About nathan_gilmore

I have attached a PDF that shows screenshots of the same rule, in four different variations. I am trying to understand the relationships between using applications and traditional ports. I have a server that has a static public IP NATed to the private internal IP. I need telnet, FTP and web browsing allowed on it. I originally setup the rule to be like # 3.  Using the default PA provided service group of service-http that does 80 and 8080 and applications FTP and Telnet.  None of the three services worked under this configuration. I modified the rule to look like # 1 and all three services worked. So I played with it more to see about how the relationships work between applications and services and came up with two additional variations.  # 2 and # 4. # 2 works like # 1, all three applications work. # 4, FTP and Telnet do not work, but the website does. So my question to you all is what is this relationship doing?  Why does # 3 not allow any of the three services to work, yet # 4 allows the website to work but not ftp and telnet?  Can I mix and match applications and services in the same rule or do I need to break them apart? This simple example is not a big deal but I have some servers that use known applications like FTP and MSSQL that I would like to switch over to use pure applications for them in the rule but they also have some proprietary ports that are unique to them that I will need to keep listed as services.  So before I start mucking with them I'd like to have a better understanding of how this is supposed to be working. Thanks for any advice and guidance. ... View more

Morning! So we went live with our PA2020 yesterday.  Upgraded from our Cisco PIX 525 and so far everything is working great.  Only 10 seconds of downtime as we did the cut over. I work at a university and the number one request from students is to make gaming available.  Now with the PA I'm more open to the idea and want to start easing into allowing the various services to go through to the student VLAN. When I allowed WorldofWarcraft, I get a message saying that bittorrent is required but my P2P block all rule prevents it. Currently the very first rule I have is my P2P block all rule, blocking the entire category of p2p, and several levels lower I have the rule allowing worldofwarcraft for the student vlan allow. When I commit the config, it shows a warning that worldofwarcraft requires bittorrent but the p2p rule is blocking it. I must block p2p to stay in compliance on our campus but I would like to allow worldofwarcraft for our students. Any suggestions or anyone have a configuration that makes it work properly but also blocks p2p traffic? Thanks, Nathan G. ... View more

Recently purchased a PA2020 to replace our Cisco PIX 525.  I'm in the process of auditing our cisco config and recreating it in the PA. I'm looking for suggestions on how to allow applications inside to outside and outside to inside. I only have two zones setup.  inside-trust & outside-untrust Can I just create one rule to allow skype that lists both zones on either side of the rule? source destination name zone address zone address application rule1 inside-trust outside-untrust any inside-trust outside-untrust any skype or is it better to have two rules and break it up for inside to outside and outside to inside? source destination name zone address zone address application rule1 inside-trust any outside-untrust any skype source destination name zone address zone address application rule2 outside-untrust any inside-trust any skype Either way is fine with me, I'm just looking for best practices or if having both zones listed is a bad idea or even supported.  Also if anyone has done this and found if it is a good idea or bad idea?  Gaming is another example that relates to this question as I work at a university. Thanks! ... View more