About hbalzac

hbalzac · ‎09-09-2019

Im trying to setup a syslog forward from a loggcollector with tls, i get this error in the syslog log on the collector. Certificate subject does not match configured hostname; hostname='scrubbed', certificate='blah.blah.com' However the certificate has the correct hostname as a san name (aswell as blah.blah.com), however it has lots of san names (10+), blah.blah.com is the last one in the list of san name if i check the certificate with openssl from a other host. Has anyone run into issue with lots of san names on a palo while using client certificate?

hbalzac · ‎08-03-2019

Not an answer, but how do you avoid disabling rules that just was added?

hbalzac · ‎05-14-2019

Say that i have imported a big ruleset (from junos), i have to split this ruleset i to multiple firewall (due to redisign) Is there any way to export part of the ruleset (maybe be search The part i want)

hbalzac · ‎05-13-2019

So we are in a big project to replace lots of junos firewall. Atm every time we do a new firewall we create a new project and have to The same task over and over (search replace ping, rpc applications and some more) we also do a renaming of some host group. Since this takes some time each time. Im wonder if its somewhow any advance feature to do a macro for this?

hbalzac · ‎03-01-2019

I have not installed pan os 9 yet. WIll try to get ahold of a vm to play with. Looks nice from the documentation How about the ansible playbooks (and pandevice), will they have support for the json api in the future? Thanks!

hbalzac · ‎03-01-2019

Has anyone had time to play with this?

hbalzac · ‎02-28-2019

Well first off, is it recommended to use dynamic or static routing between the aci/palo? Does anyone still implement zones? (using multiple vrf/s to seperate it?)

hbalzac · ‎02-22-2019

This is often talked about from bot cisco and palo (when you use a pbr in aci to route some ports to the firewall) Is there anyone here acctuly using it?

hbalzac · ‎02-10-2019

Ok, it strange that there is no problem configure it on a pa 3260 (The status even say its ena led)

hbalzac · ‎02-10-2019

Is this supported or not? It can be configured, but rumors floading around the internet says that there is a part in the panos 9 that says support for pre-negotiation will be added for some models, among those 3200

hbalzac · ‎02-05-2019

Any news about more ansible modules? 🙂

hbalzac · ‎12-12-2018

PA has a bit strange behavior on BFD, apparently it will flush the fib during a ha failover if BFD is in use. (this was confirmed by a local SE after we spent quite some time with bfd tweaking), so if i understand your concern, you are correct. BFD can make it worse during a failover. This was to cisco routers (with a l2 switch between). We never got it to work even with tweaking the timers.

hbalzac · ‎12-08-2018

We have quite alot of devices and they are growing in numbers. If we would like to check different settings accross all the devices how would you accomplish that? (from what i have understood, there is no way in panorama to see for example if settings are overided local on the device?), and there is sometime settings that you have local on the device aswell. How would you solve this?

hbalzac · ‎12-04-2018

2287 - Not sure the name in PA:s systems. But it is to have a more flexible loopbackfilter (at the moment, you cant have different subnets in the acl for snmp and https for example)

hbalzac · ‎11-28-2018

Our pki team has setup a scep/ndes server for us to use for new firewall we setup. The error i get in the gui is not saying anything. If I would like to start a debug on the firewall cli for scep. Where do i do that?

hbalzac · ‎11-27-2018

Just of curriosity, has something happend with the ansible playbook progress discussed? Compared to some month ago there was alot more activity and new modules published here https://github.com/PaloAltoNetworks/ansible-pan When i look now there are tons of Pull Requests waiting to be done, see no activity from the maintainsers for almost a month.

hbalzac · ‎11-11-2018

I found this, however as BPry points out, the user dont put the answer in code box, so i still dont know the answer 🙂 https://live.paloaltonetworks.com/t5/General-Topics/Adding-device-serial-number-to-Panorama-with-API/m-p/224805#M64526

