About JRussell

JRussell · ‎12-18-2015

Any suggestions from the table? Or do I take it from the silence that others don't have a hard and fast rule for dealing with informational threats?

JRussell · ‎12-17-2015

Yes. They are both "informational" threats. Just wanting to see how others treat these? Do you not bother with them at all and allow them all through? Or do you reset them? Or only in high risk (finance) pcs?

JRussell · ‎12-16-2015

Just wanted to gauge what others are doing with regards to this particular vulnerability if anything. Historically this has been set to reset-both on this vulnerability. Which, by and large doesn't seem to cause that much of a problem on most sites, but I suppose the question I was asking is, is this something I should be blocking/resetting, or just logging instances for this and it is something I can allow through? And I suppose the same goes for other "informational" vulnerabilities. How are others dealing with these?

JRussell · ‎11-24-2015

Hi there, I have recently started wanting to setup using some Dynamic block lists in my PA box. I just wondered if others use these and if so, which sites do they use? I was inially looking at using these 2. www.spamhaus.org www.openbl.org Any others that you would suggest? Or even, if you have reason to not use the above 2 I would love to hear it. Thanks

JRussell · ‎12-08-2014

Thanks Sai, I have logged it with me SE for this feature request. Hopefully it will be done in the near future.

JRussell · ‎12-05-2014

Hi, I wanted to know if this was possible? We currently have an issue with 1 of our online services and it turns out to be a routing issue between Virgin and BT. The server seems to create 2 connections and when it is one the first connection it is fine, but the 2nd connection just grinds uploads to a snails pace. We found that if we proxy through a German server this company set up for us we can get the service perfectly fine. I wondered if it was possible to get PA to do this just for this one specific URL?

JRussell · ‎11-28-2014

Thanks for coming back DZ We use WSUS to deliver any MS updates/installs that we do. So hopefully it will help protect us to a degree. It is just strange that there is not a lot of noise being kicked up about this by AV companies.

JRussell · ‎11-28-2014

Anyone have any further information on this? It seems a few people would be interested in knowing.

JRussell · ‎11-27-2014

I am not sure about making a report to show you those unused rules. But as an administration task, once a year, I will go into the rules. Tick "Highlight unused rules" , select them all and then move them all to the bottom underneath my "drop all" rule. That will then show all your unused rules in one easy to see location. I am assuming this is the reason the customer wants such a report? You could then also export the rules as a CSV file to see all the rules in question. In case you wanted something printable.

JRussell · ‎11-27-2014

Thanks for the link. Although I am getting " Access to this place or content is restricted" Could you provide a working link please? Thanks, James

JRussell · ‎11-26-2014

Hi All, I understand that this bit of spyware is not well understood as to it's ultimate purpose, very hard to detect and in fact, with the media converge it has had recently I am sure whoever coded this nasty has since changed it's code/behavior. But my question is, does or is PA able to detect any such traffic from this malicious code given that it has taken the "Security experts" years to come back with their prognosis on the code in the first place. Or is this one of those things that we just have to pray to the IT deities that we never fall under the gaze of someone who is wielding such a powerful bit of spyware?

JRussell · ‎08-11-2014

Thanks for your assistance on this one guys. But in the end I managed to resolve the issue and ti was nothing to do with the PA box. For some reason the Pfsense firewall on the other side didn't like me setting the Wifi interface as the WAN interface. Worked fine once I set the wifi connector to another interface.

JRussell · ‎08-06-2014

Sorry, I thought having a static route with the next hop being the wifi NIC on the other end would be my valid return route? Or am I missing something there. I am just in the middle of trying to put the config back to how it was as I was playing with the setup yesterday, once I have it how it was I will try those commands you suggested to get the session traffic

JRussell · ‎08-05-2014

Hi there, I am trying to deploy a network that is connected directly to my PA box over a wifi connector and I am hitting some stumbling blocks. I wondered if someone might be able to offer any advise. The scenoria is this. I have an office that is connected to my office via a wifi transmitter. These wifi use the 172.16.5.x range. There is to be a firewall on the other end of this connection for the wifi to plug into (pfsense). On the Firewall on the other end I have 2 interfaces. A Lan and the wifi connector (it has an address on the wifi range). I have set the wifi up as the WAN interface and it's gateway as the wifi interface IP on the PA box. Traffic between those 2 seems to flow ok. Now, the Local LAN. If I setup a NAT rule on the PA box, or in this case incorporate it into an existing rule, that says all traffic from the LAN within my PA network goes out through our external IP (which is an interface on the PA box). That works fine for my local LAN that is attached directly to the PA network. But for this other office, when I try that the traffic shows and shows as allowed out, but always incomplete. I also tried setting up a static route on the Virtual router pointing to the wifi WAN card on the pfsense box as it's next hop, but still traffic shows incomplete and I never get any pages appear on the other end (apart from local DNS traffic, I have a DNS forwarder for my domain pointing to my domain controller and all DNS requests within my domain work ok via that) I have a policy based re-direct for internal LAN that says if going to that wificonnected office, then go over the wifi transmitter. That allows me to get onto it from where I am sitting. The ideal scenario would be that the network on this wifi connected office is an extention of the private LAN network (10.10.0.0/16) that I have in my main office. But if on the pfsense side I try tell it to use 10.10.1.3 (which is what all the LAN pc's within the main office use) as it's gateway, which I have to then set the LAN on the other side as /16 to allow this, I think lose connection with the firewall. If I try a completely separate network range then all traffic appears to come from the wifi connector on the wifi connected offices WAN card and again, traffic shows as incomplete. I know this is not strictly a PA issue, but if anyone could offer any suggestions it would be appreciated.

