This website uses cookies essential to its operation, for analytics, and for personalized content. By continuing to browse this site, you acknowledge the use of cookies.
For details on cookie usage on our site, read our Privacy Policy
For details on cookie usage on our site, read our Privacy Policy
About smarcyes
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- LIVEcommunity
- About smarcyes
05-24-2022
7Posts
7Likes
0Solutions
May 24, 2022Last Visited
User
Activity
User
Profile
Latest posts by smarcyes
| Subject | Views | Posted |
|---|---|---|
| 3565 | 05-22-2022 03:04 PM | |
| 3617 | 05-22-2022 11:52 AM | |
| 1299 | 05-17-2022 02:28 PM | |
| 1544 | 05-17-2022 11:35 AM | |
| 1571 | 05-17-2022 05:20 AM | |
| 1736 | 05-16-2022 05:52 AM | |
| 1375 | 04-16-2022 12:22 PM |
My Liked Posts
| Subject | Likes | Posted |
|---|---|---|
| 1 Like | 05-17-2022 02:28 PM | |
| 3 Likes | 05-22-2022 03:04 PM | |
| 3 Likes | 05-22-2022 11:52 AM |
User Badges
Community Statistics
| Member Since | 04-16-2022 10:08 AM |
| Date Last Visited | 05-24-2022 05:12 PM |
| Posts | 7 |
| Total Likes Received | 7 |
05-22-2022
03:04 PM
3 Kudos
@BPry Good example of where the blocking based on service might not always apply. Yea, I dont think in the outbound direction, I would be concerned as much. It would be more of less "untrusted" zone to a more "trusted" zone that would seem to make more sense as you mentioned.
... View more
05-22-2022
11:52 AM
3 Kudos
The below mentioned line brings up an interesting notion though... "When a policy is created to block a specific application, the only way for the firewall to find out which application is used in a specific session, is to let packets tricke through and a session to be established. Once the session has been established, the firewall will be able to identify an application based on the payload of the packets and how the session behaves" PA documentation seems to always recommends to configure policies based on "application" rather than service port. This makes sense for an "allow" rule because you want to make sure the traffic is legitimately the application that should be allowed through and not just simply "other" traffic that is using the same port as legitimate traffic. But it would seem that in the case of a "blocking" rule, it would seem best to block on port rather than application with a drop action as the syn packet would be blocked immediately vs allowing some packets to trickle in to determine the application with say a deny action? The rule based on application/deny is effectively potentially allowing a single or few packet based attack. Take an example of blocking ssh to a server. It would seem better to create a rule to match on port 22 with action of drop vs a rule that matches based on application=SSH and especially set to a deny action. However, even an application=ssh and an action of drop would still seem vulnerable in that the firewall will have to allow some packets through to determine its the SSH application.
... View more
05-17-2022
02:28 PM
1 Kudo
Yes I’m talking about that whole paragraph…DIA links can fail over to an MPLS link, but you may not have an MPLS link. DIA links must be able to fail over to another link that has a direct path or indirect path (through a hub or branch) to the internet; the DIA traffic can take any pathavailable to get to the internet and isn’t restricted to DIA. DIA AnyPath supports a DIA link failing over to a private VPN tunnel going to a hub firewall to then reach the internet. This makes it sound as if your DIA links are down, and you don’t have other links such as MPLS, then you can use private vpns to reach the internet as if they are these separate entities. Now if they are simply saying that with sdwan, that Internet traffic doesn’t HAVE to route out the local DIA and can route over the sdwan created vpn tunnels over any medium (mpls, DF, P2P, etc), then that’s just bad writing. That is also misleading and a little overselling as “unique specific feature” because that is the basic premise of SDWAN of routing traffic over different types of links based on different variables. That would be like saying there is another feature called “Dropbox Anypath” that can route Dropbox traffic over various links. Again, that’s just the whole premise of SDWAN and not really a unique sdwan feature. Just wanted to make sure that I wasn’t messing something but if it’s just bad wording, then it is what is.
