About wimjuste

wimjuste · ‎10-11-2013

Meanwhile I also received feedback of our Palo Alto Networks local systems engineer. Allow me to share this information, because it revealed to root cause / answer to our problem. NAT device binding options include the following: Device 0 and Device 1—Translation is performed according to device-specific bindings only if the session owner and the device ID in the NAT rule match. evice-specific NAT rules are commonly used when the two firewalls use unique public IP addresses for translation Both—This option allows either device to match new sessions to the NAT rule and is commonly used for destination NAT Primary—This option allows only the active-primary device to match new sessions to the NAT rule. This setting is used mainly for inbound static NAT, where only one firewall should respond to ARP requests. Unlike device 0/1 bindings, a primary device binding can move between devices when the primary role is transferred

wimjuste · ‎10-01-2013

Dear all, I've configured my Palo Alto Cluster in a L3 Active / Active cluster setup. While I was trying to implement a NAT policy (Source Address Translation), it turns out that the only options that are working are: "0" and "1", as a reference to the member of the active/active cluster which should take care of the Address Translation. It turns out that the other option are not accepted by the PAN-OS while trying to push/commit the previously defined NAT policy (results in ERROR) Would be works as designed? Because, as a workaround I cloned the NAT rule, using either active/active binding to "0" and the exact same NAT rule, using active/active binding "1". Seems to be working fine, although I can imaging that the option "PRIMARY" would allow us to create this NAT rule ONLY ONCE. Thanks ! Kind regards, Wim

wimjuste · ‎04-15-2013

The assigned system support engineer provide exactly the same information as described by you. Concerning the 'awkward' phenomenon about starting fined grained information after having build that custom report, that must have been a coincidence/mix up. Now, all information is available while drilling down into menus of the Application Command Center. Thanks again for your valuable feedback.

wimjuste · ‎04-13-2013

Hi Mkiand, Thx for your suggestions ! Yes indeed: - NTP has been configured, even before the (data) interfaces were connected. So, onboard time sync was and is now also still in sync. - For data we want to see, there's an LOG AT START enabled. Should both (start/end) be enabled preferably to have correct and relevant data in ACC ? I already informed our Palo Alto engineer about this issue. He asked to open a support case in order to have a closer look. Just 1 remark: I don't know whether there's a link between both, but after creating a CUSTOM REPORT which forced to get data from the threat database for the past +/- 24hours, drilling down into the "Threat monitor" reveals fine grained information about sources/destations/etc. So, I tried to build a similar custom build report that forced to fetch data from "traffic" database, though the result was not successful: "no matching record" after drill down in the "Traffic monitor" I'll keep this thread up to date once a solution is provided from the support case.

wimjuste · ‎04-12-2013

Thx Bulent, From a secure configuration baseline policy point of view, deleting (or rather replacing it) the default administrative accounts, should be the first thing to do

wimjuste · ‎04-12-2013

Hi, Today we start using the Palo Alto device. Being one of its beneficial features, the Application Command Center provides a quick Birdseye view upon network visibility. Initially, we could drill down into (eg) Top Applications, in order to find out the top ip sources. After some 6 hours, this fine grained information seems not to be available anymore in ACC. All Top Sources, Application, etc display "No matching record", except for the information about "Threat Prevention". Regardless of the time interval being used as filter (15m, last 6 hours, ...) Though, if I click the respective icon to switch from ACC into the monitor TAB for either Traffic or Threat logs, the relevant log entries are available in here. Do I miss a configuration setting, in order to restore full information availability via ACC? Thanks Kind regards, Wim

wimjuste · ‎04-11-2013

Hi, Question about local administrative accounts and privileges: According to the manual the predefined "admin" account has full access. Does this means: 1) another local administrator account will never be able to get has much prviliges has the predefined one? 2) to maintain full access, the predefined "admin" must be used and thus, cannot be deleted? Thanks Kind regards, Wim

wimjuste · ‎03-12-2013

Damn too bad. A technical shortcoming. We already asked our PAN SE to apply for a feature request in order to have all operators available through all attribute in the policy rule editor. Nevertheless, this one might do the job: 1) filter all rules that includes a security profile group, using profile-setting/group eq 'my-group-reference' 2) Once filterd, select all rules listed. 3) Remove the selection criteria from the policy editor. Now all rules including a security profile group are selected, which should be the majority. Rules that do not have security group enabled (or different) are not selected. A visual cross check will indicate the suspected rules. I must admit that it takes some creative thinking to come to such a nasty solution .. Kind regards, Wim

wimjuste · ‎03-12-2013

Hi emr, Thanks for reply, your answer is helpful. For instance, we use a predefined set of security groups (but I didn't mentioned this one in my question) Though, your feedback is applicable for security groups as well ! 🙂 (profile-setting/group eq 'my-group-reference') I thought to be smart and use the "NEQ" operator in order to find out all rules WITHOUT a 'my-group-reference', but then, NONE rules are displayed. (suppose is would be the same as (profile-setting/profiles/virus neq 'default') Do you know perhaps how to inverse the (profile-setting/group eq 'my-group-reference') ? Thanks again ...

