This website uses cookies essential to its operation, for analytics, and for personalized content. By continuing to browse this site, you acknowledge the use of cookies.
For details on cookie usage on our site, read our Privacy Policy
For details on cookie usage on our site, read our Privacy Policy
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Get Started
- News & Events
- Collaboration
- Education Services
- Technologies
- Next-Generation Firewall
- GlobalProtect
- Threat Prevention Services
- Endpoint Protection
- SSL Decryption
- App-ID
- Content-ID
- User-ID
- 5G
- IoT Security
- Cloud Identity Engine
- Panorama
- AIOps for NGFW
Network Security
- Prisma Access
- Prisma Cloud
- Prisma SD-WAN
- Cloud NGFW for AWS
- CN-Series
- VM-Series:
- Private Cloud
- OCI
- Alibaba
- AWS
- GCP
- Azure
Cloud Security
- Cortex XDR
- Cortex XSOAR
- Cortex Data Lake
- Cortex Xpanse
Security Operations
- Resources
About HeathRamos
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- LIVEcommunity
- About HeathRamos
06-16-2022
8Posts
0Likes
0Solutions
Jun 16, 2022Last Visited
User
Activity
User
Profile
Latest posts by HeathRamos
| Subject | Views | Posted |
|---|---|---|
| 1770 | 04-28-2021 06:46 AM | |
| 1798 | 04-27-2021 11:22 AM | |
| 1842 | 04-27-2021 07:26 AM | |
| 1849 | 04-27-2021 07:21 AM | |
| 1857 | 04-27-2021 07:09 AM |
User Badges
Community Statistics
| Member Since | 04-30-2015 06:49 AM |
| Date Last Visited | 06-16-2022 11:51 AM |
| Posts | 8 |
04-28-2021
06:46 AM
Talked to PAN tech support and they weren't able to get ipsec to work with the loopback set up. still looking into it. in the meantime, I have looked at various documents on setting up GP but none of them had info on any policies needed to allow traffic. What traffic needs to be allowed? I don't want to anything that could lead to security issues if it is on the external interface. Keep in mind, I created a security zone for VPN. not sure if that changes things.
... View more
04-27-2021
11:22 AM
well...I added a 2nd ip to external interface, created new tunnel, security zone, gateway, portal, added new security policy and altered the local host file on my laptop and was able to connect using IPSec. at least I know it is a firewall issue and not a client side issue. now to see if I can get it to work using loopback interface.
... View more
04-27-2021
07:26 AM
is there supposed to be a specific policy or NAT rule that allows UDP 4501?
... View more
04-27-2021
07:21 AM
I have a Deny All rule for all source and destination zones with the log at end of session enabled so I believe the firewall should log all blocked traffic, hopefully.
... View more
04-27-2021
07:09 AM
Thanks for the feedback I looked at the logs on one of the clients and it can see it trying to connect using ipsec but failing. Logs: - Trying to do ipsec connection to IP_Address [4501] - Network is reachable - Connected to: IP_Address [4501], Sending keep alive to ipsec socket - failed to receive keep alive - IPSec anti-replay statistics: outside window count 0, replay count 0 - Disconnect udp socket This happens with every client (all Windows 10 clients with standard configurations, including mine), so I am leaning toward it being a firewall issue. Pan-OS is 9.1.8 and GP Client is 5.2.5-c84. I was thinking of trying to add a 2nd external ip address and bypassing loopback set up as well as creating a test environment separate from what's being used in production but I wasn't sure how. Sounds like if my external interface was an ip address of 1.1.1.1/29, I can add 1.1.1.2 as a 2nd ip address, create a new tunnel and VPN security zone, use the same authentication, certificate profiles and test the set up. I will update this post if I see anything else in the logs
... View more
04-26-2021
10:35 AM
We have been using GlobalProtect for awhile but I just became aware that none of our clients are connected using IPSec even though the option is checked. I can't see anything being blocked so I am wondering if it is a configuration issue of some kind. Note: we are using loopback interfaces and both the gateway and portal use the same loopback
... View more
06-06-2017
01:43 PM
we have a PA-3020. I am mainly concerned about web-based emails mail.google.com doesn't decrypt eas.outlook.com doesn't decrypt
... View more
06-06-2017
01:20 PM
we recently upgraded from PAN-OS 7.1.10 to 8.0.2 and some (but not all) websites are no longer decrypting For instance, gmail doesn't decrypt anymore and we have a rule that allowed that application. Since that traffic isn't decrypted, it comes up as SSL and isn't applied. Any known issues in 8.0.2 that would cause this? Any way to fix it? Heath
... View more
- Tags:
- 8.0.2
- decryption
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
06-16-2022
11:51 AM
|
LEGAL NOTICES
Copyright 2007 - 2022 - Palo Alto Networks