Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
08-18-2015
11Posts
6Likes
3Solutions
Aug 18, 2015Last Visited
User
Activity
User
Profile
Latest posts by mike_lutgen
| Subject | Views | Posted |
|---|---|---|
| 1497 | 03-22-2014 04:11 PM | |
| 1646 | 03-22-2014 10:10 AM | |
| 825 | 05-09-2013 11:55 AM | |
| 990 | 11-29-2012 03:55 PM | |
| 693 | 08-29-2012 08:58 AM |
My Liked Posts
| Subject | Likes | Posted |
|---|---|---|
| 1 | 08-25-2012 02:15 PM | |
| 2 | 08-25-2012 03:04 PM | |
| 1 | 08-25-2012 02:47 PM | |
| 2 | 05-14-2012 10:52 AM |
Posts I Liked
| Subject | Likes | Author | Latest Post |
|---|---|---|---|
| 2 |
User Badges
Public Statistics
| Date Registered | 04-26-2010 08:25 PM |
| Date Last Visited | 08-18-2015 09:06 AM |
| Total Messages Posted | 13 |
| Total Likes Received | 6 |
03-22-2014
04:11 PM
I understand what the technology does, that is not what my question was. My question was about identifying which threats have been mitigated by the Wildfire signatures vs the Threat Prevention signatures.
... View more
03-22-2014
10:10 AM
Hey Guys, Looking for a little help here, trying to provide some proof to management of the value that the Wildfire subscription is providing to us vs just having the Threat Prevention subscription. I've looked in the Wildfire logs, but that only shows threats that were uploaded to the Wildfire cloud for investigation and were still allowed through the firewall (basically it's a log of all the stuff that got through and whether or not it was malware). That is helpful for the desktop team, because they can focus a PC cleaning on the machines that are listed in the logs, but I'd like to go to management with a list of threats that were blocked by Wildfire signatures to show all of the stuff that is being prevented from entering our network and therefore proving the value of the Wildfire subscription. The problem with that is, as far as I know, all threats blocked by Wildfire signatures still just go into the Threat log and are indistinguishable from threats blocked by Threat Prevention signatures. Does anyone know of a way to identify one vs the other? Thanks!
... View more
- Tags:
- wildfire_logs
05-09-2013
11:55 AM
If you are using the Migration tool, migrating from Cisco is fairly straightforward, the only thing that won't migrate for you is the NAT rules. Recreating those is pretty straightforward though just be sure to use the bi-directional checkbox since I think that's how most/all Cisco NAT rules are.
... View more
11-29-2012
03:55 PM
Working with Active FTP, we are having problems with transferring files larger than 1.5GB because the control channel hits the idle session timeout for FTP (set at 1800 seconds). Temporarily we have increased the timeout to 5400 seconds as a workaround but we are looking for an option to be able to tie the control channel lifetime to the data channel so that as long as as there is data transferring over the data channel the control channel won't time out. Currently I don't know of any way to do this on Palo Alto Networks firewalls, is there any ability to do this?
