This website uses cookies essential to its operation, for analytics, and for personalized content. By continuing to browse this site, you acknowledge the use of cookies.
For details on cookie usage on our site, read our Privacy Policy
For details on cookie usage on our site, read our Privacy Policy
About Zewwy
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- LIVEcommunity
- About Zewwy
02-08-2023
36Posts
4Likes
1Solution
Feb 08, 2023Last Visited
User
Activity
User
Profile
Latest posts by Zewwy
| Subject | Views | Posted |
|---|---|---|
| 1677 | 07-14-2016 12:33 PM | |
| 1690 | 07-13-2016 11:46 AM | |
| 3502 | 07-13-2016 11:31 AM | |
| 992 | 06-24-2016 10:59 AM | |
| 9902 | 05-03-2016 07:14 AM | |
| 9944 | 03-11-2016 10:39 AM | |
| 10063 | 03-07-2016 12:04 PM | |
| 1264 | 03-07-2016 11:50 AM | |
| 1278 | 01-06-2016 09:05 AM | |
| 3194 | 10-26-2015 08:52 AM |
My Liked Posts
| Subject | Likes | Posted |
|---|---|---|
| 1 Like | 12-11-2014 02:05 PM | |
| 2 Likes | 10-15-2014 11:20 AM | |
| 1 Like | 03-20-2014 08:06 AM |
Posts I Liked
| Subject | Likes | Author | Latest Post |
|---|---|---|---|
| 2 Likes |
User Badges
Community Statistics
| Member Since | 03-20-2014 07:52 AM |
| Date Last Visited | 02-08-2023 01:58 PM |
| Posts | 36 |
| Total Likes Received | 4 |
07-14-2016
12:33 PM
Correct I've talked to my other buddy who works for a said network company, who only deploys PA firewalls. And that is normal. However even after talking with this high tiered person neither one of us could find out why this is the case. We even looked at my SPF rules in case they might be routing traffic oddly but non of my SPF rules are set for my public IP that the GP interface is set for. They are for sub networks in the same subnet but have dedicated NAT and SPF rules. These did not seem to be the reason. The oddest part is how intermittent this one gateway is vs the other with pretty much the same settings. I can't think of anything in particular that I might have changed network wise (VRouters, static routes, or zones) that would make it not work. To top it off as I mentioned anyone connected to either Portal/Gateway using the GP app on their laptops works perfectly fine (unless they happen to connect to a private network with the exact same internal subnet as my own) but that rarely happens. We event looked at my phones internal IP from my cell network instead of the NATed IP I'd be looking for on my firewall, and sure enough they didn't overlap (which would fail to connect no matter which portal/gateway I specify) So sadly again tats not the case. To top it off when I check my active sessions when I attempt to connect to the non-working gateway all sessions show exactly the same and active as the working gateway. So I know my firewall isn't blocking anything. (I even did a packet capture and see all the IKE and EAS packets to/from going through perfectly fine. This makes me feel like there most be som kind of bug going on.... At least it working on one gateway is better than no gateways. But the task of actually figuring whats going on and causing the failure is boggling my mind!
... View more
07-13-2016
11:46 AM
A couple months ago I noticed my VPN on my phone stopeed working. I was originally using CM 12.1 but have since moved to mashmellow touchwiz for my Galaxy S5. Def not phone related as the issue remains, and is the same no matter what phone or OS versino being used and I'll provide some infra info before decussing the issue. I have two ISP, configured GP Portal and Gateway, using their own certs and SSL/TLS profile per gateway/portal. I already discovered that internal host detection is based on having the always on mode vs on-demand. and All users connecting to either portal using GlobalPrtotect on their laptops works perfectly fine. Running PAN OS 7.0.8. The Issue. When I connect to my gateway internally it says it connects perfectly fine. (I have a no NAT rule configured to reach the gateway as normally usering hitting the internet will be NATed to said gateway IP.) If I attempt to connect to teh same gateway via LTE/4G after disabling my WiFi (internal Connection) the VPN connectino will establish perfectly fine. If I choose to connect to another WiFi, giving me a new public IP that I will be comming in from, the VPN connection attempts to connect and simply fails. I attempted the same thing on my other portal, and at first showed signs of the same issue. After playing around a bit more (changing networks not making firewall changes) it seems my secondary gateway our phones connect perfectly fine. Even after changing from cell network to wifi. I decided to look at any differences bewteen them. I couldn't find a single thing. besides them having dedicated tunnel interfaces and seperate subnet for users, but those are suppose to be diffferent per design. I can't see anything that other wise is different. I can't put a finger on this after all the things I could possibly think of to test. The only thing I noticed was I accedently name my gateway for my secondary ISP the same name as my portal and that the cert was checked off as a CA (which isn't techincally correct, that was my mistake, but it still clealry works. Can't see this being the reason as, as i mentioend, VPN on the first portal works fine interanlly, and one instance on the cell network after the fact. but not after changing networks. Anyone having any idea at all what might be the case? I also decided to check the firewall for all active sessions, and did notice that sessions remain "active" after disconnecting my VPN. Is this normal?
