This website uses cookies essential to its operation, for analytics, and for personalized content. By continuing to browse this site, you acknowledge the use of cookies.
For details on cookie usage on our site, read our Privacy Policy
For details on cookie usage on our site, read our Privacy Policy
About mkopcic
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- LIVEcommunity
- About mkopcic
02-22-2023
32Posts
4Likes
0Solutions
Feb 22, 2023Last Visited
User
Activity
User
Profile
Latest posts by mkopcic
| Subject | Views | Posted |
|---|---|---|
| 1244 | 08-13-2022 03:03 AM | |
| 1324 | 08-10-2022 04:22 AM | |
| 85270 | 09-06-2019 07:28 AM | |
| 85293 | 09-06-2019 06:08 AM | |
| 85314 | 09-06-2019 12:53 AM | |
| 2321 | 03-26-2019 06:57 AM | |
| 5202 | 03-26-2019 06:39 AM | |
| 1427 | 02-21-2018 04:05 AM | |
| 2175 | 08-01-2017 12:24 AM | |
| 2196 | 07-26-2017 02:44 AM |
My Liked Posts
| Subject | Likes | Posted |
|---|---|---|
| 2 Likes | 03-26-2019 06:57 AM | |
| 2 Likes | 12-28-2011 03:53 AM |
User Badges
Community Statistics
| Member Since | 12-16-2010 03:04 AM |
| Date Last Visited | 02-22-2023 08:22 PM |
| Posts | 32 |
| Total Likes Received | 4 |
08-13-2022
03:03 AM
Hello!
I decreased number of CPUs from 51 to 40 and now Machine Learning is working. Thank you very much for your help.
Regards,
Maja
... View more
08-10-2022
04:22 AM
Hello!
Machine Learning analysis is failing. In GUI, error is "Failed". In /tmp/error_SecRulesLearn logs I see this error:
org.apache.spark.SparkException: Job aborted due to stage failure: Task 26 in stage 89.0 failed 1 times, most recent failure: Lost task 26.0 in stage 89.0 (TID 6323, localhost, executor driver): java.io.FileNotFoundException: /tmp/blockmgr-9a58c978-4463-4f0c-a09d-e4bcc41c3691/25/temp_shuffle_1ae06377-b4dd-4d10-a389-7e656f2e5fd5 (Too many open files)
Did anybody has this error? Please help.
Thank you and regards,
Maja
... View more
09-06-2019
07:28 AM
Yes, I see login page. In documentation is written that admin\paloalto is default login.
In the meantime I started with reinstallation. After installation is complete, I'll try admin\expedition.
Regards,
Maja
... View more
09-06-2019
06:08 AM
No, I didn't change default password. This is new installation. Account for CLI is working.
Regards,
Maja
... View more
09-06-2019
12:53 AM
Hi!
I'm also unable to access Expedition via GUI. How this can be solved?
