Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Live
- ›
- About Laurent_Dormond
About Laurent_Dormond
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Online
46Posts
3Likes
1Solution
Sep 23, 2020Last Visited
User
Activity
User
Profile
Latest posts by Laurent_Dormond
| Subject | Views | Posted |
|---|---|---|
| 4215 | 07-26-2019 01:35 AM | |
| 4254 | 07-24-2019 08:02 AM | |
| 4306 | 07-24-2019 02:47 AM | |
| 1763 | 06-07-2019 12:34 AM | |
| 2256 | 05-10-2019 12:21 AM |
My Liked Posts
| Subject | Likes | Posted |
|---|---|---|
| 1 | 07-24-2019 08:02 AM | |
| 1 | 10-11-2017 02:33 AM | |
| 1 | 10-03-2017 05:57 AM |
User Badges
Public Statistics
| Date Registered | 08-15-2016 07:10 AM |
| Date Last Visited | 11 hours ago |
| Total Messages Posted | 79 |
| Total Likes Received | 3 |
07-26-2019
01:35 AM
Hello, Indeed we had a limitation of 2000 GB (and not 2 TB) Virtual Disk. That explains why our Virtual Disks are just under 2 TB, thus preventing us to add new disks, following the KB. Now this limitation is no more active, allowing us to add Virtual Disk of maximum 4 TB. Do you know wether Panorama allow virtual disk extension ? For example if we extend our current 2000 GB virtual disk to 4 TB, Panorama will be able to see and use this new disk space ? Regards,
... View more
07-24-2019
08:02 AM
1 Kudo
Hi Alexander.Astardzhiev Thanks for your reply. I will have to double-check this with our virtualization team, but I think that we may be facing same issue. Regards, Laurent
... View more
07-24-2019
02:47 AM
Hello, We are running Panorama VM release 8.1.8 un Panorama mode. We have a 2 TB disk for logging and we would like to add a second 2 TB disk. The new virtual disk has been added to the VM, and after reboot is seen as sdb in Panorama (sdc is already working) : > show system disk details Name : sdb State : Present Size : 1887436 MB Status : Migration completed Reason : Admin disabled Name : sdc State : Present Size : 1992294 MB Status : Available Reason : Admin enabled I have already tried to enable this new partition but it still doesn't work : > request system disk add sdb Executing this command will delete all data on the drive being added. Do you want to continue? (y or n) Operation: Addition of the sdb disk is already in progress. Run 'show system disk details' to see the status Any idea to make this virtual disk enabled in Panorama ? Do you know if any messages are logged regarding this ? Regards, Laurent
... View more
05-10-2019
12:21 AM
I'm currently running same release 8.0.14 on my appliances (planned to upgrade to 8.1 soon) and never seen this issue. I'm pretty sure that 8.0.14 is a very stable release, but you can have a look at the last 8.0.17 RN to see wether similar issue has been identified if you want.
... View more
05-09-2019
08:24 AM
Hi, You should try to download the current dynamic updates files from the PaloAlto customer portal, and then manually upload them to your device and install. After that the dynamic updates should work fine. I also faced a similar issue once when a downloaded update was no good (maybe corrupt) I had to manually delete it from the boy (using cli) and then download another update file it solved the issue. > delete anti-virus update archivename > delete content update filename Regards, Laurent
... View more
05-09-2019
08:19 AM
05-09-2019
08:15 AM
Hello, When launching the userid installer 8.1 on a server running userid release 8.0, it displays a warning message during the update process : This message was never displayed during update process of older release. What does it mean and is there any potential impact on running applications or processes ? Regards, Laurent
... View more
- Tags:
- User-ID 8.1
05-08-2019
04:06 AM
Many thanks, this is a really usefull documentation. I was not able to find it.
