Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Live
- ›
- About myrdin
About myrdin
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
12-06-2016
20Posts
0Likes
2Solutions
Dec 06, 2016Last Visited
User
Activity
User
Profile
Latest posts by myrdin
| Subject | Views | Posted |
|---|---|---|
| 1001 | 12-04-2016 03:34 PM | |
| 1032 | 11-29-2016 01:39 PM | |
| 1052 | 11-28-2016 01:33 PM | |
| 1087 | 11-27-2016 02:23 PM | |
| 330 | 10-17-2016 11:00 PM |
Posts I Liked
| Subject | Likes | Author | Latest Post |
|---|---|---|---|
| 1 | |||
| 1 | |||
| 1 | |||
| 1 | |||
| 1 |
User Badges
Public Statistics
| Date Registered | 03-30-2016 03:31 PM |
| Date Last Visited | 12-06-2016 10:21 PM |
| Total Messages Posted | 20 |
12-04-2016
03:34 PM
Hi guys thanks for all your help, turns out it was the ISP device that for some reason was working with the previous device and not with the Palo for unknown reasons. We bypassed that ISP router completely and boom everything started working straight away.
... View more
- Tags:
- help
11-29-2016
01:39 PM
Allright thanks very much guys. So this is what i am going to do: - have the /30 configured in the WAN interface - add also the /24 on the same WAN interface, with no /32 ip specified - NAT rules are already there. - use the GARP once i switch the cable to force the ISP device to update its own MAC table. does this sound right? thanks heaps
... View more
11-28-2016
01:33 PM
mmm thanks, so you have to add all the IPs one by one? I mean if i have 200 addresses in use on the /24, do i have to add them to the interface? thanks
... View more
11-27-2016
02:23 PM
Hi, my ISP has assigned me with a /30 for the p2p connection and it is routing a /24 public subnet towards that /30. Meaning the WAN interface in the Palo will have to respond to many different ips on two different subnets. I haven't found any Kb that describe this scenario. Also please consider we are migrating from another devicewhich is perfectly working fine with this configuration, this in case we want to start pointing fingers to the ISP. No, it is definitely the Palo. Also for the sake of the conversation i am running a p3020 with 7.1 - outbound traffic works (a machine inside the LAN can go out to the internet and uses one of the /24 addresses using the NAT rule i have configured). - Inbound traffic (published services) do not work at all, it seems that the Palo never answer with an ARP to tell the other device that it "has" those ips. - tried using loopbacks, or to add the additional subnet in the interface configuratio, i have zero traffic hitting the interface (no ARP sent) Digging around i found two solutions, didnt manage to test them thou: - forcing a GARP within the CLI (this is an horrible solution, and i would need to do this everytime i restart the Palo?) - Add a fake route in the virtual router. Add a route to the /24 with next hop None, so that the Palo installs a route and start accepting the traffic. This is still a horrible workaround. I am wondering how you guys do it, thanks!
... View more
10-17-2016
11:00 PM
I have resolved like this: - created a default route to ISP1 (usuale way in the Virtual route). - removed ISP2 as second default route with higher metric - added PBF to force traffic from lan to ISP2, and negate routing to internal networks (so only traffic to 0.0.0.0/0 would be intercepted). - This kept ISP1 accessible while forcing traffic originating from LAN to ISP2. (and ISP2 is still accessible somehow) Very akward way to achieve a working configuration in such scenario, but thats it.
