About kprewitt

kprewitt · ‎02-14-2020

All of my rules that are one NAT and one Security for a given access work, but I have a unique rule that does not seem to be working correctly. I have four NAT rules for a given public IP that use different service ports that I created destined for unique IPs with the same port. Example: NAT1 Original Packet is Untrust/Untrust, Any Interface / Any Source address, Public IP destination, TCP-1234 service, destination translation is IP: 1.1.1.1 on Port: 2222 NAT2 Original Packet is Untrust/Untrust, Any Interface / Any Source address, Public IP destination, TCP-4321 service, destination translation is IP: 1.1.1.2 on Port: 2222 NAT3 Original Packet is Untrust/Untrust, Any Interface / Any Source address, Public IP destination, TCP-5678 service, destination translation is IP: 1.1.1.3 on Port: 2222 NAT4 Original Packet is Untrust/Untrust, Any Interface / Any Source address, Public IP destination, TCP-2222 service, destination translation is IP: 1.1.1.4 on Port: 2222 I have one security rule that includes all four services and ANY app with the public IP and untrust/untrust zones. Note that the only NAT rule that hits is NAT4 where the ports are the same. None of the others hit and the security rule allows traffic to only the #4 server. When users try to access with the other service ports, they get no response and NAT1-3 are currently labeled as UNUSED. Am I going to have to divide the security rule up? Or is there something I can do to get it to recognize the different ports when they are attempted? PAN-OS v9.0.4

kprewitt · ‎02-01-2019

I see what you are saying. When I look at the logs, it shows the site blocked when they do not use the www. at the beginning. That may be because I have a wildcard in the subdomain location and forcing them to put something there to trigger the custom category. I appreciate the follow up.

kprewitt · ‎01-30-2019

Within Panorama, while managing client firewalls, routinely the customer wants some variation of the built-in URL category restrictions. While it is great to have so many categories and for the most part they are well apportioned. However, to get around the one off requests for sites to be opened that are in a category that is blocked, it is our policy to build a separate custom whitelist URL Category. It is automatically populated to the URL Filtering at the bottom and we are able to turn it on to allow traffic. The problem that I am noticing is the top-down reading of the categories will often knee-jerk block a site that is whitelisted later. Occassionally the site gets through, but by and large it does not. To resolve this we often have to either open a category that is undesired or put in a request for a site reclassification that can take a while. Meanwhile the client is either exposed to unwanted traffic or has to wait for the reclassification. I would like to suggest allowing category shuffling for custom URL categories within the URL Filtering. That will allow a custom category to be moved above its rival built-in category so that it reads the allowance before the block. Or just swith the spawn point of the custom categories to the top instead of the bottom, since they are always desired sites. Thank you for listening.

Member Since	‎07-26-2018 12:38 PM
Date Last Visited	‎04-19-2021 12:57 PM
Posts	3

Online Status	Offline
Date Last Visited	‎04-19-2021 12:57 PM

About kprewitt

Re: Destination NAT to other Port

Re: Suggestion for Panorama update

Suggestion for Panorama update

File Blocking Continue Page in a TLS connection

Re: Destination NAT to other Port

Re: Suggestion for Panorama update

Suggestion for Panorama update