About ewilen

ewilen · ‎04-26-2013

I understand--I'm dealing with a similar issue myself. I'm working with support, and if I can get a config working I'll update this thread.

ewilen · ‎04-25-2013

Possibly this document will help: What I take away from it is that if you want to exclude a site from decryption, you need to create a custom URL category that lists that site by ip address (page 3) not by name.

ewilen · ‎09-13-2012

Thank you for your help, but it turns out this was a simple workstation configuration oversight on my part. When I configured the virtual interface on my Mac, I didn't notice that the DNS server had to be set per-interface, and that it wasn't set. This may be unique to virtual interfaces and/or Mac OS X 10.8. Once I added a DNS server to the interface, everything worked fine.

ewilen · ‎09-13-2012

Well, I am not able to look at the firewall at this moment--will be in a position to do so in a few hours. But I'm quite sure the security policy is the same for Zone A and Zone B--that is I included them both in the same virtual router and the same policy, which specified allowing traffic from any of the internal zones. When I get a chance I'll increase the log level and retest. However, it occurred to me that the reason web pages aren't loading is (probably) because DNS isn't working. I believe my ping/traceroute tests were to IP addresses while web was to a domain name. I will also test accessing a web page by IP address. If it comes down to just DNS not working, then note that DNS uses UDP both outbound and inbound. On Mac, traceroute is (by default) UDP outbound and ICMP inbound. Ping is ICMP both outbound and inbound. If you put this all together then it may be that it's just the DNS UDP return packets which aren't being dellivered.

ewilen · ‎09-12-2012

In order to overcome the limited number of physical interfaces on the PA-200, I need to have one physical interface handle traffic for two different zones, A & B. These zones need to talk to each other and to other internal zones (with security policies enforced by the firewall). In addition, they need to access the Internet using Dynamic-IP-and-port NAT, using the IP address of the external interface (which is on the Internet zone). All the ethernet interfaces are configured as layer 3 and all are on the same virtual router. They work fine with NAT. I'm having trouble with Zone B. For zone A, I used ethernet1/3. It has its own static RFC1918 subnet. Untagged Subinterface is not checked. For zone B, I use ethernet1/3.1. It has another static RFC1918 subnet. Its Tag is 3. Now I attach a workstation to physical interface 3 and I create a virtual interface on the workstation with Tag 3. I configure this virtual interface with an appropriate IP address, subnet, and gateway for zone B. I turn off the "normal" Ethernet interface on the workstation. (This is all done through Mac OS 10.8 System Preferences > Network.) At this point I can ping devices on the Internet side of the firewall. I can also traceroute. However, web pages don't load and DNS doesn't seem to work. Any suggestions on what I might be doing wrong or how to make this work?

Member Since	‎08-12-2012 01:00 PM
Date Last Visited	‎08-18-2015 09:06 AM
Posts	8

Online Status	Offline
Date Last Visited	‎08-18-2015 09:06 AM

About ewilen

Re: Exclude www.google.* from decryption

Re: Exclude www.google.* from decryption

Re: configuring NAT with TAGGED subinterfaces

Re: configuring NAT with TAGGED subinterfaces

configuring NAT with TAGGED subinterfaces

Re: Exclude www.google.* from decryption

Re: Exclude www.google.* from decryption

Re: configuring NAT with TAGGED subinterfaces

Re: configuring NAT with TAGGED subinterfaces

configuring NAT with TAGGED subinterfaces