This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

About cstech

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
cstech
‎02-05-2024
since ‎08-21-2014
L2 Linker
User Activity
User Profile
Latest posts by cstech
View All
User Badges
Community Statistics
Member Since ‎08-21-2014 03:57 PM
Date Last Visited ‎02-05-2024 10:54 AM
Posts 25
Total Likes Received 5

Re: Cannot run GlobalProtect Portal on preferred IP address

by in General Topics
‎09-11-2014 03:52 PM
‎09-11-2014 03:52 PM
csharma, Thank you for the suggestions.  I used option 2 and it works great.  I was a little worried about which zone the loopback should live in.  I put it in the DMZ but I don't know why. Thanks again, Chris ... View more

Cannot run GlobalProtect Portal on preferred IP address

by in General Topics
‎09-09-2014 09:23 AM
‎09-09-2014 09:23 AM
Please correct any wrong statements: 1. I connect my PA to the "untrust internet" via ethernet 1/1 2. My ISP assigned me 164.67.80.0/24 block of IPV4 addresses (actually this is a lie...) 3. I assigned 164.67.80.2/24 to ethernet 1/1 4. The PA is capable of running NAT on any of the addresses in the entire 164.67.80.0/24 subnet using Proxy ARP 5. I want to run a GlobalProtect HTTPS server on 164.67.80.3 6. The GlobalProtect Portal will not allow (5). 7. The reason for (6) is that 164.67.80.3 is not bound to ethernet 1/1.  The GlobalProtect HTTPS portal cannot use Proxy ARP. 7. I cannot bind 164.67.80.3/24 to ethernet 1/1 as a subinterface because it is on the same subnet as 164.67.80.1/24 8. I cannot run my GlobalConnect portal on 164.67.80.3, my preferred IP address 9. I must run GlobalConnect HTTPS Portal on the un-preferred IP address 164.67.80.2. Thank you, Chris ... View more
Labels:

Re: show vpn flow: Should "tunnel mtu" be renamed to "suggested tunel mtu"?

by in General Topics
‎09-05-2014 10:50 AM
1 Kudo
‎09-05-2014 10:50 AM
1 Kudo
Assuming the answer to (6) was yes, I dropped the interface MTU down to 1400 and my VPN bandwidth improved, certainly due to the reduced number of fragmented packets. Why is the PAN-OS going through the trouble of computing an ideal MTU but not actually applying it to an interface so that it can participate in PMTUD?  What am I not getting?  Arg! Chris ... View more

Re: show vpn flow: Should "tunnel mtu" be renamed to "suggested tunel mtu"?

by in General Topics
‎09-04-2014 11:26 AM
‎09-04-2014 11:26 AM
Hulk, Thank you for your help.  Would you please consider answering my question #4 and #6 in my original post? Thank you again! Chris ... View more

Re: Add source NAT: Bi-directional NAT breaks

by in General Topics
‎09-04-2014 09:46 AM
1 Kudo
‎09-04-2014 09:46 AM
1 Kudo
Thank you Tom for your help with this.  I solved the problem.  In my original post I described my source NAT rule's source translation: "Source Translation: dynamic-ip-and-port, 164.67.80.124" What I neglected to include in the post was the subnet mask.  I used the same address object in the NAT rule that I used for the interface: 164.67.80.124/26.  This was a mistake.  I should have created a second address object for the IP address with a subnet mask of /32: 164.67.80.124/32. This doesn't explain all the problems I described in this post.  And unfortunately for me (or fortunately depending on your viewpoint) some of them have gone away so I cannot examine them anymore. Anyhow, thank you again for your advice and introducing me to the LAND attack which is a source of packet drops that show up only in the counters and not in the logs.  And thank you for pointing out that I can can more fine grained control over my NAT rules by splitting the bi-directional rules. Chris ... View more

show vpn flow: Should "tunnel mtu" be renamed to "suggested tunel mtu"?

