This website uses cookies essential to its operation, for analytics, and for personalized content. By continuing to browse this site, you acknowledge the use of cookies.
For details on cookie usage on our site, read our Privacy Policy
For details on cookie usage on our site, read our Privacy Policy
About buck1
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- LIVEcommunity
- About buck1
06-01-2023
9Posts
0Likes
1Solution
Jun 01, 2023Last Visited
User
Activity
User
Profile
Latest posts by buck1
| Subject | Views | Posted |
|---|---|---|
| 1692 | 02-08-2022 05:54 AM | |
| 2033 | 02-05-2022 03:47 PM | |
| 816 | 02-03-2022 07:09 AM | |
| 2190 | 02-02-2022 12:47 PM | |
| 2889 | 10-16-2020 01:24 PM | |
| 3026 | 10-16-2020 06:41 AM | |
| 3386 | 10-09-2020 06:22 AM | |
| 3493 | 10-08-2020 09:12 AM | |
| 8379 | 09-05-2018 01:34 PM |
Posts I Liked
| Subject | Likes | Author | Latest Post |
|---|---|---|---|
| 1 Like |
User Badges
Community Statistics
| Member Since | 09-05-2018 07:35 AM |
| Date Last Visited | 06-01-2023 05:43 PM |
| Posts | 9 |
02-08-2022
05:54 AM
Thanks all for the feedback. I will look into using a separate vsys and see if that resolves my NAT issues. And to Astardzhiev, regarding leaving out the route for return traffic, I did do some original testing routing out to the internet from a separate VR and found that the return route does have to be there or it doesn't work.
... View more
02-05-2022
03:47 PM
Thanks for the reply. How does that solve the issue though? Any specifics on thoughts around design/configuration would be appreciated. Thanks.
... View more
02-03-2022
07:09 AM
Pulukas, do you have any examples of how to set this up? This scenario is exactly what I am trying to do, but having issues with the NAT statements needed to accomplish this. If I create a NAT policy to change source IPs to a non-overlapping subnet, then my outbound NAT rule doesn't seem to work. Seems like I can only get one or the other to work, not both. Thanks.
... View more
02-02-2022
12:47 PM
Below is an example diagram of my scenario. We have a subnet that is part of our production network, and then we have the same overlapping subnet for testing and disaster recovery which exists in a separate virtual router. I've oversimplified the drawing, so hopefully this makes sense. For testing purposes, the overlapping subnet in virtual router 2 needs internet access (eggress interface for internet access exists in virtual router 1. My initial thoughts are that I create a default route in virtual router 2 that simply points to virtual router 1. But... I need to have a route for virtual router 1 that points back to virtual router 2 for this subnet. Can't do that, because it is an overlapping subnet. So my assumption here is that I need to do some type of NAT translation for virtual router 2. So as an example, I would like the 10.5.107.0/24 subnet in virtual router 2 to translate to 10.2.107.0/24, and then use that translated address to NAT out for internet access. So in a sense, I guess NAT would actually happen two times. But I've been trying to set this up in my lab environment and can't seem to get it working. Any direction on how to do this would be appreciated. I've been searching forums for a good while now, and can't seem to find any documentation on the exact setup I am trying to achieve. Thanks!
... View more
10-16-2020
06:41 AM
Anybody else experiencing slowness with HIP check? Our clients establish an initial connection very quickly (about 5 seconds). But then the process of doing the HIP check actually takes an additional 40-50 seconds. I can clearly see in the logs that the HIP check takes this long to occur, and so users aren't able to access certain resources until this check completes. Any best practices for shortening this time? We are currently doing three main checks: Domain join check Check for BigFix Check for Sentinel One My next steps will be to remove these checks one by one and see if it makes any difference. I'm not sure exactly how HIP check works, if it checks everything regardless, or if it only checks what you tell it to check. So not sure if removing single items will make any difference.
... View more
10-09-2020
06:22 AM
I came up with a work-around solution that I am currently testing. I decided to move the pre-logon off to a separate gateway. This allows me to give it its own tunnel, with its own zone, and therefore I can disable the user-ID on just that zone. Initial testing so far has been positive.
... View more
10-08-2020
09:12 AM
We are trying to deploy pre-logon, we have security policies around pre-logon users, and then security policies for actual users once they authenticate. Basically, an initial pre-logon rule that allows access to domain controllers, etc., followed by a pre-logon deny all rule, followed by rules for users that have fully authenticated to GP. All of this works great, except for one problem. We run user-ID agents on our network to map IP to username, and we have found that once the user-ID agent maps an IP to a username, the firewall seems to no longer treat that connection as pre-logon from a security rules perspective. So here is the specific example (by the way, we are testing with user initiated pre-logon): User clicks connect button on logon screen, which initiates pre-logon connection to gateway. User then enters domain credentials and successfully authenticates (pre-logon rules are being used for this). User is now logged into computer, but not fully authenticated to GP yet as a user (MFA required to fully authenticate). But because User-ID agent maps the IP of the user to the username, we see that the firewall jumps past our pre-logon deny rule and starts allowing the user to access internal resources we do not want them to access yet. So.. status is still pre-logon, but they are jumping past our pre-logon rules. Not ideal. I opened a ticket with Palo and after explaining everything to them, they said that is just the way it is, and we would have to make a feature request to our SE to change this. I just can't believe we are the only company that users user-ID agent mapping, and also uses Global Protect with pre-logon. Seems like anyone using these two things together would have the same issue with their security policies. On the occasion that user-ID IP/username mapping does not work, then the pre-logon deny rule does not get jumped, and everything works as expected (traffic gets denied to internal sensitive resources). But any traffic that does capture the username will jump the pre-logon deny rule. Anybody have any thoughts on a way to get around this issue?
... View more
09-05-2018
01:34 PM
I have to create a VPN tunnel between two businesses. The main objective is that company A needs to provide access to the following subnets to company B: 10.10.1.144/28 10.1.2.144/28 I've got all the tunnel info set up, and there is just a public IP address on each firewall as the peer IP. For company A where the subnets are located, I'm struggling with the NAT rule needed to allow access to this range of IPs. Would it look something like this: source zone: vpn_untrust destination zone: inside_trust destination interface: any source address: public IP of company B destination address: public IP of company A destination translation: subnets listed above
... View more
LEGAL NOTICES
Copyright 2007 - 2023 - Palo Alto Networks