Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Get Started
- News & Events
- Collaboration
- Education Services
- Technologies
- Next-Generation Firewall
- GlobalProtect
- Threat Prevention Services
- Endpoint Protection
- SSL Decryption
- App-ID
- Content-ID
- User-ID
- 5G
- IoT Security
- Cloud Identity Engine
- Panorama
- AIOps for NGFW
Network Security
- Prisma Access
- Prisma Cloud
- Prisma SD-WAN
- Cloud NGFW for AWS
- CN-Series
- VM-Series:
- Private Cloud
- OCI
- Alibaba
- AWS
- GCP
- Azure
Cloud Security
- Cortex XDR
- Cortex XSOAR
- Cortex Data Lake
- Cortex Xpanse
Security Operations
- Resources
- COVID-19 Response Center
About drewdown
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- LIVEcommunity
- About drewdown
12-09-2021
136Posts
14Likes
7Solutions
Dec 09, 2021Last Visited
User
Activity
User
Profile
Latest posts by drewdown
| Subject | Views | Posted |
|---|---|---|
| 1101 | 11-01-2021 10:08 AM | |
| 1144 | 11-01-2021 05:47 AM | |
| 1318 | 10-29-2021 12:50 PM | |
| 1101 | 09-23-2021 10:00 AM | |
| 1116 | 09-23-2021 09:28 AM |
My Liked Posts
| Subject | Likes | Posted |
|---|---|---|
| 1 Like | 10-29-2021 12:50 PM | |
| 1 Like | 09-23-2021 10:00 AM | |
| 1 Like | 09-22-2021 12:15 PM | |
| 1 Like | 04-20-2018 08:28 AM | |
| 3 Likes | 05-03-2018 09:26 AM |
Posts I Liked
| Subject | Likes | Author | Latest Post |
|---|---|---|---|
| 1 Like | |||
| 1 Like | |||
| 1 Like | |||
| 1 Like | |||
| 1 Like |
User Badges
Community Statistics
| Member Since | 08-20-2015 10:23 AM |
| Date Last Visited | 12-09-2021 09:38 AM |
| Posts | 136 |
| Total Likes Received | 14 |
11-01-2021
10:08 AM
@BPry So the problem is when a user resolves an @github.com address and it returns an IP not in the external dynamic IP list that minemeld is puling from github that traffic gets denied. I just confirmed this, github.com resolves to a 140.82.113.4 but if you look at their list of public IPs that IP is not there: https://api.github.com/meta Granted it says its not a completely accurate list but really defeats the purpose of even publishing it if isn't kept up to date (rant at github). As far as the dynamic address group that would require that A) the address object is there and B) its tagged with the right tag. That doesn't scale well at all and is manual which I am trying to avoid. Just to clarify what you are saying... I can just set the destination as an address object FQDN of github.com and as long as both the client and the PAN are using the same DNS,so they resolve the same IP it should work? I for sure had it set like that prior along with some /24 networks in the destination field and it did not work.
... View more
11-01-2021
05:47 AM
I didn't mean to accept this as a solution but not sure how to undo it. I read somewhere that FQDNs only return 10 IPs? Is there a limitation to doing it this way? I mean if I just put the destination as *.github.com and the applications as github/ssh/ssl/web-browsing that should allow git commands to anything @*.github.com? Sometimes I really despise PAs, like there are so many options and functionality but for something as simple as this there doesn't seem to be any easy solution. Its almost like its too complex in some instances. I forgot to mention I tried using minemeld pulling github public IPs from their website. Hoping this will suffice but either way its a lot of work for such a small task.
... View more
10-29-2021
12:50 PM
1 Kudo
I read some posts here about the best way to allow github to only *.github.com IPs and I can't seem to find an easy way to do it. If I do it this way: Source IP – on-prem networks
Destination - Any
APP ID/Service – github/ssh/ssl/web browsing
URL category - Custom category for *.github.com
Action - Allow That pretty much allows all traffic that matches the APPID/Service which leads me to believe that the firewall isn't looking at at that URL category or the traffic to match against *.github.com. So I then have to put specific github destination IPs to make this work like I want it to. There has got to be an easier way to do this, is there? For reference with just the URL category specified on that rule above: Versus when I have it locked down to giithub destination IPs:
... View more
09-23-2021
10:00 AM
1 Kudo
Hell yeah brother! Another PA article yet giving another way to skin a cat. I will take a look and see if it works better because I absolutely hate PBF with a passion and all the nuances (breaking) that comes along with it. I guess this just goes back to PA articles and so many offering so many different solutions. I mean I do it one way and you do it a completely different way but if I google PA dual ISPs the first link is using PBF. Also PBF monitors the link as well to an external IP it just requires that you have all the networks defined that you want to be applied to that PBF. It then breaks inbound NAT as you can see and causes issue with VPN traffic hairpinning to the internet and to other VPN tunnels.
... View more
09-23-2021
09:28 AM
Pray tell how its handled by routing without running BGP between our multitude of carriers? And what is PBF if not routing? Besides here is one of many PA articles outlining how to configure DUAL ISPs with failover using PBF: https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/policy/policy-based-forwarding/use-case-pbf-for-outbound-access-with-dual-isps
... View more
09-22-2021
12:15 PM
1 Kudo
Do you mean enforce it on the PBF for the dual internet links? PAN documentation is so bad and confusing I am not even sure who they got managing it, a trained monkey?
