This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

About CHammock

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
CHammock
‎10-11-2020
since ‎08-14-2013
L2 Linker
User Activity
User Profile
Latest posts by CHammock
View All
My LIVEcommunity Articles Contributions
View All
User Badges
Community Statistics
Member Since ‎08-14-2013 01:42 AM
Date Last Visited ‎10-11-2020 11:43 PM
Posts 31
Total Likes Received 3

Re: Feature Request NOT in Filters

by in Expedition Discussions
‎07-09-2019 08:55 AM
‎07-09-2019 08:55 AM
I wonder, if the feature for adding NOT logic to the Filters is complicated, would a simpler request be to add a predifined filter that is "Duplicate Addresses NOT with Duplicate Values" for the interim period? ... View more

Feature Request NOT in Filters

by in Expedition Discussions
‎06-20-2019 06:25 AM
‎06-20-2019 06:25 AM
Some of the predifined filters are great, Show Duplicate Names and Values is great for identifying duplicate objects to be deleted (or merged).  Show Duplicate Names is great for identifying objects that need more investigation.   When you are working with Panorama it is common to have Duplicate Names as objects will exist in different device groups including shared generally this is fine and wont impact anything if pushed to the device providing the values are the same.   However usually if I want to identify potential issues I need to see Duplicate Names and NOT Duplicate Names and Values.  These will show only the duplicate objects the don't have duplicate values.   As an example if I have 1655 duplicate names and 1660 duplicate names and values I only need to worry about 5 objects but how can you identify just those 5 objects. ... View more

Re: Log forwarding profile in all security policies

by in General Topics
‎03-08-2019 03:16 AM
1 Kudo
‎03-08-2019 03:16 AM
1 Kudo
FYI, if you name the profile "default" all new security rules will apply the profile automatically.  Same goes for security profile groups ... View more

Re: Is Zone Protection on Shared Gateways Supported

by in General Topics
‎11-28-2017 01:46 AM
‎11-28-2017 01:46 AM
Just to clarify my questions were based on a design I am putting forward but in the end I decide to lab the functionality to be sure.   I have just tested this in the lab and have found the below   1.  As vsys_remo suggested when you assign a zone protection profile to a zone in an SG it will log to the threat log if you change the Virtual System drop down to all.  I have to say I didn't expect this but it is a pleasent suprise.  Obviously a Log Forwarding profile is only needed if you wish to forward those logs to an external log device like syslog.   2.  The other thing I discovered regarding my point of the "show zone-protection" command.  If you use "show zone-protection zone {zonename}" you will only be able to filter based on zones which belong to a VSYS not an SG, however if you just run the command "show zone-protection" it will list all the zone-protection states including those from the SG zones.   Many Thanks to vsys_remo for the guidance. ... View more

Re: Is Zone Protection on Shared Gateways Supported

by in General Topics
‎11-27-2017 03:20 AM
‎11-27-2017 03:20 AM
Thanks for the response.  The link at least clears up the question of External Zone Support in VSYS, however are you able to confirm the qestion of if Zone protection profiles are supported on Layer3 Zones assigned to Shared Gateways?  If so where would you find the logs? ... View more

Is Zone Protection on Shared Gateways Supported

by in General Topics
‎11-24-2017 09:03 AM
‎11-24-2017 09:03 AM
I have a question regarding Zone Protection on Zones in a shared gateway.  Is it supported.  When I try and configure it it seems to be valid configuration.  However as a shared gateway does not generate logs where do the the ZP logs go?  Also when I run the command "show zone-protection zone ?" the SG zones do no show in the list so I can't collect stats for the zone protection.   I did try applying zone protection to the external zone which connects to the SG but this gave a commit warning saying something about syn-cookie not supported.  Also in my mind this would apply zone protection too late for it to be affective. ... View more

Re: Active-Active NAT Rule Binding

by in General Topics
‎04-24-2016 07:42 AM
‎04-24-2016 07:42 AM
Thanks for the reply pulukas.   I understand the whole binding thing and really don't have a problem with having duplicate rules for each device (although its not ideal).  I guess my main issue is   When I use your suggested method of duplicate NAT rules DeviceID 0 and DeviceID 1 or use (both) binding which I still don't understand why this isn't available for source nat.  I can't control which FW responds to the request as it seems both are ARPing for the address, which is confirmed by the system log 'Received conflicting ARP on interface ethernet1/1 indicating duplicate IP 80.6.91.149, sender mac d4:f4:be:xx:xx:xx'   So really I guess the question is why are floating addresses available to control which firewall responds to ARP, unless you use NAT rules in which case both will.   It really would fix my problem if there was a CLI command to switch off NAT rule ARPing off as I could then define Floating Addresses for evertything used in NAT.   My confusion is increased by the fact I am not seeing this conflicting MAC behaviour consistantly across the customer enviroment (which has ) or my LAB setup.  Makes me wonder if I am seeing some wierd BUG. ... View more