hbalzac · ‎11-09-2018

Despite me reading alot of documentation i have not really understood this. Im trying to add a device in panorama, so i run this command from the cli. set mgt-config devices 1234555 hostname 1234 This gives me the following output. (container-tag: mgt-config container-tag: devices container-tag: entry key-tag: name value: 1234555 leaf-tag: hostname value: 1234) ((eol-matched: . #t) (xpath-prefix: . /config) (context-inserted-at-end-p: . #f) ) (mgt-config (devices (entry (@ (name 1234555)) (hostname 1234)))) (hostname 1234) <request cmd="set" obj="/config/mgt-config/devices/entry[@name='1234555']" cooki e="5357976790132914"><hostname>1234</hostname></request> 2018-11-09 16:35:03 <response status="success" code="20"><msg>command succeeded</msg></response> So when i try to create a request of this it looks like this (if i take the url) https://1.1.1.1/api/?type=config&action=set&Key=LUFRPT1FYXpRSlNvdjc2M1ZIVDdHZG40NWx2c1BlZ2c9bHAyUmhhRHBxRUptd1ZXNNNNnQrK2hnZz09&xpath=/config/mgt-config/devices/entry[@name '1111'] This give me a "error 12" If i use the api browser it gives me a get command, but i want to add a new device. Any ideas?

hbalzac · ‎11-07-2018

I hate snmp overall aswell, however in larger enterprise its not always that easy to decide what monitor equipment to use 🙂 But i will try to do it from each firewall

hbalzac · ‎11-07-2018

My idea was first to setup panorama to monitor the logs for critical and then send snmp trap. But from what i can see from the PA mibs, there are no way for panorama to send info in the trap about the device? So all i see in the trap is the panorama ip. Is there any way around this? Or is maybe best practise to trap from the individual device?

hbalzac · ‎10-16-2018

Thanks alot for the long and qualified response! It sounds good that there are alot of modules coming up, i have already posted what modules i see as most prioritize for me. Looking forward to it 🙂 I can only speak for myself, but we install ansible from the rpm:s that are delivired by redhat (epel aswell, so xmltodict is fine) , the serveradmins and so on are generally very strict about installing things in production from places like pip (i think they have been scared by paranoid security people with stories like https://www.bleepingcomputer.com/news/security/ten-malicious-libraries-found-on-pypi-python-package-index/ ). For me, in a ideal situation it would be possible to download a signed rpm with the two library from palo but i understand that it would take quite alot of work.

hbalzac · ‎10-11-2018

Yeah exact, i like the way the ansible part is going with palo. There are still some very key modules missing, but more and more are added. My biggest problem in all this is the thing about modules. In my case managment and architects, perhaps being abit to much oldschool dont really like to idea of having everything built around external thirdparty modules.

hbalzac · ‎10-08-2018

Yeah you can install the panpython/pandevice from other places then github. What i mean is if i run into a bug on any of this modules. The only way to get help is to post a anonumoys post on palos github place in the issue section. I know that they are normaly answerd quite soon.

hbalzac · ‎10-08-2018

I dont think its that bad, however im not really a fan of using external modules hosted at github (having to rely on forum post on github to make bugreports on python modules is a not really enterprise). And yes im aware that other big vendor in the same field uses the same approach, so its not really a palo problem i guess. As far as functions, we deploy new vlan to exisiting "l3" trunks on daliy basis. That is a function/playbook i really do miss.

hbalzac · ‎10-08-2018

I see, well im comming from using a other vendor where like half of the upgrades fail and we need to upload logs to the support. So maybe im just stuck with old thinking then 🙂

hbalzac · ‎10-07-2018

If i do a upgrade on a firewall from panorama (maybe api is the same?), is there anyway of gather the log from the upgrade or follow the progress from the cli? Just in case the upgrade failes i guess it would be nice to be able to read the logs afterwards.

hbalzac · ‎10-02-2018

That did not work either. Will try again next time. But if it works with just dl the deb package its much easier for me 🙂

hbalzac · ‎10-02-2018

I tried to use proxy, it worked to a extend. But for some reason it tried to go and use pip to download some python package. And that bypassed all my proxy settings. Ended up open wide in my (atm non palo)firewall temporary. I can try this now (looking forward to the release notes for the new hotfix)

hbalzac · ‎09-28-2018

But you did not mentioned it above?

hbalzac · ‎09-28-2018

Good job (but what i can read on github, you also have a zone module?)

Date Registered	‎05-30-2018 10:12 PM
Date Last Visited	‎09-11-2019 01:48 PM
Total Messages Posted	39

Online Status	Offline
Date Last Visited	‎09-11-2019 01:48 PM

Strata

Prisma

Cortex

About hbalzac