This website uses cookies essential to its operation, for analytics, and for personalized content. By continuing to browse this site, you acknowledge the use of cookies.
For details on cookie usage on our site, read our Privacy Policy
For details on cookie usage on our site, read our Privacy Policy
About LouisScaringella
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- LIVEcommunity
- About LouisScaringella
09-13-2023
16Posts
3Likes
1Solution
Sep 13, 2023Last Visited
User
Activity
User
Profile
Latest posts by LouisScaringella
| Subject | Views | Posted |
|---|---|---|
| 2637 | 02-04-2020 01:17 PM | |
| 2655 | 02-04-2020 12:39 AM | |
| 1829 | 09-06-2019 02:31 PM | |
| 1857 | 09-06-2019 09:29 AM | |
| 2792 | 09-30-2014 02:12 PM | |
| 2941 | 09-30-2014 01:25 PM | |
| 3049 | 09-30-2014 11:50 AM | |
| 2260 | 03-13-2014 07:28 AM | |
| 2354 | 12-25-2013 10:00 AM | |
| 1610 | 11-01-2013 08:57 PM |
My Liked Posts
| Subject | Likes | Posted |
|---|---|---|
| 1 Like | 02-04-2020 12:39 AM | |
| 1 Like | 02-04-2020 01:17 PM | |
| 1 Like | 09-16-2013 10:19 AM |
User Badges
Community Statistics
| Member Since | 06-21-2013 04:50 AM |
| Date Last Visited | 09-13-2023 04:10 PM |
| Posts | 16 |
| Total Likes Received | 3 |
02-04-2020
01:17 PM
1 Kudo
In my case, this was a result of a Zone Protection Profile applied to my "untrust' zone which included both ISP interfaces. It was dropping the ICMP replies due to strict IP check. I disabled this and now everything works as expected.
... View more
02-04-2020
12:39 AM
1 Kudo
Thanks for your post. I am seeing the exact same behavior both in 8.1.12 and now 9.0.6 on a PA-220. My workaround, not sure why this works, was to add another static route on my primary ISP interface for 1.1.1.1/32 with a next hop of the ISP gateway. When I test this, the route monitor seems to be up now. Without this additional route, it stays in a down state even when the interface is back up and functioning. I've tested this before, used in production with clients, and I feel like this is something that was broken and has remained broken for some time now somewhere beginning the in 8.1.x code and above.
... View more
09-06-2019
02:31 PM
4. Sometimes when using the Rule Enrichment feature and importing policies, it fails to import the policies into the project. The fix was to delete and recreate the project and remove all the configs.
... View more
09-06-2019
09:29 AM
I'm sorry to complain, but there are a number of issues i've found with this software. I've allocated ample resources to the VM.
1. The UI is really laggy, unresponsive, and the filter window often doesn't rspond to being closed.
2. It is not auto processing CSV files and deleting them as it is configured.
3. The API generation creates invalid calls for address objects.
... View more
09-30-2014
02:12 PM
No, I don't have an active link. I received an email from a colleague who had previously emailed someone from Palo Alto who sent it to him. I have a feeling it is revoked as well.
... View more
09-30-2014
01:25 PM
I did not mean using the Palo Alto VM as a proxy, but apparently Palo Alto had created a VM based upon Ubuntu and Squid which was used as a proxy server. There is a TechNote called "YouTube for Schools-TechNotes-RevF" that describes this VM. I have a feeling it is no longer supported or used.
... View more
09-30-2014
11:50 AM
I have a Tech Note for the YouTube for Schools and Google, Bing, and Yahoo SafeSearch. However, I cannot seem to find the VM for the proxy server that Palo Alto has created. Is there a link for this somewhere?
... View more
Labels:
- Labels:
-
Configuration
-
Content-ID
-
Management
-
Networking
03-13-2014
07:28 AM
No, I did not have tunnel monitor enabled on this. I know it was an odd question, but I was just curious as to what the cause was since no traffic was flowing. I think it had to do with the other end using keepalives or DPD on the Palo Alto.
