This website uses cookies essential to its operation, for analytics, and for personalized content. By continuing to browse this site, you acknowledge the use of cookies.
For details on cookie usage on our site, read our Privacy Policy
For details on cookie usage on our site, read our Privacy Policy
About ErwinBuena
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- LIVEcommunity
- About ErwinBuena
12-10-2020
21Posts
3Likes
0Solutions
Dec 10, 2020Last Visited
User
Activity
User
Profile
Latest posts by ErwinBuena
| Subject | Views | Posted |
|---|---|---|
| 1849 | 12-18-2016 06:00 PM | |
| 2169 | 01-25-2015 04:37 PM | |
| 2145 | 01-25-2015 02:12 PM | |
| 1852 | 01-25-2015 02:09 PM | |
| 1986 | 01-22-2015 12:27 PM | |
| 7436 | 12-11-2014 02:13 PM | |
| 2260 | 08-25-2014 10:09 PM | |
| 3383 | 07-15-2014 04:14 PM | |
| 3383 | 07-15-2014 02:03 AM | |
| 3507 | 07-14-2014 09:03 PM |
My Liked Posts
| Subject | Likes | Posted |
|---|---|---|
| 2 Likes | 01-25-2015 04:37 PM | |
| 1 Like | 01-25-2015 02:12 PM |
User Badges
Community Statistics
| Member Since | 06-17-2014 02:33 PM |
| Date Last Visited | 12-10-2020 02:00 PM |
| Posts | 21 |
| Total Likes Received | 3 |
12-18-2016
06:00 PM
Hi Can someone clarifies if it is a default behaviour on PaloAlto to allow scan host sweep towards Internet? It is tagged as medium in Threat Prevention but the firewall unable to block it even though the profile is set to strick that block all Threats categorize from low to Critical. Thanks, Jabuens
... View more
01-25-2015
04:37 PM
2 Kudos
I'm running latest version of PAN6.xx and I have this similar issue when I'm doing testing and found out that the reductions of throughput is related to the way url filtering has been configured specially if you're using speedtest and other sorftware online to test the internet speed connections. Reduction of throughput the way I've observe it during my testing is due to ports being block by PaloAlto used by speedtest to do it calculation. You can test it by creating a policy with filtering in place and without filtering. Observe the result and see if you can get the 44mb without PAN. The other issue that slow your connections is with the proxy that you used to connect to the internet. You can also disable it on your pc and play around with PAN configuration with or without filtering. I hope it helps with your troubleshooting.
... View more
01-25-2015
02:12 PM
1 Kudo
We have found the issue with the active directory is not configured to send security logs to the firewall that causing USER-ID not to work in version 6. The old box that we're using are running on version 5 and USER-ID agent is running on windows 2003 that is not compatible the way PA version 6 handles security logs from active directory (AD)
... View more
01-22-2015
12:27 PM
Just a question about Global Protect Gateway License. Currently we're planning to deploy PA-5050 for our Data Center Infrastructure. Is Global Protect Gateway License is a requirement? For what I've understand, this is only a requirement if you're going to use remote access or SSL VPN but since this is only for our internal security and no remote access needed this license I believe is not needed anymore. Can someone provide their opinion about licensing? Thanks, Erwin
... View more
Labels:
- Labels:
-
Management
12-11-2014
02:13 PM
Is someone got an answer for this kind of issue? I'm also in the process of modifying the default profile for Antivirus and set a block rule for smtp, pop3 and imap of PA detected an anomaly on it's payload. Is it a good practice?
