About clonesheep

clonesheep · ‎10-03-2019

Some one same Error? Can help trouble shooting?

clonesheep · ‎09-26-2019

okay doesn't sound good. but then i'm not alone with my problem at least. i have a pa220 with panos 8.1.10. it's not related to the DNS setting. i've already tested that. it resolves correctly. maybe someone has a solution? PAN itself?

clonesheep · ‎09-16-2019

Hi have found my carriere vodafone use udp/500, udp/4500 and this is allowed in my policies. Loogin is there active. It can be the return traffic or any NAT Problem. There I didnt know exatly how to configure. Is there anywhere a good help for this?

clonesheep · ‎09-13-2019

Has anyone already got wifi calling via PA to run? I see in the session log the connections udp 500 and 4500 but wifi calling does not work on my iPhone 8. I have already excluded my AP, that's not the reason. At home router with itss integrated AP it ran - no problem. In which logs can I find something about this? I released ike and ipsec-esp-udp as well as tested them with any rule. have a static IP Internet connection. My policies for this are on trust untrust any

clonesheep · ‎05-29-2019

Hello, everyone, Currently I have the problem to build an IPSec tunnel between a PA200 (A) and a PA220 (B). My one side A has a Telekom hybrid Internet connection (its a german product with LTE and cable connection) to a Speedport router. Thus only one dynamic official IP. The other side B is a normal company connection with a fixed IP address. I have configured my tunnel so that only side A is allowed to start the tunnel. (B side enable passive mode) If I now start the tunnel on page A, I also see in the monitoring at page B the requests ike on port 500 for port 500. Unfortunately then nothing happens further and page A has then a Faild Due to timeout. You can also see that page A transmits data but does not receive any data. What could that be? What is the best way to narrow down the problem?

clonesheep · ‎05-29-2019

That was a stupid question. The solution can be found in the technical data sheet. the PA200 can only 50mbits as ipsec tunnel. That explains my problem.

clonesheep · ‎05-15-2019

Hi all, I have a IPSec VPN between a PA200 and a PA220. Now i'm transporting a file from the pa200 network via ftp through the side-to-side tunnel to the pa220 network. The connection between the PAs is a 300mbits synchronous connection. The dataplane cpu goes up to over 90% with PA200 and the bandwidth reaches only low 10mbyte/s. The interesting thing is, if I transfer 10 files at the same time, the speed goes up to about 20-25mbyte. Dataplane CPU is around 90-95% again. What could be the reason for this? How do I get more speed?

clonesheep · ‎05-07-2019

Hello, I have two PAs and want to build IPSec tunnels between them. one PA A has a static IP. The other PA B has two internet connections. One with a static IP and one with a dynamic IP. Now I want to build two tunnels from device B to the A side. my two internet interfaces eth 1/4 has the IP 192.189.5.4 and the router behind it has the IP 192.168.5.1. What should my routing look like? Both interfaces are in the same default VR. There I have a route 0.0.0.0/0 on interface eth 1/1 where my main internet connection is. My other side where the tunnel should terminate is the 1.1.1.1 IP. Don't really know right now.When my tunnel from eth 1/4 now start, it will go to the untrust zone of eth 1/1. Where can I find helpful information?

clonesheep · ‎02-25-2019

Its a PA220

clonesheep · ‎02-25-2019

Okay look: MGT IP 10.0.8.1 eth 1/1 public IP eth 1/2 10.0.8.2 my trust network defualt virtual router route 0.0.0.0 to eth 1/1. So my Mgmt Rule Src 10.0.8.1 trust zone goes to untrust destiantion any. This is how PA Updates work fine.

clonesheep · ‎02-25-2019

But at the moment I have "Use Management Interface for all" and this will run. So I get PA Updates and Virusupdates and so on. For my MGT there is the default GW the eth2 and this I see in the Monitor Log. But no NTP 😞

clonesheep · ‎02-25-2019

Hi I have a problem with the NTP sync. When i make a "show ntp" NTP state: NTP not synched, using local clock NTP server: asia.pool.ntp.org status: rejected reachable: no authentication-type: none NTP server: pool.ntp.org status: rejected reachable: no authentication-type: none But my mgmt interface is alow via policy rule to use ntp. I am able to ping the ntp host and a traceroute runs good. So I search a bit you erros.. only found in sysdagent.log TIME: Unable to connect to asia.pool.ntp.org for ntpdate I test it with "debug software restart process ntp" Any Ideas?

clonesheep · ‎12-05-2018

Hi we use Aerohive AP and from there i get syslogs at my Kiwi Syslog Server. Like this one: ah_auth: add new RT sta: MAC=xxxxxxxx, IP=10.100.100.20, hostname=xxxxx, username=xxxxxx on wifi0.7 And now i need this information in the PA because there i only see in the traffic monitor the Source IP Adress from the AP and no Source User. How can i configure that the PA can take the log information from the kiwi syslog? Or is there an easy way to take the Aerohive Login/logout and device informations to the firewall? Aerohive and Palo Alto Network have a cooperation... https://manualzz.com/doc/23623919/aerohive-and-palo-alto-networks

clonesheep · ‎09-11-2018

I want to use it in IKE Gateway. But how must I define it? I use it just as well as NAT. How must look my NAT entry? And how can I test it?

clonesheep · ‎09-11-2018

I have 12 public IPs and i must all use. So must i configure ...146/32 ...147/32 ..and so on? Or how can i connect to the ips?

clonesheep · ‎09-11-2018

Hi I have to build up a IPSec tunnel with a partner. So at Network -> Interfaces -> eth 1/1 I have my connection to internet with a /28 Net. I call it for example 12.34.56.144/28 net. There the router from my isp is IP 12.34.56.145. I will build up my tunnel on ip .146. Now on the eth 1/1 I define the IP 12.34.56.146/28 so the complete /28 net is set. On Network -> IKE Gateway I can only chose the local IP Address /28 from interface and not one /32 IP. How can I do this? When I set a second /32 address I get a routing error. So how must I configure this right way?

