This website uses cookies essential to its operation, for analytics, and for personalized content. By continuing to browse this site, you acknowledge the use of cookies.
For details on cookie usage on our site, read our Privacy Policy
For details on cookie usage on our site, read our Privacy Policy
About igobejishvili
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- LIVEcommunity
- About igobejishvili
03-29-2023
10Posts
3Likes
0Solutions
Mar 29, 2023Last Visited
User
Activity
User
Profile
Latest posts by igobejishvili
| Subject | Views | Posted |
|---|---|---|
| 1149 | 08-02-2022 03:14 AM | |
| 1703 | 07-29-2022 12:43 AM | |
| 1892 | 07-26-2022 01:40 AM | |
| 1263 | 06-27-2022 06:50 AM | |
| 1303 | 06-27-2022 04:20 AM | |
| 2079 | 04-01-2022 10:29 AM | |
| 2124 | 04-01-2022 07:24 AM | |
| 2645 | 03-31-2022 01:36 AM | |
| 2704 | 03-30-2022 09:26 AM | |
| 2906 | 03-30-2022 02:30 AM |
My Liked Posts
| Subject | Likes | Posted |
|---|---|---|
| 3 Likes | 04-01-2022 10:29 AM |
Posts I Liked
| Subject | Likes | Author | Latest Post |
|---|---|---|---|
| 1 Like | |||
| 1 Like |
User Badges
Community Statistics
| Member Since | 03-30-2022 02:04 AM |
| Date Last Visited | 03-29-2023 11:04 AM |
| Posts | 10 |
| Total Likes Received | 3 |
08-02-2022
03:14 AM
Thank you for your input.
I've added static routes and traffic flows correctly. Looks like once static route points to tunnel interface associated with policy based IPsec tunnel, then traffic correctly flows through appropriate proxy ID sub-tunnels based on destination prefix. ICMP is successful and packet encaps/decaps increase accordingly.
However my problem with failover still persists. If primary IPsec tunnel goes down, static routes are not withdrawn from routing table and traffic effectively gets blackholed. Since "outer" associated tunnel has no IP address, I'm unable to configure tunnel monitoring or path monitoring for static routes. There is no source IP address available to source ICMP from.
... View more
07-29-2022
12:43 AM
Thank you for the reply. Currently I have no routes associated with these connections. That's why I was wondering if there is anything like reverse-route from Cisco world, to inject static routes from P2 selectors (ACLs in that case) that can be manipulated with metrics etc. If not, what is the correct way to apply a static route over policy-based tunnel in PAN-OS? As tunnel itself has no IP address, I assume egress interface should be used as a next hop. Each configured Proxy ID is represented as a sub-tunnel with naming of IPsec_Tunnel_Name:ProxyID_Name, that is not visible in PAN-OS web management. Can static routes be pointed to just an "outer" IPsec tunnel name?
... View more
07-26-2022
01:40 AM
Hello everyone,
I have a case, where we have configured two site-to-site VPN connections to our partner's primary and backup datacenters. Both tunnels are policy-based IPsec VPNs with Proxy-IDs configured and both use the same local/remote inner IP addresses. This is a single ISP/single virtual router environment.
For example this is a sample config of two Proxy-IDs in one tunnel:
172.16.2.2 (real private IP) NATed to 172.29.2.2 used as local and 200.0.0.2 remote.
172.16.2.3 (real private IP) NATed to 172.29.2.3 used as local and 200.0.0.3 remote.
Now exact same proxy ID configuration is present in second tunnel as well. My question is, how do we make tunnel1 preferred egress point for outgoing packet flow and how do we implement failover to tunnel2, in case tunnel1:proxyid sub-tunnels go down?
I can't use any routing solutions or tunnel monitor as it's a policy-based VPN. There are no routes regarding those remote networks and also tunnels have no IP addresses configured for themselves.
ADD: Maybe there is a mechanism in PAN-OS similar to reverse-route in IOS, that can inject routes based on proxy IDs? That could solve the problem with variable AD or metric per route injection.
... View more
06-27-2022
06:50 AM
Thank you for the reply. That's exactly what I've ended up doing. MASQUERADE on the Linux server with its own IP for specific source networks (ingress via PBF) and then srcnat of that DMZ IP to Outside on PA. I can observe two sessions per flow, one to the server and another corresponding flow from the server.