Regards,
Maja
... View more
03-26-2019
06:57 AM
2 Kudos
Hello! Every few days I get this error and can't access knowledge base. It is VERY FRUSTATING!!!! Error started to appear after last tool upgrade. Does PAN have mailing list for resolving partner access issues? Regards, Maja
... View more
03-26-2019
06:39 AM
Hi! Does anybody know, if Network or Device configuration is changed localy on the firewall, will that change will be seen in Panorama automatically? Will firewall synchronize localy config changes with Panorama? For example. If I add new static route on the firewall (firewall is managed with Panorama), will that route will be synchronized with Panorama? Thank you and best regards, Maja
... View more
02-21-2018
04:05 AM
Hello! I have 2 PA-5020 with 5.0 software and want to upgrade them to 8.0. One way to do this is to follow upgrade procedure. Configuration is very simple and can be deleted. Is it possible to upload 8.0 software using GUI, boot firewall in maintenance mode and reset it to factory defaults using 8.0? Or is is possible to use FTP in maintenance mode to upload 8.0 and then reset it to factory defaults using 8.0? Thank you and best regards, Maja Kopcic
... View more
08-01-2017
12:24 AM
Thank you for your suggestions. You wrote: "Your inbound NAT rules, however, are incorrect. NAT zones are determined pre-NAT based on the routing table, so inbound connections to 3.3.3.10 should be internet to internet because 3.3.3.10 also lives on the external interface from the firewall perspective i'd also recommend attaching the 3.3.3.10 IP on the external interface (not sure if you did that, the graph doesn't show it) as secondary IP, this makes management a bit easier and prevents accidents, plus you can then use 'dropdown' options where applicable (and will fix bi-directional)" This configuration just didn't work. After 3-4 hours of troubleshooting and stubbornly following Palo's documents, I quitted and followed my common sense. Few days after we had similar scenario at the customer’s Palo (version 7.1), and colleague first configured Internet for source and destination zones, and that configuration didn’t work. We also tried with secondary IP address on Internet interface and also it didn’t work. " If possible i'd also recommend attaching 2.2.2.0/24 to the external interface and provisioning your public DMZ with private IP addresses, this is a little more secure as you control not only security policy but NAT translation, and this will allow other segments to benefit more easily from this address pool without creating tricky U-Turn NAT because you use an IP that physically belongs to an internal interface on 2 different and unrelated (internet + privdmz) interfaces" This is not an option. In one day all servers from public DMZ will be migrated to private DMZ, but for now design is like that. In my experience, NAT is not security feature (it is just a way to hide private addresses and preserve public). If you open HTTP to the server and don’t harden it, it doesn’t matter if server has public or private IP address. Good rules on FW from dmzs to inside network are much more important. HTTP is UFBP (Universal Firewall Bypass Protocol) 🙂 🙂 This is also example how NAT can be configured in unusual network design. Kind regrds, Maja
... View more
07-26-2017
02:44 AM
Hello! This is the scenario and configuration that works on 8.0.3. It is implemented in our company. Servers on public_dmz have public addresses and access Internet with that addresses. Only server with address 2.2.2.10 needs to be translated to 3.3.3.10 in both directions. 2.2.2.10 -> 3.3.3.10 Servers from private_dmz are published on the Internet using address from the address space used for public_dmz 2.2.2.0/24. They are using the same addresses when they are accessing Internet. For example: 10.10.10.20 -> 2.2.2.20 Hosts from LAN are published on the Internet using address from the address space 2.2.2.0/24. They are using the same addresses when they are accessing Internet. For example: 172.16.10.100 -> 2.2.2.100 One server from LAN has to be destination translated to 1.1.1.3. 