This website uses cookies essential to its operation, for analytics, and for personalized content. By continuing to browse this site, you acknowledge the use of cookies.
For details on cookie usage on our site, read our Privacy Policy
For details on cookie usage on our site, read our Privacy Policy
About kblackstone
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- LIVEcommunity
- About kblackstone
08-27-2019
18Posts
5Likes
2Solutions
Aug 27, 2019Last Visited
User
Activity
User
Profile
Latest posts by kblackstone
| Subject | Views | Posted |
|---|---|---|
| 10833 | 06-12-2018 07:22 AM | |
| 4344 | 04-25-2018 11:11 AM | |
| 4351 | 04-20-2018 06:58 PM | |
| 4550 | 04-20-2018 06:17 AM | |
| 4236 | 02-07-2018 07:00 AM | |
| 4382 | 02-07-2018 06:49 AM | |
| 5207 | 12-11-2017 05:20 PM | |
| 14229 | 12-11-2017 05:05 PM | |
| 3559 | 11-28-2017 06:39 AM | |
| 14272 | 10-23-2017 10:34 AM |
My Liked Posts
| Subject | Likes | Posted |
|---|---|---|
| 2 Likes | 06-12-2018 07:22 AM | |
| 1 Like | 12-11-2017 05:20 PM | |
| 1 Like | 12-11-2017 05:05 PM | |
| 1 Like | 09-26-2017 05:43 AM |
User Badges
Community Statistics
| Member Since | 06-18-2013 07:49 AM |
| Date Last Visited | 08-27-2019 10:53 AM |
| Posts | 18 |
| Total Likes Received | 5 |
06-12-2018
07:22 AM
2 Kudos
I have an ARM template that will create this entire environment for you. It can be used as a great learning tool since it includes the UDRs and other pieces necessary to make traffic flow work, in addition to the firewall policy that you'll need as a starting point. https://github.com/kblackstone/Dev/tree/master/Standard-SKU-LB-Sandwich This will eventually be moved to the corporate github, but in the meantime feel free to use. It might help answer your questions and allow you to see the pieces working together. -kb
... View more
04-25-2018
11:11 AM
The network interfaces I would add to the bootstrap.xml file. The VR configuration I would let Panorama push, along with the interface management piece if any load balancers are in play, and the larger security policy, etc..
... View more
04-20-2018
06:58 PM
The UDR is at the subnet level, so all firewalls put into those subnets would behave the same from the routing perspective if they have the same policy and virtual router configuration. I would bootstrap to get the interfaces up and in dhcp mode for both untrust and trust, and possibly the virtual router setup. Then let Panorama push down the policy and other information when the vm registers itself. The way bootstrapping works within Azure, you could have multiple bootstrapping configuration options available behind different shares on the same disk.
... View more
04-20-2018
06:17 AM
There are 2 options here when you want to service multiple ips on a load balancer: 1) add additional ips to the firewall interface from within the azure portal AND you will have to switch to static on the firewall and manually add the first + additional ips that you want to service (they'll match the ips on the azure portal). dhcp only picks up the first address from the azure side in my experience (this may have changed so please double check). #1 isn't the best option for ease of management 2) on the load balancer, enable floating ip on the rule and you will see the ip requested by the user come through to the firewall (even when having multiple front-side ips on the load balancer). you can then create corresponding nat and security rules based on that. using this method you can stay with dhcp on the firewall and do not need to add additional virtual ips from the azure portal side, nor on the firewall itself. #2 is the better way to go.
... View more
02-07-2018
07:00 AM
Which one specifically? There are multiple ARM templates in those directories.
... View more
02-07-2018
06:49 AM
Which of the templates did you use?
... View more
12-11-2017
05:20 PM
1 Kudo
Each Load Balancer rule has session affinity settings: none, client ip, client ip and protocol, which keeps the sessions going to the same back-end resource and symmetric. This link might shed some light: https://docs.microsoft.com/en-us/azure/load-balancer/load-balancer-distribution-mode -kb
... View more
12-11-2017
05:05 PM
1 Kudo
HI junior_r, There are a few options when it comes to setting up the outbound probe but the most common that I have seen is to probe to port 22 on the firewall and enable the related interface management profile (for ssh) on the interface that will receive the traffic first. You may need to add the route to support return traffic to the probe source ip address: 168.63 .129.16. Alternitavely, you can probe to port 80 or 443 and write a NAT rule that sends traffic from 168.63.129.16 on the appropriate zone out to 8.8.8.8 on the Internet, or some other website that you wish to verify connectivity against. Leverage destination NAT to accomplish this. -kb
... View more
11-28-2017
06:39 AM
Hi eosminer, The VM Series supports packet captures natively within the operating system: Here is a link to more detailed information about how to run packet captures from the console or ui: https://live.paloaltonetworks.com/t5/Learning-Articles/How-to-Run-a-Packet-Capture/ta-p/62390 -kb
... View more
10-23-2017
10:34 AM
Yes, enable floating ip for your outbound rules so the destination remains true as requested.
... View more
09-26-2017
05:43 AM
1 Kudo
Hi Anish, I took at look at the Ansible modules we have and do not see interface management as a currently supported option. Please see: http://panwansible.readthedocs.io/en/latest/index.html for a list of the modules, syntax and examples. Disclaimer: it seems some of the syntax may need updating. Thank you. -kb
... View more
09-16-2017
12:47 PM
Anish123, Please check here: https://github.com/PaloAltoNetworks/ansible-pan https://github.com/PaloAltoNetworks/ansible-playbooks
... View more
- Tags:
- ansible
09-14-2017
07:59 AM
You can use any virtual machine with at least 3 interfaces (max 😎 provided the virtual machine meets the minimum requirements: https://www.paloaltonetworks.com/documentation/80/virtualization/virtualization/about-the-vm-series-firewall/vm-series-models#_95869 Once deployed, you can change virtual machine size by shutting it down and selecting a new size.
... View more
09-04-2017
07:32 AM
Hi Amarash, have you created all of the necessary load balancing rules, probes, etc.? It might be worth contacting your Palo Alto Networks sales team who may be able to assist and get you up and running. You need: Front Side IP Address Backend Pool Health Probe Load Balancing Rules Corresponding port open on the firewall or wherever your health probe is going to Corresponding security rules to allow the health probe to pass The correct routes on your VM Series to account for the health probe(s)
... View more
08-30-2017
05:54 AM
Hi Amaresh, there are 2 ways you can do this: 1. Create a NAT policy that doesn't filter for inbound port so that you can account for both RDP (3389) and 443 coming into the same host. Then rely on your security policy to allow only the applications/ports you wish. 2. Create 2 separate NAT policies, one that filters specifically for port 3389 and one that filters for 443. I've provided an example below of #1 You will also need a corresponding Security Policy with the source zone of Untrust and the Destination zone of Trust, for the appropriate applictions that you want to allow access to. The Destination IP would be 10.0.1.4 in this case. You can leave the destionation IP set to any if you prefer to see the destination IP show up in the traffic log, and adjust the Security Policy after the fact.
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
08-27-2019
10:53 AM
|
Latest Tags
No tags yet
LEGAL NOTICES
Copyright 2007 - 2023 - Palo Alto Networks