clonesheep · ‎08-17-2018

Yes Port 2,3,4, on the switch is connected to the routers. On eatch port one router.

clonesheep · ‎08-17-2018

okay, i thought i needed some routing between the vlans. so have now my vlan ids 1 200 201 202. in vlan 1 is default all ports untagged vlan 200 is port 1 and 2 both tagged other ports excluded vlan 201 is port 1 and 3 both tagged other ports excluded vlan 202 is port 1 and 4 both tagged other ports excluded now i connect my p200 on port 1 at the swtich and configure my three subinterfaces with the tag 200 and so on.. right?

clonesheep · ‎08-17-2018

And is there a other way for my 8Port switch? Because it have only Layer2 VLAN function. Its a HP 1820 and so i cannot configure my port 1 witch is then in 3 different VLANs. So can i put physical my 3 connections to this litte 8 port swtich without vlans? and how must i configure then the eth port on my pa200?

clonesheep · ‎08-17-2018

I want to transfer client a via internet a and client b via a different internet b line. My default virtual router has only a default 0.0.0.0.0/0 address and therefore its next hop from the provider router. And how can I change the default path with pbf? there I can only define a next hop.

clonesheep · ‎08-13-2018

Hi @reaper thanks for the subinterfaces link. That sounds good. But now i will make for every internet connection a own virtual router so thaht i can use them unattached from each others. But there is a spec only 3 VR. 😞 do you have an idea how i can go avoid that limitation?

clonesheep · ‎08-13-2018

okay i was almost thinking. but i wanted to ask at least, not that there is a point for custom dh group somewhere. thank you

clonesheep · ‎08-10-2018

Hi I must build up an IPSEC tunel between PA and Watchguard XTM. The other Side gives me ike phase where DH Group is 15. On PA I only can choose Group 1—768 bits, Group 2—1024 bits (default), Group 5—1536 bits, Group 14—2048 bits, Group 19—256-bit elliptic curve group, and Group 20—384-bit elliptic curve group Is there a way to build up a "custom" DH Group or must the otherside set the DH Group to a value that my PA side can work with? https://www.watchguard.com/help/docs/fireware/12/en-US/Content/en-US/bovpn/manual/diffie_hellman_c.html https://www.paloaltonetworks.com/documentation/80/pan-os/pan-os/vpns/site-to-site-vpn-concepts/internet-key-exchange-ike-for-vpn/ike-phase-1

clonesheep · ‎08-10-2018

Hello everyone I have a PA200 which has only 4 network ports. But now I have 2 direct internet connections and 2 4g connections and 1 is uplink to my network. Would it be possible to connect a port of the pa200 not directly to the router but to a small 8port switch to which my two routers are connected? These have the IP 192.168.5.1/24 and 192.168.6.1/24. What do I have to configure on the ethernet 1/4 port of the PA200? Put them there as IP address? And routing technical? Where should the default route point to? 0.0.0.0 to 192.168.6.1? Only one can do it.

clonesheep · ‎08-07-2018

ah decryption was no topic until today because we have a ssl proxy. so is must configure a policies -> decryption -> decryption policy rule ..and what kind of options? SSL Forward Proxy?

clonesheep · ‎08-07-2018

Hi @vsys_remo sounds good.Thanks. But don`t understand what you mean with TLS decryption?

clonesheep · ‎08-07-2018

Hi, i must set the firewall to connect to this webpage www.google.com/recaptcha/api/siteverify I have a object -> adress groups -> own address group for some other adresses (like itunes.apple.com and so on. There I musst now inser this domain www.google.com/recaptcha/api/siteverify But i Can set this as a FQDN like the others because "The value in this field is invalid." So anyone an idea how to let the server connect to this domain? Its for the Sophos Mobile Control service. https://community.sophos.com/kb/en-us/113217

clonesheep · ‎07-27-2018

Hello, we have some Aerohive WiFi access points and they are managed with the HiveManager. Now when a user logs on to a WLAN SSID with his hive user and then surfs, you only see the internal IP of the access point in the Paloalto Log. If several users do this, you can't tell it apart because no user information arrives at the PA. How can I transfer the connection logs from the Aerohive to the PA? Is there a manual for this? I am using PAN OS 8.1 and HiveManager 8.2.

clonesheep · ‎06-13-2018

@BPryMy internal DNS (with a public IP like example 80.80.80.80) is my first DNS at PA. And my FQDN is example server.domainname.com and this Domain Name is regestrated by me (but have a differnt IP who shows this name as A record to). But the IP i use internal is a public IP and some one other has this IP in Use for a Webserver. Thats my problem. and i dont understand why my own DNS looks in the www for the fqdn of my DNS-Server.

clonesheep · ‎06-13-2018

Hi, i get in the system monitor a message Type dnsproxy and event resole-fail mgmt-obj 'Failed to resolve domain name:server.domain.com after trying all attempts to name server(s): IP_from_internal_DNS 8.8.4.4 ' and i dont know why. I have set and Object for the server.domain.com DNS Name to the IP but error comes again. In Device -> Setup -> Services - there are my internal IP adresse from the DNS Server and the google public DNS. (can it be a problem that my server.domain.com a public IP is and when i try it outside my network a other server answer on this ip?

Date Registered	‎05-18-2016 05:24 AM
Date Last Visited	‎10-14-2019 02:44 AM
Total Messages Posted	59
Total Likes Received	4

Online Status	Offline
Date Last Visited	‎10-14-2019 02:44 AM

Strata

Prisma

Cortex

About clonesheep