Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Live
- ›
- About Poe
About Poe
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
08-18-2015
7Posts
4Likes
0Solutions
Aug 18, 2015Last Visited
User
Activity
User
Profile
Latest posts by Poe
| Subject | Views | Posted |
|---|---|---|
| 1322 | 08-24-2013 09:06 AM | |
| 1400 | 08-23-2013 07:38 AM | |
| 838 | 08-23-2013 07:16 AM | |
| 976 | 08-23-2013 06:48 AM | |
| 976 | 08-22-2013 09:21 AM |
My Liked Posts
| Subject | Likes | Posted |
|---|---|---|
| 1 | 08-22-2013 09:21 AM | |
| 1 | 08-23-2013 06:48 AM | |
| 1 | 08-23-2013 07:16 AM | |
| 1 | 08-22-2013 06:58 AM |
User Badges
Public Statistics
| Date Registered | 06-22-2013 01:57 PM |
| Date Last Visited | 08-18-2015 09:07 AM |
| Total Messages Posted | 7 |
| Total Likes Received | 4 |
08-24-2013
09:06 AM
Thanks for the reply. Last time I tried this, force template values overwrites existing configurations, but this only works for overridden configuration. For instance if I have a new device the default admin account will be present and if I have 3 administrator accounts in my template, if I override one of the template admin accounts and change his role on the local device. When I force the value it will overwrite the role change on the template admin account but it would not remove the Default admin account. I want to be able to delete the default admin account without having to prep the device before applying the template. In the switch world I would delete the startup-config and reboot the device and start with a clean slate. I wonder if I can do the same for PAN-OS or if it will brick something or revert back to the default config.
... View more
08-23-2013
07:38 AM
I am in the process of building out my Device Groups and Templates to standardize configurations across all sites. Our sites are standardized in a way that we can actually apply device configurations across multiple sites. After the base templates are applied all I need to do is apply the site specific data such as their local subnets and up addresses. My goal is to standardize configurations and reduce configuration time for rapid deployment. However, when trying to achieve this goal I ran into an issue with the base configurations of the PAN devices. Out of the box the device is setup for a vwire with trust and untrust zones setup. This causes a conflict with Panorama. When I go to deploy my template configurations, it errors because the vwire and the trust/untrust zones are being referenced and the Template cannot overwrite those settings, even with a force. My current solution to the issue was to go into the device and remove the conflicting configurations. Effectively removing all existing configurations from the device to allow the template a fresh start. Originally I was doing this from the GUI, but got lazy and now have a notepad with all the commands I just run from CLI. Attached are the commands that need to be run: delete rulebase security rules rule1 delete network virtual-wire default-vwire delete zone trust delete zone untrust delete network interface ethernet ethernet1/1 virtual-wire delete network interface ethernet ethernet1/2 virtual-wire delete network interface ethernet ethernet1/1 delete network interface ethernet ethernet1/2 delete network virtual-router default delete network ike crypto-profiles ike-crypto-profiles default delete network ike crypto-profiles ipsec-crypto-profiles default Is there a better way to get around this? Forcing the template won't work because unless the device settings directly conflict with the Panorama settings they will coincide. IE: Panorama will only overwrite on force, not delete.
... View more
Labels:
- Labels:
-
Configuration
-
Panorama
-
Set Up
08-23-2013
07:16 AM
1 Kudo
Hey jwolach, Let's assume that you have a file that is 75% public data and 25% sensitive data. Now lets assume that the first half of the document is public data and the last half is where the sensitive data is. If the data stream is being scanned as the file is being transferred, the packets will continue to flow until PAN detects the sensitive data. Once the signature match is detected, the stream is reset. The file will stop being transferred. This would be akin to downloading a word doc from the web and then stopping the download halfway and trying to open the document. At this point, the file would be "corrupt" and your application would throw an error and prevent you from opening it. However, if you really wanted to gain access to the downloaded data, you would theoretically have all the packets that were transferred. However, the sensitive information was blocked by the PAN OS. So in the end you would have a document that was 50% transferred, and if you did reconstruct the data to make it readable then you would have the 50% of the public data. The sensitive information was never streamed due to the PAN OS detecting it and dropping the connection. So the data you want to remain private, stays private. So in the end, they may get part of the document, but all information after the first signature match will be excluded from the document.
