About JanisM

JanisM · ‎10-28-2014

rgreens, have you tried to exempt this threat if you consider it safe?

JanisM · ‎01-24-2014

We got similar errors on PA500 device using 5.0.6 version. " debug software restart management-server " usually helped to get rid of this stuff for a while. Then it creeps back again. Local manager recommended to upgrade RAM, did that, also upgraded to 5.0.10 and so far I have not encountered this error so far. Will see, because usually it takes few weeks after management restart to accumulate errors again.

JanisM · ‎11-04-2013

I'm practicing necromancy by bring up this old post of mine. Then I settled with using proxy and all is acceptable, but for some trial time i got an CheckPoint SG80 device with OS version R75 with plans to get the same - get all traffic trough VPN so users behind CP device can use Web apps with PA external IP. Creating VPN is easy, bet when i active on CP "Route all traffic trough this site" and set proxy ID on PA like local: 192.168.0.0/24 and remote: 0.0.0.0/0 tunnel partially goes down. I can ping from PA to CP, but can't ping from CP to PA. System log shows, where *.*.*.118 is CP external IP: Does this "error" shows that computer behind CP is sending dns requests to google dns server but PA does not know what to do whit that? What would be proxy ID if on the other side would be an PA device with config like VinceM previously given?

JanisM · ‎06-07-2013

I played a little with proxy ID's on both sides (changes sources, destinations and stuff), but with no real result. What would be the correct way to configure such thing if i would have PA devices on both sides? Maybe according to such configuration, i could get to work that mikrotik router and see if i did something wrong in previous config tests.

JanisM · ‎06-06-2013

In PA side, i have interface, that is dedicated for VPN and policies that provides access to internal resources: VPN_POLICY - LAN_POLICY and rule for access to internet (if its correct): VPN_POLICY - WAN_INTERFACE. As goes for NAT rules or any other configuration besides IPSec's on Mikrotik side, i will add some pictures. Route is default to provide that connection works. pics ->here<-

JanisM · ‎06-06-2013

Hello. We have a few IPsec S-2-S tunnels with different devices on other side and all works nice, but in one of them is required, that users on other side can use internet resources (to get this sides WAN IP address and access few web systems that with restricted usage by IP's) trough main office. What would be the correct or at least theoretical configuration to get such thing work? I've done some sloppy testing with routes but usually connection and tunnel just drops dead or nothing happens. One way, of course, is proxy (install local server on main side and just configure other sides browsers network configuration) and it's the easy way for me, but not for the users. They would have to turn proxy settings on or off, it they wanted to use their local internet resources for casual internet browsing. Device on other side is a Microtik router. Besides that, tunnel works nice. I can join domain and do stuff as usual.

JanisM · ‎05-20-2013

It seems I have similar problem. While I was on 4.1.9, I had ssl dependency error on one application while commiting, but I ignored it because I planned to upgrade to 5.0.4 soon. Now my PA500 is on 5.0.4. and while testing I got such errors on every app that needs dependencies. And if i choose only, let's say google-earth, without needed web-browsing dependency - error on commit and google-earth does not work properly.

JanisM · ‎12-04-2012

What i really would like to see in PA device is usable DLP. A few days ago i powered up old fortigate device and damn their DLP is quite nice to work with. They even had a chance to search for keywords in mail subject or body.

JanisM · ‎11-20-2012

We have security rule where users IP segment is File Blocking profile dll,exes msi, whatever you need is in block action. There are few apps that now and then have to download some updated dll files. For that there is rule that sits before global user IP segment rule, that allows dll from specific IPs. If dll is downloaded from other site, it is blocked (for you instead of IP, you could have app, url category etc).

JanisM · ‎11-14-2012

it seems that adding brightcould app to allowed apps group resolved that error for me. But it just depends in what IP segments your management consoles address is and if it it shares that segment (and what policies) with something else For me - problem resolved

JanisM · ‎11-12-2012

I'm getting the same error, but i still have to check some things before starting to point with fingers (i got new machine, had to move config from old one and all is not as it should be in dynamic updates, but that should be fixed tomorrow)

Date Registered	‎08-28-2012 05:38 AM
Date Last Visited	2 weeks ago
Total Messages Posted	11

Online Status	Offline
Date Last Visited	2 weeks ago

About JanisM

Re: Legit Suspicious DNS Query?

Re: Commit Failed to send phase 1 abort !

Re: Accessing web systems using main office's IP trough IPSec tunnel

Re: Accessing web systems using main office's IP trough IPSec tunnel

Re: Accessing web systems using main office's IP trough IPSec tunnel

Re: check now and Invalid image, Failed to download file

Re: Cryptowall 2.0?

Re: App dependencies - that's creazy!!

Re: PANOS 6

Re: Testing WildFire

Re: Legit Suspicious DNS Query?

Re: Commit Failed to send phase 1 abort !

Re: Accessing web systems using main office's IP trough IPSec tunnel

Re: Accessing web systems using main office's IP trough IPSec tunnel

Re: Accessing web systems using main office's IP trough IPSec tunnel

Accessing web systems using main office's IP trough IPSec tunnel

Re: Application Dependency PAN-OS 5.0.0 more

Re: What is still missing or needs to be improved in PA Next Generation Firewalls ?

Re: Blocking Downloads - Real World Examples?

Re: Issues again with Brightcloud Services

Re: Issues again with Brightcloud Services

Network Security

Cloud Security

Security Operations

About JanisM