specified will be class 4. Under Network>QoS, click create and attach to your egress interface. In your case the Egress max would be 4000. Attach the QoS profile you just created to the clear text and/or tunnel interface. You will also need to create a QoS rule to say what traffic you designate for what class. Under policies>QoS, select create. Say for example you create a rule with a destination of your cloud backup (we'll say 2.2.2.2). And under other settings select the class you want it to apply to (in this example, class 3). You can do this with other traffic you want identified, and again remember anything not specified by a qos rule will default to class 4. Let me know if this helps!
... View more
09-15-2021
08:26 AM
1 Kudo
My assumption is that if you view the logs in Panorama is would show Panroamas times for logs but I'm not certain on this. In our environment everything is set to the same timezone of Panorama, regardless of what timezone they are in.
... View more
09-14-2021
01:45 PM
Do you have physical access to the firewall? You should still be able to console in. I believe this article is referencing your issue. https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClLqCAK In regards to whitelisting for PCI scans, you may be wanting to look at an exclusion for the zone protection profile.
... View more
09-13-2021
07:05 AM
1 Kudo
You can't edit the default predefined profiles. You could clone it and create your own from that then attach the profile you created to your rules or security profile group.
... View more
09-10-2021
12:08 PM
Here is the link to the thread and expedition tool. https://www.paloaltonetworks.com/products/secure-the-network/next-generation-firewall/migration-tool https://live.paloaltonetworks.com/t5/automation-api-discussions/how-to-quickly-find-and-remove-unused-objects-in-policy/td-p/230055
... View more
09-10-2021
12:07 PM
I believe you may be able to use the Expedition tool to achieve what you're looking for. I have only briefly used the tool so someone else may be better at answering this but it looks like there is another thread discussing this. Here is what TomYoung said in regards to this: " Expedition can make changes directly on the firewall. It has been a while since I have done it, but I believe you add the device under Devices and make the changes under your project > Export > API Output Manager. You should know the difference between Atomic and SubAtomic changes. You could also use "show | match <object-name>" in configuration mode (set format) and see where it is used in the configuration. If the only line is the address object, it is not used. You could also delete the object. If it is used, you will get an error right away. If not, the delete will be accepted in the candidate configuration. UPDATE: I saw this on Reddit, and it works. Select all the objects. (This may not be quick depending upon the number of objects.) Select Delete and Yes. All unused objects are deleted. All used objects produce an error and are kept. Use Device > Config Audit to see which objects were deleted. Once Expedition is setup, that is the quickest and easiest."
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
10-29-2021
09:54 AM
|
LEGAL NOTICES
Copyright 2007 - 2022 - Palo Alto Networks