... View more
08-25-2014
10:09 PM
We have a new PA-3020 running on version 6 and I'm using our old Windows User-ID agent running on version 5 that are currently operational in our environment. I've configured PA-3020 to connect with the User-ID agent but I'm having an authentication issue PAN-3020> show user user-id-agent state all Agent: ad-agent(vsys: vsys1) Host: 10.2.2.2 (10.2.2.2):5007 Status : conn:idle Version : 0x5 num of connection tried : 4 num of connection succeeded : 2 num of connection failed : 2 num of status msgs rcvd : 192179 num of request of status msgs sent : 192191 num of request of ip mapping msgs sent : 2013 num of request of new ip mapping msgs sent : 0 num of request of all ip mapping msgs sent : 292 num of user ip mapping msgs rcvd : 0 num of ip msgs rcvd but failed to proc : 0 num of user ip mapping add entries rcvd : 0 num of user ip mapping del entries rcvd : 0 num of request of group msgs sent : 0 num of group msgs rcvd : 0 num of group msgs recvd buf fail to proc : 0 num of xml data msgs rcvd : 0 num of xml data msgs rcvd but failed to proc : 0 Last heard(seconds ago) : 3 Messages State: Job ID : 0 Sent messages : 210810 Rcvd messages : 207229 Lost messages : 0 Failed to send messages : 0 Queued sending msgs with priority 0 : 0 Queued sending msgs with priority 1 : 0 Queued rcvring msgs with priority 0 : 0 Queued rcvring msgs with priority 1 : 0 PAN-3020> show user user-id-agent statistics Name Host Port Vsys State Ver Usage --------------------------------------------------------------------------- ad-agent 10.2.2.2 5007 vsys1 conn:idle 5 P N Usage: 'P': LDAP Proxy, 'N': NTLM AUTH, '*' Currently Used The error that I got is authentication failure and it says user is not in allow-list even though I've configured the groups based on LDAP group mapping. Does anyone encountered this issue? Thanks, Erwin
... View more
07-15-2014
04:14 PM
Hi Mivaldi, Thanks for the information. Deploying the PAN internal Interface as the DNS for all DHCP client will not scale out and it's adds up additional time for DNS resolution for internal networks. Reading all the discussion about DNS forwarding in this forum provide me great information including the one that you mention. 1. I've decided to configure our internal DNS server to have a DNS forwarder point to PAN Internal Network for Internet (external) DNS Resolution and query data to our ISP Public DNS. 2. External DNS will only communicating for all DNS resolution via PAN DNS Proxy. Cheers, Erwin
... View more
07-15-2014
02:03 AM
Thanks Hulk for the feedback
... View more
07-14-2014
09:03 PM
I'm looking on how to configure DNS proxy on PAN and found below link that provide great information. https://live.paloaltonetworks.com/docs/DOC-3637 https://live.paloaltonetworks.com/docs/DOC-3522 https://live.paloaltonetworks.com/docs/DOC-4633 However, it does not cover the design that I want for DNS resolution and protect our internal DNS servers. - I would like to check if anyone has done configuring their internal DNS server to use PAN (DNS Proxy configuration) as a DNS forwarder to resolved all external DNS?? - PAN DNS Proxy will have entry for public DNS server coming from our local ISP server provider at the same time PAN firewall is configured to forward DNS resolution bound for our local domain resolution - Using the above setup, I can protect my internal DNS since all external DNS resolution will be coming from PAN Firewall. Any information or ideas are highly appreciated Cheers, Erwin
... View more
07-14-2014
07:18 PM
Hi Steven, See my update below The vpn would build on the internal interfaces since the ISP for one side is down. - You’re correct, I’m planning to build the tunnel via the Internal Interface on PAN Firewall The PA default route for the down ISP goes into the tunnel - I’m planning to used PBF together with the built-in monitor to track the site ISP connections and once it is down, default route will be routed to VPN Tunnel. Do I need to create two PBF for this scenario? On the PA with good ISP - return traffic to the other site needs to go into the vpn instead of the MPLS or the tunnel will be asymmetrical and fail - If I enable “Enforce Symmetric Return in PFB Rule? Does it reduce the complexity that you mention? NAT for internet access - Yes, I’ll do dynamic NAT translation for all traffic coming out of the VPN tunnel. Possible issue that I’m anticipating are the NAT translation for the public IP’s owned by ISP that having an issue. Any thoughts on this? It’s looks like it’s getting complicated than the original plan that I thought. Do you think it make since to do it this way or I need to look at another solutions. Your feedback are highly appreciated and help me a lot to think out of the box for the solution that I’m planning. Cheers, Erwin
... View more
07-14-2014
04:37 PM
Hi Steven Configuration would be more complicated if I do the fail over functionality on HQ RTR that will look like this. For each sites (HQ1/2 RTR) it has a default static route towards PAN Internet Firewall. Using PBF to revert the default static on PAN and back to HQ RTR would be an issue. Do you have any recommendation to address this issue? Other solution that I'm thinking is to use IP SLA on HQ Router to track Internet Edge connections and then let the routes dynamically learned the routes since those default static routes has been re-distributed to MPLS routing table to fail-over to another ISP. I'm hesitant to this since it will require more work as compared to building up VPN tunnel between the two PAN router. In terms of the NAT rules, it covers the private IP address for each sites. Each sites has it's own public IP address for NAT translation for each of the system for inbound traffic Thanks to Kadak and Hulk for your update as well. Cheers, Erwin
... View more
07-13-2014
10:41 PM
I'm new in using PaloAlto Firewall. We have to sites that have it's own dedicated ISP connections and I've been task to configure the PAN firewall to route the Internet connections to another ISP if the main internet connections encounter a connectivity problem. HQ1 RT1-------PAN FW--------Internet RTR------------------ISP1 | | | -> Connections between HQ1 and HQ2 is via internal MPLS and they're on different location | | HQ2 RT2-------PAN FW--------Internet RTR------------------ISP2 Is it possible to configure VPN Tunnel between the two PA FW and used PBF? Any feedback are highly appreciated Cheers, Erwin
... View more
- Tags:
- fail-over
LEGAL NOTICES
Copyright 2007 - 2023 - Palo Alto Networks