Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Get Started
- News & Events
- Collaboration
- Education Services
- Technologies
- Next-Generation Firewall
- GlobalProtect
- Threat Prevention Services
- Endpoint Protection
- SSL Decryption
- App-ID
- Content-ID
- User-ID
- 5G
- IoT Security
- Cloud Identity Engine
- Panorama
Network Security
- Prisma Access
- Prisma Cloud
- Prisma SD-WAN
- CN-Series
- VM-Series:
- OCI
- Alibaba
- AWS
- GCP
- Azure
Cloud Security
- Cortex XDR
- Cortex XSOAR
- Cortex Data Lake
- Cortex Xpanse
Security Operations
- Resources
- COVID-19 Response Center
About ewilen
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- LIVEcommunity
- About ewilen
08-18-2015
8Posts
0Likes
1Solution
Aug 18, 2015Last Visited
User
Activity
User
Profile
Latest posts by ewilen
| Subject | Views | Posted |
|---|---|---|
| 1665 | 04-26-2013 09:55 AM | |
| 1665 | 04-25-2013 01:26 PM | |
| 1156 | 09-13-2012 10:40 AM | |
| 1156 | 09-13-2012 06:54 AM | |
| 1308 | 09-12-2012 06:54 PM |
User Badges
Community Statistics
| Member Since | 08-12-2012 01:00 PM |
| Date Last Visited | 08-18-2015 09:06 AM |
| Posts | 8 |
04-26-2013
09:55 AM
I understand--I'm dealing with a similar issue myself. I'm working with support, and if I can get a config working I'll update this thread.
... View more
04-25-2013
01:26 PM
Possibly this document will help: What I take away from it is that if you want to exclude a site from decryption, you need to create a custom URL category that lists that site by ip address (page 3) not by name.
... View more
09-13-2012
10:40 AM
Thank you for your help, but it turns out this was a simple workstation configuration oversight on my part. When I configured the virtual interface on my Mac, I didn't notice that the DNS server had to be set per-interface, and that it wasn't set. This may be unique to virtual interfaces and/or Mac OS X 10.8. Once I added a DNS server to the interface, everything worked fine.
... View more
09-13-2012
06:54 AM
Well, I am not able to look at the firewall at this moment--will be in a position to do so in a few hours. But I'm quite sure the security policy is the same for Zone A and Zone B--that is I included them both in the same virtual router and the same policy, which specified allowing traffic from any of the internal zones. When I get a chance I'll increase the log level and retest. However, it occurred to me that the reason web pages aren't loading is (probably) because DNS isn't working. I believe my ping/traceroute tests were to IP addresses while web was to a domain name. I will also test accessing a web page by IP address. If it comes down to just DNS not working, then note that DNS uses UDP both outbound and inbound. On Mac, traceroute is (by default) UDP outbound and ICMP inbound. Ping is ICMP both outbound and inbound. If you put this all together then it may be that it's just the DNS UDP return packets which aren't being dellivered.
... View more
09-12-2012
06:54 PM
In order to overcome the limited number of physical interfaces on the PA-200, I need to have one physical interface handle traffic for two different zones, A & B. These zones need to talk to each other and to other internal zones (with security policies enforced by the firewall). In addition, they need to access the Internet using Dynamic-IP-and-port NAT, using the IP address of the external interface (which is on the Internet zone). All the ethernet interfaces are configured as layer 3 and all are on the same virtual router. They work fine with NAT. I'm having trouble with Zone B. For zone A, I used ethernet1/3. It has its own static RFC1918 subnet. Untagged Subinterface is not checked. For zone B, I use ethernet1/3.1. It has another static RFC1918 subnet. Its Tag is 3. Now I attach a workstation to physical interface 3 and I create a virtual interface on the workstation with Tag 3. I configure this virtual interface with an appropriate IP address, subnet, and gateway for zone B. I turn off the "normal" Ethernet interface on the workstation. (This is all done through Mac OS 10.8 System Preferences > Network.) At this point I can ping devices on the Internet side of the firewall. I can also traceroute. However, web pages don't load and DNS doesn't seem to work. Any suggestions on what I might be doing wrong or how to make this work?
... View more
- Tags:
- nat
- sub_interface
Labels:
- Labels:
-
Configuration
-
Networking
09-11-2012
11:58 AM
Can the management port be used as a normal network port, that is, e.g., can it be connected to a virtual router and assigned to a security zone?
... View more
- Tags:
- management_port
Labels:
- Labels:
-
Configuration
-
Management
-
Networking
09-10-2012
10:09 AM
Okay, I still don't quite understand why there's the option to not use tunnel mode. It seems to be related to internal gateways only, though, so apparently tunnel mode is the correct choice for my install. Any reason to choose SSL vs. IPSec for data transport? All I could find in either the admin guide or the globalprotect guide was that " The SSL-VPN client may also operate in IPSec mode (if configured on the firewall) for efficient transport of data" (p. 231) and that if the IPSec option is chosen, IPSec will be primary but SSL will still be available as a fallback (pp. 246, 254). So it seems that the IPSec checkbox should be checked, but the documentation isn't very informative.
... View more
09-07-2012
05:26 PM
Just getting started with PA, running software version 4.1.6, and I am learning how to set up a VPN to allow remote users into the protected network. We don't have a GlobalProtect license, but single-portal, single-gateway capability is included in the basic PA license as a replacement for NetConnect. One thing that is not clear is why the GlobalProtect gateway configuration has a checkbox for Tunnel Mode. The Administrator's Guide mentions "non-tunnel mode" very briefly on p. 246, relating it to "internal gateways". These are also mentioned briefly on p. 251. Can anyone explain what this is for, or more important, whether it's relevant to my configuration? There's just going to be a single PA firewall at the border of the protected network(s). Also, the PA-4.1 Administrator's Guide discusses setting up HIP objects & profiles for GlobalProtect, but the document "GlobalProtect-Configuring-revE" which I located here doesn't mention this, and in fact I didn't find it to be necessary. Am I correct that the features of HIP (requiring clients to meet certain patch levels & such) are not available without a GlobalProtect license? Yet another question: are there any reasons to prefer SSL vs. IPSec for the Tunnel mode? The checkbox for "enable IPSec" is on by default, but there's no description on p. 254 of why one might turn it off. Thanks in advance for any answers.
... View more
Labels:
- Labels:
-
Configuration
-
Networking
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
08-18-2015
09:06 AM
|
Latest Tags
No tags yet
LEGAL NOTICES
Copyright 2007 - 2021 - Palo Alto Networks