... View more
Labels:
- Labels:
-
App-ID
-
Configuration
-
Networking
-
Troubleshooting
08-29-2012
08:58 AM
I am currently working within Panorama and for one device group there are over 533 rules and editing them is terribly slow. I found this document and one of the fixes mentioned was limiting the row count in the policy editor to only 100. I would love to do that but I can't seem to find where in the interface I specify this. Any help would be very much appreciated. Mike
... View more
Labels:
- Labels:
-
Configuration
-
Management
-
Panorama
-
Set Up
08-25-2012
03:04 PM
2 Kudos
Hello, This is not a terribly difficult task if you are familiar with how NATing generally works on the PAN firewall. There is one main thing that you will need to make sure though - that the tunnel interface you specified for the tunnel is in a separate zone from the traffic that will be going across the tunnel. As long as you have this done, you will build the NAT rule like this: Source Zone: <your source traffic zone(s)> Destination Zone: <your VPN tunnel interface zone> Source Address: any (or restricted to a specific IP if you like) Source Translation: You have a couple of options here depending on exactly what traffic you are sending across. 1. If it's coming from multiple hosts specify Dynamic IP and Port and then Translated Address. In the area where you specify an address, either select/create an address object for the address that you are NATing to, or you can just type an address in the field as well. 2. If it's coming from a single host, you can do the first option, or you can specify it as Static IP and then in the Translated Address area, specify/create an address object for the address that you are NATing to or again, you can just type an address into the field. This is all you should have to do, the rule will look very much like your source NAT policy that translates your user traffic out to the internet except your destination zone will be the zone that your tunnel interface is in and you will not be specifying "Interface Address" as the Source Translated Address. One thing to keep in mind, if your VPN tunnel is currently in the same zone as your trusted network, when you apply a different zone to it, you will need to make sure to add the appropriate firewall rules so that traffic can flow correctly. Mike
... View more
08-25-2012
02:47 PM
1 Kudo
Hi Brano, You can also export these using the following process: 1. SSH to the firewall and run the command set cli config-output-format set 2. Enter the command configure to enter configuration mode and run the command show address-group <address-group object name> This will display the section of the configuration relating to that address group, you can copy it out from there and do what you like with it. It will display in set commands, so if you wanted to create that address-group on other PAN firewalls, you could just paste the group of set commands into the CLI and it will be created (you will have to create the address objects first though, to export those from the config as well, run show address <address object name>). Mike
... View more
08-25-2012
02:15 PM
1 Kudo
Dave, This shouldn't cause an issue since you don't actually configure an IP address for firewalls within Panorama, just a serial number (to make sure they stay in the correct device groups). All other configuration related to Panorama is on the firewall itself, so as long as the new address range that the firewall has can route to the IP address that is configured for the Panorama server you shouldn't have an issue. Mike
... View more
06-28-2012
11:26 AM
Thanks mikand, I was actually able to get this working by allowing the Vimeo application for the websites player.vimeo.com and aaregistry.org and then blocking it for all other sites. They also asked me to attempt to set up the same sort of thing for Youtube videos but I was unable to get that to work as the URL is always www.youtube.com for those videos, even embedded.
... View more
05-14-2012
10:52 AM
2 Kudos
Hello, I have a customer that would like to block vimeo completely but allow it specifically from one website, aaregistry.org. I have PAN-OS 4.1.6 running right now and have tried to use a custom URL category in my rule to allow vimeo specifically from that one URL, but I am having no luck. I also even added vimeo.com to the URL category and it doesn't seem to be working, am I doing this right? (screenshots attached) My block rule works, it blocks vimeo for my user account completely, but adding my allow rule did not grant me access to vimeo on aaregistry.org, or even vimeo.com after I added that to the custom URL category.
... View more
Labels:
- Labels:
-
App-ID
05-17-2011
12:42 PM
Hi Albert, I am trying to convert from a Checkpoint R65, and am using the routes.txt file, below is what is in that file. Destination Gateway Genmask Flags MSS Window irtt Iface 192.168.101.0 0.0.0.0 255.255.255.0 U 0 0 0 eth2 192.168.102.0 0.0.0.0 255.255.255.0 U 0 0 0 eth3 192.168.103.0 0.0.0.0 255.255.255.0 U 0 0 0 eth4 192.168.11.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0 216.207.173.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1 192.168.0.0 192.168.11.2 255.255.0.0 UG 0 0 0 eth0 127.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 lo 0.0.0.0 216.207.173.1 0.0.0.0 UG 0 0 0 eth1 When I attempt to use the migration tool and upload this file as my routes.txt, I get the errror: No routes.txt or empty file or cannot find the local interfaces, putting all rules in the Trust zone. Any ideas on why I would be getting this error? I am running version 1.5.4. Thanks! Mike
... View more
Latest Blogs
Latest Posts
Copyright 2007 - 2020 - Palo Alto Networks
