Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Live
- ›
- About rahmant
About rahmant
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
12-19-2012
10:24 AM
As mentioned in my earlier post, you can try to tweak the timer values to lessen the impact on your WAN links. What we saw was a huge burst of activity when a DC is first integrated with the UIA. Once the initial burst is complete (depending on how large your DC logs are), then the queries pared down to a steady background chatter. We found the two minute interval to be acceptable but YMMV. Tariq
... View more
06-13-2012
12:16 PM
I've been able to configure packet captures with single IP src/dst definitions. Is there a way to set up a capture using "any" as a destination or source? Thanks, Tariq
... View more
05-23-2012
01:58 AM
Perhaps you can check for a duplex mismatch on the mgmt port? I remember on the PA-2000 series, there were some issues with link negotiation when plugged into Cisco switches.
... View more
05-04-2012
12:37 PM
I've used a slightly different procedure for genning/signing internal certs via my internal MS CA for installation within my PA units. PA has the following doc: https://live.paloaltonetworks.com/docs/DOC-1246 which references this verisign doc: https://knowledge.verisign.com/support/ssl-certificates-support/index?page=content&id=AR198 The procedure involves the use of the openssl tool for genning a key/CSR. Once that's complete, take the CSR and sign it using the MS CA. Using web certificate services on my CA, I can download the signed certificate (using the std web server template) from the CA as a base64 encoded *.cer file. With that in hand, I've been able to import the cert and key into my PA units. I did the original procedure for 3.1.6, but it's worked for 4.0.x as well as 4.1.x (though the interface for importing the certs has changed slightly through the different revisions). You'd also likely need to import the CA certs into the PA units for the validation to work properly. Tariq
... View more
02-20-2011
07:37 AM
We got bitten by this as we have DC's scattered throughout our network. We have three Internet gateway points with PA's installed and three UIA's, one local to each gateway. Each then queries the DC's for it's respective zone (Americas, EMEA, AsiaPac) to get a polling of user-to-IP mappings for each respective region. We needed to tweak the timers on the UIA to stop hammering our WAN links as a result of this design. We get a bit of lag in our mapping results (we only poll the DC's every two minutes), but that was acceptable to us so as to reduce the bandwidth utilization on the network. Tariq
... View more
01-26-2011
12:40 PM
For followup, I have three PA units distributed globally (NJ - 2x2050's, Rotterdam - 1x500 and Singapore - 1x500) and all are being centrally managed by Panorama. Pushes do take a bit of time to process (when don't they ), but still usable. I haven't run into any connectivity problems where the connections would fail or anything (at least not yet). Tariq
... View more
01-26-2011
12:38 PM
I've seen this with many types of VPN interactions. With a traditional Cisco remote access VPN installation, the typical process has the MTU of the client device's NIC set to 1300 bytes. This typically resolves the fragmentation issue. Tariq
... View more
12-17-2010
03:40 AM
Where did you run the capture? There's a bit of a disconnect - you likely could not have gotten the captive portal window unless the redirect was seen on the client. From the capture, what do you see? Tariq
... View more
11-24-2010
03:53 AM
1 Kudo
-) Is the agent service started? -) Check the logs on the agent host for errors -) Do a "check/display" users within the agent interface to see all the user's that the agent has identified -) Make sure you're filtering the appropriate AD groups if needed -) Check the logs on your PA unit and make sure that it is "connected" to the agent -) How long has the agent been running? From my own experience, it does take some time for it to parse the DC logs and scan for logged in users. -) How many DC's are in your network? Do you have all the DC's coded by IP in the agent config to be scanned? Tariq
... View more
11-23-2010
12:26 PM
I've run into issues with using local groups in PA rules. Individual local users work fine, but when trying to use locally defined groups, I've run into problems. I'll try to open a case with support to get it checked out. Tariq
... View more
11-15-2010
09:51 AM
Just for warning, you should probably check with support before modifying anything We had to modify the security log timers from 1 sec to 120 secs, as the agent was bombarding our WAN connections with query traffic. Tariq
... View more
11-15-2010
06:59 AM
Grrrr - it's always the stupid stuff that gets me. Believe it or not, I think that all that was needed was a forced policy push after the certificate addition to do the trick. I was assuming that since the certificate add didn't trigger a commit, that it was accepting it without issue. I deleted the old cert entry, readded the intermediate CA cert to the client cert and readded it to the PA unit. This time, I forced a policy push by making + backing out a change so that I could force a commit. That seems to have done the trick. Tariq
... View more
11-12-2010
01:11 PM
