This website uses cookies essential to its operation, for analytics, and for personalized content. By continuing to browse this site, you acknowledge the use of cookies.
For details on cookie usage on our site, read our Privacy Policy
For details on cookie usage on our site, read our Privacy Policy
About MarioMarquez
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- LIVEcommunity
- About MarioMarquez
03-04-2020
54Posts
1Like
0Solutions
Mar 04, 2020Last Visited
User
Activity
User
Profile
Latest posts by MarioMarquez
| Subject | Views | Posted |
|---|---|---|
| 10677 | 03-04-2020 08:35 AM | |
| 3082 | 03-04-2020 08:28 AM | |
| 2100 | 08-26-2019 12:07 PM | |
| 1759 | 04-28-2019 10:39 PM | |
| 3966 | 04-25-2019 06:58 PM | |
| 3974 | 04-25-2019 01:12 PM | |
| 20494 | 04-11-2019 12:15 PM | |
| 20519 | 04-11-2019 11:40 AM | |
| 10266 | 04-11-2019 09:26 AM | |
| 10796 | 04-11-2019 05:36 AM |
My Liked Posts
| Subject | Likes | Posted |
|---|---|---|
| 1 Like | 09-15-2018 01:21 PM |
Posts I Liked
| Subject | Likes | Author | Latest Post |
|---|---|---|---|
| 1 Like | |||
| 1 Like | |||
| 1 Like | |||
| 1 Like | |||
| 1 Like |
User Badges
Community Statistics
| Member Since | 07-06-2018 06:22 AM |
| Date Last Visited | 03-04-2020 11:56 AM |
| Posts | 54 |
| Total Likes Received | 1 |
03-04-2020
08:35 AM
I have an active passive configuration which seems to be working and has failed over successfuly in the past (possibly a year ago). According to the PA docs I read the heart beat is a ping that runs every 1000ms. I assume since the heartbeat backup is down on both that if the active firewall were to break right now ther would be no failover correct? where I got my info... https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/high-availability/ha-concepts/failover
... View more
03-04-2020
08:28 AM
When I go to Monitor > Session Browser I still see active connections on the pasive peer. I verified it is truly the passive firewall and the other is active and that its supposed to be in Active/Passive mode in the HA configuration. Running the show session all command reveals the same thing. All time stamps are current.
... View more
08-26-2019
12:07 PM
My company is moving a few servers from an old data center with an ASA to a new data center with a Pal Alto. A lot of the rules for the old server on the old firewall are showing port numbers only. I would like to use application ID as much as possible and don't know how to find out what applications use these ports. I know I can google a port list and find what the port number is typically used for but app ID on the palo alto is often abbreviated and may not appear the same way as on the googled port list. How can I simply find out what ports use which app ID's in the Palo Alto so that I can use app ID instead of port based?
... View more
- Tags:
- app id
04-28-2019
10:39 PM
I have a site that only has 5 megs of upload speed and its constantly getting fully utilized. I know I should probably get more bandwidth from the ISP but thats simply not an option right now. Anyway here is my goal. I would like to make the firewall perform strict allocations of gaurenteed bandwidth for 3 different classes I have configured but it is not doing what I have configured it to do. QoS rule 1 should get 3 megs of guarenteed bandwidth (class1), QoS rule 2 should get 2 megs of guarenteed bandwidth (class 2) & QoS rule 3 should get no guarenteed bandwidth (class 8). In addition to this structure I would like all non priority traffic (QoS rule 3/class 😎 to be able to use the full 5 megs of traffic if class 1 & 2 are not currently being used so that all 5 megs are available when higher priority traffic is not egressing the WAN interface. I am using the default QoS profile & have configured the following guarenteed bandwidth amounts into classes 1, 2 & 8... class 1- 3 megs guarenteed class 2- 2 megs guarenteed class 3 to 8- 0 megs guarenteed In order to configure this structure of QoS I needed to set the interface bandwidth (egress max) to 10 so that I can allocate my desired gaurenteed bandwidth values. There were no errors after configuration & the values do show accordingly in all menu's how ever when I test I notice that the firewall is not strictly enforcing the gaurenteed bandwidth that I have configured for each class. I see that all 3 QoSpolicies are getting hit & in the QoS interface statistics I see the test traffic crossing the right class. Am I missing something? This seems like an easy configuration to make but the palo is just not strictly enforcing the configuration of the QoS profile & policy. See the statistics in the pic...
... View more
04-25-2019
06:58 PM
Thanks! Do these options actually change the DSCP value from best effort to EF? If I look in the header I should see EF afterwards without needing to change the DSCP on the internal client app machines is that correct?
... View more
04-25-2019
01:12 PM
I have a vpn tunnel & clients on the internal network need to initiate connections to a server on the other side (egress traffic). The max upload speed of the broadband circuit is 5 megs which is always at max utilization. Is there a way to mark traffic that is only best effort DSCP and change the value to EF 46 when crosses the Egress interface? I set up a QoS profile using EF for all traffic to one destination but when I look at the captures the DSCP is still best effort/default. I am trying to get this traffic to have the highest priority when going to the Egress interface.
... View more
04-11-2019
12:15 PM
thanks. that didnt work.
