This website uses cookies essential to its operation, for analytics, and for personalized content. By continuing to browse this site, you acknowledge the use of cookies.
For details on cookie usage on our site, read our Privacy Policy
For details on cookie usage on our site, read our Privacy Policy
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Get Started
- News & Events
- Collaboration
- Education Services
- Technologies
- Next-Generation Firewall
- GlobalProtect
- Threat Prevention Services
- Endpoint Protection
- SSL Decryption
- App-ID
- Content-ID
- User-ID
- 5G
- IoT Security
- Cloud Identity Engine
- Panorama
- AIOps for NGFW
Network Security
- Prisma Access
- Prisma Cloud
- Prisma SD-WAN
- Cloud NGFW for AWS
- CN-Series
- VM-Series:
- Private Cloud
- OCI
- Alibaba
- AWS
- GCP
- Azure
Cloud Security
- Cortex XDR
- Cortex XSOAR
- Cortex Data Lake
- Cortex Xpanse
Security Operations
- Resources
About JoergSchuetter
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- LIVEcommunity
- About JoergSchuetter
06-26-2022
142Posts
47Likes
28Solutions
Jun 26, 2022Last Visited
User
Activity
User
Profile
Latest posts by JoergSchuetter
| Subject | Views | Posted |
|---|---|---|
| 345 | 06-04-2022 11:02 PM | |
| 397 | 03-28-2022 01:26 PM | |
| 393 | 03-07-2022 11:28 PM | |
| 264 | 03-03-2022 12:03 AM | |
| 519 | 02-28-2022 02:09 PM |
My Liked Posts
| Subject | Likes | Posted |
|---|---|---|
| 1 Like | 06-04-2022 11:02 PM | |
| 1 Like | 03-28-2022 01:26 PM | |
| 1 Like | 02-28-2022 02:09 PM | |
| 1 Like | 01-25-2022 11:55 AM | |
| 1 Like | 01-20-2022 09:29 AM |
Posts I Liked
| Subject | Likes | Author | Latest Post |
|---|---|---|---|
| 1 Like | |||
| 2 Likes | |||
| 1 Like | |||
| 1 Like | |||
| 11 Likes |
User Badges
Community Statistics
| Member Since | 02-18-2018 07:04 AM |
| Date Last Visited | 06-26-2022 07:53 AM |
| Posts | 142 |
| Total Likes Received | 45 |
06-04-2022
11:02 PM
1 Kudo
The passive device does not respond to anything (besides on the mgn interface). That's due to moving the IP and MAC to the active node, the passive node has no IP on the "traffic" interfaces. If you have LLDP enabled, please verify that "Enable in HA Passive State" is ticked (Interfaces --> Ethernet --> your Interface --> Advanced --> [x] Enable LLDP -- [x] Enable in HA Passive State)
... View more
03-28-2022
01:26 PM
1 Kudo
The file /etc/protocols on a Linux system has (among others) the following lines: esp 50 IPSEC-ESP # Encap Security Payload [RFC2406] ah 51 IPSEC-AH # Authentication Header [RFC2402] My experience is that ipsec-{esp,ah} matches ip protocols 50 and 51
... View more
03-07-2022
11:28 PM
Hello @peppywoll Please take a look on https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClqxCAC
... View more
03-03-2022
12:03 AM
Hello @Schwarzer
If you change the name of the Zone in panorama, it will (at least that's my experience from ~1 year ago) change all and every object with the same name. Even if this is OK for you, you might end up with the situation that "device groups" and "templates" are not installed at exactly the same time. Policies require a zone which does not yet exist, or interface is bound to a zone where no rule has this zone listed (hence not granting traffic).
We created a new zone with the new name, added this zone to all rules where required and pushed the config to the firewalls. Once this was done we replaced the zone on the interface(s) and pushed again.
... View more
02-28-2022
02:09 PM
1 Kudo
Hello @Tthapa There are programs which simply try every available interface. You need to ensure that the direct way is perceived as "better". If you grant direct access to MS-Teams destination IPs (13.107.64.0/18, 52.112.0.0/14, 52.120.0.0/14) and allow only http(s) via the vpn tunnel to MS-Teams (do not permit 3478...3481 UDP via VPN), then chances are very high that the packets will go the split tunnel path.
... View more
02-25-2022
01:58 AM
Hello @yelfilali I would be surprised if this is possible at all. A fqdn could result in 0, 1, 2, ... IP addresses. If the result could be ambiguous, best way is to not use/allow these input types.
... View more
02-24-2022
01:59 PM
Hello @ZachHeise Using GP as an identity provider is possible. GP needs to "talk" with a VPN gateway on a regular base, but establishing a VPN tunnel is not required. Hence more or less the same config as for the remote users, but without the VPN part (see tab "internal" on portal config). In addition to this, there is a component named "Terminal Server Agent". It does not work for all applications (e.g. SMB fileshare is not bound to a user). This limitation is due to the fact that it's not possible to enforce the source port for SMB.
... View more
02-14-2022
04:37 AM
Hello @MHuschenbett
I guess you need to embrace your call with another layer holding the name of the ae interface. For us it is obvious that ae2.155 is below ae2, but how should the machine know this.
... View more
02-06-2022
08:39 AM
I had issues with importing certs as well. Using Firefox instead of Chrome fixed the issue for me.
... View more
01-25-2022
11:55 AM
1 Kudo
Hello @palomed Do you have a GlobalProtect license installed on your VPN gateway? The domain split feature requires that license to be installed.
... View more
01-20-2022
09:29 AM
1 Kudo
Hello
This flag ensures that L2 is up all the time.
If that wouldn't be the case, then the node needs to bring up the channel (plus L2). This takes a while (up to a few seconds).
If the port-channel and L2 are kept up (but simply not presenting the relevant MAC), it's just a matter of fraction of a second to have it fully active.
... View more
01-20-2022
04:44 AM
Hello @GnContente
We have the option "Enable in HA Passive State" enabled. Each of the nodes has a dedicated port-channel (per firewall ae) on the switch.
If you share a port-channel with both nodes, then the fail over (measured on how long there is no traffic) will take much longer.
... View more
12-15-2021
10:33 AM
Hello Is there a reason for limiting the VPN session time? I know this doesn't answer your question, but changing the session time might solve your need as well.
... View more
12-14-2021
11:30 PM
Hello @Lisensi-KAI Do you have the GP license installed on that firewall? Without this license you are able to provide VPN (with limited features) for Windows and Mac, but not for Linux, Android or iPhone.
... View more
12-06-2021
12:46 AM
@BPry Thanks for the hint regarding tunnel monitoring vs. ECMP. We picked the latter since it sounds very simply (enable the feature, no need to setup monitors per tunnel, ...).
... View more
LEGAL NOTICES
Copyright 2007 - 2022 - Palo Alto Networks