... View more
05-08-2019
01:54 AM
Hello, I wonder what is the port / protocol used by windows UserID agents to monitor Exchange and AD servers ? Indeed I have another FW between my PaloAlto device and the Active Directory and Exchange servers I want to monitor. Is this SMB traffic on port TP 445 ? Is this the case for any version of AD / Exchange servers ? I can't find any information regarding this point. Regards, Laurent
... View more
03-22-2019
05:47 AM
Hi, indeed, I tried to use static IP instead of Dynamic Ip (with session redistribution) for DNAT and it commits successfully. Thanks for the info, also we need to upgrade our appliances to PanOS 8.1. This is a case where managing the applicanes through Panorama in later release could lead to attempt to configure unsupported features...
... View more
03-22-2019
02:59 AM
Hello, I'm trying to configure double NAT rule (SNAT + DNAT) using Panorama 8.1.4 managing PA 5220 devices running PanOS 8.0.14. I can valid / commit configuration on Panorama, but when pushing config to devices I get following error message : vsys -> vsys4 -> rulebase -> nat -> rules -> Exchange-vers-SMTP -> dynamic-destination-translation unexpected here vsys -> vsys4 -> rulebase -> nat -> rules is invalid Commit failed Source Address translation : Dynamic IP -> one unique IP address I tried to specify Dynamic IP and port instead, same error. Destination Address translation : Dynamic IP (with session distribution) -> address group (2 IP addresses) I tried to specify translated ports or leaving blank, same error. Any idea ? Regards, Laurent
... View more
01-30-2019
01:16 AM
Hello guys, Many thanks for your answers. Of course it makes sense that userid mapping table should not be shared across multiple VSYS by default, I was just thinking about something like a "hidden" command to make it that way. However it's not a major need for me, it would be a "nice to have", also I will configure userid for each VSYS.
... View more
01-29-2019
05:49 AM
Hello, We are using PA cluster in multiple VSYS environment. We would like to be able to configure user / group based policies across all the VSYS by sharing userid mapping table with all the VSYS (the user identification baseline is the same for all the VSYS). Is there a quick method to achieve this or do we have to configure (same) userid settings in each VSYS ? Laurent
... View more
08-06-2018
08:04 AM
Hi reaper, Yes I have tried this without success. I have already tried following queries : (user.src in 'prefix_') (user.src in 'domain\prefix_') (user.src in 'prefix_*') (user.src in 'domain\prefix_*') (srcuser eq prefix_) (srcuser eq domain\prefix_) (srcuser eq prefix_*) (srcuser eq domain\prefix_*)
... View more
08-06-2018
06:42 AM
Hello, We are an organization with thousends of users. Our user names have prefixes stranding for their departement or unit, for example tic_username for IT, mkt_username for marketing and so on. I would like to generate custom report using Panorama Query builder but I'm unable to achieve this. I have tried to use source user filters ("source user in" and "source user equal"). I have tried with our without domain name, with or without wildcard, but it always return no result. How to properly use the query builder ? Regards, Laurent
... View more
06-12-2018
02:07 AM
Hi, FTPS is basically FTP over SSL layer (do not confuse with SFTP), which means that since you enable SSL decryption you should see application "FTP". When you don't enable SSL decryption you will see application "SSL". Just be carefull as often, FTPS service are running on exotic ports (I have many in my environment on port 90x or 120x it depends of the provider. In this case be sure to disable "default application" in the service tab (and use particular service or "any") otherwise your FW wil drop the traffic. Regards,
... View more
06-12-2018
01:59 AM
Hi vsys_remo , We upgraded 3 months ago in 8.0.1 with migration from legacy mode to panorama mode. We added CPU and RAM as requested for that (8 vCPU and 16 GB RAM). We have 2 TB for the storage VMFS (we didn't change it) Regards,
... View more
06-12-2018
12:37 AM
I think that in most of large network environments you will see a part of unknown-tcp / udp traffic. I always saw it by our customers, also I don't think it would be a great idea to block such traffic. If you do so, it's likely you will get some side effects and then several applications no more working as expected. Ideally, you should try to identify this kind of traffic and building custom app signatures and use application override to properly identify this traffic. Laurent
... View more
06-12-2018
12:28 AM
Hello, We recently upgraded our Panorama VM from PanOS 7.1 to PanOS 8.0, currently running 8.0.8. After the upgrade and the migration process, we noticed that our traffic log retention capacity decreased to over a third (from around 100 days to around 30 days). We had no change in our network also no reason thinking to have an increase of the overall network traffic. Did you notice the same in your environment ? Laurent
... View more
04-26-2018
06:28 AM
Thanks for your answer. We are not using Minemeld yet but we are looking at it. I did the commit of course also the exception has been added to the config.
... View more
04-26-2018
01:53 AM
Hello, We have recently upgraded our FW to PanOS 8.x (currently running 8.0.8) and we want to use the newly added feature that enable to add exceptions in External Dynamic List. However it doesn't seem to work since the configured IP we put in exceptions (in a IP list) are still blocked by our policy. Did you try this and does it work for you ?
... View more
10-11-2017
02:33 AM
1 Kudo
Hi, Thanks for your answer. We have been added to this FR by our local SE. Regards, Laurent
... View more
10-03-2017
05:57 AM
1 Kudo
Hello, I think that it depends of the load-balancing algorithm that you choose for ECMP routing. If you use IP-Modulo (default option) you will always have same route as preferred route for a given source / destination couple. Regards, Laurent
... View more
10-03-2017
05:23 AM
Hello, We are using a proxy server to control Internet access from internal resources, including the PA firewall. This proxy can only be used to reach external destination. Also, we had to configure the proxy server on the PA device (Setup -> Services -> Global) in order for the PA to perform updates. Now we would like to use External Dynamic List (EDL), and it seems that the connection to the Source URL is also using the configured proxy server. However our EDL file is hosted in our internal network, also our proxy can't reach this network. Is there any way to selectively configure proxy server for PA services ? For example having a proxy server configured fo PA updates and no proxy server configured for accessing EDL ? Kind Regards, Laurent
... View more
05-08-2017
04:51 AM
After spending several hours to analyze the behaviour, trying to replicate the issue and so on I can finally say that is is really tricky to handle. Indeed, it involves both HTTP and HTTPS traffic, and I'm pretty sure there are very tight links with MS updates, since along with all replications of the issue I could see HTTP GET request to www.download.windowsupdate.com (User-Agent: Microsoft-CryptoAPI/6.1) I tried to define custom apps for Adobe requests and MSupdate requests (based on the User Agent) but it still didn't work. Finally I opened all tcp 80 / 443 for the users, allowing the updates to achieve and then deletes the rule and that did the trick. To summarize : it would be really helpfull if PaloAlto could release an efficient contend-id signature for all these Adobe Creative Cloud related traffic...
... View more
05-05-2017
12:17 AM
Hello, 1) No we don't decrypt trafic yet. Indeed I was thinking that this could help to deal with, however I'm afraid of the drawbacks involved by decrypting HTTPS traffic. 2) No I was just sharing my thoughts here for the instance. Laurent
... View more
05-04-2017
08:59 AM
Hello, unfortunately it relies on Akamai-like technologies : no way to identify IP ranges...
... View more
05-04-2017
07:32 AM
Hello, Many thanks for you follow-up and advices. I just made a Change Request to increase the timeout cache value from default 45 min to 120 min. I will see in a few days whether this has fixed my issue. Regards
... View more
05-04-2017
07:29 AM
Hello, We have several of our users that are using well-known Creative Cloud client to download/manage/update/upload/assess/enhance/whatever their wonderfull Adobe softwares (Aftereffect, DreamWeaver, ...) We have a PA with application-based policies. We deny all traffic that rely on "ms-update" application by default (because we have WSUS in place and we don't want users to perform OS updates on their own or even unexpected). The issue is that it seems that a lots of (all?) Adobe CC updates are identified by PA as "ms-updates" traffic. I put that in evidence by issuing PCAP capture on the PA device filtered on the source IP of one workstation that is facing this issue and I saw lots of HTTP GET to *msupdate" as well as *adobe.com* destinations at the same time... My question is : How to allow Adobe CC related traffic while denying "real" MS updates traffic ? Kind Regards, Laurent
... View more
Latest Blogs
Latest Posts
Copyright 2007 - 2020 - Palo Alto Networks
