Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Get Started
- News & Events
- Collaboration
- Education Services
- Technologies
- Next-Generation Firewall
- GlobalProtect
- Threat Prevention Services
- Endpoint Protection
- SSL Decryption
- App-ID
- Content-ID
- User-ID
- 5G
- IoT Security
- Cloud Identity Engine
- Panorama
Network Security
- Prisma Access
- Prisma Cloud
- Prisma SD-WAN
- CN-Series
- VM-Series:
- OCI
- Alibaba
- AWS
- GCP
- Azure
Cloud Security
- Cortex XDR
- Cortex XSOAR
- Cortex Data Lake
- Cortex Xpanse
Security Operations
- Resources
- COVID-19 Response Center
About bhelman
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- LIVEcommunity
- About bhelman
08-30-2018
28Posts
0Likes
0Solutions
Aug 30, 2018Last Visited
User
Activity
User
Profile
Latest posts by bhelman
| Subject | Views | Posted |
|---|---|---|
| 1908 | 08-28-2018 01:04 PM | |
| 1909 | 08-28-2018 01:00 PM | |
| 1921 | 08-28-2018 12:12 PM | |
| 1228 | 10-20-2014 01:42 PM | |
| 2475 | 04-22-2013 11:10 AM |
User Badges
Community Statistics
| Member Since | 06-11-2010 01:50 PM |
| Date Last Visited | 08-30-2018 03:40 AM |
| Posts | 28 |
08-28-2018
01:04 PM
I'm seeing the error within the System Log widget on the dashboard. It's fine to turn it off, but the fact that I'm getting an error makes me think I have another issue. Is there a way to tell which interface on the PAN is being used to query DNS? Our internal DNS happen to be on segments directly connected to the PAN's, but I'm not seeing the traffic in the logs (from that PAN interface). It's going to take me a while to go through all of the interfaces to see which one is being used. I also checked for the management interface .. also not in the logs (for application dns).
... View more
08-28-2018
01:00 PM
Yikes. So I've noticed something on my systems. When I issue a "request resolve address <address>" command, any system that can respond with an IPv6 address returns a value immediately. Any system that can only respond with an IPv4 address takes ~9 seconds to return the information. I'm looking in to that now.
... View more
08-28-2018
12:12 PM
Have you been able to resolve this? I've pretty much ignored it for months on my systems. I just upgraded to 8.1.3 and, at least, they fixed the "diskable" typo, but I'm still getting the warning. I cannot find the reports it is flagging .. even searching the XML configuration code.
... View more
10-20-2014
01:42 PM
Last week I ran an ACC report for the top 25 applications. Netflix was #3 (university environment, so it's to be expected). Today, I ran the same report and Netflix (as an application) is no where to be found. I launched Netflix on my computer to generate some traffic and I'm not seeing it (I waited 20 minutes to make sure the session was ended and logged). I've tried searching, but I don't see any modifications to the application. Any reason this isn't showing up any more? PA-5050 @ PANOS 5.0.10 -Brian
... View more
Labels:
- Labels:
-
App-ID
04-22-2013
11:10 AM
The last I heard, this is not officially supported. However, if one did do it, two pairs of 100Mbs media converters would be the way to go. Hypothetically. You can also throw them into a layer-2 DEDICATED VLAN, if you don't have dedicated fiber between the devices. You need to make sure latency is very low though, or you're going to end up with both FW's going active.
... View more
03-20-2012
01:35 PM
That's what I'd expect as well, which is why I posted the question. It's possible the passive device is holding sessions "open" longer, to ensure they are actually closed in the event of a failover, but it seems odd. I can understand the high utilization for the management plane during a synch, but I would have expected it to come down much faster. It's also possible the unit is still doing a considerable amount of processing, even though the dashboard *says* everything is done.
