This website uses cookies essential to its operation, for analytics, and for personalized content. By continuing to browse this site, you acknowledge the use of cookies.
For details on cookie usage on our site, read our Privacy Policy
For details on cookie usage on our site, read our Privacy Policy
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Get Started
- News & Events
- Collaboration
- Education Services
- Technologies
- Next-Generation Firewall
- GlobalProtect
- Threat Prevention Services
- Endpoint Protection
- SSL Decryption
- App-ID
- Content-ID
- User-ID
- 5G
- IoT Security
- Cloud Identity Engine
- Panorama
- AIOps for NGFW
Network Security
- Prisma Access
- Prisma Cloud
- Prisma SD-WAN
- Cloud NGFW for AWS
- CN-Series
- VM-Series:
- Private Cloud
- OCI
- Alibaba
- AWS
- GCP
- Azure
Cloud Security
- Cortex XDR
- Cortex XSOAR
- Cortex Data Lake
- Cortex Xpanse
Security Operations
- Resources
About myrdin
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- LIVEcommunity
- About myrdin
12-06-2016
20Posts
1Like
2Solutions
Dec 06, 2016Last Visited
User
Activity
User
Profile
Latest posts by myrdin
| Subject | Views | Posted |
|---|---|---|
| 4740 | 12-04-2016 03:34 PM | |
| 4770 | 11-29-2016 01:39 PM | |
| 4790 | 11-28-2016 01:33 PM | |
| 5040 | 11-27-2016 02:23 PM | |
| 1135 | 10-17-2016 11:00 PM |
My Liked Posts
| Subject | Likes | Posted |
|---|---|---|
| 1 Like | 09-20-2016 02:29 AM |
Posts I Liked
| Subject | Likes | Author | Latest Post |
|---|---|---|---|
| 1 Like | |||
| 1 Like | |||
| 1 Like | |||
| 1 Like | |||
| 1 Like |
User Badges
Community Statistics
| Member Since | 03-30-2016 03:31 PM |
| Date Last Visited | 12-06-2016 10:21 PM |
| Posts | 20 |
| Total Likes Received | 1 |
12-04-2016
03:34 PM
Hi guys thanks for all your help, turns out it was the ISP device that for some reason was working with the previous device and not with the Palo for unknown reasons. We bypassed that ISP router completely and boom everything started working straight away.
... View more
- Tags:
- help
11-29-2016
01:39 PM
Allright thanks very much guys. So this is what i am going to do: - have the /30 configured in the WAN interface - add also the /24 on the same WAN interface, with no /32 ip specified - NAT rules are already there. - use the GARP once i switch the cable to force the ISP device to update its own MAC table. does this sound right? thanks heaps
... View more
11-28-2016
01:33 PM
mmm thanks, so you have to add all the IPs one by one? I mean if i have 200 addresses in use on the /24, do i have to add them to the interface? thanks
... View more
11-27-2016
02:23 PM
Hi, my ISP has assigned me with a /30 for the p2p connection and it is routing a /24 public subnet towards that /30. Meaning the WAN interface in the Palo will have to respond to many different ips on two different subnets. I haven't found any Kb that describe this scenario. Also please consider we are migrating from another devicewhich is perfectly working fine with this configuration, this in case we want to start pointing fingers to the ISP. No, it is definitely the Palo. Also for the sake of the conversation i am running a p3020 with 7.1 - outbound traffic works (a machine inside the LAN can go out to the internet and uses one of the /24 addresses using the NAT rule i have configured). - Inbound traffic (published services) do not work at all, it seems that the Palo never answer with an ARP to tell the other device that it "has" those ips. - tried using loopbacks, or to add the additional subnet in the interface configuratio, i have zero traffic hitting the interface (no ARP sent) Digging around i found two solutions, didnt manage to test them thou: - forcing a GARP within the CLI (this is an horrible solution, and i would need to do this everytime i restart the Palo?) - Add a fake route in the virtual router. Add a route to the /24 with next hop None, so that the Palo installs a route and start accepting the traffic. This is still a horrible workaround. I am wondering how you guys do it, thanks!
... View more
10-17-2016
11:00 PM
I have resolved like this: - created a default route to ISP1 (usuale way in the Virtual route). - removed ISP2 as second default route with higher metric - added PBF to force traffic from lan to ISP2, and negate routing to internal networks (so only traffic to 0.0.0.0/0 would be intercepted). - This kept ISP1 accessible while forcing traffic originating from LAN to ISP2. (and ISP2 is still accessible somehow) Very akward way to achieve a working configuration in such scenario, but thats it.
