This website uses cookies essential to its operation, for analytics, and for personalized content. By continuing to browse this site, you acknowledge the use of cookies.
For details on cookie usage on our site, read our Privacy Policy
For details on cookie usage on our site, read our Privacy Policy
About KGC
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- LIVEcommunity
- About KGC
09-05-2020
71Posts
7Likes
0Solutions
Sep 05, 2020Last Visited
User
Activity
User
Profile
Latest posts by KGC
| Subject | Views | Posted |
|---|---|---|
| 2157 | 10-30-2013 08:20 AM | |
| 2195 | 10-29-2013 09:05 AM | |
| 6441 | 10-01-2013 02:03 PM | |
| 7089 | 09-25-2013 12:58 PM | |
| 4767 | 07-16-2013 09:54 AM | |
| 4293 | 11-21-2012 12:21 PM | |
| 4293 | 11-21-2012 10:24 AM | |
| 4293 | 11-21-2012 10:12 AM | |
| 4398 | 11-21-2012 10:02 AM | |
| 3599 | 05-30-2012 01:00 PM |
My Liked Posts
| Subject | Likes | Posted |
|---|---|---|
| 1 Like | 03-01-2011 10:17 AM | |
| 2 Likes | 02-17-2012 08:22 AM | |
| 1 Like | 02-17-2012 07:10 AM | |
| 1 Like | 08-31-2011 11:25 AM | |
| 1 Like | 07-11-2011 10:30 AM |
Posts I Liked
| Subject | Likes | Author | Latest Post |
|---|---|---|---|
| 1 Like |
User Badges
Community Statistics
| Member Since | 12-16-2010 11:36 AM |
| Date Last Visited | 09-05-2020 12:52 AM |
| Posts | 71 |
| Total Likes Received | 7 |
10-30-2013
08:20 AM
This is essentially what we are doing, the challenge is that they want to connect to the Azure-hosted app directly via the MS cloud, and not via our PAN firewall. We obviously can't deploy our own VM PAN out in Azure, so I am looking for options.
... View more
10-29-2013
09:05 AM
We are in the process of testing the deployment of Internet-facing services into Azure, such that they are accessible from the public Internet via Azure but have a VPN connection back into our environment. Obviously in this scenario we must rely on Microsoft to protect the public-facing service, which removes all visibility and undermines our investment in our firewalls. (We considered deploying Azure as an extension of the DMZ protected by our on-prem firewalls, but for performance reasons decided against it for the moment.) Has anyone else considered a similar deployment, and what have been your experiences? Is PAN working on solutions to allow customers to somehow accommodate this scenario using their products/services?
... View more
10-01-2013
02:03 PM
These are all great suggestions in general for simple straightforward applications, however the way MS implements Exchange Online is anything but simple or predictable. I will try to address these individually: Challenge with packet capture method: the sessions are sometimes very long, lasting hours if not days, generating massive amount of data. Besides, I am pretty sure that PAN identifies the application correctly. The disconnects look just like a normal finished TCP session, there are no denys in the logs. Challenge with watching traffic between source and destination: what is the destination? MS publishes lists of public IPs which are supposed to correspond to the various cloud services they offer, however these lists are not well-maintained and change rapidly. Some of the MS cloud addresses are on a 2-min TTL. We also observed a number of IPs serving Exchange Online which were outside the published ranges. Challenge with allowing all traffic and then narrowing it down to just the application: MS serves a lot of different products on the same IPs and ports, including some we do not want to enable (e.g. Sharepoint Online, aka SkyDrivePro.) The AppID is really the best and only effective way to enable just the app you want. For the most part we have the service enabled, however there are still some minor challenges (e.g. occasional disconnects) which is why I was hoping that PAN offered a formal tested and recommended guide for implementing O365.
... View more
09-25-2013
12:58 PM
Does PAN offer any formal guidance for implementing access to Office 365, specifically for Outlook access to Exchange Online? We have, via trial-and-error, enabled this access using the newly-minted AppID for Office 365, but are seeing occasional Outlook session disconnects. Microsoft is, predictably, telling us that none of their other customers see this problem, and are vaguely suggesting it's our firewall. Does Palo Alto Networks have any recommendations on how to best enable Exchange Online? Anyone have any positive experiences to share? (I can also share some of our pains in reverse-engineering the O365 service, if there is interest...) Thanks!
... View more
Labels:
- Labels:
-
App-ID
-
Configuration
-
Set Up
07-16-2013
09:54 AM
We are having this exact same issue, only on 4.1.12 and using lower-case. (Perhaps I should have created a new thread for this given that the original post is now two years old, but Hub described it so well I didn't see a reason to duplicate the effort ) The problem is only affecting a single address object, and in the FDQN logs it shows as "not resolved". Other similar entries are resolving correctly. What's odd is that this was working when originally configured some weeks ago. The firewall is able to ping the address by name, so name resolution is working. The problem entry is outlook.office365.com which is a mix of both IPv6 and IPv4 addresses.
... View more
11-21-2012
10:12 AM
Thanks - rolling back to 338 here as well, figured no point us all opening the same so long as you tell them it's not just an isolated case.
... View more
11-21-2012
10:02 AM
Same problem here, rolling back to 338. Anyone open a case on this with PA yet?
... View more
05-30-2012
12:50 PM
Right, forgot about that. Perhaps this is part of the problem - the latest release I see under my Support portal is 750-1031 from 22 May 12
... View more
05-30-2012
12:27 PM
Same problem here. What should we be seeing as the latest release?
... View more
03-13-2012
10:19 AM
So can we upgrade our Panorama to 4.1.3 and still be able to manage our 3.1.8 units without any issues (understanding that the new v4 functionality will not apply to the old units)? We would like to bring Panorama to the latest release and then use it for some testing with a QA firewall before upgrading our production units. Thanks.
... View more
03-06-2012
03:49 PM
Looking to upgrade our Panorama and mix of 500, 2000 and 4000 HA units from 3.1.8 to 4.1.3. We understand that we need to jump to 4.0 first, and then to 4.1.3 as there is no direct upgrade path. Here are some of the questions however: Can we upgrade Panorama 3.1.8 -> 4.0 -> 4.1.3, and then do the same to the firewalls at a later time? What's the impact of running Panorama at 4.1.3 and the firewalls at 3.1.8? If we upgrade everything at once, should we go 3.1.8->4.0 across all units before proceeding to 4.1.3, or can each one be upgraded individually directly to 4.1.3 regardless of the state of the rest of the environment (e.g. the version of the HA partner)? Thanks!
... View more
Labels:
- Labels:
-
Configuration
-
Panorama
02-17-2012
08:22 AM
2 Kudos
Try enabling QoS (without enforcing any policies) to get a bandwidth graph on a given interface; it doesn't give you historical data but it will show you real-time consumption during your problem periods.
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
09-05-2020
12:52 AM
|
Latest Tags
No tags yet
LEGAL NOTICES
Copyright 2007 - 2023 - Palo Alto Networks