... View more
08-23-2013
06:48 AM
1 Kudo
Panorama Administrator's Guide 5.1 I would check out the new Panorama administrators guide, it is pretty handy. I'm not sure if it covers this change, but I will take a stab at guessing how this needs to be done. (Its been a while since I setup Panorama). If you add the additional disk space into VMWare guest and reboot panorama, PAN should detect the new space and you should be able to see that reflected under Panorama > Setup > Management > Logging and Reporting Settings. Total space should have increased. You can then set the quotas for each log type. I would guess that the information you want is under the Traffic logs, or Traffic Summaries. I would not increase the max rows in the UAR as that just appears to be how many lines the systems will output, not how much data it will retain. The max rows of 65535 is the limit to CSV type applications, so increasing this number may prevent you from opening these documents. If for some reason you don't have enough local space you can change to a NFS system. To do this go to Panorama > Setup > Operations > Storage Partition Setup (Bottom right on the Miscellaneous section). Hopefully that helps you solve your problem.
... View more
08-22-2013
09:21 AM
1 Kudo
Make sure you check that there is enough disk space allocated to the Log Files. This is located in the same place that emr provided. Panorama > Setup > Management > Logging and Reporting Settings. If you don't have enough disk space, it will cause logs to be overwritten. So it may not be possible for you to retain 30 days of user activity reports. You could also try running the report from the firewall instead of Panorama. Since the firewall is only recording its own data, the data you are after may still be there as it hasn't needed to overwrite that data yet. If this does work, look at expanding your Panorama log space, or ensure that the firewall is sending its logs to Panorama.
... View more
08-22-2013
08:56 AM
Is it possible to install a TFTP client on your local system and then use "tftp export ..." to export the running configuration file? You may want to view this to ensure your running config is the config you want. I have a PA-200 I am building for a site now, and the light for status is off during bootup, then shows orange, then goes green. Under the State for "show management-clients" it shows "P2-Ok" and a progress of 100 on most of the items that show as init for you. The last time I had an issue with a box not responding to management interface it was an RMA after support could not fix the issue.
... View more
08-22-2013
06:58 AM
1 Kudo
The "Monitor Traffic" log only shows traffic that has been allowed or denied by a security policy. By default traffic within a zone is allowed, but not monitored unless you create a rule to monitor this traffic. Traffic between zones is blocked by default, but will not display that the traffic is denied. So if you are expecting to see traffic in the "Monitor Traffic" log, make sure that you have a security policy that is processing the traffic. Then it will show up. If you already have the rules in place, and are still not seeing traffic. It is probably because your MAPI traffic is not making it to the firewall, or that your security rule isn't specifying that type of traffic, but is allowing the tracert through. If you don't have the rule, and cannot create it to test. Then I would setup a packet capture. You can see dropped packets from there to see if your firewall is dropping the MAPI traffic, or if the traffic is making it to the firewall at all. If MAPI is not making it to the firewall, consider the following. Typically, Exchange will have multiple networks, especially if setup as a DAG. Each network is assigned for certain purposes. You need to make sure that the network or NIC that MAPI traffic is connected end to end. When you run your tracert, it may be flowing across the primary NIC and routing as expected. However, when you start your migration, it may be using another NIC for MAPI traffic. That NIC may not be connected, or routing accordingly. On a windows environment you can use "route print" from command prompt to see the route tables. You will need to log into the Exchange Management console to verify the Network settings for MAPI traffic.
... View more
Latest Blogs
Latest Posts
Copyright 2007 - 2021 - Palo Alto Networks
