About ldormond

ldormond · ‎03-11-2015

Hi, Many thanks for your help on this weird issue ! Indeed, disabling this feature in IE makes the upload work. (I had no chance to try with another browser since the customer infrastructure is very constrained). I didn't find this doc, despite having browsed the PaloAlto support community for a while. Furthermore, the PanOS 5.x Admin Guide states that The following web browsers are supported for access to the firewall web interface: • Internet Explorer 7+ • Firefox 3.6+ • Safari 5+ • Chrome 11+ Maybe the "for access to the firewall web interface" makes all the difference Regards, Laurent

ldormond · ‎03-06-2015

Hello, I am currently working on a new PA-3020 deployment. The device has been delivered with old PanOS 5.0.6 release. Also I would like to upgrade it to last PanOS 6.0.x release before going ahead with configuration. The device has currently no access to Internet, also I have to manually upgrade the device. In order to achieve this, I firstly have to upgrade to PanOS 6.0.0 base image, then to last PanOS 6.0.x release. According to the PanOS 6.0.0 RN, the device must be running dynamic content 401 or later. Also I downloaded the last dynamic content file from the PaloAlto Networks portal (apps 489-2600). I try to upload the file from the WebUI Device --> Dynamic Content. I click on Upload, and then choosing Content from the drop-down list (only one choice), browse for my file, and finally click OK. I get always this error : I have also tried with the oldest file I can download from the PaloAlto portal (apps 454-2355) but it results in the same issue. I also tried with the all content file (all-contents 489-2600) and I get the same error. The current application definition on the device is 320-1459. Do you think this app definition is far to old ? Regards, Laurent

ldormond · ‎12-12-2013

Hi Greg, Thanks for these helpful advices. I will first try the debug procedure you suggested (I only have PaloAlto ACE certification, also I don't know about troubleshooting tips). Then I will suggest the customer to perform an upgrade to last 5.0.9 release. Regards, Laurent

ldormond · ‎12-11-2013

Hello, We have a customer who is using PA-3020 in L3 A/P cluster, running PanOS 5.0.2. We have set up User-ID with PanAgent services (Primary and Secondary) installed on two different servers members of the domain. User-ID is configured to be based on : - Security logs - Sessions - Probing On 4 different servers : - 2 AD servers - 2 Exchange servers The User-ID agents and the monitored servers are all well connected, and there is nothing wrong in the system logs regarding User-ID. Most of the time, all is working fine : users are well identified and thus the proper rules are applied (based on user groups). However, it seems that sometimes the User-ID just stops, and the users are no more identified. Indeed, we can see in the traffic log monitoring that the Source User field is empty. As a result, the applied rule is not the right one and the URL Filtering profile that is applied is not the expected one. The customer is obviously complaining about this and I don't really know how to figure out what's wrong with this User-ID... You can see on the following prinscreen that the Source User field is suddenly empty, and starting this point, the matched rule is of course not the same. The user-ID agents are connected as you can see And the monitored servers as well Finally, the User-ID restarts after just 1 hour How can I monitor the User-ID and ensure that this won't occur again ? Or maybe this is a bug ? Kind Regards, Laurent

ldormond · ‎06-25-2013

Hi all, Thanks for your various answers. Indeed, I would like to display a standard response page from trafic that is denied, and a particular response page for trafic that is denied because of working hours. As I understand there is no simple way to achieve this functionality. Maybe there is a potential solution by using XML API, also I will have a look at this. If you have more info about this it would be helpful. Regards, Laurent

ldormond · ‎06-24-2013

Hello, I know that the Device -> Response pages menu allows to modify response page, but how can I add my own response page ? What I would like to do is displaying an advertisement page when traffic is blocked during working hours (using schedules). Is there a way to configure such feature ? Kind Regards, Laurent

ldormond · ‎06-10-2013

Hello, One of our customer is complaining for the same issue: They were using DHCP on windows servers before migrating to PaloAlto 3020 PanOS 5.1 and now they are complaining that DHCP offer is much more slower than before... Interfaces are set to 1Gb/FD and switches didn't change. Regards, Laurent

