Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
03-18-2019
8Posts
0Likes
0Solutions
Mar 18, 2019Last Visited
User
Activity
User
Profile
Latest posts by mgillette
| Subject | Views | Posted |
|---|---|---|
| 5101 | 03-13-2019 03:52 PM | |
| 668 | 07-17-2018 05:39 PM | |
| 1216 | 03-22-2018 01:05 PM | |
| 1274 | 03-21-2018 02:04 PM | |
| 7161 | 02-13-2018 08:09 PM |
User Badges
Public Statistics
| Date Registered | 04-26-2012 01:41 PM |
| Date Last Visited | 03-18-2019 07:32 PM |
| Total Messages Posted | 8 |
03-13-2019
03:52 PM
Thanks for the reply, since a bit of time has passed I actually forgot about this post. Long story short it's up and running. I did try an application override and that didn't resolve things - nice to know I was on the right track at least. What i was able to confirm through a series of packet captures both here and at our voice providers end was that their equipment was dropping packets - I mean, it had to be their service if I was getting flawless voice with my FreePBX system hosted in a different country. The provider went back to their suppliers who confirmed the issue and implemented a fix. Turns out, we were possibly the only client they had running that specific version of the Mitel App on iOS and this introduced issues supposedly. Nedless to say I wasn't too stoked about being utalised as beta testers! I think next time I'll be more inclined to roll my own solution. Cheers!
... View more
07-17-2018
05:39 PM
Hi All, We have just had an interesting experience when trying to migrate to version 8.1.11-h1. Basically what appears to happen is the firewall is thrown into a boot loop. We just have a single 5020 - no HA and all the normal lights come on after a reboot, the STS light is amber for about 30 seconds or so and then the lights turn off - rinse and repeat. After about 30 mins or so I was presented with the maintenance window - when I connected via serial console and was able to downgrade to version 7.1.18 again. Then I decided to try the base 8.0.0 release, the exact same issue occured only this time I didn't wait 30ish minutes to downgrade - I gave it 5 boot loops and called time on it. When 8.0 was relased I did download that in preparation for the move, so I'm just wondering if over time (and a few version 7 upgrades) that something corrupted this image perhaps? How have you guys gone with upgrading to version 8? any tips on where I can go from here? Thanks!
... View more
03-22-2018
01:05 PM
Appreciate the feedback, we do actually have application filters in place in addition to URL categorisation. This takes care of most casual bypass attempts via the usual proxies/L2tp/ipsec etc. I fully understand that this is largely a futile exercise that needs to be dealt with outside of IT. My personal view is that this should be a catalyst of sorts for management to make it clear to students what the policy is and to take disciplinary action - just like what would happen in a business. Additioanlly, this is a great opportunity for the school to educate the student/s better on how to be good digital citizens - kinda ironic really.
... View more
- Tags:
- n
03-21-2018
02:04 PM
Hi PAN Community, I work for a school and we have issues with student VPN use - specifically x-vpn, hotspot shield etc. We have rules in place that take care of the proxies and standard VPN applications and have SSL decryption and URL blocks in place for stuff we don't want students to access ie, pornography. I found the following reddit post which details similar issues: https://www.reddit.com/r/paloaltonetworks/comments/6ydcw7/how_are_you_all_blocking_personal_vpns_like_nord/ Which seems to suggest blocking ip ranges. Before I go that far, I thought I'd ask the community to see if anyone else has encountered something similar. Cheers!
... View more
02-13-2018
08:09 PM
Hi There, We have a hosted mitel voice solution that we are seeing call quality issues in the inbound direction, ie calls in. I am attempting to troubleshoot this with our provider and they are seeing SDP attributes being added from our firewall. I'm relatively new to the voice game so please excuse the ignorance! I have disabled SIP ALG and applied QOS as suggested here https://www.paloaltonetworks.com/documentation/71/pan-os/pan-os/quality-of-service/use-case-qos-for-voice-and-video-applications Setup looks like: PAN ---------------- Ubiquiti Edgerouter Pro --------------- ISP juniper I'm at a bit of a loss as to where to look next - just as a test I spun up a freepbx system and connected a phone to that and am able to make calls inbound and out without issues so I am confident that the firewall is classifying everything and rules are doing what they should. I should add theat the issues are only with softphones, we have mitel branded handsets and cisco ATA's that don't have issues with inbound quality. So the question would be, what would add the SDP attribute and where should I look to resolve this? Thanks in advance
... View more
07-30-2012
02:44 AM
Ok so here's what I've done. Downloaded the forward_trust CA and imported that into the keychain on an OS X machine. Fire up safari and go to ssl facebook. The browser complains that the identity of www.facebook.com can't be identified and asks me what to do. I click continue. Nothing appears to have changed from my first post and the safari activity window reports that the certificate for s-static.ak.fbcdn.net is invalid because the certificate issuer can't be identified. Various other parts of SSL websites also break in this manner - hotmail,yahoo and gmail all report at some point that a certificate is invalid. This is the screenshot of the certificates page And a screenshot of the decryption settings
... View more
07-30-2012
12:51 AM
Hi Andre, Firstly thanks for the config guide, but unfortunately it doesn't work for me in my scenario. We don't use AD or windows so I can't push out certificates using GPO. We are linux/Mac based and rely on users clicking the right option when their browser prompts them to accept a certificate. In the facebook case above the browser does not load the s-static.ak.fbcdn.net certificate. I need to manually load this into the browser on my test machine for https facebook to work. I have tried other SSL sites, (gmail,hotmail,yahoo) these exhibit the same issue where the site doesn't trust the CA on the palo alto and doesn't load some certificates. This causes various parts of these sites to break.
... View more
07-29-2012
05:06 PM
Hi All, I have an issue with SSL decryption and using the inbuilt CA. What appears to happen is that various parts of SSL websites don't trust the CA on the palo alto and as a consequence sites do not load fully and report various certificate issues. This is what https facebook looks like: The corresponding browser complaints: I'm running the very latest OS 4.1.6 but I was running 4.1.3 and this problem was evident then as well. I've tried uploading a trusted certificate from rapidssl and I don't get the option to select that is a valid certificate for a forward SSL proxy which is understandable as I don't have a key. So I'm obviously doing something wrong - whats the accepted procedure to get this up and running? Thanks in advance for your help
... View more
- Tags:
- decryption
- ssl
Labels:
- Labels:
-
Configuration
-
Management
-
Troubleshooting
Latest Blogs
Latest Posts
Copyright 2007 - 2020 - Palo Alto Networks