... View more
04-11-2019
11:40 AM
I am trying to capture traffic between a specific source on the internal network to any destination on any zone. I totally understand how to enable captures and turn it on & off but my capture seems to be colleting data but not anything that I can recognize. I have double checked my filter & the traffic pattern, addresses & interfaces being crossed seem straight forward to me but whe I look at the output it looks like data has been captured that is not matching the filter I've created. I'm trying to make sense of it & am not able to. Can someone with experience please review my filter & tell me why I am seeing internal addresses in the capture that dont match the source im using in my filter? Filter I'm using... debug dataplane packet-diag set filter match source 192.168.180.210 source-netmask 32 ingress-interface ethernet1/3 Show Setting Output... paloalto> debug dataplane packet-diag show setting -------------------------------------------------------------------------------- Packet diagnosis setting: -------------------------------------------------------------------------------- Packet filter Enabled: yes Match pre-parsed packet: no Index 1: 192.168.180.210/32[0]->0.0.0.0/0[0], proto 0 ingress-interface ethernet1/20, egress-interface any, exclude non-IP -------------------------------------------------------------------------------- Logging Enabled: no Log-throttle: no Sync-log-by-ticks: yes Features: Counters: -------------------------------------------------------------------------------- Packet capture Enabled: no Snaplen: 0 Username: Stage receive : file cap Captured: packets - 3 bytes - 162 Maximum: packets - 0 bytes - 0 Stage transmit : file cap Captured: packets - 2 bytes - 108 Maximum: packets - 0 bytes - 0 --------------------------------------------------------------------------------
... View more
04-11-2019
09:26 AM
if that were true wouldnt that be 300 Mbps of throughput? The data sheet dows not say 150 both ways. Can you please explain how your interpreting that? Thank you. @fjwcash wrote: @MarioMarquez wrote: thanks for the details. I'm up in the air about getting a 100 down 100 up internet circuit for a site with a PA-220. if 150 Mbps is the least i will achive that means the same thing as saying 75 down 75 up is the least the PA-220 will be able to handle. Is that correct? Do you think a 100 down 100 up circuit is too much for this PA-220? No, that is not correct. The 150 Mbps is per direction. Meaning it can handle 150 Mbps of downloads along with 150 Mbps of uploads simultaneously. So a 100/100 connection will be fine for a PA-220. Even a lowly PA-200 could handle a 100/100 connection.
... View more
04-11-2019
05:36 AM
thanks for the details. I'm up in the air about getting a 100 down 100 up internet circuit for a site with a PA-220. if 150 Mbps is the least i will achive that means the same thing as saying 75 down 75 up is the least the PA-220 will be able to handle. Is that correct? Do you think a 100 down 100 up circuit is too much for this PA-220?
... View more
04-10-2019
07:05 PM
Can someone please tell me the maximum Upload/Download speed in megabits per second for a PA-220 with app-id and all threat prevention/ips features enabled along with an ipsec tunnel? The data sheet is a little confusing and I understand that it bases the specs from 64k packets but I don't know if this had 150 up 150 down or 50 up 50 down. Can someone tell me the the throughput I should expect in my use case mentioned above and explain yourself?
... View more
04-10-2019
04:51 AM
Here is what's happening.... 192.168.1.0/24 (real local subnet) gets translated to 10.222.224.0/24 when going to 10.240.0.0/22 (destination on other side of tunnel). This currently works but I need to find a way for 10.222.224.10 to Nat to 192.168.1.10 so that the last octet (.10) is always natting to the same IP (.10) on both networks for every IP address. 10.222.224.11 needs to Nat to 192.168.1.11 10.222.224.12 needs to Nat to 192.168.1.12 10.222.224.13 needs to Nat to 192.168.1.13 10.222.224.14 needs to Nat to 192.168.1.14 The last octet on both /24 subnets needs to Nat to the same number bidirectionally since both sides of the tunnel need to initiate TCP connections. Does this make sense?
... View more
04-09-2019
08:54 PM
Is there a specific setting to enable for it to work this way? I have a vendor that needs to initiate from their side of a VPN tunnel to my side and dynamic NAT worked when we tested but only from my side to theirs. I needed to do a one to one static for them to initiate to my side successfully.
... View more
04-09-2019
08:49 PM
Is there a way to make a dynamic NAT rule that translates one /24 subnet to another /24 subnet work in both directions and map last octet to last octet? There's a way to do it in Sonicwall so if your natting a subnet to another it will make .20 on the real local subnet map to .20 on the natted subnet and do that for all IP's. The reason why I ask is because I have a VPN vendor that needs to initiate from their side of the tunnel to specific IP's on our side of the tunnel for printing. I know I can make it work by doing a one to one static Nat from the vendor to my side but I figured since sonicwall can do this maybe Palo can?
... View more
- Tags:
- dynamic nat
- nat
03-20-2019
12:53 PM
Sonicwalls have a setting that allow a /24 subnet being natted to a different /24 subnet to get mapped on a one to one basis. Example, 192.168.1.10 will get bidirectionally natted to 10.0.0.10, 192.168.1.11 will get bidirectionally natted to 10.0.0.11, etc... The last octet will always stay the same which allows one nat rule to be added so both sides can initiate connections. Is there a way to do this on the Palo without doing a static one to one nat for each mapping?
... View more
- Tags:
- nat
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
03-04-2020
11:56 AM
|
Likes Given To
LEGAL NOTICES
Copyright 2007 - 2023 - Palo Alto Networks