Just bought a cert from Thawte and am trying to make use of it for captive portal redirects. I've run into an issue in that, while the unit can import the host certificate fine, none of the captive portal client's recognize it as it's been signed by one of Thawte's new Intermediate CA's. I read a technote in the discussion area that someone was able to bundle their Intermediate CA cert(s) into their original host cert just by copying/pasting the PEM text for the CA certs to the bottom of their host cert PEM file. I've tried this and while the cert with the CA data appended imports fine, the clients still doesn't recognize/see the Intermediate CA's when presented with the host certificate. Anyone else run into this? If so, any suggestions? I've also opened a ticket with support at the same time. Thanks, Tariq
... View more
11-01-2010
05:28 PM
Are you decrypting the Gmail session so that the PA unit can actually see the upload? Tariq
... View more
10-29-2010
10:54 AM
Is there any preferred setting for the SCSI controller option when configuring the Panorama VM in ESX 4.0? There seem to be two options - Buslogic Parallel or LSI Logic Parallel. Thanks, Tariq
... View more
10-13-2010
01:31 PM
In the URL filtering configuration, there is an option to allow for an override such that a user can type in a password to override a blocked website and gain temporary access to the site. Is there a similar function available for applications? For example, I only want to allow a select number of users to access facebook. -) I have an outbound application policy that permits access to web-browsing, but not social-networking -) I have a custom URL filtering policy that selectively allows override access to our blocked categories a defined subset of AD users When these users get to facebook, they get the "Application Blocked" page, not the "Web Page Blocked" page and they're dead-in-the-water. I'd rather not start allowing the facebook apps, only to rely on the URL filtering component to restrict/grant access instead. Is there any way to have the Application Blocked page request a password override? Thanks, Tariq
... View more
10-08-2010
12:57 PM
PA500, test unit running PANOS 3.1.4 When I enter a local user via the GUI, the corresponding XML in the configuration file is as follows: <shared> <local-user-database> <user> <entry name="testuser"> <phash>$hashvalue$</phash> </entry> </user> ... I can add the username without issue, but is there a way to enter in the password directly? Or do I have to hash it manually and then add the hash value via the CLI? Which hash is used? I tried running Hashcalc against the above testuser's original password, but came up mismatched against the listed <phash> value in the config using some of the common hashes (MD5, SHA1, SHA256, etc.) Any thoughts? Tariq
... View more
09-28-2010
09:30 AM
Can you try adding the user directly to the allowlist instead of using the group? Not permanently, but just to ensure that the general mapping is working. If that works, then it's something to do with group enumeration. Tariq
... View more
09-28-2010
09:22 AM
Sorry - the desired redirected URL is: https:// <firewall int IP>/xxx where the URL is SSL/TLS encrypted Tariq
... View more
09-28-2010
09:21 AM
Is there any way to change the default ports used by a redirected Captive Portal? In my test environment, the users are redirected to the firewall interface, but on port 6082. I'd like to have it redirect back to the std SSL port instead. So instead of: https:// <firewall int IP>:6082/xxx just: http:// <firewall int IP>/xxx Thanks, Tariq
... View more
09-11-2010
02:59 AM
Doesn't the URL Override redirect feature resolve this issue? If you redirect to an interface IP or a DN that maps to an interface IP on the firewall and ensure that you're presenting an internally valid certificate, then the users shouldn't get any certificate errors. Just got this working in my test environment a couple of days ago mysefl (running 3.1.4). If I remember correctly, generate the cert 1st in the SSL VPN area of the certificates left hand link on the Device tab. Once a cert has been applied, then go to the Setup left hand link of the Device tab and there should be a URL Override area on that page. If you edit that area, you should be able to configure the specifics of the Override feature, including the Override type (redirect/transparent). Set it to redirect, select the newly created certificate that should be present and then enter the DN that maps to proper IP address of the firewall. Commit and you should be good. Now when the user tries to access a URL that falls within an override set category, their browser should be redirected via HTTPS to the DN, which should be mapped to the firewall. If the cert is trusted, you should be set - no certificate warnings (assuming your cert was signed by a trusted authority). Tariq
... View more
02-01-2010
01:57 PM
Is there a procedure listing for the setup of a isolated PA unit where the appliance will not initially have access to the Internet to download software/firmware updates? I'd like to have a process to get the unit initially installed and configured using a PA software revision that is manually installed instead of being pulled down from the Internet. Thanks, Tariq
... View more
08-18-2015
24Posts
1Like
1Solution
Aug 18, 2015Last Visited
User
Activity
User
Profile
Latest posts by rahmant
| Subject | Views | Posted |
|---|---|---|
| 262 | 12-19-2012 10:24 AM | |
| 271 | 06-14-2012 05:40 AM | |
| 428 | 06-13-2012 12:16 PM | |
| 274 | 05-23-2012 01:58 AM | |
| 813 | 05-04-2012 12:37 PM |
My Liked Posts
| Subject | Likes | Posted |
|---|---|---|
| 1 | 11-24-2010 03:53 AM |
User Badges
Public Statistics
| Date Registered | 09-23-2009 07:21 AM |
| Date Last Visited | 08-18-2015 09:06 AM |
| Total Messages Posted | 24 |
| Total Likes Received | 1 |
Latest Blogs
Latest Posts
Copyright 2007 - 2020 - Palo Alto Networks