Active-Active NAT Rule Binding

by in General Topics
‎04-18-2016 12:54 PM
‎04-18-2016 12:54 PM
I can't find anything which goes into enough detail on Active-Active design around NAT and more importantly ARP. The easiest way to explain the current deployment is as follows: Site 1 / Firewall A Site 2 / Firewall B Each firewall is connected to unique networks and routers internally and externally.   The expectation is to provide redundancy by putting both firewalls in HA A/A and setting floating addresses so that each firewall will be the primary for its site as listed above but in the event of a site or firewall failure the remaining firewall will take over both site and firewall responsibility.   From a network point of view we have L2 connectivity for all networks across both sites. The A/A config is such that floating IPs mean the correct firewall will ARP for the correct addresses for that site. Everything works fine apart from the NAT. DeviceID 0 is Primary, DeviceID 1 is Secondary   Destination NAT for Site 1 is fine. I have bound all destination NAT rules for Site 1 to the “Primary” device.  So Firewall A arps for all destination NAT addresses.  If Firewall A fails the remaining device becomes primary and ARPs for all destination NAT addresses.   The Problem 1: Destination NAT for Site 2 can only be bound to DeviceID 1 which means if it fails the remaining firewall doesn’t arp for the Destination NAT. If I change the NAT binding to both I get an arp conflict for the IP as both firewalls are on the same L2 network and its hit and miss as to which firewall the routers send the traffic.   The Problem 2: Source NAT can only be bound to DeviceID 0 or DeviceID 1. Which means similar to problem 1 I either get no failover or an ARP conflict.   I feel like the solution is to have a "Secondary" bind option and to allow Source NAT rules to be able to be bound to both Primary and Secondary devices.   Am I missing something from the network design or is this a limitation of the Active-Active Technology. A work around would be to disable the NAT rules from ARPing and it all being managed by the HA floating address configuration.  Is there a CLI command to disable NAT rule ARPing?   Any advice appriciated. ... View more

Re: Agentless UserID in a MultiDomain Environment

by in General Topics
‎07-15-2015 01:10 AM
‎07-15-2015 01:10 AM
True but this doc is dated 2011 which would have been before PanOS 4.1 which was when the new UserID agent was released, plus this doc is based on the windows agent and not the onbox agentless agent. ... View more

Agentless UserID in a MultiDomain Environment

by in General Topics
‎07-10-2015 06:33 AM
‎07-10-2015 06:33 AM
My first question would be is it possible to configure a firewall with no vsys license to query more than one domain without deploying the UserID windows agent? My second question would be if yes then how given that there is only 1 WMI authentication username, one list of DCs and also that the ignore user list would only apply to a single domain as you don't specify the domain prefix. ... View more
Labels:

Re: Panorama Templates best practice?

by in General Topics
‎03-05-2015 08:17 AM
‎03-05-2015 08:17 AM
Interesting to see you have come to the same conclusion as myself regards what to and not to use templates for.  Can I ask how you manage a mix of vsys and non vsys firewalls.  Obviously I wouldn't want to manage any of the vsys via a template however the only solution I have found is to create two templates, one for vsys firewalls and one for non vsys firewalls.  The templates themselves are identical accept for the fact that one has virtual systems checked and the other doesn't.  This approach makes it tough to maintain the same settings in both templates but I can't really find an alternative solution.  Hopefully future releases of Panorama will support hierarchical templates which may solve this problem. ... View more

Re: How Does the "Highlight Unused Rules" Option Work on Panorama?

by in General Topics
‎07-31-2014 04:18 AM
‎07-31-2014 04:18 AM
That is perfect exactly what I thought would happen, as in its logical and consistent.  So the fact that my panorama logs are rolling every month won't affect the highlight unused rules. ... View more

How Does the "Highlight Unused Rules" Option Work on Panorama?

by in General Topics
‎07-30-2014 07:02 AM
‎07-30-2014 07:02 AM
As far as I am aware Panorama doesn't have counters so are the unused rules identified based on counters or similar from the devices in the device-group or based on traffic logs? ... View more
Labels:

Re: Deploy custom signature using XML API

by in Automation/API Discussions
‎04-30-2014 02:48 AM
‎04-30-2014 02:48 AM
Maybe useful if you can post the api call you are using.  I haven't done this before but I am sure the action override is only used when you are overriding template values pushed from panorama (which maybe why you mentioned you are not using panorama).  Sorry if I am teaching you to suck eggs but I have found when doing API work I use the command "debug cli on" and then try and create the application in the cli.  The cli will output the api call required to repeat that cli process. ... View more

Re: Chromebooks

by in Automation/API Discussions
‎04-22-2014 01:50 AM
‎04-22-2014 01:50 AM
If the idea of using the API and Programming scares you, you could deploy a V6 UserID agent (or upgrade you existing UserID deployment) which will except syslog directly from you wireless solution as discussed in the above doc.  All you would have to do is write a regex pattern to pull the username and ip address out of the messages sent from your wireless solution.  The onbox PANOS V6 agent already has some regex patterns for more popular wireless and other solutions so if you update this post with the system you are using someone running PANOS 6 may give you the regex you need. ... View more
Register or Sign-in
Contact Me
Online Status
Offline
Date Last Visited
‎10-11-2020 11:43 PM
Latest Tags
No tags yet
Likes Given To
View All
Likes From
LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks