This website uses cookies essential to its operation, for analytics, and for personalized content. By continuing to browse this site, you acknowledge the use of cookies.
For details on cookie usage on our site, read our Privacy Policy
For details on cookie usage on our site, read our Privacy Policy
About DJFirewallSupport
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- LIVEcommunity
- About DJFirewallSupport
10-31-2022
11Posts
1Like
0Solutions
Oct 31, 2022Last Visited
User
Activity
User
Profile
Latest posts by DJFirewallSupport
| Subject | Views | Posted |
|---|---|---|
| 325 | 10-10-2022 08:49 AM | |
| 2792 | 11-02-2012 06:56 AM | |
| 2792 | 11-01-2012 01:58 PM | |
| 3197 | 11-01-2012 08:13 AM | |
| 1467 | 10-24-2012 02:04 PM |
My Liked Posts
| Subject | Likes | Posted |
|---|---|---|
| 1 Like | 11-01-2012 08:13 AM |
User Badges
Community Statistics
| Member Since | 07-17-2012 09:58 AM |
| Date Last Visited | 10-31-2022 09:03 AM |
| Posts | 11 |
| Total Likes Received | 1 |
10-10-2022
08:49 AM
sometimes the policy matched the multicast packets and sometimes it didn’t when each packet had the exact same source/dest IP and source/dest port?
Some multicast traffic is allowed but other packets are denied. We need to understand why there is a difference.
In this case some multicast traffic was allowed by a policy that was not configured to allow multicast traffic. But other multicast traffic didn’t match the policy so it was evaluated by the remaining policies and dropped becuase there were not policies to allow that multicast traffic. For both groups the IP source and destination addresses and ports were identical.
All of the multicast packets should have been denied. can some one explain why a different policy matched the multicast and permitted it.
... View more
11-02-2012
06:56 AM
Thanks for the info - I will be having someone at the local site swap the crossover cable on the dataplane interface I configured for HA to see if it's the cable.... and if not working I will just use the mgt interface per your config. Thanks, - Dave
... View more
11-01-2012
01:58 PM
Thanks Renato, that is helpful. I have tried your configuration and it is working. But are you saying that I can't utilize a dataplane interface for HA1 on the PA-200? Or just that I don't have to? Obviously it's nice to save the physical dataplane interfaces if I can as PA-200 only has 4 of them...But on the other hand, it would also be nice to have an HA1 primary and HA1 backup like I do for full HA configurations...for purposes of HA control link resiliency. Note the comment by "npare" to this document seems to indicate that you can use a dataplane interface for HA1 primary: But if I can only use the management interface for HA1, what happens when mgt interface of primary goes down....obviously a failover should happen there. But how will upstream/downstream gateways learn the MAC address of the new node? Thanks for clarifying, - Dave
... View more
11-01-2012
08:13 AM
1 Kudo
Hi All, Trying to configure a pair of PA-200's as an active-passive cluster using "HA lite". Right now both devices are showing active, so it seems the nodes do not see each other as cluster members. I have defined one HA link on both firewalls, ethernet1/2...they are connected together via a cross-over cable and both interfaces are showing UP.. I realize that state synchronization is not possible with one HA link, but just looking for config sync. When I do a "show high-availability state" from CLI, I get: Peer Information: Connection status: down Connection down reason: Never able to connect to peer I have tried to suspend the device with the worse priority...and then make it functional again (hoping it goes into passive state)..but it only goes right back to active. Note I am running 4.1.8 code here. I have also found a doc that indicates the MGT port is used for HA1 with an HA-lite configuration. Is that true? If so, does that mean I don't need the cross-over on ethernet1/2? Note when I ping the peer HA1 IP address (from either firewall) I simply get back an ICMP "Destination host unreachable" .... I am sure this is a problem! Below are my configs for this...perhaps I have something missing? Grateful if anyone with this knowledge and experience on HA lite would take a look for me....thanks in advance. Node 1: set deviceconfig high-availability group 1 mode active-passive passive-link-state auto set deviceconfig high-availability group 1 mode active-passive monitor-fail-hold-down-time 1 set deviceconfig high-availability group 1 configuration-synchronization enabled yes set deviceconfig high-availability group 1 peer-ip 192.168.201.2 set deviceconfig high-availability group 1 election-option device-priority 95 set deviceconfig high-availability group 1 election-option heartbeat-backup yes set deviceconfig high-availability group 1 election-option preemptive no set deviceconfig high-availability group 1 election-option promotion-hold-time 2000 set deviceconfig high-availability group 1 election-option hello-interval 8000 set deviceconfig high-availability group 1 election-option heartbeat-interval 1000 set deviceconfig high-availability group 1 election-option flap-max 3 set deviceconfig high-availability group 1 election-option preemption-hold-time 1 set deviceconfig high-availability group 1 election-option monitor-fail-hold-up-time 0 set deviceconfig high-availability group 1 election-option additional-master-hold-up-time 500 set deviceconfig high-availability interface ha1 encryption enabled no set deviceconfig high-availability interface ha1 monitor-hold-time 3000 set deviceconfig high-availability interface ha1 ip-address 192.168.201.1 set deviceconfig high-availability interface ha1 netmask 255.255.255.0 set deviceconfig high-availability interface ha1 port ethernet1/2 set deviceconfig high-availability interface ha1-backup set deviceconfig high-availability enabled yes Node 2: set deviceconfig high-availability group 1 peer-ip 192.168.201.1 set deviceconfig high-availability group 1 configuration-synchronization enabled yes set deviceconfig high-availability group 1 mode active-passive passive-link-state auto set deviceconfig high-availability group 1 mode active-passive monitor-fail-hold-down-time 1 set deviceconfig high-availability group 1 election-option device-priority 100 set deviceconfig high-availability group 1 election-option heartbeat-backup yes set deviceconfig high-availability group 1 election-option preemptive no set deviceconfig high-availability group 1 election-option promotion-hold-time 2000 set deviceconfig high-availability group 1 election-option hello-interval 8000 set deviceconfig high-availability group 1 election-option heartbeat-interval 1000 set deviceconfig high-availability group 1 election-option flap-max 3 set deviceconfig high-availability group 1 election-option preemption-hold-time 1 set deviceconfig high-availability group 1 election-option monitor-fail-hold-up-time 0 set deviceconfig high-availability group 1 election-option additional-master-hold-up-time 500 set deviceconfig high-availability enabled yes set deviceconfig high-availability interface ha1 encryption enabled no set deviceconfig high-availability interface ha1 monitor-hold-time 3000 set deviceconfig high-availability interface ha1 ip-address 192.168.201.2 set deviceconfig high-availability interface ha1 netmask 255.255.255.0 set deviceconfig high-availability interface ha1 port ethernet1/2 set deviceconfig high-availability interface ha1-backup -- Thanks and regards, - Dave
... View more
- Tags:
- high_availablitly
Labels:
- Labels:
-
Troubleshooting
10-24-2012
02:04 PM
This is definitely not ideal...it would be quite useful to have this feature implemented as it is especially helpful for troubleshooting situations. But thanks for your answer just the same... Regards, - Dave
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
10-31-2022
09:03 AM
|
Latest Tags
No tags yet
LEGAL NOTICES
Copyright 2007 - 2023 - Palo Alto Networks