... View more
06-27-2022
04:20 AM
Greetings! As title suggests, I'm trying to implement PBF to the specific destination network in Internet through a server residing in DMZ. There are three zones configured: Inside 10.0.5.0/24 - from where traffic is initiated DMZ 10.0.22.0/24 - where intercepting server is connected. Plain Linux with net.ipv4.ip_forward = 1 Outside 2.2.2.2/30 - facing Internet with single connection (upstream BGP router in this case) Interesting destination network 203.0.113.0 /24 PBF rule matches source and destination IP networks (10.0.5.0/24 => 203.0.113.0/24) and works as intended. In traffic log I can see my requests being rerouted from Inside to DMZ and tcpdump on server surely shows connections from 10.0.5.0/24 network. The problem occurs when server itself tries to reach to the actual destination network. Either NAT is not happening during forwarding or something else is discarding traffic in firewall. I can see retransmissions happening before the session is dropped. Tried srcnat with unused IP from my BGP pool (routed from upstream to firewall which works in normal routing flow between zones) in both INSIDE to DMZ or DMZ to OUTSIDE flows. From Inside to DMZ flow it happens and I can see my internal network already NATted to public IP in server's tcpdump, but connection still fails. From what I understand, in this scenario firewall sees traffic from 10.0.5.0/24 but sourced from DMZ zone. Could there be something like uRPF mechanism kicking in? There are no errors in traffic log either.
... View more
04-01-2022
10:29 AM
3 Kudos
I found what the problem was. It has to do with application IDs. If you leave application to "any" and apply URL filtering profile with URL category, it only matches "web-browsing" and "ssl" app-ids for URL list regex. Anything else associated with that URL will be governed by predefined category containing it and get blocked. If you add the rest of app-ids exclusively (necessary for a webpage like wetransfer for example), then it will correctly allow traffic on that rule. That's why when I was matching with "any" in application field, I could see hits on specific rule but also see blocking from generic rule. web-browsing and ssl were matched in specific rule, wetransfer-base etc., matched further down in generic. Seems like "any" doesn't really mean any in the world of PA... Actually if URL requires only web-browsing and ssl app-ids it works even with URL category only, but there is a caveat. Rules with URL category only will ignore any other app-ids (even added exclusively) except web-browsing and ssl. Pretty convoluted I should say. Thanks for helping me 🙂
... View more
04-01-2022
07:24 AM
Hello, thank you again for your time. So you are using your custom URL Category in your specific allow Security Policy, but under the Actions tab of the policy where you set Allow, do you have a Profile Setting with a URL Filtering profile that is actually blocking the connection? True, I use rule with URL category in specific allow, but no profile is applied in that rule. Let's assume my URL category object name is "CAT1" and has following regex configured: *.example.com/* *.example.com/ .example.com/* .example.com/ And URL filtering profile "PROF1", that has default categories either allowed or blocked, where "CAT1" is set to none. "example.com " is in one of the blocked default categories here. Then I have two security rules as follows from up->down Rule1 that allows several LDAP users to any destinations using any apps and any services, "CAT1" applied to it and profiles set to none. Rule2 for "General Internet Access", that has profiles enabled and "PROF1" applied to it. What I think I see in logs is, that CAT1 is matched before PROF1, but instead of allowing this traffic, firewall continues evaluating security policies down the line and finally blocks URL via PROF1. I've also tried the scenario described by you using two separate URL filtering profiles, where in PROF1 CAT1 is set to "none/none" and in PROF2 (clone of PROF1) CAT1 is set to "allow/allow". Even then, firewall still blocks access from Rule2 via PROF1.
... View more
03-31-2022
01:36 AM
There is an odd thing I've noticed in logs. If this security rule above doesn't have custom URL category attached to it, matched traffic (by source LDAP user) is correctly allowed and forwarded, but once I attach URL category although it matches the URL regex, firewall continues evaluating security rules and finally blocks URL because it's blocked in rule below for all users.
... View more
03-30-2022
09:26 AM
Thanks for the reply. Yes these URLs matched by custom URL category are blocked in default category assigned to URL filtering profile. But security policy rule, that uses this default category filtering profile is below (after) this specific rule. I've even tried making another URL filtering profile where I allowed this custom category, but even then they were blocked. There is no overlap of regex matches in single URL profile. If block always takes precedence regardless its security rule position, then I can't understand how to allow portion of webpages to specific users/IPs, while blocking them to others. It's either all allow or all block then...
... View more
03-30-2022
02:30 AM
Hello, We're running VM appliance with PAN-OS 10.1.4 I've created custom URL category matching several wcard domain names, that we want to whitelist for only some LDAP users and added security policy placing it above internet access policy for all users (where URL filtering profile is applied to block URLs by predefined categories). We're decrypting this traffic as well. Policy looks like this: Src zone: Inside facing user networks
Src User: user1/user2/user3 (IP addresses obtained via querying PA user agent running in separate VM)
Dst zone: Outside facing Internet
Service: Any
Application: Any
Profile: None
URL Category: Custom URL category I've created
Action: Allow This policy matches traffic generated from user1/2/3, but URLs are still blocked and notification indicates them being blocked by default category. Is there anything I'm missing?
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
03-29-2023
11:04 AM
|
Latest Tags
No tags yet
LEGAL NOTICES
Copyright 2007 - 2023 - Palo Alto Networks