This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

About GavinPalmer

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
GavinPalmer
‎08-27-2019
since ‎10-07-2014
L2 Linker
User Activity
User Profile
Latest posts by GavinPalmer
View All
My Liked Posts
View All
User Badges
Community Statistics
Member Since ‎10-07-2014 06:13 AM
Date Last Visited ‎08-27-2019 05:27 PM
Posts 15
Total Likes Received 1

(DUP!) when pinging from the firewall

by in General Topics
‎08-14-2017 12:49 PM
‎08-14-2017 12:49 PM
Hi guys,   Strange issue here which I'm hopeing to get resolved.  I was SSH'ed into the our PA VM-100 today and happened to run the command >ping host 8.8.8.8.  This resulted in 100% (DUP!) replies on the ICMP replies.  However, when I specify the source and host I dont get this issue.   Any ideas why this could be happening?   Thanks   ... View more

Re: 7.0.8 to 7.1.8 upgrade - H.323 not working

by in General Topics
‎04-12-2017 06:08 AM
‎04-12-2017 06:08 AM
Hi Guys,   Ok so If use static NAT's and I have 8 meeting rooms with Polycom devices, that would mean 8 public IP addresses.  Surely that's not scalable?  Maybe some kind of PAT would be a better option?  What does everyone think? ... View more

Re: 7.0.8 to 7.1.8 upgrade - H.323 not working

by in General Topics
‎04-05-2017 01:31 AM
‎04-05-2017 01:31 AM
Seriously... No one wants to take a stab at this one? lol ... View more

7.0.8 to 7.1.8 upgrade - H.323 not working

by in General Topics
‎03-31-2017 08:22 AM
‎03-31-2017 08:22 AM
Dear All,   We have recently upgraded as the title suggests, and since upgrading our Polycom Group series video conference units are not working correctly on H.323 protocol.  When we connect to either a public video bridge or direct to another Polycom device, we are unable to hear the caller ont he conference.  This was previously working in 7.0.8.   From our initial investigations, we are able to get this working by configuring a static NAT rule for the Polycom device.  However when the device using the general Trust -> Untrust dynamic NAT it does not seem to work correctly.  We have performed packet captures which all seem to be flowing correctly and we are not seeing any dropped packets.    We have also configured a Trust -> Untrust ANY ANY security rule for the polycom to make sure its not being blocked from that perspective.   The only thing I can think of is that the traffic is not being routed back for some reason due to some change involving NAT that was implemented since 7.0.8.   Can anyone think of why we are having this issue?     ... View more

Re: QoS Implementation for Voice Traffic

by in General Topics
‎11-18-2015 06:22 AM
‎11-18-2015 06:22 AM
Hi there!  Thanks for your response I really appreciate.  So we are only concerned with call quality of a Lync call.  We would like to priortise this traffic over eveything else for now.  Currently we are using the DSCP (ef) marking.  In our switching core we are prioritising voice and then everything else goes into best effort.   It gets complicated tho as our Lync (or Skype for Business I should say) implementation touches a few zones/vlans.  Do I need to setup a QoS profile for each interface then?  voice traffic in our network could source from our Trust zone or our voice zone or our dmz internal and dmz external zone.     Can you maybe give me an example o how you have implemented voice priority QoS on Palo Alto?   Many thanks once again. ... View more

QoS Implementation for Voice Traffic

by in General Topics
‎11-16-2015 08:44 AM
‎11-16-2015 08:44 AM
We are looking to implement QoS on our Palo Alto device for our voice traffic. We are currently tagging voice traffic with DSCP 46(ef). This is done at the source using Windows group policy to tag all traffic that originates from application "lync.exe". We can see the traffic is definitely being tagged by performing a pcap at different points in the network. We want to make sure that the Palo Alto firewall is honoring this DSCP marking and prioritizing the traffic over everything else. So a few questions to that end are: 1) Setting the DSCP marking in a security policy, is this only marking the traffic? Is it mandatory for QoS to function since we are already marking the traffic using Windows GPO? I think this isnt required. 2) Does the Palo Alto firewall ONLY prioritize traffic that traverses from one zone to another? 3) Can I use the default QoS profile? Thanks all. ... View more