ldormond · ‎06-04-2013

Hi, Thanks for your help, however it just display the ouitgoing interface for the route, not the next-hop or next-vr. TSadmin@PA-3020_M(active)> test routing fib-lookup ip 193.135.106.162 virtual-router Trust-VR -------------------------------------------------------------------------------- runtime route lookup -------------------------------------------------------------------------------- virtual-router: Trust-VR destination: 193.135.106.162 result: interface ethernet1/3 -------------------------------------------------------------------------------- TSadmin@PA-3020_M(active)> test routing fib-lookup ip 193.135.106.162 virtual-router Untrust-VR -------------------------------------------------------------------------------- runtime route lookup -------------------------------------------------------------------------------- virtual-router: Untrust-VR destination: 193.135.106.162 result: interface ethernet1/3 -------------------------------------------------------------------------------- TSadmin@PA-3020_M(active)> Moreover, the result for Untrust-VR is wrong since you can't chose an outgoing interface that is part of another VR (in this case eth1/3 is part of Trust-VR and when I try to add a static route in Untrust-VR using outgoing interface eth1/3 I got a message "can't use a route that is bound to another VR" Regards,

ldormond · ‎06-04-2013

Hello, We are using PA3020 in L3 A/P cluster mode. PanOS is release 5.0.2. We are using static routes to reach our different subnets. When trying to check a route destination to verify the path using the CLI, nothing is shown as there was no route for this particular destination : TSadmin@PA-3020_M(active)> show routing route destination 10.198.30.5/32 flags: A:active, ?:loose, C:connect, H:host, S:static, ~:internal, R:rip, O:ospf, B:bgp, Oi:ospf intra-area, Oo:ospf inter-area, O1:ospf ext-type-1, O2:ospf ext-type-2 VIRTUAL ROUTER: Trust-VR (id 2) ========== destination nexthop metric flags age interface next-AS total routes shown: 0 VIRTUAL ROUTER: Untrust-VR (id 3) ========== destination nexthop metric flags age interface next-AS total routes shown: 0 TSadmin@PA-3020_M(active)> TSadmin@PA-3020_M(active)> show routing route destination 193.135.106.162/32 flags: A:active, ?:loose, C:connect, H:host, S:static, ~:internal, R:rip, O:ospf, B:bgp, Oi:ospf intra-area, Oo:ospf inter-area, O1:ospf ext-type-1, O2:ospf ext-type-2 VIRTUAL ROUTER: Trust-VR (id 2) ========== destination nexthop metric flags age interface next-AS total routes shown: 0 VIRTUAL ROUTER: Untrust-VR (id 3) ========== destination nexthop metric flags age interface next-AS total routes shown: 0 TSadmin@PA-3020_M(active)> However there are adequates routes for these destinations : TSadmin@PA-3020_M(active)> show routing route flags: A:active, ?:loose, C:connect, H:host, S:static, ~:internal, R:rip, O:ospf, B:bgp, Oi:ospf intra-area, Oo:ospf inter-area, O1:ospf ext-type-1, O2:ospf ext-type-2 VIRTUAL ROUTER: Trust-VR (id 2) ========== destination nexthop metric flags age interface next-AS 0.0.0.0/0 10.198.1.190 10 A S ethernet1/3 10.100.242.212/32 10.198.1.1 10 A S ethernet1/1 10.120.0.0/16 10.198.1.1 10 A S ethernet1/1 10.180.13.0/24 10.198.1.1 10 A S ethernet1/1 10.198.1.0/26 10.198.1.62 0 A C ethernet1/1 10.198.1.62/32 0.0.0.0 0 A H 10.198.1.64/26 10.198.1.126 0 A C ethernet1/2 10.198.1.126/32 0.0.0.0 0 A H 10.198.1.128/26 10.198.1.129 0 A C ethernet1/3 10.198.1.129/32 0.0.0.0 0 A H 10.198.8.0/21 10.198.1.65 10 A S ethernet1/2 10.198.17.0/24 vr Untrust-VR 10 A S Trust-VR/i3 10.198.30.0/23 10.198.30.1 0 A C ethernet1/12 10.198.30.1/32 0.0.0.0 0 A H 10.200.70.0/24 10.198.1.1 10 A S ethernet1/1 10.200.228.0/24 10.198.1.1 10 A S ethernet1/1 ... 172.30.0.0/16 10.198.1.1 10 A S ethernet1/1 194.11.240.0/24 10.198.1.1 10 A S ethernet1/1 total routes shown: 81 VIRTUAL ROUTER: Untrust-VR (id 3) ========== destination nexthop metric flags age interface next-AS 0.0.0.0/0 vr Trust-VR 10 A S Untrust-VR/i3 10.198.17.0/24 10.198.17.254 0 A C ethernet1/4 10.198.17.254/32 0.0.0.0 0 A H total routes shown: 3 TSadmin@PA-3020_M(active)> Is it a weird known bug ??? I have to say that it is very problematic since we have dozen of static routes to check... Kind Regards, Laurent