... View more
12-25-2013
10:00 AM
Hello, I have a VPN tunnel between a Palo Alto and a Juniper SSG. Even when there is no traffic from the end devices coming through, the VPN tunnel somehow stays up. I would expect the IKE and IPSEC SA's to time out and stay down until traffic is passed. However, the IPsec tunnel stays up. It seems that the Palo Alto is initiating the connection even though I know no traffic is coming through it for the VPN to become active. I see in the logs that the Palo is the initiator and it brings up the tunnel consistently after about an hour which is when the IPsec SA expires (lifetime is 1 hour). Any ideas why this happens? On other tunnels I have this does not happen the tunnel stays down when inactive. I have noticed that those other tunnels are terminating to Cisco ASAs and not a SSG as is the case with the one I was referring to above. I am really curious why this happens. I even disabled dead peer detection to test and it made no difference. I do not see a setting in the Palo that would enable/disable this. Thanks, -Louis
... View more
11-01-2013
08:57 PM
Hello, I had a quick question about destination NATing to an address not in the same subnet as an interface on the Palo Alto. For example, let's say I have a site-to-site VPN and I am using destination NAT on one side of the tunnel. When traffic comes from one side of the tunnel to the other, destination NAT is performed. One side uses 10.124.4.50/24 as its destination. The firewall on the other side then uses destination NAT to translate this traffic to 10.1.1.50/24. I have seen articles on the Palo website that say you must have a route for this NAT address or have an interface with an IP in that subnet assigned. I have done destination NAT a number of times to public address spaces to a subnet that did not physically belong to an interface on the Palo. For example, the public address of the Palo is 209.209.209.209 and I am destination NATing a server from 207.207.207.207 to 192.168.50.250. In these cases, I never created a route manually for the before-NAT address/subnet. Is this something that has changed with recent PAN-OS codes? I ask because I came across a situation similar to what I described above with a VPN tunnel. The other side of the tunnel needed a route for the subnet they were NATing to/from in order for the policy to work. I never had to do this in the cases I have seen, so I am curious why. Any ideas?
... View more
- Tags:
- nat
09-16-2013
11:16 AM
Thank you. I figured out the issue just now. I had to add the sAMAccountName value for Login Attribute under the LDAP Authentication Profile.
... View more
09-16-2013
10:19 AM
1 Kudo
Thank you for your time. I have a lab setup with a PA-500 and a Windows 2008 server with Active Directory. I have a single user in the trust zone on the Palo and I am trying to get Captive portal working for User-ID mappings of unknown users. I have my LDAP server profile and I have my user/group mappings working just fine with that, however, when I attempt to use the LDAP authentication profile in Device>User Identification>Captive Portal Settings which references that LDAP server profile, authentication fails. The user does get redirected to the web form and I put the credentials in and it fails to authenticate. When I do a packet capture on the Windows server, I see the LDAP bind request and it is successful. It then appears to be searching the directory and shows a success with 0 results. I am not too familiar with the inner workings of LDAP. Any ideas as to why authentication fails? I know I am entering in the correct username and password because I can login to the test domain I have setup on the host laptop. Does the username have to be in a certain format? I am not user SSL with LDAP in this scenario.
... View more
Labels:
- Labels:
-
Configuration
-
Set Up
-
Troubleshooting
-
User-ID
09-09-2013
01:07 PM
Is it possible to have HA successfully setup between two different platforms? In my case I have a customer with a 5020 and a 5050. I know the documentation states that it must be the same platform, but was curious if anyone has ever tried doing this. Thank you, -Louis
... View more
Labels:
- Labels:
-
Configuration
-
Management
-
Networking
09-09-2013
07:42 AM
I understand that both firewalls should have the same feature licensing for proper failover, but has anyone implemented HA successfully using two different models? 5050 and 5020 for example? I know in the documentation it states both models must be the same.
... View more
- Tags:
- ha
Labels:
- Labels:
-
Configuration
-
Networking
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
09-13-2023
04:10 PM
|
Latest Tags
No tags yet
LEGAL NOTICES
Copyright 2007 - 2023 - Palo Alto Networks