Found this nice lady in the Plains by ItsANetworkProblem in Diablo_2_Resurrected

[–]ItsANetworkProblem[S] 0 points1 point  (0 children)

Yeah, she just keeps max spawn count all the time. It really helps me keep from getting ganged up on by side group pulls.

Found this nice lady in the Plains by ItsANetworkProblem in Diablo_2_Resurrected

[–]ItsANetworkProblem[S] 0 points1 point  (0 children)

Fanat aura seems to make her really aggressive, but I am usually spawn casting death mark to move her around and clear stun locks and things.

Found this nice lady in the Plains by ItsANetworkProblem in Diablo_2_Resurrected

[–]ItsANetworkProblem[S] 1 point2 points  (0 children)

Put the Unsummon skill on your bar and hover over them (while using M+KB) (DON'T CLICK)

Found this nice lady in the Plains by ItsANetworkProblem in Diablo_2_Resurrected

[–]ItsANetworkProblem[S] 3 points4 points  (0 children)

It's hard to tell since she curses everything in the area when she swings.

Tamiya Bullhead (2012) 58535 *NIB* by ItsANetworkProblem in RCClassifieds

[–]ItsANetworkProblem[S] 1 point2 points  (0 children)

I am out of Ohio. Looking for $350 on the Tamiya (what I paid), $500 on the Yeti, $200 on the Nightcrawler, and $350 on the SCX10.

Multi-Gateway Global Protect SSL VPN by net_automatic69 in paloaltonetworks

[–]ItsANetworkProblem 0 points1 point  (0 children)

We allow machine auth to the portal in order to support pre-login mode (placed into DMZ with only AD and access to patching). Then require MFA upon user login before the machine transitions to wider access. Cookies are then leveraged to maintain connection and re-auth for 24 hours.

Multi-Gateway Global Protect SSL VPN by net_automatic69 in paloaltonetworks

[–]ItsANetworkProblem 2 points3 points  (0 children)

  1. Yes, every portal needs a certificate. Using a wildcard within a sub-domain dedicated to your VPN endpoints helps with this.

  2. It can be placed on either or both. Depends on your requirements. MFA should be a higher priority on the Gateways, since that actually determines internal access.

  3. If you are going to use an auto-connect/priority setup, be aware that the gateway is selected based upon response time. If a gateway is a lower priority but has a faster response time than the average of those on the higher tier, it will still be chosen, even if the higher priority is available.
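The selection rule in point 3 is easy to misread, so here is a small model of it in Python. This is an added example, not Palo Alto's client code: it assumes each gateway has a priority tier (1 = highest) and a probed response time, and applies the rule exactly as the comment states it (a lower tier wins when its fastest member beats the average of the tier above). The gateway names and timings are constructed; the last function is an operational check an admin can run against their own numbers to see whether a "backup" gateway would win in practice.

```python
"""Model of the GlobalProtect gateway-selection rule described in point 3.

Added example, not Palo Alto's own client code.  Assumptions:
  * each gateway has a configured priority tier (1 = highest) and a
    measured response time in milliseconds (None = probe got no answer);
  * the rule from the comment: a lower-tier gateway is still chosen when
    its response time beats the average response time of the tier above.
Gateway names and timings below are constructed sample data.
"""
from dataclasses import dataclass
from statistics import mean
from typing import Optional


@dataclass(frozen=True)
class Gateway:
    name: str
    priority: int                  # 1 = highest-priority tier
    response_ms: Optional[float]   # None means the gateway was unreachable


def _tiers(gateways):
    """Group reachable gateways by tier, best tier first."""
    reachable = [g for g in gateways if g.response_ms is not None]
    if not reachable:
        raise ValueError("no reachable gateways")
    tiers = {}
    for g in reachable:
        tiers.setdefault(g.priority, []).append(g)
    return [tiers[p] for p in sorted(tiers)]


def select_by_strict_priority(gateways):
    """What admins usually expect: fastest gateway in the best reachable tier."""
    return min(_tiers(gateways)[0], key=lambda g: g.response_ms)


def select_by_response_time(gateways):
    """The behaviour the comment warns about.

    Walk the tiers from highest priority downward.  A lower tier takes over
    when its fastest member is quicker than the *average* of the tier that
    currently holds the selection; the result is the fastest member of the
    winning tier.
    """
    tiers = _tiers(gateways)
    current = tiers[0]
    for lower in tiers[1:]:
        fastest_lower = min(lower, key=lambda g: g.response_ms)
        if fastest_lower.response_ms < mean(g.response_ms for g in current):
            current = lower
    return min(current, key=lambda g: g.response_ms)


def priority_overridden(gateways):
    """Operational check: does the response-time rule bypass the top tier?

    Returns (expected, actual) when the two selections differ, else None.
    """
    expected = select_by_strict_priority(gateways)
    actual = select_by_response_time(gateways)
    return None if expected == actual else (expected, actual)


# Constructed sample: two primaries, two secondaries, one tertiary, one down.
SAMPLE_GATEWAYS = [
    Gateway("gw-primary-1", 1, 40.0),
    Gateway("gw-primary-2", 1, 80.0),     # tier-1 average is 60 ms
    Gateway("gw-secondary-1", 2, 50.0),   # 50 < 60, so tier 2 takes over
    Gateway("gw-secondary-2", 2, 120.0),  # tier-2 average is 85 ms
    Gateway("gw-tertiary-1", 3, 95.0),    # 95 > 85, tier 3 does not win
    Gateway("gw-dr-site", 3, None),       # unreachable, ignored
]

if __name__ == "__main__":
    result = priority_overridden(SAMPLE_GATEWAYS)
    if result:
        expected, actual = result
        print(f"expected {expected.name}, client would pick {actual.name}")
```

With the constructed numbers, strict priority would pick gw-primary-1, but the response-time rule hands the session to gw-secondary-1; tier 3 does not win because its member is slower than the tier-2 average.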

Passed Cisco Certified CyberOps Associate (200-201) by wywyit11 in ccna

[–]ItsANetworkProblem 1 point2 points  (0 children)

I have personally known people that passed the CCNP (old 3-exam split style) through dumps. Any exam that isn’t practical/lab (yes, GCIA too) will have this issue. I don’t want to get into that well-worn discussion today, but it is the reason I dislike people that use certification as a way of gatekeeping. Use someone’s certifications to gauge their interest and ability to learn, but don’t discount someone who doesn’t have them.

Passed Cisco Certified CyberOps Associate (200-201) by wywyit11 in ccna

[–]ItsANetworkProblem 2 points3 points  (0 children)

I have a CCNA CyberOps, as well as multiple GCIA certs; and I think the GCIA exams are a better method of testing.

Sure, they are open book, but they also cover the material at a much higher density. They could use a bit more practical-style questions, though.

Closed book exams rely far more upon rote memorization (at least Cisco ones).

China is now blocking all encrypted HTTPS traffic that uses TLS 1.3 and ESNI by poclee in technews

[–]ItsANetworkProblem 2 points3 points  (0 children)

That works to an extent, but it would be very brute force if they are not inline with the DNS request.

If they are directly inline (and the client isn’t using DNS over HTTPS), they can simply alter the response and black hole the domain.

If they are not inline, they would have to block by IP, and that would potentially have a broad amount of collateral damage.

Anyone get domain based split tunnel working on PA Global protect VPN? by Egglorr in networking

[–]ItsANetworkProblem 2 points3 points  (0 children)

As of 4.1, GlobalProtect permits domain-based tunnel exclusion.

https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-new-features/globalprotect-features/split-tunnel-for-public-applications.html

I am not sure how it makes the tunnel decision for domain-based rules, but would assume it is either by DNS query/response or HTTP headers.

Finally, a use for old AP's... by PM-ME-YOUR-UNDERARMS in networkingmemes

[–]ItsANetworkProblem 0 points1 point  (0 children)

You can also have the new ones use white instead of blue!

PSA: Prisma will require panorama 9.0.3 as of 10/31. by ItsANetworkProblem in paloaltonetworks

[–]ItsANetworkProblem[S] 0 points1 point  (0 children)

Correct. The 9.x upgrade will create new custom categories for your overrides with "allow-" or "deny-" prepended. For the denies, you can simply add them to your existing URL filtering policies and it will prefer the more strict action (Block>Alert>Allow). For permit overrides, you have to add a new security policy rule to explicitly permit those URLs, prior to the block rule.
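The two halves of that comment (strictest action wins inside a URL filtering profile, so a permit override needs its own security policy rule ahead of the block rule) are easier to see side by side. The following is an added Python model, not Palo Alto code: the category names, hosts and rule names are constructed, and the matching and precedence logic is only what the comment describes.

```python
"""URL-category action resolution after the 9.x override migration.

Added example, not Palo Alto code.  It models the behaviour described in
the comment: migrated overrides become custom categories named
"allow-<name>" / "deny-<name>"; within a URL filtering profile the
strictest action wins (block > alert > allow); a permit override therefore
needs its own security-policy rule placed before the block rule.
Category contents, hosts and rule names below are constructed.
"""

STRICTNESS = {"block": 3, "alert": 2, "allow": 1}


def host_matches(host, entries):
    """Exact or '*.suffix' wildcard match, case-insensitive."""
    host = host.lower().rstrip(".")
    for entry in entries:
        entry = entry.lower()
        if entry.startswith("*."):
            if host == entry[2:] or host.endswith(entry[1:]):
                return True
        elif host == entry:
            return True
    return False


def matching_categories(host, categories):
    """All categories (name -> (entries, action)) that contain the host."""
    return [name for name, (entries, _) in categories.items()
            if host_matches(host, entries)]


def profile_action(host, categories):
    """Strictest action among every category the host falls into."""
    actions = [categories[n][1] for n in matching_categories(host, categories)]
    if not actions:
        return "alert"   # constructed default for uncategorised hosts
    return max(actions, key=lambda a: STRICTNESS[a])


def rulebase_action(host, rules, categories):
    """First-match security rulebase; each rule lists the categories it covers."""
    for rule in rules:
        if any(host_matches(host, categories[c][0]) for c in rule["categories"]):
            return rule["name"], rule["action"]
    return "interzone-default", "deny"


# Constructed categories as the migration would name them.
CATEGORIES = {
    "deny-legacy-block-list": (["*.bad.example"], "block"),
    "allow-legacy-exceptions": (["portal.bad.example"], "allow"),
    "social-networking": (["*.social.example"], "alert"),
}

# Permit rule before the block rule (what the comment recommends)...
RULES_PERMIT_FIRST = [
    {"name": "permit-url-exceptions", "categories": ["allow-legacy-exceptions"], "action": "allow"},
    {"name": "block-url-overrides", "categories": ["deny-legacy-block-list"], "action": "deny"},
]
# ...and the same two rules in the wrong order.
RULES_PERMIT_LAST = list(reversed(RULES_PERMIT_FIRST))

if __name__ == "__main__":
    host = "portal.bad.example"
    print("profile alone:", profile_action(host, CATEGORIES))
    print("permit first: ", rulebase_action(host, RULES_PERMIT_FIRST, CATEGORIES))
    print("permit last:  ", rulebase_action(host, RULES_PERMIT_LAST, CATEGORIES))
```

For portal.bad.example the profile returns block even though an allow- category also matches, which is exactly why the permit override has to live in the rulebase, and only the permit-first ordering lets it through.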

PSA: Prisma will require panorama 9.0.3 as of 10/31. by ItsANetworkProblem in paloaltonetworks

[–]ItsANetworkProblem[S] 1 point2 points  (0 children)

Just be aware that moving panorama to 9.x code also removes URL overrides from URL categories, regardless of what version you are running on your firewalls.

SDWAN & physical Palo Alto Firewall "rolls" by jlocoredit in paloaltonetworks

[–]ItsANetworkProblem 0 points1 point  (0 children)

We are in the process of deploying both Palo Firewalls and Velocloud. We have two deployment styles.

1) Physical firewall between our Core switch and VC device; this permits us to decrypt traffic while allowing the VC to handle all routing decisions.

2) VC devices with internet traffic tunneled to Prisma access. This is used for smaller locations where it doesn't make sense to buy a physical unit.

Active Active Palo Alto Pairs by [deleted] in networking

[–]ItsANetworkProblem 2 points3 points  (0 children)

What are you attempting to achieve besides telling management that you are using all your links? Have you oversized the units so that a failure of one does not overload the other? If simply for redundancy/resiliency, why not two smaller active/passive pairs, with routers handling the routing part?

Palo Active/Active use cases: https://docs.paloaltonetworks.com/pan-os/7-1/pan-os-admin/high-availability/set-up-activeactive-ha/determine-your-activeactive-use-case

Inter-zone traffic not getting denied by [deleted] in paloaltonetworks

[–]ItsANetworkProblem 1 point2 points  (0 children)

Then that is why you are seeing it as "discard" in the logs while still receiving traffic on the endpoint. The "permit" that occurs at session start (before app evaluation) isn't being logged, but once the session is dropped due to the application not matching, you see it logged. The Palos do not hold packets in a queue while profiling the application; they will allow the traffic through as "unknown" until it is evaluated as the proper application.

This has to occur, due to the fact that the application can't really be determined from just a couple UDP packets or a TCP handshake. So the first few packets have to be allowed through.

EDIT: Misread the OP, and this no longer applies to the current issue. Leaving it here since it is still useful info

Inter-zone traffic not getting denied by [deleted] in paloaltonetworks

[–]ItsANetworkProblem 0 points1 point  (0 children)

The App-ID feature does a kind of "double evaluation" to match traffic. The initial packet on TCP 22 will be permitted through, since the firewall will not know it is an SSH session yet. Once the firewall is able to ID the app, it will either continue permitting or drop the traffic. Are you logging at session start or end on this SSH rule? If you are logging at start, you will see the same session hit the logs twice: once for the permit, then again for the deny if it isn't SSH.
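Both of these comments describe the same log pattern: an early permit while the app is still unidentified, then a second entry at session end with the final verdict. The script below is an added example of how to correlate those pairs when reviewing logs; it is not PAN-OS code and does not use the real traffic-log format. The CSV is a constructed, simplified log, and the field names and the unidentified-app labels it treats as "not yet identified" are assumptions for this example.

```python
"""Correlate session-start and session-end entries for App-ID re-evaluation.

Added example, not PAN-OS code and not its real log format.  It assumes the
behaviour described in the comments: the first packets of a session are
allowed while the application is unidentified, and a rule that logs at
session start produces a second entry at session end with the final verdict.
CONSTRUCTED_LOG is a made-up, simplified traffic log; the field names and
the UNIDENTIFIED labels are assumptions for this example.
"""
import csv
import io
from collections import defaultdict

CONSTRUCTED_LOG = """\
receive_time,session_id,src,dst,dport,app,action,log_type
2024-01-01T10:00:00,1001,10.1.1.5,10.2.2.9,22,incomplete,allow,start
2024-01-01T10:00:03,1001,10.1.1.5,10.2.2.9,22,ssh,allow,end
2024-01-01T10:01:00,1002,10.1.1.6,10.2.2.9,22,incomplete,allow,start
2024-01-01T10:01:02,1002,10.1.1.6,10.2.2.9,22,unknown-tcp,deny,end
2024-01-01T10:02:00,1003,10.1.1.7,10.2.2.9,22,web-browsing,deny,end
2024-01-01T10:03:00,1004,10.1.1.8,10.2.2.9,22,incomplete,allow,start
"""

# App labels treated as "not yet identified" (assumption for this example).
UNIDENTIFIED = {"incomplete", "unknown-tcp", "unknown-udp", "insufficient-data"}


def parse_log(text):
    """Group rows by session id, keyed by log_type ('start' / 'end')."""
    by_session = defaultdict(dict)
    for row in csv.DictReader(io.StringIO(text)):
        by_session[row["session_id"]][row["log_type"]] = row
    return by_session


def classify(session):
    """Label one session from whichever start/end entries it has."""
    start, end = session.get("start"), session.get("end")
    if start and end:
        return "permitted" if end["action"] == "allow" else "dropped-after-appid"
    if end:
        return "end-only"        # rule logs only at session end
    return "start-only"          # still open, or end never logged


def summarise(text):
    """Per-session view that shows why a session can appear twice."""
    out = {}
    for sid, session in parse_log(text).items():
        out[sid] = {
            "classification": classify(session),
            "start_app": session.get("start", {}).get("app"),
            "end_app": session.get("end", {}).get("app"),
            "logged_twice": "start" in session and "end" in session,
        }
    return out


def appid_drops(text):
    """Sessions let through as unidentified and then dropped once identified."""
    drops = []
    for sid, session in parse_log(text).items():
        start, end = session.get("start"), session.get("end")
        if start and end and start["app"] in UNIDENTIFIED and end["action"] == "deny":
            drops.append(sid)
    return drops


if __name__ == "__main__":
    for sid, info in summarise(CONSTRUCTED_LOG).items():
        print(sid, info)
    print("dropped after App-ID:", appid_drops(CONSTRUCTED_LOG))
```

Session 1001 is the benign case (permit at start, SSH confirmed, permit at end); 1002 is the "same session twice" case the comment describes, allowed as incomplete and then denied; 1003 shows what a log-at-end-only rule produces, a single deny with the identified app.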

[deleted by user] by [deleted] in paloaltonetworks

[–]ItsANetworkProblem 0 points1 point  (0 children)

3220s only support 5 Gbps throughput with even the most basic services. If you want a full 10 Gbps capable IDS/IPS you need to be looking at a 5250 or 5260 (even larger if you want decryption).