About drewdown

drewdown

drewdown

Ok so even if I have static routes for the AWS subnets pointing to tunnel-A and PBF failing over to tunnel-B it should work? Basically I want all traffic to traverse tunnel-A and when that goes down switch over to tunnel-B. Not worried about the AWS side, just the right configuration on the PAN side.

drewdown

Anyone run into this before? I have 2 x AWS tunnels (No BGP) and I want failover to occur and I want to backhaul internet traffic from AWS out through the PAN. I have connectivity between AWS and on-prem with no static routes configured. However, if I try to backhaul internet traffic from AWS across the s2s vpn tunnel (attached to TGW) it fails. The only way I can get it to work is by adding a static route back to the AWS subnets in my VR. But in doing so that won't allow the traffic to failover via PBF as far as I know. Is that right and if not can someone explain how the correct way to make this work? Note I use PBF for dual ISP failover to the internet and am wondering if its in the same vein? IE a static route to the backup path and PBF for the primary? So what I am wondering do I need static routes configured in my VR? And if I do does PBF still trump the routing table?

drewdown

I figured this out. Co-worker had enabled PBR for ISP failover but did not include the cloud ip ranges in the destination IP ranges on that PBR rule so it was routing all of that out to the internet vs the core.

drewdown

I have a weird issue with a LAB interface/zone that when packets to a cloud IP that is reachable via the core it routes it to the internet vs the core. All other traffic is routed correctly but not this and I can't seem to figure out why. 10.100.2.1 is my core, 10.100.99.1 is the lab interface on the PAN which is part of VR1 (only virtual router configured). You can see in the trace it goes from the lab interface to the WAN/outside rather than the core even with a route configured. If I ping 172.24.4.76 from the FW using 10.100.99.1 as the source IP it works. What could be causing this? src: 10.49.1.62 dst: 172.24.4.76 VIRTUAL ROUTER: VR1 (id 1) ========== destination nexthop metric flags age interface next-AS 172.24.4.0/24 10.100.2.1 10 A S ae2 traceroute 172.24.4.76 traceroute to 172.24.4.76 (172.24.4.76), 30 hops max, 40 byte packets 1 10.49.1.1 (10.49.1.1) 0.950 ms 0.536 ms 0.565 ms 2 10.255.49.1 (10.255.49.1) 0.407 ms 0.783 ms 2.171 ms 3 10.100.99.1 (10.100.99.1) 0.542 ms 3.915 ms 2.626 ms 4 12.13.99.161 (12.13.99.161) 1.371 ms 3.335 ms 0.648 ms

drewdown · ‎02-18-2021

No because I wanted to get SAML working first but DUO MFA is on the roadmap once we got SAML working. Either way it shouldn't matter what number of authentication methods I choose it should still log me into the panorama. Whether I am using, local, LDAP, OKTA, SAML is irrelevant as those are simply authentication methods. LDAP and local works, SAML does not.

drewdown · ‎02-17-2021

I see the redirect page, I login using my SAML u/p and then it redirects me back to the panorama login screen. I have done all those commands and have a case open with support who were less than helpful so I figured I would ask here. For instance I test that SAML profile from the CLI and it spits out the test URL: https://<panIP>:443/SAML20/SP/TEST which when pasting into a browser opens up an OKTA authentication window, I login and it says 'signing into the Palo Alto Networks UI' or something along those lines and its back to the login screen. So authentication works it just doesn't work to actually login to panorama. From the logs I see PAN_AUTH_SUCCESS SAML response and redirects but again it just doesn't log me in. I would copy/paste the output but not really sure what is considered sensitive in those logs.

drewdown · ‎02-16-2021

Trying to get this working and I am able to authenticate using OKTA SAML via the button on the login screen but when I do (after entering u/p on the OKTA page) it redirects me back to the Panorama login page. I see PAN_AUTH_SCUESS SAML on the CLI but never an 'auth-sucess' in the GUI (Monitor > Logs ? System) because it never actually logs me in. The only thing I see in the GUI when attempting to login via SAML is a saml_client_redirect for that SAML profile when I attempt to use it. Does anyone have Admin SAML logins to panorama working and if so any idea what is going on here? I dont use GP or captive-portal and I only want this working with admin logins. This is the document I followed: https://saml-doc.okta.com/SAML_Docs/How-to-Configure-SAML-2.0-for-Palo-Alto-Networks-Admin-UI.html

drewdown · ‎02-16-2021

It was a lingering GP profile on Panorama pointing to one of the stack templates for this HA pair. Once I removed it that message went away. And FWIW if you have a management profile on an outisde interface and its locked down to source IPs then non-source IPs wont see that port open whereas they do with a GP profile.