Re: Applications using non standard ports - Palo Alto best practice

by in General Topics
‎12-18-2014 02:36 AM
1 Kudo
‎12-18-2014 02:36 AM
1 Kudo
Mikael, I have tested your theory and it works.  I basically cloned my "Trust Web Traffic" rule which was "ANY trust to ANY Untrust, "web-browsing and ssl", but then I set the service to select and had "service-http and service-https".  This I still feel is negating the purpose of the Palo Alto App-ID architecture.  We are basically using the firewall in layer 3 mode and allowing ports through regardless of the layer 7 application information. The answer to this, and please jump in if you disagree, is for Palo Alto to have an application called "google-search" with dynamic TCP port range 80, 443.  This would allow the traffic to which to 443 and still identify the traffic at the layer 7 level.  This would then allow us to use the application-default option. Let me know your views on this. ... View more

Applications using non standard ports - Palo Alto best practice

by in General Topics
‎12-17-2014 09:53 AM
‎12-17-2014 09:53 AM
Ok I'm pretty sure this has been covered elsewhere however I cannot find anything on it.  Let me give you some background on the config:  Currently using software version 6.0.5 SSL decryption in operation Trust to Untrust traffic flow direction Ok so I have a rule called "Trust Web Traffic".  This rule allows any trust user to any untrust destination for applications "dns, google-analytics, ssl and web-browsing".  While SSL decryption is turned on for my user account, and I then navigate to www.google.com I get an application blocked.  I believe this is happening because google redirects the traffic to port 443.  In the monitor tab I can see the traffic first appear as port 80 web-browsing THEN change to port 443 ALSO web-browsing.  Since this is a non standard port for the application "web-browsing" the traffic is denied. What is the solution here?  I already know if I change the service to ANY it will work however this leaves this rule allowing any protocol for that application which I dont want to do.  I've also been told creating a custom app could be the way to go.  But seriously google search should be covered in Palo Alto Applipedia. What is the solution here?  While still keeping the rule explicit to the application-default. Thanks ... View more
Labels:

Re: New to Palo Alto from Juniper SSG

by in General Topics
‎10-21-2014 08:02 AM
‎10-21-2014 08:02 AM
I do have a bi-directional NAT setup for smtp.  but how can the traffic be trust to untrust when smtp mail flow comes in from the untrust zone?  I dont understand this.  ... View more

Re: New to Palo Alto from Juniper SSG

by in General Topics
‎10-21-2014 07:47 AM
‎10-21-2014 07:47 AM
Hi Steve, Ok thats great.  I have created the static NAT policy but now need to create a security policy for it.  will the direction of the sec policy be Untrust to Trust or Untrust to Untrust?  For example, to allow smtp to our exchange server, this comes in over a static public IP.  So should the security policy read, Untrust <ANY> -> Trust <exchange_internal> or Untrust <ANY> -> Untrust <exchange_public_ip> Thanks ... View more

New to Palo Alto from Juniper SSG

by in General Topics
‎10-07-2014 06:29 AM
‎10-07-2014 06:29 AM
I was wondering if someone could enlighten me on how to replicate the Mapped IP functionality from Juniper SSG to Palo Alto. We have a number of services on our current Juniper SSG.  The way we firewall these services is using MIP's on the Untrust Zone then the traffic passing from Untrust to Trust using standard juniper policies.  I was playing around with the Palo Alto and it seems its as easy as setting up an address on the Untrust Zone and Trust Zone.  Then allowing the traffic based on the App-ID.  Can someone explain this to me please? Apologies for the noob question.  But gotta start somewhere eh? Cheers ... View more
Labels:
Register or Sign-in
Contact Me
Online Status
Offline
Date Last Visited
‎08-27-2019 05:27 PM
Likes From
View All
LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks