This website uses cookies essential to its operation, for analytics, and for personalized content. By continuing to browse this site, you acknowledge the use of cookies.
For details on cookie usage on our site, read our Privacy Policy
For details on cookie usage on our site, read our Privacy Policy
About UXPSystems
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- LIVEcommunity
- About UXPSystems
04-16-2018
17Posts
2Likes
0Solutions
Apr 16, 2018Last Visited
User
Activity
User
Profile
Latest posts by UXPSystems
| Subject | Views | Posted |
|---|---|---|
| 3944 | 04-13-2018 01:08 PM | |
| 3994 | 04-13-2018 12:18 PM | |
| 2793 | 03-23-2018 06:04 AM | |
| 2936 | 03-22-2018 11:37 AM | |
| 1657 | 09-06-2017 01:00 PM | |
| 2742 | 07-11-2017 08:26 AM | |
| 2975 | 07-10-2017 08:33 AM | |
| 3028 | 07-07-2017 09:30 AM | |
| 4445 | 06-30-2017 08:00 AM | |
| 4584 | 06-26-2017 01:22 PM |
My Liked Posts
| Subject | Likes | Posted |
|---|---|---|
| 1 Like | 06-26-2017 01:22 PM | |
| 1 Like | 04-17-2017 06:23 AM |
User Badges
Community Statistics
| Member Since | 08-16-2016 01:50 PM |
| Date Last Visited | 04-16-2018 02:16 PM |
| Posts | 17 |
| Total Likes Received | 2 |
04-13-2018
01:08 PM
Great. Thank you all for the input. It looks like PANOS 8.1 and GlobalProtect 4.1 might provide a solution for me. Basically I can set the whole SaaS domain to pass through the VPN tunnel; but is not do-able on my PA right now (PA software version is still at 7.1.x).
... View more
04-13-2018
12:18 PM
Hi. In the Palo Alto firewall, I've created a new Address object with the type set to FQDN and with a valid DNS record. Saved and committed the change. Then I try to add this newly created address object to the access route list in the GlobalProtect's split tunnel list (we using split tunnel for the VPN connection). However, I am not seeing the new address object that I've created showing in the access route list. It looks the address object with the type set to FQDN do not supported as an entry in the access route. Can someone please confirm if this is true? Thank you.
... View more
03-23-2018
06:04 AM
Hi. Here is my two NAT policy for this setup NAT #1 Source Zone = L3-Untrust Destination Zone = L3-Untrust Detination Interface = Any Source Address = Any Desination Address = public IP Service = Any Source Translation = None Destination Translation = private IP of the ADFS WAP server NAT Rule #2 (u-turn): Source Zone = L3-Trust Destination Zone = L3-Untrust Destination Interface = Any Source Address = Any Destination Address = public IP Service = Any Source Translation = dynamic-ip-and-port; ethernet 1/1, public IP Destination Translation = private IP of the ADFS WAP server From the traffic log, I can see the ADFS WAP server is trying to access the internal ADFS server over port 443, but looks like nothing is return from the internal ADFS server. The session end due to aged out. I don't see any deny action. The traffic is allowed as far I can see from the PAN traffic log, but seems the internal ADFS server is not responding for somehow. I've verified port 443 is opened on the ADFS server's windows firewall on all the profile. Thanks.
... View more
03-22-2018
11:37 AM
Hi all. I am trying to setup a ADFS environment in our network. The actual ADFS server is located in the internal LAN, and the ADFS Web Application proxy is reside in the DMZ; internal LAN and DMZ is in a different VLAN. The goal is to send user authentications (orginiated from the Internet) to the ADFS web application proxy, and from there it communicate with the ADFS server in the internal LAN over port 443. I've created the NAT rule in the PA firewall, and pointed it to the ADFS WAP server. Also created the security policies to allow port 443 communication between the ADFS WAP and the ADFS server. However, this where I am having the problem. The ADFS WAP and the ADFS server failed to communicate with each other over port 443. Odd thing is this setup worked fine initially, and then suddenly stopped working. This is my 3 security policy that I've created : Rule #1 Source = L3-Untrust User = Any Destination Zone = L3-DMZ Destination Address = public IP Applicatoin = ssl Service = application-default Action = allow Rule #2 Source = L3-Trust User = Any Destination Zone = L3-DMZ Destination Address = public IP Application = ssl, ms-rdp, web-browsing Service = application-default Action = Allow Rule #3 Source = L3-DMZ Source Address = private IP of the server, also the public IP for the server User = Any Destination Zone = L3-Trust Desination Address = IP of the ADFS server Application = ssl Service = application-default Action = allow Am I missing anything here? Thank you. Note: I am able to RDP to the ADFS WAP server from the internal network.
