cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

About mike_lutgen

Announcements

Changes to the LIVEcommunity experience are coming soon... Here's what you need to know.

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
mike_lutgen
‎08-18-2015
since ‎04-26-2010
Not applicable
User Activity
User Profile
User Badges
Public Statistics
Date Registered ‎04-26-2010 08:25 PM
Date Last Visited ‎08-18-2015 09:06 AM
Total Messages Posted 13
Total Likes Received 6

Re: Wildfire Signatures vs Threat Prevention Signatures

by in General Topics
‎03-22-2014 04:11 PM
‎03-22-2014 04:11 PM
I understand what the technology does, that is not what my question was. My question was about identifying which threats have been mitigated by the Wildfire signatures vs the Threat Prevention signatures. ... View more

Wildfire Signatures vs Threat Prevention Signatures

by in General Topics
‎03-22-2014 10:10 AM
‎03-22-2014 10:10 AM
Hey Guys, Looking for a little help here, trying to provide some proof to management of the value that the Wildfire subscription is providing to us vs just having the Threat Prevention subscription.  I've looked in the Wildfire logs, but that only shows threats that were uploaded to the Wildfire cloud for investigation and were still allowed through the firewall (basically it's a log of all the stuff that got through and whether or not it was malware). That is helpful for the desktop team, because they can focus a PC cleaning on the machines that are listed in the logs, but I'd like to go to management with a list of threats that were blocked by Wildfire signatures to show all of the stuff that is being prevented from entering our network and therefore proving the value of the Wildfire subscription.  The problem with that is, as far as I know, all threats blocked by Wildfire signatures still just go into the Threat log and are indistinguishable from threats blocked by Threat Prevention signatures.  Does anyone know of a way to identify one vs the other? Thanks! ... View more

Re: Migration from Check Point to PAN

by in General Topics
‎05-09-2013 11:55 AM
‎05-09-2013 11:55 AM
If you are using the Migration tool, migrating from Cisco is fairly straightforward, the only thing that won't migrate for you is the NAT rules.  Recreating those is pretty straightforward though just be sure to use the bi-directional checkbox since I think that's how most/all Cisco NAT rules are. ... View more

Active FTP Timeout Issue

by in General Topics
‎11-29-2012 03:55 PM
‎11-29-2012 03:55 PM
Working with Active FTP, we are having problems with transferring files larger than 1.5GB because the control channel hits the idle session timeout for FTP (set at 1800 seconds).  Temporarily we have increased the timeout to 5400 seconds as a workaround but we are looking for an option to be able to tie the control channel lifetime to the data channel so that as long as as there is data transferring over the data channel the control channel won't time out.  Currently I don't know of any way to do this on Palo Alto Networks firewalls, is there any ability to do this? ... View more

Maximum Rows In Policy Editor

by in General Topics
‎08-29-2012 08:58 AM
‎08-29-2012 08:58 AM
I am currently working within Panorama and for one device group there are over 533 rules and editing them is terribly slow.  I found this document and one of the fixes mentioned was limiting the row count in the policy editor to only 100.  I would love to do that but I can't seem to find where in the interface I specify this. Any help would be very much appreciated. Mike ... View more

Re: Network address Translation (NAT) support for IPSec ESP

by in General Topics
‎08-25-2012 03:04 PM
2 Kudos
‎08-25-2012 03:04 PM
2 Kudos
Hello, This is not a terribly difficult task if you are familiar with how NATing generally works on the PAN firewall.  There is one main thing that you will need to make sure though - that the tunnel interface you specified for the tunnel is in a separate zone from the traffic that will be going across the tunnel.  As long as you have this done, you will build the NAT rule like this: Source Zone: <your source traffic zone(s)> Destination Zone: <your VPN tunnel interface zone> Source Address: any (or restricted to a specific IP if you like) Source Translation: You have a couple of options here depending on exactly what traffic you are sending across.      1. If it's coming from multiple hosts specify Dynamic IP and Port and then Translated Address.  In the area where you specify an address, either select/create an address object for the address that you are NATing to, or you can just type an address in the field as well.      2. If it's coming from a single host, you can do the first option, or you can specify it as Static IP and then in the Translated Address area, specify/create an address object for the address that you are NATing to or again, you can just type an address into the field. This is all you should have to do, the rule will look very much like your source NAT policy that translates your user traffic out to the internet except your destination zone will be the zone that your tunnel interface is in and you will not be specifying "Interface Address" as the Source Translated Address. One thing to keep in mind, if your VPN tunnel is currently in the same zone as your trusted network, when you apply a different zone to it, you will need to make sure to add the appropriate firewall rules so that traffic can flow correctly. Mike ... View more