drewdown · ‎02-12-2021

Same issue for me, did you ever figure this out?

drewdown · ‎02-08-2021

I have this odd issue whereas one of HA Pairs seems to be listening on 443 on its outside interface for GP but I don't use GP and never had. I have a interface profile that allows HTTPS but not from any IP and when I disable that it still shows that page. no GP portal configured either. How can I stop it from listening on 443 for any source IP?

drewdown · ‎07-20-2020

I know this, what I was asking is why. Either way one my direct reports figured it out and it had to do with PBR and ISP failover. Once he added the VPN-S2S zone and the remote CIDR to that policy traffic started to flow.

drewdown · ‎07-17-2020

More details...I can ping the AZURE instance from the PAN but not from anything behind the PAN on the LAN: admin@fw3-3020(active)> ping source 10.100.2.5 host 10.113.129.4 PING 10.113.129.4 (10.113.129.4) from 10.195.2.5 : 56(84) bytes of data. 64 bytes from 10.113.129.4: icmp_seq=1 ttl=128 time=11.8 ms 64 bytes from 10.113.129.4: icmp_seq=2 ttl=128 time=11.1 ms 64 bytes from 10.113.129.4: icmp_seq=3 ttl=128 time=11.4 ms 64 bytes from 10.113.129.4: icmp_seq=4 ttl=128 time=11.3 ms

drewdown · ‎07-17-2020

So it looks to be matching the right policy from CLI but the GUI shows the wrong one when filtering by the destination IP within Azure. More importantly its not encrypting any packets towards AZURE and I can't figure that out. admin@fw3-3020(active)> show vpn flow tunnel-id 2 | match bytes encap bytes: 0 decap bytes: 95848 admin@fw3-3020(active)> test security-policy-match source 10.100.1.2 destination 10.113.129.4 protocol 80 "Allow-Azure-Ok; index: 2" { from trust; source 10.100.0.0/16; source-region none; to VPN-S2S; destination 10.113.128.0/20; destination-region none; user any; category any; application/service 0:any/any/any/app-default; action allow; icmp-unreachable: no terminal yes; }

drewdown · ‎07-17-2020

Recent new VPN tunnel is up with Azure. I can see traffic matching zone VPN-S2S > trust but anything from trust > VPN-S2S zone is not matching that specific policy. The oubound traffic is matching the blanket outbound policy and I can't figure out why. Can someone help me figure out what the deal is?

Date Registered	‎08-20-2015 10:23 AM
Date Last Visited	3 weeks ago
Total Messages Posted	117
Total Likes Received	11

Online Status	Offline
Date Last Visited	3 weeks ago

About drewdown

Re: AWS x PAN 2 tunnels PBF backhaul internet static routes?

Re: AWS x PAN 2 tunnels PBF backhaul internet static routes?

AWS x PAN 2 tunnels PBF backhaul internet static routes?

Re: FW routing packets to internet vs internal

FW routing packets to internet vs internal

New minemeld deploy unable to login to GUI

Re: Slow o365 downloads

Re: New minemeld deploy unable to login to GUI

Allowing ms-update on app-default, File blocking PE and therefore no windows updates

Re: How to add feed for github IPs?

Re: Route specific traffic out backup ISP?

Re: Route specific traffic out backup ISP?

Re: Route specific traffic out backup ISP?

Re: Route specific traffic out backup ISP?

Re: AWS x PAN 2 tunnels PBF backhaul internet static routes?

Re: AWS x PAN 2 tunnels PBF backhaul internet static routes?

AWS x PAN 2 tunnels PBF backhaul internet static routes?

Re: FW routing packets to internet vs internal

FW routing packets to internet vs internal

Re: OKTA SAML panorama authentication?

Re: OKTA SAML panorama authentication?

OKTA SAML panorama authentication?

Re: Outside interface listening on HTTPS "502 Bad Gateway"

Re: SAML Immediately logs me off???

Outside interface listening on HTTPS "502 Bad Gateway"

Re: VPN up but traffic not matching outbound policy, inbound policy is work

Re: VPN up but traffic not matching outbound policy, inbound policy is work

Re: VPN up but traffic not matching outbound policy, inbound policy is work

VPN up but traffic not matching outbound policy, inbound policy is working

Network Security

Cloud Security

Security Operations

About drewdown