... View more
07-13-2016
11:31 AM
I'd presume if you had said ports in layer 2 mode set with a sepcific vlan then they should all be within the same subnet, using the same DHCP pool?
... View more
06-24-2016
10:59 AM
Hey, So recently my XAuth RSA connection to my Global Protect via my Android phone stopped working. I've already read the fourm post about Version 7.1.1 but I have not updated to that version yet and am still on 7.0.6. I haven't made any changes (at least non I could think of that would have affected this). Users connecting via the global protect app still works perfectly fine. In my system logs I can see the phase one IKE completely successfully from the public IP of my android device however on the device it just sits there "connecting" then fails to connect. This started happening before I even moved to stock Marshmellow Touchwiz by Samsung, ( I was previously running Cyanogen Mod 12 (nightlies)). If anyone could provide some troubleshooting steps that I could to help pinpoint the cause of it failing would be great. Thank you.
... View more
05-03-2016
07:14 AM
Hey Gerardo,
Thanks so much for the suggestion. I was working with a PAN tech on the case (tier one) so had to argue about a couple things he wasn't understanding about the device, haha.
We tried you answer on my own account by me changing my AD user membership, and then re-newing the PAN's user mappings, and then I found I had to create a new profile (I'm sure possibly a uninstall, or even a registry edit could have resolved it but I didn't know exactly what to look for so I simply re-created my profile) before it would change from on-demnd mode to user-logon. I asked the tech for any documentation that would state why this is.
I can understand as since it's on-Demand that the user wouldn't normally connect internally, but then whats the point of teh internal host detection being available for edit when the type is set to on-demand. Seems like a UI bug or something that was merely overlooked and was just never thought of and conisdered as-is.
Thanks for your answer.
One last thing I noticed when I was testing and that was that the user cert I install on users system that goes into their personal certificate store of the user, when I created a new user an AD and logged into that user on a system I had installed the cert for another user, taht cert is already in the new users certificate store... I found this baffeling. The other weird part is when I removed my profile to fix the on-demand problem I noticed it removed my certificate from the store, more along the lines to be expected with a profile wipe.
... View more
03-11-2016
10:39 AM
Hey,
Thanks for the reply. I did the following.
I cleared the PanGPS.log file. I connected via the ISP 1 portal, and sure enough I get DNSQuery response 0
As it should be. I clear the log by renaming it.
I change my portal address on my GlobalProtect, connects sayign externally. I then check the PANGPS.log and I don't find a single DnsQuery line in the log at all, as if it's not even trying to do internal host detection.
Thoughts?
... View more
03-07-2016
12:04 PM
To start off...
I have already read this.
https://live.paloaltonetworks.com/t5/Management-Articles/GlobalProtect-not-Detecting-Internal-Network-with-Internal-Host/ta-p/53681
I'll start off with the whole story. We have 2 ISP's, setup to our PA-500's using 2 VR's. One was setup for the DMZ Zone, with it's default out ISP 1. The Second VR was users internet, with the deafult route out ISP 2.
Initially GP was set up on ISP 1. Thus when users attempted to connect their sesssion would be NATed out ISP 2 back into ISP 1, with internal host detection working a treat and showed the little house on the GP sys tray icon.
My goal was to move all my services over to ISP 2. Turns out I couldn't just copy the existing NAT rules since the DMZ default route was out ISP 1, and any connection attempts would fail to due an incomplete hand shake. Welcome Symmetric Return !
So I got all my services to work with either external IP association. I then go to move our VPN to the shaw side using both proper DNS lookup for the portal/gateway and our own internal PKI. I fought tooth n nail and got the internal PKI setup workign just the way I want it to. Externally wokring a treat, so I attempt to connect internally, to my dismay I couldn't reach the external portal from inside the network. Checking my monitor Tab on the PA's I see no blocked traffic, I now it was getting droped somewhere in the PA, so i do a packet capture. Low and behold, my packets are geting dropped.