... View more
03-20-2012
12:17 PM
I forgot to mention, we're running PANOS 4.0.9
... View more
03-20-2012
11:41 AM
I have a pair of PA-4020's in HA active/passive. I just did a commit (which went fine, except the synchronization failed and I had to push the config to the passive peer). I then looked at the passive and the information in the Resource Information widget on the Dashboard is a little suspicious. Again, this is immediately after a successful commit and a manual synchronization to the passive (I did not ssh in to look; everything is from the GUI): Active: Management Plane = 63%; Data Plane = 32%; Session Count = 69,000(ish) Passive: Management Plane = 85%; Data Plane = 1%; Session Count = 101,000(ish) I verified that the Passive did not kick in as active (the last log entries on the passive are from 6 days ago). At this moment (probably 10 minutes after the synchronization completed as far as I could see): Active: Management Plane = 15%; Data Plane = 32%; Session Count = 62,000(ish) Passive: Management Plane = 3%; Data Plane = 1%; Session Count = 95,000(ish) Shouldn't the session count on the Passive be either 0(ish) or the same as the Active? -Brian
... View more
07-13-2011
11:05 AM
"Your ping/traceroute traffic was not going off into segment B, it did not have a policy to allow it to the proper destination and was following the default route on the PaloAlto on which it could go." I think this is where I am confused. How do you define a "policy" that controls routing? Shouldn't that be an entry in the Virtual Router/Static Routes?
... View more
07-13-2011
10:58 AM
I need to parse most of what you said to fully understand it, but I don't think my original questions are answered: 1) why is traffic following the fw's default route rather than the known route of the destination server? Granted, without a security rule in place, it isn't going to work, but it should still try .. and that leads to #2 2) why do I not see "deny"'s in the monitor log? It really appears that the fw is making an assumption rather than routing. It makes no sense to me that a security policy impacts the routing path. Thanks, Brian
... View more
07-12-2011
11:05 AM
I just posted a somewhat similar issue. Explicitly allowing the traffic (even though the logs were not showing anything was blocked) resolved the problem. My post asked why this behavior is occuring.
... View more
07-12-2011
10:56 AM
We have been trying to troubleshoot an issue for a couple weeks now. We seem to have found the issue, but it doesn't make sense. I'm hoping someone can shed some light on this: First off, we have a pair of PAN-4020's in HA @ 3.1.9. I'm going to oversimplify the situation, but I think the logic will hold: Segments A, B and C Segment A is a user segment with 2 routers, in serial, (layer 3 switches) between the test user and the PAN Segment B is our connection to the Internet via a Cisco router connected to the PAN Segment C is a Data Center segment with one router (layer 3 switch) between the servers and the PAN. It's all layer 3, so this doesn't matter much, but Segments A, B and C hit the PAN on different interfaces. Segment C also has a load balancer on it (same device as the layer 3 switch). Users on Segment A are dynamically NAT'd ("many" users to 1 public address) Servers on Segment C are 1:1 static NAT'd Load balancer uses public addresses; All users access the servers via the public address, whether local or from the Internet. ------------ The issue: From a workstation on Segment A, if I web/ssl to a server on Segment C it works fine (there is a policy allowing this) From a workstation on Segment A I can go out on the Internet (obviously also a policy) From a workstation on Segment A, if I try to traceroute to a server (public or private address) on Segment C it fails. This is where the confusion lies .. There is not a policy allowing ping/icmp from A to C. What I don't understand is I do NOT see any failures in the logs from the workstation on A (either its public or private address) to the server on C (also checking both public and private addresses). ALSO, the traceroute goes off to the Internet (Segment B) and eventually fails rather than heading toward Segment C. Lastly, once I do put an explicit policy in place allowing icmp/ping (and SSH for that matter) from Segment A to Segment C, everything is happy. I don't understand how a security policy is impacting routing paths.
... View more
- Tags:
- default_route
- nat
06-01-2011
11:32 AM
What was your final resolution to this issue? We are in the process of upgrading to Exchange 2010 now and the consultants just sprang this multicast issue on me.
... View more
04-29-2011
08:53 AM
We are building a new data center across the street from the old one (probably 300 yards). Even though that's not a great separation, it's better than using the same room so I'm considering leaving 1 unit in the old data center and moving 1 to the new. I have my own fiber between the buildings, so fiber count is not an issue right now. I think I'm more inclined to use media converters though, just because of the switch-maintenance issue. The problem with that .. I need to figure out the HAx port speeds so I get the right fiber/copper converters (I don't want to buy 100/1000 if I can only use 100, but it sounds to me like 100 is probably overkill for the amount of data anyway). This is all good information. Thanks!
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
08-30-2018
03:40 AM
|
Latest Tags
No tags yet
LEGAL NOTICES
Copyright 2007 - 2021 - Palo Alto Networks