... View more
10-17-2016
08:35 PM
Hi, this is the scenario: - ISP1 : only for GlobalProtect -ISP2 : only for Internet access ISP1 has distance 10 and metric 10 ISP2 has distance 10 and metric 15 in this scenario the ISP1 interface responds to Global protect gateway/portal no problem. Also ISP2 pings, and i can access management through ISP2 public ip. If i change the metric to ISP1 to 20, ISP2 becomes primary. BUT ISP1 no longer responds to pings nor GlobalProtect nor management, nothing. It appears that returning traffic entering ISP1 go out through ISP2 no matter what if ISP2 is preferred. The other way around tho, when ISP1 is primary, traffic entering ISP2 get out ISP2. any clues? thanks
... View more
09-21-2016
02:51 PM
Nat Rule: Source Zone: untrust Dest Zone: untrust (same) Dest int: none Source address: any (you will filter by the security rule) Dest Address: Public IP assigned to the internal server Service: http/https or whatever service you are publishing Translated Packet Source Translation: None Destination Translation:Private ip of the server Destinaton port: destination port of the server, if left blank it will be the same as the one specified in the "Service" above, in your case it will be the internal port where the service is responding, Sec Policy: Source Zone: untrust Desintation Zone: trust (or the zone where the server being published sits) Destination Address: THE PUBLIC IP assigned Appliatication/port: The port that is responding externally (not the internal port where the internal server is responding)
... View more
09-20-2016
02:29 AM
thanks RFalconer. after a lot more reading, i found out that Bonjour sets ttl=1 by default so crossing a router, although possible, will decrease ttl to 0 and the packet it is discarded. This is by design. Multicast routing although possible, it will not serve this purpose hence it won't work. The only way to handle this is to use a bonjour gateway which is a feature some vendors offer, like Aruba or Cisco Meraki.
... View more
09-20-2016
02:20 AM
thanks reaper, that is correct, the group mapping is specifically created to map that AD group
... View more
09-19-2016
10:41 PM
Hi, i have followed the procedure to configure and it works as long as in the authentication profile the allow list is set to "all". The user is present in the administrators list, and i can login using my domain user password. Problem is, i want that to work against an AD group not "all". If i set a group mapping pointing to a specific AD group where the same user is, i can't login anymore. I am also using a group mapping for GlobalProtect, which perfeclty works. Ideas? thanks
... View more
09-13-2016
10:39 PM
Hi, this is the scenario: - a PA with two physical L3 interfaces (1 zone per interface, 1 subnet per interface, we call them A and B). - I have a device in Subnet A which is an Airport thing with a printer attached. Devices in Subnet A they can discover the printer via the Apple Bonjour service - Devices in Subnet B cannot discover the printer in subnet A - Traffic from/to these two subnets is completely allowed, no restrictions whatsover, and no NAT. - Both subnets and devices have the PA interface as default gateway - i am running 7.1 What i did: - in network-router, i edited the existing virtual router, went to "Multicast" and enabled Multicast. - - RP Static, RP Interface is the Subnet A interface, RP Address the Subnet A interface address - Group list: 224.0.0.0/4 - Remote Rendevous point: empty Interfaces: Subnet A interface, Subnet B Interface IGMP/PIM enabled - added policy from Subnet A zone and Subnet B zone to "Multicast" zone all allowed - and committed Still from Subnet B i cannot see the airport via the multicast Bonjour service. Ideas? thanks heaps
... View more
08-22-2016
08:55 PM
thanks guys. I thought about it and i came to the conclusion that the Palo is slow already as it is, if i even am to add a NAT to translate WITHIN the LAN every packet to another internal segment, it will catch fire. I found an article that explains how to create a zone protection and i will apply on the trust zone only so to avoid enabling the bypass globally, and in the zone protection to avoid dropping traffic because of the syn sequential number problem thanks to all pointing in the right direction
... View more
08-21-2016
07:16 PM
Hi, is there a way to troubleshoot the NAT sessions in real time? i know i can use , for example: show session all filter nat-rule NATRULE to see if i am hitting the NAT rule, but i have to keep issuing the command to do that. Is there a similar thing to see it in real-time (i.e. the "follow" using the show system resources command). thanks
... View more
08-19-2016
03:53 PM
also guys is it possible to check (and how) somewhere whether a packet is being discarded because of the asymettric problem reason, because from the traffic logs i cant see anything being discarded thanks
... View more
08-19-2016
03:39 PM