192.168.3.3 -> 1.1.1.3 Basic routing ISP configured routes for 2.2.2.0/24 and 3.3.3.10/32 pointing to the PAN (1.1.1.2). PAN has default route pointing to the 1.1.1.1. Routes on PAN for LAN networks are pointing to the 172.16.1.2. Layer3 switch has default route to the 172.16.1.1. NAT rules configuration NAT for server 2.2.2.10. Bi-directional NAT doesn’t work. Separate source and destination NAT rules must be configured. Source NAT: Source zone: public_dmz Destination zone: Internet Destination interface: Eth1/1 Source IP: 2.2.2.10 Destination IP: any Source translation static: 3.3.3.10 Destination NAT: Source zone: Internet Destination zone: public_dmz Destination interface: Any Source IP: any Destination IP: 3.3.3.10 Destination translation: 2.2.2.10 NAT for server on the private_dmz. Bi-directional NAT doesn’t work. Separate source and destination NAT rules must be configured. Source NAT: Source zone: private_dmz Destination zone: Internet Destination interface: Eth1/1 Source IP: 10.10.10.20 Destination IP: any Source translation static: 2.2.2.20 Destination NAT: Source zone: Internet Destination zone: private_dmz Destination interface: Any Source IP: any Destination IP: 2.2.2.20 Destination translation: 10.10.10.20 NAT for the first server on the LAN. Bi-directional NAT doesn’t work. Separate source and destination NAT rules must be configured. Source NAT: Source zone: trust Destination zone: Internet Destination interface: Eth1/1 Source IP: 172.16.10.100 Destination IP: any Source translation static: 2.2.2.100 Destination NAT: Source zone: Internet Destination zone: trust Destination interface: Any Source IP: any Destination IP: 2.2.2.100 Destination translation: 172.16.10.100 NAT for the second server on the LAN. Destination NAT: Source zone: Internet Destination zone: Internet Destination interface: any or Eth1/1 (works with both settings) Source IP: any Destination IP: 1.1.1.3 Destination translation: 192.168.3.3 NAT routing /32 for public address used in destination NAT, /32 routes must be configured. For ONLY source NAT, these routes don’t have to be configured. For server in public_dmz Destination: 3.3.3.10/32 Interface: Eth1/2 Next hop: None For server in private_dmz Destination: 2.2.2.20/32 Interface: Eth1/3 Next hop: None For the first server on LAN: Destination: 2.2.2.100/32 Interface: Eth1/4 Next hop: None Security rules configuration For server in public_dmz Source zone: Internet Destination zone: public_dmz Source IP: Any Destination IP: 3.3.3.10 Destination applications: web-browsing, ssl Action: Allow For server in private_dmz Source zone: Internet Destination zone: private_dmz Source IP: Any Destination IP: 2.2.2.20 Destination applications: web-browsing, ssl Action: Allow For the first server in LAN Source zone: Internet Destination zone: trust Source IP: Any Destination IP: 2.2.2.100 Destination applications: web-browsing, ssl Action: Allow For the second server in LAN Source zone: Internet Destination zone: trust Source IP: Any Destination IP: 1.1.1.3 Destination applications: web-browsing, ssl Action: Allow Global permit rules for zones: Source zone: public_dmz Destination zone: Internet Source IP: 2.2.2.0/24 Destination IP: Any Destination applications: web-browsing, ssl Action: Allow Source zone: private_dmz Destination zone: Internet Source IP: 10.10.10.0/24 Destination IP: Any Destination applications: web-browsing, ssl Action: Allow Source zone: tust Destination zone: Internet Source IP: 172.16.0.0/16, 192.168.0.0/16 Destination IP: Any Destination applications: web-browsing, ssl Action: Allow
... View more
09-15-2016
04:58 AM
Hello! I downloaded MT 3.1 for vmware player, imported it and turn it on. MT has ip adres 192.168.208.129 and I can ping it, but when I try to access it using HTTPS, it refuses connection. Does anybody had similar problem and how it can be solved? Best regards, Maja
... View more
02-02-2012
06:26 AM
Traffic blocked on Palo looks like that: Source IPx, MACx -> Dest: IP virtual, MAC virtual SYN Source: IP virtual, MAC real -> Dest: IPx, MACx SYN ACK Does Palo drop session because is getting response from different MAC address? And why NLB works ok on virtual-wire configurations??? Thank you and regards, Maja
... View more
02-02-2012
05:40 AM
Hi! Customer configured Palo firewall to work in Layer 2 mode to protect VLAN. In that VLAN there are two servers in MS NLB configuration. In VLAN configuration in Palo, static MAC entry is configured for virtual MAC address, but that entry isn't displayed with show mac command. See attached picture and listing: mkopcic@PA-4020> show mac Bridge_4-440 | match 02:bf:0a:0b:08:f8 mkopcic@PA-4020> Application (HTTP portal) works if real IP adresses are used, but if virtual IP adress is used, application is unreachable. Ping to virutal IP address is working. On Palo I captured dropped packets and saw that Palo is dropping traffic to NLB virtual address. See attached file. Does anyone have idea why Palo is dropping traffic? Best regards, Maja
... View more
01-16-2012
01:16 AM
Thanks for the reply. If that it's true, turns out that one user downloaded one file many times. I know that it isn't true. Investigating through Data and Traffic Log I found out that something isn't right. Please look at the pictures. In 4.1 version there is no session ID in available columns when creating report from Data Filtering log.
... View more
LEGAL NOTICES
Copyright 2007 - 2023 - Palo Alto Networks