Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Live
- ›
- About wimjuste
About wimjuste
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
11-28-2017
15Posts
2Likes
0Solutions
Nov 28, 2017Last Visited
User
Activity
User
Profile
Latest posts by wimjuste
| Subject | Views | Posted |
|---|---|---|
| 1205 | 10-11-2013 01:22 AM | |
| 1384 | 10-01-2013 01:03 PM | |
| 1419 | 04-15-2013 07:46 AM | |
| 1419 | 04-13-2013 01:20 PM | |
| 409 | 04-12-2013 12:10 AM |
My Liked Posts
| Subject | Likes | Posted |
|---|---|---|
| 1 | 10-11-2013 01:22 AM | |
| 1 | 10-01-2013 01:03 PM |
Posts I Liked
| Subject | Likes | Author | Latest Post |
|---|---|---|---|
| 2 |
User Badges
Public Statistics
| Date Registered | 08-14-2012 10:43 AM |
| Date Last Visited | 11-28-2017 01:41 AM |
| Total Messages Posted | 16 |
| Total Likes Received | 2 |
10-11-2013
01:22 AM
1 Kudo
Meanwhile I also received feedback of our Palo Alto Networks local systems engineer. Allow me to share this information, because it revealed to root cause / answer to our problem. NAT device binding options include the following: Device 0 and Device 1—Translation is performed according to device-specific bindings only if the session owner and the device ID in the NAT rule match. evice-specific NAT rules are commonly used when the two firewalls use unique public IP addresses for translation Both—This option allows either device to match new sessions to the NAT rule and is commonly used for destination NAT Primary—This option allows only the active-primary device to match new sessions to the NAT rule. This setting is used mainly for inbound static NAT, where only one firewall should respond to ARP requests. Unlike device 0/1 bindings, a primary device binding can move between devices when the primary role is transferred
... View more
10-01-2013
01:03 PM
1 Kudo
Dear all, I've configured my Palo Alto Cluster in a L3 Active / Active cluster setup. While I was trying to implement a NAT policy (Source Address Translation), it turns out that the only options that are working are: "0" and "1", as a reference to the member of the active/active cluster which should take care of the Address Translation. It turns out that the other option are not accepted by the PAN-OS while trying to push/commit the previously defined NAT policy (results in ERROR) Would be works as designed? Because, as a workaround I cloned the NAT rule, using either active/active binding to "0" and the exact same NAT rule, using active/active binding "1". Seems to be working fine, although I can imaging that the option "PRIMARY" would allow us to create this NAT rule ONLY ONCE. Thanks ! Kind regards, Wim
... View more
04-15-2013
07:46 AM
The assigned system support engineer provide exactly the same information as described by you. Concerning the 'awkward' phenomenon about starting fined grained information after having build that custom report, that must have been a coincidence/mix up. Now, all information is available while drilling down into menus of the Application Command Center. Thanks again for your valuable feedback.
... View more
04-13-2013
01:20 PM
Hi Mkiand, Thx for your suggestions ! Yes indeed: - NTP has been configured, even before the (data) interfaces were connected. So, onboard time sync was and is now also still in sync. - For data we want to see, there's an LOG AT START enabled. Should both (start/end) be enabled preferably to have correct and relevant data in ACC ? I already informed our Palo Alto engineer about this issue. He asked to open a support case in order to have a closer look. Just 1 remark: I don't know whether there's a link between both, but after creating a CUSTOM REPORT which forced to get data from the threat database for the past +/- 24hours, drilling down into the "Threat monitor" reveals fine grained information about sources/destations/etc. So, I tried to build a similar custom build report that forced to fetch data from "traffic" database, though the result was not successful: "no matching record" after drill down in the "Traffic monitor" I'll keep this thread up to date once a solution is provided from the support case.
