This website uses cookies essential to its operation, for analytics, and for personalized content. By continuing to browse this site, you acknowledge the use of cookies.
For details on cookie usage on our site, read our Privacy Policy
For details on cookie usage on our site, read our Privacy Policy
About JoseEspinoza
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- LIVEcommunity
- About JoseEspinoza
10-17-2019
11Posts
0Likes
0Solutions
Oct 17, 2019Last Visited
User
Activity
User
Profile
Latest posts by JoseEspinoza
| Subject | Views | Posted |
|---|---|---|
| 3882 | 10-16-2019 02:56 PM | |
| 4096 | 10-16-2019 01:01 PM | |
| 4100 | 10-16-2019 12:50 PM | |
| 4154 | 10-16-2019 08:15 AM | |
| 4430 | 10-16-2019 08:07 AM | |
| 3263 | 10-09-2019 03:35 PM | |
| 3323 | 10-02-2019 10:26 AM | |
| 4559 | 10-02-2019 10:02 AM | |
| 4856 | 09-30-2019 07:00 AM | |
| 4961 | 09-24-2019 12:06 PM |
User Badges
Community Statistics
| Member Since | 03-12-2018 10:01 AM |
| Date Last Visited | 10-17-2019 05:56 PM |
| Posts | 11 |
10-16-2019
02:56 PM
yes, we found that the admin of the AD server was not setup properly the other 3 srvs, just he configure one, 😞 now all of them show their status as a CONNECTED thank you
... View more
10-16-2019
01:01 PM
hi the below is the log from the PA 2019-10-16 07:48:35.172 -0600 Error: pan_user_id_win_log_query(pan_user_id_win.c:1364): log query for SRPRDC03 failed: NTSTATUS: NT code 0x80041003 - NT code 0x80041003 2019-10-16 07:48:35.172 -0600 Error: pan_user_id_win_get_error_status(pan_user_id_win.c:1055): WMIC message from server SRPRDC03: NTSTATUS: NT code 0x80041003 - NT code 0x80041003 cordially jose
... View more
10-16-2019
12:50 PM
hi there as I said before, all 4 AD servers have the same user configuracion and permissions for this setup, the issue that only one appears as a connected. cordially jose
... View more
10-16-2019
08:15 AM
hello team we have this new set up for group-mapping , with 4 AD servers, we already set-up everything, we can see in the user monitoring all activity from user, however in the section relate to server monitor the status only shows one server connected, we follow the KB: https://knowledgebase.paloaltonetworks.com/KCArticleDetail?id=kA10g000000ClaICAS to validate the configuration on the AD's for he user and we are fine with this, we are running PAN-OS 8.1.9 in this scenario. are we facing a bugging issue as a reason why we don't see all the 4 AD's with status as a connected? please let me know your comments. cordially jose
... View more
10-16-2019
08:07 AM
hello to everybody due the limitation from Ckpoint R77 to split large files, we weren't ables to export to expedition, we finally use a excel table to get the information from CKpoint and manually created in PA 3220 all the 257 FW rules. we are planning to deploy in production this weekend. cordially jose
... View more
10-09-2019
03:35 PM
hello Steve no, basically we have a Global Protect client using the E1/3 WAN interface, if I source a ping from the E1/3 I can reach the ISP router , If I sourced the ping from E1/3 to somewhere else in the internet like www.google.com that ping doesn't work. If i try the GP client from a PC outside of the network, I got the message portal not found, in the debugs in the PA there is not any log that shows the GP client attempt to connect. -directin the ISP admin said that the interface have to have their DNS servers configured in order to allow bi-directional traffic, but our client can't change their internal DNS since their web hosting web page. hope this clarify the issue, btw , yes routing is configured in the FW. cordially jose
... View more
10-02-2019
10:26 AM
hello team, we have this client running his ISP thru E1/3 (secondary ISP service), he wants to allow the Global Protect client thru this conection, however, after configure the portal and gateway in the PA-500, we test in the agent installed and we got the follow logs from the GP Client engine: (T22764) 09/26/19 19:56:27:735 Debug(4523): No need to check gateway route since no tunnel. (T22764) 09/26/19 19:56:30:758 Debug(5218): NetworkConnectionMonitorThread: m_state = 0, m_bOnDemand=0, m_bAgentEnabled=1, m_bJustResumed is 1, m_bHibernate is 0, m_bAgentEnabled is 1, m_bDisconnect is 0, IsConnected() is 0, IsVPNInRetry() is 0. (T22764) 09/26/19 19:56:30:758 Debug(4523): No need to check gateway route since no tunnel. (T22764) 09/26/19 19:56:30:758 Debug(5235): NetworkConnectionMonitorThread: Detected route change, but skip network discovery. (T22764) 09/26/19 19:56:34:723 Debug(5157): NetworkConnectionMonitorThread: route change detected. Wait for 3 seconds. (T22764) 09/26/19 19:56:34:723 Debug(4523): No need to check gateway route since no tunnel. (T22764) 09/26/19 19:56:37:725 Debug(5218): NetworkConnectionMonitorThread: m_state = 0, m_bOnDemand=0, m_bAgentEnabled=1, m_bJustResumed is 1, m_bHibernate is 0, m_bAgentEnabled is 1, m_bDisconnect is 0, IsConnected() is 0, IsVPNInRetry() is 0. (T22764) 09/26/19 19:56:37:725 Debug(4523): No need to check gateway route since no tunnel. (T22764) 09/26/19 19:56:37:725 Debug(5235): NetworkConnectionMonitorThread: Detected route change, but skip network