Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Get Started
- News & Events
- Collaboration
- Education Services
- Technologies
- Next-Generation Firewall
- GlobalProtect
- Threat Prevention Services
- Endpoint Protection
- SSL Decryption
- 5G
- IoT Security
- Prisma SD-WAN
Network Security
- Prisma Access
- Prisma SaaS
- Prisma Cloud
- CN-Series
- VM-Series:
- Alibaba
- AWS
- GCP
- Azure
Cloud Security
- Cortex XDR
- Cortex XSOAR
- Cortex Data Lake
Security Operations
- Resources
- COVID-19 Response Center
- LIVEcommunity
- ›
- About rahmant
About rahmant
Announcements
Changes to the LIVEcommunity experience are coming soon... Here's what you need to know.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
08-18-2015
24Posts
1Like
1Solution
Aug 18, 2015Last Visited
User
Activity
User
Profile
Latest posts by rahmant
| Subject | Views | Posted |
|---|---|---|
| 519 | 12-19-2012 10:24 AM | |
| 600 | 06-14-2012 05:40 AM | |
| 757 | 06-13-2012 12:16 PM | |
| 712 | 05-23-2012 01:58 AM | |
| 8499 | 05-04-2012 12:37 PM |
My Liked Posts
| Subject | Likes | Posted |
|---|---|---|
| 1 | 11-24-2010 03:53 AM |
User Badges
Public Statistics
| Date Registered | 09-23-2009 07:21 AM |
| Date Last Visited | 08-18-2015 09:06 AM |
| Total Messages Posted | 24 |
| Total Likes Received | 1 |
12-19-2012
10:24 AM
As mentioned in my earlier post, you can try to tweak the timer values to lessen the impact on your WAN links. What we saw was a huge burst of activity when a DC is first integrated with the UIA. Once the initial burst is complete (depending on how large your DC logs are), then the queries pared down to a steady background chatter. We found the two minute interval to be acceptable but YMMV. Tariq
... View more
06-13-2012
12:16 PM
I've been able to configure packet captures with single IP src/dst definitions. Is there a way to set up a capture using "any" as a destination or source? Thanks, Tariq
... View more
05-23-2012
01:58 AM
Perhaps you can check for a duplex mismatch on the mgmt port? I remember on the PA-2000 series, there were some issues with link negotiation when plugged into Cisco switches.
... View more
05-04-2012
12:37 PM
I've used a slightly different procedure for genning/signing internal certs via my internal MS CA for installation within my PA units. PA has the following doc: https://live.paloaltonetworks.com/docs/DOC-1246 which references this verisign doc: https://knowledge.verisign.com/support/ssl-certificates-support/index?page=content&id=AR198 The procedure involves the use of the openssl tool for genning a key/CSR. Once that's complete, take the CSR and sign it using the MS CA. Using web certificate services on my CA, I can download the signed certificate (using the std web server template) from the CA as a base64 encoded *.cer file. With that in hand, I've been able to import the cert and key into my PA units. I did the original procedure for 3.1.6, but it's worked for 4.0.x as well as 4.1.x (though the interface for importing the certs has changed slightly through the different revisions). You'd also likely need to import the CA certs into the PA units for the validation to work properly. Tariq
... View more
02-20-2011
07:37 AM
We got bitten by this as we have DC's scattered throughout our network. We have three Internet gateway points with PA's installed and three UIA's, one local to each gateway. Each then queries the DC's for it's respective zone (Americas, EMEA, AsiaPac) to get a polling of user-to-IP mappings for each respective region. We needed to tweak the timers on the UIA to stop hammering our WAN links as a result of this design. We get a bit of lag in our mapping results (we only poll the DC's every two minutes), but that was acceptable to us so as to reduce the bandwidth utilization on the network. Tariq
... View more
01-26-2011
12:40 PM
For followup, I have three PA units distributed globally (NJ - 2x2050's, Rotterdam - 1x500 and Singapore - 1x500) and all are being centrally managed by Panorama. Pushes do take a bit of time to process (when don't they ), but still usable. I haven't run into any connectivity problems where the connections would fail or anything (at least not yet). Tariq
... View more
01-26-2011
12:38 PM
I've seen this with many types of VPN interactions. With a traditional Cisco remote access VPN installation, the typical process has the MTU of the client device's NIC set to 1300 bytes. This typically resolves the fragmentation issue. Tariq
... View more
12-17-2010
03:40 AM
Where did you run the capture? There's a bit of a disconnect - you likely could not have gotten the captive portal window unless the redirect was seen on the client. From the capture, what do you see? Tariq
... View more
11-24-2010
03:53 AM
1 Kudo
-) Is the agent service started? -) Check the logs on the agent host for errors -) Do a "check/display" users within the agent interface to see all the user's that the agent has identified -) Make sure you're filtering the appropriate AD groups if needed -) Check the logs on your PA unit and make sure that it is "connected" to the agent -) How long has the agent been running? From my own experience, it does take some time for it to parse the DC logs and scan for logged in users. -) How many DC's are in your network? Do you have all the DC's coded by IP in the agent config to be scanned? Tariq
... View more
11-23-2010
12:26 PM
I've run into issues with using local groups in PA rules. Individual local users work fine, but when trying to use locally defined groups, I've run into problems. I'll try to open a case with support to get it checked out. Tariq
... View more
11-15-2010
09:51 AM
Just for warning, you should probably check with support before modifying anything We had to modify the security log timers from 1 sec to 120 secs, as the agent was bombarding our WAN connections with query traffic. Tariq
... View more
11-15-2010
06:59 AM
Grrrr - it's always the stupid stuff that gets me. Believe it or not, I think that all that was needed was a forced policy push after the certificate addition to do the trick. I was assuming that since the certificate add didn't trigger a commit, that it was accepting it without issue. I deleted the old cert entry, readded the intermediate CA cert to the client cert and readded it to the PA unit. This time, I forced a policy push by making + backing out a change so that I could force a commit. That seems to have done the trick. Tariq
... View more
11-12-2010
01:11 PM
Just bought a cert from Thawte and am trying to make use of it for captive portal redirects. I've run into an issue in that, while the unit can import the host certificate fine, none of the captive portal client's recognize it as it's been signed by one of Thawte's new Intermediate CA's. I read a technote in the discussion area that someone was able to bundle their Intermediate CA cert(s) into their original host cert just by copying/pasting the PEM text for the CA certs to the bottom of their host cert PEM file. I've tried this and while the cert with the CA data appended imports fine, the clients still doesn't recognize/see the Intermediate CA's when presented with the host certificate. Anyone else run into this? If so, any suggestions? I've also opened a ticket with support at the same time. Thanks, Tariq
... View more
11-01-2010
05:28 PM
Are you decrypting the Gmail session so that the PA unit can actually see the upload? Tariq
... View more
Latest Blogs
Latest Posts
Copyright 2007 - 2021 - Palo Alto Networks