JRussell · ‎08-01-2014

Thanks for the replies. We have problems with the PAN box before I restart the management server. After that it is fine. I get that I would have to reconnect after a restart of it. It was just previously I have never seen that error before (the connection reset one). It usually takes a few minutes and then boots me out of CLI. We are still running 5.0.8 OS. Due to problems we had with V6 and booking in the time to do the upgrade out of hours to diagnose said problem. I will check to see that the process is not running into the man plane and will let you know. It is just odd that the PAN box behaves eratticly ( multiple fails on commit, slowness etc) and then you do the reset and it is ok... for a while, could be a day, could be a week. But at the moment at least, it always seems to re-occur eventually.

JRussell · ‎07-31-2014

My PA 2020 box has been a bit slow of late, and it also has failed on 2 commits so I thought I would drop onto CLI and do a debug software restart management-server as this would usually pick things up when I have had the problem in the past. But when I do this command I get the following Process 'mgmtsrvr' executing RESTART Jul 31 12:06:35 Error: pan_read_full(comm_utils.c:97): srvr: fatal recv error. sock=3 err=Connection reset by peer (131) I wondered if anyone could suggest to me as to why this would be happening and if there is any way to get around it. I did this same command last week and got the same error, but when it let me back into the web interface the commits then started going through ok. And then it is ok for a while. Incidentally, the error I was getting on the commit fails was Management server failed to send phase 1 abort to client logrcvr Management server failed to send phase 1 abort to client sslvpn Management server failed to send phase 1 to client websrvr Management server failed to send phase 1 abort to client websrvr Management server failed to send phase 1 abort to client sslmgr

JRussell · ‎06-24-2014

There were no zones set. Let me try changing it so that the Source zones are different from the destination zone and see how that works.

JRussell · ‎06-24-2014

You are correct sir. I have 2 NAT rules for this server 1 that says all external traffic going to a particular IP (the one that the A record points to on our ISP DNS), using port 49610( which I have created as a service for this app) gets destination address translated to the server internal IP on port 443. 2nd rule which says all internal traffic on that service/port and that server, gets destination address translated to the server internal IP and 443. This is because when that server sends out links to the files within, it adds that 49610 port, and the rule was made in mind with making the links work both externally and internally without having to get internal people to remove the port.

JRussell · ‎06-24-2014

Somehow through doing all those troubleshooting guides and mucking around with the firewall settings on the other end I managed to get it up and running. Thanks all for your suggestions!

JRussell · ‎06-24-2014

I have a Esxi Server with a particular VM machine on it. If I reboot that machine it does not give it the configured IP address that I have set it for. If I try go in and manually tell it to use the IP address it is assigned it tells me that this IP address is already in use. If I go and change the Object IP address in Palo Alto Firewall then it allows me to set this IP address. I can then set the Object IP back after the VM has taken that IP which will then get all the NAT and security rules working but it is annoying that every time we reboot that VM it seems to happen. I have tried putting in a static ARP entry for this, but still no joy. Any suggestions?

JRussell · ‎06-23-2014

Thanks Kunal, I will give that a read. But just looking at that command. Won't that give me all phase 2 negotiations? I ask because that will give me an absolute tone of data returned as we have about 40 sites, all with 3 tunnels on them. Is there any way to refine those Ike debug to only show the one site and it's tunnels?

JRussell · ‎06-20-2014

Hi there, I have a unique linux firewall box (that connects back to PA via Ipsec tunnels) on one of my sites. It is unique in the fact it requires 5 NIC's for the networks there. It only uses 3 phase 2 Ipsec tunnels which is the same on all my sites, but I have noticed some issues. Namely that some of the time only 2 out of 3 tunnels come up. Sometimes all 3 come up, sometimes only 2. Fortunately the Main LAN always comes up, so users are not affected. Phase 1 tunnel comes up fine every time. So I am trying to build a replacement box to test (as well as a backup in case the live one goes down), but when I boot the box up I get the Phase 1 come up fine. Then the main LAN Ipsec tunnel comes up. But for some reason it takes a very long time for that 2nd one to come up. The original box was built by my predecessor and he left no documentation as to how he built this box. I realize that this isn't necessarily a Palo problem, but it connects back to my PA firewall and all my other boxes of the same build are connecting without issue. Any suggestions would be greatly appreciated. Is there perhaps some way I can monitor the Phase 2 portions of the Ipsec so that I can see what is happening? Apart from the system logs is there anywhere I can look to try help me identify the issue?

