routeprotocol.com

Palo Alto

  • Palo Alto: VPN Troubleshooting Transform IDs

    When trying to establish a cross-vendor or business to business IPSec tunnel, finding an exact match in settings can be difficult. Palo Alto can provide some great troubleshooting debug tools if you know where to look. To activate debugging for VPNs, SSH to the Palo Alto firewall, and active debugging with these commands: # Debug…

  • Palo Alto VPN Troubleshooting: Testing

    In some policy based site to site VPNs, for the VPN to begin initialising, ‘interesting’ traffic needs to reach the router. Interesting traffic can be defined in the ‘Proxy IDs’ section of the IPSec tunnel in Palo Alto. When interesting traffic reaches the Palo Alto, if the VPN has not yet established, it will try…

  • Palo Alto: Manual Failover Process

    In an active-passive pair, steps can be taken to ensure that the firewall has a succesful failover if work needs to be carried out on the active firewall. Under Device > High Availability, ensure the pre-emptive box for the firewall you are going to suspend is unticked. Changes to this checkbox will need to commited…

  • Palo Alto: HIP Policy Check Failing Gradually

    This issue occured as part of PAN-148676, which was reported to be fixed in 8.1.16, 9.1.10, and 9.1.4 An issue was investigated recently where HIP policy checks began failing for more and more users over a period of time when connecting via GlobalProtect. It was initially thought an unknown change was being made to user…

  • Palo Alto EDU-110: Active/Passive High Availability

    Objectives: Describe the differences between active/active and active/passive high availability Define the prerequisites for creating a high availability pair Describe the metrics used to detect a firewall failure Configure the firewall interfaces used for heartbeats and hellos Configure a high availability pair Firewall High Availability Overview High availability is remains a concern for mission critical…

  • Palo Alto EDU 110: Monitoring and Reporting

    Objectives: Create an interactive, graphical summary of the applications with the ACC Export policy rules, objects, and IPS signatures using the configuration table export Create a predefined report to view traffic statistics for the previous day Describe how log files are forwarded to an external source Configure a Server Profile to forward logs to a…

  • Palo Alto EDU-110: Site to Site VPNs

    Objectives: Describe the three basic requirements for creating a VPN Configure the interface, IP addresses, and PSK for the IKE Gateway Configure the DH group, encryption methods, and authentication methods for an IKE Cryptographic profile Configure a static route in the route table for the tunnel Troubleshoot IPSec VPN issues from the responder side of…

  • Palo Alto EDU-110: Global Protect

    Describe the three major components of GlobalProtect Configure the client and server certificates to authenticate the agent and the portal Define the three methods supported for GlobalProtect client connections Configure the tunnel parameters for an external gateway connection Extending the security platform with GlobalProtect GlobalProtect builds on the technology of and offers several features over…

  • Palo Altro EDU-110: User-ID

    Objectives Describe the four main components of User-ID Describe the differences between the integrated agent and the Windows-based agent Define the methods to map IP addresses to users Configure the PAN-OS integrated agent to ocnnect to monitored servers Configure the Windows-based agent to probe IP addresses for username information User-ID’s Purpose The purpose of User-ID…

  • Palo Alto EDU-110: Wildfire

    Objectives: Describe how a firewall works with WildFire Threat Intelligence Cloud Describe how WildFire analysis is used to update URL categories listed in the PAN-DB URL Filtering data Configure Session Information Settings to specify which type of session information will be sent to Wildfire Define a WildFire Analysis Profile Configure both the types of information…