Hi, thanks heaps for your answer. Yes so router 2.2.2.2 has default route to 2.2.2.1, host on the 3.3.3.0/24 network have the right gateway. Please note that with a "dumb" router in which i simply create forward rules to 2.2.2.2 everything works. Basically the dumb router is configured exaclty as the Palo, but there is obviously something the Palo is doing more that is preventing that to work. I have other destination NAT rules that are working on the same PALO (i know you have to define untrust/untrust in the destination NAT). The difference is that the destiation NAT that are working are going to an network directly attached to the PALO. In example: 1.1.1.1 PALO 5.5.5.1 ---- 5.5.5.2 host the desintation NAT 1.1.1.1 to 5.5.5.2 WORKS in the PALO what it does not work is the one originally posted so 1.1.1.1 PALO 2.2.2.1 --- 2.2.2.2 DUMBROUTER 3.3.3.1 ---- 3.3.3.2 Forwarding 1.1.1.1 to 2.2.2.2 which in turns forwards to 3.3.3.2 does not work. With a dumb router instead of the PALO which forwards packets received to 1.1.1.1 to 2.2.2.2 which in turns forward to 3.3.3.2 it works. I am suspecting the PALO is not forwarding the same way the dumbrouter does and the patckets that the DUMBROUTER receives are different from what a "normal" router does. Unfortunately i cannot share the config. If you have any other ideas, i can put in my queue but i have very limited time for testing as when we switch to the PALO we have very limited time to make things working before reverting back but thanks
... View more
08-19-2016
03:28 PM
thanks all you guys heaps. I will try the U-TURN, i didnt know i would need this kind of configuration in an asymetric routing situation. Would this explain the fact that ping was passing but not https connection? Is that because https will start a tcp handshake and ping does not use TCP (so no ACK etc)? I can troubleshoot via the monitor but i dont know a way to sniffer the packets via ssh, is there a troubleshooting guide somewhere? or do you guys can give me some commands i can use? I essentially need to sniffer the NAT translations to see whehter it is hitting a NAT rule it shouldnt and actually see the traffic at very low level on that LAN interface, thanks heaps
... View more
08-19-2016
04:42 AM
HI imagine this scenario: Internet 1.1.1.1 PA 2.2.2.1 ---- 2.2.2.2 ROUTER 3.3.3.0/24 network I am forwarding all packets received to 1.1.1.1 https to 2.2.2.2 https which then re-nat to 3.3.3.0/24 host With a stupid dlink 50$ router instead of the PA, everything works. I just forward https to 2.2.2.2 and it works. with the Palo, no way. In the Palo i have also have another network interface (say 4.4.4.0/24) and i forward other ports to hosts in the 4.4.4.0/24 and everything works, but if i forward to the 2.2.2.2 which then re-nat to 3.3.3.0, it does not work. And i cannot see any errors on the PALO. I have done these configuration multiple times (i mean just publishing servers etc...). Any suggestions? How do i troubleshoot NAT? is there a way to see the NAT translations on the PALO? thanks
... View more
08-19-2016
04:33 AM
HI just ran into a very weird issue today. A PA running version 7.1 The PA has IP 192.168.1.254 and it is the default gateway for the network. There is another network 192.168.2.0/24 reachable through 192.168.1.200. There is a route in the PA that says to reach 192.168.2.0/24 go to 192.168.1.200. This is same-zone routing. I have also disabled the thingy to allow asymetric routing. I have a rule that allows same zone traffic as a client will get to 192.168.1.254 to reach 192.168.2.0/24 via 192.168.1.200 Now the issue: if i am sitting on a client with ip 192.168.1.1 and ping 192.168.2.1 (which is a host in the 2.0/24 network) i can actually ping but nothing else works. i.e. 192.168.2.1 is a webserver and i should be able to browse to it. There is no rule blocking https, but it simply does not work. No logs either, i get logs about the pings. Trace goes like this: 192.168.1.254 192.168.1.200 192.168.2.1 so there is bidirectional communication, but again apart from ping nothing else passes. I have put another dumb router, and everything perfectly works. thanks
... View more
06-29-2016
08:58 PM
Sorry for the very late reply and thanks for your answers. I will give it shot.
... View more
06-13-2016
07:10 PM
Hi, a couple of questions on the matter: - to get URL reports i need URL Filter on the rule to be on . Is this correct? Or can i have url reports without that enabled? - with a PA200 with 1 computer connected, with URL fitler when i enter the website, it takes 4-5 seconds to show the page. without url filtering on the rule the page displays immediately. Is this normal? or there is a piece of configuration that i can change to speed this up. The goal here is NOT to filter the websites but to have a report of websites visited per user or IP. Since the url do not get logged if i dont have the url filter on the rule, i need to fix the issue on the slowness. Again, these tests i made were with a 50Mbps connection and 1 single computer connected to the palo. thanks
... View more
Latest Blogs
Latest Posts
Copyright 2007 - 2020 - Palo Alto Networks