... View more
09-20-2021
06:13 AM
Having an issue where we implemented PBF for dual ISPs on an HA pair that already had inbound NATs configured. When we did this the inbound NATs broke and I found this article:https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClzeCAC which basically said to remove the interface from the PBF specific route which I did but that made no difference. In the end I had to disable 'Spoofed IP address' from the outside zone protection profile to get it working again. Does anyone know why you can't have PBF, inbound NAT's and spoof protection enabled?
... View more
- Tags:
- Security Policy
08-24-2021
09:14 AM
Are the application timeouts across the board for something like SSH? Meaning for user SSH connections through the PAN and admin SSH connections to the PAN that application controls the timeouts for both?
... View more
07-30-2021
08:49 AM
so if you have PBF for internet redundancy and your IPv6 gateway is via some other zone/interface outside of your untrust then you need 2 x PBF rules in both directions for that IPv6 traffic. Simply having one or the other will break it in either direction.
... View more
07-30-2021
08:38 AM
So now I have similar issue with IPv6 traffics return path from the internet. So the return or inbound IPv6 traffic comes across the Trust interface and should all be routed to the LAB but it is routing that traffic to UnTrust. This is the no IPv6 PBF: Internet > Trust > Lab but its going Internet > Trust > UnTrust so something not right with my PBF but not clear on what:
... View more
07-30-2021
06:14 AM
@BPry I figured it out part of it....stupid PBF. So I had PBF for IPv4 internet redundancy and if I added the source IPv6 network to it the traffic went in the right direction from Trust > Lab but not the other. And since I don't have IPv6 on the egress interface I had to create a no PBF for the IPv6 traffic and set it to Not forward. Once I did that it started working in both directions but not back from the internet.
... View more
07-29-2021
12:27 PM
I have a PAN on the internet with only IPv4. I have an ASA dual stacked that I want to send IPv6 traffic from hosts connected behind the PAN to the ASA via the LAN. All the interfaces on the PAN in the path have IPv6 configured. However, when the pan receives IPv6 packets that need to route it simply sends it out the UnTrust zone vs the Trust zone where my default and other static IPv6 routes reside. Note IPv4 is working fine and I can ping the Lab interfaces from the host behind the PAN and so forth, its just any IPv6 traffic that needs to be routed past (or through) these PANs that gets punted to the UnTrust zone and I can't figure out why. Its like its not even looking at the IPv6 route table. Next hop of IPv6 edge gateway ASA: 2403:8600:80CF:E100:2000::3 PAN Trust interface: 2403:8600:80CF:E100:2000::5/68 PAN Lab interface: 2403:8600:80cf:e101:2000::1/68 PAN Lab next hop: 2403:8600:80cf:e101:2000::2/68 PAN Lab CIDR: 2403:8600:80cf:e10c:3780::/73 PAN Lab host: 2403:8600:80CF:E10C:3710::10 Eth1/1 is my Trust interface and Eth1/15 is my Lab interface IPv6 route table is below: I have policies allowing all the traffic but it seems like anything it doesn't have a specific IPv6 route for it sends it to the Untrust zone even though the default route is pointing out eth1/1 to 2403:8600:80CF:E100:2000::3. Why would the PAN still try to send the traffic out the UnTrust interface at this point? In the logs below you can see a ping from the ASA (.3) gets punted to UnTrust. But a ping from the PAN itself (.1) routes within that zone without issue all to the same host 2403:8600:80CF:E10C:3710::10. No matter what I do I cannot get the PAN to route all IPv6 traffic to the trust or lab zones, none of it should be going to untrust as there is no IPv6 configured on that zone/interface.
... View more
07-16-2021
09:58 AM
Are you running TM on the IPSec Tunnels themselves as well on the PBF rules? I was just doing it on the PBF rules but added them to the actual tunnel interfaces as well. Hoping that will solve my problem of having to manually restart both tunnels when one goes down and all traffic stops passing. I have no STATIC routes for any of the CIDRs on the other ends of both tunnels, can anyone tell me if this is right? IPSec Tunnel: PBF:
... View more
07-12-2021
09:16 AM
Having issues with a fair amount of AWS VPN tunnels that will go down due to path or ISP issues but they don't come back up unless I manually bounce them on the PAN side. Configuration is standard with DPD set to 10/2 and using PBF monitoring the far ends of the tunnels. So I will see the tunnels go down and they show down in AWS but they DO NOT come back up until I manually bounce them from the IPSec Tunnels page. Has anyone seen this before? I am seeing this across 2 separate PANs (1 x HA, 1 standalone) to separate AWS accounts/regions but the problem seems to be consistent and not sure why. Note I am not using 'Tunnel Monitor' on the IPSec Tunnels but I am on the PBF rules, could that be the problem? Meaning I should be using TM on one or the other but not both? Someone show me the way.
... View more
05-19-2021
06:53 AM
I figured it out by trial and error. So an EDL for DOMAINS can only be attached to an anti-spyware profile and after you do that it will populate the list of domains on the EDL itself. Until you do that it will complain about it not being referenced by a policy but you don't reference in a policy per se, its attached to anti-spyware profile on a policy. PAN documentation is so convoluted that it took me a couple days to figure out the difference between an EDL for IPs for DOMAINS and how to implement them correctly.
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
12-09-2021
09:38 AM
|
Latest Tags
No tags yet
Likes From
LEGAL NOTICES
Copyright 2007 - 2022 - Palo Alto Networks