After talking to my uber smart network engineer, we had two options (NoNAT to my ISP 2 pub IP, or do a UTurn NAT to my ISP pub IP)
After making this config, I could ping and access the web portal no prob! YAY!
And finally to the point of this post, everything works now except internal host detection. and it's driving me up the wall, everything I read on it and how I know my configs are it should just work at this point. But it keeps connecting my client to the VPN DHCP pool and saying its connected and I can see the traffic on teh client system. Even though it's internally connected, (I can ping and resolve the internal host detection stuff from the client system perfectly fine)
to make it even weirder, When I change my portal IP to the ISP 1, internal host dtecttion works a treat change it back to ISP 2, and interanal host detection fails.
same internal host detection settings on both portal/user configs, same internal network.
Thoughts? I'm bashing my head on this one...
... View more
03-07-2016
11:50 AM
A very smart network engineer I know informed me this is due to the way google changed the way their email system worked, and is caused when users who particularly use gmail with multiple folders will cause this Threat to be triggered.
He provided one of two options to help correct it.
1) get my colleague to clean up his gmail. reduce folder, etc (not likly to happen)
2) adjust the profile monitor and change it so that particular vulnerability isn't alerted on, this leave it open to exploitation.
Both options are not great, thus at this point I'll simply have to ingore in.. *Sticks head in the sand*
Thanks for all the replies *Cough none*
... View more
01-06-2016
09:05 AM
I know this was kind of asked here, and I was wondering if the best option would be to create a rule like the one mentioned in this post..
https://live.paloaltonetworks.com/t5/General-Topics/SMTP-long-MAIL-anomaly-Vulnerability-30392/m-p/2327#M1718
Since I am getting these almost everyday, and they seem to be always from one user account, and they happen to use gmail.
I also use gmail but I never seem to see my account as the "attacker" which I'm not sure why his account keep showing up as the attacker.
Should I just create the block rule and see if his email still works? He says he uses teh Windows Mail app with all gmail accounts.
... View more
10-26-2015
08:52 AM
Thanks for the response!
I wasn't sure if it was goign to be possible, but thats pretty awesome using NAT over IPsec with OSPF.
One question as the documentation isn't fully clear on. Do I have to have a tunnel subnet equal to the network I need to tranverse the tunnel? in this case /24 or can I still have just a point to point subnet /30 for my tunnel?
... View more
10-23-2015
09:50 AM
Is this even possible, or am I crazy
... View more
05-11-2015
07:29 AM
I appreciate the help. But that's the thing there is no file name referenced in the supplied Picture, or in the ACC. So That's why I posted here to kind of get an idea of what I am really being protected from and how I can better track it down. I do know who's machine it originated from, and it was one of my play around laptops. The one I install applications I don't' like on my actual workstation (iTunes, Samsung Kies, etc)
... View more
05-08-2015
11:37 AM
Thanks for the helpful reply. You mentioned "Generally if it's listed as "generic", it's one of many, many files that behave maliciously but don't stand out as something that has a unique name" Does this mean I have a file on my machine that would match the SHA-256 / MD5 signatures? and if so How would I go about removing it?
... View more
05-08-2015
09:15 AM
Do you have multiple Agent Configurations setup on your Portal settings? if yes, ensure that your account is a member of only one of them.to We use AD groups to tell which users are "On-Demand" vs Auto connect, and its pretty straight forward and working without issue for me. If you are using MS AD Groups ensure your account is getting the proper SID for that group.
... View more
05-08-2015
08:46 AM
Hey all, Love Palo Alto Networks!! Wooo! Anyway, just wanted to know something, when I go into ACC (Application Command Center) under Threat Protection... and I get something like this... Nice to know I was protect from a possible Virus, but what is Win32.Generic.deaep? Google doesn't show anything... all the links are pretty much useless as all they do is append what you clicked into the filter on the top, giving you the exact same page.. I'd like to know things like when did this come in? (I can only figure out based on going from 30 days back, to 7 days back and that's about it) What packets were blocked, used to discover this? What was the attacking vector? (Web, Flash, local Windows Process, etc) Then at least I can figure out how the virus almost made it in and stop the source. (Sadly these were blocked and the "attack victim" was me :S)
... View more
Labels:
- Labels:
-
Configuration
-
Management
LEGAL NOTICES
Copyright 2007 - 2023 - Palo Alto Networks