by in General Topics
‎09-03-2014 08:56 PM
1 Kudo
‎09-03-2014 08:56 PM
1 Kudo
Hello, Can you answer these questions regarding the tunel mtu that appears in the output below? cstankevitz@PA-500-Local> show vpn flow tunnel-id 27 tunnel  Sterling         id:                     27         type:                   IPSec         gateway id:             1         local ip:               164.67.80.124         peer ip:                53.103.78.197         inner interface:        tunnel.1         outer interface:        ethernet1/5         state:                  active         session:                20027         tunnel mtu:             1428 1. Who/what computed this MTU? 2. Did the thing that computed this MTU consider the encryption parameters I am using for the tunnel? 3. Why does this MTU value not participate in PMTUD? 4. (Same question as 3) Why does the MTU listed above not appear in a tracepath? 5. (Same question as 3) Why does the MTU listed above not appear in a "show routing fib"? 6. Am I expected to copy the MTU value listed above and paste it as the MTU value for the tunnel interface, overriding the default of 1500? 7. If the answer to (6) is "yes" (which I believe it is), then why didn't the PAN just do it for me? 8. Why would PAN confusingly give a tunnel interface two MTUs:the real MTU on the interface that participates in ICMP and another "fake" MTU that displayed above that does not participate in ICMP? 9. (Same question as 😎 Should the label "tunnel mtu" that appears in the output of "show vpn flow tunnel-id" be renamed to "suggested tunnel mtu"? Thank you for your help! Chris ... View more
Labels:

Re: Add source NAT: Bi-directional NAT breaks

by in General Topics
‎09-03-2014 12:34 AM
‎09-03-2014 12:34 AM
Another way traffic can be dropped but not appear in the traffic log is if the next hop is unavailable... ... View more

Re: Add source NAT: Bi-directional NAT breaks

by in General Topics
‎09-02-2014 10:05 PM
‎09-02-2014 10:05 PM
BTW, there is no session log for this traffic... presumably because no session can be established. ... View more

Re: Add source NAT: Bi-directional NAT breaks

by in General Topics
‎09-02-2014 10:04 PM
‎09-02-2014 10:04 PM
I do not know why it's happening, but what I believe should be Public->Public traffic is being dropped.  I can see the data is dropped by the PAN by inspecting the drop log from the packet capture. Eager to understand why the traffic is dropped, I added four security policies: Allow public->public, allow DMZ->DMZ, allow Private->Private, Deny All->All.  Every one of my security policies has logging turned on. Would you believe that the PAN is dropping packets (as evidenced in the packet capture drop log) but there is no trace of it in the Traffic Log? I have seen this before: it happens for example when a PAN interface drops ping due to the management profile.  Not sure why it is happening in my case though. Besides adding a "catch all" deny all->all, is there another way to get the drops to appear in the traffic log? Thank you, Chris ... View more

Re: Add source NAT: Bi-directional NAT breaks

by in General Topics
‎09-02-2014 03:15 PM
‎09-02-2014 03:15 PM
tpiens, Thank you again for your help.  I am embarrassed to say that I have never "checked my sessions" but I am going to do that now.  I will split the bi-directional NAT policy and hopefully in the process will discover my error. Chris ... View more

Re: Upgrade to PAN-OS 6.0.4 - a virtual wire did not come up

by in General Topics
‎09-02-2014 11:02 AM
‎09-02-2014 11:02 AM
Folks, Thank you all for your help with this.  The vwire came back up some time after after unplugging and re-plugging the cables (I'm sorry I don't know how long after could have been 1 second or 1 day). FYI the vwire does have "link pass through" enabled. In summary: 0. Traffic is flowing on vwire (verified with ping) 1. Upgrade PAN-OS from 6.0.2 to 6.0.4 2. PAN reboots as part of the upgrade 3. Ping (and other tests) confirm traffic is not flowing on vwire 4. PAN vwire is bypassed to get the network up 5. vwire is attached to a "test network" 6. I stupidly do not re-run step 3 (it is a remote site and we were all scrambling to get the net back up...) 7. monitor shows traffic is flowing on the vwire 8. I finally get around to re-running step 3 and it shows that the wire is back up Chris ... View more

