This website uses cookies essential to its operation, for analytics, and for personalized content. By continuing to browse this site, you acknowledge the use of cookies.
For details on cookie usage on our site, read our Privacy Policy
For details on cookie usage on our site, read our Privacy Policy
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Get Started
- News & Events
- Collaboration
- Education Services
- Technologies
- Next-Generation Firewall
- GlobalProtect
- Threat Prevention Services
- Endpoint Protection
- SSL Decryption
- App-ID
- Content-ID
- User-ID
- 5G
- IoT Security
- Cloud Identity Engine
- Panorama
- AIOps for NGFW
Network Security
- Prisma Access
- Prisma Cloud
- Prisma SD-WAN
- Cloud NGFW for AWS
- CN-Series
- VM-Series:
- Private Cloud
- OCI
- Alibaba
- AWS
- GCP
- Azure
Cloud Security
- Cortex XDR
- Cortex XSOAR
- Cortex Data Lake
- Cortex Xpanse
Security Operations
- Resources
About MatthewSabin
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- LIVEcommunity
- About MatthewSabin
06-28-2022
22Posts
9Likes
1Solution
Jun 28, 2022Last Visited
User
Activity
User
Profile
Latest posts by MatthewSabin
| Subject | Views | Posted |
|---|---|---|
| 1090 | 01-13-2022 03:13 PM | |
| 453 | 09-24-2021 03:35 PM | |
| 1404 | 11-03-2020 12:15 PM | |
| 2486 | 10-21-2020 08:20 AM | |
| 1526 | 10-19-2020 09:27 PM |
My Liked Posts
| Subject | Likes | Posted |
|---|---|---|
| 1 Like | 05-19-2017 11:15 AM | |
| 1 Like | 11-03-2020 12:15 PM | |
| 2 Likes | 05-18-2017 03:43 PM | |
| 4 Likes | 04-13-2017 10:30 AM | |
| 1 Like | 03-31-2017 11:34 AM |
Posts I Liked
| Subject | Likes | Author | Latest Post |
|---|---|---|---|
| 2 Likes | |||
| 1 Like | |||
| 2 Likes | |||
| 3 Likes | |||
| 1 Like |
User Badges
Community Statistics
| Member Since | 03-15-2017 03:23 PM |
| Date Last Visited | 06-28-2022 03:45 PM |
| Posts | 22 |
| Total Likes Received | 9 |
01-13-2022
03:13 PM
Will 10.0.x clients not be able to get authenticated (or renew certificates) until they're upgraded?
... View more
09-24-2021
03:35 PM
The image appears in my search in the software updates area on the support portal - you do need to be a Paloalto customer and I presume must be eligible to use the image in order to see it in the portal.
... View more
11-03-2020
12:15 PM
1 Kudo
Thanks for the tip, but it turns out that my problem wasn't about syntax but method. Pasting all of the parts of a certificate into the configuration and comitting doesn't actually "install" a certificate, or so I've learned. Rather than pasting it in, TAC informs me that I must exit configuration mode and import the certificate as below: scp import certificate source-ip <scp server IP> remote-port <scp server port> from <user>@<scp server>:<path><filename> format <pem|pkcs12> [passphrase <pass phrase>] certificate-name <name> Whe the certificate is imported, that invalid syntax line magically materializes in the show output.
... View more
10-21-2020
08:20 AM
We'll need a little more detail to give you any help. In the meantime, take a look at this thread: https://live.paloaltonetworks.com/t5/general-topics/globalprotect-the-server-certificate-is-invalid/td-p/193204/jump-to/first-unread-message --Matthew
... View more
10-19-2020
09:27 PM
I have successfully loaded my device certificate and a CA certificate from the CLI - took some seraching for format of the certificate strings, but they're in there now. One problem. In a firewall I have previously set up I show (in set format) the certificate stanza: set shared certificate wanroot subject-hash ffffffff set shared certificate wanroot issuer-hash ffffffff set shared certificate wanroot not-valid-before "May 23 02:36:33 2020 GMT" set shared certificate wanroot issuer /CN=wanroot set shared certificate wanroot not-valid-after "May 18 02:36:33 2040 GMT" set shared certificate wanroot common-name wanroot set shared certificate wanroot expiry-epoch 2220921393 set shared certificate wanroot ca yes set shared certificate wanroot subject /CN=wanroot set shared certificate wanroot public-key "-----BEGIN CERTIFICATE-----[blahblahblah]-----END CERTIFICATE-----" set shared certificate wanroot algorithm EC I get an error entering the line "set shared certificate wanroot ca yes" - Invalid syntax. What is the correct way to declare a certificate a CA certificate from the CLI? --Matthew
... View more
- Tags:
- certificate
- cli
12-13-2017
02:15 PM
We put it in lab last week - no issues to report. We'll start testing in the production environment after the holidays.