... View more
10-17-2016
08:35 PM
Hi, this is the scenario: - ISP1 : only for GlobalProtect -ISP2 : only for Internet access ISP1 has distance 10 and metric 10 ISP2 has distance 10 and metric 15 in this scenario the ISP1 interface responds to Global protect gateway/portal no problem. Also ISP2 pings, and i can access management through ISP2 public ip. If i change the metric to ISP1 to 20, ISP2 becomes primary. BUT ISP1 no longer responds to pings nor GlobalProtect nor management, nothing. It appears that returning traffic entering ISP1 go out through ISP2 no matter what if ISP2 is preferred. The other way around tho, when ISP1 is primary, traffic entering ISP2 get out ISP2. any clues? thanks
... View more
09-21-2016
02:51 PM
Nat Rule: Source Zone: untrust Dest Zone: untrust (same) Dest int: none Source address: any (you will filter by the security rule) Dest Address: Public IP assigned to the internal server Service: http/https or whatever service you are publishing Translated Packet Source Translation: None Destination Translation:Private ip of the server Destinaton port: destination port of the server, if left blank it will be the same as the one specified in the "Service" above, in your case it will be the internal port where the service is responding, Sec Policy: Source Zone: untrust Desintation Zone: trust (or the zone where the server being published sits) Destination Address: THE PUBLIC IP assigned Appliatication/port: The port that is responding externally (not the internal port where the internal server is responding)
... View more
09-20-2016
02:29 AM
1 Kudo
thanks RFalconer. after a lot more reading, i found out that Bonjour sets ttl=1 by default so crossing a router, although possible, will decrease ttl to 0 and the packet it is discarded. This is by design. Multicast routing although possible, it will not serve this purpose hence it won't work. The only way to handle this is to use a bonjour gateway which is a feature some vendors offer, like Aruba or Cisco Meraki.
... View more
09-20-2016
02:20 AM
thanks reaper, that is correct, the group mapping is specifically created to map that AD group
... View more
09-19-2016
10:41 PM
Hi, i have followed the procedure to configure and it works as long as in the authentication profile the allow list is set to "all". The user is present in the administrators list, and i can login using my domain user password. Problem is, i want that to work against an AD group not "all". If i set a group mapping pointing to a specific AD group where the same user is, i can't login anymore. I am also using a group mapping for GlobalProtect, which perfeclty works. Ideas? thanks
... View more
09-13-2016
10:39 PM
Hi, this is the scenario: - a PA with two physical L3 interfaces (1 zone per interface, 1 subnet per interface, we call them A and B). - I have a device in Subnet A which is an Airport thing with a printer attached. Devices in Subnet A they can discover the printer via the Apple Bonjour service - Devices in Subnet B cannot discover the printer in subnet A - Traffic from/to these two subnets is completely allowed, no restrictions whatsover, and no NAT. - Both subnets and devices have the PA interface as default gateway - i am running 7.1 What i did: - in network-router, i edited the existing virtual router, went to "Multicast" and enabled Multicast. - - RP Static, RP Interface is the Subnet A interface, RP Address the Subnet A interface address - Group list: 224.0.0.0/4 - Remote Rendevous point: empty Interfaces: Subnet A interface, Subnet B Interface IGMP/PIM enabled - added policy from Subnet A zone and Subnet B zone to "Multicast" zone all allowed - and committed Still from Subnet B i cannot see the airport via the multicast Bonjour service. Ideas? thanks heaps
... View more
08-22-2016
08:55 PM
thanks guys. I thought about it and i came to the conclusion that the Palo is slow already as it is, if i even am to add a NAT to translate WITHIN the LAN every packet to another internal segment, it will catch fire. I found an article that explains how to create a zone protection and i will apply on the trust zone only so to avoid enabling the bypass globally, and in the zone protection to avoid dropping traffic because of the syn sequential number problem thanks to all pointing in the right direction
... View more
08-21-2016
07:16 PM
Hi, is there a way to troubleshoot the NAT sessions in real time? i know i can use , for example: show session all filter nat-rule NATRULE to see if i am hitting the NAT rule, but i have to keep issuing the command to do that. Is there a similar thing to see it in real-time (i.e. the "follow" using the show system resources command). thanks
... View more
08-19-2016
03:53 PM
also guys is it possible to check (and how) somewhere whether a packet is being discarded because of the asymettric problem reason, because from the traffic logs i cant see anything being discarded thanks
... View more
08-19-2016
03:39 PM
Hi, thanks heaps for your answer. Yes so router 2.2.2.2 has default route to 2.2.2.1, host on the 3.3.3.0/24 network have the right gateway. Please note that with a "dumb" router in which i simply create forward rules to 2.2.2.2 everything works. Basically the dumb router is configured exaclty as the Palo, but there is obviously something the Palo is doing more that is preventing that to work. I have other destination NAT rules that are working on the same PALO (i know you have to define untrust/untrust in the destination NAT). The difference is that the destiation NAT that are working are going to an network directly attached to the PALO. In example: 1.1.1.1 PALO 5.5.5.1 ---- 5.5.5.2 host the desintation NAT 1.1.1.1 to 5.5.5.2 WORKS in the PALO what it does not work is the one originally posted so 1.1.1.1 PALO 2.2.2.1 --- 2.2.2.2 DUMBROUTER 3.3.3.1 ---- 3.3.3.2 Forwarding 1.1.1.1 to 2.2.2.2 which in turns forwards to 3.3.3.2 does not work. With a dumb router instead of the PALO which forwards packets received to 1.1.1.1 to 2.2.2.2 which in turns forward to 3.3.3.2 it works. I am suspecting the PALO is not forwarding the same way the dumbrouter does and the patckets that the DUMBROUTER receives are different from what a "normal" router does. Unfortunately i cannot share the config. If you have any other ideas, i can put in my queue but i have very limited time for testing as when we switch to the PALO we have very limited time to make things working before reverting back but thanks
... View more
LEGAL NOTICES
Copyright 2007 - 2022 - Palo Alto Networks