This website uses cookies essential to its operation, for analytics, and for personalized content. By continuing to browse this site, you acknowledge the use of cookies.
For details on cookie usage on our site, read our Privacy Policy
For details on cookie usage on our site, read our Privacy Policy
About jickfoo
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- LIVEcommunity
- About jickfoo
08-18-2015
21Posts
0Likes
0Solutions
Aug 18, 2015Last Visited
User
Activity
User
Profile
Latest posts by jickfoo
| Subject | Views | Posted |
|---|---|---|
| 2343 | 05-08-2012 10:41 AM | |
| 5022 | 03-17-2011 08:40 AM | |
| 5859 | 03-17-2011 06:34 AM | |
| 7638 | 03-14-2011 01:02 PM | |
| 2374 | 03-11-2011 07:26 AM | |
| 7638 | 03-10-2011 04:45 AM | |
| 7638 | 03-07-2011 09:35 AM | |
| 7859 | 03-07-2011 08:21 AM | |
| 7859 | 03-07-2011 07:22 AM | |
| 8915 | 03-07-2011 07:07 AM |
User Badges
Community Statistics
| Member Since | 06-10-2010 12:10 PM |
| Date Last Visited | 08-18-2015 09:06 AM |
| Posts | 21 |
05-08-2012
10:41 AM
Well, I fully understand the need for training users and we do that but there are those who will never learn/listen. URL Filtering is a critical piece of our security arsenal. We pay money to have a company (PaloAlto and Brightcloud) find and categorize websites. I understand it cannot be 100% accurate or up to date. Google Docs is a safe haven for Phishers is it not ? They hide behind a legit certificate which PA cannot filter on because it is not the same as the URL. If I was Google I would be concerned and I'm sure they are. I can create a decryption rule but do not want to turn this on for everywhere. I'd have to think that any list of google subnets would be only temporarily accurate at best. It's a pickle.
... View more
03-17-2011
08:40 AM
so I did the debug trace.. Not as easy as a tcpdump but whatever. In the Drop trace I see PA dropping keep alives. See attached. Any ideas ? Is PA dropping keep alives which is why I am getting idle sessions terminating ? If so, where can I change this ?
... View more
03-17-2011
06:34 AM
I have a bunch of connection, 12 to be exact. From a webserver to a Oracle DB Server. They timeout every 2 hours. They pass through a Cisco ASA and a PA 4020. I've created and override rule with a custom app with no timeout. (see attached) I'm in the position where I need to prove this is not the Palo Alto killing the connection. I'm sure it's not closing naturally. Something is killing the connection. How can I prove this on the PA? I know when the connections are going to die. I'm going to do a packet capture with the debug flow commands. Any hints on what to look for ? Will I see TCP RSTs or Fins sourced from the PA ? Thanks, Justin
... View more
03-14-2011
01:02 PM
Thanks.. I had the policy configured with 1 less IP then I needed. It's classifying correctly now. It's odd that the log wont tell you why the session closed. That's important information. In Cisco logs you will either see a FIN or a TCP Timeout. I'm pretty sure the firewall is not timing me out so it's ok but in the future this could be critical. Thanks again for your help, Justin
... View more
03-11-2011
07:26 AM
Bump.. I agree this is one weakness with the product.
... View more
03-10-2011
04:45 AM
One oddity remains. When I look at the traffic in the logs, its still says the traffic type is 'Oracle'. I would think it would show that the traffic type is Oracle-no-timeout. I checked the policy numerous times and cant figure out what I am doing wrong. Also, I have an end log for a session, but it doesnt say why it ended. If it ended due to a Firewall Timeout, would that show up in the logs? Thanks, Justin
... View more
03-07-2011
09:35 AM
Thanks for your responses. I probably should have gotten that from the documentation. You assistance is appreciated.
... View more
03-07-2011
08:21 AM
Thanks for the response It needs to be 0 because the app won't support keep alives. Between these 2 servers there are 8 nailed up connections. 8 nailed up connections are not going to override the boxes capabilities. Only this traffic will be changed to the alternate traffic type. So I guess I'm still left with, when I put in 0, why does the firewall change it to 0 - 604800 ? How do I disable TCP Timeouts for this particular stream ? Justin
... View more
03-07-2011
07:22 AM
I may have answered part of this myself. I just found the application override rules. I'm assuming that this is what I want to create? If so, the only remaining question is about the timeouts. Does that greyed out 0-604800 mean Zero ? Or does it mean 604800 ? Thanks, Justin
... View more
03-07-2011
07:07 AM
If you work with firewalls long enough you will undoubtably run into this issue. I have a webserver in the DMZ that needs to talk to the database server on the inside. The connections need to be nailed up. In otherwords, I dont want the firewalls to close any connections that it feels may be idle as this causes errors in the aplpication. So, I cloned the service and attempted to change the TCP timeouts to zero. Then, I created a rule high up in the scheme which states, from this webserver to this database server, using this custom service, Accept. but when I look at the logs, the traffic isnt going through this rule and I have a suspicion that the timeouts are still occuring. When I look at my custom timeouts, they are now greyed with a 0-604800 setting on them. Any clue as to why my rule wont trigget and what this greyed out 0-604800 means ? I attached the picture Thanks, Justin
... View more
Labels:
- Labels:
-
Configuration
-
Networking
-
Troubleshooting
03-02-2011
09:07 AM
you mean in the auth profile I add all ? Like in the attached picture ? Cause that didnt work. What do you use for login attribute ? sAMAccountName ?
... View more
03-02-2011
08:13 AM
I'm still struggling trying to authenticate a group of users as Palo Alto admins. These users are not in any one particular group. I get the error 'Authentication profile not found for the user' . I just want to create a list of ids for Palo Alto to query AD for using LDAP. Is the problem that PA will only search for groups or at a particular search base DN ? It cant search nested groups. I also am lost on how to turn debugging on just for this process. It would be good to see what the PA queries for. A 'test authentication' applet in the GUI might be a good thing to add. Any help would be appreciated.
... View more
03-02-2011
06:34 AM
Any documentation on how to do this in Active Directory ? Is there a prebuilt domain role that would provide this functionality ? Server Operators anything like that ? Thanks.
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
08-18-2015
09:06 AM
|
Latest Tags
No tags yet
LEGAL NOTICES
Copyright 2007 - 2023 - Palo Alto Networks