wimjuste · ‎03-12-2013

Dear all, How would it be possible to validate the security policy rules to have all a content inspection profile enabled? Because the "option" field does not allow to be selected as filter in the editor tab. (as this is the case for e.g. addresses or zones) Custom reports do also not include the ability to select content profile as an attribute. Thank you in advance, Kind regards, Wim

wimjuste · ‎02-28-2013

Don't they mean the HEARTBEAT interval parameter? Because the minimum value for HELLO on PA-5020 is 8000ms, I can't imaging having to wait for 3x 8000ms before a failover takes place? If not, what is the purpose of the HEARTBEAT interval parameter? Also, is the 3 times retry value configurable?

wimjuste · ‎02-21-2013

, XML Dear all, The Panorama feature "Scheduled Config Export" is a great way to backup all device configs to a central backup repository. I known one can import this XML config from the device itself, But would there also be a way to import the complete XML files to respective device USING panorama? Thanks, Wim

wimjuste · ‎02-15-2013

Dear all, Does a "Security Profile Group" with all security engines selected to "NONE" would have any processing(/performance) impact? Reason the so, is for future readiness. Allowing NOT to have chaning ALL individual security policies, in case we would like to enable a security content engine in this "security profile group". Thanks in advance! Kind regards, Wim

wimjuste · ‎11-15-2012

Hi, I placed a PAN device in VWIRE mode on the WAN side of a internet connection. I planned to test the APP-ID capabilities of detecting IP64 tunnels. Over this WAN link, a 6-4 tunnel exists with Hurricane tunnel-brooker. The APP-ID is able to detect the 6-4 tunnel and identifies it as IPV6 application. But when a native IPv6 client is surfing the web to GOOGLE or FACEBOOK (IPv6 addresses), thus using this 6-4 tunn, the APP-ID does not preform continuous APP validation. So, we lose application visibility within the 6-4 tunnel towards Hurricane. Isn't PAN able to identify APPs within 6-4 tunnels? (ISATAP, TEREDO, GRE) (only tested the Hurricane tunnels) Or once the protocol ID 41 is identified (=6-4 tunnel), no more continuous is performed ? Thanks, Kind regards, Wim

wimjuste · ‎10-26-2012

Hi, Would there be a way how to read the statistics about the usage of the ICMP IPv6 token-bucket? Additionally what is the relation between token based rate limiting as a global device setting and the ICMPv6 CPS rate limiting in on a per zone configuration setting? Thank you, Kind regrads, Wim

Date Registered	‎08-14-2012 10:43 AM
Date Last Visited	‎11-28-2017 01:41 AM
Total Messages Posted	16
Total Likes Received	2

Online Status	Offline
Date Last Visited	‎11-28-2017 01:41 AM

About wimjuste

Re: HA binding "both option" not working in NAT policy

HA binding "both option" not working in NAT policy

Re: "No matching record" in ACC after initialy using the PA-device

Re: "No matching record" in ACC after initialy using the PA-device

Re: Predefined admin account

Re: HA binding "both option" not working in NAT policy

HA binding "both option" not working in NAT policy

Re: HA failover time

Re: HA binding "both option" not working in NAT policy

HA binding "both option" not working in NAT policy

Re: "No matching record" in ACC after initialy using the PA-device

Re: "No matching record" in ACC after initialy using the PA-device

Re: Predefined admin account

"No matching record" in ACC after initialy using the PA-device

Predefined admin account

Re: Howto validate security policies for content inspection enabled ?

Re: Howto validate security policies for content inspection enabled ?

Howto validate security policies for content inspection enabled ?

Re: HA failover time

Config (XML) import to device, using Panorama

Process impact of "Security Profile Group" all set to NONE ?

APP-ID detection capabilities in IP64 tunnels

Howto read out ICMPv6 Token Bucket statistics?

Network Security

Cloud Security

Security Operations

About wimjuste