JRussell · ‎02-13-2014

Hi there, Like most people I know, everyone has at least 1 windows xp computer on their network. Due to the nature of our business we have a few (some due to legacy apps). But my question is that, come April and Microsoft's cut off point for support, will having one of these operating sytems behind a Palo Alto firewall that has Anti-virus and threat&app detection be enough? Obviously all the systems are running anti-virus. But if the media is to be believed come April the only way a Windows XP computer will be safe from attack is it if was completely offline. Whereas I like to think, if the firewall is secure enough and the rules are tightly controlled as to what is allowed in and out, it should not be a problem. What are the communities thoughts on this?

JRussell · ‎12-11-2013

Thanks. That did it

JRussell · ‎12-11-2013

I have a problem that my PA 2020 firewall is not generating any new logs. I was on a remote session with an engineer yesterday for something unrelated and in the course of that call the logs stopped generating. It wasn't until today that I went and checked the logs for a problem I was trying to investigate did I notice the logs stopped generating around 1pm yesterday. Is there a command to turn the logs off/on? All my security rules are still set to log traffic.

JRussell · ‎12-06-2013

Hi there, We have a particular setup with our remote sites that I am currently having an issue with. On sites we use pfsense firewalls that have Ipsec tunnels setup to connect back to the PA system here at our main offices. This has all been fine up until we decided to upgrade some of our ADSL lines to Fibre. Now the issue is that when we put a pfsense box on fibre it only connects 2 out of the 3 phase 2 Ipsec tunnels. The setup is thus. The pfsense has just 1 main Phase 1 tunnel. That connects fine. Then it has 3 phase2 tunnels, Local LAN (Green), untrusted Lan (Orange) and external (Red). The external is to allow 3rd party suppliers to remote into the untrusted lan where their servers reside. I have the Ipsec tunnel setup on PA with Proxy ID's for all 3 tunnels. Static routes for all 3 under Static routes in Virtual Routers. The Red tunnel is what all the Green and Orange traffic get's NAT translated to as the address it uses is the the assigned Public IP for that site that we use. I have tried connecting the Pfsense firewall through a router as well as plugging he Fibre modem directly to the Pfsense box and letting it make the PPPOE connection. Same result in both scenorio's. You plug the same box into an ADSL connection and all 3 tunnels come up. Fibre and just the 2 x LAN connections come up. The Crypto is set to ESP as the Protocol, P2 transforms to AES (Auto), 3DES and the P2 Authentication Method is SHA1. I have also tried it on AH as the Protocol but the same result. Any suggestions?

JRussell · ‎11-13-2013

Thanks for that. Only problem is that if I do it for instance with your avi example it brings up all files that have avi in them too.. in this case mostly PDF's that have avi somewhere in the title.. and we have a lot of them. Is there no way to refine the search to just searching the file extensions?

JRussell · ‎11-11-2013

Hi there, I want to be able to do a custom report showing me who has been downloading certain file types (avi for instance) on my network. Or at least, how I would be able to interrogate the data filtering logs to be able to show me this? The file types in question are all set to Alert on the data filtering profiles we use, but I want to be able to see a run down of who has been downloading what exactly. Is this possible?

JRussell · ‎09-16-2013

But would the FQDM work with it is the Gotoassit client trying to communicate with a server, and not a name, therefore not giving me a name to resolve? And sorry, yes, SSL is enabled in that rule too.

JRussell · ‎09-16-2013

Hi There, We have a user that is trying to use Gotoassist support with one of our supplier companies. I have created a specific rule that allows for Citrix, web-browsing to the specific websites it needs and gotoassist application itself. However, when it gets to the last step in the connection proccess where it comes up and says "Connecte to GoToAssist Remote Support" that is when I have an issue. Looking at the traffic logs there is a blocked connection using application "Unknown-TCP" to an IP address that shows as Citrix server when i search for it. I have tried to add that IP address to be allowed but then the next time it tries it uses a different IP address. So I added that one and then it uses a different IP address. Anyway, my question is. Does anyone else have this issue and managed to get around it? If it is coming up as Unknown TCP and the server range is not static I am not sure how I can make a rule to allow for this without allowing a lot of other stuff being allowed I don't necessarily want to be allowed. Can anyone help with this?

Date Registered	‎09-14-2012 02:45 AM
Date Last Visited	‎12-21-2015 05:09 AM
Total Messages Posted	60
Total Likes Received	13

Online Status	Offline
Date Last Visited	‎12-21-2015 05:09 AM

Strata

Prisma

Cortex

About JRussell