... View more
05-17-2022
11:35 AM
Right but in that same doc, it says to fail over not using MPLS but rather vpn. That is my whole question that the doc seems counterintuitive. If you have a vpn up, then you have a DIA. They aren’t mutually exclusive. So why would ever fail over to a vpn for Internet if the very fact that you have vpn means you have local internet. Now if it said fail over to mpls or direct link like you mentioned, then this would totally make sense.
... View more
05-17-2022
05:20 AM
That was one of the docs I was referring to in my question. Again, it mentions that if your local DIA is down, then you can fail over to a vpn link. Again though, if your local ISP is down, then your vpn (that uses your local ISP) is down as well.
... View more
05-16-2022
05:52 AM
Im still trying to get a grasp of the concept of SDWAN - DIA anypath. The components and configuration are pretty straight forward but the "why/when" is not making sense. The main scenario that's proposed is "when you want to fail over to using the internet at another site (over the vpn) when local DIA is not available." Again, I must be missing something obvious here but when your local internet is down, the vpn is most likely down as well. You cant fail over to the vpn. I can understand some of the other scenarios mentioned such as having some bandwidth heavy applications go out local internet while having some applications go out the hub internet for extra inspection/visibility.
... View more
04-16-2022
12:22 PM
Im really new to Prisma Access as I am still learning. From what I gathered so far though, the use cases seem to be very niche if Im understanding correctly. Much of Prisma Access advantages seems to be in gaining standard PA features/security while maintaining minimal Internet latency based on the users location. Please help me if my assumptions/understanding below are incorrect and/or if there are some instances where I may not be considering. Cases where Prisma Access doesnt seem to be a fit Scenario1 A customer with a single main site/DC and any number of remote users that all typically reside in close proximity (500 miles) of the main site/DC. Remote users can vpn back into the main DC and maintain the same features provided by the main PAs at the main site. I wouldnt think it would make sense to deploy Prisma Access in this situation because all users in this instance would have the standard features provided by the main site PAs and with most remote users being relatively close, there arent any latency gains. Scearnio2 A customer with several main sites/DCs and several branch sites spread throughout a single country. All sites are running PA firewalls for their WAN/Internet connectivity. Again, with running PA products at all sites, PA standards should be able to be met. Panorama should be able to maintain a standard for all configurations. Assuming DCs arent extremely large distances between each other witinh the country, again, the latency you might gain by a local Prisma Access instance doesnt seem to really warrant its need. Possible Cases for Prisma Access Scenario1 A multinational customer with offices spread throughout the world with DCs in only specific strategic locations. Remote users and/or branches may be spread in far distances from the DCs. In this case, I can see the value in Prisma Access as you dont want remote users in Japan for instance VPNing all the way back to the UK. This Prisma Access could provide the same standard PA features/security whole not causing excessive delay from remote users say in Japan from having to remote all the way back to the UK. Scenario2 A customer operating within a single country with main sites, branches and remote users spread throughout the country. However, in this instance, they dont have PA firewalls at all these locations. Thus without PA firewalls at all locations, PA standards/security cant be maintained. Prisma Access would provide this set of standard access/policy. My main possible objection here is that that the branches are still going to need some form of router/firewall at these branch locations. So, yes theoretically, a company could go with a super low cost option for the local branches' router/firewall for internet and ipsec connectivity to Prisma, but would the cost of Prisma access for that branch basically be the cost to eventually to upgrade that branch with a small PA? Also, overall in regards to the "services" vpn from prisma access to your main site for remote and branch access to resources at your main site, the concern there is the latency with essentially the "double vpn". There is the vpn from the remote user/branch to Prisma Access and then the vpn from Prisma to your main site over the services connection. To me this would add considerable delay as with any other double vpn solution?
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
05-24-2022
05:12 PM
|
Latest Tags
No tags yet
LEGAL NOTICES
Copyright 2007 - 2023 - Palo Alto Networks