Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- LIVEcommunity
- ›
- About MatthewSabin
About MatthewSabin
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Monday
13Posts
8Likes
1Solution
Jan 18, 2021Last Visited
User
Activity
User
Profile
Latest posts by MatthewSabin
| Subject | Views | Posted |
|---|---|---|
| 284 | 11-03-2020 12:15 PM | |
| 381 | 10-21-2020 08:20 AM | |
| 406 | 10-19-2020 09:27 PM | |
| 1704 | 12-13-2017 02:15 PM | |
| 5985 | 05-19-2017 11:15 AM |
My Liked Posts
| Subject | Likes | Posted |
|---|---|---|
| 1 | 11-03-2020 12:15 PM | |
| 2 | 05-18-2017 03:43 PM | |
| 4 | 04-13-2017 10:30 AM | |
| 1 | 03-31-2017 11:34 AM |
Posts I Liked
| Subject | Likes | Author | Latest Post |
|---|---|---|---|
| 2 | |||
| 3 | |||
| 1 | |||
| 1 | |||
| 3 |
User Badges
Public Statistics
| Date Registered | 03-15-2017 03:23 PM |
| Date Last Visited | Monday |
| Total Messages Posted | 20 |
| Total Likes Received | 8 |
11-03-2020
12:15 PM
1 Kudo
Thanks for the tip, but it turns out that my problem wasn't about syntax but method. Pasting all of the parts of a certificate into the configuration and comitting doesn't actually "install" a certificate, or so I've learned. Rather than pasting it in, TAC informs me that I must exit configuration mode and import the certificate as below: scp import certificate source-ip <scp server IP> remote-port <scp server port> from <user>@<scp server>:<path><filename> format <pem|pkcs12> [passphrase <pass phrase>] certificate-name <name> Whe the certificate is imported, that invalid syntax line magically materializes in the show output.
... View more
10-21-2020
08:20 AM
We'll need a little more detail to give you any help. In the meantime, take a look at this thread: https://live.paloaltonetworks.com/t5/general-topics/globalprotect-the-server-certificate-is-invalid/td-p/193204/jump-to/first-unread-message --Matthew
... View more
10-19-2020
09:27 PM
I have successfully loaded my device certificate and a CA certificate from the CLI - took some seraching for format of the certificate strings, but they're in there now. One problem. In a firewall I have previously set up I show (in set format) the certificate stanza: set shared certificate wanroot subject-hash ffffffff set shared certificate wanroot issuer-hash ffffffff set shared certificate wanroot not-valid-before "May 23 02:36:33 2020 GMT" set shared certificate wanroot issuer /CN=wanroot set shared certificate wanroot not-valid-after "May 18 02:36:33 2040 GMT" set shared certificate wanroot common-name wanroot set shared certificate wanroot expiry-epoch 2220921393 set shared certificate wanroot ca yes set shared certificate wanroot subject /CN=wanroot set shared certificate wanroot public-key "-----BEGIN CERTIFICATE-----[blahblahblah]-----END CERTIFICATE-----" set shared certificate wanroot algorithm EC I get an error entering the line "set shared certificate wanroot ca yes" - Invalid syntax. What is the correct way to declare a certificate a CA certificate from the CLI? --Matthew
... View more
- Tags:
- certificate
- cli
12-13-2017
02:15 PM
We put it in lab last week - no issues to report. We'll start testing in the production environment after the holidays.
... View more
05-19-2017
11:15 AM
I'll revive this question - as the answers didn't actually relate. The Cisco ASA packet tracer allows you to propose a hypothetical flow and runs it through the engine as if it were real. Evaluating the NAT and route dicisions which would likely apply in addition to the policy/ACL allow/deny logic. It was very helpful to see if your configured configuration should pass traffic you are planning for prior to the actual traffic arriving.
... View more
05-18-2017
03:43 PM
2 Kudos
Thankyou chris.russell for this one, we've been pulling our hair out trying to build an XML file "template" This will make our configuration push script much easier to build.
... View more
04-13-2017
10:30 AM
4 Kudos
I'm about 2-months in, and I'm still looking for what I need to know. What I most want is the "How to think Palo Alto" guide - the biggest picture of how the parts fit together, and the minute details of what little "other-guy" process or method doesn't work here. I'll publish it myself once I think I have it 😉
... View more
03-31-2017
11:34 AM
1 Kudo
i'll eat my crow now... Problem solved: Bad cable/ethernet jack on upstream router. All successful connections correlate with events where a coworker was forcing the lab traffic over a different link. His timing just made my troubleshooting harder. Layer 1 sure gets in the way when you're think 4 through 7.
... View more
03-28-2017
03:41 PM
I got my SE on the case and while studying packet-captures it suddenly seemed like the communication was great until the packets got big. We wondered if it could be an MTU problem. I put a laptop in the PA220's place and ran through the connections at MTU 1500 - AOK. Put the laptop in the client's place and had to drop down to 1400 to get the transfers to go. We couldn't find anywhere in the PA220 where MTU was set below default (1500?) but when we turned on jumbo-frames and set the GlobalMTU at jumbo-default, and rebooted, all flows pass properly. Yay, but really?!
... View more
03-21-2017
01:01 PM
Is there a better way than a screen shot? Here's the ruleset I have, only NetAdmin and NTP work at this time.
... View more
03-20-2017
07:12 AM
Sorry, I confused the thread there. There are three processes which my IoT device preforms: NTP, FTP, HTTPS NTP: get the time (obviously I suppose) - this works perfectly, UDP out, UDP in session times out, repeat FTP: check for updates, download and install them automagically - the check works, the GET to pull down update fails HTTPS: send telemetry to the cloud (the function we've installed the thingh to perform) - the client hello and key negotiation work fine, firewall stops passing as soon as encryption is engaged.
... View more
03-17-2017
02:01 PM
It's not a decision I get to make - IoT means "I'll make this thing and decide how it woll communicate and you can take it or leave it" for the most part - sigh. My laptop in the thing's spot can connect on the TCP/21 port and I can authenticate etc. It's only when I try to GET a file that the connection times out. Once the server stops trying to send and the client stops trying to GET, I have CLI back and can try GET again. I've got the same behavior in the web browser. The client session starts helloing and negotiating then when TLS is engaged, I stop getting packets. Is there a knob or switch set someplace which tells the PA to analyze the streams and I've got it set at 10 when it needs to be turned down to 2?
... View more
- Tags:
- IoT
03-16-2017
04:56 PM
I hope OP will forgive me for hijacking this thread. I too have a client behind the firewall trying to connect to an FTP site. The session end is always noted as tcp-rst-from-client. It's an IoT-thing, so I did a packet capture and see the device connect, log-in (plaintext password - ick!) and navigate to the desired directory, change to binary, attempt to get a file, after that fails, set passive and try to get the file again. My capture shows the client request the get, and the server attempt to send, but the client never gets the packet. I put my laptop in the client's spot and tried from my FTP client - same resuts. Each get times out. apparently the PA220 is eating the reply packet, yet I can't find loggin to that effect. Where do I look next?
... View more
- Tags:
- IoT
Latest Blogs
Latest Posts
Copyright 2007 - 2021 - Palo Alto Networks