Re: Export

by in General Topics
‎08-25-2012 02:47 PM
1 Kudo
‎08-25-2012 02:47 PM
1 Kudo
Hi Brano, You can also export these using the following process: 1. SSH to the firewall and run the command set cli config-output-format set 2. Enter the command configure to enter configuration mode and run the command show address-group <address-group object name> This will display the section of the configuration relating to that address group, you can copy it out from there and do what you like with it.  It will display in set commands, so if you wanted to create that address-group on other PAN firewalls, you could just paste the group of set commands into the CLI and it will be created (you will have to create the address objects first though, to export those from the config as well, run show address <address object name>). Mike ... View more

Re: What happens if I change mgt IP?

by in General Topics
‎08-25-2012 02:15 PM
1 Kudo
‎08-25-2012 02:15 PM
1 Kudo
Dave, This shouldn't cause an issue since you don't actually configure an IP address for firewalls within Panorama, just a serial number (to make sure they stay in the correct device groups).  All other configuration related to Panorama is on the firewall itself, so as long as the new address range that the firewall has can route to the IP address that is configured for the Panorama server you shouldn't have an issue. Mike ... View more

Re: Allow Vimeo From Specific Website

by in General Topics
‎06-28-2012 11:26 AM
‎06-28-2012 11:26 AM
Thanks mikand, I was actually able to get this working by allowing the Vimeo application for the websites player.vimeo.com and aaregistry.org and then blocking it for all other sites.  They also asked me to attempt to set up the same sort of thing for Youtube videos but I was unable to get that to work as the URL is always www.youtube.com for those videos, even embedded. ... View more

Allow Vimeo From Specific Website

by in General Topics
‎05-14-2012 10:52 AM
2 Kudos
‎05-14-2012 10:52 AM
2 Kudos
Hello, I have a customer that would like to block vimeo completely but allow it specifically from one website, aaregistry.org.  I have PAN-OS 4.1.6 running right now and have tried to use a custom URL category in my rule to allow vimeo specifically from that one URL, but I am having no luck.  I also even added vimeo.com to the URL category and it doesn't seem to be working, am I doing this right?  (screenshots attached) My block rule works, it blocks vimeo for my user account completely, but adding my allow rule did not grant me access to vimeo on aaregistry.org, or even vimeo.com after I added that to the custom URL category. ... View more
Labels:

Re: Migration from Check Point to PAN

by in General Topics
‎05-17-2011 12:42 PM
‎05-17-2011 12:42 PM
Hi Albert, I am trying to convert from a Checkpoint R65, and am using the routes.txt file, below is what is in that file. Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface 192.168.101.0   0.0.0.0         255.255.255.0   U         0 0          0 eth2 192.168.102.0   0.0.0.0         255.255.255.0   U         0 0          0 eth3 192.168.103.0   0.0.0.0         255.255.255.0   U         0 0          0 eth4 192.168.11.0    0.0.0.0         255.255.255.0   U         0 0          0 eth0 216.207.173.0   0.0.0.0         255.255.255.0   U         0 0          0 eth1 192.168.0.0     192.168.11.2    255.255.0.0     UG        0 0          0 eth0 127.0.0.0       0.0.0.0         255.0.0.0       U         0 0          0 lo 0.0.0.0         216.207.173.1   0.0.0.0         UG        0 0          0 eth1 When I attempt to use the migration tool and upload this file as my routes.txt, I get the errror: No routes.txt or empty file or cannot find the local interfaces, putting all rules in the Trust zone. Any ideas on why I would be getting this error? I am running version 1.5.4. Thanks! Mike ... View more
Register or Sign-in
Contact Me
Online Status
Offline
Date Last Visited
‎08-18-2015 09:06 AM
Latest Tags
No tags yet
Likes Given To
View All
Likes From
Latest Blogs
Latest Posts
Privacy Policy Terms of Use
Copyright 2007 - 2021 - Palo Alto Networks