... View more
09-06-2017
01:00 PM
Hi there. So we just got TRAPS Endpoint Protection implemented in our environment. I am just wondering how effectiveness is the default policy. How much protection is provided by the default policies, and what type of threats were being blocked by the default policies. We've got few windows server and couple user on windows OS, majority is on Linux and Mac OS. Thanks.
... View more
07-11-2017
08:26 AM
I see. In my case, I should fill up the "Application" field, and then set the "Service" field to "application-default". I was freaked out when I saw the telnet connection to those ports were sucessed even though I haven't allow the access on the PA. Thank you all for the explanation.
... View more
07-10-2017
08:33 AM
Hi all. So in general, the allow access is based on the "application" and "service" list, and if the applications and services isn't on the either of the Application and Service list, the PA firewall will accept the connection by then will drop it after the rule check? I guess what confuse me is I am expecting the PA to block the port 80 access (in this example) rather than it accepts the connection, then do the rule check, then drop the connection. In Cisco world, usually it simply blocks the port access if it is not on the allow list.... I still can telnet to port 80 from a windows laptop, and it simply give me a blank screen, which just means the port 80 is accessible ... Thank you.
... View more
07-07-2017
09:30 AM
Hi all. I am playing with security policy, and seeing a result that I am not expected. Basically I would like to allow connection from the Local (trusted) zone to a specific server in the DMZ zone to allow port 443 (ssl) traffic only In the Source section, to simplify things a bit, I set to "Any, Any" (all user in the Local zone is allowed to access the DMZ zone). Then in the Destination section, I set the Application field to "ssl", and the "Service" field to "any" (default is application-default). However, I notice users in the Local (trusted) zone is able to access the specific server in the DMZ zone over other ports, eg: 80, etc. Now, once I've set the "Application" field to "ssl", and "Service" field to "application-default", it is giving me the desire result. Can anyone please give me an explanation on this? Eg: the evaulation (relationship) between "Application" and "Service". Do I need to configure both "Application" and "Service" field, or just configure one of them is fine? Thank you.
... View more
06-30-2017
08:00 AM
Great. Thank you for the explanation. That make me feel relief a bit ^0^.
... View more
06-26-2017
01:22 PM
1 Kudo
Hi all. I am reviewing the "Threat" section on the Palo Alto firewall and I noticed some weird thing, perhaps it is normal, but I can't tell, thus this thread. There are couple of threat in the "Critical" category indicated with the "dropped" action. Yet when I opened the threat to see the details, I am seeing two timestamp for this event and each of the timestamp carries a different action. For example, a timestamp at 4:00AM marked with a "dropped" action (type is "vulnerability), yet another timestamp at 4:01AM for the same threat (type is "end") would marked with an "allow" action. Is this treat being blocked or it is allowed? Little bit confuse here. Thank you.
... View more
04-17-2017
06:23 AM
1 Kudo
Hi all. After couple of email exchange with the customer, and conference calls. It ends up their network administartor configured the VPN tunnel, yet he didn't configure the routes for this VPN connection. That explains why the tunnel is up, but no traffic goes through. Now they've assigned another network administrator to look into, yet he is on vacation till mid May.... Nothing can be done till mid May. Thank you for all the feedback, much appreciated!
... View more
04-11-2017
06:17 AM
Hi all. I don't have access to customer's network, thus no pcacp available from their end. It is a pain to get a hold of their staff to investigate this issue. They keep responding they've done the necessary configuration at their end, and from their prespective, this VPN configuration has been completed at their end. Yet no network traffic coming from their end. I've gone over the troubleshooting step as outline here, https://live.paloaltonetworks.com/t5/Management-Articles/How-to-Troubleshoot-IPSec-VPN-connectivity-issues/ta-p/59187 I can see the "Encap Bytes" value keep increasing, while the "Decap Bytes" stays constant. Per the explaination, that indicate network traffic is going out, but nothing returns from the target.
... View more
04-10-2017
02:23 PM
Hi. Nope, not running on Azure. It looks like the customer end is running on Juniper firewall if that helps.
... View more
04-10-2017
09:52 AM
Hi all. So I ran the "show vpn flow name" command, and I can see the " encap/decap bytes" field logs data there, and no authentication errors. The tunnel looks perfectly fine. Pretty much stuck on this one ...
... View more
04-07-2017
09:46 AM
I am not sure about the VPN product that the other end is using. As a test, if I configured the Proxy ID, the tunnel status goes into "down" state (red). A static route existed for the remote network If I do a tracert to the remote server, the tracert stops at our PA firewall. The PA traffic monitor will show packets has send to the remote network, but no packet receives (eg: no return traffic). I am wondering if the remtoe network didn't configure their route properly. Otherwise I don't see any issue on the VPN tunnel side, it is up, just no traffic coming back. Also the tracert result bothers me, as it shows stopped on our PA.
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
04-16-2018
02:16 PM
|
Latest Tags
No tags yet
LEGAL NOTICES
Copyright 2007 - 2023 - Palo Alto Networks