... View more
04-12-2013
12:10 AM
Thx Bulent, From a secure configuration baseline policy point of view, deleting (or rather replacing it) the default administrative accounts, should be the first thing to do
... View more
04-12-2013
12:05 AM
Hi, Today we start using the Palo Alto device. Being one of its beneficial features, the Application Command Center provides a quick Birdseye view upon network visibility. Initially, we could drill down into (eg) Top Applications, in order to find out the top ip sources. After some 6 hours, this fine grained information seems not to be available anymore in ACC. All Top Sources, Application, etc display "No matching record", except for the information about "Threat Prevention". Regardless of the time interval being used as filter (15m, last 6 hours, ...) Though, if I click the respective icon to switch from ACC into the monitor TAB for either Traffic or Threat logs, the relevant log entries are available in here. Do I miss a configuration setting, in order to restore full information availability via ACC? Thanks Kind regards, Wim
... View more
04-11-2013
11:34 PM
Hi, Question about local administrative accounts and privileges: According to the manual the predefined "admin" account has full access. Does this means: 1) another local administrator account will never be able to get has much prviliges has the predefined one? 2) to maintain full access, the predefined "admin" must be used and thus, cannot be deleted? Thanks Kind regards, Wim
... View more
03-12-2013
08:59 AM
Damn too bad. A technical shortcoming. We already asked our PAN SE to apply for a feature request in order to have all operators available through all attribute in the policy rule editor. Nevertheless, this one might do the job: 1) filter all rules that includes a security profile group, using profile-setting/group eq 'my-group-reference' 2) Once filterd, select all rules listed. 3) Remove the selection criteria from the policy editor. Now all rules including a security profile group are selected, which should be the majority. Rules that do not have security group enabled (or different) are not selected. A visual cross check will indicate the suspected rules. I must admit that it takes some creative thinking to come to such a nasty solution .. Kind regards, Wim
... View more
03-12-2013
07:54 AM
Hi emr, Thanks for reply, your answer is helpful. For instance, we use a predefined set of security groups (but I didn't mentioned this one in my question) Though, your feedback is applicable for security groups as well ! 🙂 (profile-setting/group eq 'my-group-reference') I thought to be smart and use the "NEQ" operator in order to find out all rules WITHOUT a 'my-group-reference', but then, NONE rules are displayed. (suppose is would be the same as (profile-setting/profiles/virus neq 'default') Do you know perhaps how to inverse the (profile-setting/group eq 'my-group-reference') ? Thanks again ...
... View more
03-12-2013
07:00 AM
Dear all, How would it be possible to validate the security policy rules to have all a content inspection profile enabled? Because the "option" field does not allow to be selected as filter in the editor tab. (as this is the case for e.g. addresses or zones) Custom reports do also not include the ability to select content profile as an attribute. Thank you in advance, Kind regards, Wim
... View more
Labels:
- Labels:
-
Configuration
-
Management
02-28-2013
07:58 AM
Don't they mean the HEARTBEAT interval parameter? Because the minimum value for HELLO on PA-5020 is 8000ms, I can't imaging having to wait for 3x 8000ms before a failover takes place? If not, what is the purpose of the HEARTBEAT interval parameter? Also, is the 3 times retry value configurable?
... View more
02-21-2013
04:49 AM
, XML Dear all, The Panorama feature "Scheduled Config Export" is a great way to backup all device configs to a central backup repository. I known one can import this XML config from the device itself, But would there also be a way to import the complete XML files to respective device USING panorama? Thanks, Wim
... View more
Labels:
- Labels:
-
Panorama
02-15-2013
02:25 AM
Dear all, Does a "Security Profile Group" with all security engines selected to "NONE" would have any processing(/performance) impact? Reason the so, is for future readiness. Allowing NOT to have chaning ALL individual security policies, in case we would like to enable a security content engine in this "security profile group". Thanks in advance! Kind regards, Wim
... View more
11-15-2012
02:37 AM
Hi, I placed a PAN device in VWIRE mode on the WAN side of a internet connection. I planned to test the APP-ID capabilities of detecting IP64 tunnels. Over this WAN link, a 6-4 tunnel exists with Hurricane tunnel-brooker. The APP-ID is able to detect the 6-4 tunnel and identifies it as IPV6 application. But when a native IPv6 client is surfing the web to GOOGLE or FACEBOOK (IPv6 addresses), thus using this 6-4 tunn, the APP-ID does not preform continuous APP validation. So, we lose application visibility within the 6-4 tunnel towards Hurricane. Isn't PAN able to identify APPs within 6-4 tunnels? (ISATAP, TEREDO, GRE) (only tested the Hurricane tunnels) Or once the protocol ID 41 is identified (=6-4 tunnel), no more continuous is performed ? Thanks, Kind regards, Wim
... View more
Labels:
- Labels:
-
App-ID
10-26-2012
05:48 AM
Hi, Would there be a way how to read the statistics about the usage of the ICMP IPv6 token-bucket? Additionally what is the relation between token based rate limiting as a global device setting and the ICMPv6 CPS rate limiting in on a per zone configuration setting? Thank you, Kind regrads, Wim
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
11-28-2017
01:41 AM
|
Latest Tags
No tags yet
Latest Blogs
Latest Posts
Copyright 2007 - 2020 - Palo Alto Networks