ldormond · ‎01-17-2013

Hello, We have a customer who has installed and configured a PanOS 5.0.0 A/P cluster of devices a few time ago. Now he has bought a Panorama licence to centrally manage and report his devices. Is there a quick and straight way to import devices congigurations into Panorama ? I have seen this documentation that describes how to manually import a configuration https://live.paloaltonetworks.com/docs/DOC-1742 However it is a quite long and tricky way to achieve this operation. Regards, Laurent

ldormond · ‎01-17-2013

Hello, Same issue here with PA-3020 and PanOS 5.0.0 QoS seems to work fine though. Regards, Laurent

ldormond · ‎01-10-2013

Hi guys, Thanks for your help and advices but it still doesn't work. I followed this guide and created a joint PEM with the two certs. I could import this but I am not sure I understand the next part. Before importing that do I need to make a CSR that matches that cert so that I can import it and have the private key. If I import without a private key then I obviously can’t use it to sign the captive portal. I also have a PFX bundle, that contains all of the certs and also the private key – importing that works and I can assigned it to the management web interface and the captive portal. As before the management web interface show no errors and works correctly but the captive portal doesn’t seem to present the intermediate certificate. Regards,

ldormond · ‎01-08-2013

Hi Nicolas, Thanks for your answer. Here are three screenshots : One shows the url when accessing the Captive Portal, the others show the certificate details. Regarsd

ldormond · ‎01-08-2013

Hello, We have a PA-3020 running PanOS 5.0.0 in L3 deployment. We have just one Private zone and one Public zone for the instance. I have configured a Captive Portal policy on the Private zone gto ensure that all users that are not authenticated by User-ID (users who are not logged in the domain) have to authenticate beffore accessing resources. I have set a Captive Portal redirect policy web-form based, linked with LDAP settings. It works fine, users are redirected to the web-form and they can login if they have a login/password. Then we have tried to import a certificate on the PaloAlto device in order to avoid the warning message in the browser. We have tried to add the CA root certificate as well as the intermediate certificate. From the PaloALto menu, the chaining seems correct (see certificate_chain.jpg) but the warning is still there in the browser. When we look at the certificate sent by the PaloAlto to the browser, we can see that the chaining is not effective. However, it works fine for the management access : the certificate chain is effective and the certificate is well trusted by the browser. Also it seems that it is only related to the Captive Portal feature. You can also see the Captive Portal settings (captive_portal.jpg). Kind Regards,

ldormond · ‎12-12-2012

Thanks for your answer. I read that PanOS 5.0.1 has implemented an increased ARP table. This could helps in some situations. Regards

Member Since	‎10-26-2010 01:25 AM
Date Last Visited	‎07-20-2016 09:50 AM
Posts	61
Total Likes Received	1

Online Status	Offline
Date Last Visited	‎07-20-2016 09:50 AM

About ldormond

Re: Unable to manually upload dynamic content

Unable to manually upload dynamic content

Re: Why does User-ID suddenly stops ?

Why does User-ID suddenly stops ?

Re: How to create custom response pages

How to create custom response pages

Re: DHCP Server ip adress give so slow

Re: Route checking using CLI issue ?

Route checking using CLI issue ?

How to import device configuration into Panorama ?

Re: How to select multiple objects at the same time ?

Re: Why does User-ID suddenly stops ?

Re: Unable to manually upload dynamic content

Unable to manually upload dynamic content

Re: Why does User-ID suddenly stops ?

Why does User-ID suddenly stops ?

Re: How to create custom response pages

How to create custom response pages

Re: DHCP Server ip adress give so slow

Re: Route checking using CLI issue ?

Route checking using CLI issue ?

How to import device configuration into Panorama ?

Re: PAN-OS 5.0.0 No statistics available for this interface. (Qos)

Re: Certificate chaining with Captive Portal

Re: Certificate chaining with Captive Portal

Certificate chaining with Captive Portal

Re: ARP timeout