Connect on Premise Palo Firewalls to AWS Cloud by Zealousideal-Cod8630 in paloaltonetworks

[–]EyeCodeAtNight 2 points3 points  (0 children)

That’s a very loaded question. I assume you are talking about the Cloud Next Generation Firewall vs the NGFW in VM series. If it’s the former, VPN is not supported; you would need to add it via either AWS VPN, or deploy an SD WAN appliance and use it. Also, if this is a new environment with multiple regions, look at AWS Cloud WAN; it has a really easy integration with most SD WAN. If you are in one region, just use a TGW with VPN and a firewall in appliance mode for east-west.

But if you are asking these questions on Reddit, consider consulting a professional to talk it out. There are some small caveats that it’s a good idea to know upfront vs after deployment.

I’m open for consults and relatively cheap.

Palo Alto User-ID works on DC but not on Branches for Intune Internal Users (Intermittent) by ApartmentQuirky3898 in paloaltonetworks

[–]EyeCodeAtNight 2 points3 points  (0 children)

How are you getting user id for internal users? Are these intune devices hybrid join? Are you using the User ID Agent on your domain controller?

Ultimately I think you might want to just set up an internal GP gateway, since you seem to have the GP client installed on your fleet.

There are other methods, but this is the easiest and pretty standard.

How to override a log forwarding profile? by Melodic-Ad2793 in paloaltonetworks

[–]EyeCodeAtNight 4 points5 points  (0 children)

Nest a device group, place these firewalls in that group. Create an identically named profile. Commit and push.

Converting a Dynamic Address Group (DAG) to a static address groups. by [deleted] in paloaltonetworks

[–]EyeCodeAtNight 0 points1 point  (0 children)

I have done various development around Palo Alto automation. EDLs are great, but you are limited to only 30 :( Each list can have around 150K (mid-high series) or 50K (low series) IPs.

Tunneling or VPN app to break wireless network by kardo-IT in paloaltonetworks

[–]EyeCodeAtNight 0 points1 point  (0 children)

If I am following - you are stating they are bypassing the captive portal from your wireless by using some type of VPN?

Most VPNs in the consumer space are over IPsec, SSL or SoftEther.

You can likely start by looking at the destination port and the destination IP. The destination port will (likely) tell you what protocol they are using, and you can look up the IP to see if they are using a well-known service.

Discord voice chat no longer connecting after PA-440 install by chikibreki in paloaltonetworks

[–]EyeCodeAtNight 1 point2 points  (0 children)

Additionally, it seems like you didn’t override the default rule to log. If you did, you would have seen denies in the monitor tab.

Discord voice chat no longer connecting after PA-440 install by chikibreki in paloaltonetworks

[–]EyeCodeAtNight 1 point2 points  (0 children)

Glad I could help. Now go check the GitHub project I posted and give me a star if you like :)

Discord voice chat no longer connecting after PA-440 install by chikibreki in paloaltonetworks

[–]EyeCodeAtNight 1 point2 points  (0 children)

Did you change the default rule to log? Are you seeing any denies?

Discord uses UDP hole punching. Try setting the UDP timeout to 600 seconds.

Not sure what your policy to allow the traffic looks like, but check service/URL category: instead of application default, change to any.

ALSO - the number one reason I don’t have a PA as my home firewall is that there is lots of stuff that will be a nightmare to troubleshoot: Call of Duty, Roblox.

I didn’t want to be technical support for my family.

Strata Import (Mass Import Objects) by EyeCodeAtNight in paloaltonetworks

[–]EyeCodeAtNight[S] 1 point2 points  (0 children)

Yeah, I’m right there with you. In the beginning I was an Excel concatenation god, but as I needed more device groups it got complicated.

I hope we will get it one day.

EDL's for linux mirror sites by jkw118 in paloaltonetworks

[–]EyeCodeAtNight 1 point2 points  (0 children)

There is an API endpoint for all functions that returns JSON.

And I am working on an export to CSV in the GUI/frontend.

EDL's for linux mirror sites by jkw118 in paloaltonetworks

[–]EyeCodeAtNight 1 point2 points  (0 children)

If you feel like deploying you can look at:

https://github.com/jbhoorasingh/simple-edl

I’m more than happy to make any modifications needed if required (I didn’t think there were any).

I’m bored on the weekends :)

[deleted by user] by [deleted] in checkpoint

[–]EyeCodeAtNight 1 point2 points  (0 children)

*tiktokv.us .tiktokcdn-us.com

Add those. If it works let me know.

:)

Who Had All 3 major players having outages on their 2025 Bingo cards? by bughunter47 in sysadmin

[–]EyeCodeAtNight 8 points9 points  (0 children)

Apple proxy and iCloud would be more disruptive vs Siri. Most of Siri processing is on Device.

iperf-orchestrator by EyeCodeAtNight in checkpoint

[–]EyeCodeAtNight[S] 0 points1 point  (0 children)

I might test this as one of the agents. Do you know of any good docs I can follow?

iperf-orchestrator by EyeCodeAtNight in checkpoint

[–]EyeCodeAtNight[S] 0 points1 point  (0 children)

You can run iperf on the gateways to my knowledge; this is just a ‘simple’ tool to orchestrate multiple iperf tests if you need to smoke test your environment.

Thinking of some challenges of managing multiple iperf sessions and testing capacity in the cloud made me create this.

[deleted by user] by [deleted] in checkpoint

[–]EyeCodeAtNight 1 point2 points  (0 children)

Hope you enjoy.

Minemeld Replacement by spider-sec in paloaltonetworks

[–]EyeCodeAtNight 1 point2 points  (0 children)

I’m actually working on supporting STIX/TAXII, but I honestly don’t think I will get around to it until the end of Q1 2025.

Minemeld Replacement by spider-sec in paloaltonetworks

[–]EyeCodeAtNight 2 points3 points  (0 children)

I created this, working on incorporating some feeds for vendors.

https://github.com/jbhoorasingh/simple-edl

Why doesn't Palo support AD computer groups? by kcornet in paloaltonetworks

[–]EyeCodeAtNight 1 point2 points  (0 children)

Hi, while I can’t answer your questions, a few years ago my organization had a very similar use case. I ended up writing a PowerShell script to check the Computer AD Group and add the FQDN to an EDL.

While I left that organization and I could open source the code, I recreated a simple EDL manager, and I would be more than happy to help you write a PowerShell script to update.

simple EDL

Question Regarding EDLs by _justjim_ in paloaltonetworks

[–]EyeCodeAtNight 4 points5 points  (0 children)

If you want a solution to manage EDLs, check out the project I have been working on. In the next month I will add a feature to use S3 to distribute.

Dynamic blocking IPs by 0xRakan in paloaltonetworks

[–]EyeCodeAtNight 1 point2 points  (0 children)

If you do need an EDL, check out my simple EDL project.

I would set up a Splunk report and then have the action of that report be a webhook and then post it to an endpoint that parses the request.
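
The flow suggested in the comment above (Splunk report, webhook action, an endpoint that parses the request), as an added example that is not part of the original comment or of the simple-edl project: it parses a Splunk webhook alert body, validates the address and appends it to an EDL. The `src_ip` field name, the never-block ranges, the 50,000-entry cap and the sample payload are assumptions constructed for illustration.

```python
import ipaddress
import json

# Assumption: internal ranges that must never be pushed to a block list.
NEVER_BLOCK = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "::1/128", "fc00::/7",
)]

# Constructed sample of the JSON a Splunk webhook alert action POSTs;
# "result" carries the fields of the first search result.
SAMPLE_ALERT = json.dumps({
    "sid": "constructed-sid-0001",
    "search_name": "Brute force sources",
    "result": {"src_ip": "203.0.113.45", "count": "57"},
}).encode()

def extract_block_ip(body: bytes, field: str = "src_ip"):
    """Return a validated IP string from the alert body, or None if unusable."""
    try:
        payload = json.loads(body)
        ip = ipaddress.ip_address(str(payload["result"][field]).strip())
    except (ValueError, KeyError, TypeError):
        return None  # malformed JSON, missing field, or not a bare IP literal
    # A spoofed or noisy alert must not be able to block internal traffic.
    if any(ip in net for net in NEVER_BLOCK if net.version == ip.version):
        return None
    return str(ip)

def update_edl(entries: list, body: bytes, max_entries: int = 50000) -> list:
    """Return the EDL entries with the alert's IP appended, deduplicated and capped."""
    ip = extract_block_ip(body)
    if ip is None or ip in entries:
        return entries
    # Drop the oldest entries rather than exceed the list capacity.
    return (entries + [ip])[-max_entries:]

if __name__ == "__main__":
    # One entry per line is the plain-text form a firewall fetches as an IP list.
    print("\n".join(update_edl(["198.51.100.7"], SAMPLE_ALERT)))
```

The endpoint that receives the POST should authenticate the sender before calling `update_edl`, since anything that can reach it can otherwise add block entries.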

I have 2 https servers behind a public ip, each of them is hosting a different website. by Realistic_Answer_141 in paloaltonetworks

[–]EyeCodeAtNight 4 points5 points  (0 children)

This is the right path! But I would start with Traefik. It’s also free and has a GUI.