This website uses cookies essential to its operation, for analytics, and for personalized content. By continuing to browse this site, you acknowledge the use of cookies.
For details on cookie usage on our site, read our Privacy Policy
For details on cookie usage on our site, read our Privacy Policy
About campbech1
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- LIVEcommunity
- About campbech1
07-19-2022
7Posts
1Like
1Solution
Jul 19, 2022Last Visited
User
Activity
User
Profile
Latest posts by campbech1
| Subject | Views | Posted |
|---|---|---|
| 1126 | 03-11-2022 08:29 AM | |
| 2585 | 01-09-2021 09:24 AM | |
| 2761 | 01-06-2021 11:04 PM | |
| 3344 | 05-11-2020 01:09 PM | |
| 1741 | 06-20-2018 08:32 AM | |
| 1253 | 06-06-2018 05:52 AM | |
| 3272 | 04-25-2018 08:54 AM |
My Liked Posts
| Subject | Likes | Posted |
|---|---|---|
| 1 Like | 01-06-2021 11:04 PM |
User Badges
Community Statistics
| Member Since | 04-24-2018 01:46 PM |
| Date Last Visited | 07-19-2022 11:42 PM |
| Posts | 7 |
| Total Likes Received | 1 |
03-11-2022
08:29 AM
Just completed an install this last weekend and received a report that a user wasn't able to connect to GlobalProtect. I started with the normal troubleshooting and quickly realized this was going to be something more detailed. The user that initially complained said that she wasn't able to connect to GP. I asked them to just try to hit the portal with a web browser and make sure she could get there first. Nope, can't reach the portal via a browser. Next step I did some monitoring and packet captures on the firewall and verified I can see their traffic hitting the firewall on the GP portal address but I'm only seeing packets in one direction. I see the client hello in the packet capture but I don't ever see the server hello and then certificate exchange, it just stops there on the client. Performing a packet capture on the firewall I see in the tx capture that the server hello is being sent and also verified this with a packet capture downstream from the firewall. The server hello just never makes it to the remote client. The client is able to ping the GP portal fine. It appeared that this was an isolated issue with this one client, but I'm now finding that my cell phone, when on my home Internet, I'm able to connect, but on AT&T wireless I'm not. Any one have any ideas? One more piece to the puzzle. The client is able to connect to other devices with SSL on the same network here and is also able to VPN to the existing Cisco ASA that's here without any issues. The only issue is to the GP portal. I sat on a call with Palo support for the last two days without any resolution. Hardware: PA-460 in HA Version: 10.1.4 GP versions tried 5.2.10 and 6.0
... View more
01-09-2021
09:24 AM
Maybe an easier solution, but I was able to resolve this by creating two entries in the BGP routing instance on each of the Palo's. Created two export rules in each of the Palo's. Created a "locally significant routes" and entered the local networks to the match criteria, set the action of a local preference of 200 to make sure local routes at this site will route to that firewall. Created a "remote routes" and entered the remote networks to the match criteria, set the action of a local preference of 100 and prepended 5 AS paths so that these routes will be available but not as attractive to the Azure IPSec tunnel. If the other IPSec tunnel at our other site is online, these routes are still available for Azure to use to connect to our other site. Did this for both firewalls and is working great now. I have also failed over both firewalls and routing is working as it should.
... View more
01-06-2021
11:04 PM
1 Kudo
We have two on-prem data centers connected with dual L3 EVC links between them on our core switches and we are using OSPF for routing. We also have PA firewalls deployed in each location and we are extending OSPF up to them. We are then connected to Azure over each of the PAs over an IPSEC VPN and using BGP and injecting the OSPF routes. If I disable one of the IPSec tunnels, everything works perfectly. The issue we are having is that Azure is sending return traffic back to the wrong data center location when both IPSec tunnels are up, then of course the firewall is dropping the traffic. What is the best way with BGP to have the backup routes available, but make sure the traffic to each data center is for the local subnets in that data center. For instance: Data Center 1 - 192.168.30.0/24 Data Center 2 - 10.128.0.0/24 Azure - 10.140.0.0/16 I need to make sure that the VPN from Azure to DC1 has a route to 192.168.30.0/24 and 10.128.0.0/24 but the 10.128.0.0/24 should only be a backup route and should send the traffic to DC2 if that route is available. Azure should send traffic to 10.128.0.0/24 to DC2 when that IPSec tunnel is up with a backup route to 192.168.30.0/24. What is the process with BGP to force the route(s) that I'm advertising from DC1, which should be a backup route to DC2, to force it to be a backup route to stop the asymmetrical routing?
... View more
05-11-2020
01:09 PM
Are you using a network monitoring tool with SNMP? You can also query the tunnel interface for interface statistics.
... View more
06-20-2018
08:32 AM
I'm currently migrating from a pair of Cisco ASAs and the zones have me a little confused. Right now I have interfaces on the ASAs of inside, wireless, outside, dmz-private-web, dmz-private-db, dmz-public-web, dmz-public-db, dmz-dev-web, dmz-dev-db. My plan was to group the inside and wireless together as "trusted", outside as "outside, and then all of the DMZ zones as "DMZ". When the interfaces are placed into a single zone like that, hopefully rules are still required between them?
... View more
06-06-2018
05:52 AM
We have had some requirements change since ordering this equipment and may change direction on where these new firewalls get installed. Initially we ordered the 3260s for our hosted data center since most of the servers are located there and vendor provided backup solution is there. The concern was the amount of traffic that we would be pushing through the firewall during backup times. All of the server VLANs are terminated on the firewalls. That direction is changing now. We are looking to move the servers back to our corporate location where we had planned on the 850s to be installed. A long term direction was proposed today to bring these servers back in-house by the end of the year which changes where I potentially place these firewalls. I'm now looking at installing the 850s at the hosted data center and the 3260s at our corporate location (data center). Am I able to write a policy to allow hosts to talk to other hosts through the firewall but to disable the APP-ID and threat prevention policies to allow traffic to flow at the 10G speeds? This would be related to backup traffic in particular. Thank you in advance. This should be an interesting weekend installing these since I've been a Cisco engineer for the past 20 years.
... View more
04-25-2018
08:54 AM
Does the credential phishing policy require the URL filtering license? Thank you.
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
07-19-2022
11:42 PM
|
Latest Tags
No tags yet
LEGAL NOTICES
Copyright 2007 - 2023 - Palo Alto Networks