About ZEBIT

ZEBIT · ‎04-20-2022

Thanks all for this info. I know now which direction I need to go.

ZEBIT · ‎04-12-2022

We have two types of network. The internal LAN and guest LAN. These are two separated networks On the internal LAN we have use other policies then the guest LAN. Our employees connect to the guest LAN to avoid the policies on the internal LAN. So I created a block rule on the guest LAN if the user = AD User. On the internal LAN we have an active directory server and we use user identification. On the guest LAN I also enabled user identification, but the users don't get recognized and the policies doesn't work. I think the problem is that from the guest LAN you can't contact the internal AD server, but that is also the purpose. What can I do to fix this?

ZEBIT · ‎12-06-2021

Hi Shai, I have changed this, but the only thing that happens when a user get's an ip address is a ping to the default gateway.

ZEBIT · ‎12-03-2021

Hi, We have a PaloAlto firewall which is connected to a Cisco switch and on this Cisco swtich an AP is connected. On the firewall I use ethernet 1/2 port to handle the free wifi clients. This port is in Layer 3 mode. This port is connected with the Cisco switch. The port on the Cisco switch is configured in access mode and in vlan 5. On my AP I set the option that the free wifi is connected with vlan 5. On the firewall my ISP is connected on port 1/3. On the firewall I have configured the following: - Ethernet 1/2 is in mode Layer 3 and has IP address 192.168.128.1/24 - This interface is in virtual router internal and in security zone FREE_WIFI - DHCP server configured on Ethernet 1/2 with these options: IP pool: 192.168.128.2-192.168.128.254 GW: 192.168.128.1 DNS: 1.1.1.1 I configured the following security rules: - Deny from zone Free_WiFi to zone Internal_Network - Allow from zone Free_WiFi to zone Free_WiFi - Allow from zone Free_WiFi to zone Extern I configured NAT: - From zone Free_WiFi to zone Extern I configured PBF: - NO PBF for zone FREE_WIFI I configured the virtual routers: Internal: Interfaces: Ethernet 1/2 Static route: 0.0.0.0/0 to ISP and 192.168.128.0/24 next hop 192.168.128.1 Extern: Interaces: Ethernet 1/3 Static route: 0.0.0.0/0 to ISP and 192.168.128.0./24 next-vr is Internal The users get an ip address but they don't have internet access. The only rule that is getting hit is Allow from zone Free_WiFi to zone Free_WiFi. The client always do a ping to 192.168.128.1 and that's it. When they want to access the internet I see the following in the monitoring: Source 192.168.128.x to Destination 192.168.128.1 Port 80.

ZEBIT · ‎05-06-2021

@reaper We did this before but the thing is we use this Windows CA to sign lot of internal applications. If the firewall would get breached or hacked, the hacker is able to get the Windows CA certificate. This way we need to re-generate the Windows CA and resign all these applications.

ZEBIT · ‎05-06-2021

@QuentinH Yeah we found a solution. We created an application group with the file sharing apps we allow. This is wetransfer and google drive. After that I created a policy rule called File sharing app, allowed the users who may use these apps, set the Application to the application group we created and in the URL filtering we allowed the category online storage and backup. We created a seperate URL filtering for this policy rule.

ZEBIT · ‎05-05-2021

We have created on the firewall a Root CA which also signs the SSL Forward Trust certificate. The firewall Root CA certificate has been deployed with GPO to all our devices there Trusted Root Certificate Authorities. The root ca certificate on the firewall will almost expire and needs to be renewed, but what is the procedure? Select the certificate -> click renew -> commit, export this certificate and redistribute everything through GPO again?

ZEBIT · ‎05-05-2021

@QuentinH Yeah we found a solution. We created an application group with the file sharing apps we allow. This is wetransfer and google drive. After that I created a policy rule called File sharing app, allowed the users who may use these apps, set the Application to the application group we created and in the URL filtering we allowed the category online storage and backup. We created a seperate URL filtering for this policy rule.

ZEBIT · ‎04-23-2021

@BPry I have rules which allows app like wetransfer download and no URL filtering. After this rule I have a rule with URL filtering. When we we hit the site download.wetransfer.com the app rule doesn't get hit but the URL filtering rule. After allowing the category online storage and backup the site get recognized as wetransfer-download.

ZEBIT · ‎04-22-2021

Yeah we are decrypting the traffic. But doesn't get recognized as the correct app-id. The link that get's opened is download.wetransfer.com/ The problem is that the app-id is wetransfer downloading which is allowed, but the url download.wetransfer.com is in the URL categorie online backup and storage and that is a block categorie in our environment. So one rule is over rulling the other one.

ZEBIT · ‎04-21-2021

I have created a rule which allow the wetransfer (download and upload) application. But when a user receive an email to download a file the url is we.tl/random numbers. When the user clicks it the firewall doesn't see it as the application wetransfer-download but as category online storage and backup. Is this a bug in the Pan-OS and how can we solve this?

ZEBIT · ‎04-12-2021

I found through internet this explanation and this helped me well. How to Create a new MineMeld output node based on existing prot... - Knowledge Base - Palo Alto Networks

ZEBIT · ‎04-02-2021

Hi all, I'm new to in using MineMeld. I have configured installed and configured it on Ubuntu 16.04. I would like to configure miners but I don't know how to start with it. Through the internet I have found this page minemeld-node-prototypes/bruteforceblocker.yml at master · PaloAltoNetworks/minemeld-node-prototypes · GitHub and would like to use the bruteforceblocker.yml. But how can I implement it and use it on my firewall?

ZEBIT · ‎06-09-2020

Hi @kiwi I made a work around and will analyze this with TAC.

ZEBIT · ‎06-08-2020

Hi @kiwi That is indeed the problem. How can I fix?

Member Since	‎04-16-2014 10:54 PM
Date Last Visited	‎06-04-2025 06:38 AM
Posts	72
Total Likes Received	7

Online Status	Offline
Date Last Visited	‎06-04-2025 06:38 AM

About ZEBIT

Re: Block known AD users from Guest LAN

Block known AD users from Guest LAN

Re: Workstations no internet after receive IP from firewall DHCP Server

Workstations no internet after receive IP from firewall DHCP Server

Re: Renew firewall CA certificate and distribute with GPO

Re: Wetransfer download site we.tl not seen as Wetransfer application

Renew firewall CA certificate and distribute with GPO

Re: Wetransfer download site we.tl not seen as Wetransfer application

Re: Wetransfer download site we.tl not seen as Wetransfer application

Re: Wetransfer download site we.tl not seen as Wetransfer application

Re: Problems connecting to Azure Devops

Major issue PanOS 8.1.3: Network intefaces go down

Re: Rule allowed but policy-deny?

How to setup multiple vpn?

Re: How to publish IIS website with static external IP address

Re: Block known AD users from Guest LAN

Block known AD users from Guest LAN

Re: Workstations no internet after receive IP from firewall DHCP Server

Workstations no internet after receive IP from firewall DHCP Server

Re: Renew firewall CA certificate and distribute with GPO

Re: Wetransfer download site we.tl not seen as Wetransfer application

Renew firewall CA certificate and distribute with GPO

Re: Wetransfer download site we.tl not seen as Wetransfer application

Re: Wetransfer download site we.tl not seen as Wetransfer application

Re: Wetransfer download site we.tl not seen as Wetransfer application

Wetransfer download site we.tl not seen as Wetransfer application

Re: How to add nodes

How to add nodes

Re: Problems connecting to Azure Devops

Re: Problems connecting to Azure Devops

Unlock your full community experience!

About ZEBIT