This website uses cookies essential to its operation, for analytics, and for personalized content. By continuing to browse this site, you acknowledge the use of cookies.
For details on cookie usage on our site, read our Privacy Policy
For details on cookie usage on our site, read our Privacy Policy
About Huddlebuy
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- LIVEcommunity
- About Huddlebuy
05-18-2022
16Posts
5Likes
1Solution
May 18, 2022Last Visited
User
Activity
User
Profile
Latest posts by Huddlebuy
| Subject | Views | Posted |
|---|---|---|
| 11639 | 12-04-2018 04:35 AM | |
| 3027 | 12-03-2018 03:15 AM | |
| 3033 | 11-30-2018 10:14 AM | |
| 8390 | 11-19-2018 05:39 AM | |
| 8395 | 11-19-2018 05:13 AM | |
| 8603 | 11-19-2018 02:57 AM | |
| 11537 | 11-15-2018 01:54 AM | |
| 11547 | 11-14-2018 08:34 AM | |
| 1905 | 01-18-2016 06:29 PM | |
| 3830 | 12-08-2015 06:30 AM |
My Liked Posts
| Subject | Likes | Posted |
|---|---|---|
| 3 Likes | 12-04-2018 04:35 AM | |
| 1 Like | 12-08-2015 06:30 AM | |
| 1 Like | 09-14-2015 10:14 AM |
Posts I Liked
| Subject | Likes | Author | Latest Post |
|---|---|---|---|
| 1 Like | |||
| 1 Like | |||
| 1 Like | |||
| 2 Likes | |||
| 1 Like |
User Badges
Community Statistics
| Member Since | 07-30-2015 04:38 PM |
| Date Last Visited | 05-18-2022 06:29 AM |
| Posts | 16 |
| Total Likes Received | 5 |
12-04-2018
04:35 AM
3 Kudos
The issue was we were trying to seperate the 2 vpn tunnels in 2 seperate zone - which can make the pan think - packets are spoofed. Moving them to the same zone, did the trick Thanks for the help.
... View more
12-03-2018
03:15 AM
Hi Yeah that makes sense. Does the device priority need to be same on both devices? disabling Preemption ? Kind Regards
... View more
11-30-2018
10:14 AM
Hi We currently have 2 PA 500 which are currently configured for HA. But don't think its currently setup correctly. This is what I can find regarding as to what we want to achieve. Active passive with OSPF https://knowledgebase.paloaltonetworks.com/servlet/fileField?entityId=ka10g000000CyRYAA0&field=Attachment_1__Body__s But the above article doesn't really make sense, like on the widget display it says HA peer's IP used is 1.1.1.4 and 1.1.1.15. Kind Regards
... View more
11-19-2018
05:39 AM
thanks Jmeurer. I will try re-try this by moving to the same zone. Do you know or come across any step by step guide to the setting up process between the tunnels between on-prem palo and aws VPC's. Kind regards Anu
... View more
11-19-2018
05:13 AM
Thanks for the suggestion we will try that option as well. Also AWS suggested the below Entering configuration mode [edit] # set deviceconfig setting tcp asymmetric-path bypass # set deviceconfig setting session tcp-reject-non-syn no # commit We are quite hesitant to enable this gloabally, as this would also apply for non aws traffic. So enabled this via the zone protection profile - strickly for that zone.
... View more
11-19-2018
02:57 AM
Hi OMatlock We have a similar issue from or end, for some reason we can't enable both tunnels at the same time- as it creates asymmetric routing. For e.g if traffic is sent from one tunnel, the PAN will reject any traffic from the other tunnel. I see you have configured both tunnel interfaces to be part of the same zone. But we have used different zone, not sure if this is an issue too? - we had to enable ECMP- later knew its not supported by AWS Kind Regards Anu
... View more
11-15-2018
01:54 AM
Thanks JPerry, for taking the time to suggest the 2 options. Am fairly new to the aws world, so excuss me if i use the wrong terminology. So from what I imaging, the transit vpc is using a VM series palo alto FW's in the AWS enviroment to connect to the on prem Palo alto's. So this will need to be an investment from our end to purchase the licences for this series. Is that correct. Kind regards
... View more
11-14-2018
08:34 AM
Hi We have around 6 different IPSEC tunnels configured on the PAN with AWS. However we are trying to troubleshoot an issue, which we think could be related to as asymmetric routing. For e.g if traffic is send from one tunnel, and AWS sends it via the 2nd tunnel, the PAN will be dropping these. So we have temporary disabled one of the active tunnels - we have tried enabled ECMP on the palo alto, don't think this is working either. We have configured the tunnel on different security zones, so not sure if this is correct way? Anybody have any experience with setting up 2 redundant tunnels with AWS, that works. The suggested options are enabling BGP - which we don't have experience with. Kind Regards Anu
... View more
- Tags:
- aws
- ipsec issues
- vpn
01-18-2016
06:29 PM
Hi Everyone,
Is it possible to setup a passive/active HA setup when the core switch pair are using GLBP to load balance end-user traffic ? Essentially, I will have two cores in A/A and the PANs in P/A. I am using PA-500s.
