About Matlu_NN

It is not necessary to have a firewall rule to test this, right? And the VSYS, would be the VSYS1, according to the scenario I could show you, right? ... View more

Hello, my friend. Can I create a test user in "Local User Database" -> "Users" and apply the command? For example, create an account like the following: Username: jchampion Password: 1234abc# I can run the "Test" command without having a security policy, can't I? The command would be something like this: test authentication authentication-profile Local Database username jchamion password 1234abc# This is the flow it should follow, and the command should be successful, right? Or is there any observation on your part? Thanks for your help. ... View more

Hello, Then the command "test", would only be useful to test the "local users", that are inside the option "LOCAL USER DATABASE" ???? Greetings. ... View more

Hello, friend. And in the command: test authentication authentication-profile <authentication-profile-name> username <username> password. What should I put in the <authentication-profile>? My local users have not created an "Authentication-Profile". Is it optional? ... View more

Hello, Actually, I don't know what is the correct syntax of the command. I am applying what I can understand from the shared document, but I always get the same result.     Can you tell me what you think is the error I am having in applying the command? Note: It is important to mention, that this is a local account created on the Palo Alto Firewall itself. Thanks ... View more

Hello, You need to configure the "<vsys-name>"???? I have a Firewalls Cluster, and I do not see anything in the configuration of the equipment that makes me "recognize" if I have configured or not the "vsys". Is this something that comes active by default or is it something that must be activated???? Working with vsys, can impact on the configuration that has the Cluster of equipment? Greetings. ... View more

Hello, They are local users. Is there any way to successfully perform the test command to validate if the credentials are working or not? Greetings. ... View more

Hello, I have performed the agent installation test on Windows Server, and the test has been successful. If it is not in the Palo Alto matrix, what does this mean, that if I have a problem with a user in his GP connections from his Windows Server, "I guess" that TAC will not give me any support, right? A criterion to apply object HIP, can be the "serial" of the Laptop that uses a user ???? Greetings. ... View more

Hello, my friend. I got this information regarding the SwitchCore machine that has the IP 10.7.44.1, which is the GW of my Palo Alto. The Router with IP 10.7.44.1, knows my MGMT IP (eth1/4 of the FW), by a static route, as I show you in the following image. All your explanation is clear, I just want to give "sense" to the explanation of why the "ping host 10.7.25.107" works, if according to the routing table, to reach that destination, I must leave through the eth1/4 interface and it does not work, but it seems that it does reach that destination through the MGMT interface of the Firewall (with IP 10.7.15.166). Hopefully, you can clarify this theory. Greetings. ... View more

Hi, Buddy Thanks for taking the time to be able to help me. Right now, I have no idea, if the MGMT interface, was "sold" as "Out of band". Is this something I should check with the project implementer? Or can I answer this question myself by checking the configuration? The only thing I know is that the Firewall model, which is a 3020, has a dedicated leg to be MGMT. In your experience, I ask you 2 questions. When you have connectivity problems between a source and a destination, and you want to validate if that destination is "available or reachable" from the Firewall point of view, you do tshoot tests, involving the simple PING from the FW???? CLI. For you to validate if you have a route or not, to reach a destination, from the FW, it is valid to use the command "show routing route"???? I still have pending, the routing table of the Router that GW from the MGMT of the FW.   Thanks for everything, bro. ... View more

Hello.   Unfortunately the router that is the DGW of the MGMT interface, is managed by another "Team", and I do not have that information now, but I will talk to them to provide me the route that they have from their equipment, to reach the IP that has my MGMT interface of the Firewall.   Is this type of scenario common? I mean, if I validate that to get to any destination, I leave through a specific interface (any, for example eth1/5, eth1/8, etc], and if I want to test PING with ORIGIN, from the Firewall CLI, I must always have an Intazone rule enabled and in "permit"?????   This is as a general concept????   To understand why in my case, "ping host x.z.z.z" works, you need the routing from the Router, right?   For now, I can assume that for any kind of traffic to reach my specific destination, it is going out on the eth1/4 interface????.   Thank you. ... View more

Hello, Is it necessary to have a security rule to allow traffic from the Ethernet1/4 Interface for ping tests to my destination 10.7.25.107????? I have checked the rules, and also the logs, and this is what I found. It is necessary to create an explicit rule to allow me to simply ping from the eth1/4 interface to my destination ????. What I do not understand so far, is why the "PING HOST X.X.X.X.X" responds me positively, if in the routes, I do not have any evidence that to reach this destination, I do it by the MGMT. Unfortunately, I do not have the routes of the router with IP 10.7.44.1 Thanks for all your help.   ... View more

It is clear to me that the "ping hos x.x.x.x.x" takes out all the traffic through the mgmt interface, in my scenario, this should not happen, because for me to reach the destination 10.7.25.107, according to the routing table, I must reach it through the Ethernet1/4 interface.   So, the correct way to test the connectivity to that destination, should be with a "ping with source", that is with the command "ping source <IP of the interface Eth1/4 source 10.7.25.107" (As it is in the pictures that I attached above the case), but when you do this test, it simply does not work, and I do not understand why. It is not supposed to work?????? Cheers ... View more