This website uses cookies essential to its operation, for analytics, and for personalized content. By continuing to browse this site, you acknowledge the use of cookies.
For details on cookie usage on our site, read our Privacy Policy
For details on cookie usage on our site, read our Privacy Policy
About DenisHierholzer
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- LIVEcommunity
- About DenisHierholzer
11-15-2018
10Posts
0Likes
0Solutions
Nov 15, 2018Last Visited
User
Activity
User
Profile
Latest posts by DenisHierholzer
| Subject | Views | Posted |
|---|---|---|
| 2022 | 06-06-2018 05:06 AM | |
| 2033 | 06-05-2018 10:12 AM | |
| 4366 | 04-09-2018 05:20 AM | |
| 4636 | 04-08-2018 11:17 PM | |
| 4656 | 04-05-2018 06:40 AM | |
| 4723 | 04-04-2018 10:31 PM | |
| 2553 | 12-17-2017 11:57 PM | |
| 1750 | 12-15-2017 05:46 AM | |
| 2626 | 12-15-2017 01:52 AM | |
| 1405 | 11-08-2017 02:27 AM |
Posts I Liked
| Subject | Likes | Author | Latest Post |
|---|---|---|---|
| 2 Likes | |||
| 1 Like | |||
| 2 Likes | |||
| 5 Likes |
User Badges
Community Statistics
| Member Since | 04-13-2017 12:17 PM |
| Date Last Visited | 11-15-2018 03:33 PM |
| Posts | 10 |
06-06-2018
05:06 AM
@BPry, The matching security rule is "PROD-WEB-WHITELISTED-URLs" (see screenshot) and from there I've followed the path to the file blocking profile: security rule "PROD-WEB-WHITELISTED-URLs" -> security profile group "ZUR-MITIGATION-NO-URL-FILTER" -> file blocking profile "ZUR-FILE-BLOCK-DEFAULT" ZUR-FILE-BLOCK-DEFAULT contains 3 rules: 1) Name: DOWNLOAD-ALERT-DEFAULT Apps: any File Types: any Direction: download Action: alert 2) Name: DOWNLOAD-BLOCK-DEFAULT Apps: any File Types: bat, cmd, cpl, dll, dmg, exe, gzip, iso, lnk, mp3, msi, ocx, pif, powershell, tar, vbe, wmf Direction: download Action: alert 3) Name: UPLOAD-BLOCK-DEFAULT Apps: any File Types: any Direction: upload Action: block I cannot find anything in this file blocking profile that would block a CSV. Once again: afaik this file blocking profile hasn't change lately but the CSV download worked before with it. Maybe a bug with one of the latest "Applications and Threats" updates? I've found following list but I don't understand where exactly the file type IDs are used? https://live.paloaltonetworks.com/t5/Configuration-Articles/FileType-list-with-the-Threat-ID-number/ta-p/56119 Best Regards, Denis
... View more
06-05-2018
10:12 AM
Hi, I have following in my logs: Threat tpye: file Threat name: CSV file ID: 52032 Severity: low File Name: xyz.csv For Vulnerability Protection and Anti-Spyware I know how to easily create exceptions for specific IPs/URLs. Is there a way to easily create exceptions the same way for "file threats"? Furthermore I'm not aware that my file blocking profile says "CSV" or "any" for downloading files... This worked fine some days ago afaik. How would I unblock this? Best Regards, Denis
... View more
04-09-2018
05:20 AM
Ok - I've realized that I cannot use untagged sub interfaces in my specific scenario. Untagged sub interfaces are only for a specific scenario described in the links in my original post - beside this specific scenario untagged sub interfaces won't work. I will use tagged sub interfaces and different VLANs to communicate with the different vsys. Thanks for your help.
... View more
04-08-2018
11:17 PM
But the logical interfaces are also identified by a unique IP address. I don't understand why this is not enough to assign traffic to a specific logical interface.
... View more
04-05-2018
06:40 AM
Thanks for your answer. From our production network (e.g. 10.0.0.0/24) we'd like to connect to different DMZs which are protected by different vsys. Example: vsys 1 - internal IP in production network: 10.0.0.10/24 vsys 2 - internal IP in production network: 10.0.0.11/24 We'd like to trunk those two connections via one cable from the production network to the Palo device. If we would use a seperate VLAN for both vsys in between the production network and the Palo device it would require a major reconfiguration of our network infrastructure. Regards, Denis
... View more
04-04-2018
10:31 PM
Hi, As described in following links we've configured multiple untagged sub interfaces all assigned to different vsys (different virtual routers and different zones) but with different IPs from the same network and the same VLAN: https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Configure-L3-Untagged-Subinterfaces-to-Communicate-within/ta-p/55830 https://live.paloaltonetworks.com/t5/Learning-Articles/Untagged-Subinterfaces-L3/ta-p/55942 Example: eth1, IP: none, tag: none, vsys: 1, zone: none, virtual router: none --- eth1.1, IP: 192.168.0.10/24, tag: none, vsys: 2, zone: Zone-2, virtual router: VR-2 --- eth1.2, IP: 192.168.0.11/24, tag: none, vsys: 3, zone: Zone-3, virtual router: VR-3 The interface IPs 192.168.0.10 and 192.168.0.11 are pingable but traffic through the firewall won't be processed. The same problem was described in following thread: https://live.paloaltonetworks.com/t5/General-Topics/Multiple-Zones-with-one-VLAN/m-p/100851#M44302 Unfortunately I don't understand why this does not work. Would somebody please explain this? Thanks, Denis
... View more
12-17-2017
11:57 PM
Hi all, I have a PA-220 with PAN-OS 8.0.6. I run multiple VLANs on it and have configured 5 DHCP servers on 5 different VLAN interfaces. Now I'm wondering why this setup even works because when I read the PA-220 feature overview it says that only 3 DHCP servers are supported on this device. See "Address Assignment" on https://www.paloaltonetworks.com/products/product-comparison.html?chosen=pa-220,pa-500 How is this limit enforced? Any explanation why I successfully run 5 DHCP servers? In another thread talking about the PA-500 they say it's kind of a "soft limit": https://live.paloaltonetworks.com/t5/General-Topics/DHCP-Server-maximum-limit-of-PA500/m-p/50433#M37129 Best Regards, Denis
... View more
12-15-2017
05:46 AM
Hi Steven, Any progress with this? I also search a solution for this... Workaround so far: use Infoblox to run a script with the IP address as parameter. The scripts (e.g. PowerShell, batch) creates the needed XML and sends it to the XML API. Not nice but should work basically. Regards, Denis
... View more
12-15-2017
01:52 AM
Awesome - I've also scripted this by myself yesterday - more or less the same code 🙂 One addition: if you work with Panorama you should export the device state on the local boxes. If you only export the running-config it will only include the locally configured settings and not the settings pushed by Panorama. Just use following API query: /api/?type=export&category=device-state&key=...
... View more
11-08-2017
02:27 AM
Hi, When I configure a security rule and set the action to drop or deny, what sense does it make to configure Profile Settings? From my point of view the traffic gets blocked before any Profile settings will be checked. Is this correct? Best Regards, Denis
... View more
LEGAL NOTICES
Copyright 2007 - 2023 - Palo Alto Networks