... View more
12-08-2015
06:30 AM
1 Kudo
There is another GP related bug on 7.0.3. When using domain names for LDAP instead of IPs, GP cannot resolve the domain name so you get plethora error messages in authd.log telling you the LDAP server is down. A workaround is to use a FQDN object, but even that is very temperamental; it'll work and then suddenly stop for no apparant reason. Kind of sucks as I purchased a 3rd party cert so that I could verify the SSL sessions for the LDAP servers and now I can't even do that.
Looks like a typical case of people at the top pushing for deadlines and overlooking quality which results in shabby work.
... View more
11-30-2015
07:14 PM
Hi Everyone,
A quick run through my configuration:
I am using LDAPS; In Device -> Server Profiles -> LDAP and Device -> User Identification -> Server I am using DNS A records instead of IPs for my Active Directory servers; this is to ensure the domains can be validated by my 3rd party SSL cert. Also, in the GP gateway config (Network -> GlobalProtect -> Gateways -> myprofile -> Client Configuration -> Network Services), I have configured my local DNS servers.
I have configured the DNS servers in Device -> Setup -> Services to point to my local DNS servers. Everything works, captive portal, agentless user-id etc. However, I have been trying to setup GP but have been having issues with authentication. A quick check of authd.log shows:
debug: pan_auth_service_start_auth(pan_auth_service_handle.c:671): can not send request to remote server win-dc1.site.org of server profile "win-ad-server-list" since it is down or in retry-interval
The server is not down and is working as expected. When I create a new LDAP:389 profile and use IPs instead of domain names, then the authenication works as expected. It looks like GP is not querying the local DNS servers for some reason and therefore cannot resolve the DNS records.
Please advice
... View more
11-26-2015
05:55 AM
Hi guys,
I have a Zabbix monitoring server on an external IP/network which is listening on port 10060. I have a zabbix agent installed on my internal windows server that is also listening on port 10060. The server will make requests to the agent to query its status.
To allow the Zabbix Server access to the internal network, I have setup destination nat translation and also added a firewall policy to allow traffic for that given IP/port. It 'should' work, but it doesn't. The internal server works as expected, I can telnet into 10060 but via the external IP, it just times out. Routes are setup fine and I can ping the windows server through the firewall.
Here is an image with the config for further clarity: http://s29.postimg.org/ta90zymjp/PAN.png
Please advice.
... View more
11-20-2015
02:41 PM
Hi Everyone,
My internal network (trust zone) operates at 1Gb speeds and the connectivity with ISP (untrust) is at 100Mb. I am in the process of setting up SIP QoS but am a little confused as to how I should manage the inconsistences between the ISP and internal network speeds and the "Maximum Egress" field for the "QoS Profile" section.
Should I create a seperate profiles for my Egress and Ingress interfaces with the "Maximum Egress" field set to 100 and 1000 respectively or should I just create one QoS profile with a "Maximum Egress" of 100 ?
I am running PAN-OS-7.0.3
Regards
... View more
09-14-2015
10:14 AM
1 Kudo
Thanks guys; will be configuring it behind a firewall on the OOBM link.
... View more
09-09-2015
03:40 AM
Hi, Is it a good idea to connect the mgmt interface directly to wan ? or should it only be accessible locally and via an access server for remote management ?
... View more
LEGAL NOTICES
Copyright 2007 - 2023 - Palo Alto Networks