... View more
05-19-2017
11:15 AM
1 Kudo
I'll revive this question - as the answers didn't actually relate. The Cisco ASA packet tracer allows you to propose a hypothetical flow and runs it through the engine as if it were real. Evaluating the NAT and route dicisions which would likely apply in addition to the policy/ACL allow/deny logic. It was very helpful to see if your configured configuration should pass traffic you are planning for prior to the actual traffic arriving.
... View more
05-18-2017
03:43 PM
2 Kudos
Thankyou chris.russell for this one, we've been pulling our hair out trying to build an XML file "template" This will make our configuration push script much easier to build.
... View more
04-13-2017
10:30 AM
4 Kudos
I'm about 2-months in, and I'm still looking for what I need to know. What I most want is the "How to think Palo Alto" guide - the biggest picture of how the parts fit together, and the minute details of what little "other-guy" process or method doesn't work here. I'll publish it myself once I think I have it 😉
... View more
03-31-2017
11:34 AM
1 Kudo
i'll eat my crow now... Problem solved: Bad cable/ethernet jack on upstream router. All successful connections correlate with events where a coworker was forcing the lab traffic over a different link. His timing just made my troubleshooting harder. Layer 1 sure gets in the way when you're think 4 through 7.
... View more
03-28-2017
03:41 PM
I got my SE on the case and while studying packet-captures it suddenly seemed like the communication was great until the packets got big. We wondered if it could be an MTU problem. I put a laptop in the PA220's place and ran through the connections at MTU 1500 - AOK. Put the laptop in the client's place and had to drop down to 1400 to get the transfers to go. We couldn't find anywhere in the PA220 where MTU was set below default (1500?) but when we turned on jumbo-frames and set the GlobalMTU at jumbo-default, and rebooted, all flows pass properly. Yay, but really?!
... View more
03-21-2017
01:01 PM
Is there a better way than a screen shot? Here's the ruleset I have, only NetAdmin and NTP work at this time.
... View more
03-20-2017
07:12 AM
Sorry, I confused the thread there. There are three processes which my IoT device preforms: NTP, FTP, HTTPS NTP: get the time (obviously I suppose) - this works perfectly, UDP out, UDP in session times out, repeat FTP: check for updates, download and install them automagically - the check works, the GET to pull down update fails HTTPS: send telemetry to the cloud (the function we've installed the thingh to perform) - the client hello and key negotiation work fine, firewall stops passing as soon as encryption is engaged.
... View more
03-17-2017
02:01 PM
It's not a decision I get to make - IoT means "I'll make this thing and decide how it woll communicate and you can take it or leave it" for the most part - sigh. My laptop in the thing's spot can connect on the TCP/21 port and I can authenticate etc. It's only when I try to GET a file that the connection times out. Once the server stops trying to send and the client stops trying to GET, I have CLI back and can try GET again. I've got the same behavior in the web browser. The client session starts helloing and negotiating then when TLS is engaged, I stop getting packets. Is there a knob or switch set someplace which tells the PA to analyze the streams and I've got it set at 10 when it needs to be turned down to 2?
... View more
- Tags:
- IoT
03-16-2017
04:56 PM
I hope OP will forgive me for hijacking this thread. I too have a client behind the firewall trying to connect to an FTP site. The session end is always noted as tcp-rst-from-client. It's an IoT-thing, so I did a packet capture and see the device connect, log-in (plaintext password - ick!) and navigate to the desired directory, change to binary, attempt to get a file, after that fails, set passive and try to get the file again. My capture shows the client request the get, and the server attempt to send, but the client never gets the packet. I put my laptop in the client's spot and tried from my FTP client - same resuts. Each get times out. apparently the PA220 is eating the reply packet, yet I can't find loggin to that effect. Where do I look next?
... View more
- Tags:
- IoT
LEGAL NOTICES
Copyright 2007 - 2022 - Palo Alto Networks