discovery. (T22764) 09/26/19 19:56:40:571 Debug(5157): NetworkConnectionMonitorThread: route change detected. Wait for 3 seconds. (T22764) 09/26/19 19:56:40:571 Debug(4523): No need to check gateway route since no tunnel. (T5392) 09/26/19 19:56:42:041 Debug( 301): Received session change, event type 8, session 1 (T22764) 09/26/19 19:56:43:572 Debug(5218): NetworkConnectionMonitorThread: m_state = 0, m_bOnDemand=0, m_bAgentEnabled=1, m_bJustResumed is 1, m_bHibernate is 0, m_bAgentEnabled is 1, m_bDisconnect is 0, IsConnected() is 0, IsVPNInRetry() is 0. (T22764) 09/26/19 19:56:43:572 Debug(4523): No need to check gateway route since no tunnel. (T22764) 09/26/19 19:56:43:572 Debug(5235): NetworkConnectionMonitorThread: Detected route change, but skip network discovery. (T9888) 09/26/19 19:57:00:241 Info ( 246): HipCheckThread: got check hip event or time out. (T9888) 09/26/19 19:57:00:241 Debug( 258): HipCheckThread: WAIT_TIMEOUT (T9888) 09/26/19 19:57:00:241 Debug( 270): HipCheckThread: m_bHipPolicyReady is false, coninue; (T9888) 09/26/19 19:57:00:241 Debug( 216): HipCheckThread: wait for hip check event for 3600000 ms); (T22764) 09/26/19 20:08:59:228 Debug(5157): NetworkConnectionMonitorThread: route change detected. Wait for 3 seconds. (T22764) 09/26/19 20:08:59:228 Debug(4523): No need to check gateway route since no tunnel. (T22764) 09/26/19 20:09:02:230 Debug(5218): NetworkConnectionMonitorThread: m_state = 0, m_bOnDemand=0, m_bAgentEnabled=1, m_bJustResumed is 1, m_bHibernate is 0, m_bAgentEnabled is 1, m_bDisconnect is 0, IsConnected() is 0, IsVPNInRetry() is 0. (T22764) 09/26/19 20:09:02:230 Debug(4523): No need to check gateway route since no tunnel. (T22764) 09/26/19 20:09:02:230 Debug(5235): NetworkConnectionMonitorThread: Detected route change, but skip network discovery. (T22764) 09/26/19 20:09:02:373 Debug(5157): NetworkConnectionMonitorThread: route change detected. Wait for 3 seconds. (T22764) 09/26/19 20:09:02:373 Debug(4523): No need to check gateway route since no tunnel. in the PA using CLI we validate the conection between E1/3 (PA500) and the e1/4 from rhe RV20 Cisco from ISP and below is the ping results: @Server-PA> ping source 2xx.1xx.69.44 host 2xx.1xx.69.41 PING 2xx.1xx.69.41 (2xx.1xx.69.41) from 2xx.1xx.69.44 : 56(84) bytes of data. 64 bytes from 2xx.1xx.69.41: icmp_seq=1 ttl=255 time=1.08 ms 64 bytes from 2xx.1xx.69.41: icmp_seq=2 ttl=255 time=0.997 ms ^C --- 2xx.1xx.69.41 ping statistics --- 8 packets transmitted, 8 received, 0% packet loss, time 7069ms rtt min/avg/max/mdev = 0.997/2.856/15.404/4.743 ms @Server-PA> @Server-PA> @Server-PA> @Server-PA> @Server-PA> ping source 2xx.1xx.69.44 host 8.8.4.4 PING 8.8.4.4 (8.8.4.4) from 2xx.1xx.69.44 : 56(84) bytes of data. ^C --- 8.8.4.4 ping statistics --- 257 packets transmitted, 0 received, 100% packet loss, time 256151ms @Server-PA> were the 2xx.1xx.69.41 is the GW router. ISP provider said "you need to put our DNS servers IP's on the next device (in this case the PA-500) in order to get INternet traffic flow", we haven't tested this option , due the fact that the client has their own DNS servers. by the way, client also has another IPS at E1/1 which has an specific NAT rule mapped to service 80,443 for their web portal servcies, we also pointed the in first try the GP thru that interface mapped to service :8443, and again Global protect message: Portal Not found. any ideas how to solve this? cordially jose
... View more
10-02-2019
10:02 AM
hi there just to let you know that , finally, I was able to upload in the Expedition tool, the 400+ fw rules from the Checkpoint , however, I getting issues with the merge, the Expedition just get stuck and freeze while the merge is running. Ideas? will we need to provision more HW to the expedition server? any idea is more than welcome cordially jose
... View more
09-30-2019
07:00 AM
hi there we use another tool from CKpoint, we were able to get all the config file segmented. we will try today if we can be able to just check the firewall rules (+400). thanks
... View more
09-24-2019
12:06 PM
hi CMachado the problem is that migration tool can only read under 400 lines of rules, we are not able to read it when we upload on Expedition, that is why we need to find out how to extract from the CKPoint ONLY the segment relate to security rules or firewall rules and from there upload to the expedition tool. are we in the same line? we will check again the files, but until now aren/t able to find the fw rules from the ckpoint. any other hint? cordially, jose
... View more
09-24-2019
07:04 AM
hello team We have to migrate a Checkpoint R77 policies firewal security rules +400 rules policy migration, however we can't see those policies when we export to the expedition tool, we know that in R80 version you can use the CLI on the CKpoint to export in pieces those big amount of rules from 0-400 and from 400-800 and so. we try to use the same commands from R80 to do the same in the R77, but those commands failed, there is another way to do in the CheckPoint R77? any hint? cordially Jose
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
10-17-2019
05:56 PM
|
LEGAL NOTICES
Copyright 2007 - 2023 - Palo Alto Networks