Re: Add source NAT: Bi-directional NAT breaks

by in General Topics
‎09-02-2014 09:55 AM
‎09-02-2014 09:55 AM
tpiens, Thank you for your reply. Re your comment "192.16.1.10 to 164.67.80.77 equals trust to untrust in the sense of NAT translation" thank you I would have been unsure of that if/when I thought about it. Re the second implied rule for the bi-directional NAT policy, I figured something like that must be happening. Re the position of the source NAT rule that breaks my DMZ: Unfortunately the new source NAT rule is and has always been at the bottom of the list. Is there anything is unusual about my setup (I thought it was straight forward)?  If nothing is unusual about my setup, then I will have to look for something really odd on my network like a cable plugged into the wrong port etc. Thank you again, Chris ... View more

Add source NAT: Bi-directional NAT breaks

by in General Topics
‎09-01-2014 11:44 PM
‎09-01-2014 11:44 PM
Hello, 1. I have three zones: Public, DMZ, Private Public interface: bound to 164.67.80.124/26 Private interface: bound to 192.168.1.1/24 DMZ interface: bound to 192.168.2.1/24 2. I use bi-directional NAT to expose a few of the DMZ machines via their own public IP addresses: 164.67.80.77 <-> 192.168.2.77 164.67.80.78 <-> 192.168.2.78 164.67.80.79 <-> 192.168.2.79 Example: Source zone: DMZ Destination zone: Public Destination Interface: any Source Address: 192.168.2.77 Destination Address: any Service: any Source Translation: static-ip, 164.67.80.77, bi-directional: yes Destination Translation: none 3. I add security policies to allow the DMZ machines to access the internet and be accessed from the internet. 4. None of my interfaces are explicitly bound to 164.67.80.77, 78, or 79.  This works due to something called "Proxy ARP" on the public interface (as explained to me in these discussion forums). 5. I add a "Source NAT" policy with the intention of providing internet access to the Private zone: Source zone: Private Destination zone: Public Destination Interface: any Source Address: any Destination Address: any Service: any Source Translation: dynamic-ip-and-port, 164.67.80.124 Destination Translation: none 6. I don't yet add a security policy to allow Private machines to the Public zone. 7. After step 5, the communication between the DMZ and Public stops.  Internet cannot access the DMZ machines via the public IP addresses and the DMZ cannot access the internet. Question: Why does the DMZ stop working when I perform step 5? Thank you, Chris ... View more
Labels:

Re: Upgrade to PAN-OS 6.0.4 - a virtual wire did not come up

by in General Topics
‎09-01-2014 11:30 PM
‎09-01-2014 11:30 PM
Steven, Thank you.  I will reboot as soon as I can and report back. Chris ... View more

Upgrade to PAN-OS 6.0.4 - a virtual wire did not come up

by in General Topics
‎08-29-2014 05:47 PM
‎08-29-2014 05:47 PM
Hello, I have a PAN-OS 6.0.2 box that I upgraded to PAN-OS 6.0.4.  I have two vwires: one on interfaces 1/2 and another on 5/6.  The vwire on 5/6 did not come up.  The interfaces are "up" (green) as far as the web gui is concerned. The "Monitor" shows traffic being "allowed" per the appropriate rules.  However, traffic is not flowing. I have not tried rebooting the device and I don't want to yet... I would like to understand what is broken.  Can anyone offer some advice on how to troubleshoot this? Thank you, Chris ... View more
Labels:
Register or Sign-in
Contact Me
Online Status
Offline
Date Last Visited
‎02-05-2024 10:54 AM
Latest Tags
No tags yet
Likes From
LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks