About jsalmans

@aceandy79I would be curious what your results are.  I have a test unit at home and while I can't really set it up as true static NAT since I get a dynamic IP from my service provider, it is still only one IP it is using.  I still see strict NAT on my home gaming devices.   Granted, it's entirely possible their port algorithms are set up differently for a true static IP configuration vs a Dynamic IP even though you're only ever getting the same IP.   I'd also encourage any Higher Ed or other entity supporting multiplayer gaming to contact your Palo Alto sales team and look into supporting Feature Request 7654.  I put this in about 2 years ago asking for some DIPP NAT option to implement something like "sticky NAT" and/or to implement something closer to Cisco's ASA implementation for Port Address Translation (PAT).  I was told by our sales team that these Feature Requests gain priority based on the number of customers that express the need for the specific feature.   There may be a better option than the one outlined in that specific FR but, one way or the other, I feel like we as a community can get together and express interest in something to get this fixed that doesn't involve using another vendor's product for gaming networks. ... View more

@MickBall wrote: Just a thought... would the entire operation be smoother if you just forwarded all DNS requests to your internal boxes via NAT policies...?   Possibly and it is certainly something to consider.  I'm not sure how many of these devices are using anything like DNSSEC.  The worst part would be that I'd probably have to do a hairpin NAT since the servers reside on the same area of the network as the users I want to do this for so I'd have to adjust both source and destination IPs.   Another alternative might be to spoof the IP addresses on the DNS servers themselves so that they respond to queries to 8.8.8.8 and 8.8.4.4 but I'm not sure if that is considered bad practice. ... View more

@BPryhow does one get signed up for the beta?  I was in the beta for 4.0 or maybe one of the later 3.x versions but I think it was only for that version... I haven't seen beta community forums or emails for a long while. ... View more

I just checked the patch notes.  We're running 4.0.x currently and the visaul improvement came in 4.1:   " GlobalProtect app 4.1 for Windows and macOS endpoints introduces an enhanced user experience through a more modern and streamlined user interface and a more intuitive connection process. The new app features simplified workflows that enable end users to view and modify GlobalProtect app settings, manage notifications from a central location, and connect to or disconnect from GlobalProtect more seamlessly. " ... View more

So an update.. it was determined the server and client are trying to use X25519 which is an ECDHE curve that Palo Alto doesn't support (definitely would be nice to see this as a note on the supported ciphers page... TLSv1.3 uses it as a standard and I know that isn't supported yet but TLSv1.2 uses it as well).   The workaround is to disable ECDHE but that doesn't seem like a great call given that we're talking about lowering server security to apply SSL Decryption for additional server security.   I found this for Windows Server 2016 and it seems to work: https://www.nsgp.net/2018/09/how-to-disable-curve25519-x25519-key-exchange-on-windows-server-2016/   I'm looking for similar instructions for Apache and Tomcat.  I'm not a server expert and I'm having trouble finding methods to do this on those platforms. ... View more

Wow our 5250s can do 30,000 tunnels.  Do we know what the GRE througput performance looks like?  I know IPSec and GlobalProtect SSL tunnels have limited max bandwitdh but I've always heard GRE has the potential to be closer to standard network speeds.   That's kind of disappointing on the Unique Policy ID but the audit history is still really cool.   *edit* I just downloaded GP 5.0 64-bit for Windows.  It's a completely different interface than the 4.x client!  Definitely will play around with it.  Can't wait for the Android version. ... View more

I got pretty excited while reading the release notes today and I'm installing 9.0 on my lab PAN-220 this evening to give it a spin.   Things that jumped out at me Security policy optimization is going to help out big time.  Expedition seems powerful but it also is a bit overwhelming when you're just trying to use it for security policy migration to app-based rules.  I'm sure I'll still use the best practices analyzer though. App-default rules applying correctly to decrypted traffic including web-browsing... yay! GRE tunnel support... A previous coworker had a thought about redoing our campus design to incorporate newer methods of network segmentation. GRE tunnels were an interesting method since it means the core and access layer can be pretty much whatever you need it to be as long as each building has a GRE capable Layer 3 device that can tunnel to the firewall. Traffic simulator for security rules.... one of the only things I miss from the ASA. DNS security WinRM for UserID Multiple categories for URL filtering is definitely cool and could allow more granual control Cisco SGT   Things I have questions about Any plans for a GlobalProtect update for other platforms besides iOS? I've seen it on my coworkers phones and it looks waayyyy better than my Android version or even the desktop versions. Will the Universal Unique IDs for Pocily Rules allow more than one rule with the same name?  I ended up copying rules from our own old device group into our new one and, of course, am having to deal with rules with "-1" at the end due to the existing code using the rule name as the unique ID.  I can also see this being handy for pointing a rule out to someone... rules being moved around or renamed makes them hard to refer to others sometimes. GRE Tunnels.. how many can each hardware platform support?   Seems like I had some other questions but they aren't coming to mind at the moment. ... View more

@gwessonnot sure how I missed that with the Intermediary cert but thanks!  I had it uploaded for on Panorama but not in the Device Group that pushed to the firewall... I added it and it immediately changed the Wildcard to be a sub-cert.  I did another scan and it hows correct now.   I'm opening a TAC case for the SSL decryption issue and I'll reply again when I have a solution in case someone else runs into this as well. ... View more

I found the SSL Labs IP range.  Some of the traffic does appear to be decrypted while some of it hits a decrypt-error.   I also see "This server's certificate chain is incomplete. Grade capped to B. "         Here is the current decryption profile for reference   ... View more

@gwesson   Here is my session output:   Session        35433597         c2s flow:                 source:      desktop IP [CampusCore]                 dst:         server IP                 proto:       6                 sport:       64022           dport:      443                 state:       DISCARD         type:       FLOW                 src user:   jsalmans                 dst user:    unknown                 offload:     Yes                 ecmp id:     8001         s2c flow:                 source:      server IP [DataCenter]                 dst:         desktop IP                 proto:       6                 sport:       443             dport:      64022                 state:       DISCARD         type:       FLOW                 src user:    unknown                 dst user:    jsalmans                 offload:     Yes         Slot                                 : 1         DP                                   : 1         index(local):                        : 1879165         start time                           : Tue Feb  5 12:03:56 2019         timeout                              : 90 sec         time to live                         : 28 sec         total byte count(c2s)                : 1797         total byte count(s2c)                : 5445         layer7 packet count(c2s)             : 20         layer7 packet count(s2c)             : 7         vsys                                 : vsys1         application                          : ssl         rule                                 : Allow Dept Anywhere         service timeout override(index)      : False         session to be logged at end          : True         session in session ager              : True         session updated by HA peer           : False         layer7 processing                    : enabled         URL filtering enabled                : True         URL category                         : educational-institutions         session via syn-cookies              : False         session terminated on host           : False         session traverses tunnel             : False         captive portal session               : False         ingress interface                    : ae1.10         egress interface                     : ae1.4001         session QoS rule                     : N/A (class 4)         tracker stage firewall               : proxy decrypt failure         end-reason                           : decrypt-error ... View more

@gwesson   I only have decryption enabled between my client and the server right now.  The scan from SSL Labs would have not gone through any decryption process on the firewall.  I wasn't sure if the scan would work since my browsers don't seem to get very far into the process when it is enabled and I didn't want to break anything for Internet traffic hitting the server.   I'll see if I can find an IP range they use so I can enable it just for that traffic. ... View more

@LukeBullimore   We went ahead and did a packet capture on the server.  I'm not seeing any communication between it and the firewall.   I see the following, all between my desktop and the server: Initial SYN from my desktop ACK from server Client Hello on TLSv1.2 from my desktop Server Hello, Certificate, Certificate Status, Server Key Exchange, Server Hello Done from server RST, ACK from my desktop ACK from my desktop ACK from my desktop TCP Retransmission from my desktop ACK from server RST, ACK from desktop RST, ACK from server ... View more

Thanks for the reply.   I believe I've done that.  I've tried this as Max and also setting TLS 1.2 as the max. As far as I know, Firefox and Chrome are both using whatever the defaults are.  If I turn off decryption, I can see it negotiating successfully with the server wiht an ECDHS cipher.  Here is what the packet capture is seeing my client offer. Here is the SSL Labs results for TLS 1.2:   ... View more

@dstjamesthanks for the reply.  That is actually what I ended up trying and it seems to work.  Panorama actually has no config information for those fields and they're just defined locally on the firewalls.  Since they won't sync even after config sync is re-enabled, they should remain unique on each.   I'm really curious why the instructions are worded like that... it doesn't make it clear if they're talking about management IP/hostname config in the Panorama templtate or the settings on the local configs on the firewalls. ... View more

@OtakarKlier thanks for the reply.   I believe that still burns some exrtra IP addresses... not a big deal on privates but some of these networks may end up on publics.  I did see another way to do something like that... OVH has an article on how to configure hosts on their network using network bridging.  It looks like they have you assign /32 addresses to each host and the gateway exists outside of that subnet so you have to create a static route for it.  I wasn't crazy about that solution because it requires extra config on the hosts.   I also found this but I'm not clear from the replies if someone got it to work or not: https://live.paloaltonetworks.com/t5/General-Topics/Has-anyone-had-success-using-Cisco-Systems-Private-VLANs-and/m-p/30641#M22429   If PVLAN won't work directly on the firewall, my fallback option is to put the SVIs on our Nexus9K and then use policy-based routing to push the traffic the rest of the way to the firewall.  It's an extra hop but the Cisco equipment can handle the traffic isolation and push the traffic to the firewall when it receives it. ... View more

@BPry VRFs are possible and may be an option but I would imagine I'd need to create one per server for true DC host isolation.  PVLANs seem much easier to scale since it seems to mostly be a one-and-done configuration on the Layer 2 side. ... View more