About PeterT

PeterT · ‎06-23-2022

The question though is which interface given VWIRE is a pair (logically one interface though physically two). Do you set it up on just one side of the VWIRE (single interface) or both physical interfaces; if both, does it double report the same traffic? TBH I struggle that same problem with vwire zone based FW'ing too.

PeterT · ‎10-13-2021

Been a couple years and I'd like to think we have come a long way on a better way to handle this. I'm dreading the future when we all go IPv6 if PANOS isn't updated to handle DNS wildcards in security policy / fw rules; I think we all understand the days of filtering by IP are limited with IPv6 and the every expanding CDN networks / cloud.

PeterT · ‎10-13-2021

So recently we (as in voluntold lol) decided to get rid of our dedicated Cisco L3 devices and move the L1 (VMWire) only FW's into L3 as a "cost saving measure". Won't get into how much I hate this but the decision has been made. Also this entire thing is managed via Panorama so don't need "do local FW overrides of templates". Also virtual systems not an option in many cases as the majority are low end small site models (i.e. 800's and down) hence don't need to get into "spin up a virtual system and control it that way" discussions. Anyways anybody have a config snippet they want to share for setting up the following two custom admin roles? 1) GP Admin - Needs access to the FW running GP (not all of them, just one), the ability to configure it all, maintain it, etc (via Panorama templates) but NOT anything else in Panorama or the FW. 2) Ditto but Network Engineer - I.e. needs access to the virtual routers, L2/L3 configs, interface configs, routing tables, etc but not stuff like admin database, authentication setup, security policy or objects, etc. The built-in rolls are ill equipped for this and I know how do do via effective superuser via Device Templates/Admin a per FW / virtual system level but I'm looking for more fine tuned than that i.e. "Just every function GP needs and nothing more" or "Every function a network engineer would need to treat the PA like a L3 device but nothing more"

PeterT · ‎05-24-2021

No, I end up just making a decrypt bypass rule just for it. I find google, like many other vendors (talking about you ArcGIS and many network appliances) are hard coding / cert pinning rather than using the OS certificate root store hence I ended up making all sorts of holes for this. I assume it's only going to get worse in the future given the move by major vendors and movers in the IT world to squash MITM "attacks" under the guise of privacy though in reality it has nothing to do with that.

PeterT · ‎04-29-2021

They are a community effort and I quit using Cacti sometime ago. Feel free to update them on the Cacti site and link them. Updating is pretty trivial, they are just definition files and OID's.

Member Since	‎06-17-2014 05:48 PM
Date Last Visited	‎01-19-2023 02:37 PM
Posts	34
Total Likes Received	4

Online Status	Offline
Date Last Visited	‎01-19-2023 02:37 PM

About PeterT

Re: vWire Interfaces and Netflow

Re: Easy way to deal with Google SMTP (1e100.net)?

Custom Admin Template Examples for GP Admin and Network Engineer?

Re: Google Earth (Pro) and SSL Decrypt

Re: Cacti - Templates

Re: Cacti - Templates

Re: Handling Google Mail (1e100.net)?

Re: Where are the administrator access logs on Panorama?

Re: SSL version logging

Re: Handling Google Mail (1e100.net)?

Re: Are DMZs still necessary?

Re: Are DMZs still necessary?

Re: Configuration of Palo Alto's in a NIST SP 800-70 Environment (mostly IPv6 blocking related)

Re: vWire Interfaces and Netflow

Re: Easy way to deal with Google SMTP (1e100.net)?

Custom Admin Template Examples for GP Admin and Network Engineer?

Re: Google Earth (Pro) and SSL Decrypt

Re: Cacti - Templates